[Oisf-devel] [PATCH 2/2] Add Prelude output plugin
Pierre Chifflier
pchifflier at edenwall.com
Sun Jan 24 20:00:15 UTC 2010
From: Pierre Chifflier <chifflier at inl.fr>
Add support for reporting alerts to the Prelude SIEM system, using
libprelude.
Sending events is asynchronous and is entirely handled by the lib.
Signed-off-by: Pierre Chifflier <chifflier at inl.fr>
---
src/Makefile.am | 1 +
src/alert-prelude.c | 868 +++++++++++++++++++++++++++++++++++++++++++++++++++
src/alert-prelude.h | 9 +
src/runmodes.c | 1 +
src/suricata.c | 2 +
src/tm-modules.h | 1 +
suricata.yaml | 2 +
7 files changed, 884 insertions(+), 0 deletions(-)
create mode 100644 src/alert-prelude.c
create mode 100644 src/alert-prelude.h
diff --git a/src/Makefile.am b/src/Makefile.am
index bbfbcfe..196acc0 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -138,6 +138,7 @@ tmqh-packetpool.c tmqh-packetpool.h \
tmqh-flow.c tmqh-flow.h \
alert-fastlog.c alert-fastlog.h \
alert-debuglog.c alert-debuglog.h \
+alert-prelude.c alert-prelude.h \
alert-unified-log.c alert-unified-log.h \
alert-unified-alert.c alert-unified-alert.h \
alert-unified2-alert.c alert-unified2-alert.h \
diff --git a/src/alert-prelude.c b/src/alert-prelude.c
new file mode 100644
index 0000000..8d07036
--- /dev/null
+++ b/src/alert-prelude.c
@@ -0,0 +1,868 @@
+/* Copyright (c) 2010 Pierre Chifflier <chifflier at edenwall.com>
+ *
+ * Some code borrowed from snort's prelude output plugin, originally
+ * written by Yoann Vandoorselaere <yoann.v at prelude-ids.com>
+ */
+
+/* alert Prelude
+ *
+ * Logs alerts to the Prelude system
+ *
+ */
+
+#include "suricata-common.h"
+#include "debug.h"
+#include "detect.h"
+#include "flow.h"
+#include "conf.h"
+
+#include "threads.h"
+#include "threadvars.h"
+#include "tm-modules.h"
+
+#include "util-unittest.h"
+#include "util-time.h"
+#include "util-debug.h"
+#include "util-error.h"
+
+#include "output.h"
+
+#ifndef PRELUDE
+/** Handle the case where no PRELUDE support is compiled in.
+ *
+ */
+
+TmEcode AlertPrelude (ThreadVars *, Packet *, void *, PacketQueue *);
+TmEcode AlertPreludeThreadInit(ThreadVars *, void *, void **);
+TmEcode AlertPreludeThreadDeinit(ThreadVars *, void *);
+int AlertPreludeOpenFileCtx(LogFileCtx *, char *);
+void AlertPreludeRegisterTests(void);
+
+void TmModuleAlertPreludeRegister (void) {
+ printf("TmModuleAlertPreludeRegister\n");
+ tmm_modules[TMM_ALERTPRELUDE].name = "AlertPrelude";
+ tmm_modules[TMM_ALERTPRELUDE].ThreadInit = AlertPreludeThreadInit;
+ tmm_modules[TMM_ALERTPRELUDE].Func = AlertPrelude;
+ tmm_modules[TMM_ALERTPRELUDE].ThreadDeinit = AlertPreludeThreadDeinit;
+ tmm_modules[TMM_ALERTPRELUDE].RegisterTests = AlertPreludeRegisterTests;
+}
+
+LogFileCtx *AlertPreludeInitCtx(ConfNode *conf)
+{
+ SCLogDebug("Can't init Prelude output - Prelude support was disabled during build.\n");
+ return NULL;
+}
+
+TmEcode AlertPreludeThreadInit(ThreadVars *t, void *initdata, void **data)
+{
+ SCLogDebug("Can't init Prelude output thread - Prelude support was disabled during build.\n");
+ return TM_ECODE_FAILED;
+}
+
+TmEcode AlertPrelude (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
+{
