You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
662 lines
25 KiB
662 lines
25 KiB
18 years ago
|
# --- SDE-COPYRIGHT-NOTE-BEGIN ---
|
||
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
|
||
|
#
|
||
|
# Filename: package/.../sancp/sancp-1.6.1-stable-prelude-3.diff
|
||
|
# Copyright (C) 2007 The OpenSDE Project
|
||
|
#
|
||
|
# More information can be found in the files COPYING and README.
|
||
|
#
|
||
|
# This patch file is dual-licensed. It is available under the license the
|
||
|
# patched project is licensed under, as long as it is an OpenSource license
|
||
|
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
|
||
|
# of the GNU General Public License as published by the Free Software
|
||
|
# Foundation; either version 2 of the License, or (at your option) any later
|
||
|
# version.
|
||
|
# --- SDE-COPYRIGHT-NOTE-END ---
|
||
|
|
||
|
diff -ruN sancp-1.6.1-stable.vanilla/Makefile sancp-1.6.1-stable/Makefile
|
||
|
--- sancp-1.6.1-stable.vanilla/Makefile 2007-07-07 00:46:11.000000000 +0200
|
||
|
+++ sancp-1.6.1-stable/Makefile 2007-07-24 13:44:01.000000000 +0200
|
||
|
@@ -9,7 +9,7 @@
|
||
|
|
||
|
|
||
|
# LINUX and BSD CFLAGS
|
||
|
-CFLAGS = -O3 -I/usr/include/pcap -I/usr/local/include/pcap -I./ -L/usr/lib/libsocket.so -g -L/opt/csw/lib -ggdb
|
||
|
+CFLAGS = -g -O3 -I/usr/include/pcap -I/usr/local/include/pcap -I./ -L/usr/lib/libsocket.so -g -L/opt/csw/lib -ggdb `libprelude-config --cflags`
|
||
|
|
||
|
# LINUX LFLAGS
|
||
|
LFLAGS = -lresolv -lnsl -lpcap -L/usr/lib/libpcap.so.0.6.2
|
||
|
@@ -41,10 +41,10 @@
|
||
|
bsd :
|
||
|
@(echo "#define PLATFORM_BSD" > platform.h)
|
||
|
@make final
|
||
|
- g++ -Wall $(BFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o
|
||
|
+ g++ -Wall $(BFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o `libprelude-config --libs` `libprelude-config --ldflags`
|
||
|
|
||
|
linux :
|
||
|
@(echo "#define PLATFORM_LINUX" > platform.h)
|
||
|
@make final
|
||
|
- g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o
|
||
|
+ g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o `libprelude-config --libs` `libprelude-config --ldflags`
|
||
|
|
||
|
diff -ruN sancp-1.6.1-stable.vanilla/apply_rule.cc sancp-1.6.1-stable/apply_rule.cc
|
||
|
--- sancp-1.6.1-stable.vanilla/apply_rule.cc 2007-07-05 18:12:20.000000000 +0200
|
||
|
+++ sancp-1.6.1-stable/apply_rule.cc 2007-07-24 13:44:01.000000000 +0200
|
||
|
@@ -47,6 +47,12 @@
|
||
|
tc->tcplag=myacl->tcplag;
|
||
|
tc->status=myacl->status;
|
||
|
tc->rid=myacl->rid;
|
||
|
+ tc->prelude_impact_severity=myacl->prelude_impact_severity;
|
||
|
+ tc->prelude_impact_completion=myacl->prelude_impact_completion;
|
||
|
+ tc->prelude_impact_type=myacl->prelude_impact_type;
|
||
|
+ tc->prelude_confidence_rating=myacl->prelude_confidence_rating;
|
||
|
+
|
||
|
+
|
||
|
|
||
|
if(myacl->pmode==OMODE_UNIQ)
|
||
|
{
|
||
|
@@ -112,6 +118,10 @@
|
||
|
nc->rgid=myacl->rgid;
|
||
|
nc->zone=myacl->zone;
|
||
|
nc->node=myacl->node;
|
||
|
+ nc->prelude_impact_severity=myacl->prelude_impact_severity;
|
||
|
+ nc->prelude_impact_completion=myacl->prelude_impact_completion;
|
||
|
+ nc->prelude_impact_type=myacl->prelude_impact_type;
|
||
|
