# --- SDE-COPYRIGHT-NOTE-BEGIN --- # This copyright note is auto-generated by ./scripts/Create-CopyPatch. # # Filename: package/.../sancp/sancp-1.6.1-stable-prelude-3.diff # Copyright (C) 2007 The OpenSDE Project # # More information can be found in the files COPYING and README. # # This patch file is dual-licensed. It is available under the license the # patched project is licensed under, as long as it is an OpenSource license # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 2 of the License, or (at your option) any later # version. # --- SDE-COPYRIGHT-NOTE-END --- diff -ruN sancp-1.6.1-stable.vanilla/Makefile sancp-1.6.1-stable/Makefile --- sancp-1.6.1-stable.vanilla/Makefile 2007-07-07 00:46:11.000000000 +0200 +++ sancp-1.6.1-stable/Makefile 2007-07-24 13:44:01.000000000 +0200 @@ -9,7 +9,7 @@ # LINUX and BSD CFLAGS -CFLAGS = -O3 -I/usr/include/pcap -I/usr/local/include/pcap -I./ -L/usr/lib/libsocket.so -g -L/opt/csw/lib -ggdb +CFLAGS = -g -O3 -I/usr/include/pcap -I/usr/local/include/pcap -I./ -L/usr/lib/libsocket.so -g -L/opt/csw/lib -ggdb `libprelude-config --cflags` # LINUX LFLAGS LFLAGS = -lresolv -lnsl -lpcap -L/usr/lib/libpcap.so.0.6.2 
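Review bot: The new CFLAGS line now carries `-g` twice (the added leading `-g` plus the pre-existing `-g … -ggdb`), and the backtick `libprelude-config --cflags` is re-run at every expansion of CFLAGS with no check on its outcome: if the tool is not on PATH the shell error goes to stderr and the build continues with an empty flag set, so the failure only surfaces later as a missing prelude header rather than at the point of cause. Evaluate it once and fail early, e.g. `PRELUDE_CFLAGS := $(shell libprelude-config --cflags)` followed by `ifeq ($(PRELUDE_CFLAGS),)` / `$(error libprelude-config not found)` / `endif`, then reference `$(PRELUDE_CFLAGS)` in CFLAGS and drop the redundant `-g`. The same applies to the `--libs`/`--ldflags` expansions added to the link lines further down.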
@@ -41,10 +41,10 @@ bsd : @(echo "#define PLATFORM_BSD" > platform.h) @make final - g++ -Wall $(BFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o + g++ -Wall $(BFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o `libprelude-config --libs` `libprelude-config --ldflags` linux : @(echo "#define PLATFORM_LINUX" > platform.h) @make final - g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o + g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o `libprelude-config --libs` `libprelude-config --ldflags` diff -ruN sancp-1.6.1-stable.vanilla/apply_rule.cc sancp-1.6.1-stable/apply_rule.cc --- sancp-1.6.1-stable.vanilla/apply_rule.cc 2007-07-05 18:12:20.000000000 +0200 +++ sancp-1.6.1-stable/apply_rule.cc 2007-07-24 13:44:01.000000000 +0200 @@ -47,6 +47,12 @@ tc->tcplag=myacl->tcplag; tc->status=myacl->status; tc->rid=myacl->rid; + tc->prelude_impact_severity=myacl->prelude_impact_severity; + tc->prelude_impact_completion=myacl->prelude_impact_completion; + tc->prelude_impact_type=myacl->prelude_impact_type; + tc->prelude_confidence_rating=myacl->prelude_confidence_rating; + + if(myacl->pmode==OMODE_UNIQ) { 
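Review bot: The four new assignments starting at `tc->prelude_impact_severity=myacl->prelude_impact_severity;` copy raw `char *` pointers, so every connection record aliases a string owned by the matching acl (or the gVars default the acl inherited), and nothing in the hunk says that the cnx does not own these and must never free them. A comment at the first copy would keep the next maintainer from adding a `free()` to the cnx teardown: `/* prelude_* strings are borrowed from the acl (or the gVars defaults); the cnx never frees them */`. Whether the acl list can be released or re-read while connections are still live I cannot tell from here; if it can, these pointers dangle and this becomes a use-after-free, so that is worth confirming. The enclosing function continues outside the hunk.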
@@ -112,6 +118,10 @@
 nc->rgid=myacl->rgid;
 nc->zone=myacl->zone;
 nc->node=myacl->node;
+ nc->prelude_impact_severity=myacl->prelude_impact_severity;
+ nc->prelude_impact_completion=myacl->prelude_impact_completion;
+ nc->prelude_impact_type=myacl->prelude_impact_type;
+ nc->prelude_confidence_rating=myacl->prelude_confidence_rating;
 myacl->ctr++;
 return;
 }
@@ -130,6 +140,10 @@
 nc->timeout=gVars.default_timeout;
 nc->tcplag=gVars.default_tcplag;
 nc->node=gVars.default_node;
+ nc->prelude_impact_severity=gVars.prelude_impact_severity;
+ nc->prelude_impact_completion=gVars.prelude_impact_completion;
+ nc->prelude_impact_type=gVars.prelude_impact_type;
+ nc->prelude_confidence_rating=gVars.prelude_confidence_rating;
 gVars.default_ctr++;
 #ifdef DEBUG
 printf("Setting stats: %d pcap: %d realtime: %d limit: %d timeout: %d tcplag: %d\n", nc->stats, nc->pcap, nc->realtime, nc->limit, nc->timeout, nc->tcplag);
diff -ruN sancp-1.6.1-stable.vanilla/build_acl.cc sancp-1.6.1-stable/build_acl.cc
--- sancp-1.6.1-stable.vanilla/build_acl.cc 2007-07-05 18:12:20.000000000 +0200
+++ sancp-1.6.1-stable/build_acl.cc 2007-07-24 13:44:01.000000000 +0200
@@ -1168,6 +1168,62 @@ fprintf(stdout,"Didn't set default for %s to %s\n",tok,tmp); #endif } + if(strcmp(tok,"prelude_impact_severity")==0) + { + if((tmp = get_tok(&rules,accept))==NULL) + { + syslog(LOG_ERR,"Format error, prelude_impact_severity specified but none provided, using prelude_impact_severity %s\n",PRELUDE_IMPACT_SEVERITY); + free(rule); + return; + } + gVars.prelude_impact_severity = strdup(tmp); + free(rule); + } + if(strcmp(tok,"prelude_impact_completion")==0) + { + if((tmp = get_tok(&rules,accept))==NULL) + { + syslog(LOG_ERR,"Format error, prelude_impact_completion specified but none provided, using prelude_impact_completion %s\n",PRELUDE_IMPACT_COMPLETION); + free(rule); + return; + } + gVars.prelude_impact_completion = strdup(tmp); + free(rule); + } + if(strcmp(tok,"prelude_impact_type")==0) + { + if((tmp = get_tok(&rules,accept))==NULL) + { + syslog(LOG_ERR,"Format error, prelude_impact_type specified but none provided, using prelude_impact_type %s\n",PRELUDE_IMPACT_TYPE); + free(rule); + return; + } + gVars.prelude_impact_type = strdup(tmp); + free(rule); + } + if(strcmp(tok,"prelude_confidence_rating")==0) + { + if((tmp = get_tok(&rules,accept))==NULL) + { + syslog(LOG_ERR,"Format error, prelude_confidence_rating specified but none provided, using prelude_confidence_rating %s\n",PRELUDE_CONFIDENCE_RATING); + free(rule); + return; + } + gVars.prelude_confidence_rating = strdup(tmp); + free(rule); + } + if(strcmp(tok,"prelude_profile")==0) + { + if((tmp = get_tok(&rules,accept))==NULL) + { + syslog(LOG_ERR,"Format error, prelude_profile specified but none provided, using prelude_profile %s\n",PRELUDE_PROFILE); + free(rule); + return; + } + gVars.prelude_profile = strdup(tmp); + free(rule); + } + } void parse_var(char *c_rule, char *accept) 
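Review bot: Each new `prelude_*` block ends with `gVars.prelude_impact_severity = strdup(tmp); free(rule);` but no `return;`, so control falls into the next `if(strcmp(tok,"prelude_impact_completion")==0)` and keeps comparing `tok` after `rule` has been freed; assuming `tok` was cut out of `rule` by get_tok (the error path's `free(rule)` just before its `return` suggests exactly that), every successful default directive performs a use-after-free read in the following four strcmp calls. Add `return;` after each success-path `free(rule);`, mirroring the error path. Two smaller points: `strdup()` is unchecked, so on allocation failure gVars ends up holding a NULL that record_prelude later hands to libprelude, and a repeated directive overwrites the previous strdup()'d value without freeing it (it cannot free unconditionally because the initial value is a string literal, which is worth a comment). The enclosing function starts outside the hunk.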
@@ -1426,6 +1482,10 @@ }else{ n_acl->fH = 0; } + n_acl->prelude_impact_severity = gVars.prelude_impact_severity; + n_acl->prelude_impact_completion = gVars.prelude_impact_completion; + n_acl->prelude_impact_type = gVars.prelude_impact_type; + n_acl->prelude_confidence_rating = gVars.prelude_confidence_rating; // FIELD 0 - required - Get the h_proto n_acl->h_proto_h = 0xFFFF; @@ -2061,6 +2121,46 @@ n_acl->retro = true; continue; } + if(strcmp(tok,"severity")==0) + { + if((tmp = get_tok(rules,accept))==NULL) + { + syslog(LOG_ERR,"Format error, severity specified but no option provided%s\n",rule); + return; + } + n_acl->prelude_impact_severity = strdup(tmp); + continue; + } + if(strcmp(tok,"completion")==0) + { + if((tmp = get_tok(rules,accept))==NULL) + { + syslog(LOG_ERR,"Format error, completion specified but no option provided%s\n",rule); + return; + } + n_acl->prelude_impact_completion = strdup(tmp); + continue; + } + if(strcmp(tok,"type")==0) + { + if((tmp = get_tok(rules,accept))==NULL) + { + syslog(LOG_ERR,"Format error, type specified but no option provided%s\n",rule); + return; + } + n_acl->prelude_impact_type = strdup(tmp); + continue; + } + if(strcmp(tok,"confidence")==0) + { + if((tmp = get_tok(rules,accept))==NULL) + { + syslog(LOG_ERR,"Format error, confidence specified but no option provided%s\n",rule); + return; + } + n_acl->prelude_confidence_rating = strdup(tmp); + continue; + } syslog(LOG_ERR,"Skipping, invalid option in rule: %s %s\n", tok,*rules); return; } diff -ruN sancp-1.6.1-stable.vanilla/docs/README sancp-1.6.1-stable/docs/README --- sancp-1.6.1-stable.vanilla/docs/README 2007-07-06 03:33:14.000000000 +0200 +++ sancp-1.6.1-stable/docs/README 2007-07-24 13:44:01.000000000 +0200 
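Review bot: The per-rule `severity=`, `completion=`, `type=` and `confidence=` options store whatever token follows the `=` without checking it, and the only consumer is `add_idmef_object()` at alert time, whose return value record_prelude discards, so a typo in a rule produces alerts that silently lack that assessment field; the README example in this very patch, `severity=severe`, is such a value if I recall RFC 4765's enumeration (info/low/medium/high) correctly. Validate at rule-parse time against the IDMEF enumerations and reject the rule with a syslog message naming the accepted values, as sketched below for `severity` (the other three take the same shape with their own table). The `strdup()` results are also unchecked, and the earlier hunk at 1426 makes each acl start out aliasing the gVars default strings, so the acl must never free these four members; a one-line comment there would help. The enclosing function starts and ends outside the hunk.
```cpp
/* IDMEF enumerations accepted for the assessment fields (RFC 4765); anything
 * else is rejected by libprelude only at alert time, so check it here. */
static const char *const prelude_severities[]  = { "info", "low", "medium", "high", NULL };
static const char *const prelude_completions[] = { "failed", "succeeded", NULL };
static const char *const prelude_types[]       = { "admin", "dos", "file", "recon", "user", "other", NULL };
static const char *const prelude_confidences[] = { "low", "medium", "high", "numeric", NULL };

static int prelude_value_ok(const char *value, const char *const *allowed)
{
	for (; *allowed; allowed++)
		if (strcmp(value, *allowed) == 0)
			return 1;
	return 0;
}

// … unchanged: retro handling …
		if(strcmp(tok,"severity")==0)
		{
			if((tmp = get_tok(rules,accept))==NULL || !prelude_value_ok(tmp, prelude_severities))
			{
				syslog(LOG_ERR,"Format error, severity missing or not one of info/low/medium/high: %s\n",rule);
				return;
			}
			n_acl->prelude_impact_severity = strdup(tmp);
			continue;
		}
// … unchanged: completion/type/confidence, same shape with prelude_completions/prelude_types/prelude_confidences …
```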
@@ -277,6 +277,10 @@ strip-80211 { disable|enable } node debug_pcap_raw { disable|enable } + prelude_impact_severity [string] + prelude_impact_completion [string] + prelude_impact_type [string] + prelude_confidence_rating [string] known_port syntax: -----------------------: @@ -310,6 +314,9 @@ b) tagging options i.e. status=16 rid=1112 node=2 + c) prelude options + i.e. severity=severe, completion=succeeded, type=other, confidence=high + [[-] [|}>] [|}>] [{tcp|udp|icmp|[-] }] [{-[]}] [{-[]}] { ignore | stats [{log|pass}] | realtime [{log|pass}] | diff -ruN sancp-1.6.1-stable.vanilla/gvars.h sancp-1.6.1-stable/gvars.h --- sancp-1.6.1-stable.vanilla/gvars.h 2007-07-05 18:12:20.000000000 +0200 +++ sancp-1.6.1-stable/gvars.h 2007-07-24 13:44:01.000000000 +0200 
@@ -17,7 +17,8 @@ /* Make certain all id's are represented in the same order (as strings) in fmtnames[] */ /* 'null' is a place holder - in the list for field 0 */ -enum id {null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_local,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac }; +enum id +{null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_local,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac,prelude_impact_sevirty,prelude_impact_completion,prelude_impact_type,prelude_confidence_rating,prelude_profile }; struct cnx_queue { struct cnx *head; 
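Review bot: The new enum id is spelled `prelude_impact_sevirty` while the gVars, acl and cnx members added by the same patch are all `prelude_impact_severity`; nothing will catch the mismatch until someone references the id by name. More importantly, the comment directly above this enum says every id must appear, in the same order and as a string, in fmtnames[], and the patch appends five ids without any fmtnames[] hunk; if fmtnames[] is sized or walked in lockstep with this enum (its definition is not in this patch, so I cannot confirm), the two are now out of step and a lookup by the last ids reads past the table. Either add the five strings to fmtnames[] in the same change, or, since nothing else in this patch uses these ids for output formatting, leave the enum alone and keep the prelude settings purely as gVars/acl fields.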
@@ -102,5 +103,10 @@
 int stdout_fmt_len;
 pcap_t *ph; // pcap handle
 struct pcap_pkthdr *g_pkthdr;//
+ char *prelude_impact_severity;
+ char *prelude_impact_completion;
+ char *prelude_impact_type;
+ char *prelude_confidence_rating;
+ char *prelude_profile;
 };
diff -ruN sancp-1.6.1-stable.vanilla/sancp.cc sancp-1.6.1-stable/sancp.cc
--- sancp-1.6.1-stable.vanilla/sancp.cc 2007-07-05 18:12:20.000000000 +0200
+++ sancp-1.6.1-stable/sancp.cc 2007-07-24 13:44:01.000000000 +0200
@@ -48,7 +48,40 @@ //char dfltfmt[]= { sancp_id,start_time_gmt,src_mac,dst_mac,eth_proto,src_ip_dotted,dst_ip_dotted,ip_proto,src_port,dst_port }; char dfltfmt_human_readable[]= { sancp_id,start_time_gmt,stop_time_gmt,erased_time_gmt,eth_proto,ip_proto,src_ip_dotted,src_port,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,dflags_hex,cflags_hex,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac }; +prelude_client_t *client; +static idmef_analyzer_t *idmef_analyzer; +int sancp_alert_init(prelude_client_t *client) +{ + int ret; + prelude_string_t *string; + + idmef_analyzer = prelude_client_get_analyzer(client); + if ( ! idmef_analyzer ) + return -1; + + ret = idmef_analyzer_new_model(idmef_analyzer, &string); + if ( ret < 0 ) + return -1; + prelude_string_set_constant(string, PRELUDE_ANALYZER_MODEL); + + ret = idmef_analyzer_new_class(idmef_analyzer, &string); + if ( ret < 0 ) + return -1; + prelude_string_set_constant(string, PRELUDE_ANALYZER_CLASS); + + ret = idmef_analyzer_new_manufacturer(idmef_analyzer, &string); + if ( ret < 0 ) + return -1; + prelude_string_set_constant(string, PRELUDE_ANALYZER_MANUFACTURER); + + ret = idmef_analyzer_new_version(idmef_analyzer, &string); + if ( ret < 0 ) + return -1; + prelude_string_set_constant(string, VERSION); + + return 0; +} /************* * Main * *************/ @@ -56,6 +89,7 @@ int main(int argc, char *argv[]) { extern struct gvars gVars; int cKey; + int ret; pid_t pid=0; /* 
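Review bot: In `int sancp_alert_init(prelude_client_t *client)` the parameter shadows the file-scope `prelude_client_t *client;` defined two lines above (the same object sancp.h exports as `extern`), which is easy to misread and trips -Wshadow; either rename it, `int sancp_alert_init(prelude_client_t *pc)`, or drop the parameter and use the global the way record_prelude does. The four `prelude_string_set_constant(string, …)` calls discard their return value while the `idmef_analyzer_new_*` calls beside them are checked; make them uniform, e.g. `if ( prelude_string_set_constant(string, PRELUDE_ANALYZER_MODEL) < 0 ) return -1;`. The global itself is non-static with a very generic name; if only sancp.cc and statefull_logging.cc need it, something like `sancp_prelude_client` is less likely to collide with other translation units. A short header comment stating that this must run after prelude_client_new() and before any alert is sent would also help, since the call site is not in this hunk.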
@@ -102,6 +136,14 @@ gVars.stdout_delimiter=DEFAULT_DELIMITER; gVars.stdout_eor=DEFAULT_EOR; + gVars.prelude_impact_severity=PRELUDE_IMPACT_SEVERITY; + gVars.prelude_impact_completion=PRELUDE_IMPACT_COMPLETION; + gVars.prelude_impact_type=PRELUDE_IMPACT_TYPE; + gVars.prelude_confidence_rating=PRELUDE_CONFIDENCE_RATING; + gVars.prelude_profile=PRELUDE_PROFILE; + + + for(cKey=0; cKey +#include +#include + #define NCP_H #define Y 'Y' #define N 'N' @@ -79,6 +83,7 @@ struct vars *next; }; +extern prelude_client_t *client; int main(int argc, char *argv[]); struct cnx *process(struct cnx*, int len, u_char * pkt); char * createPcapFileName(); @@ -185,6 +190,15 @@ #define OMODE_RULE 5 #define OMODE_UNIQ 6 +#define PRELUDE_IMPACT_SEVERITY "medium" +#define PRELUDE_IMPACT_COMPLETION "succeeded" +#define PRELUDE_IMPACT_TYPE "other" +#define PRELUDE_CONFIDENCE_RATING "high" +#define PRELUDE_ANALYZER_MODEL "Sancp" +#define PRELUDE_ANALYZER_CLASS "NIDS" +#define PRELUDE_ANALYZER_MANUFACTURER "http://www.metre.net/sancp.html" +#define PRELUDE_PROFILE "sancp" + // Need to distinguish between classes of variables #define VCLASS_0 1 // eth_proto class vars #define VCLASS_1 2 // ip_addr class vars @@ -276,6 +290,10 @@ u_int16_t rgid; u_int16_t node; u_int16_t zone; + char *prelude_impact_severity; + char *prelude_impact_completion; + char *prelude_impact_type; + char *prelude_confidence_rating; CBuffer *CBufferPtr; struct acl *next; }; @@ -314,6 +332,10 @@ u_int16_t rgid; u_int16_t node; u_int16_t zone; + char *prelude_impact_severity; + char *prelude_impact_completion; + char *prelude_impact_type; + char *prelude_confidence_rating; CBuffer *CBufferPtr; struct os_info os_info; struct os_info os_info2; diff -ruN sancp-1.6.1-stable.vanilla/statefull_logging.cc sancp-1.6.1-stable/statefull_logging.cc --- sancp-1.6.1-stable.vanilla/statefull_logging.cc 2007-07-05 18:12:20.000000000 +0200 +++ sancp-1.6.1-stable/statefull_logging.cc 2007-07-24 13:44:01.000000000 +0200 
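Review bot: The `char *prelude_impact_severity;` (and sibling) members added to struct acl and struct cnx are initialised from the string-literal macros defined in the same header (`PRELUDE_IMPACT_SEVERITY "medium"` etc.) or from strings owned by an acl, so they are never owned by the struct that holds them and must never be written through or freed; declare them `const char *` and say so, e.g. `const char *prelude_impact_severity; /* borrowed: gVars default or the acl's strdup()'d value, never freed here */`. The same `const` applies to the gVars members in gvars.h. `extern prelude_client_t *client;` exposes a global with a very generic name from the project-wide header; if it must stay global, a prefixed name avoids collisions in other translation units. The struct definitions start and end outside these hunks.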
@@ -183,6 +183,208 @@ snprintf(buf,len,"%s",currenttime); } +static int add_idmef_object(idmef_message_t *message, const char *object, const char *value) +{ + int ret; + idmef_value_t *val; + idmef_path_t *path; + + ret = idmef_path_new(&path, object); + if ( ret < 0 ) + return -1; + + ret = idmef_value_new_from_path(&val, path, value); + if ( ret < 0 ) { + idmef_path_destroy(path); + return -1; + } + + ret = idmef_path_set(path, message, val); + + idmef_value_destroy(val); + idmef_path_destroy(path); + + return ret; +} + +#define IDMEF(x) { \ + int ret = (x); \ + if (ret < 0) { idmef_message_destroy(idmef); printf("error\n"); return; } \ + } + +void record_prelude(struct cnx *cn) { + char LOG[MAXENTRYLEN]; + + idmef_message_t *idmef; + idmef_alert_t *alert; + idmef_time_t *time; + + struct servent *sourceservent; + struct protoent *protoent; + + IDMEF(idmef_message_new(&idmef)); + IDMEF(idmef_message_new_alert(idmef, &alert)); + + /* alert.detecttime */ + if (cn->start_time) { + IDMEF(idmef_time_new_from_time(&time, &cn->start_time)); + } else { + /* using the curen time */ + IDMEF(idmef_time_new_from_gettimeofday(&time)); + } + idmef_alert_set_detect_time(alert, time); + + /* alert.createtime */ + time = NULL; + IDMEF(idmef_time_new_from_gettimeofday(&time)); + idmef_alert_set_create_time(alert, time); + + /* alert.analyzer */ + idmef_alert_set_analyzer(alert,idmef_analyzer_ref(prelude_client_get_analyzer(client)),0); + + /* alert.classification.text */ + add_idmef_object(idmef, "alert.classification.text", + "Unauthorized network connectivity"); + + /* alert.messageid */ + snprintf(LOG,MAXENTRYLEN,"%lld",cn->cid); + add_idmef_object(idmef, "alert.messageid", LOG); + + /* alert.impact.severity */ + add_idmef_object(idmef, "alert.assessment.impact.severity", + cn->prelude_impact_severity); + + /* alert.impact.completion */ + add_idmef_object(idmef, "alert.assessment.impact.completion", + cn->prelude_impact_completion); + + /* alert.impact.type */ + 
add_idmef_object(idmef, "alert.assessment.impact.type", + cn->prelude_impact_type); + + /* alert.confidence.rating */ + add_idmef_object(idmef, "alert.assessment.confidence.rating", + cn->prelude_confidence_rating); + + /* alert.additionaldata(0) */ + add_idmef_object(idmef, "alert.additionaldata(0).type", "integer"); + add_idmef_object(idmef, "alert.additionaldata(0).meaning", "status"); + snprintf(LOG,MAXENTRYLEN,"%u",cn->status); + add_idmef_object(idmef, "alert.additionaldata(0).integer", LOG); + + /* alert.additionaldata(1) */ + add_idmef_object(idmef, "alert.additionaldata(1).type", "integer"); + add_idmef_object(idmef, "alert.additionaldata(1).meaning", "Network node"); + snprintf(LOG,MAXENTRYLEN,"%u",cn->node); + add_idmef_object(idmef, "alert.additionaldata(1).integer", LOG); + + /* IP versios */ + if (cn->h_proto == 8) { + add_idmef_object(idmef, "alert.source(0).service.ip_version", "4"); + add_idmef_object(idmef, "alert.target(0).service.ip_version", "4"); + } else { + /* bail out */ + idmef_message_destroy(idmef); + return; + } + + /* alert.source(0).node.address(0) (ip address) */ + if(cn->reversed==CNX_REVERSED){ + snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0'); + }else{ + snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0'); + } + add_idmef_object(idmef, "alert.source(0).node.address(0).category", + "ipv4-addr"); + add_idmef_object(idmef, "alert.source(0).node.address(0).address", LOG); + + /* alert.source(0).node.address(1) (mac address) */ + add_idmef_object(idmef, "alert.source(0).node.address(1).category", "mac"); + { + struct myether_addr *es=(struct myether_addr *)&cn->eth_hdr.ether_shost; + snprintf(LOG,MAXENTRYLEN,"%0x:%0x:%0x:%0x:%0x:%0x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]); + } + add_idmef_object(idmef, "alert.source(0).node.address(1).address", LOG); + + protoent = getprotobynumber(cn->proto); + + /* alert.source(0).iana_protocol_number */ + 
snprintf(LOG,MAXENTRYLEN,"%u",(cn->proto)); + add_idmef_object(idmef, "alert.source(0).service.iana_protocol_number", LOG); + + /* alert.target(0).iana_protocol_number */ + add_idmef_object(idmef, "alert.target(0).service.iana_protocol_number", LOG); + + + if (protoent) { + /* alert.source(0).iana_protocol_name */ + add_idmef_object(idmef, "alert.source(0).service.iana_protocol_name", + protoent->p_name); + + /* alert.target(0).iana_protocol_name */ + add_idmef_object(idmef, "alert.target(0).service.iana_protocol_name", + protoent->p_name); + + /* alert.source(0).service */ + setservent(1); + if(cn->reversed==CNX_REVERSED){ + snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->d_port)); + sourceservent = getservbyport(ntohs(cn->d_port), protoent->p_name); + }else{ + snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->s_port)); + sourceservent = getservbyport(ntohs(cn->s_port), protoent->p_name); + } + + if (sourceservent && sourceservent->s_name) + add_idmef_object(idmef, "alert.source(0).service.name", + sourceservent->s_name ); + add_idmef_object(idmef, "alert.source(0).service.port", + LOG); + add_idmef_object(idmef, "alert.source(0).service.protocol", + protoent->p_name); + + /* alert.target(0).service */ + if(cn->reversed==CNX_REVERSED){ + snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->s_port)); + sourceservent = getservbyport(ntohs(cn->s_port), protoent->p_name); + }else{ + snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->d_port)); + sourceservent = getservbyport(ntohs(cn->d_port), protoent->p_name); + } + + if (sourceservent && sourceservent->s_name) + add_idmef_object(idmef, "alert.target(0).service.name", + sourceservent->s_name ); + add_idmef_object(idmef, "alert.target(0).service.port", + LOG); + add_idmef_object(idmef, "alert.target(0).service.protocol", + protoent->p_name); + } +/* +*/ + + /* alert.target(0).node.address(0) (ip address) */ + if(cn->reversed==CNX_REVERSED){ + snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0'); + }else{ + 
snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0'); + } + add_idmef_object(idmef, "alert.target(0).node.address(0).category", + "ipv4-addr"); + add_idmef_object(idmef, "alert.target(0).node.address(0).address", LOG); + + /* alert.target(0).node_address(1) (mac address) */ + add_idmef_object(idmef, "alert.target(0).node.address(1).category", "mac"); + { + struct myether_addr *es=(struct myether_addr *)&cn->eth_hdr.ether_dhost; + snprintf(LOG,MAXENTRYLEN,"%0x:%0x:%0x:%0x:%0x:%0x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]); + } + add_idmef_object(idmef, "alert.target(0).node.address(1).address", LOG); + + prelude_client_send_idmef(client, idmef); + idmef_message_destroy(idmef); +} + void record(struct cnx *cn, outputFileHandle *fH) { @@ -199,8 +401,15 @@ char eor=fH->getEor(); + /* do we want prelude alert generation for this record? */ + bzero(LOG,MAXENTRYLEN); + if (fH == gVars.sfH) { + record_prelude(cn); + } + + /* * Structure of a 48-bit Ethernet address.
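Review bot: `getservbyport()` takes the port in network byte order (POSIX), but record_prelude passes `ntohs(cn->d_port)` / `ntohs(cn->s_port)`, which the adjacent `snprintf("%u", ntohs(...))` shows are stored in network order, so on little-endian hosts the lookup is done for the byte-swapped port and the alert's `service.name` is wrong or missing whenever the two bytes differ; pass `cn->d_port` (resp. `cn->s_port`) directly and keep `ntohs()` only in the snprintf. Every `add_idmef_object()` return value is discarded and the `IDMEF()` macro reports failure with `printf("error\n")` to stdout, which sancp also uses for record output (gVars has stdout_fmt/stdout_delimiter), so a rule with an unacceptable `severity=` value yields an alert silently missing that field and a stray "error" line in the data stream; report through `syslog(LOG_ERR, ...)` like the rest of the file, check the add_idmef_object results at least for the assessment fields, and wrap the macro in `do { ... } while (0)`. The MAC formatting `%0x:%0x:...` has no field width so single-digit octets are not zero-padded (`0:1a:2b` instead of `00:1a:2b`); use `%02x`. The `setservent(1)` plus `getprotobynumber()`/`getservbyport()` calls run once per logged connection and are not reentrant, which is worth a comment since this sits on the logging path.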