Update Sguil output plugin (spo_sguil.c) to pull IP information from the event data if a packet does not exist for the event
commit 701ccc1cbc7b3dca25a3b4f35480d3960b07b9b6 1 parent a14d84e
bradvoth bradvoth authored committed
Showing with 62 additions and 3 deletions.
  1. +62 −3 src/output-plugins/spo_sguil.c
65 src/output-plugins/spo_sguil.c
@@ -117,6 +117,7 @@ int SguilRecvAgentMsg(SpoSguilData *, char *);
char *SguilTimestamp(u_int32_t);
#ifdef ENABLE_TCL
+int SguilAppendIPHdrDataEVT(Tcl_DString *, void *);
int SguilAppendIPHdrData(Tcl_DString *, Packet *);
int SguilAppendICMPData(Tcl_DString *, Packet *);
int SguilAppendTCPData(Tcl_DString *, Packet *);
@@ -410,10 +411,22 @@ void Sguil(Packet *p, void *event, uint32_t event_type, void *arg)
}
else
{
- /* ack! an event without a packet. Append 32 fillers */
- int i;
- for(i = 0; i < 32; ++i)
+ /* ack! an event without a packet. Append IP data from event struct and append
+ 26 fillers */
+ if ( (event_type == UNIFIED2_IDS_EVENT_VLAN)||
+ (event_type == UNIFIED2_IDS_EVENT_MPLS) ||
+ (event_type == UNIFIED2_IDS_EVENT_VLAN)){
+ SguilAppendIPHdrDataEVT(&list, event);
+ int i;
+ for(i = 0; i < 26; ++i)
+ Tcl_DStringAppendElement(&list, "");
+ } else {
+ /* ack! an event without a packet. and no IP Data in eventAppend 32 fillers */
+ int i;
+ for(i = 0; i < 32; ++i)
Tcl_DStringAppendElement(&list, "");
+ }
+
}
/* send msg to sensor_agent */
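Review bot: The condition at the top of the new branch tests `UNIFIED2_IDS_EVENT_VLAN` twice (first and third operand), so the third test is dead and whatever event type it was meant to cover still falls into the 32-filler branch with no addresses at all. If only VLAN and MPLS are intended, collapse it to `if ((event_type == UNIFIED2_IDS_EVENT_VLAN) || (event_type == UNIFIED2_IDS_EVENT_MPLS)) {`; if a third type was intended, it can only be added if its record shares the `Unified2IDSEvent` layout, since `SguilAppendIPHdrDataEVT` reads `ip_source`, `ip_destination` and `protocol` through that cast with no type check of its own. The `int i;` after the `SguilAppendIPHdrDataEVT(&list, event);` call is a declaration following a statement, which the rest of this file avoids; hoisting one `int i;` above the `if` would also remove the duplicate declaration in the `else` branch. The enclosing `Sguil()` function starts and ends outside this hunk.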
@@ -590,6 +603,52 @@ void ParseSguilArgs(SpoSguilData *ssd_data)
}
#ifdef ENABLE_TCL
+int SguilAppendIPHdrDataEVT(Tcl_DString *list, void *event)
+{
+ char buffer[TMP_BUFFER];
+
+ memset(buffer, 0, TMP_BUFFER); /* bzero() deprecated, replaced by memset() */
+
+ SnortSnprintf(buffer, TMP_BUFFER, "%u", ntohl(((Unified2IDSEvent *)event)->ip_source));
+ Tcl_DStringAppendElement(list, buffer);
+#if defined(WORDS_BIGENDIAN)
+ SnortSnprintf(buffer, TMP_BUFFER, "%u.%u.%u.%u",
+ (((Unified2IDSEvent *)event)->ip_source & 0xff000000) >> 24,
+ (((Unified2IDSEvent *)event)->ip_source & 0x00ff0000) >> 16,
+ (((Unified2IDSEvent *)event)->ip_source & 0x0000ff00) >> 8,
+ (((Unified2IDSEvent *)event)->ip_source & 0x000000ff));
+#else
+ SnortSnprintf(buffer, TMP_BUFFER, "%u.%u.%u.%u",
+ (((Unified2IDSEvent *)event)->ip_source & 0x000000ff),
+ (((Unified2IDSEvent *)event)->ip_source & 0x0000ff00) >> 8,
+ (((Unified2IDSEvent *)event)->ip_source & 0x00ff0000) >> 16,
+ (((Unified2IDSEvent *)event)->ip_source & 0xff000000) >> 24);
+#endif
+ Tcl_DStringAppendElement(list, buffer);
+ SnortSnprintf(buffer, TMP_BUFFER, "%u", ntohl(((Unified2IDSEvent *)event)->ip_destination));
+ Tcl_DStringAppendElement(list, buffer);
+#if defined(WORDS_BIGENDIAN)
+ SnortSnprintf(buffer, TMP_BUFFER, "%u.%u.%u.%u",
+ (((Unified2IDSEvent *)event)->ip_destination & 0xff000000) >> 24,
+ (((Unified2IDSEvent *)event)->ip_destination & 0x00ff0000) >> 16,
+ (((Unified2IDSEvent *)event)->ip_destination & 0x0000ff00) >> 8,
+ (((Unified2IDSEvent *)event)->ip_destination & 0x000000ff));
+#else
+ SnortSnprintf(buffer, TMP_BUFFER, "%u.%u.%u.%u",
+ (((Unified2IDSEvent *)event)->ip_destination & 0x000000ff),
+ (((Unified2IDSEvent *)event)->ip_destination & 0x0000ff00) >> 8,
+ (((Unified2IDSEvent *)event)->ip_destination & 0x00ff0000) >> 16,
+ (((Unified2IDSEvent *)event)->ip_destination & 0xff000000) >> 24);
+#endif
+ Tcl_DStringAppendElement(list, buffer);
+ SnortSnprintf(buffer, TMP_BUFFER, "%u", ((Unified2IDSEvent *)event)->protocol);
+ Tcl_DStringAppendElement(list, buffer);
+
+ return 0;
+}
+#endif
+
+#ifdef ENABLE_TCL
int SguilAppendIPHdrData(Tcl_DString *list, Packet *p)
{
char buffer[TMP_BUFFER];