diff -r -c -N snort-2.8.5.1_org/etc/snort.conf snort-2.8.5.1/etc/snort.conf *** snort-2.8.5.1_org/etc/snort.conf 2009-10-19 23:09:14.000000000 +0200 --- snort-2.8.5.1/etc/snort.conf 2009-10-22 20:26:58.626346589 +0200 *************** *** 699,704 **** --- 699,724 ---- # output database: log, mssql, dbname=snort user=snort password=test # output database: log, oracle, dbname=snort user=snort password=test + # alert_unixsock_db: log via unix socket/FLoP to database + # ------------------------------------------------------- + # + # The default is to write all alerts to the socket. + # + # However, you can also write only the log packets to the socket + # or both, log and alerts. In the latter case the log packets are + # checked if they are already written as an alert packet. In this + # case it is omitted to avoid twice logging the same packet. + # + # The syntax is quite easy: + # + # output alert_unixsock_db: /path/to/socket, method + # + # where method is one of log, alert or all (if none is + # mentioned then the default is "alert") + # + # output alert_unixsock_db: /tmp/snort, all + + # unified: Snort unified binary format alerting and logging # ------------------------------------------------------------- # The unified output plugin provides two new formats for logging and generating diff -r -c -N snort-2.8.5.1_org/src/output-plugins/Makefile.am snort-2.8.5.1/src/output-plugins/Makefile.am *** snort-2.8.5.1_org/src/output-plugins/Makefile.am 2007-08-20 19:26:04.000000000 +0200 --- snort-2.8.5.1/src/output-plugins/Makefile.am 2009-10-22 20:26:58.626346589 +0200 *************** *** 10,15 **** --- 10,16 ---- spo_log_null.c spo_log_null.h spo_log_tcpdump.c \ spo_log_tcpdump.h spo_unified.c spo_unified2.c spo_unified.h spo_unified2.h \ spo_log_ascii.c spo_log_ascii.h spo_alert_sf_socket.h spo_alert_sf_socket.c \ + spo_alert_unixsock_db.c spo_alert_unixsock_db.h \ spo_alert_prelude.c spo_alert_prelude.h spo_alert_arubaaction.c spo_alert_arubaaction.h \ 
spo_alert_test.c spo_alert_test.h diff -r -c -N snort-2.8.5.1_org/src/output-plugins/Makefile.in snort-2.8.5.1/src/output-plugins/Makefile.in *** snort-2.8.5.1_org/src/output-plugins/Makefile.in 2009-10-19 23:08:09.000000000 +0200 --- snort-2.8.5.1/src/output-plugins/Makefile.in 2009-10-22 20:26:59.014346541 +0200 *************** *** 57,62 **** --- 57,63 ---- spo_log_tcpdump.$(OBJEXT) spo_unified.$(OBJEXT) \ spo_unified2.$(OBJEXT) spo_log_ascii.$(OBJEXT) \ spo_alert_sf_socket.$(OBJEXT) spo_alert_prelude.$(OBJEXT) \ + spo_alert_unixsock_db.$(OBJEXT) \ spo_alert_arubaaction.$(OBJEXT) spo_alert_test.$(OBJEXT) libspo_a_OBJECTS = $(am_libspo_a_OBJECTS) DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir) *************** *** 201,206 **** --- 202,208 ---- spo_log_null.c spo_log_null.h spo_log_tcpdump.c \ spo_log_tcpdump.h spo_unified.c spo_unified2.c spo_unified.h spo_unified2.h \ spo_log_ascii.c spo_log_ascii.h spo_alert_sf_socket.h spo_alert_sf_socket.c \ + spo_alert_unixsock_db.c spo_alert_unixsock_db.h \ spo_alert_prelude.c spo_alert_prelude.h spo_alert_arubaaction.c spo_alert_arubaaction.h \ spo_alert_test.c spo_alert_test.h diff -r -c -N snort-2.8.5.1_org/src/output-plugins/spo_alert_unixsock_db.c snort-2.8.5.1/src/output-plugins/spo_alert_unixsock_db.c *** snort-2.8.5.1_org/src/output-plugins/spo_alert_unixsock_db.c 1970-01-01 01:00:00.000000000 +0100 --- snort-2.8.5.1/src/output-plugins/spo_alert_unixsock_db.c 2009-10-22 20:26:59.086346557 +0200 *************** *** 0 **** --- 1,725 ---- + /* + ** This plugin is based on the spo_alert_unixsock plugin of the + ** snort program. + ** + ** Copyright (C) 2002-2006 Dirk Geschke + ** Portions Copyright (C) 1998-2002 Martin Roesch + ** Portions Copyright (C) 2000,2001 Andrew R. Baker + ** + ** This file is part of the FLoP project and is used in the program + ** servsock. 
