📄 log.c
字号:
if(p->frag_flag)
{
/* just print the straight IP header */
fputs(inet_ntoa(p->iph->ip_src), file);
fwrite(" -> ", 4, 1, file);
fputs(inet_ntoa(p->iph->ip_dst), file);
}
else
{
switch(p->iph->ip_proto)
{
case IPPROTO_UDP:
case IPPROTO_TCP:
/* print the header complete with port information */
fputs(inet_ntoa(p->iph->ip_src), file);
fprintf(file, ":%d -> ", p->sp);
fputs(inet_ntoa(p->iph->ip_dst), file);
fprintf(file, ":%d", p->dp);
break;
case IPPROTO_ICMP:
default:
/* just print the straight IP header */
fputs(inet_ntoa(p->iph->ip_src), file);
fwrite(" -> ", 4, 1, file);
fputs(inet_ntoa(p->iph->ip_dst), file);
}
}
} /* end of if (p) */
fputc('\n', file);
return;
}
/****************************************************************************
*
* Function: SyslogAlert(Packet *, char *)
*
* Purpose: Send the current alert to syslog
*
* Arguments: p => pointer to the packet data struct
* msg => the message to print in the alert
*
* Returns: void function
*
***************************************************************************/
void SyslogAlert(Packet * p, char *msg, void *arg)
{
char sip[16];
char dip[16];
/*
* have to do this since inet_ntoa is fucked up and writes to a static
* memory location
*/
if(p)
{
strncpy(sip, inet_ntoa(p->iph->ip_src), 16);
strncpy(dip, inet_ntoa(p->iph->ip_dst), 16);
if((p->iph->ip_proto != IPPROTO_TCP &&
p->iph->ip_proto != IPPROTO_UDP) || p->frag_flag)
{
if(msg != NULL)
{
if(pv.alert_interface_flag)
{
/* ICMP packets don't get port info... */
syslog(LOG_AUTHPRIV | LOG_ALERT, "<%s> %s: %s -> %s",
#ifdef WIN32
print_interface(pv.interfaces[0]), msg, sip, dip);
#else
pv.interfaces[0], msg, sip, dip);
#endif
}
else
{
/* ICMP packets don't get port info... */
syslog(LOG_AUTHPRIV | LOG_ALERT, "%s: %s -> %s", msg,
sip, dip);
}
}
else
{
/* ICMP packets don't get port info... */
syslog(LOG_AUTHPRIV | LOG_ALERT, "ALERT: %s -> %s",
sip, dip);
}
}
else
{
if(msg != NULL)
{
if(pv.alert_interface_flag)
{
syslog(LOG_AUTHPRIV | LOG_ALERT, "<%s> %s: %s:%i -> %s:%i",
#ifdef WIN32
print_interface(pv.interfaces[0]), msg, sip, p->sp, dip, p->dp);
#else
pv.interfaces[0], msg, sip, p->sp, dip, p->dp);
#endif
}
else
{
syslog(LOG_AUTHPRIV | LOG_ALERT, "%s: %s:%i -> %s:%i",
msg, sip, p->sp, dip, p->dp);
}
}
else
{
syslog(LOG_AUTHPRIV | LOG_ALERT, "ALERT: %s:%i -> %s:%i",
sip, p->sp, dip, p->dp);
}
}
}
else /* p == NULL */
{
syslog(LOG_AUTHPRIV | LOG_ALERT, "%s", msg == NULL ? "ALERT!" : msg);
}
return;
}
/****************************************************************************
*
* Function: SmbAlert(Packet *, char *)
*
* Purpose: Send the current alert to a waiting WinPopup client
*
* Arguments: p => pointer to the packet data struct
* msg => the message to print in the alert
*
* Returns: void function
*
***************************************************************************/
#ifdef ENABLE_SMB_ALERTS
void SmbAlert(Packet * p, char *msg, void *arg)
{
char command_line[2048];
FILE *output;
FILE *workstations;
char *tempmsg;
char workfile[STD_BUF];
char tempwork[STD_BUF];
char timestamp[23];
int msg_str_size;
bzero((char *) timestamp, 23);
ts_print(p == NULL ? NULL : (struct timeval *) & p->pkth->ts, timestamp);
#ifdef DEBUG
printf("Generating SMB alert!\n");
#endif
/* set the workstation name filename */
sprintf(workfile, "%s", pv.smbmsg_dir);
/* message size + IP addrs + ports + pad space */
msg_str_size = strlen(msg) + 32 + 10 + 150;
if((tempmsg = (char *) calloc(msg_str_size, sizeof(char))) == NULL)
{
FatalError("[!] ERROR: SmbAlert() unable to allocate space for tempmsg: %s\n", strerror(errno));
}
