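DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Unified Log Initialized\n"););

    /* tell command line loggers to go away */
    pv.log_plugin_active = 1;

    /* parse the argument list from the rules file */
    UnifiedInfo = UnifiedParseArgs(args, "snort-unified.log");

    //LogMessage("UnifiedLogFilename = %s\n", UnifiedInfo->filename);

    UnifiedInitLogFile(UnifiedInfo);
    AddFuncToPostConfigList(UnifiedLogInitFinalize, UnifiedInfo);

    pv.log_bitmap |= LOG_UNIFIED;

    /* Set the preprocessor function into the function list */
    AddFuncToOutputList(OldUnifiedLogPacketAlert, NT_OUTPUT_LOG, UnifiedInfo);
    AddFuncToCleanExitList(UnifiedCleanExit, UnifiedInfo);
    AddFuncToRestartList(UnifiedRestart, UnifiedInfo);
}

#ifdef GIDS
/*
 * Function: UnifiedWriteEtherHdr()
 *
 * Purpose: Write the synthesized Ethernet header that precedes the raw
 *          packet bytes in GIDS builds when the packet carries no
 *          Ethernet header of its own.  Shared by the direct and the
 *          stream-reassembly logging paths so both produce the same bytes.
 *
 * Arguments: data => pointer to the plugin's reference data struct
 *
 * Returns: void function; FatalError()s if the header cannot be written
 */
static void UnifiedWriteEtherHdr(UnifiedConfig *data)
{
#ifndef IPFW
    /* g_m->hw_addr is the source address used for the fake header
     * (exact origin of g_m is outside this file) */
    SafeMemcpy((u_char *)g_ethernet.ether_src, g_m->hw_addr, 6,
               (u_char *)g_ethernet.ether_src,
               (u_char *)g_ethernet.ether_src + sizeof(EtherHdr));
    memset((u_char *)g_ethernet.ether_dst, 0x00, 6);
#else
    memset(g_ethernet.ether_dst, 0x00, 6);
    memset(g_ethernet.ether_src, 0x00, 6);
#endif
    g_ethernet.ether_type = htons(0x0800);

    if(fwrite((char*)&g_ethernet, sizeof(EtherHdr), 1, data->stream) != 1)
        FatalError("SpoUnified: write failed: %s\n", strerror(errno));

    data->current += sizeof(EtherHdr);
}
#endif

/*
 * Function: UnifiedLogInitFinalize()
 *
 * Purpose: Write the unified log file header.  Registered as a
 *          post-config callback and also called directly by
 *          UnifiedLogRotateFile() after a fresh file has been opened.
 *
 * Arguments: unused => ignored (callback signature)
 *            arg    => UnifiedConfig * for this plugin instance
 *
 * Returns: void function; FatalError()s if the header cannot be written
 */
static void UnifiedLogInitFinalize(int unused, void *arg)
{
    UnifiedConfig *data = (UnifiedConfig *)arg;
    UnifiedLogFileHeader hdr;

    (void)unused;

    /* The whole struct, padding included, is written to disk: clear it
     * first so no stale stack bytes end up in the log file. */
    memset(&hdr, 0, sizeof(hdr));

    hdr.magic = LOG_MAGIC;
    hdr.version_major = SNORT_VERSION_MAJOR;
    hdr.version_minor = SNORT_VERSION_MINOR;
    hdr.timezone = thiszone;
    hdr.snaplen = snaplen;
    hdr.sigfigs = 0;
    hdr.linktype = datalink;
#ifdef GIDS
    /* inline builds always present an Ethernet framing to readers */
    hdr.linktype = DLT_EN10MB;
#endif

    if(fwrite((char *)&hdr, sizeof(hdr), 1, data->stream) != 1)
    {
        FatalError("UnifiedLogInitFinalize(): %s", strerror(errno));
    }

    fflush(data->stream);
}

/*
 * Function: UnifiedInitLogFile()
 *
 * Purpose: Build the unified log file path and open the file for writing.
 *          The file header itself is written later by
 *          UnifiedLogInitFinalize().
 *
 * Arguments: data => pointer to the plugin's reference data struct
 *
 * Returns: void function; FatalError()s on a NULL context, an over-long
 *          path or a failed fopen()
 */
void UnifiedInitLogFile(UnifiedConfig *data)
{
    char logdir[STD_BUF];
    int value;
    unsigned long stamp;

    if(data == NULL)
    {
        FatalError("Can't get unified plugin context, that's bad\n");
    }

    memset(logdir, 0, sizeof(logdir));

    /* The timestamp is deliberately truncated to 32 bits (the file-name
     * format this plugin has always produced); widen it again so the
     * argument type matches the %lu conversion below. */
    stamp = (unsigned long)(u_int32_t)time(NULL);

    if(data->nostamp)
    {
        /* absolute filenames are used as-is, relative ones go under log_dir */
        if(*(data->filename) == '/')
            value = SnortSnprintf(logdir, STD_BUF, "%s", data->filename);
        else
            value = SnortSnprintf(logdir, STD_BUF, "%s/%s", pv.log_dir, data->filename);
    }
    else
    {
        if(*(data->filename) == '/')
            value = SnortSnprintf(logdir, STD_BUF, "%s.%lu", data->filename, stamp);
        else
            value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%lu", pv.log_dir, data->filename, stamp);
    }

    if(value != SNORT_SNPRINTF_SUCCESS)
    {
        FatalError("unified log file logging path and file name are "
                   "too long, aborting!\n");
    }

    if((data->stream = fopen(logdir, "wb")) == NULL)
    {
        FatalError("UnifiedInitLogFile(%s): %s\n", logdir, strerror(errno));
    }
}

/* Per-call state handed to OldUnifiedLogStreamCallback() through the
 * stream reassembler's userdata pointer. */
typedef struct _OldUnifiedLogStreamCallbackData
{
    UnifiedLog *logheader;   /* record being written, owned by the caller */
    UnifiedConfig *data;     /* plugin instance (stream, byte counter) */
    Event *event;            /* event being logged, may be NULL */
    int first_time;          /* non-zero until the first packet is written */
    int packet_flags;        /* copied into every record's flags field */
    const void *eh;          /* Ethernet header of the rebuilt packet, or NULL */
} OldUnifiedLogStreamCallbackData;

/**
 * Callback for the Stream reassembler to log packets
 *
 * Appends one UnifiedLog record (header plus raw packet bytes) to the
 * unified log for each reassembled packet handed over by
 * stream_api->traverse_reassembled().  On the first packet the event's
 * reference time is set to the packet time and the event header is
 * rewritten with GENERATOR_TAG / TAG_LOG_PKT.
 *
 * @param pkth        pcap header of the reassembled packet
 * @param packet_data raw packet bytes, may be NULL
 * @param userdata    OldUnifiedLogStreamCallbackData * set up by
 *                    OldUnifiedLogPacketAlert()
 * @return 0 on success, -1 if userdata is NULL; write failures are fatal
 */
int OldUnifiedLogStreamCallback(struct pcap_pkthdr *pkth, u_int8_t *packet_data, void *userdata)
{
    OldUnifiedLogStreamCallbackData *unifiedData;
    UnifiedLog *logheader;
    UnifiedConfig *data;

    if (!userdata)
        return -1;

    unifiedData = (OldUnifiedLogStreamCallbackData *)userdata;
    logheader = unifiedData->logheader;
    data = unifiedData->data;

    logheader->flags = unifiedData->packet_flags;

    /* copy its pktheader data into the logheader */
    logheader->pkth.ts.tv_sec = (u_int32_t)pkth->ts.tv_sec;
    logheader->pkth.ts.tv_usec = (u_int32_t)pkth->ts.tv_usec;
    logheader->pkth.caplen = (u_int32_t)pkth->caplen;
    logheader->pkth.pktlen = (u_int32_t)pkth->len;

#ifdef GIDS
    /*
    ** Add the ethernet header size to the total pktlen.
    ** If the ethernet hdr is already set, then this means
    ** that it's a portscan packet and we don't add the
    ** ethernet header.
    */
    if(!unifiedData->eh)
    {
        logheader->pkth.caplen += sizeof(EtherHdr);
        logheader->pkth.pktlen += sizeof(EtherHdr);
    }
#endif

    /* Set reference time equal to log time for the first packet */
    if (unifiedData->first_time)
    {
        logheader->event.ref_time.tv_sec = logheader->pkth.ts.tv_sec;
        logheader->event.ref_time.tv_usec = logheader->pkth.ts.tv_usec;
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sec: %lu\n", logheader->event.ref_time.tv_sec););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "usc: %lu\n", logheader->event.ref_time.tv_usec););
    }

    /* NOTE(review): unlike the direct path in OldUnifiedLogPacketAlert(),
     * no data->limit check precedes these writes, so a long reassembled
     * stream can push the file past the configured limit. */
    if(fwrite((char*)logheader, sizeof(UnifiedLog), 1, data->stream) != 1)
        FatalError("SpoUnified: write failed: %s\n", strerror(errno));
    data->current += sizeof(UnifiedLog);

    if(packet_data)
    {
#ifdef GIDS
        if(!unifiedData->eh)
            UnifiedWriteEtherHdr(data);
#endif
        /* size 1 / count caplen: a zero-length capture then returns 0 == 0
         * instead of being reported as a failed write */
        if(fwrite((char*)packet_data, 1, pkth->caplen, data->stream) != pkth->caplen)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));
        data->current += pkth->caplen;
    }

    /* after the first logged packet modify the event headers */
    if (unifiedData->first_time)
    {
        logheader->event.sig_generator = GENERATOR_TAG;
        logheader->event.sig_id = TAG_LOG_PKT;
        logheader->event.sig_rev = 1;
        logheader->event.classification = 0;
        /* OldUnifiedLogPacketAlert() accepts event == NULL */
        logheader->event.priority = unifiedData->event ? unifiedData->event->priority : 0;
        unifiedData->first_time = 0;
    }

    /* Update event ID for subsequent logged packets */
    logheader->event.event_id = ++event_id | pv.event_log_id;

    return 0;
}

/*
 * Function: OldUnifiedLogPacketAlert(Packet *, char *msg, void *arg, Event *)
 *
 * Purpose: Log plugin entry point.  Appends one UnifiedLog record plus the
 *          raw packet bytes for the packet/event pair, or one record per
 *          reassembled packet when p is a rebuilt stream packet.
 *
 * Arguments: p     => pointer to the current packet data struct, may be NULL
 *            msg   => unused here
 *            arg   => UnifiedConfig * for this plugin instance
 *            event => event being logged, may be NULL
 *
 * Returns: void function; write failures are fatal
 */
void OldUnifiedLogPacketAlert(Packet *p, char *msg, void *arg, Event *event)
{
    OldUnifiedLogStreamCallbackData unifiedData;
    UnifiedLog logheader;
    UnifiedConfig *data = (UnifiedConfig *)arg;

    /* logheader goes to disk verbatim (padding included) and its event
     * part is only filled in when event != NULL, so start from zeros */
    memset(&logheader, 0, sizeof(logheader));

    if(event != NULL)
    {
        logheader.event.sig_generator = event->sig_generator;
        logheader.event.sig_id = event->sig_id;
        logheader.event.sig_rev = event->sig_rev;
        logheader.event.classification = event->classification;
        logheader.event.priority = event->priority;
        logheader.event.event_id = event->event_id;
        logheader.event.event_reference = event->event_reference;
        logheader.event.ref_time.tv_sec = event->ref_time.tv_sec;
        logheader.event.ref_time.tv_usec = event->ref_time.tv_usec;

        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "------------\n"););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "gen: %u\n", logheader.event.sig_generator););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sid: %u\n", logheader.event.sig_id););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "rev: %u\n", logheader.event.sig_rev););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "cls: %u\n", logheader.event.classification););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "pri: %u\n", logheader.event.priority););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "eid: %u\n", logheader.event.event_id););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "erf: %u\n", logheader.event.event_reference););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sec: %lu\n", logheader.event.ref_time.tv_sec););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "usc: %lu\n", logheader.event.ref_time.tv_usec););
    }

    if(p && (p->packet_flags & PKT_REBUILT_STREAM) && stream_api)
    {
        /* The callback writes, and accounts in data->current, one record
         * per reassembled packet; nothing is written for p itself, so no
         * further accounting happens after the traversal. */
        unifiedData.logheader = &logheader;
        unifiedData.data = data;
        unifiedData.event = event;
        unifiedData.first_time = 1;
        unifiedData.packet_flags = p->packet_flags;
        unifiedData.eh = p->eh;
        stream_api->traverse_reassembled(p, OldUnifiedLogStreamCallback, &unifiedData);
    }
    else
    {
        if(p)
        {
            logheader.flags = p->packet_flags;
            logheader.pkth.ts.tv_sec = (u_int32_t)p->pkth->ts.tv_sec;
            logheader.pkth.ts.tv_usec = (u_int32_t)p->pkth->ts.tv_usec;
            logheader.pkth.caplen = p->pkth->caplen;
            logheader.pkth.pktlen = p->pkth->len;
#ifdef GIDS
            /*
            ** Add the ethernet header size to the total pktlen.
            ** If the ethernet hdr is already set, then this means
            ** that it's a portscan packet and we don't add the
            ** ethernet header.
            */
            if(!p->eh)
            {
                logheader.pkth.caplen += sizeof(EtherHdr);
                logheader.pkth.pktlen += sizeof(EtherHdr);
            }
#endif
        }
        /* p == NULL: flags and pkth stay zero from the memset above */

        if((data->current + sizeof(UnifiedLog) + logheader.pkth.caplen) > data->limit)
            UnifiedLogRotateFile(data);

        if(fwrite((char*)&logheader, sizeof(UnifiedLog), 1, data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));
        data->current += sizeof(UnifiedLog);

        if(p)
        {
#ifdef GIDS
            if(!p->eh)
                UnifiedWriteEtherHdr(data);
#endif
            /* size 1 / count caplen so a zero-length capture is not a failure */
            if(fwrite((char*)p->pkt, 1, p->pkth->caplen, data->stream) != p->pkth->caplen)
                FatalError("SpoUnified: write failed: %s\n", strerror(errno));
            data->current += p->pkth->caplen;
        }
    }

    fflush(data->stream);
}

/*
 * Function: UnifiedLogRotateFile()
 *
 * Purpose: Close the current unified log file, open a new one and write
 *          its file header.
 *
 * Arguments: data => pointer to the plugin's reference data struct
 *
 * Returns: void function; FatalError()s if the old file cannot be closed
 */
void UnifiedLogRotateFile(UnifiedConfig *data)
{
    /* fclose() flushes the buffered records; a failure here would
     * otherwise silently drop the tail of the old file */
    if(fclose(data->stream) != 0)
        FatalError("SpoUnified: close failed: %s\n", strerror(errno));
    data->stream = NULL;
    data->current = 0;

    UnifiedInitLogFile(data);
    UnifiedLogInitFinalize(0, (void *)data);
}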