+ ** FLoP is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License as published by + ** the Free Software Foundation; either version 2 of the License, or + ** (at your option) any later version. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + + /* spo_alert_unixsock_db + * + * Purpose: output plugin for Unix Socket alerting + * + */ + + #include "spo_alert_unixsock_db.h" + + /* Should be equal to DG_MAXBUF in sockserv.c */ + #define DGSNDBUF 131072 + + #ifdef GENUA + #warning GENUA defined! + #endif + + #define LOG 1 + #define ALERT 2 + #define ALL 3 + #define MAX_NRPL 32 + + /* + * Win32 does not support Unix sockets (sockaddr_un). This file + * will not be compiled on Win32 until a proper patch is supported. 
+ */ + #ifndef WIN32 + + static int alertsd[MAX_NRPL]; + static int sndbuflen; + static Event LastAlertEvent; + static int nrpl=0; + static int registered=0; + + void AlertUnixSockDBInit(char *); + void AlertUnixSockDB(Packet *, char *, void *, Event *); + void LogUnixSockDB(Packet *, char *, void *, Event *); + int ParseAlertUnixSockDBArgs(char *); + void AlertUnixSockDBCleanExit(int, void *); + /* void AlertUnixSockDBRestart(int, void *); */ + void OpenAlertSockDB(); + int send2socket(void *data, int size); + + struct sockaddr_un unix_addr[MAX_NRPL]; + + /* external globals from rules.c */ + extern char *file_name; + extern int file_line; + + /* + * Function: AlertUnixSockDBSetup() + * + * Purpose: Registers the output plugin keyword and initialization + * function into the output plugin list. This is the function that + * gets called from InitOutputPlugins() in plugbase.c. + * + * Arguments: None. + * + * Returns: void function + * + */ + void AlertUnixSockDBSetup() + { + /* link the output keyword to the init function in + the output list */ + RegisterOutputPlugin("alert_unixsock_db", OUTPUT_TYPE_FLAG__ALERT, + AlertUnixSockDBInit); + DEBUG_WRAP(DebugMessage(DEBUG_INIT, + "Output plugin: AlertUnixSockDB is setup...\n");); + } + + + /* + * Function: AlertUnixSockDBInit(u_char *) + * + * Purpose: Calls the argument parsing function, performs final setup on data + * structs, links the output function into the function list. 
+ * + * Arguments: args => ptr to argument string + * + * Returns: void function + * + */ + void AlertUnixSockDBInit(char *args) + { + int facility; + + DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Output: AlertUnixSock intializing\n");); + + /* parse the argument list from the rules file */ + facility=ParseAlertUnixSockDBArgs(args); + + #ifdef DEBUG_UDB + printf("Facility: %u\n",facility); + #endif + + /* Clear LastAlertEvent for the case we only use the log function */ + + bzero(&LastAlertEvent,sizeof(Event)); + + DEBUG_WRAP(DebugMessage(DEBUG_INIT, + "Linking UnixSockAlert functions to call lists...\n");); + + /* Set the output function into the function list */ + + if (!registered) + { + if ( facility & ALERT) + { + DEBUG_WRAP(DebugMessage(DEBUG_INIT, + "Output: AlertUnixSock added ALERT func\n");); + #ifdef DEBUG_UDB + printf("Added Alert func\n"); + #endif + AddFuncToOutputList(AlertUnixSockDB, OUTPUT_TYPE_FLAG__ALERT, NULL); + } + if ( facility & LOG) + { + DEBUG_WRAP(DebugMessage(DEBUG_INIT, + "Output: AlertUnixSock added LOG func\n");); + #ifdef DEBUG_UDB + printf("Added Log func\n"); + #endif + AddFuncToOutputList(LogUnixSockDB, OUTPUT_TYPE_FLAG__LOG, NULL); + AddFuncToCleanExitList(AlertUnixSockDBCleanExit,NULL); + AddFuncToRestartList(AlertUnixSockDBCleanExit,NULL); + } + registered=1; + } + } + + + /* + * Function: ParseAlertUnixSockArgs(char *) + * + * Purpose: Process the output arguements from the rules file and + * initialize the output's data struct. This function doesn't + * have to exist if it makes sense to parse the args in the init + * function. 