+ nc->prelude_confidence_rating=myacl->prelude_confidence_rating;
|
||
|
myacl->ctr++;
|
||
|
return;
|
||
|
}
|
||
|
@@ -130,6 +140,10 @@
|
||
|
nc->timeout=gVars.default_timeout;
|
||
|
nc->tcplag=gVars.default_tcplag;
|
||
|
nc->node=gVars.default_node;
|
||
|
+ nc->prelude_impact_severity=gVars.prelude_impact_severity;
|
||
|
+ nc->prelude_impact_completion=gVars.prelude_impact_completion;
|
||
|
+ nc->prelude_impact_type=gVars.prelude_impact_type;
|
||
|
+ nc->prelude_confidence_rating=gVars.prelude_confidence_rating;
|
||
|
gVars.default_ctr++;
|
||
|
#ifdef DEBUG
|
||
|
printf("Setting stats: %d pcap: %d realtime: %d limit: %d timeout: %d tcplag: %d\n", nc->stats, nc->pcap, nc->realtime, nc->limit, nc->timeout, nc->tcplag);
|
||
|
diff -ruN sancp-1.6.1-stable.vanilla/build_acl.cc sancp-1.6.1-stable/build_acl.cc
|
||
|
--- sancp-1.6.1-stable.vanilla/build_acl.cc 2007-07-05 18:12:20.000000000 +0200
|
||
|
+++ sancp-1.6.1-stable/build_acl.cc 2007-07-24 13:44:01.000000000 +0200
|
||
|
@@ -1168,6 +1168,62 @@
|
||
|
fprintf(stdout,"Didn't set default for %s to %s\n",tok,tmp);
|
||
|
#endif
|
||
|
}
|
||
|
+ if(strcmp(tok,"prelude_impact_severity")==0)
|
||
|
+ {
|
||
|
+ if((tmp = get_tok(&rules,accept))==NULL)
|
||
|
+ {
|
||
|
+ syslog(LOG_ERR,"Format error, prelude_impact_severity specified but none provided, using prelude_impact_severity %s\n",PRELUDE_IMPACT_SEVERITY);
|
||
|
+ free(rule);
|
||
|
+ return;
|
||
|
+ }
|
||
|
+ gVars.prelude_impact_severity = strdup(tmp);
|
||
|
+ free(rule);
|
||
|
+ }
|
||
|
+ if(strcmp(tok,"prelude_impact_completion")==0)
|
||
|
+ {
|
||
|
+ if((tmp = get_tok(&rules,accept))==NULL)
|
||
|
+ {
|
||
|
+ syslog(LOG_ERR,"Format error, prelude_impact_completion specified but none provided, using prelude_impact_completion %s\n",PRELUDE_IMPACT_COMPLETION);
|
||
|
+ free(rule);
|
||
|
+ return;
|
||
|
+ }
|
||
|
+ gVars.prelude_impact_completion = strdup(tmp);
|
||
|
+ free(rule);
|
||
|
+ }
|
||
|
+ if(strcmp(tok,"prelude_impact_type")==0)
|
||
|
+ {
|
||
|
+ if((tmp = get_tok(&rules,accept))==NULL)
|
||
|
+ {
|
||
|
+ syslog(LOG_ERR,"Format error, prelude_impact_type specified but none provided, using prelude_impact_type %s\n",PRELUDE_IMPACT_TYPE);
|
||
|
+ free(rule);
|
||
|
+ return;
|
||
|
+ }
|
||
|
+ gVars.prelude_impact_type = strdup(tmp);
|
||
|
+ free(rule);
|
||
|
+ }
|
||
|
+ if(strcmp(tok,"prelude_confidence_rating")==0)
|
||
|
+ {
|
||
|
+ if((tmp = get_tok(&rules,accept))==NULL)
|
||
|
+ {
|
||
|
+ syslog(LOG_ERR,"Format error, prelude_confidence_rating specified but none provided, using prelude_confidence_rating %s\n",PRELUDE_CONFIDENCE_RATING);
|
||
|
+ free(rule);
|
||
|
+ return;
|
||
|
+ }
|
||
|
+ gVars.prelude_confidence_rating = strdup(tmp);
|
||
|
+ free(rule);
|
||
|
+ }
|
||
|
+ if(strcmp(tok,"prelude_profile")==0)
|
||
|
+ {
|
||
|
+ if((tmp = get_tok(&rules,accept))==NULL)
|
||
|
+ {
|
||
|
+ syslog(LOG_ERR,"Format error, prelude_profile specified but none provided, using prelude_profile %s\n",PRELUDE_PROFILE);
|
||
|
+ free(rule);
|
||
|
+ return;
|
||
|
+ }
|
||
|
+ gVars.prelude_profile = strdup(tmp);
|
||
|
+ free(rule);
|
||
|
+ }
|
||
|
+
|
||
|
}
|
||
|
|
||
|
void parse_var(char *c_rule, char *accept)
|
||
|
@@ -1426,6 +1482,10 @@