+ return TM_ECODE_OK;
+}
+
+TmEcode AlertPreludeThreadDeinit(ThreadVars *t, void *data)
+{
+ return TM_ECODE_FAILED;
+}
+
+void AlertPreludeRegisterTests (void) {
+}
+
+#else /* implied we do have PRELUDE support */
+
+
+#include <libprelude/prelude.h>
+
+#define ANALYZER_CLASS "NIDS"
+#define ANALYZER_MODEL "Suricata"
+#define ANALYZER_MANUFACTURER "http://www.openinfosecfoundation.org/"
+//#define ANALYZER_SID_URL "http://www.snort.org/pub-bin/sigs.cgi?sid="
+#define ANALYZER_SID_URL "http://www.snort.org/search/sid/"
+
+#define SNORT_MAX_OWNED_SID 1000000
+#define DEFAULT_ANALYZER_NAME "suricata"
+
+#define DEFAULT_PRELUDE_PROFILE "suricata"
+
+#define IPH_IS_VALID(p) (PKT_IS_IPV4((p)) || PKT_IS_IPV6((p)))
+
+static unsigned int info_priority = 4;
+static unsigned int low_priority = 3;
+static unsigned int mid_priority = 2;
+
+
+LogFileCtx *AlertPreludeInitCtx(ConfNode *conf);
+TmEcode AlertPrelude (ThreadVars *, Packet *, void *, PacketQueue *);
+TmEcode AlertPreludeThreadInit(ThreadVars *, void *, void **);
+TmEcode AlertPreludeThreadDeinit(ThreadVars *, void *);
+int AlertPreludeOpenFileCtx(LogFileCtx *, char *);
+void AlertPreludeRegisterTests(void);
+
+void TmModuleAlertPreludeRegister (void) {
+ printf("TmModuleAlertPreludeRegister\n");
+ tmm_modules[TMM_ALERTPRELUDE].name = "AlertPrelude";
+ tmm_modules[TMM_ALERTPRELUDE].ThreadInit = AlertPreludeThreadInit;
+ tmm_modules[TMM_ALERTPRELUDE].Func = AlertPrelude;
+ tmm_modules[TMM_ALERTPRELUDE].ThreadDeinit = AlertPreludeThreadDeinit;
+ tmm_modules[TMM_ALERTPRELUDE].RegisterTests = AlertPreludeRegisterTests;
+
+ OutputRegisterModule("AlertPrelude", "alert-prelude", AlertPreludeInitCtx);
+}
+
+typedef struct AlertPreludeCtx_ {
+ prelude_client_t *client;
+ SCMutex client_mutex;
+} AlertPreludeCtx;
+
+typedef struct AlertPreludeThread_ {
+ /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
+ AlertPreludeCtx *ctx;
+ LogFileCtx* file_ctx;
+ uint32_t size_limit;
+ uint32_t size_current;
+} AlertPreludeThread;
+
+
+static int setup_analyzer(idmef_analyzer_t *analyzer)
+{
+ int ret;
+ prelude_string_t *string;
+
+ ret = idmef_analyzer_new_model(analyzer, &string);
+ if ( ret < 0 )
+ return ret;
+ prelude_string_set_constant(string, ANALYZER_MODEL);
+
+ ret = idmef_analyzer_new_class(analyzer, &string);
+ if ( ret < 0 )
+ return ret;
+ prelude_string_set_constant(string, ANALYZER_CLASS);
+
+ ret = idmef_analyzer_new_manufacturer(analyzer, &string);
+ if ( ret < 0 )
+ return ret;
+ prelude_string_set_constant(string, ANALYZER_MANUFACTURER);
+
+ ret = idmef_analyzer_new_version(analyzer, &string);
+ if ( ret < 0 )
+ return ret;
+ prelude_string_set_constant(string, VERSION);
+
+ return 0;
+}
+
+static int event_to_impact(PacketAlert *pa, idmef_alert_t *alert)
+{
+ int ret;
+ //ClassType *classtype;
+ prelude_string_t *str;
+ idmef_impact_t *impact;
+ idmef_assessment_t *assessment;
+ idmef_impact_severity_t severity;
+
+ ret = idmef_alert_new_assessment(alert, &assessment);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_assessment_new_impact(assessment, &impact);
+ if ( ret < 0 )
+ return ret;
+
+ if ( pa->prio < mid_priority )
+ severity = IDMEF_IMPACT_SEVERITY_HIGH;