+ * + * Arguments: args => argument list + * + * Returns: void function + */ + int ParseAlertUnixSockDBArgs(char *args) + { + char **toks; + int num_toks,retval=0; + char *filename; + + DEBUG_WRAP(DebugMessage(DEBUG_LOG,"ParseAlertUnixSockArgs: %s\n", args);); + + /* Set default to use only alert function */ + retval=ALERT; + + /* eventually we may support more than one socket */ + if(args == NULL) + { + filename=NULL; + } + else + { + toks = mSplit(args, " ,", 2, &num_toks, 0); + filename = strdup(toks[0]); + if (num_toks >= 2) + { + if (!strncasecmp(toks[1],"log",3)) + { + retval=LOG; + } + + if (!strncasecmp(toks[1],"alert",5)) + { + retval=ALERT; + } + + if (!strncasecmp(toks[1],"all",3)) + { + retval=ALL; + } + } + + if (num_toks >2 ) + { + ErrorMessage("Using Socketname: %s\n",filename); + ErrorMessage("Remaining options ignored!\n"); + } + mSplitFree(&toks,num_toks); + } + + OpenAlertSockDB(filename); + + return(retval); + } + + /**************************************************************************** + * + * Function: AlertUnixSockDBAlert(Packet *, char *) + * + * Arguments: p => pointer to the packet data struct + * msg => the message to print in the alert + * + * Returns: void function + * + ***************************************************************************/ + void AlertUnixSockDB(Packet *p, char *msg, void *arg, Event *event) + { + static AlertpktDB alertpkt; + int size,i; + #ifdef DEBUG_UDB + time_t timep; + char * tmp; + #endif + + #ifdef DEBUG_UDB + printf("gen: %u, id: %u, rev: %u, cls: %u, prio: %u, eid: %u, erev: %u\n", + event->sig_generator, event->sig_id, event->sig_rev, + event->classification, event->priority, event->event_id, + event->event_reference); + printf("Time: %u.%u\n", (uint) event->ref_time.tv_sec, + (uint) event->ref_time.tv_usec); + #endif + + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "Logging Alert data!\n");); + + bzero((char *)&alertpkt,sizeof(alertpkt)); + + snprintf(alertpkt.Tag,8,"FLOPPKT"); + + if (event) + { + 
bcopy((const void *)event,(void *)&alertpkt.event,sizeof(Event)); + } + + if(p && p->pkt) + { + bcopy((const void *)p->pkth, (void *)&alertpkt.pkth, + sizeof(struct pcap_pkthdr)); + alertpkt.frag_flag = p->frag_flag; + alertpkt.frag_offset = p->frag_offset; + } + else + alertpkt.val|=NOPACKET_STRUCT; + + #ifndef GENUA + if (msg) + { + bcopy((const void *)msg,(void *)alertpkt.alertmsg, + strlen(msg)>ALERTMSG_LENGTH-1 ? ALERTMSG_LENGTH - 1 : strlen(msg)); + } + #endif + + /* some data which will help monitoring utility to dissect packet */ + if(!(alertpkt.val & NOPACKET_STRUCT)) + { + if(p) + { + if (p->eh) { + alertpkt.dlthdr=(char *)p->eh-(char *)p->pkt; + } + + /* we don't log any headers besides eth yet */ + if (p->iph && p->pkt) { + alertpkt.nethdr=(char *)p->iph-(char *)p->pkt; + bcopy((const void *)p->iph,(void *)&alertpkt.iph,sizeof(IPHdr)); + + for (i=0; i < (int) p->tcp_option_count; i++) + { + alertpkt.ip_options[i].offset = + (u_int8_t *)p->ip_options[i].data + - (u_int8_t *) p->pkt; + alertpkt.ip_options[i].code=p->ip_options[i].code; + alertpkt.ip_options[i].len=p->ip_options[i].len; + } + switch(p->iph->ip_proto) + { + case IPPROTO_TCP: + if (p->tcph) + { + alertpkt.transhdr=(char *)p->tcph-(char *)p->pkt; + bcopy((const void *)p->tcph, (void *)&alertpkt.tcph, + sizeof(TCPHdr)); + alertpkt.tcp_option_count = p->tcp_option_count; + for (i=0; i< (int) p->tcp_option_count; i++) + { + alertpkt.tcp_options[i].offset = + (u_int8_t *)p->tcp_options[i].data + - (u_int8_t *) p->pkt; + alertpkt.tcp_options[i].code= + p->tcp_options[i].code; + alertpkt.tcp_options[i].len= + p->tcp_options[i].len; + } + } + break; + + case IPPROTO_UDP: + if (p->udph) + { + alertpkt.transhdr=(char *)p->udph-(char *)p->pkt; + bcopy((const void *)p->udph, (void *)&alertpkt.udph, + sizeof(UDPHdr)); + } + break; + + case IPPROTO_ICMP: + if (p->icmph) + { + alertpkt.transhdr=(char *)p->icmph-(char *)p->pkt; + alertpkt.icmp_csum=p->icmph->csum; + alertpkt.icmp_type=p->icmph->type; + 
alertpkt.icmp_code=p->icmph->code; + alertpkt.icmp_ext=1; + alertpkt.icmp_extid=p->icmph->s_icmp_id; + alertpkt.icmp_extseqno=p->icmph->s_icmp_seq; + } + break; + + default: + /* alertpkt.transhdr is null due to initial bzero */ + alertpkt.val|=NO_TRANSHDR; + } + } + + if (p->data && p->pkt) alertpkt.data=p->data - p->pkt; + } + } + + size=sizeof(AlertpktDB); + #ifdef DEBUG_UDB + printf("Size: %i,%i\n",size,sizeof(size)); + printf("Event ID: %i\n",alertpkt.event.event_id); + #endif + + /* Check size of pcap packet. This must be less or equal + * the size of sendbuffer of the socket sndbuflen + * if the packet is largen then truncate it in both, + * alertpkt and pkth and write a warning + */ + + if ( (!(alertpkt.val & NOPACKET_STRUCT)) && + (alertpkt.pkth.caplen > sndbuflen)) + { + ErrorMessage("ERROR: alert_unixsock_db: network packet larger than " + "send buffer: %i > %i \n",alertpkt.pkth.caplen,sndbuflen); + ErrorMessage("WARNING: alert_unixsock_db: Truncating packet!\n"); + alertpkt.pkth.caplen=sndbuflen; + /* DG p->pkth->caplen=sndbuflen; */ + } + + send2socket((void *)&alertpkt,size); + + if(!(alertpkt.val & NOPACKET_STRUCT)) + { + #ifdef DEBUG_UDB + timep=p->pkth->ts.tv_sec; + printf("Time %i, %s\n",(int) alertpkt.pkth.ts.tv_sec, ctime(&timep)); + #endif + + send2socket((void *)p->pkt,alertpkt.pkth.caplen); + + #ifdef DEBUG_UDB + printf("Packetsize: %i, %i\n",sndbuflen,alertpkt.pkth.caplen); + tmp=fasthex((u_char *)p->pkt,alertpkt.pkth.caplen); + printf("Content: %s\n",tmp); + free(tmp); + #endif + } + /* Save Event to compare with log functions to avoid alering + * twice on the same event + */ + memcpy(&LastAlertEvent,event,sizeof(Event)); + + } + + /**************************************************************************** + * + * Function: LogUnixSockDBAlert(Packet *, char *) + * + * Arguments: p => pointer to the packet data struct + * msg => the message to print in the alert + * + * Returns: void function + * + 
***************************************************************************/ + void LogUnixSockDB(Packet *p, char *msg, void *arg, Event *event) + { + static AlertpktDB alertpkt; + int size,i; + #ifdef DEBUG_UDB + time_t timep; + char * tmp; + #endif + + #ifdef DEBUG_UDB + printf("LogUnixSockDB called\n"); + printf("gen: %u, id: %u, rev: %u, cls: %u, prio: %u, eid: %u, erev: %u\n", + event->sig_generator, event->sig_id, event->sig_rev, + event->classification, event->priority, event->event_id, + event->event_reference); + printf("Time: %u.