OpenSDE
/
package-nopast
3
0
Fork 0
Code Issues 9 Projects 1 Releases Activity
OpenSDE Packages Database (without history before r20070)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8236 Commits
49 Branches
0 Tags
34 MiB
Tree: fd9fba9642
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fd9fba9642'
${ noResults }
package-nopast/network/sancp/sancp-1.6.1-stable-prelude-...

661 lines
25 KiB
Raw Normal View History

* updated sancp (1.6.1d -> 1.6.1) * marked sancp stable * reworked sancp prelude support git-svn-id: svn://svn.opensde.net/opensde/package/trunk@22001 10447126-35f2-4685-b0cf-6dd780d3921f
17 years ago
Regenerated copyright notes broadly, without renewing them.
17 years ago
* updated sancp (1.6.1d -> 1.6.1) * marked sancp stable * reworked sancp prelude support git-svn-id: svn://svn.opensde.net/opensde/package/trunk@22001 10447126-35f2-4685-b0cf-6dd780d3921f
17 years ago
Regenerated copyright notes broadly, without renewing them.
17 years ago
* updated sancp (1.6.1d -> 1.6.1) * marked sancp stable * reworked sancp prelude support git-svn-id: svn://svn.opensde.net/opensde/package/trunk@22001 10447126-35f2-4685-b0cf-6dd780d3921f
17 years ago
Regenerated copyright notes broadly, without renewing them.
17 years ago
* updated sancp (1.6.1d -> 1.6.1) * marked sancp stable * reworked sancp prelude support git-svn-id: svn://svn.opensde.net/opensde/package/trunk@22001 10447126-35f2-4685-b0cf-6dd780d3921f
17 years ago
  1. # --- SDE-COPYRIGHT-NOTE-BEGIN ---
  2. # This copyright note is auto-generated by ./scripts/Create-CopyPatch.
  3. #
  4. # Filename: package/.../sancp/sancp-1.6.1-stable-prelude-3.diff
  5. # Copyright (C) 2007 The OpenSDE Project
  6. #
  7. # More information can be found in the files COPYING and README.
  8. #
  9. # This patch file is dual-licensed. It is available under the license the
  10. # patched project is licensed under, as long as it is an OpenSource license
  11. # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
  12. # of the GNU General Public License as published by the Free Software
  13. # Foundation; either version 2 of the License, or (at your option) any later
  14. # version.
  15. # --- SDE-COPYRIGHT-NOTE-END ---
  17. diff -ruN sancp-1.6.1-stable.vanilla/Makefile sancp-1.6.1-stable/Makefile
  18. --- sancp-1.6.1-stable.vanilla/Makefile 2007-07-07 00:46:11.000000000 +0200
  19. +++ sancp-1.6.1-stable/Makefile 2007-07-24 13:44:01.000000000 +0200
  20. @@ -9,7 +9,7 @@
  23. # LINUX and BSD CFLAGS
  24. -CFLAGS = -O3 -I/usr/include/pcap -I/usr/local/include/pcap -I./ -L/usr/lib/libsocket.so -g -L/opt/csw/lib -ggdb
  25. +CFLAGS = -g -O3 -I/usr/include/pcap -I/usr/local/include/pcap -I./ -L/usr/lib/libsocket.so -g -L/opt/csw/lib -ggdb `libprelude-config --cflags`
  27. # LINUX LFLAGS
  28. LFLAGS = -lresolv -lnsl -lpcap -L/usr/lib/libpcap.so.0.6.2
  29. @@ -41,10 +41,10 @@
  30. bsd :
  31. @(echo "#define PLATFORM_BSD" > platform.h)
  32. @make final
  33. - g++ -Wall $(BFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o
  34. + g++ -Wall $(BFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o `libprelude-config --libs` `libprelude-config --ldflags`
  36. linux :
  37. @(echo "#define PLATFORM_LINUX" > platform.h)
  38. @make final
  39. - g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o