+
+ else if ( pa->prio < low_priority )
+ severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
+
+ else if ( pa->prio < info_priority )
+ severity = IDMEF_IMPACT_SEVERITY_LOW;
+
+ else severity = IDMEF_IMPACT_SEVERITY_INFO;
+
+ idmef_impact_set_severity(impact, severity);
+
+// XXX
+#if 0
+ if ( ! otn_tmp )
+ return 0;
+
+ classtype = otn_tmp->sigInfo.classType;
+ if ( classtype ) {
+ ret = idmef_impact_new_description(impact, &str);
+ if ( ret < 0 )
+ return ret;
+
+ prelude_string_set_ref(str, classtype->name);
+ }
+#endif
+ ret = idmef_impact_new_description(impact, &str);
+ if ( ret < 0 )
+ return ret;
+
+ prelude_string_set_ref(str, pa->class_msg);
+
+ return 0;
+}
+
+static int event_to_source_target(Packet *p, idmef_alert_t *alert)
+{
+ int ret;
+ idmef_node_t *node;
+ idmef_source_t *source;
+ idmef_target_t *target;
+ idmef_address_t *address;
+ idmef_service_t *service;
+ prelude_string_t *string;
+ static char saddr[128], daddr[128];
+ uint8_t ip_vers;
+ uint8_t ip_proto;
+
+ if ( !p )
+ return 0;
+
+ if ( ! IPH_IS_VALID(p) )
+ return 0;
+
+ if (PKT_IS_IPV4(p)) {
+ ip_vers = 4;
+ ip_proto = IPV4_GET_RAW_IPPROTO(p->ip4h);
+ inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), saddr, sizeof(saddr));
+ inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), daddr, sizeof(daddr));
+ } else if (PKT_IS_IPV6(p)) {
+ ip_vers = 6;
+ ip_proto = IPV6_GET_L4PROTO(p);
+ inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), saddr, sizeof(saddr));
+ inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), daddr, sizeof(daddr));
+ } else
+ return 0;
+
+ ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+#if 0
+ if ( pv.interface ) {
+ ret = idmef_source_new_interface(source, &string);
+ if ( ret < 0 )
+ return ret;
+ prelude_string_set_ref(string, pv.interface);
+ }
+#endif
+
+ ret = idmef_source_new_service(source, &service);
+ if ( ret < 0 )
+ return ret;
+
+ if ( p->tcph || p->udph )
+ idmef_service_set_port(service, p->sp);
+
+ idmef_service_set_ip_version(service, ip_vers);
+ idmef_service_set_iana_protocol_number(service, ip_proto);
+
+ ret = idmef_source_new_node(source, &node);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_address_new_address(address, &string);
+ if ( ret < 0 )
+ return ret;
+
+ prelude_string_set_ref(string, saddr);
+
+ ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+#if 0
+ if ( pv.interface ) {
+ ret = idmef_target_new_interface(target, &string);
+ if ( ret < 0 )
+ return ret;
+ prelude_string_set_ref(string, pv.interface);
+ }
+#endif
+
+ ret = idmef_target_new_service(target, &service);
+ if ( ! ret < 0 )
+ return ret;
+
+ if ( p->tcph || p->udph )
+ idmef_service_set_port(service, p->dp);
+
+ idmef_service_set_ip_version(service, ip_vers);
+ idmef_service_set_iana_protocol_number(service, ip_proto);
+
+ ret = idmef_target_new_node(target, &node);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_address_new_address(address, &string);
+ if ( ret < 0 )
+ return ret;
+
+ prelude_string_set_ref(string, daddr);
+
+ return 0;
+}
+
+static int add_byte_data(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
+{
+ int ret;
