[Snort-devel] Patch to spo_csv module to extend signatures/references to data output

wagnerch at ...948... wagnerch at ...948...
Thu Nov 15 18:54:03 EST 2001


This patch extends the spo_csv module with the signature fields and the first listed
reference system and identifier, and allows the user to include that data in
their log.



diff -urN snort-1.8.1-RELEASE/spo_csv.c snort-1.8.1-RELEASE.new/spo_csv.c
--- snort-1.8.1-RELEASE/spo_csv.c	Mon Jul  2 00:16:48 2001
+++ snort-1.8.1-RELEASE.new/spo_csv.c	Wed Oct 24 19:34:49 2001
@@ -39,6 +39,7 @@
 /* external globals from rules.c */
 extern char *file_name;
 extern int file_line;
+extern OptTreeNode *otn_tmp;
 
 /*
  * Function: SetupCSV()
@@ -100,7 +101,7 @@
 void SpoCSV(Packet *p, char *msg, void *arg, Event *event)
 {
     SpoCSVData *data = (SpoCSVData *)arg;
-    AlertCSV(p, msg, data->file, data->args, data->numargs); 
+    AlertCSV(p, msg, data->file, data->args, data->numargs, event); 
     return;
 }
 
@@ -197,7 +198,7 @@
 
 
 /*
- * Function: CSVAlert(Packet *, char *, void *, char *, const int )
+ * Function: CSVAlert(Packet *, char *, void *, char *, const int, Event * )
  *
  * Purpose: Stub function for compatability
  *
@@ -206,17 +207,20 @@
  *             arg => arguments to the alert facility
  *            args => CSV arguements 
  *         numargs => number of arguements
+ *           event => ptr to event data
  * Returns: void function
  */
-void CSVAlert(Packet * p, char *msg, void *arg, char **args, int numargs)
+void CSVAlert(Packet * p, char *msg, void *arg, char **args, int numargs,
+   Event *event)
 {
-    AlertCSV(p, msg, alert, args, numargs);
+    AlertCSV(p, msg, alert, args, numargs, event);
     return;
 }
 
 /*
  *
- * Function: AlertCSV(Packet *, char *, FILE *, char *, numargs const int)
+ * Function: AlertCSV(Packet *, char *, FILE *, char *, numargs const int,
+ *              Event *)
  *
  * Purpose: Write a user defined CSV message
  *
@@ -225,15 +229,18 @@
  *             file => file pointer to print data to
  *             args => CSV output arguements 
  *          numargs => number of arguements
+ *            event => ptr to event data
  * Returns: void function
  *
  */
-void AlertCSV(Packet * p, char *msg, FILE * file, char **args, int numargs)
+void AlertCSV(Packet * p, char *msg, FILE * file, char **args, int numargs,
+   Event *event)
 {
     char timestamp[TIMEBUF_SIZE];
     int num; 
     char *type;
     char tcpFlags[9];
+    ReferenceData *ds_ptr = NULL;
 
     if(p == NULL)
         return;
@@ -241,6 +248,9 @@
     bzero((char *) timestamp, TIMEBUF_SIZE);
     ts_print(p == NULL ? NULL : (struct timeval *) & p->pkth->ts, timestamp);
 
+    if (otn_tmp)
+        ds_ptr = (ReferenceData *) otn_tmp->ds_list[PLUGIN_REFERENCE_NUMBER];
+
 #ifdef DEBUG
         printf("Logging CSV Alert data\n"); 
 #endif
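Review bot: The reference data printed for `ref_id`/`ref_system` is taken from the global `otn_tmp` (declared extern in the first hunk) rather than from the `event` that was just threaded through the call chain, so whether the reference matches the alert depends on the caller having left `otn_tmp` pointing at the rule that produced this event; if this output function is reached on a path where `otn_tmp` is unset or stale, the columns would silently carry another rule's reference. This is inferred from the declaration alone, since the code that sets `otn_tmp` is outside the patch. At minimum the dependency deserves a comment above the lookup, e.g. `/* ref_* fields come from the rule currently being matched (otn_tmp), not from event; they are empty when no rule context is set */`. AlertCSV's body continues outside this hunk.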
@@ -421,6 +431,31 @@
                 CreateTCPFlagString(p, tcpFlags);
                 fprintf(file,"%s", tcpFlags);
             }
+       }
+       else if(!strncasecmp("sig_generator",type,13))
+       {
+            if(event)
+                fprintf(file, "%lu", (unsigned long) event->sig_generator);
+       }
+       else if(!strncasecmp("sig_id",type,6))
+       {
+            if(event)
+                fprintf(file, "%lu", (unsigned long) event->sig_id);
+       }
+       else if(!strncasecmp("sig_rev",type,7))
+       {
+            if(event)
+                fprintf(file, "%lu", (unsigned long) event->sig_rev);
+       }
+       else if(!strncasecmp("ref_id",type,6))
+       {
+            if (ds_ptr)
+                fprintf(file, "%s", ds_ptr->id);
+       }
+       else if(!strncasecmp("ref_system",type,10))
+       {
+            if (ds_ptr)
+                fprintf(file, "%s", ds_ptr->system);
        }
 
        if (num < numargs - 1) 
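Review bot: The new `ref_id` and `ref_system` branches write `ds_ptr->id` and `ds_ptr->system` with a bare `%s` into a CSV column, and nothing in the hunk quotes or escapes them; a reference string containing the field separator or a newline would shift every following column of that record, which matters for anything that parses the log downstream. The reference strings come from rule files, so the risk is misconfiguration rather than attacker control, but the consumer still sees a malformed record. If the file already quotes the `msg` field (that code is outside this hunk), the same quoting should be applied here; otherwise add a comment such as `/* reference strings are written verbatim; a ',' or newline in a rule's reference breaks the column layout */`. The `if (ds_ptr)` / `if (event)` guards correctly leave the field empty rather than dropping it, so the column count stays stable. The enclosing if/else chain starts before this hunk.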
diff -urN snort-1.8.1-RELEASE/spo_csv.h snort-1.8.1-RELEASE.new/spo_csv.h
--- snort-1.8.1-RELEASE/spo_csv.h	Mon Jun 11 01:49:28 2001
+++ snort-1.8.1-RELEASE.new/spo_csv.h	Wed Oct 24 19:33:08 2001
@@ -55,7 +55,7 @@
 void CSVCleanExitFunc(int, void *);
 void CSVRestartFunc(int, void *);
 
-void AlertCSV(Packet *, char *, FILE *, char **, const int);
-void CSVAlert(Packet *, char *, void *, char **, const int);
+void AlertCSV(Packet *, char *, FILE *, char **, const int, Event *);
+void CSVAlert(Packet *, char *, void *, char **, const int, Event *);
 
 #endif  /* __SPO_CSV_H__ */
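Review bot: The updated prototypes now name `Event`, so spo_csv.h must already have that type declared before line 55; the hunk does not show the header's includes, so if the header that defines `Event` is not pulled in alongside the one providing `Packet`, every translation unit including spo_csv.h fails to compile. Worth confirming against the top of spo_csv.h before merging. The header also keeps `const int` where the definitions in spo_csv.c use plain `int`; that mismatch is pre-existing and harmless for a by-value parameter.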




