[Oisf-devel] [PATCH] Add Prelude output plugin
Pierre Chifflier
pchifflier at edenwall.com
Mon Jan 11 21:15:38 UTC 2010
From: Pierre Chifflier <chifflier at inl.fr>
Add support for reporting alerts to the Prelude SIEM system, using
libprelude.
Sending events is asynchronous and is entirely handled by the lib.
Signed-off-by: Pierre Chifflier <chifflier at inl.fr>
---
autojunk.sh | 2 +-
config.h.in | 3 +
configure.in | 24 ++
ltmain.sh | 29 +-
m4/libprelude.m4 | 189 ++++++++++++
src/Makefile.am | 1 +
src/alert-prelude.c | 851 +++++++++++++++++++++++++++++++++++++++++++++++++++
src/alert-prelude.h | 10 +
src/runmodes.c | 4 +-
src/suricata.c | 2 +
src/tm-modules.h | 1 +
suricata.yaml | 2 +
12 files changed, 1102 insertions(+), 16 deletions(-)
create mode 100644 m4/libprelude.m4
create mode 100644 src/alert-prelude.c
create mode 100644 src/alert-prelude.h
diff --git a/autojunk.sh b/autojunk.sh
index 4602750..a91b275 100755
--- a/autojunk.sh
+++ b/autojunk.sh
@@ -1,6 +1,6 @@
#!/bin/sh
# the list of commands that need to run before we do a compile
-aclocal
+aclocal -I m4
libtoolize --force --automake --copy
autoheader
automake --add-missing --copy
diff --git a/config.h.in b/config.h.in
index fedf813..8ece9ac 100644
--- a/config.h.in
+++ b/config.h.in
@@ -139,6 +139,9 @@
/* Define to the version of this package. */
#undef PACKAGE_VERSION
+/* Define whether application use libtool >= 2.0 */
+#undef PRELUDE_APPLICATION_USE_LIBTOOL2
+
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
diff --git a/configure.in b/configure.in
index 28218a9..e6376e1 100644
--- a/configure.in
+++ b/configure.in
@@ -304,6 +304,30 @@ AC_INIT(configure.in)
fi
fi
+#prelude
+
+ AC_ARG_ENABLE(prelude,
+ [ --enable-prelude Enable Prelude support for alerts],
+ [ enable_prelude=yes
+ ])
+ if test "$enable_prelude" = "yes"; then
+ CFLAGS="$CFLAGS -DPRELUDE"
+ AM_PATH_LIBPRELUDE(0.9.9, , AC_MSG_ERROR(Cannot find libprelude: Is libprelude-config in the path?), no)
+ if test "x${LIBPRELUDE_CFLAGS}" != "x"; then
+ CPPFLAGS="${CPPFLAGS} ${LIBPRELUDE_CFLAGS}"
+ fi
+
+ if test "x${LIBPRELUDE_LDFLAGS}" != "x"; then
+ LDFLAGS="${LDFLAGS} ${LIBPRELUDE_LDFLAGS}"
+ fi
+
+ if test "x${LIBPRELUDE_LIBS}" != "x"; then
+ LDFLAGS="${LDFLAGS} ${LIBPRELUDE_LIBS}"
+ fi
+
+ fi
+
+
#libnet
AC_ARG_WITH(libnet_includes,
[ --with-libnet-includes=DIR libnet include directory],
diff --git a/ltmain.sh b/ltmain.sh
index b612e9a..d88da2c 100755
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -1,6 +1,6 @@
# Generated from ltmain.m4sh.
-# ltmain.sh (GNU libtool) 2.2.6
+# ltmain.sh (GNU libtool) 2.2.6b
# Written by Gordon Matzigkeit <gord at gnu.ai.mit.edu>, 1996
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, 2007 2008 Free Software Foundation, Inc.
@@ -65,7 +65,7 @@
# compiler: $LTCC
# compiler flags: $LTCFLAGS
# linker: $LD (gnu? $with_gnu_ld)
-# $progname: (GNU libtool) 2.2.6 Debian-2.2.6a-1ubuntu1
+# $progname: (GNU libtool) 2.2.6b Debian-2.2.6b-2
# automake: $automake_version
# autoconf: $autoconf_version
#
@@ -73,9 +73,9 @@
PROGRAM=ltmain.sh
PACKAGE=libtool
-VERSION="2.2.6 Debian-2.2.6a-1ubuntu1"
+VERSION="2.2.6b Debian-2.2.6b-2"
TIMESTAMP=""
-package_revision=1.3012
+package_revision=1.3017
# Be Bourne compatible
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
@@ -5347,19 +5347,19 @@ func_mode_link ()
