spo_unified2.c

著名的入侵检测系统snort的最新版本的源码

        if(alertdata.protocol == 255) 
        {
             alertdata.sport_itype = 0;             
             alertdata.dport_icode = 0;             
        }   
    }
    
    if((sizeof(Unified2RecordHeader) + sizeof(Unified2Event6)) > data->limit)
    {
       Unified2RotateFile(data);
    }

    hdr.length = htonl(sizeof(Unified2Event6));
    hdr.type = htonl(UNIFIED2_IDS_EVENT_IPV6);

    SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Unified2RecordHeader), 
               write_pkt_buffer, write_pkt_end);
    
    SafeMemcpy(write_pkt_buffer + sizeof(Unified2RecordHeader),
               &alertdata, sizeof(Unified2Event6), 
               write_pkt_buffer, write_pkt_end);

    if(fwrite(write_pkt_buffer, 
              sizeof(Unified2RecordHeader) +  sizeof(Unified2Event6),
               1, data->stream) != 1)
        FatalError("SpoUnified2: write failed: %s\n", strerror(errno));

    fflush(data->stream);
    data->current += sizeof(Unified2RecordHeader) + sizeof(Unified2Event6);
#endif
}

void Unified2LogAlert(Packet *p, char *msg, void *arg, Event *event)
{
    if(!event) return;
    if(IS_IP4(p)) _AlertIP4(p, msg, arg, event);
    else _AlertIP6(p, msg, arg, event);
}

static void Unified2LogPacketAlert(Packet *p, char *msg, void *arg, Event *event)
{
    if(p) 
    {
        if( p->packet_flags & PKT_REBUILT_STREAM)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_LOG, 
                        "[*] Reassembled packet, dumping stream packets\n"););
            _Unified2LogStreamAlert(p, msg, arg, event);
        }
        else 
        {
            DEBUG_WRAP(DebugMessage(DEBUG_LOG, "[*] Logging unified 2 packets...\n"););
            _Unified2LogPacketAlert(p, msg, arg, event);
        }
   }
}

static void _Unified2LogPacketAlert(Packet *p, char *msg, 
                void *arg, Event *event)
{ 
    Unified2RecordHeader hdr;
    Unified2Packet logheader;
    Unified2Config *data = (Unified2Config *)arg;
    uint32_t pkt_length; 

    if(event != NULL)
    {
        logheader.sensor_id = 0;
        logheader.event_id = htonl(event->event_reference);
        logheader.event_second = htonl(event->ref_time.tv_sec);
        logheader.linktype = htonl(1);

        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "------------\n"));
    }

    if(p && p->pkt && p->pkth)
    {
        logheader.packet_second = htonl((u_int32_t)p->pkth->ts.tv_sec);
        logheader.packet_microsecond = htonl((u_int32_t)p->pkth->ts.tv_usec);
        pkt_length = p->pkth->caplen;
        logheader.packet_length = htonl(pkt_length);
    }
    else
    {
        logheader.packet_second = 0;
        logheader.packet_microsecond = 0;
        logheader.packet_length = 0;
        pkt_length = 0;
    }

    if((data->current + sizeof(Unified2Packet) + 
                sizeof(Unified2RecordHeader) +
                pkt_length - 4) > data->limit)
    {
       Unified2RotateFile(data);
    }

    hdr.length = htonl(sizeof(Unified2Packet) - 4 + pkt_length);
    hdr.type = htonl(UNIFIED2_PACKET);

    SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Unified2RecordHeader), 
               write_pkt_buffer, write_pkt_end);
    
    SafeMemcpy(write_pkt_buffer + sizeof(Unified2RecordHeader),
               &logheader, sizeof(Unified2Packet) - 4, 
               write_pkt_buffer, write_pkt_end);

    if(p && p->pkt && p->pkth)
    {
        SafeMemcpy(write_pkt_buffer + sizeof(Unified2RecordHeader) +
               sizeof(Unified2Packet) - 4,
               p->pkt, p->pkth->caplen, 
               write_pkt_buffer, write_pkt_end);
            
        if(fwrite(write_pkt_buffer, 
           sizeof(Unified2RecordHeader) + sizeof(Unified2Packet)-4 + p->pkth->caplen,
           1, data->stream) != 1)
            FatalError("SpoUnified2: write failed: %s\n", strerror(errno));
        
        data->current += p->pkth->caplen;
    }
    else
    {
        if(fwrite(write_pkt_buffer, 
           sizeof(Unified2RecordHeader) + sizeof(Unified2Packet) - 4,
           1, data->stream) != 1)
            FatalError("SpoUnified2: write failed: %s\n", strerror(errno));
    }

    data->current += sizeof(Unified2RecordHeader) +
                            sizeof(Unified2Packet);

    fflush(data->stream);
}

typedef struct _Unified2LogStreamCallbackData
{
    Unified2Packet *logheader;
    Unified2Config *data;
    Event *event;
    int once;
} Unified2LogStreamCallbackData;