+ prelude_string_t *str;
+ idmef_additional_data_t *ad;
+
+ if ( ! data || ! size )
+ return 0;
+
+ ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_additional_data_set_byte_string_ref(ad, data, size);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error setting byte string data: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ ret = idmef_additional_data_new_meaning(ad, &str);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error creating additional-data meaning: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ ret = prelude_string_set_ref(str, meaning);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error setting byte string data meaning: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ return 0;
+}
+
+
+
+#if 0
+static int add_string_data(idmef_alert_t *alert, const char *meaning, const char *data)
+{
+ int ret;
+ prelude_string_t *str;
+ idmef_additional_data_t *ad;
+
+ if ( ! data )
+ return 0;
+
+ ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_additional_data_set_string_ref(ad, data);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error setting string data: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ ret = idmef_additional_data_new_meaning(ad, &str);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error creating additional-data meaning: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ ret = prelude_string_set_ref(str, meaning);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error setting string data meaning: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ return 0;
+}
+#endif
+
+
+
+static int add_int_data(idmef_alert_t *alert, const char *meaning, uint32_t data)
+{
+ int ret;
+ prelude_string_t *str;
+ idmef_additional_data_t *ad;
+
+ ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ idmef_additional_data_set_integer(ad, data);
+
+ ret = idmef_additional_data_new_meaning(ad, &str);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error creating additional-data meaning: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ ret = prelude_string_set_ref(str, meaning);
+ if ( ret < 0 ) {
+ SCLogDebug("%s: error setting integer data meaning: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int packet_to_data_v4(Packet *p, PacketAlert *pa, idmef_alert_t *alert)
+{
+ add_int_data(alert, "ip_ver", IPV4_GET_RAW_VER(p->ip4h));
+ add_int_data(alert, "ip_hlen", IPV4_GET_RAW_HLEN(p->ip4h));
+ add_int_data(alert, "ip_tos", IPV4_GET_RAW_IPTOS(p->ip4h));
+ add_int_data(alert, "ip_len", ntohs(IPV4_GET_RAW_IPLEN(p->ip4h)));
+
+ add_int_data(alert, "ip_id", ntohs(IPV4_GET_RAW_IPID(p->ip4h)));
+
+ add_int_data(alert, "ip_off", ntohs(IPV4_GET_RAW_IPOFFSET(p->ip4h)));
+
+ add_int_data(alert, "ip_ttl", IPV4_GET_RAW_IPTTL(p->ip4h));
+ add_int_data(alert, "ip_proto", IPV4_GET_RAW_IPPROTO(p->ip4h));
+
+ add_int_data(alert, "ip_sum", ntohs(p->ip4h->ip_csum));
+
+#if 0
+ for ( i = 0; i < p->ip_option_count; i++ ) {
+ add_int_data(alert, "ip_option_code", p->ip_options[i].code);
+ add_byte_data(alert, "ip_option_data",
+ p->ip_options[i].data, p->ip_options[i].len);
+ }
+#endif
+
+ return 0;
+}
+
+static int packet_to_data_v6(Packet *p, PacketAlert *pa, idmef_alert_t *alert)