# It is a libtool convenience library, so add in its objects.
convenience="$convenience $ladir/$objdir/$old_library"
old_convenience="$old_convenience $ladir/$objdir/$old_library"
+ tmp_libs=
+ for deplib in $dependency_libs; do
+ deplibs="$deplib $deplibs"
+ if $opt_duplicate_deps ; then
+ case "$tmp_libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ fi
+ tmp_libs="$tmp_libs $deplib"
+ done
elif test "$linkmode" != prog && test "$linkmode" != lib; then
func_fatal_error "\`$lib' is not a convenience library"
fi
- tmp_libs=
- for deplib in $dependency_libs; do
- deplibs="$deplib $deplibs"
- if $opt_duplicate_deps ; then
- case "$tmp_libs " in
- *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
- esac
- fi
- tmp_libs="$tmp_libs $deplib"
- done
continue
fi # $pass = conv
@@ -5896,6 +5896,7 @@ func_mode_link ()
if test "$link_all_deplibs" != no; then
# Add the search paths of all dependency libraries
for deplib in $dependency_libs; do
+ path=
case $deplib in
-L*) path="$deplib" ;;
*.la)
diff --git a/m4/libprelude.m4 b/m4/libprelude.m4
new file mode 100644
index 0000000..0438d83
--- /dev/null
+++ b/m4/libprelude.m4
@@ -0,0 +1,189 @@
+dnl Autoconf macros for libprelude
+dnl $id$
+
+# Modified for LIBPRELUDE -- Yoann Vandoorselaere
+# Modified for LIBGNUTLS -- nmav
+# Configure paths for LIBGCRYPT
+# Shamelessly stolen from the one of XDELTA by Owen Taylor
+# Werner Koch 99-12-09
+
+dnl AM_PATH_LIBPRELUDE([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]], THREAD_SUPPORT)
+dnl Test for libprelude, and define LIBPRELUDE_PREFIX, LIBPRELUDE_CFLAGS, LIBPRELUDE_PTHREAD_CFLAGS,
+dnl LIBPRELUDE_LDFLAGS, and LIBPRELUDE_LIBS
+dnl
+AC_DEFUN([AM_PATH_LIBPRELUDE],
+[dnl
+dnl Get the cflags and libraries from the libprelude-config script
+dnl
+AC_ARG_WITH(libprelude-prefix, AC_HELP_STRING(--with-libprelude-prefix=PFX,
+ Prefix where libprelude is installed (optional)),
+ libprelude_config_prefix="$withval", libprelude_config_prefix="")
+
+ if test x$libprelude_config_prefix != x ; then
+ if test x${LIBPRELUDE_CONFIG+set} != xset ; then
+ LIBPRELUDE_CONFIG=$libprelude_config_prefix/bin/libprelude-config
+ fi
+ fi
+
+ AC_PATH_PROG(LIBPRELUDE_CONFIG, libprelude-config, no)
+ if test "$LIBPRELUDE_CONFIG" != "no"; then
+ if $($LIBPRELUDE_CONFIG --thread > /dev/null 2>&1); then
+ LIBPRELUDE_PTHREAD_CFLAGS=`$LIBPRELUDE_CONFIG --thread --cflags`
+
+ if test x$4 = xtrue || test x$4 = xyes; then
+ libprelude_config_args="--thread"
+ else
+ libprelude_config_args="--no-thread"
+ fi
+ else
+ LIBPRELUDE_PTHREAD_CFLAGS=`$LIBPRELUDE_CONFIG --pthread-cflags`
+ fi
+ fi
+
+ min_libprelude_version=ifelse([$1], ,0.1.0,$1)
+ AC_MSG_CHECKING(for libprelude - version >= $min_libprelude_version)
+ no_libprelude=""
+ if test "$LIBPRELUDE_CONFIG" = "no" ; then
+ no_libprelude=yes
+ else
+ LIBPRELUDE_CFLAGS=`$LIBPRELUDE_CONFIG $libprelude_config_args --cflags`
+ LIBPRELUDE_LDFLAGS=`$LIBPRELUDE_CONFIG $libprelude_config_args --ldflags`
+ LIBPRELUDE_LIBS=`$LIBPRELUDE_CONFIG $libprelude_config_args --libs`
+ LIBPRELUDE_PREFIX=`$LIBPRELUDE_CONFIG $libprelude_config_args --prefix`
+ LIBPRELUDE_CONFIG_PREFIX=`$LIBPRELUDE_CONFIG $libprelude_config_args --config-prefix`
+ libprelude_config_version=`$LIBPRELUDE_CONFIG $libprelude_config_args --version`
+
+
+ ac_save_CFLAGS="$CFLAGS"
+ ac_save_LDFLAGS="$LDFLAGS"
+ ac_save_LIBS="$LIBS"
+ CFLAGS="$CFLAGS $LIBPRELUDE_CFLAGS"
+ LDFLAGS="$LDFLAGS $LIBPRELUDE_LDFLAGS"
+ LIBS="$LIBS $LIBPRELUDE_LIBS"
+dnl
+dnl Now check if the installed libprelude is sufficiently new. Also sanity
+dnl checks the results of libprelude-config to some extent
+dnl
+ rm -f conf.libpreludetest
+ AC_TRY_RUN([
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <libprelude/prelude.h>
+
+int
+main ()
+{
+ system ("touch conf.libpreludetest");
+
+ if( strcmp( prelude_check_version(NULL), "$libprelude_config_version" ) )
+ {
+ printf("\n*** 'libprelude-config --version' returned %s, but LIBPRELUDE (%s)\n",
+ "$libprelude_config_version", prelude_check_version(NULL) );
+ printf("*** was found! If libprelude-config was correct, then it is best\n");
+ printf("*** to remove the old version of LIBPRELUDE. You may also be able to fix the error\n");
+ printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n");
+ printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n");
+ printf("*** required on your system.\n");
+ printf("*** If libprelude-config was wrong, set the environment variable LIBPRELUDE_CONFIG\n");
+ printf("*** to point to the correct copy of libprelude-config, and remove the file config.cache\n");
+ printf("*** before re-running configure\n");
+ }
+ else if ( strcmp(prelude_check_version(NULL), LIBPRELUDE_VERSION ) ) {
+ printf("\n*** LIBPRELUDE header file (version %s) does not match\n", LIBPRELUDE_VERSION);
+ printf("*** library (version %s)\n", prelude_check_version(NULL) );
+ }
+ else {
+ if ( prelude_check_version( "$min_libprelude_version" ) )
+ return 0;
+ else {
+ printf("no\n*** An old version of LIBPRELUDE (%s) was found.\n",
+ prelude_check_version(NULL) );
+ printf("*** You need a version of LIBPRELUDE newer than %s. The latest version of\n",
+ "$min_libprelude_version" );
+ printf("*** LIBPRELUDE is always available from http://www.prelude-ids.com/development/download/\n");
+ printf("*** \n");
+ printf("*** If you have already installed a sufficiently new version, this error\n");
+ printf("*** probably means that the wrong copy of the libprelude-config shell script is\n");
+ printf("*** being found. The easiest way to fix this is to remove the old version\n");
+ printf("*** of LIBPRELUDE, but you can also set the LIBPRELUDE_CONFIG environment to point to the\n");
+ printf("*** correct copy of libprelude-config. (In this case, you will have to\n");
+ printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n");
+ printf("*** so that the correct libraries are found at run-time))\n");
+ }
+ }
+ return 1;
+}
+],, no_libprelude=yes,[echo $ac_n "cross compiling; assumed OK... $ac_c"])
+ CFLAGS="$ac_save_CFLAGS"
+ LIBS="$ac_save_LIBS"
+ LDFLAGS="$ac_save_LDFLAGS"
+ fi
+
+ if test "x$no_libprelude" = x ; then
+ AC_MSG_RESULT(yes)
+ ifelse([$2], , :, [$2])
+ else
+ if test -f conf.libpreludetest ; then
+ :
+ else
+ AC_MSG_RESULT(no)
+ fi
+ if test "$LIBPRELUDE_CONFIG" = "no" ; then
+ echo "*** The libprelude-config script installed by LIBPRELUDE could not be found"
+ echo "*** If LIBPRELUDE was installed in PREFIX, make sure PREFIX/bin is in"
+ echo "*** your path, or set the LIBPRELUDE_CONFIG environment variable to the"
+ echo "*** full path to libprelude-config."