|
||
|
}else{
|
||
|
n_acl->fH = 0;
|
||
|
}
|
||
|
+ n_acl->prelude_impact_severity = gVars.prelude_impact_severity;
|
||
|
+ n_acl->prelude_impact_completion = gVars.prelude_impact_completion;
|
||
|
+ n_acl->prelude_impact_type = gVars.prelude_impact_type;
|
||
|
+ n_acl->prelude_confidence_rating = gVars.prelude_confidence_rating;
|
||
|
|
||
|
// FIELD 0 - required - Get the h_proto
|
||
|
n_acl->h_proto_h = 0xFFFF;
|
||
|
@@ -2061,6 +2121,46 @@
|
||
|
n_acl->retro = true;
|
||
|
continue;
|
||
|
}
|
||
|
+ if(strcmp(tok,"severity")==0)
|
||
|
+ {
|
||
|
+ if((tmp = get_tok(rules,accept))==NULL)
|
||
|
+ {
|
||
|
+ syslog(LOG_ERR,"Format error, severity specified but no option provided%s\n",rule);
|
||
|
+ return;
|
||
|
+ }
|
||
|
+ n_acl->prelude_impact_severity = strdup(tmp);
|
||
|
+ continue;
|
||
|
+ }
|
||
|
+ if(strcmp(tok,"completion")==0)
|
||
|
+ {
|
||
|
+ if((tmp = get_tok(rules,accept))==NULL)
|
||
|
+ {
|
||
|
+ syslog(LOG_ERR,"Format error, completion specified but no option provided%s\n",rule);
|
||
|
+ return;
|
||
|
+ }
|
||
|
+ n_acl->prelude_impact_completion = strdup(tmp);
|
||
|
+ continue;
|
||
|
+ }
|
||
|
+ if(strcmp(tok,"type")==0)
|
||
|
+ {
|
||
|
+ if((tmp = get_tok(rules,accept))==NULL)
|
||
|
+ {
|
||
|
+ syslog(LOG_ERR,"Format error, type specified but no option provided%s\n",rule);
|
||
|
+ return;
|
||
|
+ }
|
||
|
+ n_acl->prelude_impact_type = strdup(tmp);
|
||
|
+ continue;
|
||
|
+ }
|
||
|
+ if(strcmp(tok,"confidence")==0)
|
||
|
+ {
|
||
|
+ if((tmp = get_tok(rules,accept))==NULL)
|
||
|
+ {
|
||
|
+ syslog(LOG_ERR,"Format error, confidence specified but no option provided%s\n",rule);
|
||
|
+ return;
|
||
|
+ }
|
||
|
+ n_acl->prelude_confidence_rating = strdup(tmp);
|
||
|
+ continue;
|
||
|
+ }
|
||
|
syslog(LOG_ERR,"Skipping, invalid option in rule: %s %s\n", tok,*rules);
|
||
|
return;
|
||
|
}
|
||
|
diff -ruN sancp-1.6.1-stable.vanilla/docs/README sancp-1.6.1-stable/docs/README
|
||
|
--- sancp-1.6.1-stable.vanilla/docs/README 2007-07-06 03:33:14.000000000 +0200
|
||
|
+++ sancp-1.6.1-stable/docs/README 2007-07-24 13:44:01.000000000 +0200
|
||
|
@@ -277,6 +277,10 @@
|
||
|
strip-80211 { disable|enable }
|
||
|
node <number>
|
||
|
debug_pcap_raw { disable|enable }
|
||
|
+ prelude_impact_severity [string]
|
||
|
+ prelude_impact_completion [string]
|
||
|
+ prelude_impact_type [string]
|
||
|
+ prelude_confidence_rating [string]
|
||
|
|
||
|
known_port syntax:
|
||
|
-----------------------:
|
||
|
@@ -310,6 +314,9 @@
|
||
|
b) tagging options
|
||
|
i.e. status=16 rid=1112 node=2
|
||
|
|
||
|
+ c) prelude options
|
||
|
+ i.e. severity=severe, completion=succeeded, type=other, confidence=high
|
||
|
+
|
||
|
[<ether protocol>[-<end_range>] [<src_ip{/<CIDR>|<dotted>}>] [<dst_ip{/<CIDR>|<dotted>}>] [{tcp|udp|icmp|<proto number>[-<end_range>] }]
|
||
|
[<src_port>{-[<end_port_range>]}] [<dst_port>{-[<end_port_range>]}]
|
||
|
{ ignore | stats [{log|pass}] | realtime [{log|pass}] |
|
||
|
diff -ruN sancp-1.6.1-stable.vanilla/gvars.h sancp-1.6.1-stable/gvars.h
|
||
|
--- sancp-1.6.1-stable.vanilla/gvars.h 2007-07-05 18:12:20.000000000 +0200
|
||
|
+++ sancp-1.6.1-stable/gvars.h 2007-07-24 13:44:01.000000000 +0200
