[Snort-devel] prelude alert patch

Andrea Barisani andrea at ...2860...
Tue Feb 7 11:59:05 EST 2006


Hello snorters!

I'm attaching a mostly trivial patch that adds the previously missing ICMP
header export to the Prelude output plugin and fixes an incorrect
double inclusion of frag_offset in the alert. I tested it and it works
for me. Feedback is of course welcome.

It would be nice to see it in next release.

Bye and thx!

-- 
Andrea Barisani                             Inverse Path Ltd
Chief Security Engineer                     -----> <--------

<andrea at ...2860...>          http://www.inversepath.com
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
       "Pluralitas non est ponenda sine necessitate"
-------------- next part --------------
diff -urN snort-2.4.3/src/output-plugins/spo_alert_prelude.c snort-2.4.3-patch/src/output-plugins/spo_alert_prelude.c
--- snort-2.4.3/src/output-plugins/spo_alert_prelude.c	2005-08-30 19:27:36.000000000 +0200
+++ snort-2.4.3-patch/src/output-plugins/spo_alert_prelude.c	2006-02-06 16:34:19.000000000 +0100
@@ -235,6 +235,44 @@
 
 
 
+static int add_string_data(idmef_alert_t *alert, const char *meaning, char *data)
+{
+        int ret;
+        prelude_string_t *str;
+        idmef_additional_data_t *ad;
+
+        if ( ! data )
+                return 0;
+        
+        ret = idmef_alert_new_additional_data(alert, &ad, -1);
+        if ( ret < 0 )
+                return ret;
+
+        ret = idmef_additional_data_set_string_ref(ad, data);
+        if ( ret < 0 ) {
+                ErrorMessage("%s: error setting char string data: %s.\n",
+                             prelude_strsource(ret), prelude_strerror(ret));
+                return -1;
+        }
+
+        ret = idmef_additional_data_new_meaning(ad, &str);
+        if ( ret < 0 ) {
+                ErrorMessage("%s: error creating additional-data meaning: %s.\n",
+                             prelude_strsource(ret), prelude_strerror(ret));
+                return -1;
+        }
+        
+        ret = prelude_string_set_ref(str, meaning);
+        if ( ret < 0 ) {
+                ErrorMessage("%s: error setting char string data meaning: %s.\n",
+                             prelude_strsource(ret), prelude_strerror(ret));
+        }
+                
+        return -1;
+}
+
+
+
 static int add_int_data(idmef_alert_t *alert, const char *meaning, uint32_t data)
 {
         int ret;
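Review bot: add_string_data reports failure on every path, including success, because the final `return -1;` sits after the last error block instead of inside it; the `prelude_string_set_ref` failure branch should `return -1;` itself and the function should end with `return 0;`. Callers in this patch ignore the result so nothing breaks today, but any future caller that checks it will treat every string attribute as a failure. The first failure (`idmef_alert_new_additional_data`) also returns silently while the other three log through ErrorMessage; logging it the same way keeps the helper consistent with its siblings. Note as well that `idmef_additional_data_set_string_ref` and `prelude_string_set_ref` presumably keep a pointer rather than a copy, as the `_ref` suffix suggests, so `data` and `meaning` must outlive the alert — a caller passing a transient buffer should copy it or use the dup variant; a one-line comment on the helper stating that contract would save the next caller from getting it wrong.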
@@ -284,7 +322,6 @@
                 add_int_data(alert, "ip_len", ntohs(p->iph->ip_len));
                 add_int_data(alert, "ip_id", ntohs(p->iph->ip_id));
                 add_int_data(alert, "ip_flags", p->frag_flag);
-                add_int_data(alert, "ip_off", ntohs(p->frag_offset));
                 add_int_data(alert, "ip_ttl", p->iph->ip_ttl);
                 add_int_data(alert, "ip_proto", p->iph->ip_proto);
                 add_int_data(alert, "ip_csum", ntohs(p->iph->ip_csum));
@@ -305,6 +342,51 @@
                 add_int_data(alert, "udp_len", ntohl(p->udph->uh_len));
                 add_int_data(alert, "udp_chk", ntohl(p->udph->uh_chk));
         }
+       
+        else if ( p->icmph ) {
+                add_int_data(alert, "icmp_type", p->icmph->type);
+                add_int_data(alert, "icmp_code", p->icmph->code);
+                add_int_data(alert, "icmp_csum", ntohs(p->icmph->csum));
+
+
+                switch(p->icmph->type)
+                {
+                        case ICMP_ECHO:
+                        case ICMP_ECHOREPLY:
+                        case ICMP_INFO_REQUEST:
+                        case ICMP_INFO_REPLY:
+                        case ICMP_ADDRESS:
+                        case ICMP_TIMESTAMP:
+                        add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
+                        add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
+                        break;
+                
+                        case ICMP_ADDRESSREPLY:
+                        add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
+                        add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
+                        add_int_data(alert, "icmp_mask", (u_int) ntohl(p->icmph->s_icmp_mask));
+                        break;
+                
+                        case ICMP_REDIRECT:
+                        add_string_data(alert, "icmp_gwaddr", inet_ntoa(p->icmph->s_icmp_gwaddr));
+                        break;
+                
+                        case ICMP_ROUTER_ADVERTISE:
+                        add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs);
+                        add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa);
+                        add_int_data(alert, "icmp_lifetime", ntohs(p->icmph->s_icmp_lifetime));
+                        break;
+                
+                        case ICMP_TIMESTAMPREPLY:
+                        add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
+                        add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
+                        add_int_data(alert, "icmp_otime",p->icmph->s_icmp_otime);
+                        add_int_data(alert, "icmp_rtime",p->icmph->s_icmp_rtime);
+                        add_int_data(alert, "icmp_ttime",p->icmph->s_icmp_ttime);
+                        break;
+               }        
+
+        }
 
         add_byte_data(alert, "payload", p->data, p->dsize);
         
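Review bot: In the ICMP_TIMESTAMPREPLY case the three 32-bit timestamps `s_icmp_otime`, `s_icmp_rtime` and `s_icmp_ttime` are exported raw while every other multi-byte ICMP field in this hunk goes through ntohs()/ntohl(); they should be wrapped the same way, e.g. `add_int_data(alert, "icmp_otime", ntohl(p->icmph->s_icmp_otime));` (likewise for rtime and ttime), otherwise the values in the IDMEF alert are byte-swapped on little-endian sensors. The ICMP_REDIRECT case hands the static buffer returned by inet_ntoa() to add_string_data, which attaches it by reference via `idmef_additional_data_set_string_ref`; if the alert is serialized after any later inet_ntoa() call the gateway address will already have been overwritten, so copy the string before attaching it. The type-specific fields read past the 4-byte common ICMP header (up to 20 bytes for a timestamp reply) on attacker-controlled packets, and it is not visible here what minimum length the decoder guarantees before setting p->icmph, so confirm that a truncated packet of these types cannot produce an out-of-bounds read. A `default:` arm, even empty, would make the switch's intent explicit. The enclosing function starts before this hunk and continues after it.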