  40. + g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o `libprelude-config --libs` `libprelude-config --ldflags`
  42. diff -ruN sancp-1.6.1-stable.vanilla/apply_rule.cc sancp-1.6.1-stable/apply_rule.cc
  43. --- sancp-1.6.1-stable.vanilla/apply_rule.cc 2007-07-05 18:12:20.000000000 +0200
  44. +++ sancp-1.6.1-stable/apply_rule.cc 2007-07-24 13:44:01.000000000 +0200
  45. @@ -47,6 +47,12 @@
  46. tc->tcplag=myacl->tcplag;
  47. tc->status=myacl->status;
  48. tc->rid=myacl->rid;
  49. + tc->prelude_impact_severity=myacl->prelude_impact_severity;
  50. + tc->prelude_impact_completion=myacl->prelude_impact_completion;
  51. + tc->prelude_impact_type=myacl->prelude_impact_type;
  52. + tc->prelude_confidence_rating=myacl->prelude_confidence_rating;
  53. +
  54. +
  56. if(myacl->pmode==OMODE_UNIQ)
  57. {
  58. @@ -112,6 +118,10 @@
  59. nc->rgid=myacl->rgid;
  60. nc->zone=myacl->zone;
  61. nc->node=myacl->node;
  62. + nc->prelude_impact_severity=myacl->prelude_impact_severity;
  63. + nc->prelude_impact_completion=myacl->prelude_impact_completion;
  64. + nc->prelude_impact_type=myacl->prelude_impact_type;
  65. + nc->prelude_confidence_rating=myacl->prelude_confidence_rating;
  66. myacl->ctr++;
  67. return;
  68. }
  69. @@ -130,6 +140,10 @@
  70. nc->timeout=gVars.default_timeout;
  71. nc->tcplag=gVars.default_tcplag;
  72. nc->node=gVars.default_node;
  73. + nc->prelude_impact_severity=gVars.prelude_impact_severity;
  74. + nc->prelude_impact_completion=gVars.prelude_impact_completion;
  75. + nc->prelude_impact_type=gVars.prelude_impact_type;
  76. + nc->prelude_confidence_rating=gVars.prelude_confidence_rating;
  77. gVars.default_ctr++;
  78. #ifdef DEBUG
  79. printf("Setting stats: %d pcap: %d realtime: %d limit: %d timeout: %d tcplag: %d\n", nc->stats, nc->pcap, nc->realtime, nc->limit, nc->timeout, nc->tcplag);
  80. diff -ruN sancp-1.6.1-stable.vanilla/build_acl.cc sancp-1.6.1-stable/build_acl.cc
  81. --- sancp-1.6.1-stable.vanilla/build_acl.cc 2007-07-05 18:12:20.000000000 +0200
  82. +++ sancp-1.6.1-stable/build_acl.cc 2007-07-24 13:44:01.000000000 +0200
  83. @@ -1168,6 +1168,62 @@
  84. fprintf(stdout,"Didn't set default for %s to %s\n",tok,tmp);
  85. #endif
  86. }
  87. + if(strcmp(tok,"prelude_impact_severity")==0)
  88. + {
  89. + if((tmp = get_tok(&rules,accept))==NULL)
  90. + {
  91. + syslog(LOG_ERR,"Format error, prelude_impact_severity specified but none provided, using prelude_impact_severity %s\n",PRELUDE_IMPACT_SEVERITY);
  92. + free(rule);
  93. + return;
  94. + }
  95. + gVars.prelude_impact_severity = strdup(tmp);
  96. + free(rule);
  97. + }
  98. + if(strcmp(tok,"prelude_impact_completion")==0)
  99. + {
  100. + if((tmp = get_tok(&rules,accept))==NULL)
  101. + {
  102. + syslog(LOG_ERR,"Format error, prelude_impact_completion specified but none provided, using prelude_impact_completion %s\n",PRELUDE_IMPACT_COMPLETION);
  103. + free(rule);
  104. + return;
  105. + }
  106. + gVars.prelude_impact_completion = strdup(tmp);
  107. + free(rule);
  108. + }
  109. + if(strcmp(tok,"prelude_impact_type")==0)
  110. + {
  111. + if((tmp = get_tok(&rules,accept))==NULL)
  112. + {
  113. + syslog(LOG_ERR,"Format error, prelude_impact_type specified but none provided, using prelude_impact_type %s\n",PRELUDE_IMPACT_TYPE);
  114. + free(rule);
  115. + return;
  116. + }