|
||
|
@@ -17,7 +17,8 @@
|
||
|
/* Make certain all id's are represented in the same order (as strings) in fmtnames[] */
|
||
|
/* 'null' is a place holder - in the list for field 0 */
|
||
|
|
||
|
-enum id {null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_local,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac };
|
||
|
+enum id
|
||
|
+{null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_local,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac,prelude_impact_sevirty,prelude_impact_completion,prelude_impact_type,prelude_confidence_rating,prelude_profile };
|
||
|
|
||
|
struct cnx_queue {
|
||
|
struct cnx *head;
|
||
|
@@ -102,5 +103,10 @@
|
||
|
int stdout_fmt_len;
|
||
|
pcap_t *ph; // pcap handle
|
||
|
struct pcap_pkthdr *g_pkthdr;//
|
||
|
+ char *prelude_impact_severity;
|
||
|
+ char *prelude_impact_completion;
|
||
|
+ char *prelude_impact_type;
|
||
|
+ char *prelude_confidence_rating;
|
||
|
+ char *prelude_profile;
|
||
|
};
|
||
|
|
||
|
diff -ruN sancp-1.6.1-stable.vanilla/sancp.cc sancp-1.6.1-stable/sancp.cc
|
||
|
--- sancp-1.6.1-stable.vanilla/sancp.cc 2007-07-05 18:12:20.000000000 +0200
|
||
|
+++ sancp-1.6.1-stable/sancp.cc 2007-07-24 13:44:01.000000000 +0200
|
||
|
@@ -48,7 +48,40 @@
|
||
|
//char dfltfmt[]= { sancp_id,start_time_gmt,src_mac,dst_mac,eth_proto,src_ip_dotted,dst_ip_dotted,ip_proto,src_port,dst_port };
|
||
|
char dfltfmt_human_readable[]= { sancp_id,start_time_gmt,stop_time_gmt,erased_time_gmt,eth_proto,ip_proto,src_ip_dotted,src_port,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,dflags_hex,cflags_hex,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac };
|
||
|
|
||
|
+prelude_client_t *client;
|
||
|
+static idmef_analyzer_t *idmef_analyzer;
|
||
|
|
||
|
+int sancp_alert_init(prelude_client_t *client)
|
||
|
+{
|
||
|
+ int ret;
|
||
|
+ prelude_string_t *string;
|
||
|
+
|
||
|
+ idmef_analyzer = prelude_client_get_analyzer(client);
|
||
|
+ if ( ! idmef_analyzer )
|
||
|
+ return -1;
|
||
|
+
|
||
|
+ ret = idmef_analyzer_new_model(idmef_analyzer, &string);
|
||
|
+ if ( ret < 0 )
|
||
|
+ return -1;
|
||
|
+ prelude_string_set_constant(string, PRELUDE_ANALYZER_MODEL);
|
||
|
+
|
||
|
+ ret = idmef_analyzer_new_class(idmef_analyzer, &string);
|
||
|
+ if ( ret < 0 )
|
||
|
+ return -1;
|
||
|
+ prelude_string_set_constant(string, PRELUDE_ANALYZER_CLASS);
|
||
|
+
|
||
|
+ ret = idmef_analyzer_new_manufacturer(idmef_analyzer, &string);
|
||
|
+ if ( ret < 0 )
|
||
|
+ return -1;
|
||
|
+ prelude_string_set_constant(string, PRELUDE_ANALYZER_MANUFACTURER);
|
||
|
+
|
||
|
+ ret = idmef_analyzer_new_version(idmef_analyzer, &string);
|
||
|
+ if ( ret < 0 )
|
||
|
+ return -1;
|
||
|
+ prelude_string_set_constant(string, VERSION);
|
||
|
+
|
||
|
+ return 0;
|
||
|
+}
|
||
|
/*************
|
||
|
* Main *
|
||
|
*************/
|
||
|
@@ -56,6 +89,7 @@
|
||
|
int main(int argc, char *argv[]) {
|
||
|
extern struct gvars gVars;
|
||
|
int cKey;
|
||
|
+ int ret;
|
||
|
pid_t pid=0;
|
||
|
|
||
|
/*
|
||
|
@@ -102,6 +136,14 @@
|
||
|
gVars.stdout_delimiter=DEFAULT_DELIMITER;
|
||
|
gVars.stdout_eor=DEFAULT_EOR;
|
||
|
|
||
|
+ gVars.prelude_impact_severity=PRELUDE_IMPACT_SEVERITY;
|
||