+ else
+ if test -f conf.libpreludetest ; then
+ :
+ else
+ echo "*** Could not run libprelude test program, checking why..."
+ CFLAGS="$CFLAGS $LIBPRELUDE_CFLAGS"
+ LDFLAGS="$LDFLAGS $LIBPRELUDE_LDFLAGS"
+ LIBS="$LIBS $LIBPRELUDE_LIBS"
+ AC_TRY_LINK([
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <libprelude/prelude.h>
+], [ return !!prelude_check_version(NULL); ],
+ [ echo "*** The test program compiled, but did not run. This usually means"
+ echo "*** that the run-time linker is not finding LIBPRELUDE or finding the wrong"
+ echo "*** version of LIBPRELUDE. If it is not finding LIBPRELUDE, you'll need to set your"
+ echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point"
+ echo "*** to the installed location Also, make sure you have run ldconfig if that"
+ echo "*** is required on your system"
+ echo "***"
+ echo "*** If you have an old version installed, it is best to remove it, although"
+ echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH"
+ echo "***" ],
+ [ echo "*** The test program failed to compile or link. See the file config.log for the"
+ echo "*** exact error that occured. This usually means LIBPRELUDE was incorrectly installed"
+ echo "*** or that you have moved LIBPRELUDE since it was installed. In the latter case, you"
+ echo "*** may want to edit the libprelude-config script: $LIBPRELUDE_CONFIG" ])
+ CFLAGS="$ac_save_CFLAGS"
+ LDFLAGS="$ac_save_LDFLAGS"
+ LIBS="$ac_save_LIBS"
+ fi
+ fi
+ LIBPRELUDE_CFLAGS=""
+ LIBPRELUDE_LDFLAGS=""
+ LIBPRELUDE_LIBS=""
+ ifelse([$3], , :, [$3])
+ fi
+ rm -f conf.libpreludetest
+ AC_SUBST(LIBPRELUDE_CFLAGS)
+ AC_SUBST(LIBPRELUDE_PTHREAD_CFLAGS)
+ AC_SUBST(LIBPRELUDE_LDFLAGS)
+ AC_SUBST(LIBPRELUDE_LIBS)
+ AC_SUBST(LIBPRELUDE_PREFIX)
+ AC_SUBST(LIBPRELUDE_CONFIG_PREFIX)
+
+ m4_ifdef([LT_INIT],
+ [AC_DEFINE([PRELUDE_APPLICATION_USE_LIBTOOL2], [], [Define whether application use libtool >= 2.0])],
+ [])
+
+])
+
+dnl *-*wedit:notab*-* Please keep this as the last line.
diff --git a/src/Makefile.am b/src/Makefile.am
index a686535..63d36e5 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -134,6 +134,7 @@ tmqh-packetpool.c tmqh-packetpool.h \
tmqh-flow.c tmqh-flow.h \
alert-fastlog.c alert-fastlog.h \
alert-debuglog.c alert-debuglog.h \
+alert-prelude.c alert-prelude.h \
alert-unified-log.c alert-unified-log.h \
alert-unified-alert.c alert-unified-alert.h \
alert-unified2-alert.c alert-unified2-alert.h \
diff --git a/src/alert-prelude.c b/src/alert-prelude.c
new file mode 100644
index 0000000..6fc366e
--- /dev/null
+++ b/src/alert-prelude.c
@@ -0,0 +1,851 @@
+/* Copyright (c) 2010 Pierre Chifflier <chifflier at edenwall.com> */
+
+/* alert Prelude
+ *
+ * Logs alerts to the Prelude system
+ *
+ */
+
+#include "suricata-common.h"
+#include "debug.h"
+#include "detect.h"
+#include "flow.h"
+#include "conf.h"
+
+#include "threads.h"
+#include "threadvars.h"
+#include "tm-modules.h"
+
+#include "util-unittest.h"
+#include "util-time.h"
+#include "util-debug.h"
+#include "util-error.h"
+
+#ifndef PRELUDE
+/** Handle the case where no NFQ support is compiled in.