  117. + gVars.prelude_impact_type = strdup(tmp);
  118. + free(rule);
  119. + }
  120. + if(strcmp(tok,"prelude_confidence_rating")==0)
  121. + {
  122. + if((tmp = get_tok(&rules,accept))==NULL)
  123. + {
  124. + syslog(LOG_ERR,"Format error, prelude_confidence_rating specified but none provided, using prelude_confidence_rating %s\n",PRELUDE_CONFIDENCE_RATING);
  125. + free(rule);
  126. + return;
  127. + }
  128. + gVars.prelude_confidence_rating = strdup(tmp);
  129. + free(rule);
  130. + }
  131. + if(strcmp(tok,"prelude_profile")==0)
  132. + {
  133. + if((tmp = get_tok(&rules,accept))==NULL)
  134. + {
  135. + syslog(LOG_ERR,"Format error, prelude_profile specified but none provided, using prelude_profile %s\n",PRELUDE_PROFILE);
  136. + free(rule);
  137. + return;
  138. + }
  139. + gVars.prelude_profile = strdup(tmp);
  140. + free(rule);
  141. + }
  142. +
  143. }
  145. void parse_var(char *c_rule, char *accept)
  146. @@ -1426,6 +1482,10 @@
  147. }else{
  148. n_acl->fH = 0;
  149. }
  150. + n_acl->prelude_impact_severity = gVars.prelude_impact_severity;
  151. + n_acl->prelude_impact_completion = gVars.prelude_impact_completion;
  152. + n_acl->prelude_impact_type = gVars.prelude_impact_type;
  153. + n_acl->prelude_confidence_rating = gVars.prelude_confidence_rating;
  155. // FIELD 0 - required - Get the h_proto
  156. n_acl->h_proto_h = 0xFFFF;
  157. @@ -2061,6 +2121,46 @@
  158. n_acl->retro = true;
  159. continue;
  160. }
  161. + if(strcmp(tok,"severity")==0)
  162. + {
  163. + if((tmp = get_tok(rules,accept))==NULL)
  164. + {
  165. + syslog(LOG_ERR,"Format error, severity specified but no option provided%s\n",rule);
  166. + return;
  167. + }
  168. + n_acl->prelude_impact_severity = strdup(tmp);
  169. + continue;
  170. + }
  171. + if(strcmp(tok,"completion")==0)
  172. + {
  173. + if((tmp = get_tok(rules,accept))==NULL)
  174. + {
  175. + syslog(LOG_ERR,"Format error, completion specified but no option provided%s\n",rule);
  176. + return;
  177. + }
  178. + n_acl->prelude_impact_completion = strdup(tmp);
  179. + continue;
  180. + }
  181. + if(strcmp(tok,"type")==0)
  182. + {
  183. + if((tmp = get_tok(rules,accept))==NULL)
  184. + {
  185. + syslog(LOG_ERR,"Format error, type specified but no option provided%s\n",rule);
  186. + return;
  187. + }
  188. + n_acl->prelude_impact_type = strdup(tmp);
  189. + continue;
  190. + }
  191. + if(strcmp(tok,"confidence")==0)
  192. + {
  193. + if((tmp = get_tok(rules,accept))==NULL)
  194. + {
  195. + syslog(LOG_ERR,"Format error, confidence specified but no option provided%s\n",rule);
  196. + return;
  197. + }
  198. + n_acl->prelude_confidence_rating = strdup(tmp);
  199. + continue;
  200. + }
  201. syslog(LOG_ERR,"Skipping, invalid option in rule: %s %s\n", tok,*rules);
  202. return;
  203. }
  204. diff -ruN sancp-1.6.1-stable.vanilla/docs/README sancp-1.6.1-stable/docs/README
  205. --- sancp-1.6.1-stable.vanilla/docs/README 2007-07-06 03:33:14.000000000 +0200
  206. +++ sancp-1.6.1-stable/docs/README 2007-07-24 13:44:01.000000000 +0200
  207. @@ -277,6 +277,10 @@
  208. strip-80211 { disable|enable }
  209. node <number>
  210. debug_pcap_raw { disable|enable }
  211. + prelude_impact_severity [string]
  212. + prelude_impact_completion [string]
  213. + prelude_impact_type [string]