/* open the message file and the workstation names file */
if((workstations = fopen(workfile, "r")) != NULL)
{
/* clear the read buffers */
bzero((char *) workfile, STD_BUF);
if(p != NULL)
{
if(p->frag_flag || (p->iph->ip_proto != IPPROTO_TCP
&& p->iph->ip_proto != IPPROTO_UDP))
{
/* write the alert message into the buffer */
sprintf(tempmsg, "SNORT ALERT - Possible Network Attack or Probe:\n [**] %s [**]\n%s %s->%s", msg, timestamp, inet_ntoa(p->iph->ip_src), inet_ntoa(p->iph->ip_dst));
}
else
{
/* write the alert message into the buffer */
sprintf(tempmsg, "SNORT ALERT - Possible Network Attack or Probe:\n [**] %s [**]\n%s %s:%d->%s:%d", msg, timestamp, inet_ntoa(p->iph->ip_src), p->sp, inet_ntoa(p->iph->ip_dst), p->dp);
}
}
else
{
/*
* write the alert message into the buffer - this part is for
* alerts with NULL packets (like portscans)
*/
sprintf(tempmsg, "SNORT ALERT - Possible Network Attack or Probe:\n [**] %s [**]\n", msg);
}
bzero((char *) tempwork, STD_BUF);
bzero((char *) command_line, 2048);
/* read in the name of each workstation to send the message to */
while((fgets(tempwork, STD_BUF - 1, workstations)) != NULL)
{
/* if the line isn't blank */
if(tempwork[0] != 0x0A)
{
/* chop the <CR> */
strip(tempwork);
if(strlen(tempmsg) + strlen(tempwork) + 50 < 2048)
{
/* build the command line */
sprintf(command_line, "echo \"%s\" | smbclient -U Snort -M %s", tempmsg, tempwork);
/* run the command */
output = popen(command_line, "r");
pclose(output);
}
else
{
ErrorMessage("[!] WARNING: Unable to send alert to %s, command buffer size exceeded!\n", tempwork);
}
#ifdef DEBUG
printf("Sending WinPopup alert to: %s\n", tempwork);
printf("Command Line: %s\n", command_line);
#endif
bzero((char *) tempwork, STD_BUF);
bzero((char *) command_line, 2048);
}
}
fclose(workstations);
}
free(tempmsg);
}
#endif
/****************************************************************************
*
* Function: NoAlert(Packet *, char *)
*
* Purpose: Don't alert at all
*
* Arguments: p => pointer to the packet data struct
* msg => the message to not print in the alert
*
* Returns: void function
*
***************************************************************************/
void NoAlert(Packet * p, char *msg, void *arg)
{
return;
}
/****************************************************************************
*
* Function: LogPkt(Packet *)
*
* Purpose: Log packets that match one of the Snort rules, plus the rules
* message
*
* Arguments: p => pointer to the packet data structure
*
* Returns: void function
*
***************************************************************************/
void LogPkt(Packet * p, char *msg, void *arg)
{
/*
* some plugins may pass NULL as 'p' structure here (f.e. if they only
* want to log message
*/
if(p)
OpenLogFile(0, p);
else
OpenLogFile(GENERIC_LOG, p);
if(msg != NULL)
{
fwrite("[**] ", 5, 1, log_ptr);
fwrite(msg, strlen(msg), 1, log_ptr);
fwrite(" [**]\n", 6, 1, log_ptr);
}
if(p)
PrintIPPkt(log_ptr, p->iph->ip_proto, p);
fclose(log_ptr);
}
/****************************************************************************
*
* Function: LogArpPkt(Packet *)
*
* Purpose: Log ARP packets
*
* Arguments: p => pointer to the packet data structure
*
* Returns: void function
*
***************************************************************************/
void LogArpPkt(Packet * p)
{
if(p)
{
if(pv.logbin_flag)
{
/* LogBin(p); */
}
else if(!pv.nolog_flag)
{
OpenLogFile(ARP, p);
PrintArpHeader(log_ptr, p);
fclose(log_ptr);
}
}
else
{
/* let's just make sure we don't coredump if we have some logic error in one
* of plugins/preprocessors...
