diff options
Diffstat (limited to 'security/snort/files/patch-alert.csv.diff')
| -rw-r--r-- | security/snort/files/patch-alert.csv.diff | 476 |
1 files changed, 476 insertions, 0 deletions
diff --git a/security/snort/files/patch-alert.csv.diff b/security/snort/files/patch-alert.csv.diff new file mode 100644 index 0000000..5c61e93 --- /dev/null +++ b/security/snort/files/patch-alert.csv.diff @@ -0,0 +1,476 @@ +diff -ur ../snort-2.9.5.6.old/src/output-plugins/spo_csv.c ./src/output-plugins/spo_csv.c +--- ../snort-2.9.5.6.old/src/output-plugins/spo_csv.c 2012-07-14 05:12:03.000000000 +0000 ++++ ./src/output-plugins/spo_csv.c 2012-07-14 05:25:31.000000000 +0000 +@@ -68,6 +68,7 @@ + #include "sfutil/sf_textlog.h" + #include "log_text.h" + ++enum _COLUMNS { _TIMESTAMP,_SIG_GENERATOR,_SIG_ID,_SIG_REV,_MSG,_PROTO,_SRC,_SRCPORT,_DST,_DSTPORT,_ETHSRC,_ETHDST,_ETHLEN,_TCPFLAGS,_TCPSEQ,_TCPACK,_TCPLEN,_TCPWINDOW,_TTL,_TOS,_ID,_DGMLEN,_IPLEN,_ICMPTYPE,_ICMPCODE,_ICMPID,_ICMPSEQ,_PRIORITY,_CLASIFICATION,_ETHTYPE,_UDPLENGTH, _XREF }; + #define DEFAULT_CSV "timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,ethsrc,ethdst,ethlen,tcpflags,tcpseq,tcpack,tcpln,tcpwindow,ttl,tos,id,dgmlen,iplen,icmptype,icmpcode,icmpid,icmpseq" + + #define DEFAULT_FILE "alert.csv" +@@ -76,6 +77,7 @@ + + typedef struct _AlertCSVConfig + { ++ enum _COLUMNS ctype; + char *type; + struct _AlertCSVConfig *next; + } AlertCSVConfig; +@@ -89,6 +91,7 @@ + AlertCSVConfig *config; + } AlertCSVData; + ++extern OptTreeNode *otn_tmp; + + /* list of function prototypes for this preprocessor */ + static void AlertCSVInit(char *); +@@ -96,8 +99,7 @@ + static void AlertCSV(Packet *, const char *, void *, Event *); + static void AlertCSVCleanExit(int, void *); + static void RealAlertCSV( +- Packet*, const char* msg, char **args, int numargs, Event*, TextLog* +-); ++ Packet*, const char* msg, AlertCSVData *, Event*); + + /* + * Function: SetupCSV() +@@ -165,7 +167,8 @@ + char **toks; + int num_toks; + AlertCSVData *data; +- char* filename = NULL; ++ AlertCSVConfig *col, *coltmp; ++ char *type, *filename = NULL; + unsigned long limit = DEFAULT_LIMIT; + int i; + +@@ -197,6 +200,8 @@ + break; + + case 2: ++ if (tok == NULL) ++ break; + limit = strtol(tok, &end, 10); + + if ( tok == end ) +@@ -234,12 +239,101 @@ + data->log = TextLog_Init(filename, LOG_BUFFER, limit); + if ( filename ) free(filename); + ++ data->config = SnortAlloc(sizeof(AlertCSVConfig)); ++ if (data->config == NULL) { ++ FatalError("alert_csv: could not allocate memory"); ++ return data; ++ } ++ col = data->config; ++ col->next = NULL; ++ for (i = 0; i < data->numargs; i++) { ++ //printf("----------------------------------------------------------------------------%d\n", i); ++ if (i > 0) { ++ coltmp = SnortAlloc(sizeof(AlertCSVConfig)); ++ if (coltmp == NULL) { ++ FatalError("alert_csv: could not allocate memory"); ++ return data; ++ } ++ col->next = coltmp; ++ col = coltmp; ++ col->next = NULL; ++ } ++ type = data->args[i]; ++ ++ if (!strcasecmp("timestamp", type)) ++ col->ctype = _TIMESTAMP; ++ else if (!strcasecmp("sig_generator", type)) ++ col->ctype = _SIG_GENERATOR; ++ else if (!strcasecmp("sig_id", type)) ++ col->ctype = _SIG_ID; ++ else if (!strcasecmp("sig_rev", type)) ++ col->ctype = _SIG_REV; ++ else if (!strcasecmp("msg", type)) ++ col->ctype = _MSG; ++ else if (!strcasecmp("proto", type)) ++ col->ctype = _PROTO; ++ else if (!strcasecmp("ethsrc", type)) ++ col->ctype = _ETHSRC; ++ else if (!strcasecmp("ethdst", type)) ++ col->ctype = _ETHDST; ++ else if (!strcasecmp("ethtype", type)) ++ col->ctype = _ETHTYPE; ++ else if (!strcasecmp("udplength", type)) ++ col->ctype = _UDPLENGTH; ++ else if (!strcasecmp("ethlen", type)) ++ col->ctype = _ETHLEN; ++ else if (!strcasecmp("srcport", type)) ++ col->ctype = _SRCPORT; ++ else if (!strcasecmp("dstport", type)) ++ col->ctype = _DSTPORT; ++ else if (!strcasecmp("src", type)) ++ col->ctype = _SRC; ++ else if (!strcasecmp("dst", type)) ++ col->ctype = _DST; ++ else if (!strcasecmp("icmptype", type)) ++ col->ctype = _ICMPTYPE; ++ else if (!strcasecmp("icmpcode", type)) ++ col->ctype = _ICMPCODE; ++ else if (!strcasecmp("icmpid", type)) ++ col->ctype = _ICMPID; ++ else if (!strcasecmp("icmpseq", type)) ++ col->ctype = _ICMPSEQ; ++ else if (!strcasecmp("ttl", type)) ++ col->ctype = _TTL; ++ else if (!strcasecmp("tos", type)) ++ col->ctype = _TOS; ++ else if (!strcasecmp("id", type)) ++ col->ctype = _ID; ++ else if (!strcasecmp("iplen", type)) ++ col->ctype = _IPLEN; ++ else if (!strcasecmp("dgmlen", type)) ++ col->ctype = _DGMLEN; ++ else if (!strcasecmp("tcpseq", type)) ++ col->ctype = _TCPSEQ; ++ else if (!strcasecmp("tcpack", type)) ++ col->ctype = _TCPACK; ++ else if (!strcasecmp("tcplen", type)) ++ col->ctype = _TCPLEN; ++ else if (!strcasecmp("tcpwindow", type)) ++ col->ctype = _TCPWINDOW; ++ else if (!strcasecmp("tcpflags",type)) ++ col->ctype = _TCPFLAGS; ++ else if (!strcasecmp("classification",type)) ++ col->ctype = _CLASIFICATION; ++ else if (!strcasecmp("priority",type)) ++ col->ctype = _PRIORITY; ++ else if (!strcasecmp("xref",type)) ++ col->ctype = _XREF; ++ } ++ + return data; + } + + static void AlertCSVCleanup(int signal, void *arg, const char* msg) + { + AlertCSVData *data = (AlertCSVData *)arg; ++ AlertCSVConfig *col; ++ + /* close alert file */ + DEBUG_WRAP(DebugMessage(DEBUG_LOG,"%s\n", msg);); + +@@ -248,6 +342,14 @@ + mSplitFree(&data->args, data->numargs); + if (data->log) TextLog_Term(data->log); + free(data->csvargs); ++ if (data->config != NULL) { ++ while (data->config != NULL) { ++ col = data->config; ++ data->config = col->next; ++ free(col); ++ } ++ } ++ + /* free memory from SpoCSVData */ + free(data); + } +@@ -261,7 +363,7 @@ + static void AlertCSV(Packet *p, char *msg, void *arg, Event *event) + { + AlertCSVData *data = (AlertCSVData *)arg; +- RealAlertCSV(p, msg, data->args, data->numargs, event, data->log); ++ RealAlertCSV(p, msg, data, event); + } + + /* +@@ -278,49 +380,43 @@ + * Returns: void function + * + */ +-static void RealAlertCSV(Packet * p, const char *msg, char **args, +- int numargs, Event *event, TextLog* log) ++static void RealAlertCSV(Packet * p, const char *msg, AlertCSVData *data, ++ Event *event) + { +- int num; +- char *type; ++ AlertCSVConfig *col; ++ TextLog* log; + char tcpFlags[9]; + + if(p == NULL) + return; ++ if (data->config == NULL) ++ return; + + DEBUG_WRAP(DebugMessage(DEBUG_LOG,"Logging CSV Alert data\n");); + +- for (num = 0; num < numargs; num++) +- { +- type = args[num]; +- +- DEBUG_WRAP(DebugMessage(DEBUG_LOG, "CSV Got type %s %d\n", type, num);); +- +- if (!strcasecmp("timestamp", type)) +- { ++ log = data->log; ++ col = data->config; ++ while (col != NULL) { ++ switch (col->ctype) { ++ case _TIMESTAMP: + LogTimeStamp(log, p); +- } +- else if (!strcasecmp("sig_generator", type)) +- { ++ break; ++ case _SIG_GENERATOR: + if (event != NULL) + TextLog_Print(log, "%lu", (unsigned long) event->sig_generator); +- } +- else if (!strcasecmp("sig_id", type)) +- { ++ break; ++ case _SIG_ID: + if (event != NULL) + TextLog_Print(log, "%lu", (unsigned long) event->sig_id); +- } +- else if (!strcasecmp("sig_rev", type)) +- { ++ break; ++ case _SIG_REV: + if (event != NULL) + TextLog_Print(log, "%lu", (unsigned long) event->sig_rev); +- } +- else if (!strcasecmp("msg", type)) +- { ++ break; ++ case _MSG: + TextLog_Quote(log, msg); /* Don't fatal */ +- } +- else if (!strcasecmp("proto", type)) +- { ++ break; ++ case _PROTO: + if (IPH_IS_VALID(p)) + { + switch (GET_IPH_PROTO(p)) +@@ -338,49 +434,36 @@ + break; + } + } +- } +- else if (!strcasecmp("ethsrc", type)) +- { ++ break; ++ case _ETHSRC: + if (p->eh != NULL) + { + TextLog_Print(log, "%02X:%02X:%02X:%02X:%02X:%02X", p->eh->ether_src[0], + p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3], + p->eh->ether_src[4], p->eh->ether_src[5]); + } +- } +- else if (!strcasecmp("ethdst", type)) +- { ++ break; ++ case _ETHDST: + if (p->eh != NULL) + { + TextLog_Print(log, "%02X:%02X:%02X:%02X:%02X:%02X", p->eh->ether_dst[0], + p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3], + p->eh->ether_dst[4], p->eh->ether_dst[5]); + } +- } +- else if (!strcasecmp("ethtype", type)) +- { ++ break; ++ case _ETHTYPE: + if (p->eh != NULL) + TextLog_Print(log, "0x%X", ntohs(p->eh->ether_type)); +- } +- else if (!strcasecmp("udplength", type)) +- { ++ break; ++ case _UDPLENGTH: + if (p->udph != NULL) + TextLog_Print(log, "%d", ntohs(p->udph->uh_len)); +- } +- else if (!strcasecmp("ethlen", type)) +- { ++ break; ++ case _ETHLEN: + if (p->eh != NULL) + TextLog_Print(log, "0x%X", p->pkth->pktlen); +- } +-#ifndef NO_NON_ETHER_DECODER +- else if (!strcasecmp("trheader", type)) +- { +- if (p->trh != NULL) +- LogTrHeader(log, p); +- } +-#endif +- else if (!strcasecmp("srcport", type)) +- { ++ break; ++ case _SRCPORT: + if (IPH_IS_VALID(p)) + { + switch (GET_IPH_PROTO(p)) +@@ -393,9 +476,8 @@ + break; + } + } +- } +- else if (!strcasecmp("dstport", type)) +- { ++ break; ++ case _DSTPORT: + if (IPH_IS_VALID(p)) + { + switch (GET_IPH_PROTO(p)) +@@ -408,102 +490,95 @@ + break; + } + } +- } +- else if (!strcasecmp("src", type)) +- { ++ break; ++ case _SRC: + if (IPH_IS_VALID(p)) + TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p))); +- } +- else if (!strcasecmp("dst", type)) +- { ++ break; ++ case _DST: + if (IPH_IS_VALID(p)) + TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); +- } +- else if (!strcasecmp("icmptype", type)) +- { ++ break; ++ case _ICMPTYPE: + if (p->icmph != NULL) + TextLog_Print(log, "%d", p->icmph->type); +- } +- else if (!strcasecmp("icmpcode", type)) +- { ++ break; ++ case _ICMPCODE: + if (p->icmph != NULL) + TextLog_Print(log, "%d", p->icmph->code); +- } +- else if (!strcasecmp("icmpid", type)) +- { ++ break; ++ case _ICMPID: + if (p->icmph != NULL) + TextLog_Print(log, "%d", ntohs(p->icmph->s_icmp_id)); +- } +- else if (!strcasecmp("icmpseq", type)) +- { ++ break; ++ case _ICMPSEQ: + if (p->icmph != NULL) + TextLog_Print(log, "%d", ntohs(p->icmph->s_icmp_seq)); +- } +- else if (!strcasecmp("ttl", type)) +- { ++ break; ++ case _TTL: + if (IPH_IS_VALID(p)) + TextLog_Print(log, "%d", GET_IPH_TTL(p)); +- } +- else if (!strcasecmp("tos", type)) +- { ++ break; ++ case _TOS: + if (IPH_IS_VALID(p)) + TextLog_Print(log, "%d", GET_IPH_TOS(p)); +- } +- else if (!strcasecmp("id", type)) +- { ++ break; ++ case _ID: + if (IPH_IS_VALID(p)) + { + TextLog_Print(log, "%u", IS_IP6(p) ? ntohl(GET_IPH_ID(p)) + : ntohs((uint16_t)GET_IPH_ID(p))); + } +- } +- else if (!strcasecmp("iplen", type)) +- { ++ break; ++ case _IPLEN: + if (IPH_IS_VALID(p)) + TextLog_Print(log, "%d", GET_IPH_LEN(p) << 2); +- } +- else if (!strcasecmp("dgmlen", type)) +- { ++ break; ++ case _DGMLEN: + if (IPH_IS_VALID(p)) + { + // XXX might cause a bug when IPv6 is printed? + TextLog_Print(log, "%d", ntohs(GET_IPH_LEN(p))); + } +- } +- else if (!strcasecmp("tcpseq", type)) +- { ++ break; ++ case _TCPSEQ: + if (p->tcph != NULL) + TextLog_Print(log, "0x%lX", (u_long)ntohl(p->tcph->th_seq)); +- } +- else if (!strcasecmp("tcpack", type)) +- { ++ break; ++ case _TCPACK: + if (p->tcph != NULL) + TextLog_Print(log, "0x%lX", (u_long)ntohl(p->tcph->th_ack)); +- } +- else if (!strcasecmp("tcplen", type)) +- { ++ break; ++ case _TCPLEN: + if (p->tcph != NULL) + TextLog_Print(log, "%d", TCP_OFFSET(p->tcph) << 2); +- } +- else if (!strcasecmp("tcpwindow", type)) +- { ++ break; ++ case _TCPWINDOW: + if (p->tcph != NULL) + TextLog_Print(log, "0x%X", ntohs(p->tcph->th_win)); +- } +- else if (!strcasecmp("tcpflags",type)) +- { ++ break; ++ case _TCPFLAGS: + if (p->tcph != NULL) + { + CreateTCPFlagString(p, tcpFlags); + TextLog_Print(log, "%s", tcpFlags); + } +- } +- +- if (num < numargs - 1) +- TextLog_Putc(log, ','); ++ break; ++ case _CLASIFICATION: ++ if (otn_tmp != NULL) TextLog_Print(log, "%s", otn_tmp->sigInfo.classType->name); ++ break; ++ case _PRIORITY: ++ if (otn_tmp != NULL) TextLog_Print(log, "%d", otn_tmp->sigInfo.priority); ++ break; ++ case _XREF: ++ if (IPH_IS_VALID(p)) ++ LogXrefs(data->log, 0); ++ break; ++ } ++ TextLog_Puts(log, ","); ++ col = col->next; + } + + TextLog_NewLine(log); + TextLog_Flush(log); + } +- |