+{
+ return 0;
+}
+
+
+static int packet_to_data(Packet *p, PacketAlert *pa, idmef_alert_t *alert)
+{
+ //int i;
+
+ if ( ! p )
+ return 0;
+
+ add_int_data(alert, "snort_rule_sid", pa->sid);
+ add_int_data(alert, "snort_rule_rev", pa->rev);
+
+#define IPH_IS_VALID(p) (PKT_IS_IPV4((p)) || PKT_IS_IPV6((p)))
+ if (p->ip4h) {
+ packet_to_data_v4(p, pa, alert);
+ }
+
+ else if (p->ip6h) {
+ packet_to_data_v6(p, pa, alert);
+ }
+
+ if ( p->tcph ) {
+ add_int_data(alert, "tcp_seq", ntohl(p->tcph->th_seq));
+ add_int_data(alert, "tcp_ack", ntohl(p->tcph->th_ack));
+
+ add_int_data(alert, "tcp_off", TCP_GET_RAW_OFFSET(p->tcph));
+ add_int_data(alert, "tcp_res", TCP_GET_RAW_X2(p->tcph));
+ add_int_data(alert, "tcp_flags", p->tcph->th_flags);
+
+ add_int_data(alert, "tcp_win", ntohs(p->tcph->th_win));
+ add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum));
+ add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp));
+
+#if 0
+ for ( i = 0; i < p->tcp_option_count; i++ ) {
+ add_int_data(alert, "tcp_option_code", p->tcp_options[i].code);
+ add_byte_data(alert, "tcp_option_data", p->tcp_options[i].data, p->tcp_options[i].len);
+ }
+#endif
+ }
+
+ else if ( p->udph ) {
+ add_int_data(alert, "udp_len", ntohs(p->udph->uh_len));
+ add_int_data(alert, "udp_sum", ntohs(p->udph->uh_sum));
+ }
+
+ else if ( p->icmpv4h ) {
+ add_int_data(alert, "icmp_type", p->icmpv4h->type);
+ add_int_data(alert, "icmp_code", p->icmpv4h->code);
+ add_int_data(alert, "icmp_sum", ntohs(p->icmpv4h->checksum));
+
+#if 0
+ switch ( p->icmph->type ) {
+
+ case ICMP_ECHO:
+ case ICMP_ECHOREPLY:
+ case ICMP_INFO_REQUEST:
+ case ICMP_INFO_REPLY:
+ case ICMP_ADDRESS:
+ case ICMP_TIMESTAMP:
+ add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
+ add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
+ break;
+
+ case ICMP_ADDRESSREPLY:
+ add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
+ add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
+ add_int_data(alert, "icmp_mask", (uint32_t) ntohl(p->icmph->s_icmp_mask));
+ break;
+
+ case ICMP_REDIRECT:
+ add_string_data(alert, "icmp_gwaddr", inet_ntoa(p->icmph->s_icmp_gwaddr));
+ break;
+
+ case ICMP_ROUTER_ADVERTISE:
+ add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs);
+ add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa);
+ add_int_data(alert, "icmp_lifetime", ntohs(p->icmph->s_icmp_lifetime));
+ break;
+
+ case ICMP_TIMESTAMPREPLY:
+ add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
+ add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
+ add_int_data(alert, "icmp_otime", p->icmph->s_icmp_otime);
+ add_int_data(alert, "icmp_rtime", p->icmph->s_icmp_rtime);
+ add_int_data(alert, "icmp_ttime", p->icmph->s_icmp_ttime);
+ break;
+ }
+#endif
+ }
+
+ add_byte_data(alert, "payload", p->pkt, p->pktlen);
+
+ return 0;
+}
+
+static int add_snort_reference(idmef_classification_t *class, int gen_id, int sig_id)
+{
+ int ret;
+ prelude_string_t *str;
+ idmef_reference_t *ref;
+
+ if ( sig_id >= SNORT_MAX_OWNED_SID )
+ return 0;
+
+ ret = idmef_classification_new_reference(class, &ref, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_reference_new_name(ref, &str);