*/
ErrorMessage("WARNING: Null Packet pointer in LogArpPkt. Please report.\n");
}
}
/****************************************************************************
*
* Function: NoLog(Packet *)
*
* Purpose: Don't log anything
*
* Arguments: p => packet to not log
*
* Returns: void function
*
***************************************************************************/
void NoLog(Packet * p, char *msg, void *arg)
{
return;
}
/****************************************************************************
*
* Function: Print2ndHeader(FILE *, Packet p)
*
* Purpose: Print2ndHeader -- prints second layber header info.
*
* Arguments: fp => file stream to print to
*
* Returns: void function
*
***************************************************************************/
void Print2ndHeader(FILE * fp, Packet * p)
{
if(p && p->eh)
PrintEthHeader(fp, p);
if(p && p->trh)
PrintTrHeader(fp, p);
}
/****************************************************************************
*
* Function: PrintTrHeader(FILE *, Packet p)
&
* Purpose: Print the packet TokenRing header to the specified stream
*
* Arguments: fp => file stream to print to
*
* Returns: void function
***************************************************************************/
void PrintTrHeader(FILE * fp, Packet * p)
{
fprintf(fp, "%X:%X:%X:%X:%X:%X -> ", p->trh->saddr[0],
p->trh->saddr[1], p->trh->saddr[2], p->trh->saddr[3],
p->trh->saddr[4], p->trh->saddr[5]);
fprintf(fp, "%X:%X:%X:%X:%X:%X\n", p->trh->daddr[0],
p->trh->daddr[1], p->trh->daddr[2], p->trh->daddr[3],
p->trh->daddr[4], p->trh->daddr[5]);
fprintf(fp, "access control:0x%X frame control:0x%X\n", p->trh->ac,
p->trh->fc);
if(!p->trhllc)
return;
fprintf(fp, "DSAP: 0x%X SSAP 0x%X protoID: %X%X%X Ethertype: %X\n",
p->trhllc->dsap, p->trhllc->ssap, p->trhllc->protid[0],
p->trhllc->protid[1], p->trhllc->protid[2], p->trhllc->ethertype);
if(p->trhmr)
{
fprintf(fp, "RIF structure is present:\n");
fprintf(fp, "bcast: 0x%X length: 0x%X direction: 0x%X largest"
"fr. size: 0x%X res: 0x%X\n",
p->trhmr->bcast, p->trhmr->len, p->trhmr->dir, p->trhmr->lf,
p->trhmr->res);
fprintf(fp, "rseg -> %X:%X:%X:%X:%X:%X:%X:%X\n",
p->trhmr->rseg[0], p->trhmr->rseg[1], p->trhmr->rseg[2],
p->trhmr->rseg[3], p->trhmr->rseg[4], p->trhmr->rseg[5],
p->trhmr->rseg[6], p->trhmr->rseg[7]);
}
}
/****************************************************************************
*
* Function: PrintEthHeader(FILE *)
*
* Purpose: Print the packet Ethernet header to the specified stream
*
* Arguments: fp => file stream to print to
*
* Returns: void function
*
***************************************************************************/
void PrintEthHeader(FILE * fp, Packet * p)
{
/* src addr */
fprintf(fp, "%X:%X:%X:%X:%X:%X -> ", p->eh->ether_src[0],
p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3],
p->eh->ether_src[4], p->eh->ether_src[5]);
/* dest addr */
fprintf(fp, "%X:%X:%X:%X:%X:%X ", p->eh->ether_dst[0],
p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3],
p->eh->ether_dst[4], p->eh->ether_dst[5]);
/* protocol and pkt size */
fprintf(fp, "type:0x%X len:0x%X\n", ntohs(p->eh->ether_type), p->pkth->len);
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -