[Snort-users] [Fwd: [Snort-devel] doh... spo_csv with attachments.]

Brian Caswell bmc at ...312...
Tue Mar 13 23:57:40 EST 2001


I've forwarded on the updated diff, thanks to Eugene Tsyrklevich.  Geez,
some days I just need to drink a beer before I code.

-brian
-------------- next part --------------
Index: Makefile.am
===================================================================
RCS file: /cvsroot/snort/snort/Makefile.am,v
retrieving revision 1.29
diff -u -r1.29 Makefile.am
--- Makefile.am 2001/03/14 00:18:37     1.29
+++ Makefile.am 2001/03/14 03:52:22
@@ -24,7 +24,8 @@
 checksum.h sp_reference.c sp_reference.h sp_ip_fragbits.c             \
 sp_ip_fragbits.h spp_anomsensor.h spp_anomsensor.c tag.c tag.h        \
 spp_unidecode.c spp_unidecode.h codes.c codes.h fatal.h smalloc.h     \
-strlcpyu.c strlcpyu.h strlcatu.c strlcatu.h debug.c debug.h
+strlcpyu.c strlcpyu.h strlcatu.c strlcatu.h debug.c debug.h          \
+spo_csv.c spo_csv.h

 EXTRA_DIST = BUGS RULES.SAMPLE CREDITS snort.conf USAGE backdoor.rules \
 info.rules smtp.rules ddos.rules local.rules telnet.rules dns.rules   \
Index: log.c
===================================================================
RCS file: /cvsroot/snort/snort/log.c,v
retrieving revision 1.38
diff -u -r1.38 log.c
--- log.c	2001/03/13 16:17:20	1.38
+++ log.c	2001/03/13 22:28:06
@@ -773,6 +819,240 @@
         fputs("\n\n", file);
     }
             
+
+    return;
+}
+
+
+/*
+ * Function: CSVAlert(Packet *, char *, void *, char *, const int )
+ *
+ * Purpose: Stub function for compatability
+ *
+ * Arguments:    p => ptr to packet data
+ *             msg => message to send to alert facility
+ *             arg => arguments to the alert facility
+ *	      args => CSV arguements 
+ *	   numargs => number of arguements
+ * Returns: void function
+ */
+void CSVAlert(Packet * p, char *msg, void *arg, char **args, int numargs)
+{
+    AlertCSV(p, msg, alert, args, numargs);
+    return;
+}
+
+/*
+ *
+ * Function: AlertCSV(Packet *, char *, FILE *, char *, numargs const int)
+ *
+ * Purpose: Write a user defined CSV message
+ *
+ * Arguments:     p => packet. (could be NULL)
+ * 	        msg => the message to send
+ *             file => file pointer to print data to
+ *             args => CSV output arguements 
+ *          numargs => number of arguements
+ * Returns: void function
+ *
+ */
+void AlertCSV(Packet * p, char *msg, FILE * file, char **args, int numargs)
+{
+    char timestamp[TIMEBUF_SIZE];
+    int num; 
+    char *type;
+    char tcpFlags[9];
+
+    bzero((char *) timestamp, TIMEBUF_SIZE);
+    ts_print(p == NULL ? NULL : (struct timeval *) & p->pkth->ts, timestamp);
+
+    DebugMessage(DEBUG_LOG, "Logging CSV Alert data\n"); 
+
+    for (num = 0; num < numargs; num++)
+    {
+        type = args[num];
+
+        DebugMessage(DEBUG_LOG, "CSV Got type %s %d\n", type, num); 
+
+       if(!strncasecmp("timestamp", type, 9))
+       {
+            fwrite(timestamp, strlen(timestamp), 1, file);
+       }
+       else if(!strncasecmp("msg", type, 3))
+       {
+       	    fwrite(msg, strlen(msg),1,file);
+       }
+       else if(!strncasecmp("proto", type, 5))
+       {
+	    switch (p->iph->ip_proto)
+	    {
+		case IPPROTO_UDP:
+		    fwrite("UDP", 3,1,file);
+		    break;
+		case IPPROTO_TCP:
+		    fwrite("TCP", 3,1,file);
+		    break;
+		case IPPROTO_ICMP:
+		    fwrite("ICMP", 4,1,file);
+		    break;
+	     }
+       }
+       else if(!strncasecmp("ethsrc", type, 6))
+       {
+            if(p && p->eh)
+	    {
+               fprintf(file, "%X:%X:%X:%X:%X:%X", p->eh->ether_src[0],
+                  p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3],
+                  p->eh->ether_src[4], p->eh->ether_src[5]);
+            }
+       } 
+       else if(!strncasecmp("ethdst", type, 6))
+       {
+            if(p && p->eh)
+            {
+               fprintf(file, "%X:%X:%X:%X:%X:%X", p->eh->ether_dst[0],
+                  p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3],
+                  p->eh->ether_dst[4], p->eh->ether_dst[5]);
+            }
+       }
+       else if(!strncasecmp("ethtype", type, 7))
+       {
+            if(p && p->eh)
+            {
+		fprintf(file,"0x%X",ntohs(p->eh->ether_type));
+	    }
+       }
+       else if(!strncasecmp("udplength", type, 9))
+       {
+	    if(p->udph)
+	        fprintf(file,"%d",ntohs(p->udph->uh_len));
+       }
+       else if(!strncasecmp("ethlen", type, 6))
+       {
+            if(p && p->eh)
+		fprintf(file,"0x%X",p->pkth->len);
+       }
+       else if(!strncasecmp("trheader", type, 8))
+       {
+            if(p && p->trh)
+                PrintTrHeader(file, p);
+       }
+       else if(!strncasecmp("src", type, 3))
+       {
+            fputs(inet_ntoa(p->iph->ip_src), file);
+       }
+       else if(!strncasecmp("dst", type, 3))
+       {
+            fputs(inet_ntoa(p->iph->ip_dst), file); 
+       }
+       else if(!strncasecmp("srcport", type, 7))
+       {
+	    switch(p->iph->ip_proto)
+	    {
+ 		case IPPROTO_UDP:
+		case IPPROTO_TCP:
+         		fprintf(file, "%d", p->sp);
+			break;
+	    }	 
+        }
+       else if(!strncasecmp("dstport", type, 7))
+       {
+	    switch(p->iph->ip_proto)
+	    {
+ 		case IPPROTO_UDP:
+		case IPPROTO_TCP:
+         		fprintf(file, "%d", p->dp);
+			break;
+	    }	 
+        }
+       else if(!strncasecmp("icmptype",type,8))
+       {
+	    if(p->icmph)
+	    {
+		fprintf(file,"%d",p->icmph->type);
+	    }
+       }
+       else if(!strncasecmp("icmpcode",type,8))
+       {
+	    if(p->icmph)
+	    {
+		fprintf(file,"%d",p->icmph->code);
+	    }
+       }
+      else if(!strncasecmp("icmpid",type,6))
+       {
+	    if(p->ext)
+	    {
+		fprintf(file,"%d",ntohs(p->ext->id));
+	    }
+       }
+       else if(!strncasecmp("icmpseq",type,7))
+       {
+            if(p->ext)
+ 	        fprintf(file,"%d",ntohs(p->ext->seqno));
+       }
+       else if(!strncasecmp("ttl",type,3))
+       {
+	    if(p->iph)
+		fprintf(file,"%d",p->iph->ip_ttl);
+       }
+       else if(!strncasecmp("tos",type,3))
+       {
+	    if(p->iph)
+		fprintf(file,"%d",p->iph->ip_tos);
+       }
+       else if(!strncasecmp("id",type,2))
+       {
+	    if(p->iph)
+		fprintf(file,"%d",ntohs(p->iph->ip_id));
+       }
+       else if(!strncasecmp("iplen",type,5))
+       {
+	    if(p->iph)
+		fprintf(file,"%d",p->iph->ip_hlen << 2);
+       }
+       else if(!strncasecmp("dgmlen",type,6))
+       {
+	    if(p->iph)
+		fprintf(file,"%d",ntohs(p->iph->ip_len));
+       }
+       else if(!strncasecmp("tcpseq",type,6))
+       {
+	    if(p->tcph)
+		fprintf(file,"0x%lX",(u_long) ntohl(p->tcph->th_seq));
+       }
+       else if(!strncasecmp("tcpack",type,6))
+       {
+	    if(p->tcph)
+		fprintf(file,"0x%lX",(u_long) ntohl(p->tcph->th_ack));
+       }
+       else if(!strncasecmp("tcplen",type,6))
+       {
+	    if(p->tcph)
+		fprintf(file,"%d",p->tcph->th_off << 2);
+       }
+       else if(!strncasecmp("tcpwindow",type,9))
+       {
+	    if(p->tcph)
+		fprintf(file,"0x%X",ntohs(p->tcph->th_win));
+       }
+       else if(!strncasecmp("tcpflags",type,8))
+       {
+	    if(p->tcph)
+    	    {   
+ 		CreateTCPFlagString(p, tcpFlags);
+		fprintf(file,"%s", tcpFlags);
+	    }
+       }
+
+       if (num < numargs - 1) 
+          fputc(',',file);
+    }
+    fputc('\n', file);
+   
 
     return;
 }
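Review bot: The `srcport` and `dstport` branches of AlertCSV are unreachable, because the earlier `strncasecmp("src", type, 3)` and `strncasecmp("dst", type, 3)` tests accept any option that merely begins with those letters, and the two-character `"id"` test has the same prefix problem; comparing the whole option name, `else if(!strcasecmp("src", type))` and likewise for every other keyword, gives each branch exactly one match. Separately, the header comment says `p` could be NULL and the timestamp line guards for it, yet the `proto`, `src`, `dst`, `srcport`, `dstport`, `udplength`, `icmp*`, `tcp*` and `iplen`-style branches dereference `p` (several of them `p->iph`) without any check, while `ethsrc`/`ethdst`/`trheader` in the same loop use `if(p && p->eh)`; a packet that reaches this output plugin without an IP header (the `if(p->iph)` guards elsewhere in the hunk suggest that can happen) therefore dereferences NULL in the sensor's alert path. Applying the same guard shape consistently, e.g. `if(p && p->iph) fputs(inet_ntoa(p->iph->ip_src), file);`, removes that crash. `CSVAlert` also ignores its `arg` parameter and forwards a file-scope `alert` instead, which may follow the existing FastAlert convention but is worth confirming, and `msg` is written without any escaping of embedded commas or newlines, so a rule message containing either breaks the CSV row. The function whose tail is closed by the added `return;`/`}` at the top of the hunk begins outside it.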
Index: log.h
===================================================================
RCS file: /cvsroot/snort/snort/log.h,v
retrieving revision 1.7
diff -u -r1.7 log.h
--- log.h	2001/01/02 08:06:00	1.7
+++ log.h	2001/03/13 22:28:07
@@ -79,6 +79,9 @@
 void AlertFast(Packet *, char *, FILE *);
 void AlertFull(Packet *, char *, FILE *);
 
+void AlertCSV(Packet *, char *, FILE *, char **, const int); 
+void CSVAlert(Packet *, char *, void *, char **, const int);
+
 void FastAlert(Packet *, char *, void *);
 void FullAlert(Packet *, char *, void *);
 void NoAlert(Packet *, char *, void *);
Index: plugbase.c
===================================================================
RCS file: /cvsroot/snort/snort/plugbase.c,v
retrieving revision 1.20
diff -u -r1.20 plugbase.c
--- plugbase.c	2001/03/12 21:51:12	1.20
+++ plugbase.c	2001/03/13 22:28:08
@@ -95,6 +95,7 @@
     SetupAlertSmb();
     SetupAlertUnixSock();
     SetupXml();
+    SetupCSV();
 }
 
 
Index: plugbase.h
===================================================================
RCS file: /cvsroot/snort/snort/plugbase.h,v
retrieving revision 1.25
diff -u -r1.25 plugbase.h
--- plugbase.h	2001/03/12 21:51:12	1.25
+++ plugbase.h	2001/03/13 22:28:09
@@ -62,6 +62,7 @@
 #include "spo_alert_smb.h"
 #include "spo_alert_unixsock.h"
 #include "spo_xml.h"
+#include "spo_csv.h"
 
 #include <sys/ioctl.h>