+ *
+ */
+
+TmEcode AlertPrelude (ThreadVars *, Packet *, void *, PacketQueue *);
+TmEcode AlertPreludeThreadInit(ThreadVars *, void *, void **);
+TmEcode AlertPreludeThreadDeinit(ThreadVars *, void *);
+int AlertPreludeOpenFileCtx(LogFileCtx *, char *);
+void AlertPreludeRegisterTests(void);
+
+void TmModuleAlertPreludeRegister (void) {
+ printf("TmModuleAlertPreludeRegister\n");
+ tmm_modules[TMM_ALERTPRELUDE].name = "AlertPrelude";
+ tmm_modules[TMM_ALERTPRELUDE].ThreadInit = AlertPreludeThreadInit;
+ tmm_modules[TMM_ALERTPRELUDE].Func = AlertPrelude;
+ tmm_modules[TMM_ALERTPRELUDE].ThreadDeinit = AlertPreludeThreadDeinit;
+ tmm_modules[TMM_ALERTPRELUDE].RegisterTests = AlertPreludeRegisterTests;
+}
+
+LogFileCtx *AlertPreludeInitCtx(ConfNode *conf)
+{
+ SCLogDebug("Can't init Prelude output - Prelude support was disabled during build.\n");
+ return NULL;
+}
+
+TmEcode AlertPreludeThreadInit(ThreadVars *t, void *initdata, void **data)
+{
+ SCLogDebug("Can't init Prelude output thread - Prelude support was disabled during build.\n");
+ return TM_ECODE_FAILED;
+}
+
+TmEcode AlertPrelude (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
+{
+ return TM_ECODE_OK;
+}
+
+TmEcode AlertPreludeThreadDeinit(ThreadVars *t, void *data)
+{
+ return TM_ECODE_FAILED;
+}
+
+void AlertPreludeRegisterTests (void) {
+}
+
+#else /* implied we do have NFQ support */
+
+
+#include <libprelude/prelude.h>
+
+#define ANALYZER_CLASS "NIDS"
+#define ANALYZER_MODEL "Suricata"
+#define ANALYZER_MANUFACTURER "http://www.openinfosecfoundation.org/"
+#define ANALYZER_SID_URL "http://www.snort.org/pub-bin/sigs.cgi?sid="
+
+#define SNORT_MAX_OWNED_SID 1000000
+#define DEFAULT_ANALYZER_NAME "suricata"
+
+#define DEFAULT_PRELUDE_PROFILE "suricata"
+
+#define IPH_IS_VALID(p) (PKT_IS_IPV4((p)) || PKT_IS_IPV6((p)))
+
+static unsigned int info_priority = 4;
+static unsigned int low_priority = 3;
+static unsigned int mid_priority = 2;
+
+
+TmEcode AlertPrelude (ThreadVars *, Packet *, void *, PacketQueue *);
+TmEcode AlertPreludeThreadInit(ThreadVars *, void *, void **);
+TmEcode AlertPreludeThreadDeinit(ThreadVars *, void *);
+int AlertPreludeOpenFileCtx(LogFileCtx *, char *);
+void AlertPreludeRegisterTests(void);
+
+void TmModuleAlertPreludeRegister (void) {
+ printf("TmModuleAlertPreludeRegister\n");
+ tmm_modules[TMM_ALERTPRELUDE].name = "AlertPrelude";
+ tmm_modules[TMM_ALERTPRELUDE].ThreadInit = AlertPreludeThreadInit;
+ tmm_modules[TMM_ALERTPRELUDE].Func = AlertPrelude;
+ tmm_modules[TMM_ALERTPRELUDE].ThreadDeinit = AlertPreludeThreadDeinit;
+ tmm_modules[TMM_ALERTPRELUDE].RegisterTests = AlertPreludeRegisterTests;
+}
+
+typedef struct AlertPreludeCtx_ {
+ prelude_client_t *client;
+ SCMutex client_mutex;
+} AlertPreludeCtx;
+
+typedef struct AlertPreludeThread_ {
+ /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
+ AlertPreludeCtx *ctx;
+ LogFileCtx* file_ctx;
+ uint32_t size_limit;
+ uint32_t size_current;
+} AlertPreludeThread;
+
+
+static int setup_analyzer(idmef_analyzer_t *analyzer)
+{
+ int ret;
+ prelude_string_t *string;
+
+ ret = idmef_analyzer_new_model(analyzer, &string);
+ if ( ret < 0 )
+ return ret;
+ prelude_string_set_constant(string, ANALYZER_MODEL);
+
+ ret = idmef_analyzer_new_class(analyzer, &string);
+ if ( ret < 0 )
+ return ret;
+ prelude_string_set_constant(string, ANALYZER_CLASS);
+
+ ret = idmef_analyzer_new_manufacturer(analyzer, &string);
+ if ( ret < 0 )
+ return ret;
+ prelude_string_set_constant(string, ANALYZER_MANUFACTURER);
+
+ ret = idmef_analyzer_new_version(analyzer, &string);
+ if ( ret < 0 )
+ return ret;
+ prelude_string_set_constant(string, VERSION);
+
+ return 0;
+}
+
+static int event_to_impact(PacketAlert *pa, idmef_alert_t *alert)
+{
+ int ret;
+ //ClassType *classtype;
+ prelude_string_t *str;
+ idmef_impact_t *impact;
+ idmef_assessment_t *assessment;
+ idmef_impact_severity_t severity;
+
+ ret = idmef_alert_new_assessment(alert, &assessment);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_assessment_new_impact(assessment, &impact);
+ if ( ret < 0 )
+ return ret;
+
+ if ( pa->prio < mid_priority )
+ severity = IDMEF_IMPACT_SEVERITY_HIGH;
+
+ else if ( pa->prio < low_priority )
+ severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
+
+ else if ( pa->prio < info_priority )
+ severity = IDMEF_IMPACT_SEVERITY_LOW;
+
+ else severity = IDMEF_IMPACT_SEVERITY_INFO;
+
+ idmef_impact_set_severity(impact, severity);
+
+// XXX
+#if 0
+ if ( ! otn_tmp )
+ return 0;
+
+ classtype = otn_tmp->sigInfo.classType;
+ if ( classtype ) {
+ ret = idmef_impact_new_description(impact, &str);
+ if ( ret < 0 )
+ return ret;
+
+ prelude_string_set_ref(str, classtype->name);
+ }
+#endif
+ ret = idmef_impact_new_description(impact, &str);
+ if ( ret < 0 )
+ return ret;
+
+ prelude_string_set_ref(str, pa->class_msg);
+
+ return 0;
+}
+
+static int event_to_source_target(Packet *p, idmef_alert_t *alert)
+{
+ int ret;
+ idmef_node_t *node;