  214. + prelude_confidence_rating [string]
  216. known_port syntax:
  217. -----------------------:
  218. @@ -310,6 +314,9 @@
  219. b) tagging options
  220. i.e. status=16 rid=1112 node=2
  222. + c) prelude options
  223. + i.e. severity=severe, completion=succeeded, type=other, confidence=high
  224. +
  225. [<ether protocol>[-<end_range>] [<src_ip{/<CIDR>|<dotted>}>] [<dst_ip{/<CIDR>|<dotted>}>] [{tcp|udp|icmp|<proto number>[-<end_range>] }]
  226. [<src_port>{-[<end_port_range>]}] [<dst_port>{-[<end_port_range>]}]
  227. { ignore | stats [{log|pass}] | realtime [{log|pass}] |
  228. diff -ruN sancp-1.6.1-stable.vanilla/gvars.h sancp-1.6.1-stable/gvars.h
  229. --- sancp-1.6.1-stable.vanilla/gvars.h 2007-07-05 18:12:20.000000000 +0200
  230. +++ sancp-1.6.1-stable/gvars.h 2007-07-24 13:44:01.000000000 +0200
  231. @@ -17,7 +17,8 @@
  232. /* Make certain all id's are represented in the same order (as strings) in fmtnames[] */
  233. /* 'null' is a place holder - in the list for field 0 */
  235. -enum id {null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_local,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac };
  236. +enum id
  237. +{null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_local,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac,prelude_impact_sevirty,prelude_impact_completion,prelude_impact_type,prelude_confidence_rating,prelude_profile };
  239. struct cnx_queue {
  240. struct cnx *head;
  241. @@ -102,5 +103,10 @@
  242. int stdout_fmt_len;
  243. pcap_t *ph; // pcap handle
  244. struct pcap_pkthdr *g_pkthdr;//
  245. + char *prelude_impact_severity;
  246. + char *prelude_impact_completion;
  247. + char *prelude_impact_type;
  248. + char *prelude_confidence_rating;
  249. + char *prelude_profile;
  250. };
  252. diff -ruN sancp-1.6.1-stable.vanilla/sancp.cc sancp-1.6.1-stable/sancp.cc
  253. --- sancp-1.6.1-stable.vanilla/sancp.cc 2007-07-05 18:12:20.000000000 +0200
  254. +++ sancp-1.6.1-stable/sancp.cc 2007-07-24 13:44:01.000000000 +0200
  255. @@ -48,7 +48,40 @@
  256. //char dfltfmt[]= { sancp_id,start_time_gmt,src_mac,dst_mac,eth_proto,src_ip_dotted,dst_ip_dotted,ip_proto,src_port,dst_port };
  257. char dfltfmt_human_readable[]= { sancp_id,start_time_gmt,stop_time_gmt,erased_time_gmt,eth_proto,ip_proto,src_ip_dotted,src_port,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,dflags_hex,cflags_hex,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac };
  259. +prelude_client_t *client;
  260. +static idmef_analyzer_t *idmef_analyzer;
  262. +int sancp_alert_init(prelude_client_t *client)
  263. +{
  264. + int ret;
  265. + prelude_string_t *string;
  266. +
  267. + idmef_analyzer = prelude_client_get_analyzer(client);
  268. + if ( ! idmef_analyzer )
  269. + return -1;
  270. +
  271. + ret = idmef_analyzer_new_model(idmef_analyzer, &string);
  272. + if ( ret < 0 )
  273. + return -1;
  274. + prelude_string_set_constant(string, PRELUDE_ANALYZER_MODEL);
  275. +
  276. + ret = idmef_analyzer_new_class(idmef_analyzer, &string);
  277. + if ( ret < 0 )
  278. + return -1;
  279. + prelude_string_set_constant(string, PRELUDE_ANALYZER_CLASS);
  280. +
  281. + ret = idmef_analyzer_new_manufacturer(idmef_analyzer, &string);
  282. + if ( ret < 0 )
  283. + return -1;
  284. + prelude_string_set_constant(string, PRELUDE_ANALYZER_MANUFACTURER);
