[Snort-devel] plugin priority framework

Brian Caswell bmc at ...227...
Tue Apr 24 00:38:02 EDT 2001


I've written (ripped more correctly :P) code that sets up priorities
for plugins that generate alerts.  The output plugins do not yet have
a mechanism to figure out where the priority came from so there is no
easy way to actually USE this data yet, but the data exists :)

-brian
-------------- next part --------------
Index: classification.config
===================================================================
RCS file: /cvsroot/snort/snort/classification.config,v
retrieving revision 1.4
diff -u -r1.4 classification.config
--- classification.config	2001/04/20 12:11:17	1.4
+++ classification.config	2001/04/24 04:29:43
@@ -40,3 +40,5 @@
 config classification: successful-user,Successful User Privilege Gain,9
 config classification: attempted-admin,Attempted Administrator Privilege Gain,10
 config classification: successful-admin,Successful Administrator Privilege Gain,11
+
+config plugin_priority: portscan,attempted-recon,3
Index: parser.c
===================================================================
RCS file: /cvsroot/snort/snort/parser.c,v
retrieving revision 1.17
diff -u -r1.17 parser.c
--- parser.c	2001/04/17 05:31:29	1.17
+++ parser.c	2001/04/24 04:29:44
@@ -29,6 +29,122 @@
 
 /****************************************************************************
  *
+ * Function: ProcessPluginPriorityConfig(char *)
+ *
+ * Purpose: parses the classification configuration
+ *
+ * Arguments: filespec => the file specification
+ *
+ * Returns: void function
+ *
+ ***************************************************************************/
+void ProcessPluginPriorityConfig(char *args)
+{
+    char **ctoks;
+    int num_ctoks;
+    int i;
+    char *data;
+    PluginPriority *newNode;
+    PluginPriority *current = pv.pp;
+
+    ctoks = mSplit(args, ",",3, &num_ctoks, '\\');
+
+    if(num_ctoks < 1)
+    {
+        ErrorMessage("WARNING %s(%d): You must supply at least ONE"
+                " plugin_priority arguement\n", file_name, file_line);
+        ErrorMessage("WARNING %s(%d): Ignoring configuration directive (%s: %d)"
+                "\"config plugin_priority: %s\"\n", file_name, file_line, args);
+        return;
+    }
+    
+    data = ctoks[0];
+    while(isspace((int)*data)) data++;
+
+    while(current != NULL)
+    {
+        if(!strncasecmp(current->plugin, data, strlen(current->plugin)))
+        {
+            ErrorMessage("WARNING %s(%d): Duplicate plugin_priority\"%s\""
+                    "found, ignoring this line\n", file_name, file_line, data);
+            return;
+        }
+
+        current = current->next;
+    }
+
+    /* Create the new node */
+    if((newNode = (PluginPriority *) calloc(sizeof(PluginPriority), sizeof(char)))
+            == NULL)
+    {
+        FatalError("ERROR => Can't add a new plugin_priority type, calloc failed\n");
+    }
+
+    newNode->type = strdup(ctoks[0]);
+
+    if(num_ctoks == 2)
+    {
+        data = ctoks[1];
+        while (isspace((int)*data)) data++;
+        newNode->priority = atoi(data);
+
+        data = ctoks[0];
+        while (isspace((int)*data)) data++;
+        newNode->plugin = strdup(data);
+    }
+    else
+    {
+        data = ctoks[0];
+        while (isspace((int)*data)) data++;
+        newNode->plugin = strdup(data);
+
+        data = ctoks[1];
+        while (isspace((int)*data)) data++;
+        newNode->type = strdup(data);
+
+        data = ctoks[2];
+        while (isspace((int)*data)) data++;
+        newNode->priority = atoi(data);
+    }
+
+    /* Add the node to the list */
+    if(pv.pp == NULL)
+    {
+        pv.pp = newNode;
+    }
+    else
+    {
+        current = pv.pp;
+
+        while(current->next != NULL)
+            current = current->next;
+        
+        current->next = newNode;
+    }
+
+    for(i=0; i<num_ctoks; i++)
+    {
+        free(ctoks[i]);
+    }
+
+
+#ifdef DEBUG
+    printf("plugin_priority list:\n");
+    current = pv.pp;
+    i = 0;
+    while(current != NULL)
+    {
+        printf("Node %d   type: %s   plugin: %s   pri: %d\n", i, current->type,
+                current->plugin, current->priority);
+        i++;
+        current = current->next;
+    }
+#endif
+
+    return;
+}
+/****************************************************************************
+ *
  * Function: ProcessClassificationConfig(char *)
  *
  * Purpose: parses the classification configuration
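Review bot: A directive with a single token passes the `if(num_ctoks < 1)` guard and then falls into the else branch, which reads `ctoks[1]` and `ctoks[2]` past the end of the token array mSplit returned; since the two shapes the code handles are plugin,priority and plugin,type,priority, the guard should be `if(num_ctoks < 2)` with the warning text adjusted to match. The unconditional `newNode->type = strdup(ctoks[0]);` before the branch is overwritten without a free in the three-token path, so it should either be dropped or moved into the two-token branch. The second ErrorMessage inside that guard has five conversions (`%s`, `%d`, `%s`, `%d`, `%s`) but only three arguments, so the call reads whatever happens to follow on the stack; `"WARNING %s(%d): Ignoring configuration directive \"config plugin_priority: %s\"\n"` matches the arguments actually passed. The duplicate check `strncasecmp(current->plugin, data, strlen(current->plugin))` is a prefix match and will reject any new plugin name that merely starts with an existing one; `strcasecmp(current->plugin, data)` is what the intent calls for. The header comment is copied from ProcessClassificationConfig and should instead say that the function parses one `config plugin_priority:` directive from `args` and appends it to `pv.pp`.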
@@ -257,6 +373,11 @@
     else if(!strcasecmp(config, "classification"))
     {
         ProcessClassificationConfig(args);
+        return;
+    }
+    else if(!strcasecmp(config, "plugin_priority"))
+    {
+        ProcessPluginPriorityConfig(args);
         return;
     }
     else if(!strcasecmp(config, "decode_arp"))
Index: snort.h
===================================================================
RCS file: /cvsroot/snort/snort/snort.h,v
retrieving revision 1.43
diff -u -r1.43 snort.h
--- snort.h	2001/04/19 15:01:29	1.43
+++ snort.h	2001/04/24 04:29:47
@@ -162,6 +162,14 @@
   struct _ClassTypes *next;
 } ClassTypes;
 
+typedef struct _PluginPriority
+{
+   char *plugin;
+   char *type;
+   int priority;
+   struct _PluginPriority *next;
+} PluginPriority;
+
 /* struct to contain the program variables and command line args */
 typedef struct _progvars
 {
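Review bot: The new PluginPriority typedef has no comment explaining what its fields hold or who owns the strings, which matters because ProcessPluginPriorityConfig in parser.c fills `plugin` and `type` with strdup'ed copies. I would add above the typedef `/* one "config plugin_priority:" entry: plugin name, type (presumably a classification name) and alert priority; strings are owned by the node, list is rooted at pv.pp */`. The patch does not show where the list is freed at shutdown; if there is no such place, a short note in the same comment saying the list lives for the whole run would save the next reader the search.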
@@ -215,6 +223,7 @@
     int include_year;
     int ghetto_msg_flag;
     ClassTypes *ct;  /* rule classification types */
+    PluginPriority *pp;
 } PV;
 
 /* struct to collect packet statistics */
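Review bot: The new `pp` member is the only field in this part of the struct without a trailing comment, whereas the sibling `ct` is documented inline; keeping the style, `PluginPriority *pp;  /* plugin alert priorities (config plugin_priority) */` says what the list is and which directive populates it.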