+ idmef_source_t *source;
+ idmef_target_t *target;
+ idmef_address_t *address;
+ idmef_service_t *service;
+ prelude_string_t *string;
+ static char saddr[128], daddr[128];
+ uint8_t ip_vers;
+ uint8_t ip_proto;
+
+ if ( !p )
+ return 0;
+
+ if ( ! IPH_IS_VALID(p) )
+ return 0;
+
+ if (PKT_IS_IPV4(p)) {
+ ip_vers = 4;
+ ip_proto = IPV4_GET_RAW_IPPROTO(p->ip4h);
+ inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), saddr, sizeof(saddr));
+ inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), daddr, sizeof(daddr));
+ } else if (PKT_IS_IPV6(p)) {
+ ip_vers = 6;
+ ip_proto = IPV6_GET_L4PROTO(p);
+ inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), saddr, sizeof(saddr));
+ inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), daddr, sizeof(daddr));
+ } else
+ return 0;
+
+ ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+#if 0
+ if ( pv.interface ) {
+ ret = idmef_source_new_interface(source, &string);
+ if ( ret < 0 )
+ return ret;
+ prelude_string_set_ref(string, pv.interface);
+ }
+#endif
+
+ ret = idmef_source_new_service(source, &service);
+ if ( ret < 0 )
+ return ret;
+
+ if ( p->tcph || p->udph )
+ idmef_service_set_port(service, p->sp);
+
+ idmef_service_set_ip_version(service, ip_vers);
+ idmef_service_set_iana_protocol_number(service, ip_proto);
+
+ ret = idmef_source_new_node(source, &node);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_address_new_address(address, &string);
+ if ( ret < 0 )
+ return ret;
+
+ prelude_string_set_ref(string, saddr);
+
+ ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+#if 0
+ if ( pv.interface ) {
+ ret = idmef_target_new_interface(target, &string);
+ if ( ret < 0 )
+ return ret;
+ prelude_string_set_ref(string, pv.interface);
+ }
+#endif
+
+ ret = idmef_target_new_service(target, &service);
+ if ( ! ret < 0 )
+ return ret;
+
+ if ( p->tcph || p->udph )
+ idmef_service_set_port(service, p->dp);
+
+ idmef_service_set_ip_version(service, ip_vers);
+ idmef_service_set_iana_protocol_number(service, ip_proto);
+
+ ret = idmef_target_new_node(target, &node);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_address_new_address(address, &string);
+ if ( ret < 0 )
+ return ret;
+
+ prelude_string_set_ref(string, daddr);
+
+ return 0;
+}
+
+static int add_byte_data(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
+{
+ int ret;
+ prelude_string_t *str;
+ idmef_additional_data_t *ad;
+
+ if ( ! data || ! size )
+ return 0;
+
+ ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_additional_data_set_byte_string_ref(ad, data, size);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error setting byte string data: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ ret = idmef_additional_data_new_meaning(ad, &str);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error creating additional-data meaning: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ ret = prelude_string_set_ref(str, meaning);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error setting byte string data meaning: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ return 0;
+}
+
+
+
+#if 0
+static int add_string_data(idmef_alert_t *alert, const char *meaning, const char *data)
+{
+ int ret;
+ prelude_string_t *str;
+ idmef_additional_data_t *ad;
+
+ if ( ! data )
+ return 0;
+
+ ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_additional_data_set_string_ref(ad, data);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error setting string data: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ ret = idmef_additional_data_new_meaning(ad, &str);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error creating additional-data meaning: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ ret = prelude_string_set_ref(str, meaning);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error setting string data meaning: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ return 0;
+}
+#endif
+
+
+
+static int add_int_data(idmef_alert_t *alert, const char *meaning, uint32_t data)
+{
+ int ret;
+ prelude_string_t *str;
+ idmef_additional_data_t *ad;
+
+ ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ idmef_additional_data_set_integer(ad, data);
+
+ ret = idmef_additional_data_new_meaning(ad, &str);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error creating additional-data meaning: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ ret = prelude_string_set_ref(str, meaning);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error setting integer data meaning: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ return 0;
+}
+
+
+
+
+static int packet_to_data(Packet *p, PacketAlert *pa, idmef_alert_t *alert)
+{
+ //int i;
+
+ if ( ! p )
+ return 0;
+
+ add_int_data(alert, "snort_rule_sid", pa->sid);
+ add_int_data(alert, "snort_rule_rev", pa->rev);
+
+#if 0
+ if ( IPH_IS_VALID(p) ) {
+ add_int_data(alert, "ip_ver", GET_IPH_VER(p));
+ add_int_data(alert, "ip_hlen", GET_IPH_HLEN(p));