  285. +
  286. + ret = idmef_analyzer_new_version(idmef_analyzer, &string);
  287. + if ( ret < 0 )
  288. + return -1;
  289. + prelude_string_set_constant(string, VERSION);
  290. +
  291. + return 0;
  292. +}
  293. /*************
  294. * Main *
  295. *************/
  296. @@ -56,6 +89,7 @@
  297. int main(int argc, char *argv[]) {
  298. extern struct gvars gVars;
  299. int cKey;
  300. + int ret;
  301. pid_t pid=0;
  303. /*
  304. @@ -102,6 +136,14 @@
  305. gVars.stdout_delimiter=DEFAULT_DELIMITER;
  306. gVars.stdout_eor=DEFAULT_EOR;
  308. + gVars.prelude_impact_severity=PRELUDE_IMPACT_SEVERITY;
  309. + gVars.prelude_impact_completion=PRELUDE_IMPACT_COMPLETION;
  310. + gVars.prelude_impact_type=PRELUDE_IMPACT_TYPE;
  311. + gVars.prelude_confidence_rating=PRELUDE_CONFIDENCE_RATING;
  312. + gVars.prelude_profile=PRELUDE_PROFILE;
  313. +
  314. +
  315. +
  316. for(cKey=0; cKey<HASH_KEYS; cKey++)
  317. {
  318. gVars.cnx_head[cKey]=NULL;
  319. @@ -116,6 +158,8 @@
  321. parse_args(argc, argv);
  323. +
  324. +
  325. if(gVars.human_readable){
  326. if(gVars.realtime_fmt_len!=sizeof(dfltfmt_human_readable)){
  327. free(gVars.realtime_fmt);
  328. @@ -143,7 +187,15 @@
  330. setsid();
  331. }
  332. + prelude_log_set_flags((prelude_log_flags_t)PRELUDE_LOG_FLAGS_SYSLOG);
  333. }
  334. +
  335. + /* Initialize prelude */
  336. + ret = prelude_init(&argc, argv);
  337. + if (ret < 0) {
  338. + prelude_perror(ret, "unable to initialize the prelude library");
  339. + exit_all(0);
  340. + }
  341. /* Retrieve the last cnxid from cache file if we haven't already in parse_args() */
  343. if(!gVars.cnx_id)
  344. @@ -197,6 +249,29 @@
  346. build_config(1);
  348. + /* Create prelude sensor */
  349. +
  350. + ret = prelude_client_new(&client, gVars.prelude_profile);
  351. + if ( ! client ) {
  352. + prelude_perror(ret, "Unable to create a prelude client object");
  353. + exit_all(0);
  354. + }
  355. +
  356. + /* Start prelude sensor */
  357. + sancp_alert_init(client);
  358. + ret = prelude_client_start(client);
  359. + if ( ret < 0 ) {
  360. + prelude_perror(ret, "Unable to start prelude client");
  361. + exit_all(0);
  362. + }
  363. +
  364. + ret = prelude_client_set_flags(client, (prelude_client_flags_t)
  365. + (PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
  366. + if ( ret < 0 ) {
  367. + fprintf(stderr, "Unable to set asynchronous send and timer.\n");
  368. + exit_all(0);
  369. + }
  370. +
  371. /* Open files for output */
  372. /* Be r3al l33t h3r3 */
  374. diff -ruN sancp-1.6.1-stable.vanilla/sancp.h sancp-1.6.1-stable/sancp.h
  375. --- sancp-1.6.1-stable.vanilla/sancp.h 2007-07-06 06:18:04.000000000 +0200
  376. +++ sancp-1.6.1-stable/sancp.h 2007-07-24 13:44:01.000000000 +0200
  377. @@ -47,6 +47,10 @@
  378. #include "gvars.h"
  379. #endif
  381. +#include <libprelude/prelude.h>
  382. +#include <libprelude/prelude-log.h>
  383. +#include <netdb.h>
  384. +
  385. #define NCP_H
  386. #define Y 'Y'
  387. #define N 'N'
  388. @@ -79,6 +83,7 @@
  389. struct vars *next;
  390. };
  392. +extern prelude_client_t *client;
  393. int main(int argc, char *argv[]);
  394. struct cnx *process(struct cnx*, int len, u_char * pkt);
  395. char * createPcapFileName();
  396. @@ -185,6 +190,15 @@
