From: Brian Caswell (bmc at mitre.org)
Date: Tue Mar 13 2001 - 22:57:40 CST
I've forwarded on the updated diff, thanks to Eugene Tsyrklevich. Geez,
some days I just need to drink a beer before I code.
-brian
Index: Makefile.am
===================================================================
RCS file: /cvsroot/snort/snort/Makefile.am,v
retrieving revision 1.29
diff -u -r1.29 Makefile.am
--- Makefile.am 2001/03/14 00:18:37 1.29
+++ Makefile.am 2001/03/14 03:52:22

-24,7 +24,8 
checksum.h sp_reference.c sp_reference.h sp_ip_fragbits.c \
sp_ip_fragbits.h spp_anomsensor.h spp_anomsensor.c tag.c tag.h \
spp_unidecode.c spp_unidecode.h codes.c codes.h fatal.h smalloc.h \
-strlcpyu.c strlcpyu.h strlcatu.c strlcatu.h debug.c debug.h
+strlcpyu.c strlcpyu.h strlcatu.c strlcatu.h debug.c debug.h \
+spo_csv.c spo_csv.h
EXTRA_DIST = BUGS RULES.SAMPLE CREDITS snort.conf USAGE backdoor.rules \
info.rules smtp.rules ddos.rules local.rules telnet.rules dns.rules \
Index: log.c
===================================================================
RCS file: /cvsroot/snort/snort/log.c,v
retrieving revision 1.38
diff -u -r1.38 log.c
--- log.c 2001/03/13 16:17:20 1.38
+++ log.c 2001/03/13 22:28:06

-773,6 +819,240 
fputs("\n\n", file);
}
+
+ return;
+}
+
+
+/*
+ * Function: CSVAlert(Packet *, char *, void *, char *, const int )
+ *
+ * Purpose: Stub function for compatability
+ *
+ * Arguments: p => ptr to packet data
+ * msg => message to send to alert facility
+ * arg => arguments to the alert facility
+ * args => CSV arguements
+ * numargs => number of arguements
+ * Returns: void function
+ */
+void CSVAlert(Packet * p, char *msg, void *arg, char **args, int numargs)
+{
+ AlertCSV(p, msg, alert, args, numargs);
+ return;
+}
+
+/*
+ *
+ * Function: AlertCSV(Packet *, char *, FILE *, char *, numargs const int)
+ *
+ * Purpose: Write a user defined CSV message
+ *
+ * Arguments: p => packet. (could be NULL)
+ * msg => the message to send
+ * file => file pointer to print data to
+ * args => CSV output arguements
+ * numargs => number of arguements
+ * Returns: void function
+ *
+ */
+void AlertCSV(Packet * p, char *msg, FILE * file, char **args, int numargs)
+{
+ char timestamp[TIMEBUF_SIZE];
+ int num;
+ char *type;
+ char tcpFlags[9];
+
+ bzero((char *) timestamp, TIMEBUF_SIZE);
+ ts_print(p == NULL ? NULL : (struct timeval *) & p->pkth->ts, timestamp);
+
+ DebugMessage(DEBUG_LOG, "Logging CSV Alert data\n");
+
+ for (num = 0; num < numargs; num++)
+ {
+ type = args[num];
+
+ DebugMessage(DEBUG_LOG, "CSV Got type %s %d\n", type, num);
+
+ if(!strncasecmp("timestamp", type, 9))
+ {
+ fwrite(timestamp, strlen(timestamp), 1, file);
+ }
+ else if(!strncasecmp("msg", type, 3))
+ {
+ fwrite(msg, strlen(msg),1,file);
+ }
+ else if(!strncasecmp("proto", type, 5))
+ {
+ switch (p->iph->ip_proto)
+ {
+ case IPPROTO_UDP:
+ fwrite("UDP", 3,1,file);
+ break;
+ case IPPROTO_TCP:
+ fwrite("TCP", 3,1,file);
+ break;
+ case IPPROTO_ICMP:
+ fwrite("ICMP", 4,1,file);
+ break;
+ }
+ }
+ else if(!strncasecmp("ethsrc", type, 6))
+ {
+ if(p && p->eh)
+ {
+ fprintf(file, "%X:%X:%X:%X:%X:%X", p->eh->ether_src[0],
+ p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3],
+ p->eh->ether_src[4], p->eh->ether_src[5]);
+ }
+ }
+ else if(!strncasecmp("ethdst", type, 6))
+ {
+ if(p && p->eh)
+ {
+ fprintf(file, "%X:%X:%X:%X:%X:%X", p->eh->ether_dst[0],
+ p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3],
+ p->eh->ether_dst[4], p->eh->ether_dst[5]);
+ }
+ }
+ else if(!strncasecmp("ethtype", type, 7))
+ {
+ if(p && p->eh)
+ {
+ fprintf(file,"0x%X",ntohs(p->eh->ether_type));
+ }
+ }
+ else if(!strncasecmp("udplength", type, 9))
+ {
+ if(p->udph)
+ fprintf(file,"%d",ntohs(p->udph->uh_len));
+ }
+ else if(!strncasecmp("ethlen", type, 6))
+ {
+ if(p && p->eh)
+ fprintf(file,"0x%X",p->pkth->len);
+ }
+ else if(!strncasecmp("trheader", type, 8))
+ {
+ if(p && p->trh)
+ PrintTrHeader(file, p);
+ }
+ else if(!strncasecmp("src", type, 3))
+ {
+ fputs(inet_ntoa(p->iph->ip_src), file);
+ }
+ else if(!strncasecmp("dst", type, 3))
+ {
+ fputs(inet_ntoa(p->iph->ip_dst), file);
+ }
+ else if(!strncasecmp("srcport", type, 7))
+ {
+ switch(p->iph->ip_proto)
+ {
+ case IPPROTO_UDP:
+ case IPPROTO_TCP:
+ fprintf(file, "%d", p->sp);
+ break;
+ }
+ }
+ else if(!strncasecmp("dstport", type, 7))
+ {
+ switch(p->iph->ip_proto)
+ {
+ case IPPROTO_UDP:
+ case IPPROTO_TCP:
+ fprintf(file, "%d", p->dp);
+ break;
+ }
+ }
+ else if(!strncasecmp("icmptype",type,8))
+ {
+ if(p->icmph)
+ {
+ fprintf(file,"%d",p->icmph->type);
+ }
+ }
+ else if(!strncasecmp("icmpcode",type,8))
+ {
+ if(p->icmph)
+ {
+ fprintf(file,"%d",p->icmph->code);
+ }
+ }
+ else if(!strncasecmp("icmpid",type,6))
+ {
+ if(p->ext)
+ {
+ fprintf(file,"%d",ntohs(p->ext->id));
+ }
+ }
+ else if(!strncasecmp("icmpseq",type,7))
+ {
+ if(p->ext)
+ fprintf(file,"%d",ntohs(p->ext->seqno));
+ }
+ else if(!strncasecmp("ttl",type,3))
+ {
+ if(p->iph)
+ fprintf(file,"%d",p->iph->ip_ttl);
+ }
+ else if(!strncasecmp("tos",type,3))
+ {
+ if(p->iph)
+ fprintf(file,"%d",p->iph->ip_tos);
+ }
+ else if(!strncasecmp("id",type,2))
+ {
+ if(p->iph)
+ fprintf(file,"%d",ntohs(p->iph->ip_id));
+ }
+ else if(!strncasecmp("iplen",type,5))
+ {
+ if(p->iph)
+ fprintf(file,"%d",p->iph->ip_hlen << 2);
+ }
+ else if(!strncasecmp("dgmlen",type,6))
+ {
+ if(p->iph)
+ fprintf(file,"%d",ntohs(p->iph->ip_len));
+ }
+ else if(!strncasecmp("tcpseq",type,6))
+ {
+ if(p->tcph)
+ fprintf(file,"0x%lX",(u_long) ntohl(p->tcph->th_seq));
+ }
+ else if(!strncasecmp("tcpack",type,6))
+ {
+ if(p->tcph)
+ fprintf(file,"0x%lX",(u_long) ntohl(p->tcph->th_ack));
+ }
+ else if(!strncasecmp("tcplen",type,6))
+ {
+ if(p->tcph)
+ fprintf(file,"%d",p->tcph->th_off << 2);
+ }
+ else if(!strncasecmp("tcpwindow",type,9))
+ {
+ if(p->tcph)
+ fprintf(file,"0x%X",ntohs(p->tcph->th_win));
+ }
+ else if(!strncasecmp("tcpflags",type,8))
+ {
+ if(p->tcph)
+ {
+ CreateTCPFlagString(p, tcpFlags);
+ fprintf(file,"%s", tcpFlags);
+ }
+ }
+
+ if (num < numargs - 1)
+ fputc(',',file);
+ }
+ fputc('\n', file);
+
return;
}
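Review bot: The `srcport` and `dstport` branches in AlertCSV can never run, because the earlier prefix tests `strncasecmp("src", type, 3)` and `strncasecmp("dst", type, 3)` already match "srcport" and "dstport", so a CSV layout that asks for ports silently prints the IP address twice; every other branch is also a prefix match, so a misspelled or extended token binds to whichever shorter field precedes it instead of being rejected. Compare the whole token, e.g. `if(!strcasecmp("srcport", type))`, in every branch, and treat a token that matches nothing as a configuration error rather than emitting an empty column. The header comment says `p` may be NULL and the timestamp line honours that, yet `proto`, `src`, `dst`, `srcport`, `dstport`, `udplength`, the `icmp*` fields, `ttl`, `tos`, `id`, `iplen`, `dgmlen` and the `tcp*` fields all dereference `p` unguarded, and `proto`/`src`/`dst`/`srcport`/`dstport` dereference `p->iph` as well, so an alert raised with a NULL packet or on a packet whose `iph` is NULL (nothing in this hunk rules that out) crashes the sensor, which is a denial of service against the IDS itself. Guard those branches with `if(p && p->iph)` the way the `eth*` branches already guard `p && p->eh`, and check `p->tcph`/`p->udph`/`p->icmph` only after `p`. Separately, `CSVAlert` discards its `arg` parameter and passes an identifier `alert` that this patch does not declare; if that resolves to a file-scope default alert stream, the output handle configured for the CSV plugin is never used.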
Index: log.h
===================================================================
RCS file: /cvsroot/snort/snort/log.h,v
retrieving revision 1.7
diff -u -r1.7 log.h
--- log.h 2001/01/02 08:06:00 1.7
+++ log.h 2001/03/13 22:28:07

-79,6 +79,9 
void AlertFast(Packet *, char *, FILE *);
void AlertFull(Packet *, char *, FILE *);
+void AlertCSV(Packet *, char *, FILE *, char **, const int);
+void CSVAlert(Packet *, char *, void *, char **, const int);
+
void FastAlert(Packet *, char *, void *);
void FullAlert(Packet *, char *, void *);
void NoAlert(Packet *, char *, void *);
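Review bot: The new prototypes qualify the trailing count as `const int` while the log.c definitions in this same patch take plain `int`; C ignores top-level qualifiers on by-value parameters so this links, but the mismatch is confusing and the convention is to keep `const` on by-value parameters out of headers. Declare them as `void AlertCSV(Packet *, char *, FILE *, char **, int);` and `void CSVAlert(Packet *, char *, void *, char **, int);` to match the sibling declarations. Naming the parameters in the prototypes (`char **args, int numargs`) would also help, since the `char **` and the count are otherwise unexplained to a caller reading only this header.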
Index: plugbase.c
===================================================================
RCS file: /cvsroot/snort/snort/plugbase.c,v
retrieving revision 1.20
diff -u -r1.20 plugbase.c
--- plugbase.c 2001/03/12 21:51:12 1.20
+++ plugbase.c 2001/03/13 22:28:08

-95,6 +95,7 
SetupAlertSmb();
SetupAlertUnixSock();
SetupXml();
+ SetupCSV();
}
Index: plugbase.h
===================================================================
RCS file: /cvsroot/snort/snort/plugbase.h,v
retrieving revision 1.25
diff -u -r1.25 plugbase.h
--- plugbase.h 2001/03/12 21:51:12 1.25
+++ plugbase.h 2001/03/13 22:28:09

-62,6 +62,7 
#include "spo_alert_smb.h"
#include "spo_alert_unixsock.h"
#include "spo_xml.h"
+#include "spo_csv.h"
#include <sys/ioctl.h>