|
+ gVars.prelude_impact_completion=PRELUDE_IMPACT_COMPLETION;
|
||
|
+ gVars.prelude_impact_type=PRELUDE_IMPACT_TYPE;
|
||
|
+ gVars.prelude_confidence_rating=PRELUDE_CONFIDENCE_RATING;
|
||
|
+ gVars.prelude_profile=PRELUDE_PROFILE;
|
||
|
+
|
||
|
+
|
||
|
+
|
||
|
for(cKey=0; cKey<HASH_KEYS; cKey++)
|
||
|
{
|
||
|
gVars.cnx_head[cKey]=NULL;
|
||
|
@@ -116,6 +158,8 @@
|
||
|
|
||
|
parse_args(argc, argv);
|
||
|
|
||
|
+
|
||
|
+
|
||
|
if(gVars.human_readable){
|
||
|
if(gVars.realtime_fmt_len!=sizeof(dfltfmt_human_readable)){
|
||
|
free(gVars.realtime_fmt);
|
||
|
@@ -143,7 +187,15 @@
|
||
|
|
||
|
setsid();
|
||
|
}
|
||
|
+ prelude_log_set_flags((prelude_log_flags_t)PRELUDE_LOG_FLAGS_SYSLOG);
|
||
|
}
|
||
|
+
|
||
|
+ /* Initialize prelude */
|
||
|
+ ret = prelude_init(&argc, argv);
|
||
|
+ if (ret < 0) {
|
||
|
+ prelude_perror(ret, "unable to initialize the prelude library");
|
||
|
+ exit_all(0);
|
||
|
+ }
|
||
|
/* Retrieve the last cnxid from cache file if we haven't already in parse_args() */
|
||
|
|
||
|
if(!gVars.cnx_id)
|
||
|
@@ -197,6 +249,29 @@
|
||
|
|
||
|
build_config(1);
|
||
|
|
||
|
+ /* Create prelude sensor */
|
||
|
+
|
||
|
+ ret = prelude_client_new(&client, gVars.prelude_profile);
|
||
|
+ if ( ! client ) {
|
||
|
+ prelude_perror(ret, "Unable to create a prelude client object");
|
||
|
+ exit_all(0);
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Start prelude sensor */
|
||
|
+ sancp_alert_init(client);
|
||
|
+ ret = prelude_client_start(client);
|
||
|
+ if ( ret < 0 ) {
|
||
|
+ prelude_perror(ret, "Unable to start prelude client");
|
||
|
+ exit_all(0);
|
||
|
+ }
|
||
|
+
|
||
|
+ ret = prelude_client_set_flags(client, (prelude_client_flags_t)
|
||
|
+ (PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
|
||
|
+ if ( ret < 0 ) {
|
||
|
+ fprintf(stderr, "Unable to set asynchronous send and timer.\n");
|
||
|
+ exit_all(0);
|
||
|
+ }
|
||
|
+
|
||
|
/* Open files for output */
|
||
|
/* Be r3al l33t h3r3 */
|
||
|
|
||
|
diff -ruN sancp-1.6.1-stable.vanilla/sancp.h sancp-1.6.1-stable/sancp.h
|
||
|
--- sancp-1.6.1-stable.vanilla/sancp.h 2007-07-06 06:18:04.000000000 +0200
|
||
|
+++ sancp-1.6.1-stable/sancp.h 2007-07-24 13:44:01.000000000 +0200
|
||
|
@@ -47,6 +47,10 @@
|
||
|
#include "gvars.h"
|
||
|
#endif
|
||
|
|
||
|
+#include <libprelude/prelude.h>
|
||
|
+#include <libprelude/prelude-log.h>
|
||
|
+#include <netdb.h>
|
||
|
+
|
||
|
#define NCP_H
|
||
|
#define Y 'Y'
|
||
|
#define N 'N'
|
||
|
@@ -79,6 +83,7 @@
|
||
|
struct vars *next;
|
||
|
};
|
||
|
|
||
|
+extern prelude_client_t *client;
|
||
|
int main(int argc, char *argv[]);
|
||
|
struct cnx *process(struct cnx*, int len, u_char * pkt);
|
||
|
char * createPcapFileName();
|
||
|
@@ -185,6 +190,15 @@
|
||
|
#define OMODE_RULE 5
|
||
|
#define OMODE_UNIQ 6
|
||
|
|
||
|
+#define PRELUDE_IMPACT_SEVERITY "medium"
|
||
|
+#define PRELUDE_IMPACT_COMPLETION "succeeded"
|
||
|
+#define PRELUDE_IMPACT_TYPE "other"
|
||
|
+#define PRELUDE_CONFIDENCE_RATING "high"
|
||
|
+#define PRELUDE_ANALYZER_MODEL "Sancp"
|
||
|
+#define PRELUDE_ANALYZER_CLASS "NIDS"
|
||
|
+#define PRELUDE_ANALYZER_MANUFACTURER "http://www.metre.net/sancp.html"
|
||
|
