
Minor bugfix and improvement

Bumped revision to 313

Fix: Enable compilation without error with --enable-ipv6

Fix to spo_syslog_full
Fix: operation_mode parsing (strcasecmp return value)
Fix: defined values (literals instead of 0 and 1) for clarity.
Fix: in complete mode, a } was used instead of a ] at one place in an output
literal.
Fix: Check for input data in spo_database.c where revision is 0, we do
not log and we print messages
Modified: Replaced WARNING database by INFO database so people are less
alarmed when those pop-up.
1 parent 2f5d496 commit 163caf698eafe239c3afe23044ed6527b5f693c5 @binf binf committed Sep 25, 2012
@@ -63,7 +63,7 @@
#define VER_MAJOR "2"
#define VER_MINOR "1"
#define VER_REVISION "10"
-#define VER_BUILD "310"
+#define VER_BUILD "313"
#define STD_BUF 1024
@@ -274,12 +274,7 @@ void AlertArubaAction(Packet *p, void *event, uint32_t event_type, void *arg)
}
snprintf(cmdbufp, xmllenrem, "<ipaddr>%s</ipaddr>",
-#ifdef SUP_IP6
- inet_ntoa(GET_SRC_ADDR(p))
-#else
- inet_ntoa(p->iph->ip_src)
-#endif
- );
+ inet_ntoa(GET_SRC_ADDR(p)));
xmllenrem -= strlen(cmdbufp);
cmdbufp += strlen(cmdbufp);
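Review bot: With the SUP_IP6 branch removed, this path now always hands GET_SRC_ADDR(p) to inet_ntoa(), which only formats a 4-byte struct in_addr; if GET_SRC_ADDR yields just the IPv4 view of the packet address under an IPv6 build, an IPv6 source would be written into the <ipaddr> element as a truncated or wrong value rather than the real address. The FWsam hunk in this same commit already uses `sfip_ntoa(GET_SRC_IP(p))` under its IPv6 conditional, so using that form under SUP_IP6 here would keep the two plugins consistent and report the full address. inet_ntoa() also returns a static buffer, so its result must be consumed before the next call, which this single snprintf does. AlertArubaAction's body begins and ends outside the hunk.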
@@ -51,6 +51,7 @@
#include "plugbase.h"
#include "unified2.h"
#include "util.h"
+#include "ipv6_port.h"
extern OptTreeNode *otn_tmp;
@@ -68,6 +68,7 @@
#include "plugbase.h"
#include "unified2.h"
#include "util.h"
+#include "ipv6_port.h"
typedef struct _CEFData
{
@@ -66,6 +66,7 @@
#include "sfutil/sf_textlog.h"
#include "log_text.h"
+#include "ipv6_port.h"
#define DEFAULT_CSV "timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,ethsrc,ethdst,ethlen,tcpflags,tcpseq,tcpack,tcpln,tcpwindow,ttl,tos,id,dgmlen,iplen,icmptype,icmpcode,icmpid,icmpseq"
@@ -68,6 +68,8 @@
#include "sfutil/sf_textlog.h"
#include "log_text.h"
+#include "ipv6_port.h"
+
/* full buf was chosen to allow printing max size packets
* in hex/ascii mode:
@@ -1047,16 +1047,16 @@ void AlertFWsam(Packet *p, void *event, uint32_t event_type, void *arg)
for(i=0; i<FWSAM_REPET_BLOCKS && len; i++)
{
if( ( ( optp->how==FWSAM_HOW_THIS ) ? /* if blocking mode SERVICE, check for src and dst */
- ( lastbsip[i]==GET_SRC_IP(p) && lastbdip[i]==GET_DST_IP(p) && lastbproto[i]==GET_IPH_PROTO(p) &&
- ( IP_HAS_PORTS(p) ? /* check port only of TCP or UDP */
+ ( lastbsip[i]==(unsigned long)GET_SRC_IP(p) && lastbdip[i]==(unsigned long)GET_DST_IP(p) && lastbproto[i]==GET_IPH_PROTO(p) &&
+ ( IP_HAS_PORTS(p) ? /* check port only of TCP or UDP */
/* ((optp->who==FWSAM_WHO_SRC)?(lastbsp[i]==record->sp):(lastbdp[i]==record->dp)):TRUE) ): */
lastbdp[i]==p->dp : TRUE
)
) :
(
( optp->who==FWSAM_WHO_SRC) ?
- ( lastbsip[i]==GET_SRC_IP(p) ) :
- ( lastbdip[i]==GET_DST_IP(p) )
+ ( lastbsip[i]==(unsigned long)GET_SRC_IP(p) ) :
+ ( lastbdip[i]==(unsigned long)GET_DST_IP(p) )
)
) && /* otherwise if we block source, only compare source. Same for dest. */
lastbduration[i]==optp->duration &&
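Review bot: The `(unsigned long)` casts on GET_SRC_IP(p)/GET_DST_IP(p) silence a warning rather than fix a type mismatch: later in this file (L98) GET_SRC_IP(p) is passed to sfip_ntoa() under the IPv6 build, which suggests the macro evaluates to an address object (likely a pointer) there rather than a 32-bit host value. If so, lastbsip[]/lastbdip[] end up storing and comparing pointer values, so the repetitive-block check either never matches or matches every packet when the pointer is stable, and FWsam would re-send or wrongly suppress block requests; the stores in the hunk starting at L87 have the same problem. A safer form stores the address contents (the sfip_t by value, or the IPv4 word from the non-IPv6 accessor) and compares with the address-comparison helper the IPv6 port layer provides instead of casting. The enclosing AlertFWsam body starts before and ends after the hunk.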
@@ -1073,8 +1073,8 @@ void AlertFWsam(Packet *p, void *event, uint32_t event_type, void *arg)
if(++lastbpointer>=FWSAM_REPET_BLOCKS) /* increase repetitive check pointer */
lastbpointer=0;
- lastbsip[lastbpointer]=GET_SRC_IP(p); /* and note packet details */
- lastbdip[lastbpointer]=GET_DST_IP(p);
+ lastbsip[lastbpointer]=(unsigned long)GET_SRC_IP(p); /* and note packet details */
+ lastbdip[lastbpointer]=(unsigned long)GET_DST_IP(p);
lastbduration[lastbpointer]=optp->duration;
lastbmode[lastbpointer]=optp->how|optp->who|optp->loglevel;
lastbproto[lastbpointer]=GET_IPH_PROTO(p);
@@ -1169,8 +1169,8 @@ void AlertFWsam(Packet *p, void *event, uint32_t event_type, void *arg)
LogMessage("DEBUG => [Alert_FWsam] Src IP : %s\n",sfip_ntoa(GET_SRC_IP(p)));
LogMessage("DEBUG => [Alert_FWsam] Dest IP : %s\n",sfip_ntoa(GET_DST_IP(p)));
#else
- LogMessage("DEBUG => [Alert_FWsam] Src IP : %s\n",inet_ntoa(p->iph->ip_src));
- LogMessage("DEBUG => [Alert_FWsam] Dest IP : %s\n",inet_ntoa(p->iph->ip_dst));
+ LogMessage("DEBUG => [Alert_FWsam] Src IP : %s\n",inet_ntoa(GET_SRC_ADDR(p)));
+ LogMessage("DEBUG => [Alert_FWsam] Dest IP : %s\n",inet_ntoa(GET_DST_ADDR(p)));
#endif
LogMessage("DEBUG => [Alert_FWsam] Src Port : %i\n",p->sp);
LogMessage("DEBUG => [Alert_FWsam] Dest Port : %i\n",p->dp);
@@ -46,8 +46,8 @@
#include "mstring.h"
#include "map.h"
#include "unified2.h"
-
#include "barnyard2.h"
+#include "ipv6_port.h"
#define ANALYZER_CLASS "NIDS"
#define ANALYZER_MODEL "Snort"
@@ -68,6 +68,8 @@
#include "plugbase.h"
#include "unified2.h"
#include "util.h"
+#include "ipv6_port.h"
+
typedef struct _SyslogData
{
@@ -87,6 +87,7 @@
#include "util.h"
#include "spo_alert_test.h"
+#include "ipv6_port.h"
#define TEST_FLAG_FILE 0x01
#define TEST_FLAG_STDOUT 0x02
@@ -1261,7 +1261,7 @@ void ParseDatabaseArgs(DatabaseData *data)
if(data->dbRH[data->dbtype_id].dbConnectionLimit == 0)
{
- LogMessage("WARNING database: Defaulting Reconnect/Transaction Error limit to 10 \n");
+ LogMessage("INFO database: Defaulting Reconnect/Transaction Error limit to 10 \n");
data->dbRH[data->dbtype_id].dbConnectionLimit = 10;
/* Might make a different option for it but for now lets consider
@@ -1271,7 +1271,7 @@ void ParseDatabaseArgs(DatabaseData *data)
if(data->dbRH[data->dbtype_id].dbReconnectSleepTime.tv_sec == 0)
{
- LogMessage("WARNING database: Defaulting Reconnect sleep time to 5 second \n");
+ LogMessage("INFO database: Defaulting Reconnect sleep time to 5 second \n");
data->dbRH[data->dbtype_id].dbReconnectSleepTime.tv_sec = 5;
}
@@ -1441,7 +1441,7 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
revision = ntohl(((Unified2EventCommon *)event)->signature_revision);
priority = ntohl(((Unified2EventCommon *)event)->priority_id);
classification = ntohl(((Unified2EventCommon *)event)->classification_id);
-
+
/* NOTE: elz
For sanity purpose the sig_class table SHOULD have internal classification id to prevent possible
@@ -1578,7 +1578,7 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
if(reuseSigMsg)
{
/* The signature was not found we will have to insert it */
- LogMessage("WARNING [%s()]: [Event: %u] with [gid: %u] [sid: %u] [rev: %u] [classification: %u] [priority: %u] Signature Message -> \"[%s]\"\n"
+ LogMessage("INFO [%s()]: [Event: %u] with [gid: %u] [sid: %u] [rev: %u] [classification: %u] [priority: %u] Signature Message -> \"[%s]\"\n"
"\t was not found in barnyard2 signature cache, this could mean its is the first time the signature is processed, and will be inserted\n"
"\t in the database with the above information, this message should only be printed once for each signature that is not present in the database\n"
"\t The new inserted signature will not have its information present in the sig_reference table,it should be present on restart\n"
@@ -1603,7 +1603,7 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
else
{
/* The signature does not exist we will have to insert it */
- LogMessage("WARNING [%s()]: [Event: %u] with [gid: %u] [sid: %u] [rev: %u] [classification: %u] [priority: %u]\n"
+ LogMessage("INFO [%s()]: [Event: %u] with [gid: %u] [sid: %u] [rev: %u] [classification: %u] [priority: %u]\n"
"\t was not found in barnyard2 signature cache, this could lead to display inconsistency.\n"
"\t To prevent this warning, make sure that your sid-msg.map and gen-msg.map file are up to date with the snort process logging to the spool file.\n"
"\t The new inserted signature will not have its information present in the sig_reference table. \n"
@@ -2406,14 +2406,48 @@ void Database(Packet *p, void *event, uint32_t event_type, void *arg)
if( event == NULL || p == NULL)
{
- LogMessage("WARNING database [%s()]: Called with Event[0x%x] Event Type [%u] (P)acket [0x%x] \n",
+ LogMessage("WARNING database [%s()]: Called with Event[0x%x] Event Type [%u] (P)acket [0x%x], information has not been outputed. \n",
__FUNCTION__,
event,
event_type,
p);
return;
}
+
+ /*
+ Check for invalid revision eg: rev==0 when people write their own testing signature and
+ do not set a revision, in our context we will not log it to the database
+ and print a informative messsage
+ */
+ u_int32_t sid = 0;
+ u_int32_t gid = 0;
+ u_int32_t revision = 0;
+ u_int32_t event_id = 0;
+ u_int32_t event_second = 0;
+ u_int32_t event_microsecond = 0;
+
+ sid = ntohl(((Unified2EventCommon *)event)->signature_id);
+ gid = ntohl(((Unified2EventCommon *)event)->generator_id);
+ revision = ntohl(((Unified2EventCommon *)event)->signature_revision);
+ event_id = ntohl(((Unified2EventCommon *)event)->event_id);
+ event_second = ntohl(((Unified2EventCommon *)event)->event_second);
+ event_microsecond = ntohl(((Unified2EventCommon *)event)->event_microsecond);
+
+ if( (gid == 1) &&
+ (revision == 0))
+ {
+ LogMessage("INFO: Current event with event_id [%u] Event Second:Microsecond [%u:%u] and signature id of [%u] was logged with a revision of [%u]\n"
+ " Make sure you verify your triggering rule body so it include the snort keyword \"rev:xxx;\" Where xxx is greater than 0 \n"
+ ">>>>>>The event has not been logged to the database<<<<<<\n",
+ event_id,
+ event_second,
+ event_microsecond,
+ sid,
+ revision);
+ return;
+ }
+
/*
This has been refactored to simplify the workflow of the function
We separate the legacy signature entry code and the event entry code
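Review bot: The reworded LogMessage at L175 still prints the `event` and `p` pointers with `0x%x`; passing a pointer for `%x` is undefined and truncates on 64-bit builds, so these should be `%p` (`Event[%p] ... (P)acket [%p]`), and "outputed" should read "output". The new rev==0 guard drops the event after a single INFO line with no counter or rate limit, so a sensor emitting many gid:1 rev:0 alerts would produce one log line per event and none of them would reach the database; worth confirming that is intended and recording it in a comment such as `/* gid 1 events with rev 0 are dropped, not queued; only logged here */`. Declaring sid..event_microsecond after the first `if` block relies on C99 mixed declarations, which the rest of the file may not use; moving them to the top of Database() avoids that. Database()'s body continues outside the hunk.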
@@ -68,6 +68,7 @@
#include "plugbase.h"
#include "unified2.h"
#include "util.h"
+#include "ipv6_port.h"
/* internal functions */
void LogAsciiInit(char *args);
@@ -49,6 +49,7 @@
*/
#include "output-plugins/spo_syslog_full.h"
+#include "ipv6_port.h"
/* Output plugin API functions */
static void OpSyslog_Exit(int signal,void *outputPlugin);
@@ -129,11 +130,11 @@ void OpSyslog_Init(char *args)
case OUTPUT_TYPE_FLAG__LOG:
switch(syslogContext->operation_mode)
{
- case 1:
+ case OUT_MODE_FULL:
AddFuncToOutputList(OpSyslog_Log, OUTPUT_TYPE__LOG, (void *)syslogContext);
break;
- case 0:
+ case OUT_MODE_DEFAULT:
default:
LogMessage("[%s()]: OUTPUT_TYPE__LOG was selected but operation_mode is set to \"default\", using defaut logging hook \n",
__FUNCTION__);
@@ -248,7 +249,7 @@ int OpSyslog_Concat(OpSyslog_Data *syslogContext)
switch(syslogContext->operation_mode)
{
- case 0:
+ case OUT_MODE_DEFAULT:
if( (syslogContext->payload_current_pos += snprintf((syslogContext->payload+syslogContext->payload_current_pos),
(SYSLOG_MAX_QUERY_SIZE - syslogContext->payload_current_pos),
"%s",
@@ -259,7 +260,7 @@ int OpSyslog_Concat(OpSyslog_Data *syslogContext)
}
break;
- case 1:
+ case OUT_MODE_FULL:
if( (syslogContext->payload_current_pos += snprintf((syslogContext->payload+syslogContext->payload_current_pos),
(SYSLOG_MAX_QUERY_SIZE - syslogContext->payload_current_pos),
"%c %s %c",
@@ -362,15 +363,15 @@ static int Syslog_FormatTrigger(OpSyslog_Data *syslogData, Unified2EventCommon *
switch(opType)
{
- case 0:
+ case OUT_MODE_DEFAULT:
/* Alert */
- if( (syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"[SNORTIDS[ALERT]: [%s] }", syslogData->sensor_name)) >= SYSLOG_MAX_QUERY_SIZE)
+ if( (syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"[SNORTIDS[ALERT]: [%s] ]", syslogData->sensor_name)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
return 1;
}
break;
- case 1:
+ case OUT_MODE_FULL:
/* Log */
if( (syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"[SNORTIDS[LOG]: [%s] ]", syslogData->sensor_name)) >= SYSLOG_MAX_QUERY_SIZE)
{
@@ -496,10 +497,10 @@ static int Syslog_FormatIPHeaderAlert(OpSyslog_Data *data, Packet *p)
if(p->iph)
{
- p_ip = inet_ntoa(p->iph->ip_src);
+ p_ip = inet_ntoa(GET_SRC_ADDR(p));
memcpy(s_ip,p_ip,strlen(p_ip));
- p_ip = inet_ntoa(p->iph->ip_dst);
+ p_ip = inet_ntoa(GET_DST_ADDR(p));
memcpy(d_ip,p_ip,strlen(p_ip));
if( (data->format_current_pos += snprintf(data->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"%lu%c%s%c%s",
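Review bot: Both copies at L284 and L287 still use `memcpy(s_ip, p_ip, strlen(p_ip))`, which writes no terminator and has no bound on s_ip/d_ip; this only works if those buffers are pre-zeroed and large enough, neither of which is visible here. OpSyslog_Alert in this same commit (L298, L300) already uses `strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(sip))` with a length check, so the same form here, e.g. `strlcpy(s_ip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(s_ip))` if s_ip/d_ip are arrays, would be both consistent and bounded. As in the ArubaAction hunk, inet_ntoa() only formats a 4-byte in_addr, so an IPv6 address would be misreported if GET_SRC_ADDR yields only its IPv4 view under SUP_IP6. Syslog_FormatIPHeaderAlert starts before and ends after this hunk.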
@@ -858,8 +859,8 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
switch(syslogContext->operation_mode)
{
- case 0: /* Ze Classic (Requested) */
-
+ case OUT_MODE_DEFAULT:
+
if(IPH_IS_VALID(p))
{
if (strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(sip)) >= sizeof(sip))
@@ -873,7 +874,7 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
if (strlcpy(dip, inet_ntoa(GET_DST_ADDR(p)), sizeof(dip)) >= sizeof(dip))
{
FatalError("[%s()], strlcpy() error , bailing \n",
- __FUNCTION__);
+ __FUNCTION__);
return;
}
}
@@ -885,8 +886,8 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
ntohl(iEvent->classification_id));
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
- "[%u:%u:%u] ",
- ntohl(iEvent->generator_id),
+ "[%u:%u:%u] ",
+ ntohl(iEvent->generator_id),
ntohl(iEvent->signature_id),
ntohl(iEvent->signature_revision))) >= SYSLOG_MAX_QUERY_SIZE)
{
@@ -1051,7 +1052,7 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
break;
- case 1: /* Ze verbose */
+ case OUT_MODE_FULL: /* Ze verbose */
if(Syslog_FormatTrigger(syslogContext, iEvent,0) )
{
@@ -1116,7 +1117,7 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
FatalError("NetSend(): call failed for host:port '%s:%u' bailing...\n", syslogContext->server, syslogContext->port);
}
}
-
+
return;
}
@@ -1329,11 +1330,11 @@ OpSyslog_Data *OpSyslog_ParseArgs(char *args)
{
if(num_stoks >=1)
{
- if(strcasecmp("default",stoks[1]))
+ if(strcasecmp("default",stoks[1]) == 0)
{
op_data->operation_mode = 0;
}
- else if(strcasecmp("complete",stoks[1]))
+ else if(strcasecmp("complete",stoks[1]) == 0)
{
op_data->operation_mode = 1;
}
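Review bot: The corrected strcasecmp() checks still assign the bare literals `op_data->operation_mode = 0;` and `= 1;`, while the rest of this commit switches the consumers to OUT_MODE_DEFAULT / OUT_MODE_FULL; assigning the named constants here (`op_data->operation_mode = OUT_MODE_DEFAULT;` and `op_data->operation_mode = OUT_MODE_FULL;`) keeps producer and consumers tied to one definition. The guard `if(num_stoks >=1)` precedes a read of stoks[1]; if num_stoks is the token count, index 1 is only valid when it is at least 2, so this looks off by one and is worth checking against how stoks is built. Before this fix the inverted tests meant "default" selected mode 1 and "complete" (or any other value) selected mode 0, so existing configurations will change output mode after upgrading, which deserves a line in the release notes. OpSyslog_ParseArgs's body starts and ends outside the hunk.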
@@ -1718,10 +1719,10 @@ int NetConnect(OpSyslog_Data *op_data)
switch(op_data->proto)
{
- case 0:
+ case LOG_UDP:
return UDPConnect(op_data);
break;
- case 1:
+ case LOG_TCP:
return TCPConnect(op_data);
break;
default:
@@ -1826,7 +1827,7 @@ int NetSend(OpSyslog_Data *op_data)
switch(op_data->proto)
{
- case 0:
+ case LOG_UDP:
/* UDP */
if(sendto(op_data->socket,op_data->payload, strlen(op_data->payload), 0 , (struct sockaddr *)&op_data->sockaddr, sizeof(struct sockaddr)) <= 0)
{
@@ -1837,7 +1838,7 @@ int NetSend(OpSyslog_Data *op_data)
}
break;
- case 1:
+ case LOG_TCP:
/* TCP */
sendRetVal = send(op_data->socket, op_data->payload, strlen(op_data->payload),0);