+ if ( ret < 0 )
+ return ret;
+
+ idmef_reference_set_origin(ref, IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC);
+
+ if ( gen_id == 0 )
+ ret = prelude_string_sprintf(str, "%u", sig_id);
+ else
+ ret = prelude_string_sprintf(str, "%u:%u", gen_id, sig_id);
+
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_reference_new_meaning(ref, &str);
+ if ( ret < 0 )
+ return ret;
+
+ ret = prelude_string_sprintf(str, "Snort Signature ID");
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_reference_new_url(ref, &str);
+ if ( ret < 0 )
+ return ret;
+
+ if ( gen_id == 0 )
+ ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u", sig_id);
+ else
+ ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u-%u", gen_id, sig_id);
+
+ return ret;
+}
+
+static int event_to_reference(PacketAlert *pa, Packet *p, idmef_classification_t *class)
+{
+ int ret;
+ prelude_string_t *str;
+#if 0
+ idmef_reference_t *ref;
+ ReferenceNode *refs;
+ ReferenceSystemNode *system;
+#endif
+
+ ret = idmef_classification_new_ident(class, &str);
+ if ( ret < 0 )
+ return ret;
+
+ if ( pa->gid == 0 )
+ ret = prelude_string_sprintf(str, "%u", pa->sid);
+ else
+ ret = prelude_string_sprintf(str, "%u:%u", pa->gid, pa->sid);
+ if ( ret < 0 )
+ return ret;
+
+ ret = add_snort_reference(class, pa->gid, pa->sid);
+ if ( ret < 0 )
+ return ret;
+
+#if 0
+ /*
+ * return if we have no information about the rule.
+ */
+ if ( ! otn_tmp )
+ return 0;
+
+ for ( refs = otn_tmp->sigInfo.refs; refs != NULL; refs = refs->next ) {
+
+ system = refs->system;
+ if ( ! system )
+ continue;
+
+ ret = idmef_classification_new_reference(class, &ref, IDMEF_LIST_APPEND);
+ if ( ret < 0 )
+ return ret;
+
+ ret = idmef_reference_new_name(ref, &str);
+ if ( ret < 0 )
+ return ret;
+
+ idmef_reference_set_origin(ref, reference_to_origin(system->name));
+ if ( idmef_reference_get_origin(ref) != IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC )
+ prelude_string_set_ref(str, refs->id);
+ else
+ prelude_string_set_constant(str, "url");
+
+ ret = idmef_reference_new_url(ref, &str);
+ if ( ret < 0 )
+ return ret;
+
+ prelude_string_sprintf(str, "%s%s", system->url ? system->url : "", refs->id ? refs->id : "");
+ }
+#endif
+
+ return 0;
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+TmEcode AlertPrelude (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
+{
+ AlertPreludeThread *apn = (AlertPreludeThread *)data;
+ uint8_t ethh_offset = 0;
+ int ret;
+ idmef_time_t *time;
+ idmef_alert_t *alert;
+ prelude_string_t *str;
+ idmef_message_t *idmef;
+ idmef_classification_t *class;
+ PacketAlert *pa;
+
+ if (apn == NULL) {
+ printf("AlertPrelude: apn is NULL !!\n");
+ }
+ if (apn->ctx == NULL) {
+ printf("AlertPrelude: apn->ctx is NULL !!\n");
+ }
+
+ if (p->alerts.cnt == 0)
+ return TM_ECODE_OK;
+
+ if ( !(PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) )
+ return TM_ECODE_OK;
+
+ /* if we have no ethernet header (e.g. when using nfq), we have to create
+ * one ourselves. */
+ if (p->ethh == NULL) {
+ ethh_offset = sizeof(EthernetHdr);
+ }
+
+ /* XXX which one to add to this alert? Lets see how Snort solves this.