+#define PRELUDE_PROFILE "sancp"
|
||
|
+
|
||
|
// Need to distinguish between classes of variables
|
||
|
#define VCLASS_0 1 // eth_proto class vars
|
||
|
#define VCLASS_1 2 // ip_addr class vars
|
||
|
@@ -276,6 +290,10 @@
|
||
|
u_int16_t rgid;
|
||
|
u_int16_t node;
|
||
|
u_int16_t zone;
|
||
|
+ char *prelude_impact_severity;
|
||
|
+ char *prelude_impact_completion;
|
||
|
+ char *prelude_impact_type;
|
||
|
+ char *prelude_confidence_rating;
|
||
|
CBuffer *CBufferPtr;
|
||
|
struct acl *next;
|
||
|
};
|
||
|
@@ -314,6 +332,10 @@
|
||
|
u_int16_t rgid;
|
||
|
u_int16_t node;
|
||
|
u_int16_t zone;
|
||
|
+ char *prelude_impact_severity;
|
||
|
+ char *prelude_impact_completion;
|
||
|
+ char *prelude_impact_type;
|
||
|
+ char *prelude_confidence_rating;
|
||
|
CBuffer *CBufferPtr;
|
||
|
struct os_info os_info;
|
||
|
struct os_info os_info2;
|
||
|
diff -ruN sancp-1.6.1-stable.vanilla/statefull_logging.cc sancp-1.6.1-stable/statefull_logging.cc
|
||
|
--- sancp-1.6.1-stable.vanilla/statefull_logging.cc 2007-07-05 18:12:20.000000000 +0200
|
||
|
+++ sancp-1.6.1-stable/statefull_logging.cc 2007-07-24 13:44:01.000000000 +0200
|
||
|
@@ -183,6 +183,208 @@
|
||
|
snprintf(buf,len,"%s",currenttime);
|
||
|
}
|
||
|
|
||
|
+static int add_idmef_object(idmef_message_t *message, const char *object, const char *value)
|
||
|
+{
|
||
|
+ int ret;
|
||
|
+ idmef_value_t *val;
|
||
|
+ idmef_path_t *path;
|
||
|
+
|
||
|
+ ret = idmef_path_new(&path, object);
|
||
|
+ if ( ret < 0 )
|
||
|
+ return -1;
|
||
|
+
|
||
|
+ ret = idmef_value_new_from_path(&val, path, value);
|
||
|
+ if ( ret < 0 ) {
|
||
|
+ idmef_path_destroy(path);
|
||
|
+ return -1;
|
||
|
+ }
|
||
|
+
|
||
|
+ ret = idmef_path_set(path, message, val);
|
||
|
+
|
||
|
+ idmef_value_destroy(val);
|
||
|
+ idmef_path_destroy(path);
|
||
|
+
|
||
|
+ return ret;
|
||
|
+}
|
||
|
+
|
||
|
+#define IDMEF(x) { \
|
||
|
+ int ret = (x); \
|
||
|
+ if (ret < 0) { idmef_message_destroy(idmef); printf("error\n"); return; } \
|
||
|
+ }
|
||
|
+
|
||
|
+void record_prelude(struct cnx *cn) {
|
||
|
+ char LOG[MAXENTRYLEN];
|
||
|
+
|
||
|
+ idmef_message_t *idmef;
|
||
|
+ idmef_alert_t *alert;
|
||
|
+ idmef_time_t *time;
|
||
|
+
|
||
|
+ struct servent *sourceservent;
|
||
|
+ struct protoent *protoent;
|
||
|
+
|
||
|
+ IDMEF(idmef_message_new(&idmef));
|
||
|
+ IDMEF(idmef_message_new_alert(idmef, &alert));
|
||
|
+
|
||
|
+ /* alert.detecttime */
|
||
|
+ if (cn->start_time) {
|
||
|
+ IDMEF(idmef_time_new_from_time(&time, &cn->start_time));
|
||
|
+ } else {
|
||
|
+ /* using the curen time */
|
||
|
+ IDMEF(idmef_time_new_from_gettimeofday(&time));
|
||
|
+ }
|
||
|
+ idmef_alert_set_detect_time(alert, time);
|
||
|
+
|
||
|
+ /* alert.createtime */
|
||
|
+ time = NULL;
|
||
|
+ IDMEF(idmef_time_new_from_gettimeofday(&time));
|
||
|
+ idmef_alert_set_create_time(alert, time);
|
||
|
+
|
||
|
+ /* alert.analyzer */
|
||
|
+ idmef_alert_set_analyzer(alert,idmef_analyzer_ref(prelude_client_get_analyzer(client)),0);
|
||
|
+
|
||
|
+ /* alert.classification.text */
|
||
|
+ add_idmef_object(idmef, "alert.classification.text",
|
||
|
+ "Unauthorized network connectivity");
|
||
|
+
|
||
|
+ /* alert.messageid */
|
||