  397. #define OMODE_RULE 5
  398. #define OMODE_UNIQ 6
  400. +#define PRELUDE_IMPACT_SEVERITY "medium"
  401. +#define PRELUDE_IMPACT_COMPLETION "succeeded"
  402. +#define PRELUDE_IMPACT_TYPE "other"
  403. +#define PRELUDE_CONFIDENCE_RATING "high"
  404. +#define PRELUDE_ANALYZER_MODEL "Sancp"
  405. +#define PRELUDE_ANALYZER_CLASS "NIDS"
  406. +#define PRELUDE_ANALYZER_MANUFACTURER "http://www.metre.net/sancp.html"
  407. +#define PRELUDE_PROFILE "sancp"
  408. +
  409. // Need to distinguish between classes of variables
  410. #define VCLASS_0 1 // eth_proto class vars
  411. #define VCLASS_1 2 // ip_addr class vars
  412. @@ -276,6 +290,10 @@
  413. u_int16_t rgid;
  414. u_int16_t node;
  415. u_int16_t zone;
  416. + char *prelude_impact_severity;
  417. + char *prelude_impact_completion;
  418. + char *prelude_impact_type;
  419. + char *prelude_confidence_rating;
  420. CBuffer *CBufferPtr;
  421. struct acl *next;
  422. };
  423. @@ -314,6 +332,10 @@
  424. u_int16_t rgid;
  425. u_int16_t node;
  426. u_int16_t zone;
  427. + char *prelude_impact_severity;
  428. + char *prelude_impact_completion;
  429. + char *prelude_impact_type;
  430. + char *prelude_confidence_rating;
  431. CBuffer *CBufferPtr;
  432. struct os_info os_info;
  433. struct os_info os_info2;
  434. diff -ruN sancp-1.6.1-stable.vanilla/statefull_logging.cc sancp-1.6.1-stable/statefull_logging.cc
  435. --- sancp-1.6.1-stable.vanilla/statefull_logging.cc 2007-07-05 18:12:20.000000000 +0200
  436. +++ sancp-1.6.1-stable/statefull_logging.cc 2007-07-24 13:44:01.000000000 +0200
  437. @@ -183,6 +183,208 @@
  438. snprintf(buf,len,"%s",currenttime);
  439. }
  441. +static int add_idmef_object(idmef_message_t *message, const char *object, const char *value)
  442. +{
  443. + int ret;
  444. + idmef_value_t *val;
  445. + idmef_path_t *path;
  446. +
  447. + ret = idmef_path_new(&path, object);
  448. + if ( ret < 0 )
  449. + return -1;
  450. +
  451. + ret = idmef_value_new_from_path(&val, path, value);
  452. + if ( ret < 0 ) {
  453. + idmef_path_destroy(path);
  454. + return -1;
  455. + }
  456. +
  457. + ret = idmef_path_set(path, message, val);
  458. +
  459. + idmef_value_destroy(val);
  460. + idmef_path_destroy(path);
  461. +
  462. + return ret;
  463. +}
  464. +
  465. +#define IDMEF(x) { \
  466. + int ret = (x); \
  467. + if (ret < 0) { idmef_message_destroy(idmef); printf("error\n"); return; } \
  468. + }
  469. +
  470. +void record_prelude(struct cnx *cn) {
  471. + char LOG[MAXENTRYLEN];
  472. +
  473. + idmef_message_t *idmef;
  474. + idmef_alert_t *alert;
  475. + idmef_time_t *time;
  476. +
  477. + struct servent *sourceservent;
  478. + struct protoent *protoent;
  479. +
  480. + IDMEF(idmef_message_new(&idmef));
  481. + IDMEF(idmef_message_new_alert(idmef, &alert));
  482. +
  483. + /* alert.detecttime */
  484. + if (cn->start_time) {
  485. + IDMEF(idmef_time_new_from_time(&time, &cn->start_time));
  486. + } else {
  487. + /* using the curen time */
  488. + IDMEF(idmef_time_new_from_gettimeofday(&time));
  489. + }
  490. + idmef_alert_set_detect_time(alert, time);
  491. +
  492. + /* alert.createtime */
  493. + time = NULL;
  494. + IDMEF(idmef_time_new_from_gettimeofday(&time));
  495. + idmef_alert_set_create_time(alert, time);
  496. +
  497. + /* alert.analyzer */