+ * For now just take last alert. */
+ pa = &p->alerts.alerts[p->alerts.cnt-1];
+
+ ret = idmef_message_new(&idmef);
+ if ( ret < 0 )
+ return TM_ECODE_FAILED;
+
+ ret = idmef_message_new_alert(idmef, &alert);
+ if ( ret < 0 )
+ goto err;
+
+ ret = idmef_alert_new_classification(alert, &class);
+ if ( ret < 0 )
+ goto err;
+
+ ret = idmef_classification_new_text(class, &str);
+ if ( ret < 0 )
+ goto err;
+
+ prelude_string_set_ref(str, pa->msg);
+
+ ret = event_to_impact(pa, alert);
+ if ( ret < 0 )
+ goto err;
+
+ ret = event_to_reference(pa, p, class);
+ if ( ret < 0 )
+ goto err;
+
+ ret = event_to_source_target(p, alert);
+ if ( ret < 0 )
+ goto err;
+
+ ret = packet_to_data(p, pa, alert);
+ if ( ret < 0 )
+ goto err;
+
+ ret = idmef_alert_new_detect_time(alert, &time);
+ if ( ret < 0 )
+ goto err;
+ idmef_time_set_from_timeval(time, &p->ts);
+
+ ret = idmef_time_new_from_gettimeofday(&time);
+ if ( ret < 0 )
+ goto err;
+ idmef_alert_set_create_time(alert, time);
+
+ idmef_alert_set_analyzer(alert, idmef_analyzer_ref(prelude_client_get_analyzer(apn->ctx->client)), IDMEF_LIST_PREPEND);
+
+ // finally, send event
+
+ prelude_client_send_idmef(apn->ctx->client, idmef);
+ idmef_message_destroy(idmef);
+
+ return TM_ECODE_OK;
+
+err:
+ idmef_message_destroy(idmef);
+ return TM_ECODE_FAILED;
+}
+
+TmEcode AlertPreludeThreadInit(ThreadVars *t, void *initdata, void **data)
+{
+ AlertPreludeThread *aun = malloc(sizeof(AlertPreludeThread));
+
+ if (aun == NULL) {
+ return TM_ECODE_FAILED;
+ }
+ memset(aun, 0, sizeof(AlertPreludeThread));
+ if(initdata == NULL)
+ {
+ SCLogDebug("Error getting context for Prelude. \"initdata\" argument NULL");
+ return TM_ECODE_FAILED;
+ }
+ /** Use the Ouptut Context (file pointer and mutex) */
+ aun->ctx = (AlertPreludeCtx*) initdata;
+
+ *data = (void *)aun;
+ return TM_ECODE_OK;
+}
+
+TmEcode AlertPreludeThreadDeinit(ThreadVars *t, void *data)
+{
+ AlertPreludeThread *aun = (AlertPreludeThread *)data;
+ if (aun == NULL) {
+ goto error;
+ }
+
+ /* clear memory */
+ memset(aun, 0, sizeof(AlertPreludeThread));
+ free(aun);
+ return TM_ECODE_OK;
+
+error:
+ /* clear memory */
+ if (aun != NULL) {
+ memset(aun, 0, sizeof(AlertPreludeThread));
+ free(aun);
+ }
+ printf("AlertPreludeThreadDeinit done (error)\n");
+ return TM_ECODE_FAILED;
+}
+
+
+/** \brief Create a new file_ctx from config_file (if specified)
+ * \param config_file for loading separate configs
+ * \return NULL if failure, LogFileCtx* to the file_ctx if succesful
+ * */
+LogFileCtx *AlertPreludeInitCtx(ConfNode *conf)
+{
+ int ret;
+ prelude_client_t *client;
+ AlertPreludeCtx *ctx;
+
+ ret = prelude_init(0, NULL);
+ if ( ret < 0 ) {
+ prelude_perror(ret, "unable to initialize the prelude library");
+ return NULL;
+ }
+
+ char *prelude_profile_name;
+ if (ConfGet("prelude-profile", &prelude_profile_name) != 1)