|
+ snprintf(LOG,MAXENTRYLEN,"%lld",cn->cid);
|
||
|
+ add_idmef_object(idmef, "alert.messageid", LOG);
|
||
|
+
|
||
|
+ /* alert.impact.severity */
|
||
|
+ add_idmef_object(idmef, "alert.assessment.impact.severity",
|
||
|
+ cn->prelude_impact_severity);
|
||
|
+
|
||
|
+ /* alert.impact.completion */
|
||
|
+ add_idmef_object(idmef, "alert.assessment.impact.completion",
|
||
|
+ cn->prelude_impact_completion);
|
||
|
+
|
||
|
+ /* alert.impact.type */
|
||
|
+ add_idmef_object(idmef, "alert.assessment.impact.type",
|
||
|
+ cn->prelude_impact_type);
|
||
|
+
|
||
|
+ /* alert.confidence.rating */
|
||
|
+ add_idmef_object(idmef, "alert.assessment.confidence.rating",
|
||
|
+ cn->prelude_confidence_rating);
|
||
|
+
|
||
|
+ /* alert.additionaldata(0) */
|
||
|
+ add_idmef_object(idmef, "alert.additionaldata(0).type", "integer");
|
||
|
+ add_idmef_object(idmef, "alert.additionaldata(0).meaning", "status");
|
||
|
+ snprintf(LOG,MAXENTRYLEN,"%u",cn->status);
|
||
|
+ add_idmef_object(idmef, "alert.additionaldata(0).integer", LOG);
|
||
|
+
|
||
|
+ /* alert.additionaldata(1) */
|
||
|
+ add_idmef_object(idmef, "alert.additionaldata(1).type", "integer");
|
||
|
+ add_idmef_object(idmef, "alert.additionaldata(1).meaning", "Network node");
|
||
|
+ snprintf(LOG,MAXENTRYLEN,"%u",cn->node);
|
||
|
+ add_idmef_object(idmef, "alert.additionaldata(1).integer", LOG);
|
||
|
+
|
||
|
+ /* IP versios */
|
||
|
+ if (cn->h_proto == 8) {
|
||
|
+ add_idmef_object(idmef, "alert.source(0).service.ip_version", "4");
|
||
|
+ add_idmef_object(idmef, "alert.target(0).service.ip_version", "4");
|
||
|
+ } else {
|
||
|
+ /* bail out */
|
||
|
+ idmef_message_destroy(idmef);
|
||
|
+ return;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* alert.source(0).node.address(0) (ip address) */
|
||
|
+ if(cn->reversed==CNX_REVERSED){
|
||
|
+ snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0');
|
||
|
+ }else{
|
||
|
+ snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0');
|
||
|
+ }
|
||
|
+ add_idmef_object(idmef, "alert.source(0).node.address(0).category",
|
||
|
+ "ipv4-addr");
|
||
|
+ add_idmef_object(idmef, "alert.source(0).node.address(0).address", LOG);
|
||
|
+
|
||
|
+ /* alert.source(0).node.address(1) (mac address) */
|
||
|
+ add_idmef_object(idmef, "alert.source(0).node.address(1).category", "mac");
|
||
|
+ {
|
||
|
+ struct myether_addr *es=(struct myether_addr *)&cn->eth_hdr.ether_shost;
|
||
|
+ snprintf(LOG,MAXENTRYLEN,"%0x:%0x:%0x:%0x:%0x:%0x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]);
|
||
|
+ }
|
||
|
+ add_idmef_object(idmef, "alert.source(0).node.address(1).address", LOG);
|
||
|
+
|
||
|
+ protoent = getprotobynumber(cn->proto);
|
||
|
+
|
||
|
+ /* alert.source(0).iana_protocol_number */
|
||
|
+ snprintf(LOG,MAXENTRYLEN,"%u",(cn->proto));
|
||
|
+ add_idmef_object(idmef, "alert.source(0).service.iana_protocol_number", LOG);
|
||
|
+
|
||
|
+ /* alert.target(0).iana_protocol_number */
|
||
|
+ add_idmef_object(idmef, "alert.target(0).service.iana_protocol_number", LOG);
|
||
|
+
|
||
|
+
|
||
|
+ if (protoent) {
|
||
|
+ /* alert.source(0).iana_protocol_name */
|
||
|
+ add_idmef_object(idmef, "alert.source(0).service.iana_protocol_name",
