# --- SDE-COPYRIGHT-NOTE-BEGIN --- |
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch. |
|
# |
|
# Filename: package/.../sancp/sancp-1.6.1-stable-prelude-3.diff |
|
# Copyright (C) 2007 The OpenSDE Project |
|
# |
|
# More information can be found in the files COPYING and README. |
|
# |
|
# This patch file is dual-licensed. It is available under the license the |
|
# patched project is licensed under, as long as it is an OpenSource license |
|
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms |
|
# of the GNU General Public License as published by the Free Software |
|
# Foundation; either version 2 of the License, or (at your option) any later |
|
# version. |
|
# --- SDE-COPYRIGHT-NOTE-END --- |
|
|
|
diff -ruN sancp-1.6.1-stable.vanilla/Makefile sancp-1.6.1-stable/Makefile |
|
--- sancp-1.6.1-stable.vanilla/Makefile 2007-07-07 00:46:11.000000000 +0200 |
|
+++ sancp-1.6.1-stable/Makefile 2007-07-24 13:44:01.000000000 +0200 |
|
@@ -9,7 +9,7 @@ |
|
|
|
|
|
# LINUX and BSD CFLAGS |
|
-CFLAGS = -O3 -I/usr/include/pcap -I/usr/local/include/pcap -I./ -L/usr/lib/libsocket.so -g -L/opt/csw/lib -ggdb |
|
+CFLAGS = -g -O3 -I/usr/include/pcap -I/usr/local/include/pcap -I./ -L/usr/lib/libsocket.so -g -L/opt/csw/lib -ggdb `libprelude-config --cflags` |
|
|
|
# LINUX LFLAGS |
|
LFLAGS = -lresolv -lnsl -lpcap -L/usr/lib/libpcap.so.0.6.2 |
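Review bot: The new CFLAGS line now carries `-g` twice (the added leading `-g` plus the existing `-g -ggdb`), and the backtick `libprelude-config --cflags` expands to nothing when the tool is not on PATH, so a missing libprelude only shows up later as a failed `#include <libprelude/prelude.h>`. Drop the duplicate flag and state the new hard dependency where the next maintainer will look for it, e.g. `# libprelude is a hard build dependency: libprelude-config must be on PATH` above the CFLAGS line, or fail early with a `$(shell ...)` check if GNU make is assumed (the `@make final` targets suggest it is). The `-L` oddities in CFLAGS and LFLAGS predate this change.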
|
@@ -41,10 +41,10 @@ |
|
bsd : |
|
@(echo "#define PLATFORM_BSD" > platform.h) |
|
@make final |
|
- g++ -Wall $(BFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o |
|
+ g++ -Wall $(BFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o `libprelude-config --libs` `libprelude-config --ldflags` |
|
|
|
linux : |
|
@(echo "#define PLATFORM_LINUX" > platform.h) |
|
@make final |
|
- g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o |
|
+ g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o `libprelude-config --libs` `libprelude-config --ldflags` |
|
|
|
diff -ruN sancp-1.6.1-stable.vanilla/apply_rule.cc sancp-1.6.1-stable/apply_rule.cc |
|
--- sancp-1.6.1-stable.vanilla/apply_rule.cc 2007-07-05 18:12:20.000000000 +0200 |
|
+++ sancp-1.6.1-stable/apply_rule.cc 2007-07-24 13:44:01.000000000 +0200 |
|
@@ -47,6 +47,12 @@ |
|
tc->tcplag=myacl->tcplag; |
|
tc->status=myacl->status; |
|
tc->rid=myacl->rid; |
|
+ tc->prelude_impact_severity=myacl->prelude_impact_severity; |
|
+ tc->prelude_impact_completion=myacl->prelude_impact_completion; |
|
+ tc->prelude_impact_type=myacl->prelude_impact_type; |
|
+ tc->prelude_confidence_rating=myacl->prelude_confidence_rating; |
|
+ |
|
+ |
|
|
|
if(myacl->pmode==OMODE_UNIQ) |
|
{ |
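Review bot: The four `tc->prelude_*` assignments copy raw `char *` pointers out of `myacl`, so a connection entry borrows the ACL's string rather than owning a copy, and nothing in this hunk says who frees it. That is fine while the ACL outlives every tracked connection, but if the rule set is ever rebuilt and its strdup'd strings freed while connections are still live, record_prelude would read through a dangling pointer — the ACL teardown is not visible here, so please confirm. A one-line comment at the first assignment would make the contract explicit: `/* prelude_* strings are owned by the ACL (or gVars defaults); cnx entries only borrow them and must not free */`.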
|
@@ -112,6 +118,10 @@ |
|
nc->rgid=myacl->rgid; |
|
nc->zone=myacl->zone; |
|
nc->node=myacl->node; |
|
+ nc->prelude_impact_severity=myacl->prelude_impact_severity; |
|
+ nc->prelude_impact_completion=myacl->prelude_impact_completion; |
|
+ nc->prelude_impact_type=myacl->prelude_impact_type; |
|
+ nc->prelude_confidence_rating=myacl->prelude_confidence_rating; |
|
myacl->ctr++; |
|
return; |
|
} |
|
@@ -130,6 +140,10 @@ |
|
nc->timeout=gVars.default_timeout; |
|
nc->tcplag=gVars.default_tcplag; |
|
nc->node=gVars.default_node; |
|
+ nc->prelude_impact_severity=gVars.prelude_impact_severity; |
|
+ nc->prelude_impact_completion=gVars.prelude_impact_completion; |
|
+ nc->prelude_impact_type=gVars.prelude_impact_type; |
|
+ nc->prelude_confidence_rating=gVars.prelude_confidence_rating; |
|
gVars.default_ctr++; |
|
#ifdef DEBUG |
|
printf("Setting stats: %d pcap: %d realtime: %d limit: %d timeout: %d tcplag: %d\n", nc->stats, nc->pcap, nc->realtime, nc->limit, nc->timeout, nc->tcplag); |
|
diff -ruN sancp-1.6.1-stable.vanilla/build_acl.cc sancp-1.6.1-stable/build_acl.cc |
|
--- sancp-1.6.1-stable.vanilla/build_acl.cc 2007-07-05 18:12:20.000000000 +0200 |
|
+++ sancp-1.6.1-stable/build_acl.cc 2007-07-24 13:44:01.000000000 +0200 |
|
@@ -1168,6 +1168,62 @@ |
|
fprintf(stdout,"Didn't set default for %s to %s\n",tok,tmp); |
|
#endif |
|
} |
|
+ if(strcmp(tok,"prelude_impact_severity")==0) |
|
+ { |
|
+ if((tmp = get_tok(&rules,accept))==NULL) |
|
+ { |
|
+ syslog(LOG_ERR,"Format error, prelude_impact_severity specified but none provided, using prelude_impact_severity %s\n",PRELUDE_IMPACT_SEVERITY); |
|
+ free(rule); |
|
+ return; |
|
+ } |
|
+ gVars.prelude_impact_severity = strdup(tmp); |
|
+ free(rule); |
|
+ } |
|
+ if(strcmp(tok,"prelude_impact_completion")==0) |
|
+ { |
|
+ if((tmp = get_tok(&rules,accept))==NULL) |
|
+ { |
|
+ syslog(LOG_ERR,"Format error, prelude_impact_completion specified but none provided, using prelude_impact_completion %s\n",PRELUDE_IMPACT_COMPLETION); |
|
+ free(rule); |
|
+ return; |
|
+ } |
|
+ gVars.prelude_impact_completion = strdup(tmp); |
|
+ free(rule); |
|
+ } |
|
+ if(strcmp(tok,"prelude_impact_type")==0) |
|
+ { |
|
+ if((tmp = get_tok(&rules,accept))==NULL) |
|
+ { |
|
+ syslog(LOG_ERR,"Format error, prelude_impact_type specified but none provided, using prelude_impact_type %s\n",PRELUDE_IMPACT_TYPE); |
|
+ free(rule); |
|
+ return; |
|
+ } |
|
+ gVars.prelude_impact_type = strdup(tmp); |
|
+ free(rule); |
|
+ } |
|
+ if(strcmp(tok,"prelude_confidence_rating")==0) |
|
+ { |
|
+ if((tmp = get_tok(&rules,accept))==NULL) |
|
+ { |
|
+ syslog(LOG_ERR,"Format error, prelude_confidence_rating specified but none provided, using prelude_confidence_rating %s\n",PRELUDE_CONFIDENCE_RATING); |
|
+ free(rule); |
|
+ return; |
|
+ } |
|
+ gVars.prelude_confidence_rating = strdup(tmp); |
|
+ free(rule); |
|
+ } |
|
+ if(strcmp(tok,"prelude_profile")==0) |
|
+ { |
|
+ if((tmp = get_tok(&rules,accept))==NULL) |
|
+ { |
|
+ syslog(LOG_ERR,"Format error, prelude_profile specified but none provided, using prelude_profile %s\n",PRELUDE_PROFILE); |
|
+ free(rule); |
|
+ return; |
|
+ } |
|
+ gVars.prelude_profile = strdup(tmp); |
|
+ free(rule); |
|
+ } |
|
+ |
|
} |
|
|
|
void parse_var(char *c_rule, char *accept) |
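Review bot: On the success path each new `prelude_*` handler calls `free(rule)` and then falls through to the next `strcmp(tok, ...)`, whereas the error path does `free(rule); return;`. If `tok` points into the `rule` buffer — which get_tok's in-place tokenising suggests but this hunk does not show — the following comparisons read freed memory, and any further `free(rule)` later in the function (its start is outside this hunk) would be a double free. Make the success path mirror the error path in all five blocks, `gVars.prelude_impact_severity = strdup(tmp); free(rule); return;`, or drop the per-block `free(rule)` if the caller owns `rule`. The `strdup` results are also unchecked and overwrite the previous default without freeing it; tolerable for a once-per-config assignment, but worth a `/* leaks the previous value on re-parse; defaults may be string literals */` comment.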
|
@@ -1426,6 +1482,10 @@ |
|
}else{ |
|
n_acl->fH = 0; |
|
} |
|
+ n_acl->prelude_impact_severity = gVars.prelude_impact_severity; |
|
+ n_acl->prelude_impact_completion = gVars.prelude_impact_completion; |
|
+ n_acl->prelude_impact_type = gVars.prelude_impact_type; |
|
+ n_acl->prelude_confidence_rating = gVars.prelude_confidence_rating; |
|
|
|
// FIELD 0 - required - Get the h_proto |
|
n_acl->h_proto_h = 0xFFFF; |
|
@@ -2061,6 +2121,46 @@ |
|
n_acl->retro = true; |
|
continue; |
|
} |
|
+ if(strcmp(tok,"severity")==0) |
|
+ { |
|
+ if((tmp = get_tok(rules,accept))==NULL) |
|
+ { |
|
+ syslog(LOG_ERR,"Format error, severity specified but no option provided%s\n",rule); |
|
+ return; |
|
+ } |
|
+ n_acl->prelude_impact_severity = strdup(tmp); |
|
+ continue; |
|
+ } |
|
+ if(strcmp(tok,"completion")==0) |
|
+ { |
|
+ if((tmp = get_tok(rules,accept))==NULL) |
|
+ { |
|
+ syslog(LOG_ERR,"Format error, completion specified but no option provided%s\n",rule); |
|
+ return; |
|
+ } |
|
+ n_acl->prelude_impact_completion = strdup(tmp); |
|
+ continue; |
|
+ } |
|
+ if(strcmp(tok,"type")==0) |
|
+ { |
|
+ if((tmp = get_tok(rules,accept))==NULL) |
|
+ { |
|
+ syslog(LOG_ERR,"Format error, type specified but no option provided%s\n",rule); |
|
+ return; |
|
+ } |
|
+ n_acl->prelude_impact_type = strdup(tmp); |
|
+ continue; |
|
+ } |
|
+ if(strcmp(tok,"confidence")==0) |
|
+ { |
|
+ if((tmp = get_tok(rules,accept))==NULL) |
|
+ { |
|
+ syslog(LOG_ERR,"Format error, confidence specified but no option provided%s\n",rule); |
|
+ return; |
|
+ } |
|
+ n_acl->prelude_confidence_rating = strdup(tmp); |
|
+ continue; |
|
+ } |
|
syslog(LOG_ERR,"Skipping, invalid option in rule: %s %s\n", tok,*rules); |
|
return; |
|
} |
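Review bot: The new `severity`, `completion`, `type` and `confidence` rule options accept any token and store it with an unchecked `strdup`, yet the values later land in IDMEF enumerated fields whose RFC 4765 vocabulary is fixed — severity is info/low/medium/high, completion failed/succeeded, type admin/dos/file/recon/user/other, confidence low/medium/high. A typo (this patch's own README example uses `severity=severe`) is therefore only detected when the alert is built, and because record_prelude ignores add_idmef_object's return the field is silently dropped. Validate at config load against a small static table and reject the rule with a precise message, as sketched below for severity; the same helper shape applies to the other three. Two smaller points: the log formats lack a separator before `%s` (`...no option provided%s`), and the keyword `type` is generic enough to deserve a comment saying it is the IDMEF impact type.
```cpp
/* Accepts only the RFC 4765 vocabulary for alert.assessment.impact.severity */
static int valid_prelude_severity(const char *s)
{
    static const char *const allowed[] = { "info", "low", "medium", "high", NULL };
    for (int i = 0; allowed[i]; i++)
        if (strcmp(s, allowed[i]) == 0) return 1;
    return 0;
}
/* … in the "severity" handler, after get_tok … */
if (!valid_prelude_severity(tmp)) {
    syslog(LOG_ERR,"Invalid severity '%s' (expected info|low|medium|high) in rule: %s\n", tmp, rule);
    return;
}
```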
|
diff -ruN sancp-1.6.1-stable.vanilla/docs/README sancp-1.6.1-stable/docs/README |
|
--- sancp-1.6.1-stable.vanilla/docs/README 2007-07-06 03:33:14.000000000 +0200 |
|
+++ sancp-1.6.1-stable/docs/README 2007-07-24 13:44:01.000000000 +0200 |
|
@@ -277,6 +277,10 @@ |
|
strip-80211 { disable|enable } |
|
node <number> |
|
debug_pcap_raw { disable|enable } |
|
+ prelude_impact_severity [string] |
|
+ prelude_impact_completion [string] |
|
+ prelude_impact_type [string] |
|
+ prelude_confidence_rating [string] |
|
|
|
known_port syntax: |
|
-----------------------: |
|
@@ -310,6 +314,9 @@ |
|
b) tagging options |
|
i.e. status=16 rid=1112 node=2 |
|
|
|
+ c) prelude options |
|
+ i.e. severity=severe, completion=succeeded, type=other, confidence=high |
|
+ |
|
[<ether protocol>[-<end_range>] [<src_ip{/<CIDR>|<dotted>}>] [<dst_ip{/<CIDR>|<dotted>}>] [{tcp|udp|icmp|<proto number>[-<end_range>] }] |
|
[<src_port>{-[<end_port_range>]}] [<dst_port>{-[<end_port_range>]}] |
|
{ ignore | stats [{log|pass}] | realtime [{log|pass}] | |
|
diff -ruN sancp-1.6.1-stable.vanilla/gvars.h sancp-1.6.1-stable/gvars.h |
|
--- sancp-1.6.1-stable.vanilla/gvars.h 2007-07-05 18:12:20.000000000 +0200 |
|
+++ sancp-1.6.1-stable/gvars.h 2007-07-24 13:44:01.000000000 +0200 |
|
@@ -17,7 +17,8 @@ |
|
/* Make certain all id's are represented in the same order (as strings) in fmtnames[] */ |
|
/* 'null' is a place holder - in the list for field 0 */ |
|
|
|
-enum id {null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_local,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac }; |
|
+enum id |
|
+{null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_local,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac,prelude_impact_sevirty,prelude_impact_completion,prelude_impact_type,prelude_confidence_rating,prelude_profile }; |
|
|
|
struct cnx_queue { |
|
struct cnx *head; |
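Review bot: The new enum tag `prelude_impact_sevirty` is misspelled and does not match the `prelude_impact_severity` member added a few lines below, so any later code or fmtnames[] entry that uses the id will have to reproduce the typo; rename it to `prelude_impact_severity` before it spreads. The comment directly above the enum requires every id to appear in the same order in fmtnames[], but this patch does not touch fmtnames[] anywhere, so the five new ids either index past the end of that array or are dead — please confirm which, and either extend fmtnames[] in step or drop the enum additions (record_prelude only uses the struct members).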
|
@@ -102,5 +103,10 @@ |
|
int stdout_fmt_len; |
|
pcap_t *ph; // pcap handle |
|
struct pcap_pkthdr *g_pkthdr;// |
|
+ char *prelude_impact_severity; |
|
+ char *prelude_impact_completion; |
|
+ char *prelude_impact_type; |
|
+ char *prelude_confidence_rating; |
|
+ char *prelude_profile; |
|
}; |
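Review bot: The five new `char *` members end up holding two kinds of string with different ownership — the string-literal defaults assigned in main() and heap strings from `strdup` in the config parser — and nothing distinguishes them, so no code can ever safely `free` one (freeing a literal is undefined behaviour, never freeing the strdup'd ones leaks on re-parse). Either declare them `const char *` and document that values are never freed, or always strdup the defaults so ownership is uniform; g++ also warns about the literal-to-`char *` conversion main() now performs. A comment on the first member would capture the intent: `/* IDMEF assessment defaults; may point at string literals or strdup()'d config values - never freed */`.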
|
|
|
diff -ruN sancp-1.6.1-stable.vanilla/sancp.cc sancp-1.6.1-stable/sancp.cc |
|
--- sancp-1.6.1-stable.vanilla/sancp.cc 2007-07-05 18:12:20.000000000 +0200 |
|
+++ sancp-1.6.1-stable/sancp.cc 2007-07-24 13:44:01.000000000 +0200 |
|
@@ -48,7 +48,40 @@ |
|
//char dfltfmt[]= { sancp_id,start_time_gmt,src_mac,dst_mac,eth_proto,src_ip_dotted,dst_ip_dotted,ip_proto,src_port,dst_port }; |
|
char dfltfmt_human_readable[]= { sancp_id,start_time_gmt,stop_time_gmt,erased_time_gmt,eth_proto,ip_proto,src_ip_dotted,src_port,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,dflags_hex,cflags_hex,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac }; |
|
|
|
+prelude_client_t *client; |
|
+static idmef_analyzer_t *idmef_analyzer; |
|
|
|
+int sancp_alert_init(prelude_client_t *client) |
|
+{ |
|
+ int ret; |
|
+ prelude_string_t *string; |
|
+ |
|
+ idmef_analyzer = prelude_client_get_analyzer(client); |
|
+ if ( ! idmef_analyzer ) |
|
+ return -1; |
|
+ |
|
+ ret = idmef_analyzer_new_model(idmef_analyzer, &string); |
|
+ if ( ret < 0 ) |
|
+ return -1; |
|
+ prelude_string_set_constant(string, PRELUDE_ANALYZER_MODEL); |
|
+ |
|
+ ret = idmef_analyzer_new_class(idmef_analyzer, &string); |
|
+ if ( ret < 0 ) |
|
+ return -1; |
|
+ prelude_string_set_constant(string, PRELUDE_ANALYZER_CLASS); |
|
+ |
|
+ ret = idmef_analyzer_new_manufacturer(idmef_analyzer, &string); |
|
+ if ( ret < 0 ) |
|
+ return -1; |
|
+ prelude_string_set_constant(string, PRELUDE_ANALYZER_MANUFACTURER); |
|
+ |
|
+ ret = idmef_analyzer_new_version(idmef_analyzer, &string); |
|
+ if ( ret < 0 ) |
|
+ return -1; |
|
+ prelude_string_set_constant(string, VERSION); |
|
+ |
|
+ return 0; |
|
+} |
|
/************* |
|
* Main * |
|
*************/ |
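Review bot: `sancp_alert_init` checks each `idmef_analyzer_new_*` result but ignores the return value of every `prelude_string_set_constant`, and its own result is ignored by the caller this patch adds in main(), so a half-described analyzer still starts. Return the libprelude error instead of a flat -1, `if ( ret < 0 ) return ret;`, so the caller can report it through `prelude_perror`. The parameter `client` also shadows the file-scope `prelude_client_t *client` declared two lines above; a distinct name such as `pc` avoids the confusion, and since sancp.h exports the global it deserves a less generic name like `prelude_client`.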
|
@@ -56,6 +89,7 @@ |
|
int main(int argc, char *argv[]) { |
|
extern struct gvars gVars; |
|
int cKey; |
|
+ int ret; |
|
pid_t pid=0; |
|
|
|
/* |
|
@@ -102,6 +136,14 @@ |
|
gVars.stdout_delimiter=DEFAULT_DELIMITER; |
|
gVars.stdout_eor=DEFAULT_EOR; |
|
|
|
+ gVars.prelude_impact_severity=PRELUDE_IMPACT_SEVERITY; |
|
+ gVars.prelude_impact_completion=PRELUDE_IMPACT_COMPLETION; |
|
+ gVars.prelude_impact_type=PRELUDE_IMPACT_TYPE; |
|
+ gVars.prelude_confidence_rating=PRELUDE_CONFIDENCE_RATING; |
|
+ gVars.prelude_profile=PRELUDE_PROFILE; |
|
+ |
|
+ |
|
+ |
|
for(cKey=0; cKey<HASH_KEYS; cKey++) |
|
{ |
|
gVars.cnx_head[cKey]=NULL; |
|
@@ -116,6 +158,8 @@ |
|
|
|
parse_args(argc, argv); |
|
|
|
+ |
|
+ |
|
if(gVars.human_readable){ |
|
if(gVars.realtime_fmt_len!=sizeof(dfltfmt_human_readable)){ |
|
free(gVars.realtime_fmt); |
|
@@ -143,7 +187,15 @@ |
|
|
|
setsid(); |
|
} |
|
+ prelude_log_set_flags((prelude_log_flags_t)PRELUDE_LOG_FLAGS_SYSLOG); |
|
} |
|
+ |
|
+ /* Initialize prelude */ |
|
+ ret = prelude_init(&argc, argv); |
|
+ if (ret < 0) { |
|
+ prelude_perror(ret, "unable to initialize the prelude library"); |
|
+ exit_all(0); |
|
+ } |
|
/* Retrieve the last cnxid from cache file if we haven't already in parse_args() */ |
|
|
|
if(!gVars.cnx_id) |
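Review bot: The new fatal path calls `exit_all(0)` after `prelude_perror`, so a sensor that cannot initialise libprelude exits with status 0 and whatever supervises it sees a clean shutdown rather than a failure; use `exit_all(1);` unless exit_all's argument means something else (its definition is outside this patch). `prelude_init(&argc, argv)` is also called after `parse_args` has already consumed argv, so libprelude's own command-line options would be seen, and presumably rejected, by sancp's parser first; if that is intended, say so with `/* libprelude options are not accepted on the command line; configure via the profile */`. `prelude_log_set_flags(... SYSLOG)` is set only in the daemonise branch, which is sensible, but sitting after `setsid()` inside that `if` it reads as part of the fork logic and would be clearer with a short comment.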
|
@@ -197,6 +249,29 @@ |
|
|
|
build_config(1); |
|
|
|
+ /* Create prelude sensor */ |
|
+ |
|
+ ret = prelude_client_new(&client, gVars.prelude_profile); |
|
+ if ( ! client ) { |
|
+ prelude_perror(ret, "Unable to create a prelude client object"); |
|
+ exit_all(0); |
|
+ } |
|
+ |
|
+ /* Start prelude sensor */ |
|
+ sancp_alert_init(client); |
|
+ ret = prelude_client_start(client); |
|
+ if ( ret < 0 ) { |
|
+ prelude_perror(ret, "Unable to start prelude client"); |
|
+ exit_all(0); |
|
+ } |
|
+ |
|
+ ret = prelude_client_set_flags(client, (prelude_client_flags_t) |
|
+ (PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); |
|
+ if ( ret < 0 ) { |
|
+ fprintf(stderr, "Unable to set asynchronous send and timer.\n"); |
|
+ exit_all(0); |
|
+ } |
|
+ |
|
/* Open files for output */ |
|
/* Be r3al l33t h3r3 */ |
|
|
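Review bot: `sancp_alert_init(client)` is called without checking its return value, and the `prelude_client_new` failure test looks at `! client` rather than `ret < 0` while still passing `ret` to `prelude_perror`, so an error that leaves `client` set is missed and a stale `ret` may be printed. Check the result consistently: `ret = sancp_alert_init(client); if ( ret < 0 ) { prelude_perror(ret, "Unable to describe analyzer"); exit_all(1); }` and `if ( ret < 0 )` for prelude_client_new. Every fatal branch here also exits with status 0, which hides the failure from whoever launched the sensor. If sancp drops privileges before this point (permissions.o is linked but not visible here), the profile's key and configuration must be readable by the unprivileged user; a comment next to `prelude_client_new` stating when it runs relative to the privilege drop would help operators.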
|
diff -ruN sancp-1.6.1-stable.vanilla/sancp.h sancp-1.6.1-stable/sancp.h |
|
--- sancp-1.6.1-stable.vanilla/sancp.h 2007-07-06 06:18:04.000000000 +0200 |
|
+++ sancp-1.6.1-stable/sancp.h 2007-07-24 13:44:01.000000000 +0200 |
|
@@ -47,6 +47,10 @@ |
|
#include "gvars.h" |
|
#endif |
|
|
|
+#include <libprelude/prelude.h> |
|
+#include <libprelude/prelude-log.h> |
|
+#include <netdb.h> |
|
+ |
|
#define NCP_H |
|
#define Y 'Y' |
|
#define N 'N' |
|
@@ -79,6 +83,7 @@ |
|
struct vars *next; |
|
}; |
|
|
|
+extern prelude_client_t *client; |
|
int main(int argc, char *argv[]); |
|
struct cnx *process(struct cnx*, int len, u_char * pkt); |
|
char * createPcapFileName(); |
|
@@ -185,6 +190,15 @@ |
|
#define OMODE_RULE 5 |
|
#define OMODE_UNIQ 6 |
|
|
|
+#define PRELUDE_IMPACT_SEVERITY "medium" |
|
+#define PRELUDE_IMPACT_COMPLETION "succeeded" |
|
+#define PRELUDE_IMPACT_TYPE "other" |
|
+#define PRELUDE_CONFIDENCE_RATING "high" |
|
+#define PRELUDE_ANALYZER_MODEL "Sancp" |
|
+#define PRELUDE_ANALYZER_CLASS "NIDS" |
|
+#define PRELUDE_ANALYZER_MANUFACTURER "http://www.metre.net/sancp.html" |
|
+#define PRELUDE_PROFILE "sancp" |
|
+ |
|
// Need to distinguish between classes of variables |
|
#define VCLASS_0 1 // eth_proto class vars |
|
#define VCLASS_1 2 // ip_addr class vars |
|
@@ -276,6 +290,10 @@ |
|
u_int16_t rgid; |
|
u_int16_t node; |
|
u_int16_t zone; |
|
+ char *prelude_impact_severity; |
|
+ char *prelude_impact_completion; |
|
+ char *prelude_impact_type; |
|
+ char *prelude_confidence_rating; |
|
CBuffer *CBufferPtr; |
|
struct acl *next; |
|
}; |
|
@@ -314,6 +332,10 @@ |
|
u_int16_t rgid; |
|
u_int16_t node; |
|
u_int16_t zone; |
|
+ char *prelude_impact_severity; |
|
+ char *prelude_impact_completion; |
|
+ char *prelude_impact_type; |
|
+ char *prelude_confidence_rating; |
|
CBuffer *CBufferPtr; |
|
struct os_info os_info; |
|
struct os_info os_info2; |
|
diff -ruN sancp-1.6.1-stable.vanilla/statefull_logging.cc sancp-1.6.1-stable/statefull_logging.cc |
|
--- sancp-1.6.1-stable.vanilla/statefull_logging.cc 2007-07-05 18:12:20.000000000 +0200 |
|
+++ sancp-1.6.1-stable/statefull_logging.cc 2007-07-24 13:44:01.000000000 +0200 |
|
@@ -183,6 +183,208 @@ |
|
snprintf(buf,len,"%s",currenttime); |
|
} |
|
|
|
+static int add_idmef_object(idmef_message_t *message, const char *object, const char *value) |
|
+{ |
|
+ int ret; |
|
+ idmef_value_t *val; |
|
+ idmef_path_t *path; |
|
+ |
|
+ ret = idmef_path_new(&path, object); |
|
+ if ( ret < 0 ) |
|
+ return -1; |
|
+ |
|
+ ret = idmef_value_new_from_path(&val, path, value); |
|
+ if ( ret < 0 ) { |
|
+ idmef_path_destroy(path); |
|
+ return -1; |
|
+ } |
|
+ |
|
+ ret = idmef_path_set(path, message, val); |
|
+ |
|
+ idmef_value_destroy(val); |
|
+ idmef_path_destroy(path); |
|
+ |
|
+ return ret; |
|
+} |
|
+ |
|
+#define IDMEF(x) { \ |
|
+ int ret = (x); \ |
|
+ if (ret < 0) { idmef_message_destroy(idmef); printf("error\n"); return; } \ |
|
+ } |
|
+ |
|
+void record_prelude(struct cnx *cn) { |
|
+ char LOG[MAXENTRYLEN]; |
|
+ |
|
+ idmef_message_t *idmef; |
|
+ idmef_alert_t *alert; |
|
+ idmef_time_t *time; |
|
+ |
|
+ struct servent *sourceservent; |
|
+ struct protoent *protoent; |
|
+ |
|
+ IDMEF(idmef_message_new(&idmef)); |
|
+ IDMEF(idmef_message_new_alert(idmef, &alert)); |
|
+ |
|
+ /* alert.detecttime */ |
|
+ if (cn->start_time) { |
|
+ IDMEF(idmef_time_new_from_time(&time, &cn->start_time)); |
|
+ } else { |
|
+ /* using the curen time */ |
|
+ IDMEF(idmef_time_new_from_gettimeofday(&time)); |
|
+ } |
|
+ idmef_alert_set_detect_time(alert, time); |
|
+ |
|
+ /* alert.createtime */ |
|
+ time = NULL; |
|
+ IDMEF(idmef_time_new_from_gettimeofday(&time)); |
|
+ idmef_alert_set_create_time(alert, time); |
|
+ |
|
+ /* alert.analyzer */ |
|
+ idmef_alert_set_analyzer(alert,idmef_analyzer_ref(prelude_client_get_analyzer(client)),0); |
|
+ |
|
+ /* alert.classification.text */ |
|
+ add_idmef_object(idmef, "alert.classification.text", |
|
+ "Unauthorized network connectivity"); |
|
+ |
|
+ /* alert.messageid */ |
|
+ snprintf(LOG,MAXENTRYLEN,"%lld",cn->cid); |
|
+ add_idmef_object(idmef, "alert.messageid", LOG); |
|
+ |
|
+ /* alert.impact.severity */ |
|
+ add_idmef_object(idmef, "alert.assessment.impact.severity", |
|
+ cn->prelude_impact_severity); |
|
+ |
|
+ /* alert.impact.completion */ |
|
+ add_idmef_object(idmef, "alert.assessment.impact.completion", |
|
+ cn->prelude_impact_completion); |
|
+ |
|
+ /* alert.impact.type */ |
|
+ add_idmef_object(idmef, "alert.assessment.impact.type", |
|
+ cn->prelude_impact_type); |
|
+ |
|
+ /* alert.confidence.rating */ |
|
+ add_idmef_object(idmef, "alert.assessment.confidence.rating", |
|
+ cn->prelude_confidence_rating); |
|
+ |
|
+ /* alert.additionaldata(0) */ |
|
+ add_idmef_object(idmef, "alert.additionaldata(0).type", "integer"); |
|
+ add_idmef_object(idmef, "alert.additionaldata(0).meaning", "status"); |
|
+ snprintf(LOG,MAXENTRYLEN,"%u",cn->status); |
|
+ add_idmef_object(idmef, "alert.additionaldata(0).integer", LOG); |
|
+ |
|
+ /* alert.additionaldata(1) */ |
|
+ add_idmef_object(idmef, "alert.additionaldata(1).type", "integer"); |
|
+ add_idmef_object(idmef, "alert.additionaldata(1).meaning", "Network node"); |
|
+ snprintf(LOG,MAXENTRYLEN,"%u",cn->node); |
|
+ add_idmef_object(idmef, "alert.additionaldata(1).integer", LOG); |
|
+ |
|
+ /* IP versios */ |
|
+ if (cn->h_proto == 8) { |
|
+ add_idmef_object(idmef, "alert.source(0).service.ip_version", "4"); |
|
+ add_idmef_object(idmef, "alert.target(0).service.ip_version", "4"); |
|
+ } else { |
|
+ /* bail out */ |
|
+ idmef_message_destroy(idmef); |
|
+ return; |
|
+ } |
|
+ |
|
+ /* alert.source(0).node.address(0) (ip address) */ |
|
+ if(cn->reversed==CNX_REVERSED){ |
|
+ snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0'); |
|
+ }else{ |
|
+ snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0'); |
|
+ } |
|
+ add_idmef_object(idmef, "alert.source(0).node.address(0).category", |
|
+ "ipv4-addr"); |
|
+ add_idmef_object(idmef, "alert.source(0).node.address(0).address", LOG); |
|
+ |
|
+ /* alert.source(0).node.address(1) (mac address) */ |
|
+ add_idmef_object(idmef, "alert.source(0).node.address(1).category", "mac"); |
|
+ { |
|
+ struct myether_addr *es=(struct myether_addr *)&cn->eth_hdr.ether_shost; |
|
+ snprintf(LOG,MAXENTRYLEN,"%0x:%0x:%0x:%0x:%0x:%0x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]); |
|
+ } |
|
+ add_idmef_object(idmef, "alert.source(0).node.address(1).address", LOG); |
|
+ |
|
+ protoent = getprotobynumber(cn->proto); |
|
+ |
|
+ /* alert.source(0).iana_protocol_number */ |
|
+ snprintf(LOG,MAXENTRYLEN,"%u",(cn->proto)); |
|
+ add_idmef_object(idmef, "alert.source(0).service.iana_protocol_number", LOG); |
|
+ |
|
+ /* alert.target(0).iana_protocol_number */ |
|
+ add_idmef_object(idmef, "alert.target(0).service.iana_protocol_number", LOG); |
|
+ |
|
+ |
|
+ if (protoent) { |
|
+ /* alert.source(0).iana_protocol_name */ |
|
+ add_idmef_object(idmef, "alert.source(0).service.iana_protocol_name", |
|
+ protoent->p_name); |
|
+ |
|
+ /* alert.target(0).iana_protocol_name */ |
|
+ add_idmef_object(idmef, "alert.target(0).service.iana_protocol_name", |
|
+ protoent->p_name); |
|
+ |
|
+ /* alert.source(0).service */ |
|
+ setservent(1); |
|
+ if(cn->reversed==CNX_REVERSED){ |
|
+ snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->d_port)); |
|
+ sourceservent = getservbyport(ntohs(cn->d_port), protoent->p_name); |
|
+ }else{ |
|
+ snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->s_port)); |
|
+ sourceservent = getservbyport(ntohs(cn->s_port), protoent->p_name); |
|
+ } |
|
+ |
|
+ if (sourceservent && sourceservent->s_name) |
|
+ add_idmef_object(idmef, "alert.source(0).service.name", |
|
+ sourceservent->s_name ); |
|
+ add_idmef_object(idmef, "alert.source(0).service.port", |
|
+ LOG); |
|
+ add_idmef_object(idmef, "alert.source(0).service.protocol", |
|
+ protoent->p_name); |
|
+ |
|
+ /* alert.target(0).service */ |
|
+ if(cn->reversed==CNX_REVERSED){ |
|
+ snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->s_port)); |
|
+ sourceservent = getservbyport(ntohs(cn->s_port), protoent->p_name); |
|
+ }else{ |
|
+ snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->d_port)); |
|
+ sourceservent = getservbyport(ntohs(cn->d_port), protoent->p_name); |
|
+ } |
|
+ |
|
+ if (sourceservent && sourceservent->s_name) |
|
+ add_idmef_object(idmef, "alert.target(0).service.name", |
|
+ sourceservent->s_name ); |
|
+ add_idmef_object(idmef, "alert.target(0).service.port", |
|
+ LOG); |
|
+ add_idmef_object(idmef, "alert.target(0).service.protocol", |
|
+ protoent->p_name); |
|
+ } |
|
+/* |
|
+*/ |
|
+ |
|
+ /* alert.target(0).node.address(0) (ip address) */ |
|
+ if(cn->reversed==CNX_REVERSED){ |
|
+ snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0'); |
|
+ }else{ |
|
+ snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0'); |
|
+ } |
|
+ add_idmef_object(idmef, "alert.target(0).node.address(0).category", |
|
+ "ipv4-addr"); |
|
+ add_idmef_object(idmef, "alert.target(0).node.address(0).address", LOG); |
|
+ |
|
+ /* alert.target(0).node_address(1) (mac address) */ |
|
+ add_idmef_object(idmef, "alert.target(0).node.address(1).category", "mac"); |
|
+ { |
|
+ struct myether_addr *es=(struct myether_addr *)&cn->eth_hdr.ether_dhost; |
|
+ snprintf(LOG,MAXENTRYLEN,"%0x:%0x:%0x:%0x:%0x:%0x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]); |
|
+ } |
|
+ add_idmef_object(idmef, "alert.target(0).node.address(1).address", LOG); |
|
+ |
|
+ prelude_client_send_idmef(client, idmef); |
|
+ idmef_message_destroy(idmef); |
|
+} |
|
+ |
|
|
|
void record(struct cnx *cn, outputFileHandle *fH) |
|
{ |
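Review bot: The `IDMEF()` macro's error branch destroys `idmef` and prints `error` to stdout, but `idmef` is uninitialised when the very first use, `IDMEF(idmef_message_new(&idmef))`, fails, so that branch hands garbage to idmef_message_destroy; and since sancp appears to emit realtime records on stdout (main() sets `gVars.stdout_fmt`/`stdout_delimiter`), a bare `printf("error\n")` would also corrupt that stream — log via syslog like the rest of the code. Two smaller defects in the same function: the MAC formatting uses `%0x`, which prints single-digit octets (`0:c:29:...`) and should be `%02x`; and `getservbyport()` takes the port in network byte order, whereas the calls pass `ntohs(cn->d_port)` — the adjacent `snprintf("%u", ntohs(...))` shows the field is already in network order, so pass it unconverted. Every `add_idmef_object` return is ignored, so an invalid user-supplied severity/completion/type/confidence silently drops that field. Finally, `cn->h_proto == 8` equals ETHERTYPE_IP (0x0800) only when the field holds the raw wire bytes on a little-endian host; compare against a named constant in whatever byte order h_proto actually uses.
```cpp
/* Abort building the alert: free what exists and log, rather than writing to
 * stdout, which sancp may be using for realtime records. */
#define IDMEF(x) do { \
        int ret_ = (x); \
        if (ret_ < 0) { \
            syslog(LOG_ERR, "prelude: IDMEF message build failed (%d)", ret_); \
            if (idmef) idmef_message_destroy(idmef); \
            return; \
        } \
    } while (0)

void record_prelude(struct cnx *cn) {
    char LOG[MAXENTRYLEN];
    idmef_message_t *idmef = NULL;   /* must be NULL before the first IDMEF() */
    /* … unchanged: alert, times, analyzer, assessment, additionaldata … */
    snprintf(LOG,MAXENTRYLEN,"%02x:%02x:%02x:%02x:%02x:%02x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]);
    /* … unchanged … */
    /* getservbyport() wants network byte order; cn->d_port is stored that way */
    sourceservent = getservbyport(cn->d_port, protoent->p_name);
    /* … unchanged: remaining fields, send, destroy … */
```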
|
@@ -199,8 +401,15 @@ |
|
|
|
char eor=fH->getEor(); |
|
|
|
+ /* do we want prelude alert generation for this record? */ |
|
+ |
|
bzero(LOG,MAXENTRYLEN); |
|
|
|
+ if (fH == gVars.sfH) { |
|
+ record_prelude(cn); |
|
+ } |
|
+ |
|
+ |
|
|
|
/* |
|
* Structure of a 48-bit Ethernet address.
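Review bot: With this hook every record written through `gVars.sfH` becomes an IDMEF alert, and record_prelude hard-codes the classification `Unauthorized network connectivity` for all of them, so a busy sensor will flood the manager with identically classified alerts for ordinary traffic and there is no per-rule way to opt out (the new `severity=` etc. options tune the assessment, not whether an alert is sent). Consider a rule or default option that enables prelude output, and at minimum state the policy here: `/* Every stats-file record is also sent to prelude as an alert; see record_prelude() */`. The comment `do we want prelude alert generation for this record?` is separated from the check it describes by the `bzero`; move it next to the `if`. The enclosing record() starts and ends outside this hunk.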
|
|
|