  498. + idmef_alert_set_analyzer(alert,idmef_analyzer_ref(prelude_client_get_analyzer(client)),0);
  499. +
  500. + /* alert.classification.text */
  501. + add_idmef_object(idmef, "alert.classification.text",
  502. + "Unauthorized network connectivity");
  503. +
  504. + /* alert.messageid */
  505. + snprintf(LOG,MAXENTRYLEN,"%lld",cn->cid);
  506. + add_idmef_object(idmef, "alert.messageid", LOG);
  507. +
  508. + /* alert.impact.severity */
  509. + add_idmef_object(idmef, "alert.assessment.impact.severity",
  510. + cn->prelude_impact_severity);
  511. +
  512. + /* alert.impact.completion */
  513. + add_idmef_object(idmef, "alert.assessment.impact.completion",
  514. + cn->prelude_impact_completion);
  515. +
  516. + /* alert.impact.type */
  517. + add_idmef_object(idmef, "alert.assessment.impact.type",
  518. + cn->prelude_impact_type);
  519. +
  520. + /* alert.confidence.rating */
  521. + add_idmef_object(idmef, "alert.assessment.confidence.rating",
  522. + cn->prelude_confidence_rating);
  523. +
  524. + /* alert.additionaldata(0) */
  525. + add_idmef_object(idmef, "alert.additionaldata(0).type", "integer");
  526. + add_idmef_object(idmef, "alert.additionaldata(0).meaning", "status");
  527. + snprintf(LOG,MAXENTRYLEN,"%u",cn->status);
  528. + add_idmef_object(idmef, "alert.additionaldata(0).integer", LOG);
  529. +
  530. + /* alert.additionaldata(1) */
  531. + add_idmef_object(idmef, "alert.additionaldata(1).type", "integer");
  532. + add_idmef_object(idmef, "alert.additionaldata(1).meaning", "Network node");
  533. + snprintf(LOG,MAXENTRYLEN,"%u",cn->node);
  534. + add_idmef_object(idmef, "alert.additionaldata(1).integer", LOG);
  535. +
  536. + /* IP versios */
  537. + if (cn->h_proto == 8) {
  538. + add_idmef_object(idmef, "alert.source(0).service.ip_version", "4");
  539. + add_idmef_object(idmef, "alert.target(0).service.ip_version", "4");
  540. + } else {
  541. + /* bail out */
  542. + idmef_message_destroy(idmef);
  543. + return;
  544. + }
  545. +
  546. + /* alert.source(0).node.address(0) (ip address) */
  547. + if(cn->reversed==CNX_REVERSED){
  548. + snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0');
  549. + }else{
  550. + snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0');
  551. + }
  552. + add_idmef_object(idmef, "alert.source(0).node.address(0).category",
  553. + "ipv4-addr");
  554. + add_idmef_object(idmef, "alert.source(0).node.address(0).address", LOG);
  555. +
  556. + /* alert.source(0).node.address(1) (mac address) */
  557. + add_idmef_object(idmef, "alert.source(0).node.address(1).category", "mac");
  558. + {
  559. + struct myether_addr *es=(struct myether_addr *)&cn->eth_hdr.ether_shost;
  560. + snprintf(LOG,MAXENTRYLEN,"%0x:%0x:%0x:%0x:%0x:%0x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]);
  561. + }
  562. + add_idmef_object(idmef, "alert.source(0).node.address(1).address", LOG);
  563. +
  564. + protoent = getprotobynumber(cn->proto);
  565. +
  566. + /* alert.source(0).iana_protocol_number */
  567. + snprintf(LOG,MAXENTRYLEN,"%u",(cn->proto));
  568. + add_idmef_object(idmef, "alert.source(0).service.iana_protocol_number", LOG);
  569. +
  570. + /* alert.target(0).iana_protocol_number */
  571. + add_idmef_object(idmef, "alert.target(0).service.iana_protocol_number", LOG);
  572. +