|
||
|
+ protoent->p_name);
|
||
|
+
|
||
|
+ /* alert.target(0).iana_protocol_name */
|
||
|
+ add_idmef_object(idmef, "alert.target(0).service.iana_protocol_name",
|
||
|
+ protoent->p_name);
|
||
|
+
|
||
|
+ /* alert.source(0).service */
|
||
|
+ setservent(1);
|
||
|
+ if(cn->reversed==CNX_REVERSED){
|
||
|
+ snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->d_port));
|
||
|
+ sourceservent = getservbyport(ntohs(cn->d_port), protoent->p_name);
|
||
|
+ }else{
|
||
|
+ snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->s_port));
|
||
|
+ sourceservent = getservbyport(ntohs(cn->s_port), protoent->p_name);
|
||
|
+ }
|
||
|
+
|
||
|
+ if (sourceservent && sourceservent->s_name)
|
||
|
+ add_idmef_object(idmef, "alert.source(0).service.name",
|
||
|
+ sourceservent->s_name );
|
||
|
+ add_idmef_object(idmef, "alert.source(0).service.port",
|
||
|
+ LOG);
|
||
|
+ add_idmef_object(idmef, "alert.source(0).service.protocol",
|
||
|
+ protoent->p_name);
|
||
|
+
|
||
|
+ /* alert.target(0).service */
|
||
|
+ if(cn->reversed==CNX_REVERSED){
|
||
|
+ snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->s_port));
|
||
|
+ sourceservent = getservbyport(ntohs(cn->s_port), protoent->p_name);
|
||
|
+ }else{
|
||
|
+ snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->d_port));
|
||
|
+ sourceservent = getservbyport(ntohs(cn->d_port), protoent->p_name);
|
||
|
+ }
|
||
|
+
|
||
|
+ if (sourceservent && sourceservent->s_name)
|
||
|
+ add_idmef_object(idmef, "alert.target(0).service.name",
|
||
|
+ sourceservent->s_name );
|
||
|
+ add_idmef_object(idmef, "alert.target(0).service.port",
|
||
|
+ LOG);
|
||
|
+ add_idmef_object(idmef, "alert.target(0).service.protocol",
|
||
|
+ protoent->p_name);
|
||
|
+ }
|
||
|
+/*
|
||
|
+*/
|
||
|
+
|
||
|
+ /* alert.target(0).node.address(0) (ip address) */
|
||
|
+ if(cn->reversed==CNX_REVERSED){
|
||
|
+ snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0');
|
||
|
+ }else{
|
||
|
+ snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0');
|
||
|
+ }
|
||
|
+ add_idmef_object(idmef, "alert.target(0).node.address(0).category",
|
||
|
+ "ipv4-addr");
|
||
|
+ add_idmef_object(idmef, "alert.target(0).node.address(0).address", LOG);
|
||
|
+
|
||
|
+ /* alert.target(0).node_address(1) (mac address) */
|
||
|
+ add_idmef_object(idmef, "alert.target(0).node.address(1).category", "mac");
|
||
|
+ {
|
||
|
+ struct myether_addr *es=(struct myether_addr *)&cn->eth_hdr.ether_dhost;
|
||
|
+ snprintf(LOG,MAXENTRYLEN,"%0x:%0x:%0x:%0x:%0x:%0x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]);
|
||
|
+ }
|
||
|
+ add_idmef_object(idmef, "alert.target(0).node.address(1).address", LOG);
|
||
|
+
|
||
|
+ prelude_client_send_idmef(client, idmef);
|
||
|
+ idmef_message_destroy(idmef);
|
||
|
+}
|
||
|
+
|
||
|
|
||
|
void record(struct cnx *cn, outputFileHandle *fH)
|
||
|
{
|
||
|
@@ -199,8 +401,15 @@
|
||
|
|
||
|
char eor=fH->getEor();
|
||
|
|
||
|
+ /* do we want prelude alert generation for this record? */
|
||
|
+
|
||
|
bzero(LOG,MAXENTRYLEN);
|
||
|
|
||
|
+ if (fH == gVars.sfH) {
|
||
|
+ record_prelude(cn);
|
||
|
+ }
|
||
|
+
|
||
|
+
|
||
|
|
||
|
/*
|
||
|
* Structure of a 48-bit Ethernet address.
|