
# --- SDE-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# Filename: package/.../sancp/sancp-1.6.1-stable-prelude-3.diff
# Copyright (C) 2007 The OpenSDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- SDE-COPYRIGHT-NOTE-END ---
diff -ruN sancp-1.6.1-stable.vanilla/Makefile sancp-1.6.1-stable/Makefile
--- sancp-1.6.1-stable.vanilla/Makefile 2007-07-07 00:46:11.000000000 +0200
+++ sancp-1.6.1-stable/Makefile 2007-07-24 13:44:01.000000000 +0200
@@ -9,7 +9,7 @@
# LINUX and BSD CFLAGS
-CFLAGS = -O3 -I/usr/include/pcap -I/usr/local/include/pcap -I./ -L/usr/lib/libsocket.so -g -L/opt/csw/lib -ggdb
+CFLAGS = -g -O3 -I/usr/include/pcap -I/usr/local/include/pcap -I./ -L/usr/lib/libsocket.so -g -L/opt/csw/lib -ggdb `libprelude-config --cflags`
# LINUX LFLAGS
LFLAGS = -lresolv -lnsl -lpcap -L/usr/lib/libpcap.so.0.6.2
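Review bot: The rewritten CFLAGS line carries `-g` twice (the new one at the front and the original one before `-L/opt/csw/lib`) alongside `-ggdb`, so the added flag is redundant; drop the leading `-g` or the duplicate. Putting `libprelude-config --cflags` straight into CFLAGS makes libprelude an unconditional build dependency, and a host without it fails at the first compile rather than with a clear message, which deserves a Makefile check or at least a line in the README. The second hunk of this file appends `libprelude-config --libs`/`--ldflags` to both link lines, which is consistent with this change.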
@@ -41,10 +41,10 @@
bsd :
@(echo "#define PLATFORM_BSD" > platform.h)
@make final
- g++ -Wall $(BFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o
+ g++ -Wall $(BFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o `libprelude-config --libs` `libprelude-config --ldflags`
linux :
@(echo "#define PLATFORM_LINUX" > platform.h)
@make final
- g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o
+ g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o `libprelude-config --libs` `libprelude-config --ldflags`
diff -ruN sancp-1.6.1-stable.vanilla/apply_rule.cc sancp-1.6.1-stable/apply_rule.cc
--- sancp-1.6.1-stable.vanilla/apply_rule.cc 2007-07-05 18:12:20.000000000 +0200
+++ sancp-1.6.1-stable/apply_rule.cc 2007-07-24 13:44:01.000000000 +0200
@@ -47,6 +47,12 @@
tc->tcplag=myacl->tcplag;
tc->status=myacl->status;
tc->rid=myacl->rid;
+ tc->prelude_impact_severity=myacl->prelude_impact_severity;
+ tc->prelude_impact_completion=myacl->prelude_impact_completion;
+ tc->prelude_impact_type=myacl->prelude_impact_type;
+ tc->prelude_confidence_rating=myacl->prelude_confidence_rating;
+
+
if(myacl->pmode==OMODE_UNIQ)
{
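Review bot: The four new assignments copy `char *` pointers, not strings, so each connection record aliases the ACL's (or gVars') prelude strings instead of owning a copy; that is fine as long as the ACL outlives every `cnx`, but if rules are ever rebuilt and the old ACL freed while connections are still tracked, `cn->prelude_impact_*` would dangle — the ACL teardown is not visible in this patch, so this needs confirming. The same shallow copy appears in the other two hunks of this file (the `nc->` assignments from `myacl` and from `gVars`); a one-line comment at the first of them, `// borrowed from the ACL/gVars, not owned by the cnx`, would document the ownership. The two blank lines added at the end of this hunk are stray whitespace.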
@@ -112,6 +118,10 @@
nc->rgid=myacl->rgid;
nc->zone=myacl->zone;
nc->node=myacl->node;
+ nc->prelude_impact_severity=myacl->prelude_impact_severity;
+ nc->prelude_impact_completion=myacl->prelude_impact_completion;
+ nc->prelude_impact_type=myacl->prelude_impact_type;
+ nc->prelude_confidence_rating=myacl->prelude_confidence_rating;
myacl->ctr++;
return;
}
@@ -130,6 +140,10 @@
nc->timeout=gVars.default_timeout;
nc->tcplag=gVars.default_tcplag;
nc->node=gVars.default_node;
+ nc->prelude_impact_severity=gVars.prelude_impact_severity;
+ nc->prelude_impact_completion=gVars.prelude_impact_completion;
+ nc->prelude_impact_type=gVars.prelude_impact_type;
+ nc->prelude_confidence_rating=gVars.prelude_confidence_rating;
gVars.default_ctr++;
#ifdef DEBUG
printf("Setting stats: %d pcap: %d realtime: %d limit: %d timeout: %d tcplag: %d\n", nc->stats, nc->pcap, nc->realtime, nc->limit, nc->timeout, nc->tcplag);
diff -ruN sancp-1.6.1-stable.vanilla/build_acl.cc sancp-1.6.1-stable/build_acl.cc
--- sancp-1.6.1-stable.vanilla/build_acl.cc 2007-07-05 18:12:20.000000000 +0200
+++ sancp-1.6.1-stable/build_acl.cc 2007-07-24 13:44:01.000000000 +0200
@@ -1168,6 +1168,62 @@
fprintf(stdout,"Didn't set default for %s to %s\n",tok,tmp);
#endif
}
+ if(strcmp(tok,"prelude_impact_severity")==0)
+ {
+ if((tmp = get_tok(&rules,accept))==NULL)
+ {
+ syslog(LOG_ERR,"Format error, prelude_impact_severity specified but none provided, using prelude_impact_severity %s\n",PRELUDE_IMPACT_SEVERITY);
+ free(rule);
+ return;
+ }
+ gVars.prelude_impact_severity = strdup(tmp);
+ free(rule);
+ }
+ if(strcmp(tok,"prelude_impact_completion")==0)
+ {
+ if((tmp = get_tok(&rules,accept))==NULL)
+ {
+ syslog(LOG_ERR,"Format error, prelude_impact_completion specified but none provided, using prelude_impact_completion %s\n",PRELUDE_IMPACT_COMPLETION);
+ free(rule);
+ return;
+ }
+ gVars.prelude_impact_completion = strdup(tmp);
+ free(rule);
+ }
+ if(strcmp(tok,"prelude_impact_type")==0)
+ {
+ if((tmp = get_tok(&rules,accept))==NULL)
+ {
+ syslog(LOG_ERR,"Format error, prelude_impact_type specified but none provided, using prelude_impact_type %s\n",PRELUDE_IMPACT_TYPE);
+ free(rule);
+ return;
+ }
+ gVars.prelude_impact_type = strdup(tmp);
+ free(rule);
+ }
+ if(strcmp(tok,"prelude_confidence_rating")==0)
+ {
+ if((tmp = get_tok(&rules,accept))==NULL)
+ {
+ syslog(LOG_ERR,"Format error, prelude_confidence_rating specified but none provided, using prelude_confidence_rating %s\n",PRELUDE_CONFIDENCE_RATING);
+ free(rule);
+ return;
+ }
+ gVars.prelude_confidence_rating = strdup(tmp);
+ free(rule);
+ }
+ if(strcmp(tok,"prelude_profile")==0)
+ {
+ if((tmp = get_tok(&rules,accept))==NULL)
+ {
+ syslog(LOG_ERR,"Format error, prelude_profile specified but none provided, using prelude_profile %s\n",PRELUDE_PROFILE);
+ free(rule);
+ return;
+ }
+ gVars.prelude_profile = strdup(tmp);
+ free(rule);
+ }
+
}
void parse_var(char *c_rule, char *accept)
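Review bot: None of the five new `prelude_*` defaults is validated before being stored: `gVars.prelude_impact_severity = strdup(tmp)` accepts any token, but libprelude rejects values outside the IDMEF enumerations when `record_prelude` later builds the alert (severity is one of info/low/medium/high, completion failed/succeeded, type admin/dos/file/recon/user/other, confidence low/medium/high), and because that failure is not reported the alert silently goes out without its assessment — the README example in this patch, `severity=severe`, would hit exactly this. Checking the token at parse time and logging the rejected value keeps the operator's configuration error visible; the same applies to the `severity`/`completion`/`type`/`confidence` per-rule options in the third hunk of this file. The `strdup` result is unchecked, and the previous value is overwritten without being freed, which cannot be fixed with a plain `free` because the initial value is a string literal from sancp.h — either always `strdup` the default or accept the one-time leak with a comment. Each branch calls `free(rule)` and then falls through to the next `strcmp(tok, …)`; if `tok` points into `rule` (as the `get_tok(&rules, …)` usage suggests) that comparison reads freed memory, so the branches should `return` after the free — I cannot see how the pre-existing branches above handle this.
```cpp
/* True when value is one of the tokens libprelude accepts for the field. */
static int prelude_value_ok(const char *value, const char *const *allowed)
{
    for (; *allowed; allowed++) {
        if (strcmp(value, *allowed) == 0)
            return 1;
    }
    return 0;
}

/* IDMEF enumerations, NULL-terminated; one table per field. */
static const char *const prelude_severity_values[] = { "info", "low", "medium", "high", NULL };

// … unchanged: earlier default handlers, get_tok/syslog check of the severity branch …
        if(!prelude_value_ok(tmp, prelude_severity_values))
        {
            syslog(LOG_ERR,"Invalid prelude_impact_severity '%s', keeping %s\n",tmp,gVars.prelude_impact_severity);
            free(rule);
            return;
        }
        gVars.prelude_impact_severity = strdup(tmp);
        free(rule);
        return;
// … unchanged: completion/type/confidence/profile handlers, same pattern with their own tables …
```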
@@ -1426,6 +1482,10 @@
}else{
n_acl->fH = 0;
}
+ n_acl->prelude_impact_severity = gVars.prelude_impact_severity;
+ n_acl->prelude_impact_completion = gVars.prelude_impact_completion;
+ n_acl->prelude_impact_type = gVars.prelude_impact_type;
+ n_acl->prelude_confidence_rating = gVars.prelude_confidence_rating;
// FIELD 0 - required - Get the h_proto
n_acl->h_proto_h = 0xFFFF;
@@ -2061,6 +2121,46 @@
n_acl->retro = true;
continue;
}
+ if(strcmp(tok,"severity")==0)
+ {
+ if((tmp = get_tok(rules,accept))==NULL)
+ {
+ syslog(LOG_ERR,"Format error, severity specified but no option provided%s\n",rule);
+ return;
+ }
+ n_acl->prelude_impact_severity = strdup(tmp);
+ continue;
+ }
+ if(strcmp(tok,"completion")==0)
+ {
+ if((tmp = get_tok(rules,accept))==NULL)
+ {
+ syslog(LOG_ERR,"Format error, completion specified but no option provided%s\n",rule);
+ return;
+ }
+ n_acl->prelude_impact_completion = strdup(tmp);
+ continue;
+ }
+ if(strcmp(tok,"type")==0)
+ {
+ if((tmp = get_tok(rules,accept))==NULL)
+ {
+ syslog(LOG_ERR,"Format error, type specified but no option provided%s\n",rule);
+ return;
+ }
+ n_acl->prelude_impact_type = strdup(tmp);
+ continue;
+ }
+ if(strcmp(tok,"confidence")==0)
+ {
+ if((tmp = get_tok(rules,accept))==NULL)
+ {
+ syslog(LOG_ERR,"Format error, confidence specified but no option provided%s\n",rule);
+ return;
+ }
+ n_acl->prelude_confidence_rating = strdup(tmp);
+ continue;
+ }
syslog(LOG_ERR,"Skipping, invalid option in rule: %s %s\n", tok,*rules);
return;
}
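Review bot: The four new error messages have no separator before the rule text: `"Format error, severity specified but no option provided%s\n"` runs the word "provided" straight into the rule, unlike the existing `"Skipping, invalid option in rule: %s %s\n"` just below; change each to `"… but no option provided: %s\n"`. The `strdup` results are unchecked here as well, and since these per-rule strings replace a pointer that was borrowed from `gVars` four hunks earlier, the ACL teardown cannot blindly free `n_acl->prelude_*` — a comment such as `/* owned by this acl only when it came from the rule; gVars default otherwise */` would save the next maintainer a double-free. The enclosing parse function starts before this hunk.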
diff -ruN sancp-1.6.1-stable.vanilla/docs/README sancp-1.6.1-stable/docs/README
--- sancp-1.6.1-stable.vanilla/docs/README 2007-07-06 03:33:14.000000000 +0200
+++ sancp-1.6.1-stable/docs/README 2007-07-24 13:44:01.000000000 +0200
@@ -277,6 +277,10 @@
strip-80211 { disable|enable }
node <number>
debug_pcap_raw { disable|enable }
+ prelude_impact_severity [string]
+ prelude_impact_completion [string]
+ prelude_impact_type [string]
+ prelude_confidence_rating [string]
known_port syntax:
-----------------------:
@@ -310,6 +314,9 @@
b) tagging options
i.e. status=16 rid=1112 node=2
+ c) prelude options
+ i.e. severity=severe, completion=succeeded, type=other, confidence=high
+
[<ether protocol>[-<end_range>] [<src_ip{/<CIDR>|<dotted>}>] [<dst_ip{/<CIDR>|<dotted>}>] [{tcp|udp|icmp|<proto number>[-<end_range>] }]
[<src_port>{-[<end_port_range>]}] [<dst_port>{-[<end_port_range>]}]
{ ignore | stats [{log|pass}] | realtime [{log|pass}] |
diff -ruN sancp-1.6.1-stable.vanilla/gvars.h sancp-1.6.1-stable/gvars.h
--- sancp-1.6.1-stable.vanilla/gvars.h 2007-07-05 18:12:20.000000000 +0200
+++ sancp-1.6.1-stable/gvars.h 2007-07-24 13:44:01.000000000 +0200
@@ -17,7 +17,8 @@
/* Make certain all id's are represented in the same order (as strings) in fmtnames[] */
/* 'null' is a place holder - in the list for field 0 */
-enum id {null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_local,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac };
+enum id
+{null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_local,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac,prelude_impact_sevirty,prelude_impact_completion,prelude_impact_type,prelude_confidence_rating,prelude_profile };
struct cnx_queue {
struct cnx *head;
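Review bot: The new enumerator is spelt `prelude_impact_sevirty` while every field and option in the rest of the patch is `prelude_impact_severity`; rename it before anything depends on the typo. The comment two lines above requires every `enum id` value to appear, in the same order, as a string in `fmtnames[]`, and this patch adds five ids without any `fmtnames[]` change — if these ids are meant to be usable in output formats the table must grow too, and if not they probably do not belong in `enum id` at all; I cannot see `fmtnames[]` here, so this may already be handled elsewhere. Reflowing the enum onto two lines also makes the diff harder to read than appending to the original line.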
@@ -102,5 +103,10 @@
int stdout_fmt_len;
pcap_t *ph; // pcap handle
struct pcap_pkthdr *g_pkthdr;//
+ char *prelude_impact_severity;
+ char *prelude_impact_completion;
+ char *prelude_impact_type;
+ char *prelude_confidence_rating;
+ char *prelude_profile;
};
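Review bot: The five new fields are plain `char *` but hold mixed-ownership data: sancp.cc initialises them from the `PRELUDE_*` string literals and build_acl.cc later replaces them with `strdup` results, so no code can ever free them safely. Declaring them `const char *` and adding `/* default literal from sancp.h or strdup'd from the config; never freed */` makes the intent explicit and stops a future `free` on the literal.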
diff -ruN sancp-1.6.1-stable.vanilla/sancp.cc sancp-1.6.1-stable/sancp.cc
--- sancp-1.6.1-stable.vanilla/sancp.cc 2007-07-05 18:12:20.000000000 +0200
+++ sancp-1.6.1-stable/sancp.cc 2007-07-24 13:44:01.000000000 +0200
@@ -48,7 +48,40 @@
//char dfltfmt[]= { sancp_id,start_time_gmt,src_mac,dst_mac,eth_proto,src_ip_dotted,dst_ip_dotted,ip_proto,src_port,dst_port };
char dfltfmt_human_readable[]= { sancp_id,start_time_gmt,stop_time_gmt,erased_time_gmt,eth_proto,ip_proto,src_ip_dotted,src_port,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,dflags_hex,cflags_hex,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac };
+prelude_client_t *client;
+static idmef_analyzer_t *idmef_analyzer;
+int sancp_alert_init(prelude_client_t *client)
+{
+ int ret;
+ prelude_string_t *string;
+
+ idmef_analyzer = prelude_client_get_analyzer(client);
+ if ( ! idmef_analyzer )
+ return -1;
+
+ ret = idmef_analyzer_new_model(idmef_analyzer, &string);
+ if ( ret < 0 )
+ return -1;
+ prelude_string_set_constant(string, PRELUDE_ANALYZER_MODEL);
+
+ ret = idmef_analyzer_new_class(idmef_analyzer, &string);
+ if ( ret < 0 )
+ return -1;
+ prelude_string_set_constant(string, PRELUDE_ANALYZER_CLASS);
+
+ ret = idmef_analyzer_new_manufacturer(idmef_analyzer, &string);
+ if ( ret < 0 )
+ return -1;
+ prelude_string_set_constant(string, PRELUDE_ANALYZER_MANUFACTURER);
+
+ ret = idmef_analyzer_new_version(idmef_analyzer, &string);
+ if ( ret < 0 )
+ return -1;
+ prelude_string_set_constant(string, VERSION);
+
+ return 0;
+}
/*************
* Main *
*************/
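Review bot: The parameter of `sancp_alert_init` is named `client`, shadowing the global `prelude_client_t *client` defined two lines above it; it works today but invites the wrong object being used once the function grows, so rename it (for instance `pc`). The function reports failure with `-1`, yet its only call site later in this file ignores the result, so a failed analyzer setup still starts the client with a partly filled analyzer. `static idmef_analyzer_t *idmef_analyzer` is file-scope but only written and read inside this function, so it can be a local. A header comment is missing; something like `/* Describe this sensor (model, class, manufacturer, version) to the prelude client's analyzer; returns 0 or -1 on a libprelude failure. */` would do.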
@@ -56,6 +89,7 @@
int main(int argc, char *argv[]) {
extern struct gvars gVars;
int cKey;
+ int ret;
pid_t pid=0;
/*
@@ -102,6 +136,14 @@
gVars.stdout_delimiter=DEFAULT_DELIMITER;
gVars.stdout_eor=DEFAULT_EOR;
+ gVars.prelude_impact_severity=PRELUDE_IMPACT_SEVERITY;
+ gVars.prelude_impact_completion=PRELUDE_IMPACT_COMPLETION;
+ gVars.prelude_impact_type=PRELUDE_IMPACT_TYPE;
+ gVars.prelude_confidence_rating=PRELUDE_CONFIDENCE_RATING;
+ gVars.prelude_profile=PRELUDE_PROFILE;
+
+
+
for(cKey=0; cKey<HASH_KEYS; cKey++)
{
gVars.cnx_head[cKey]=NULL;
@@ -116,6 +158,8 @@
parse_args(argc, argv);
+
+
if(gVars.human_readable){
if(gVars.realtime_fmt_len!=sizeof(dfltfmt_human_readable)){
free(gVars.realtime_fmt);
@@ -143,7 +187,15 @@
setsid();
}
+ prelude_log_set_flags((prelude_log_flags_t)PRELUDE_LOG_FLAGS_SYSLOG);
}
+
+ /* Initialize prelude */
+ ret = prelude_init(&argc, argv);
+ if (ret < 0) {
+ prelude_perror(ret, "unable to initialize the prelude library");
+ exit_all(0);
+ }
/* Retrieve the last cnxid from cache file if we haven't already in parse_args() */
if(!gVars.cnx_id)
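Review bot: `exit_all(0)` after `prelude_init` fails reports success to the caller and to any init script, so a sensor that could not initialise looks like a clean exit; a non-zero status is needed here and in the three identical `exit_all(0)` calls of the next hunk (client creation, start and flags). `prelude_init(&argc, argv)` is also called after `parse_args(argc, argv)`; if prelude_init consumes its own `--prelude-*` options from argv, as the `int *argc` signature suggests, sancp's parser sees them first and may reject them, so the call should move ahead of `parse_args` — worth confirming against the libprelude documentation. `prelude_log_set_flags` being inside the daemonise branch looks intentional and is fine.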
@@ -197,6 +249,29 @@
build_config(1);
+ /* Create prelude sensor */
+
+ ret = prelude_client_new(&client, gVars.prelude_profile);
+ if ( ! client ) {
+ prelude_perror(ret, "Unable to create a prelude client object");
+ exit_all(0);
+ }
+
+ /* Start prelude sensor */
+ sancp_alert_init(client);
+ ret = prelude_client_start(client);
+ if ( ret < 0 ) {
+ prelude_perror(ret, "Unable to start prelude client");
+ exit_all(0);
+ }
+
+ ret = prelude_client_set_flags(client, (prelude_client_flags_t)
+ (PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
+ if ( ret < 0 ) {
+ fprintf(stderr, "Unable to set asynchronous send and timer.\n");
+ exit_all(0);
+ }
+
/* Open files for output */
/* Be r3al l33t h3r3 */
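Review bot: `prelude_client_new` is checked with `if ( ! client )` while the error is carried in `ret`, unlike the `ret < 0` tests on the following calls; use `if ( ret < 0 )` so a failure that leaves `client` non-NULL is still caught. `sancp_alert_init(client);` discards its return value, so the analyzer may be incomplete when `prelude_client_start` runs — `if ( sancp_alert_init(client) < 0 ) { … exit … }` is the minimal fix. `prelude_client_start` reads the sensor profile's credentials; if sancp has dropped privileges by this point (permissions.o is built, but that code is not in view) the profile files must be readable by the unprivileged user, which the README should state.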
diff -ruN sancp-1.6.1-stable.vanilla/sancp.h sancp-1.6.1-stable/sancp.h
--- sancp-1.6.1-stable.vanilla/sancp.h 2007-07-06 06:18:04.000000000 +0200
+++ sancp-1.6.1-stable/sancp.h 2007-07-24 13:44:01.000000000 +0200
@@ -47,6 +47,10 @@
#include "gvars.h"
#endif
+#include <libprelude/prelude.h>
+#include <libprelude/prelude-log.h>
+#include <netdb.h>
+
#define NCP_H
#define Y 'Y'
#define N 'N'
@@ -79,6 +83,7 @@
struct vars *next;
};
+extern prelude_client_t *client;
int main(int argc, char *argv[]);
struct cnx *process(struct cnx*, int len, u_char * pkt);
char * createPcapFileName();
@@ -185,6 +190,15 @@
#define OMODE_RULE 5
#define OMODE_UNIQ 6
+#define PRELUDE_IMPACT_SEVERITY "medium"
+#define PRELUDE_IMPACT_COMPLETION "succeeded"
+#define PRELUDE_IMPACT_TYPE "other"
+#define PRELUDE_CONFIDENCE_RATING "high"
+#define PRELUDE_ANALYZER_MODEL "Sancp"
+#define PRELUDE_ANALYZER_CLASS "NIDS"
+#define PRELUDE_ANALYZER_MANUFACTURER "http://www.metre.net/sancp.html"
+#define PRELUDE_PROFILE "sancp"
+
// Need to distinguish between classes of variables
#define VCLASS_0 1 // eth_proto class vars
#define VCLASS_1 2 // ip_addr class vars
@@ -276,6 +290,10 @@
u_int16_t rgid;
u_int16_t node;
u_int16_t zone;
+ char *prelude_impact_severity;
+ char *prelude_impact_completion;
+ char *prelude_impact_type;
+ char *prelude_confidence_rating;
CBuffer *CBufferPtr;
struct acl *next;
};
@@ -314,6 +332,10 @@
u_int16_t rgid;
u_int16_t node;
u_int16_t zone;
+ char *prelude_impact_severity;
+ char *prelude_impact_completion;
+ char *prelude_impact_type;
+ char *prelude_confidence_rating;
CBuffer *CBufferPtr;
struct os_info os_info;
struct os_info os_info2;
diff -ruN sancp-1.6.1-stable.vanilla/statefull_logging.cc sancp-1.6.1-stable/statefull_logging.cc
--- sancp-1.6.1-stable.vanilla/statefull_logging.cc 2007-07-05 18:12:20.000000000 +0200
+++ sancp-1.6.1-stable/statefull_logging.cc 2007-07-24 13:44:01.000000000 +0200
@@ -183,6 +183,208 @@
snprintf(buf,len,"%s",currenttime);
}
+static int add_idmef_object(idmef_message_t *message, const char *object, const char *value)
+{
+ int ret;
+ idmef_value_t *val;
+ idmef_path_t *path;
+
+ ret = idmef_path_new(&path, object);
+ if ( ret < 0 )
+ return -1;
+
+ ret = idmef_value_new_from_path(&val, path, value);
+ if ( ret < 0 ) {
+ idmef_path_destroy(path);
+ return -1;
+ }
+
+ ret = idmef_path_set(path, message, val);
+
+ idmef_value_destroy(val);
+ idmef_path_destroy(path);
+
+ return ret;
+}
+
+#define IDMEF(x) { \
+ int ret = (x); \
+ if (ret < 0) { idmef_message_destroy(idmef); printf("error\n"); return; } \
+ }
+
+void record_prelude(struct cnx *cn) {
+ char LOG[MAXENTRYLEN];
+
+ idmef_message_t *idmef;
+ idmef_alert_t *alert;
+ idmef_time_t *time;
+
+ struct servent *sourceservent;
+ struct protoent *protoent;
+
+ IDMEF(idmef_message_new(&idmef));
+ IDMEF(idmef_message_new_alert(idmef, &alert));
+
+ /* alert.detecttime */
+ if (cn->start_time) {
+ IDMEF(idmef_time_new_from_time(&time, &cn->start_time));
+ } else {
+ /* using the curen time */
+ IDMEF(idmef_time_new_from_gettimeofday(&time));
+ }
+ idmef_alert_set_detect_time(alert, time);
+
+ /* alert.createtime */
+ time = NULL;
+ IDMEF(idmef_time_new_from_gettimeofday(&time));
+ idmef_alert_set_create_time(alert, time);
+
+ /* alert.analyzer */
+ idmef_alert_set_analyzer(alert,idmef_analyzer_ref(prelude_client_get_analyzer(client)),0);
+
+ /* alert.classification.text */
+ add_idmef_object(idmef, "alert.classification.text",
+ "Unauthorized network connectivity");
+
+ /* alert.messageid */
+ snprintf(LOG,MAXENTRYLEN,"%lld",cn->cid);
+ add_idmef_object(idmef, "alert.messageid", LOG);
+
+ /* alert.impact.severity */
+ add_idmef_object(idmef, "alert.assessment.impact.severity",
+ cn->prelude_impact_severity);
+
+ /* alert.impact.completion */
+ add_idmef_object(idmef, "alert.assessment.impact.completion",
+ cn->prelude_impact_completion);
+
+ /* alert.impact.type */
+ add_idmef_object(idmef, "alert.assessment.impact.type",
+ cn->prelude_impact_type);
+
+ /* alert.confidence.rating */
+ add_idmef_object(idmef, "alert.assessment.confidence.rating",
+ cn->prelude_confidence_rating);
+
+ /* alert.additionaldata(0) */
+ add_idmef_object(idmef, "alert.additionaldata(0).type", "integer");
+ add_idmef_object(idmef, "alert.additionaldata(0).meaning", "status");
+ snprintf(LOG,MAXENTRYLEN,"%u",cn->status);
+ add_idmef_object(idmef, "alert.additionaldata(0).integer", LOG);
+
+ /* alert.additionaldata(1) */
+ add_idmef_object(idmef, "alert.additionaldata(1).type", "integer");
+ add_idmef_object(idmef, "alert.additionaldata(1).meaning", "Network node");
+ snprintf(LOG,MAXENTRYLEN,"%u",cn->node);
+ add_idmef_object(idmef, "alert.additionaldata(1).integer", LOG);
+
+ /* IP versios */
+ if (cn->h_proto == 8) {
+ add_idmef_object(idmef, "alert.source(0).service.ip_version", "4");
+ add_idmef_object(idmef, "alert.target(0).service.ip_version", "4");
+ } else {
+ /* bail out */
+ idmef_message_destroy(idmef);
+ return;
+ }
+
+ /* alert.source(0).node.address(0) (ip address) */
+ if(cn->reversed==CNX_REVERSED){
+ snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0');
+ }else{
+ snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0');
+ }
+ add_idmef_object(idmef, "alert.source(0).node.address(0).category",
+ "ipv4-addr");
+ add_idmef_object(idmef, "alert.source(0).node.address(0).address", LOG);
+
+ /* alert.source(0).node.address(1) (mac address) */
+ add_idmef_object(idmef, "alert.source(0).node.address(1).category", "mac");
+ {
+ struct myether_addr *es=(struct myether_addr *)&cn->eth_hdr.ether_shost;
+ snprintf(LOG,MAXENTRYLEN,"%0x:%0x:%0x:%0x:%0x:%0x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]);
+ }
+ add_idmef_object(idmef, "alert.source(0).node.address(1).address", LOG);
+
+ protoent = getprotobynumber(cn->proto);
+
+ /* alert.source(0).iana_protocol_number */
+ snprintf(LOG,MAXENTRYLEN,"%u",(cn->proto));
+ add_idmef_object(idmef, "alert.source(0).service.iana_protocol_number", LOG);
+
+ /* alert.target(0).iana_protocol_number */
+ add_idmef_object(idmef, "alert.target(0).service.iana_protocol_number", LOG);
+
+
+ if (protoent) {
+ /* alert.source(0).iana_protocol_name */
+ add_idmef_object(idmef, "alert.source(0).service.iana_protocol_name",
+ protoent->p_name);
+
+ /* alert.target(0).iana_protocol_name */
+ add_idmef_object(idmef, "alert.target(0).service.iana_protocol_name",
+ protoent->p_name);
+
+ /* alert.source(0).service */
+ setservent(1);
+ if(cn->reversed==CNX_REVERSED){
+ snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->d_port));
+ sourceservent = getservbyport(ntohs(cn->d_port), protoent->p_name);
+ }else{
+ snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->s_port));
+ sourceservent = getservbyport(ntohs(cn->s_port), protoent->p_name);
+ }
+
+ if (sourceservent && sourceservent->s_name)
+ add_idmef_object(idmef, "alert.source(0).service.name",
+ sourceservent->s_name );
+ add_idmef_object(idmef, "alert.source(0).service.port",
+ LOG);
+ add_idmef_object(idmef, "alert.source(0).service.protocol",
+ protoent->p_name);
+
+ /* alert.target(0).service */
+ if(cn->reversed==CNX_REVERSED){
+ snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->s_port));
+ sourceservent = getservbyport(ntohs(cn->s_port), protoent->p_name);
+ }else{
+ snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->d_port));
+ sourceservent = getservbyport(ntohs(cn->d_port), protoent->p_name);
+ }
+
+ if (sourceservent && sourceservent->s_name)
+ add_idmef_object(idmef, "alert.target(0).service.name",
+ sourceservent->s_name );
+ add_idmef_object(idmef, "alert.target(0).service.port",
+ LOG);
+ add_idmef_object(idmef, "alert.target(0).service.protocol",
+ protoent->p_name);
+ }
+/*
+*/
+
+ /* alert.target(0).node.address(0) (ip address) */
+ if(cn->reversed==CNX_REVERSED){
+ snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0');
+ }else{
+ snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0');
+ }
+ add_idmef_object(idmef, "alert.target(0).node.address(0).category",
+ "ipv4-addr");
+ add_idmef_object(idmef, "alert.target(0).node.address(0).address", LOG);
+
+ /* alert.target(0).node_address(1) (mac address) */
+ add_idmef_object(idmef, "alert.target(0).node.address(1).category", "mac");
+ {
+ struct myether_addr *es=(struct myether_addr *)&cn->eth_hdr.ether_dhost;
+ snprintf(LOG,MAXENTRYLEN,"%0x:%0x:%0x:%0x:%0x:%0x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]);
+ }
+ add_idmef_object(idmef, "alert.target(0).node.address(1).address", LOG);
+
+ prelude_client_send_idmef(client, idmef);
+ idmef_message_destroy(idmef);
+}
+
void record(struct cnx *cn, outputFileHandle *fH)
{
@@ -199,8 +401,15 @@
char eor=fH->getEor();
+ /* do we want prelude alert generation for this record? */
+
bzero(LOG,MAXENTRYLEN);
+ if (fH == gVars.sfH) {
+ record_prelude(cn);
+ }
+
+
/*
* Structure of a 48-bit Ethernet address.