/**
 * Callback for the Stream reassembler to log packets
 *
 */
int Unified2LogStreamCallback(struct pcap_pkthdr *pkth,
                              u_int8_t *packet_data, void *userdata)
{
    Unified2LogStreamCallbackData *unifiedData;
    Unified2RecordHeader hdr;

    if (!userdata || !pkth || !packet_data)
        return -1;

    unifiedData = (Unified2LogStreamCallbackData *)userdata;

    if((unifiedData->data->current +
        sizeof(Unified2Packet) + sizeof(Unified2RecordHeader) +
        pkth->caplen - 4) > unifiedData->data->limit)
    {
       Unified2RotateFile(unifiedData->data);
    }

    hdr.type = htonl(UNIFIED2_PACKET);
    hdr.length = htonl(sizeof(Unified2Packet) - 4 + pkth->caplen);
            
    unifiedData->logheader->event_id = htonl(unifiedData->event->event_reference);
    unifiedData->logheader->event_second = htonl(unifiedData->event->ref_time.tv_sec);
    unifiedData->logheader->packet_second = htonl((u_int32_t)pkth->ts.tv_sec);
    unifiedData->logheader->packet_microsecond = htonl((u_int32_t)pkth->ts.tv_usec);
    unifiedData->logheader->packet_length = htonl(pkth->caplen);

    SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Unified2RecordHeader),
               write_pkt_buffer, write_pkt_end);

    SafeMemcpy(write_pkt_buffer + sizeof(Unified2RecordHeader), 
               unifiedData->logheader, sizeof(Unified2Packet) - 4,
               write_pkt_buffer, write_pkt_end);

    SafeMemcpy(write_pkt_buffer + 
                sizeof(Unified2RecordHeader) + sizeof(Unified2Packet) - 4, 
               packet_data, pkth->caplen,
               write_pkt_buffer, write_pkt_end);

    //if(fwrite(write_pkt_buffer, pkth->caplen, 1, 
    if(fwrite(write_pkt_buffer, sizeof(Unified2RecordHeader) + sizeof(Unified2Packet) - 4 + pkth->caplen, 1, 
               unifiedData->data->stream) != 1)
    {
         FatalError("SpoUnified2: write failed: %s\n", strerror(errno));
    }

    unifiedData->data->current += ntohl(hdr.length);

#if 0 
    /* DO NOT DO THIS FOR UNIFIED2.
     * The event referenced below in the unifiedData is a pointer
     * to the actual event and this changes its gid & sid to 2:1.
     * That is baaaaad.
     */
    /* after the first logged packet modify the event headers */
    if(!unifiedData->once++)
    {
        unifiedData->event->sig_generator = GENERATOR_TAG;
        unifiedData->event->sig_id = TAG_LOG_PKT;
        unifiedData->event->sig_rev = 1;
        unifiedData->event->classification = 0;
        unifiedData->event->priority = unifiedData->event->priority;
        /* Note that event_id is now incorrect. 
         * See OldUnified2LogPacketAlert() for details. */
    }
#endif

    return 0;
}

/**
 * Log a set of packets stored in the stream reassembler
 *
 */
static void _Unified2LogStreamAlert(Packet *p, char *msg, void *arg, Event *event)
{
    Unified2LogStreamCallbackData unifiedData;
    Unified2Packet logheader;
    Unified2Config *data = (Unified2Config *)arg;
    int once = 0;

    /* setup the event header */
    if(event != NULL)
    {
        logheader.sensor_id = 0;
        logheader.event_id = htonl(event->event_reference);
        logheader.event_second = htonl(event->ref_time.tv_sec);
        logheader.linktype = htonl(1);
    }

    /* queue up the stream for logging */
    if(p && stream_api)
    {
        unifiedData.logheader = &logheader;
        unifiedData.data = data;
        unifiedData.event = event;
        unifiedData.once = once;
        stream_api->traverse_reassembled(p, Unified2LogStreamCallback, &unifiedData);
    }
    
    fflush(data->stream);
}

/*
 * Function: Unified2ParseArgs(char *)
 *
 * Purpose: Process the preprocessor arguements from the rules file and 
 *          initialize the preprocessor's data struct.  This function doesn't
 *          have to exist if it makes sense to parse the args in the init 
 *          function.
 *
 * Arguments: args => argument list
 *
 * Returns: void function
 *
 */
Unified2Config *Unified2ParseArgs(char *args, char *default_filename)
{
    Unified2Config *tmp;
    int limit = 0;

    tmp = (Unified2Config *)calloc(sizeof(Unified2Config), sizeof(char));

    if(tmp == NULL)
    {
        FatalError("Unable to allocate Unified2 Data struct!\n");
    }

    /* This is so the if 'nostamps' option is used on the command line,
     * it will be honored by unified2, and only one variable is used. */
    tmp->nostamp = pv.nostamp;

    DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Args: %s\n", args););

    if(args != NULL)
    {
        char **toks, *end;
        int num_toks;
        int i = 0;
        toks = mSplit((char *)args, ",", 31, &num_toks, '\\');
        for(i = 0; i < num_toks; ++i)
        {
            char **stoks;
            int num_stoks;
            char *index = toks[i];
            while(isspace((int)*index))
                ++index;
          
            stoks = mSplit(index, " ", 2, &num_stoks, 0);
            
            if(strcasecmp("filename", stoks[0]) == 0)
            {
                if(num_stoks > 1 && tmp->filename == NULL)
                    tmp->filename = strdup(stoks[1]);
                else
                    FatalError("Argument Error in %s(%i): %s\n",
                            file_name, file_line, index);
            }
            else if(strcasecmp("limit", stoks[0]) == 0)
            {
                if(num_stoks > 1 && limit == 0) 
                {
                    limit = strtol(stoks[1], &end, 10);

                    if(stoks[1] == end)
                        FatalError("Argument Error in %s(%i): %s\n",
                            file_name, file_line, index);
                }
                else
                    FatalError("Argument Error in %s(%i): %s\n",
                            file_name, file_line, index);
            }
            else if(strcasecmp("nostamp", stoks[0]) == 0)
            {
                tmp->nostamp = 1;
            }
            else
            {
                FatalError("Argument Error in %s(%i): %s\n",
                        file_name, file_line, index);
            }

            mSplitFree(&stoks, num_stoks);
        }
        mSplitFree(&toks, num_toks);
    }

    if(tmp->filename == NULL)
        tmp->filename = strdup(default_filename);
    
    //LogMessage("limit == %i\n", limit);

    if(limit <= 0)
    {
        limit = 128;
    }
    if(limit > 512)
    {
        LogMessage("spo_unified %s(%d)=> Lowering limit of %iMB to 512MB\n", 
            file_name, file_line, limit);
        limit = 512;
    }

    /* convert the limit to "MB" */
    tmp->limit = limit << 20;

    return tmp;
}

/*
 * Function: Unified2CleanExitFunc()
 *
 * Purpose: Cleanup at exit time
 *
 * Arguments: signal => signal that caused this event
 *            arg => data ptr to reference this plugin's data
 *
 * Returns: void function
 */
static void Unified2CleanExit(int signal, void *arg)
{
    /* cast the arg pointer to the proper type */
    Unified2Config *data = (Unified2Config *)arg;

    DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified2: CleanExit\n"););

    fclose(data->stream);

    /* free up initialized memory */
    free(data->filename);
    free(data);
}

/*
 * Function: Restart()
 *
 * Purpose: For restarts (SIGHUP usually) clean up structs that need it
 *
 * Arguments: signal => signal that caused this event
 *            arg => data ptr to reference this plugin's data
 *
 * Returns: void function
 */
static void Unified2Restart(int signal, void *arg)
{
    Unified2Config *data = (Unified2Config *)arg;

    DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified2: Restart\n"););

    fclose(data->stream);
    free(data->filename);
    free(data);
}

/* Unified2 Alert functions (deprecated) */
void Unified2AlertInit(char *args)
{
    Unified2Config *data;

    DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Unified2 Alert Initialized\n"););

    pv.alert_plugin_active = 1;

    /* parse the argument list from the rules file */
    data = Unified2ParseArgs(args, "snort-unified.alert");

    Unified2InitFile(data);

    /* Set the preprocessor function into the function list */
    AddFuncToOutputList(Unified2LogAlert, NT_OUTPUT_ALERT, data);
    AddFuncToCleanExitList(Unified2CleanExit, data);
    AddFuncToRestartList(Unified2Restart, data);
}

/* Unified2 Packet Log functions (deprecated) */
void Unified2LogInit(char *args)
{
    Unified2Config *Unified2Info;

    DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Unified2 Log Initialized\n"););

    /* tell command line loggers to go away */
    pv.log_plugin_active = 1;

    /* parse the argument list from the rules file */
    Unified2Info = Unified2ParseArgs(args, "snort-unified.log");

    //LogMessage("Unified2LogFilename = %s\n", Unified2Info->filename);

    Unified2InitFile(Unified2Info);

    pv.log_bitmap |= LOG_UNIFIED2;

    /* Set the preprocessor function into the function list */
    AddFuncToOutputList(Unified2LogPacketAlert, NT_OUTPUT_LOG, Unified2Info);
    AddFuncToCleanExitList(Unified2CleanExit, Unified2Info);
    AddFuncToRestartList(Unified2Restart, Unified2Info);
}