[Snort-devel] modification request

Joe McAlerney joey at ...60...
Tue Aug 21 19:45:24 EDT 2001


Hello everyone,

A while back, Jim Hoagland and I made requests to implement a mechanism
by which output plugins could receive the identity as well as extra
information from input plugins when they were called on to report.  With
the addition of the Event data structure, the identity issue has been
solved (and gratefully appreciated I might add).  However, we're still
unable to pass input plugin data to the output plugins.  This can be a
useful feature with state-based plugins such as Spade or the portscan
detector. 

To illustrate, lets use the spp_portscan as an example.  The portscan
detector would be able to supply additional scan information such as
ports targeted, destination hosts targeted, packet details, and time
specifics.  This means that output plugins would have access to data,
similar to what is put in the portscan.log file, and choose to parse or
ignore it.  This would enable the database plugin (for example) to log
portscan details, which is a common request.

Other features this would provide include:

+ passing of extra data besides what is contained in one packet
   + this might save the need to encode the data in the msg string
and/or to decode it later

+ preprocessor plugins or even the rule code can request special
treatment from output plugins that understand the request.

+ implementing this would create a very flexible system of message
passing
   + can be used in novel and unanticipated ways
   + no more new arguments to CallAlertFuncs, saving that hassle
   + backwards compatible
   + almost no overhead for plugins that don't use it

The changes need only be made to log.c and log.h.  Please see the
attached diffs for the details.  As always, we'd love to hear your
comments.  If there are no objections, would someone with CVS write
please commit the patches?

Thanks,

-Joe M.

-- 
|   Joe McAlerney     joey at ...63...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+
-------------- next part --------------
--- ./log.c.orig	Tue Aug 21 15:29:14 2001
+++ ./log.c	Tue Aug 21 15:29:53 2001
@@ -2531,6 +2531,7 @@
     event->sig_rev = rev;
     event->classification = classification;
     event->priority = priority;
+    event->out_messages = NULL;
 
     /* if it's a new event, increment the event id reference counter */
     if(event_ref == 0)
-------------- next part --------------
--- ./log.h.orig	Tue Aug 21 15:29:14 2001
+++ ./log.h	Tue Aug 21 15:29:57 2001
@@ -44,6 +44,30 @@
 #define GENERIC_LOG	  5
 
 /*  D A T A  S T R U C T U R E S  *********************************************/
+
+/* data structures for message passing *******/
+#define PLUGIN_MESSAGE_PASSING
+typedef enum {EXTRA_FIELDS, ALTERNATE_FIELDS, IDMEF_OUTPUT_SPEC} 
+output_msg_type
+;
+
+typedef struct {
+        output_msg_type type; /* the type of the message */
+        void *msg;  /* type-specific message contents */
+} output_msg_info;
+
+typedef union {
+        struct {
+                double anomscore;
+        } spade;
+        /* add a struct for your "extra field" providing data source here */
+} extra_fields;
+
+typedef union {
+        /* add a struct for your "alternate field" providing data 
+	    source here */
+} alt_fields;
+
 typedef struct _Event
 {
     u_int32_t sig_generator;   /* which part of snort generated the alert? */
@@ -52,6 +76,8 @@
     u_int32_t classification;  /* event classification */
     u_int32_t priority;        /* event priority */
     u_int32_t event_reference; /* reference counter */
+    output_msg_info *out_messages;  /* NULL terminated array of 
+				       output messages */
 } Event;
 
 void (*LogFunc)(Packet *, char *, void *, Event *);


More information about the Snort-devel mailing list