+ add_int_data(alert, "ip_tos", GET_IPH_TOS(p));
+ add_int_data(alert, "ip_len", ntohs(GET_IPH_LEN(p)));
+#ifdef SUP_IP6
+// XXX-IPv6 need fragmentation ID
+#else
+ add_int_data(alert, "ip_id", ntohs(p->iph->ip_id));
+#endif
+#ifdef SUP_IP6
+// XXX-IPv6 need fragmentation offset
+#else
+ add_int_data(alert, "ip_off", ntohs(p->iph->ip_off));
+#endif
+ add_int_data(alert, "ip_ttl", GET_IPH_TTL(p));
+ add_int_data(alert, "ip_proto", GET_IPH_PROTO(p));
+#ifdef SUP_IP6
+// XXX-IPv6 need checksum
+#else
+ add_int_data(alert, "ip_sum", ntohs(p->iph->ip_csum));
+#endif
+
+ for ( i = 0; i < p->ip_option_count; i++ ) {
+ add_int_data(alert, "ip_option_code", p->ip_options[i].code);
+ add_byte_data(alert, "ip_option_data",
+ p->ip_options[i].data, p->ip_options[i].len);
+ }
+ }
+#endif
+
+ if ( p->tcph ) {
+ add_int_data(alert, "tcp_seq", ntohl(p->tcph->th_seq));
+ add_int_data(alert, "tcp_ack", ntohl(p->tcph->th_ack));
+
+#if 0
+ add_int_data(alert, "tcp_off", TCP_OFFSET(p->tcph));
+ add_int_data(alert, "tcp_res", TCP_X2(p->tcph));
+ add_int_data(alert, "tcp_flags", p->tcph->th_flags);
+
+ add_int_data(alert, "tcp_win", ntohs(p->tcph->th_win));
+ add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum));
+ add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp));
+
+
+ for ( i = 0; i < p->tcp_option_count; i++ ) {
+ add_int_data(alert, "tcp_option_code", p->tcp_options[i].code);
+ add_byte_data(alert, "tcp_option_data", p->tcp_options[i].data, p->tcp_options[i].len);
+ }
+#endif
+ }
+
+#if 0
+ else if ( p->udph ) {
+ add_int_data(alert, "udp_len", ntohs(p->udph->uh_len));
+ add_int_data(alert, "udp_sum", ntohs(p->udph->uh_chk));
+ }
+
+ else if ( p->icmph ) {
+ add_int_data(alert, "icmp_type", p->icmph->type);
+ add_int_data(alert, "icmp_code", p->icmph->code);
+ add_int_data(alert, "icmp_sum", ntohs(p->icmph->csum));
+
+ switch ( p->icmph->type ) {
+
+ case ICMP_ECHO:
+ case ICMP_ECHOREPLY:
+ case ICMP_INFO_REQUEST:
+ case ICMP_INFO_REPLY:
+ case ICMP_ADDRESS:
+ case ICMP_TIMESTAMP:
+ add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
+ add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
+ break;
+
+ case ICMP_ADDRESSREPLY:
+ add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
+ add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
+ add_int_data(alert, "icmp_mask", (uint32_t) ntohl(p->icmph->s_icmp_mask));
+ break;
+
+ case ICMP_REDIRECT:
+ add_string_data(alert, "icmp_gwaddr", inet_ntoa(p->icmph->s_icmp_gwaddr));
+ break;
+
+ case ICMP_ROUTER_ADVERTISE:
+ add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs);
+ add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa);
+ add_int_data(alert, "icmp_lifetime", ntohs(p->icmph->s_icmp_lifetime));
+ break;
+
+ case ICMP_TIMESTAMPREPLY:
+ add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
+ add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
+ add_int_data(alert, "icmp_otime", p->icmph->s_icmp_otime);
+ add_int_data(alert, "icmp_rtime", p->icmph->s_icmp_rtime);
+ add_int_data(alert, "icmp_ttime", p->icmph->s_icmp_ttime);
+ break;
+ }
+ }
+#endif
+
+ add_byte_data(alert, "payload", p->pkt, p->pktlen);
+
+ return 0;
+}
+
+static int add_snort_reference(idmef_classification_t *class, int gen_id, int sig_id)
+{
+ int ret;
+ prelude_string_t *str;
+ idmef_reference_t *ref;
+
+ if ( sig_id >= SNORT_MAX_OWNED_SID )
+ return 0;
+
+ ret = idmef_classification_new_reference(class, &ref, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_reference_new_name(ref, &str);
+ if ( ret < 0 )
+ return ret;
+
+ idmef_reference_set_origin(ref, IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC);
+
+ if ( gen_id == 0 )
+ ret = prelude_string_sprintf(str, "%u", sig_id);
+ else
+ ret = prelude_string_sprintf(str, "%u:%u", gen_id, sig_id);
+
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_reference_new_meaning(ref, &str);
+ if ( ret < 0 )
+ return ret;
+
+ ret = prelude_string_sprintf(str, "Snort Signature ID");
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_reference_new_url(ref, &str);
+ if ( ret < 0 )
+ return ret;
+
+ if ( gen_id == 0 )
+ ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u", sig_id);
+ else
+ ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u:%u", gen_id, sig_id);
+
+ return ret;
+}
+
+static int event_to_reference(PacketAlert *pa, Packet *p, idmef_classification_t *class)
+{
+ int ret;
+ prelude_string_t *str;
+#if 0
+ idmef_reference_t *ref;
+ ReferenceNode *refs;
+ ReferenceSystemNode *system;
+#endif
+
+ ret = idmef_classification_new_ident(class, &str);
+ if ( ret < 0 )
+ return ret;
+
+ if ( pa->gid == 0 )
+ ret = prelude_string_sprintf(str, "%u", pa->sid);
+ else
+ ret = prelude_string_sprintf(str, "%u:%u", pa->gid, pa->sid);
+ if ( ret < 0 )
+ return ret;
+
+ ret = add_snort_reference(class, pa->gid, pa->sid);
+ if ( ret < 0 )
+ return ret;
+
+#if 0
+ /*
+ * return if we have no information about the rule.
