diff --git a/src/barnyard2.h b/src/barnyard2.h
index 23e20d2..bfa5e68 100644
--- a/src/barnyard2.h
+++ b/src/barnyard2.h
@@ -63,7 +63,7 @@
 #define VER_MAJOR "2"
 #define VER_MINOR "1"
 #define VER_REVISION "10"
-#define VER_BUILD "310"
+#define VER_BUILD "313"
 #define STD_BUF 1024
diff --git a/src/output-plugins/spo_alert_arubaaction.c b/src/output-plugins/spo_alert_arubaaction.c
index dab9ec1..227ab23 100644
--- a/src/output-plugins/spo_alert_arubaaction.c
+++ b/src/output-plugins/spo_alert_arubaaction.c
@@ -274,12 +274,7 @@ void AlertArubaAction(Packet *p, void *event, uint32_t event_type, void *arg)
 }
 snprintf(cmdbufp, xmllenrem, "%s",
-#ifdef SUP_IP6
- inet_ntoa(GET_SRC_ADDR(p))
-#else
- inet_ntoa(p->iph->ip_src)
-#endif
- );
+ inet_ntoa(GET_SRC_ADDR(p)));
 xmllenrem -= strlen(cmdbufp);
 cmdbufp += strlen(cmdbufp);
diff --git a/src/output-plugins/spo_alert_bro.c b/src/output-plugins/spo_alert_bro.c
index 03e5c17..6fca8bb 100644
--- a/src/output-plugins/spo_alert_bro.c
+++ b/src/output-plugins/spo_alert_bro.c
@@ -51,6 +51,7 @@
 #include "plugbase.h"
 #include "unified2.h"
 #include "util.h"
+#include "ipv6_port.h"
 extern OptTreeNode *otn_tmp;
diff --git a/src/output-plugins/spo_alert_cef.c b/src/output-plugins/spo_alert_cef.c
index 95ca97f..f7ca783 100644
--- a/src/output-plugins/spo_alert_cef.c
+++ b/src/output-plugins/spo_alert_cef.c
@@ -68,6 +68,7 @@
 #include "plugbase.h"
 #include "unified2.h"
 #include "util.h"
+#include "ipv6_port.h"
 typedef struct _CEFData
 {
diff --git a/src/output-plugins/spo_alert_csv.c b/src/output-plugins/spo_alert_csv.c
index 589ef5a..8e9f6fe 100644
--- a/src/output-plugins/spo_alert_csv.c
+++ b/src/output-plugins/spo_alert_csv.c
@@ -66,6 +66,7 @@
 #include "sfutil/sf_textlog.h"
 #include "log_text.h"
+#include "ipv6_port.h"
 #define DEFAULT_CSV "timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,ethsrc,ethdst,ethlen,tcpflags,tcpseq,tcpack,tcpln,tcpwindow,ttl,tos,id,dgmlen,iplen,icmptype,icmpcode,icmpid,icmpseq"
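Review bot: The now-unconditional `inet_ntoa(GET_SRC_ADDR(p))` in the snprintf call only renders IPv4 correctly: inet_ntoa takes a struct in_addr, so an IPv6 source cannot be formatted through it, and the ipv6_port.h include added to the other plugins in this commit suggests IPv6 addresses are now expected on this path. If GET_SRC_ADDR(p) can yield an IPv6 address in this build, `inet_ntop()` into a local `char addr[INET6_ADDRSTRLEN]` would cover both families; inet_ntoa also returns a pointer to a static buffer, which is worth a comment where the value is consumed. Nothing in the hunk shows p->iph being validated before the address is read, which the removed `#else` branch dereferenced directly as well; AlertArubaAction continues outside the hunk.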
diff --git a/src/output-plugins/spo_alert_fast.c b/src/output-plugins/spo_alert_fast.c index 75d7768..fa8752b 100644 --- a/src/output-plugins/spo_alert_fast.c +++ b/src/output-plugins/spo_alert_fast.c @@ -68,6 +68,8 @@ #include "sfutil/sf_textlog.h" #include "log_text.h" +#include "ipv6_port.h" + /* full buf was chosen to allow printing max size packets * in hex/ascii mode: diff --git a/src/output-plugins/spo_alert_fwsam.c b/src/output-plugins/spo_alert_fwsam.c index b9a74b7..859c5f3 100644 --- a/src/output-plugins/spo_alert_fwsam.c +++ b/src/output-plugins/spo_alert_fwsam.c @@ -1047,16 +1047,16 @@ void AlertFWsam(Packet *p, void *event, uint32_t event_type, void *arg) for(i=0; ihow==FWSAM_HOW_THIS ) ? /* if blocking mode SERVICE, check for src and dst */ - ( lastbsip[i]==GET_SRC_IP(p) && lastbdip[i]==GET_DST_IP(p) && lastbproto[i]==GET_IPH_PROTO(p) && - ( IP_HAS_PORTS(p) ? /* check port only of TCP or UDP */ + ( lastbsip[i]==(unsigned long)GET_SRC_IP(p) && lastbdip[i]==(unsigned long)GET_DST_IP(p) && lastbproto[i]==GET_IPH_PROTO(p) && + ( IP_HAS_PORTS(p) ? /* check port only of TCP or UDP */ /* ((optp->who==FWSAM_WHO_SRC)?(lastbsp[i]==record->sp):(lastbdp[i]==record->dp)):TRUE) ): */ lastbdp[i]==p->dp : TRUE ) ) : ( ( optp->who==FWSAM_WHO_SRC) ? - ( lastbsip[i]==GET_SRC_IP(p) ) : - ( lastbdip[i]==GET_DST_IP(p) ) + ( lastbsip[i]==(unsigned long)GET_SRC_IP(p) ) : + ( lastbdip[i]==(unsigned long)GET_DST_IP(p) ) ) ) && /* otherwise if we block source, only compare source. Same for dest. */ lastbduration[i]==optp->duration && 
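Review bot: The `(unsigned long)GET_SRC_IP(p)` / `(unsigned long)GET_DST_IP(p)` casts in the lastbsip/lastbdip comparisons (and the matching stores in the hunk at -1073) silence a type mismatch rather than resolve it. The debug hunk at -1169 passes `GET_SRC_IP(p)` to `sfip_ntoa()` under the same build option, which suggests the macro yields a pointer to an address structure there; if so, the cast stores and compares a pointer value, so two packets from the same source would not match and the repetitive-block suppression would silently stop working on such builds. Comparing the address contents, or caching a copy of the address rather than an integer, would make the check meaningful for both address families. This hunk's text is garbled in the rendering (`for(i=0; ihow==FWSAM_HOW_THIS`), so the loop header and the full condition could not be checked; AlertFWsam starts and ends outside the hunk.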
@@ -1073,8 +1073,8 @@ void AlertFWsam(Packet *p, void *event, uint32_t event_type, void *arg)
 if(++lastbpointer>=FWSAM_REPET_BLOCKS) /* increase repetitive check pointer */
 lastbpointer=0;
- lastbsip[lastbpointer]=GET_SRC_IP(p); /* and note packet details */
- lastbdip[lastbpointer]=GET_DST_IP(p);
+ lastbsip[lastbpointer]=(unsigned long)GET_SRC_IP(p); /* and note packet details */
+ lastbdip[lastbpointer]=(unsigned long)GET_DST_IP(p);
 lastbduration[lastbpointer]=optp->duration;
 lastbmode[lastbpointer]=optp->how|optp->who|optp->loglevel;
 lastbproto[lastbpointer]=GET_IPH_PROTO(p);
@@ -1169,8 +1169,8 @@ void AlertFWsam(Packet *p, void *event, uint32_t event_type, void *arg)
 LogMessage("DEBUG => [Alert_FWsam] Src IP : %s\n",sfip_ntoa(GET_SRC_IP(p)));
 LogMessage("DEBUG => [Alert_FWsam] Dest IP : %s\n",sfip_ntoa(GET_DST_IP(p)));
 #else
- LogMessage("DEBUG => [Alert_FWsam] Src IP : %s\n",inet_ntoa(p->iph->ip_src));
- LogMessage("DEBUG => [Alert_FWsam] Dest IP : %s\n",inet_ntoa(p->iph->ip_dst));
+ LogMessage("DEBUG => [Alert_FWsam] Src IP : %s\n",inet_ntoa(GET_SRC_ADDR(p)));
+ LogMessage("DEBUG => [Alert_FWsam] Dest IP : %s\n",inet_ntoa(GET_DST_ADDR(p)));
 #endif
 LogMessage("DEBUG => [Alert_FWsam] Src Port : %i\n",p->sp);
 LogMessage("DEBUG => [Alert_FWsam] Dest Port : %i\n",p->dp);
diff --git a/src/output-plugins/spo_alert_prelude.c b/src/output-plugins/spo_alert_prelude.c
index 3a94bd1..6b55940 100644
--- a/src/output-plugins/spo_alert_prelude.c
+++ b/src/output-plugins/spo_alert_prelude.c
@@ -46,8 +46,8 @@
 #include "mstring.h"
 #include "map.h"
 #include "unified2.h"
-
 #include "barnyard2.h"
+#include "ipv6_port.h"
 #define ANALYZER_CLASS "NIDS"
 #define ANALYZER_MODEL "Snort"
diff --git a/src/output-plugins/spo_alert_syslog.c b/src/output-plugins/spo_alert_syslog.c
index 78d4a25..6dceb75 100644
--- a/src/output-plugins/spo_alert_syslog.c
+++ b/src/output-plugins/spo_alert_syslog.c
@@ -68,6 +68,8 @@
 #include "plugbase.h"
 #include "unified2.h"
 #include "util.h"
+#include "ipv6_port.h"
+
 typedef struct _SyslogData
 {
diff --git a/src/output-plugins/spo_alert_test.c b/src/output-plugins/spo_alert_test.c
index bb096b7..f67353b 100644
--- a/src/output-plugins/spo_alert_test.c
+++ b/src/output-plugins/spo_alert_test.c
@@ -87,6 +87,7 @@
 #include "util.h"
 #include "spo_alert_test.h"
+#include "ipv6_port.h"
 #define TEST_FLAG_FILE 0x01
 #define TEST_FLAG_STDOUT 0x02
diff --git a/src/output-plugins/spo_database.c b/src/output-plugins/spo_database.c
index b2a41f8..77ea7fe 100644
--- a/src/output-plugins/spo_database.c
+++ b/src/output-plugins/spo_database.c
@@ -1261,7 +1261,7 @@ void ParseDatabaseArgs(DatabaseData *data)
 if(data->dbRH[data->dbtype_id].dbConnectionLimit == 0)
 {
- LogMessage("WARNING database: Defaulting Reconnect/Transaction Error limit to 10 \n");
+ LogMessage("INFO database: Defaulting Reconnect/Transaction Error limit to 10 \n");
 data->dbRH[data->dbtype_id].dbConnectionLimit = 10;
 /* Might make a different option for it but for now lets consider
@@ -1271,7 +1271,7 @@ void ParseDatabaseArgs(DatabaseData *data)
 if(data->dbRH[data->dbtype_id].dbReconnectSleepTime.tv_sec == 0)
 {
- LogMessage("WARNING database: Defaulting Reconnect sleep time to 5 second \n");
+ LogMessage("INFO database: Defaulting Reconnect sleep time to 5 second \n");
 data->dbRH[data->dbtype_id].dbReconnectSleepTime.tv_sec = 5;
 }
@@ -1441,7 +1441,7 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
 revision = ntohl(((Unified2EventCommon *)event)->signature_revision);
 priority = ntohl(((Unified2EventCommon *)event)->priority_id);
 classification = ntohl(((Unified2EventCommon *)event)->classification_id);
-
+
 /* NOTE: elz For sanity purpose the sig_class table SHOULD have internal classification id to prevent possible
@@ -1578,7 +1578,7 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
 if(reuseSigMsg)
 {
 /* The signature was not found we will have to insert it */
- LogMessage("WARNING [%s()]: [Event: %u] with [gid: %u] [sid: %u] [rev: %u] [classification: %u] [priority: %u] Signature Message -> \"[%s]\"\n"
+ LogMessage("INFO [%s()]: [Event: %u] with [gid: %u] [sid: %u] [rev: %u] [classification: %u] [priority: %u] Signature Message -> \"[%s]\"\n"
 "\t was not found in barnyard2 signature cache, this could mean its is the first time the signature is processed, and will be inserted\n"
 "\t in the database with the above information, this message should only be printed once for each signature that is not present in the database\n"
 "\t The new inserted signature will not have its information present in the sig_reference table,it should be present on restart\n"
@@ -1603,7 +1603,7 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
 else
 {
 /* The signature does not exist we will have to insert it */
- LogMessage("WARNING [%s()]: [Event: %u] with [gid: %u] [sid: %u] [rev: %u] [classification: %u] [priority: %u]\n"
+ LogMessage("INFO [%s()]: [Event: %u] with [gid: %u] [sid: %u] [rev: %u] [classification: %u] [priority: %u]\n"
 "\t was not found in barnyard2 signature cache, this could lead to display inconsistency.\n"
 "\t To prevent this warning, make sure that your sid-msg.map and gen-msg.map file are up to date with the snort process logging to the spool file.\n"
 "\t The new inserted signature will not have its information present in the sig_reference table. \n"
@@ -2406,7 +2406,7 @@ void Database(Packet *p, void *event, uint32_t event_type, void *arg)
 if( event == NULL || p == NULL)
 {
- LogMessage("WARNING database [%s()]: Called with Event[0x%x] Event Type [%u] (P)acket [0x%x] \n",
+ LogMessage("WARNING database [%s()]: Called with Event[0x%x] Event Type [%u] (P)acket [0x%x], information has not been outputed. \n",
 __FUNCTION__,
 event,
 event_type,
@@ -2414,6 +2414,40 @@ void Database(Packet *p, void *event, uint32_t event_type, void *arg)
 return;
 }
+
+ /*
+ Check for invalid revision eg: rev==0 when people write their own testing signature and
+ do not set a revision, in our context we will not log it to the database
+ and print a informative messsage
+ */
+ u_int32_t sid = 0;
+ u_int32_t gid = 0;
+ u_int32_t revision = 0;
+ u_int32_t event_id = 0;
+ u_int32_t event_second = 0;
+ u_int32_t event_microsecond = 0;
+
+ sid = ntohl(((Unified2EventCommon *)event)->signature_id);
+ gid = ntohl(((Unified2EventCommon *)event)->generator_id);
+ revision = ntohl(((Unified2EventCommon *)event)->signature_revision);
+ event_id = ntohl(((Unified2EventCommon *)event)->event_id);
+ event_second = ntohl(((Unified2EventCommon *)event)->event_second);
+ event_microsecond = ntohl(((Unified2EventCommon *)event)->event_microsecond);
+
+ if( (gid == 1) &&
+ (revision == 0))
+ {
+ LogMessage("INFO: Current event with event_id [%u] Event Second:Microsecond [%u:%u] and signature id of [%u] was logged with a revision of [%u]\n"
+ " Make sure you verify your triggering rule body so it include the snort keyword \"rev:xxx;\" Where xxx is greater than 0 \n"
+ ">>>>>>The event has not been logged to the database<<<<<<\n",
+ event_id,
+ event_second,
+ event_microsecond,
+ sid,
+ revision);
+ return;
+ }
+
 /* This has been refactored to simplify the workflow of the function
 We separate the legacy signature entry code and the event entry code
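Review bot: The rewritten LogMessage format still prints the `event` and `p` pointers through `[0x%x]`, which expects an unsigned int; on a 64-bit build that is a format/argument mismatch that truncates the value and is undefined behavior. Use `%p` for both pointer fields, `Event[%p]` and `(P)acket [%p]`, and keep `%u` for event_type; the trailing "outputed" in the new text would read better as "output". The argument list continues past the hunk, so the last argument was not visible; Database() starts and ends outside the hunk.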
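Review bot: The new `gid == 1 && revision == 0` check drops the event from the database and emits an INFO line on every such event, with no once-per-signature guard like the one the existing reuseSigMsg message describes; a busy local rule without a rev keyword would both vanish from the persistent record and flood the log on each match. From a detection-visibility standpoint it is safer to still store the event, or at least count the drops and report them once per sid, and to log at WARNING level so an operator notices that alerts are being discarded. The six ntohl() extractions duplicate what dbProcessSignatureInformation() already does (hunk at -1441) and could share a small helper, and the added comment's "messsage" and "a informative" are typos. Database() continues outside the hunk.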
diff --git a/src/output-plugins/spo_log_ascii.c b/src/output-plugins/spo_log_ascii.c
index 672b750..2552524 100644
--- a/src/output-plugins/spo_log_ascii.c
+++ b/src/output-plugins/spo_log_ascii.c
@@ -68,6 +68,7 @@
 #include "plugbase.h"
 #include "unified2.h"
 #include "util.h"
+#include "ipv6_port.h"
 /* internal functions */
 void LogAsciiInit(char *args);
diff --git a/src/output-plugins/spo_syslog_full.c b/src/output-plugins/spo_syslog_full.c
index b6622e6..ce677a1 100644
--- a/src/output-plugins/spo_syslog_full.c
+++ b/src/output-plugins/spo_syslog_full.c
@@ -49,6 +49,7 @@
 */
 #include "output-plugins/spo_syslog_full.h"
+#include "ipv6_port.h"
 /* Output plugin API functions */
 static void OpSyslog_Exit(int signal,void *outputPlugin);
@@ -129,11 +130,11 @@ void OpSyslog_Init(char *args)
 case OUTPUT_TYPE_FLAG__LOG:
 switch(syslogContext->operation_mode)
 {
- case 1:
+ case OUT_MODE_FULL:
 AddFuncToOutputList(OpSyslog_Log, OUTPUT_TYPE__LOG, (void *)syslogContext);
 break;
- case 0:
+ case OUT_MODE_DEFAULT:
 default:
 LogMessage("[%s()]: OUTPUT_TYPE__LOG was selected but operation_mode is set to \"default\", using defaut logging hook \n",
 __FUNCTION__);
@@ -248,7 +249,7 @@ int OpSyslog_Concat(OpSyslog_Data *syslogContext)
 switch(syslogContext->operation_mode)
 {
- case 0:
+ case OUT_MODE_DEFAULT:
 if( (syslogContext->payload_current_pos += snprintf((syslogContext->payload+syslogContext->payload_current_pos),
 (SYSLOG_MAX_QUERY_SIZE - syslogContext->payload_current_pos),
 "%s",
@@ -259,7 +260,7 @@ int OpSyslog_Concat(OpSyslog_Data *syslogContext)
 }
 break;
- case 1:
+ case OUT_MODE_FULL:
 if( (syslogContext->payload_current_pos += snprintf((syslogContext->payload+syslogContext->payload_current_pos),
 (SYSLOG_MAX_QUERY_SIZE - syslogContext->payload_current_pos),
 "%c %s %c",
@@ -362,15 +363,15 @@ static int Syslog_FormatTrigger(OpSyslog_Data *syslogData, Unified2EventCommon *
 switch(opType)
 {
- case 0:
+ case OUT_MODE_DEFAULT:
 /* Alert */
- if( (syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"[SNORTIDS[ALERT]: [%s] }", syslogData->sensor_name)) >= SYSLOG_MAX_QUERY_SIZE)
+ if( (syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"[SNORTIDS[ALERT]: [%s] ]", syslogData->sensor_name)) >= SYSLOG_MAX_QUERY_SIZE)
 {
 /* XXX */
 return 1;
 }
 break;
- case 1:
+ case OUT_MODE_FULL:
 /* Log */
 if( (syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"[SNORTIDS[LOG]: [%s] ]", syslogData->sensor_name)) >= SYSLOG_MAX_QUERY_SIZE)
 {
@@ -496,10 +497,10 @@ static int Syslog_FormatIPHeaderAlert(OpSyslog_Data *data, Packet *p)
 if(p->iph)
 {
- p_ip = inet_ntoa(p->iph->ip_src);
+ p_ip = inet_ntoa(GET_SRC_ADDR(p));
 memcpy(s_ip,p_ip,strlen(p_ip));
- p_ip = inet_ntoa(p->iph->ip_dst);
+ p_ip = inet_ntoa(GET_DST_ADDR(p));
 memcpy(d_ip,p_ip,strlen(p_ip));
 if( (data->format_current_pos += snprintf(data->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"%lu%c%s%c%s",
@@ -858,8 +859,8 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 switch(syslogContext->operation_mode)
 {
- case 0: /* Ze Classic (Requested) */
-
+ case OUT_MODE_DEFAULT:
+
 if(IPH_IS_VALID(p))
 {
 if (strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(sip)) >= sizeof(sip))
@@ -873,7 +874,7 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 if (strlcpy(dip, inet_ntoa(GET_DST_ADDR(p)), sizeof(dip)) >= sizeof(dip))
 {
 FatalError("[%s()], strlcpy() error , bailing \n",
- __FUNCTION__);
+ __FUNCTION__);
 return;
 }
 }
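Review bot: In the hunk at -496, `memcpy(s_ip,p_ip,strlen(p_ip))` copies the inet_ntoa() result without its terminating NUL and without regard to the size of s_ip (the same for d_ip two lines later); the change only switched the address source and kept that pattern. OpSyslog_Alert in this same file (hunk at -858) already does it the bounded way, `if (strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(sip)) >= sizeof(sip))`, so `strlcpy(s_ip, p_ip, sizeof(s_ip))` with the same length check would be consistent, assuming s_ip and d_ip are fixed-size arrays declared earlier in Syslog_FormatIPHeaderAlert (outside the hunk). The `"%lu%c%s%c%s"` format that follows relies on s_ip and d_ip being NUL-terminated by whatever initialised them, so an unterminated copy can read past the intended string. Syslog_FormatIPHeaderAlert starts and ends outside the hunk.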
@@ -885,8 +886,8 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 ntohl(iEvent->classification_id));
 if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
- "[%u:%u:%u] ",
- ntohl(iEvent->generator_id),
+ "[%u:%u:%u] ",
+ ntohl(iEvent->generator_id),
 ntohl(iEvent->signature_id),
 ntohl(iEvent->signature_revision))) >= SYSLOG_MAX_QUERY_SIZE)
 {
@@ -1051,7 +1052,7 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 break;
- case 1: /* Ze verbose */
+ case OUT_MODE_FULL: /* Ze verbose */
 if(Syslog_FormatTrigger(syslogContext, iEvent,0) )
 {
@@ -1116,7 +1117,7 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 FatalError("NetSend(): call failed for host:port '%s:%u' bailing...\n", syslogContext->server, syslogContext->port);
 }
 }
-
+
 return;
 }
@@ -1329,11 +1330,11 @@ OpSyslog_Data *OpSyslog_ParseArgs(char *args)
 {
 if(num_stoks >=1)
 {
- if(strcasecmp("default",stoks[1]))
+ if(strcasecmp("default",stoks[1]) == 0)
 {
 op_data->operation_mode = 0;
 }
- else if(strcasecmp("complete",stoks[1]))
+ else if(strcasecmp("complete",stoks[1]) == 0)
 {
 op_data->operation_mode = 1;
 }
@@ -1718,10 +1719,10 @@ int NetConnect(OpSyslog_Data *op_data)
 switch(op_data->proto)
 {
- case 0:
+ case LOG_UDP:
 return UDPConnect(op_data);
 break;
- case 1:
+ case LOG_TCP:
 return TCPConnect(op_data);
 break;
 default:
@@ -1826,7 +1827,7 @@ int NetSend(OpSyslog_Data *op_data)
 switch(op_data->proto)
 {
- case 0:
+ case LOG_UDP:
 /* UDP */
 if(sendto(op_data->socket,op_data->payload, strlen(op_data->payload), 0 , (struct sockaddr *)&op_data->sockaddr, sizeof(struct sockaddr)) <= 0)
 {
@@ -1837,7 +1838,7 @@ int NetSend(OpSyslog_Data *op_data)
 }
 break;
- case 1:
+ case LOG_TCP:
 /* TCP */
 sendRetVal = send(op_data->socket, op_data->payload, strlen(op_data->payload),0);
diff --git a/src/output-plugins/spo_syslog_full.h b/src/output-plugins/spo_syslog_full.h
index 8ae04a5..5c1a246 100644
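Review bot: In the hunk at -1329, after the `== 0` fix the two assignments inside the corrected branches still use literals, `op_data->operation_mode = 0;` and `op_data->operation_mode = 1;`, while every `case` in this file now uses `OUT_MODE_DEFAULT`/`OUT_MODE_FULL`; writing `op_data->operation_mode = OUT_MODE_DEFAULT;` and `op_data->operation_mode = OUT_MODE_FULL;` keeps the parse side and the dispatch side tied to one definition. The inverted strcasecmp tests previously made "default" select mode 1 and "complete" select mode 0, so existing configurations change meaning with this commit; that deserves a line in the changelog. OpSyslog_ParseArgs starts and ends outside the hunk.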
--- a/src/output-plugins/spo_syslog_full.h
+++ b/src/output-plugins/spo_syslog_full.h
@@ -42,6 +42,14 @@
 #include "strlcpyu.h"
 #include "unified2.h"
+
+#define OUT_MODE_DEFAULT 0
+#define OUT_MODE_FULL 1
+
+#define LOG_UDP 0
+#define LOG_TCP 1
+
+
 typedef struct _OpSyslog_Data
 {
 char *server;
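Review bot: `LOG_UDP` and `LOG_TCP` are added as plain macros in a header used by syslog plugins, where the `LOG_*` prefix belongs by convention to the facility, priority and option macros of <syslog.h>; a same-named macro from a platform syslog.h would redefine these silently, and the values 0 and 1 coincide with LOG_EMERG/LOG_ALERT, inviting a mix-up in a `switch` on `proto`. A plugin-specific prefix such as `SYSLOG_PROTO_UDP`/`SYSLOG_PROTO_TCP`, ideally as an `enum` so the values are visible in a debugger and type-checked where they are switched on, would avoid that; the same applies to `OUT_MODE_DEFAULT`/`OUT_MODE_FULL`. The macros are also undocumented: a one-line comment stating that they are the permitted values of the `operation_mode` and `proto` fields of `_OpSyslog_Data` would tell readers where they are consumed.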