+ prelude_profile_name = DEFAULT_PRELUDE_PROFILE;
+
+ ret = prelude_client_new(&client, prelude_profile_name);
+ if ( ret < 0 || ! client ) {
+ prelude_perror(ret, "Unable to create a prelude client object");
+ return NULL;
+ }
+
+ ret = prelude_client_set_flags(client, prelude_client_get_flags(client) | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER|PRELUDE_CLIENT_FLAGS_ASYNC_SEND);
+ if ( ret < 0 ) {
+ fprintf(stderr, "Unable to set asynchronous send and timer.\n");
+ return NULL;
+ }
+
+ setup_analyzer(prelude_client_get_analyzer(client));
+
+ ret = prelude_client_start(client);
+ if ( ret < 0 ) {
+ prelude_perror(ret, "Unable to start prelude client");
+ return NULL;
+ }
+
+ ctx = malloc(sizeof(AlertPreludeCtx));
+ ctx->client = client;
+
+ /* use file descriptor to store context ... eeeek */
+ return (void*)ctx;
+}
+
+void AlertPreludeRegisterTests (void) {
+#ifdef UNITTESTS
+#endif /* UNITTESTS */
+}
+
+#endif /* PRELUDE */
+
diff --git a/src/alert-prelude.h b/src/alert-prelude.h
new file mode 100644
index 0000000..be4fc50
--- /dev/null
+++ b/src/alert-prelude.h
@@ -0,0 +1,9 @@
+/* Copyright (c) 2010 Pierre Chifflier <chifflier at inl.fr> */
+
+#ifndef __ALERT_PRELUDE_H__
+#define __ALERT_PRELUDE_H__
+
+void TmModuleAlertPreludeRegister (void);
+LogFileCtx *AlertPreludeInitCtx(ConfNode *conf);
+
+#endif /* __ALERT_PRELUDE_H__ */
diff --git a/src/runmodes.c b/src/runmodes.c
index ee0f232..1d70404 100644
--- a/src/runmodes.c
+++ b/src/runmodes.c
@@ -15,6 +15,7 @@
#include "queue.h"
#include "alert-fastlog.h"
+#include "alert-prelude.h"
#include "alert-unified-log.h"
#include "alert-unified-alert.h"
#include "alert-unified2-alert.h"
diff --git a/src/suricata.c b/src/suricata.c
index a414dd1..b0e3d99 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -41,6 +41,7 @@
#include "alert-unified-alert.h"
#include "alert-unified2-alert.h"
#include "alert-debuglog.h"
+#include "alert-prelude.h"
#include "log-httplog.h"
@@ -529,6 +530,7 @@ int main(int argc, char **argv)
TmModuleDetectRegister();
TmModuleAlertFastLogRegister();
TmModuleAlertDebugLogRegister();
+ TmModuleAlertPreludeRegister();
TmModuleRespondRejectRegister();
TmModuleAlertFastLogIPv4Register();
TmModuleAlertFastLogIPv6Register();
diff --git a/src/tm-modules.h b/src/tm-modules.h
index 312a0e4..adea3d9 100644
--- a/src/tm-modules.h
+++ b/src/tm-modules.h
@@ -40,6 +40,7 @@ enum {
TMM_ALERTUNIFIEDLOG,
TMM_ALERTUNIFIEDALERT,
TMM_ALERTUNIFIED2ALERT,
+ TMM_ALERTPRELUDE,
TMM_ALERTDEBUGLOG,
TMM_RESPONDREJECT,
TMM_LOGHTTPLOG,
diff --git a/suricata.yaml b/suricata.yaml
index 0f6d68e..57c40bb 100644
--- a/suricata.yaml
+++ b/suricata.yaml
@@ -32,6 +32,8 @@ outputs:
enabled: yes
filename: alert-debug.log
+ - alert-prelude:
+ enabled: no
defrag:
max-frags: 65535
prealloc: yes
--
1.6.6
More information about the Oisf-devel
mailing list