+ */
+ if ( ! otn_tmp )
+ return 0;
+
+ for ( refs = otn_tmp->sigInfo.refs; refs != NULL; refs = refs->next ) {
+
+ system = refs->system;
+ if ( ! system )
+ continue;
+
+ ret = idmef_classification_new_reference(class, &ref, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_reference_new_name(ref, &str);
+ if ( ret < 0 )
+ return ret;
+
+ idmef_reference_set_origin(ref, reference_to_origin(system->name));
+ if ( idmef_reference_get_origin(ref) != IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC )
+ prelude_string_set_ref(str, refs->id);
+ else
+ prelude_string_set_constant(str, "url");
+
+ ret = idmef_reference_new_url(ref, &str);
+ if ( ret < 0 )
+ return ret;
+
+ prelude_string_sprintf(str, "%s%s", system->url ? system->url : "", refs->id ? refs->id : "");
+ }
+#endif
+
+ return 0;
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+TmEcode AlertPrelude (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
+{
+ AlertPreludeThread *apn = (AlertPreludeThread *)data;
+ uint8_t ethh_offset = 0;
+ int ret;
+ idmef_time_t *time;
+ idmef_alert_t *alert;
+ prelude_string_t *str;
+ idmef_message_t *idmef;
+ idmef_classification_t *class;
+ PacketAlert *pa;
+
+ if (apn == NULL) {
+ printf("AlertPrelude: apn is NULL !!\n");
+ }
+ if (apn->ctx == NULL) {
+ printf("AlertPrelude: apn->ctx is NULL !!\n");
+ }
+
+ if (p->alerts.cnt == 0)
+ return TM_ECODE_OK;
+
+ if ( !(PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) )
+ return TM_ECODE_OK;
+
+ /* if we have no ethernet header (e.g. when using nfq), we have to create
+ * one ourselves. */
+ if (p->ethh == NULL) {
+ ethh_offset = sizeof(EthernetHdr);
+ }
+
+ /* XXX which one to add to this alert? Lets see how Snort solves this.
+ * For now just take last alert. */
+ pa = &p->alerts.alerts[p->alerts.cnt-1];
+
+ ret = idmef_message_new(&idmef);
+ if ( ret < 0 )
+ return TM_ECODE_FAILED;
+
+ ret = idmef_message_new_alert(idmef, &alert);
+ if ( ret < 0 )
+ goto err;
+
+ ret = idmef_alert_new_classification(alert, &class);
+ if ( ret < 0 )
+ goto err;
+
+ ret = idmef_classification_new_text(class, &str);
+ if ( ret < 0 )
+ goto err;
+
+ prelude_string_set_ref(str, pa->msg);
+
+ ret = event_to_impact(pa, alert);
+ if ( ret < 0 )
+ goto err;
+
+ ret = event_to_reference(pa, p, class);
+ if ( ret < 0 )
+ goto err;
+
+ ret = event_to_source_target(p, alert);
+ if ( ret < 0 )
+ goto err;
+
+ ret = packet_to_data(p, pa, alert);
+ if ( ret < 0 )
+ goto err;
+
+ ret = idmef_alert_new_detect_time(alert, &time);
+ if ( ret < 0 )
+ goto err;
+ idmef_time_set_from_timeval(time, &p->ts);
+
+ ret = idmef_time_new_from_gettimeofday(&time);
+ if ( ret < 0 )
+ goto err;
+ idmef_alert_set_create_time(alert, time);
+
+ idmef_alert_set_analyzer(alert, idmef_analyzer_ref(prelude_client_get_analyzer(apn->ctx->client)), IDMEF_LIST_PREPEND);
+
+ // finally, send event
+
+ prelude_client_send_idmef(apn->ctx->client, idmef);
+ idmef_message_destroy(idmef);
+
+ return TM_ECODE_OK;
+
+err:
+ idmef_message_destroy(idmef);
+ return TM_ECODE_FAILED;
+}
+
+TmEcode AlertPreludeThreadInit(ThreadVars *t, void *initdata, void **data)
+{
+ AlertPreludeThread *aun = malloc(sizeof(AlertPreludeThread));
+
+ if (aun == NULL) {
+ return TM_ECODE_FAILED;
+ }
+ memset(aun, 0, sizeof(AlertPreludeThread));
+ if(initdata == NULL)
+ {
+ SCLogDebug("Error getting context for Prelude. \"initdata\" argument NULL");
+ return TM_ECODE_FAILED;
+ }
+ /** Use the Ouptut Context (file pointer and mutex) */
+ aun->ctx = (AlertPreludeCtx*) initdata;
+
+ *data = (void *)aun;
+ return TM_ECODE_OK;
+}
+
+TmEcode AlertPreludeThreadDeinit(ThreadVars *t, void *data)
+{
+ AlertPreludeThread *aun = (AlertPreludeThread *)data;
+ if (aun == NULL) {
+ goto error;
+ }
+
+ /* clear memory */
+ memset(aun, 0, sizeof(AlertPreludeThread));
+ free(aun);
+ return TM_ECODE_OK;
+
+error:
+ /* clear memory */
+ if (aun != NULL) {
+ memset(aun, 0, sizeof(AlertPreludeThread));
+ free(aun);
+ }
+ printf("AlertPreludeThreadDeinit done (error)\n");
+ return TM_ECODE_FAILED;
+}
+
+
