

Fix the Bro segfaults I'm seeing by only sending events with a TCP, U…
…DP or ICMP protocol.
Vlad Grigorescu committed Jan 23, 2013
1 parent f57e464 commit bdd0ef1
Showing 1 changed file with 41 additions and 32 deletions.
73 changes: 41 additions & 32 deletions src/output-plugins/spo_alert_bro.c
Expand Up @@ -177,31 +177,53 @@ void AlertBro(Packet *p, void *event, u_int32_t event_type, void *arg)

// First value
BroRecord *packet_id = bro_record_new();
src_p.port_num = dst_p.port_num = 0;
// Broccoli's protocol handling is sort of broken at the moment
src_p.port_num = dst_p.port_num = 0;
src_p.port_proto = dst_p.port_proto = GET_IPH_PROTO(p);

// Broccoli's protocol handling is sort of broken at the moment
// it segfaults when doing bro_record_add_val if not tcp, udp, or icmp
// waiting on ticket: http://tracker.icir.org/bro/ticket/278
src_p.port_proto = dst_p.port_proto = IPPROTO_TCP;
if(GET_IPH_PROTO(p) != 255)
if((GET_IPH_PROTO(p) == IPPROTO_TCP) || (GET_IPH_PROTO(p) == IPPROTO_UDP))
{
src_p.port_proto = dst_p.port_proto = GET_IPH_PROTO(p);
if((GET_IPH_PROTO(p) == IPPROTO_ICMP) && p->icmph)
{
src_p.port_num = p->icmph->type;
dst_p.port_num = p->icmph->code;
} else {
src_p.port_num = p->sp;
dst_p.port_num = p->dp;
}
src_p.port_num = p->sp;
dst_p.port_num = p->dp;

}
else if(GET_IPH_PROTO(p) == IPPROTO_ICMP)
{
src_p.port_num = p->icmph->type;
dst_p.port_num = p->icmph->code;
}
else
{
DEBUG_WRAP(DebugMessage(DEBUG_LOG, "DEBUG (Bro) Could not use protocol: %d\n", GET_IPH_PROTO(p)););
return;
}

map_broccoli_addr(&src_addr, GET_SRC_ADDR(p));
if (!bro_record_add_val(packet_id, "src_ip", BRO_TYPE_IPADDR, NULL, &src_addr)){
LogMessage("WARNING (Bro) Could not use src_ip: %s. Skipping this alert.\n", inet_ntoa(GET_SRC_ADDR(p)));
return;
}
if (!bro_record_add_val(packet_id, "src_p", BRO_TYPE_PORT, NULL, &src_p)){
LogMessage("WARNING (Bro) Could not use src_p: %d (proto: %d). Skipping this alert.\n", p->sp, GET_IPH_PROTO(p));
return;
}

map_broccoli_addr(&src_addr, GET_SRC_ADDR(p));
bro_record_add_val(packet_id, "src_ip", BRO_TYPE_IPADDR, NULL, &src_addr);
bro_record_add_val(packet_id, "src_p", BRO_TYPE_PORT, NULL, &src_p);
map_broccoli_addr(&dst_addr, GET_DST_ADDR(p));
bro_record_add_val(packet_id, "dst_ip", BRO_TYPE_IPADDR, NULL, &dst_addr);
bro_record_add_val(packet_id, "dst_p", BRO_TYPE_PORT, NULL, &dst_p);
bro_event_add_val(ev, BRO_TYPE_RECORD, "Barnyard2::PacketID", packet_id);
if (!bro_record_add_val(packet_id, "dst_ip", BRO_TYPE_IPADDR, NULL, &dst_addr)){
LogMessage("WARNING (Bro) Could not use dst_ip: %s. Skipping this alert.\n", inet_ntoa(GET_DST_ADDR(p)));
return;
}
if (!bro_record_add_val(packet_id, "dst_p", BRO_TYPE_PORT, NULL, &dst_p)){
LogMessage("WARNING (Bro) Could not use dst_p: %d (proto: %d). Skipping this alert.\n", dst_p.port_num, dst_p.port_proto);
return;
}

if (!bro_event_add_val(ev, BRO_TYPE_RECORD, "Barnyard2::PacketID", packet_id)){
LogMessage("WARNING (Bro) Could not add PacketID to record. Skipping this alert.\n");
return;
}
bro_record_free(packet_id);

// Second value
Expand Down Expand Up @@ -229,19 +251,6 @@ void AlertBro(Packet *p, void *event, u_int32_t event_type, void *arg)
bro_record_add_val(sad, "priority_id", BRO_TYPE_COUNT, NULL, &priority_id_hl);
uint64_t event_id_hl = ntohl(uevent->event_id);
bro_record_add_val(sad, "event_id", BRO_TYPE_COUNT, NULL, &event_id_hl);
//BroSet *ref_set = bro_set_new();
//BroString ref_name_bs;
//rn = sn->refs;
//while(rn)
//{
// bro_string_init(&ref_name_bs);
// bro_string_set(&ref_name_bs, rn->system->name);
// bro_set_insert(ref_set, BRO_TYPE_STRING, &ref_name_bs);
// bro_string_cleanup(&ref_name_bs);
// rn = rn->next;
//}
//bro_record_add_val(sad, "references", BRO_TYPE_SET, NULL, ref_set);
//bro_set_free(ref_set);

bro_event_add_val(ev, BRO_TYPE_RECORD, "Barnyard2::AlertData", sad);
bro_record_free(sad);
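Review bot: The ICMP branch at `src_p.port_num = p->icmph->type;` dereferences p->icmph without the `&& p->icmph` guard that the removed code carried, so a packet whose IP header says ICMP but whose ICMP header was never decoded (p->icmph NULL) still crashes in the very function this commit hardens. Changing the condition to `else if((GET_IPH_PROTO(p) == IPPROTO_ICMP) && p->icmph)` lets such packets fall through to the logging `return` like any other unusable protocol. Separately, every early `return` added in this hunk (the unsupported-protocol path and each failed bro_record_add_val) leaves the record created by `bro_record_new()` unreleased; freeing it on each skipped alert, e.g. `bro_record_free(packet_id); return;`, or routing all exits through one cleanup label, would stop the per-alert leak. The src_p failure message logs `p->sp` while the dst_p one logs `dst_p.port_num`, and for ICMP the former is not the value that was rejected. AlertBro begins and ends outside this hunk, so whether `ev` also needs releasing on these paths cannot be judged from here.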