  573. +
  574. + if (protoent) {
  575. + /* alert.source(0).iana_protocol_name */
  576. + add_idmef_object(idmef, "alert.source(0).service.iana_protocol_name",
  577. + protoent->p_name);
  578. +
  579. + /* alert.target(0).iana_protocol_name */
  580. + add_idmef_object(idmef, "alert.target(0).service.iana_protocol_name",
  581. + protoent->p_name);
  582. +
  583. + /* alert.source(0).service */
  584. + setservent(1);
  585. + if(cn->reversed==CNX_REVERSED){
  586. + snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->d_port));
  587. + sourceservent = getservbyport(ntohs(cn->d_port), protoent->p_name);
  588. + }else{
  589. + snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->s_port));
  590. + sourceservent = getservbyport(ntohs(cn->s_port), protoent->p_name);
  591. + }
  592. +
  593. + if (sourceservent && sourceservent->s_name)
  594. + add_idmef_object(idmef, "alert.source(0).service.name",
  595. + sourceservent->s_name );
  596. + add_idmef_object(idmef, "alert.source(0).service.port",
  597. + LOG);
  598. + add_idmef_object(idmef, "alert.source(0).service.protocol",
  599. + protoent->p_name);
  600. +
  601. + /* alert.target(0).service */
  602. + if(cn->reversed==CNX_REVERSED){
  603. + snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->s_port));
  604. + sourceservent = getservbyport(ntohs(cn->s_port), protoent->p_name);
  605. + }else{
  606. + snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->d_port));
  607. + sourceservent = getservbyport(ntohs(cn->d_port), protoent->p_name);
  608. + }
  609. +
  610. + if (sourceservent && sourceservent->s_name)
  611. + add_idmef_object(idmef, "alert.target(0).service.name",
  612. + sourceservent->s_name );
  613. + add_idmef_object(idmef, "alert.target(0).service.port",
  614. + LOG);
  615. + add_idmef_object(idmef, "alert.target(0).service.protocol",
  616. + protoent->p_name);
  617. + }
  618. +/*
  619. +*/
  620. +
  621. + /* alert.target(0).node.address(0) (ip address) */
  622. + if(cn->reversed==CNX_REVERSED){
  623. + snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0');
  624. + }else{
  625. + snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0');
  626. + }
  627. + add_idmef_object(idmef, "alert.target(0).node.address(0).category",
  628. + "ipv4-addr");
  629. + add_idmef_object(idmef, "alert.target(0).node.address(0).address", LOG);
  630. +
  631. + /* alert.target(0).node_address(1) (mac address) */
  632. + add_idmef_object(idmef, "alert.target(0).node.address(1).category", "mac");
  633. + {
  634. + struct myether_addr *es=(struct myether_addr *)&cn->eth_hdr.ether_dhost;
  635. + snprintf(LOG,MAXENTRYLEN,"%0x:%0x:%0x:%0x:%0x:%0x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]);
  636. + }
  637. + add_idmef_object(idmef, "alert.target(0).node.address(1).address", LOG);
  638. +
  639. + prelude_client_send_idmef(client, idmef);
  640. + idmef_message_destroy(idmef);
  641. +}
  642. +
  644. void record(struct cnx *cn, outputFileHandle *fH)
  645. {
  646. @@ -199,8 +401,15 @@
  648. char eor=fH->getEor();
  650. + /* do we want prelude alert generation for this record? */
  651. +
  652. bzero(LOG,MAXENTRYLEN);
  654. + if (fH == gVars.sfH) {
  655. + record_prelude(cn);
  656. + }
  657. +
  658. +
  660. /*
  661. * Structure of a 48-bit Ethernet address.