+/** \brief Create a new file_ctx from config_file (if specified)
+ * \param config_file for loading separate configs
+ * \return NULL if failure, LogFileCtx* to the file_ctx if succesful
+ * */
+LogFileCtx *AlertPreludeInitCtx(ConfNode *conf)
+{
+ int ret;
+ prelude_client_t *client;
+ AlertPreludeCtx *ctx;
+
+ ret = prelude_init(0, NULL);
+ if ( ret < 0 ) {
+ prelude_perror(ret, "unable to initialize the prelude library");
+ return NULL;
+ }
+
+ char *prelude_profile_name;
+ if (ConfGet("prelude-profile", &prelude_profile_name) != 1)
+ prelude_profile_name = DEFAULT_PRELUDE_PROFILE;
+
+ ret = prelude_client_new(&client, prelude_profile_name);
+ if ( ret < 0 || ! client ) {
+ prelude_perror(ret, "Unable to create a prelude client object");
+ return NULL;
+ }
+
+ ret = prelude_client_set_flags(client, prelude_client_get_flags(client) | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER|PRELUDE_CLIENT_FLAGS_ASYNC_SEND);
+ if ( ret < 0 ) {
+ fprintf(stderr, "Unable to set asynchronous send and timer.\n");
+ return NULL;
+ }
+
+ setup_analyzer(prelude_client_get_analyzer(client));
+
+ ret = prelude_client_start(client);
+ if ( ret < 0 ) {
+ prelude_perror(ret, "Unable to start prelude client");
+ return NULL;
+ }
+
+ ctx = malloc(sizeof(AlertPreludeCtx));
+ ctx->client = client;
+
+ /* use file descriptor to store context ... eeeek */
+ return (void*)ctx;
+}
+
+void AlertPreludeRegisterTests (void) {
+#ifdef UNITTESTS
+#endif /* UNITTESTS */
+}
+
+#endif /* PRELUDE */
+
diff --git a/src/alert-prelude.h b/src/alert-prelude.h
new file mode 100644
index 0000000..7f4ac5b
--- /dev/null
+++ b/src/alert-prelude.h
@@ -0,0 +1,10 @@
+/* Copyright (c) 2010 Pierre Chifflier <chifflier at inl.fr> */
+
+#ifndef __ALERT_PRELUDE_H__
+#define __ALERT_PRELUDE_H__
+
+void TmModuleAlertPreludeRegister (void);
+LogFileCtx *AlertPreludeInitCtx(ConfNode *conf);
+
+#endif /* __ALERT_PRELUDE_H__ */
+
diff --git a/src/runmodes.c b/src/runmodes.c
index 8bfbffd..a0e1979 100644
--- a/src/runmodes.c
+++ b/src/runmodes.c
@@ -15,6 +15,7 @@
#include "queue.h"
#include "alert-fastlog.h"
+#include "alert-prelude.h"
#include "alert-unified-log.h"
#include "alert-unified-alert.h"
#include "alert-unified2-alert.h"
@@ -80,6 +81,7 @@ struct AlertOutput {
{"unified-alert", "AlertUnifiedAlert", AlertUnifiedAlertInitCtx},
{"unified2-alert", "Unified2Alert", Unified2AlertInitCtx},
{"alert-debug", "AlertDebuglog", AlertDebuglogInitCtx},
+ {"alert-prelude", "AlertPrelude", AlertPreludeInitCtx},
};
struct AlertOutput *
@@ -136,7 +138,7 @@ static void SetupOutputs(ThreadVars *tv_outputs)
tm_module = TmModuleGetByName(output_info->longname);
if (tm_module == NULL) {
SCLogError(SC_INVALID_ARGUMENT,
- "TmModuleGetByName for AlertFastlog failed");
+ "TmModuleGetByName for %s failed", output_info->longname);
exit(EXIT_FAILURE);
}
TmVarSlotSetFuncAppend(tv_outputs, tm_module, logfile_ctx);
diff --git a/src/suricata.c b/src/suricata.c
index 8e29974..047d86b 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -41,6 +41,7 @@
#include "alert-unified-alert.h"
#include "alert-unified2-alert.h"
#include "alert-debuglog.h"
+#include "alert-prelude.h"
#include "log-httplog.h"
@@ -518,6 +519,7 @@ int main(int argc, char **argv)
TmModuleDetectRegister();
TmModuleAlertFastlogRegister();
TmModuleAlertDebuglogRegister();
+ TmModuleAlertPreludeRegister();
TmModuleRespondRejectRegister();
TmModuleAlertFastlogIPv4Register();
TmModuleAlertFastlogIPv6Register();
diff --git a/src/tm-modules.h b/src/tm-modules.h
index 312a0e4..adea3d9 100644
--- a/src/tm-modules.h
+++ b/src/tm-modules.h
@@ -40,6 +40,7 @@ enum {
TMM_ALERTUNIFIEDLOG,
TMM_ALERTUNIFIEDALERT,
TMM_ALERTUNIFIED2ALERT,
+ TMM_ALERTPRELUDE,
TMM_ALERTDEBUGLOG,
TMM_RESPONDREJECT,
TMM_LOGHTTPLOG,
diff --git a/suricata.yaml b/suricata.yaml
index 48bd4ef..a0fe34a 100644
--- a/suricata.yaml
+++ b/suricata.yaml
@@ -29,6 +29,8 @@ outputs:
enabled: yes
filename: alert-debug.log
+ - alert-prelude:
+ enabled: no
defrag:
max-frags: 65535
prealloc: yes
--
1.6.6
More information about the Oisf-devel
mailing list