%u\n", (uint) event->ref_time.tv_sec, + (uint) event->ref_time.tv_usec); + printf("\nLastAlertEvent:\n"); + printf("gen: %u, id: %u, rev: %u, cls: %u, prio: %u, eid: %u, erev: %u\n", + LastAlertEvent.sig_generator, LastAlertEvent.sig_id, + LastAlertEvent.sig_rev, LastAlertEvent.classification, + LastAlertEvent.priority, LastAlertEvent.event_id, + LastAlertEvent.event_reference); + printf("Time: %u.%u\n", (uint) LastAlertEvent.ref_time.tv_sec, + (uint) LastAlertEvent.ref_time.tv_usec); + #endif + + /* Check if the event is already logged via alert function + * + * NOTE: Since the LastAlertEvent is set to zero later on + * we will even log tagged packets with the same event_id + */ + + if ((LastAlertEvent.event_id) && + (event->event_id == LastAlertEvent.event_id)) + { + return; + } + + #ifdef UDB_CHECK + /* + * This part is no longer needed(?). With older versions of snort + * the log packets got another event_id but it seems that they now + * (at least version 2.1.1, probably done by 2004-01-16 Jeremy + * Hewlett ) get the same id as the alert packets. + */ + + /* First check if there is a ref_time value */ + if (LastAlertEvent.ref_time.tv_sec || LastAlertEvent.ref_time.tv_usec) + { + /* Are the ref_times equal? Maybe we already called + * the alert function with this alert? 
+ */ + + if ( (LastAlertEvent.ref_time.tv_sec == event->ref_time.tv_sec) && + (LastAlertEvent.ref_time.tv_usec == event->ref_time.tv_usec) ) + { + /* Probably we have already seen this alert ? + * + * the first 20 bytes of struct _Event contain the + * sig_generator, sig_id, sig_ref, classification + * and the priority. If the event is the same then + * we have the alert already seen + */ + if ( (memcmp (&LastAlertEvent,event,20) == 0) && + (abs(LastAlertEvent.event_id - event->event_id) < 2) ) + { + return; + } + } + } + else + { + /* We have no reference time */ + if ( (memcmp (&LastAlertEvent,event,20) == 0) && + (abs(LastAlertEvent.event_id - event->event_id) < 2 ) ) + { + return; + } + } + + #endif + + #ifdef DEBUG_UDB + printf("LogUnixSockDB called with new Event\n"); + #endif + + /* Clear the old event */ + bzero(&LastAlertEvent,sizeof(Event)); + + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "Logging Log data!\n");); + + bzero((char *)&alertpkt,sizeof(alertpkt)); + snprintf(alertpkt.Tag,8,"FLOPPKT"); + if (event) + { + bcopy((const void *)event,(void *)&alertpkt.event,sizeof(Event)); + } + + if(p && p->pkt) + { + bcopy((const void *)p->pkth, (void *)&alertpkt.pkth, + sizeof(struct pcap_pkthdr)); + alertpkt.frag_flag = p->frag_flag; + alertpkt.frag_offset = p->frag_offset; + } + else + alertpkt.val|=NOPACKET_STRUCT; + + #ifndef GENUA + if (msg) + { + bcopy((const void *)msg, (void *)alertpkt.alertmsg, + strlen(msg)>ALERTMSG_LENGTH-1 ? 
ALERTMSG_LENGTH-1 : strlen(msg)); + } + #endif + + /* some data which will help monitoring utility to dissect packet */ + if(!(alertpkt.val & NOPACKET_STRUCT)) + { + if(p) + { + if (p->eh) { + alertpkt.dlthdr=(char *)p->eh-(char *)p->pkt; + } + + /* we don't log any headers besides eth yet */ + if (p->iph && p->pkt) { + alertpkt.nethdr=(char *)p->iph-(char *)p->pkt; + bcopy((const void *)p->iph, (void *)&alertpkt.iph, + sizeof(IPHdr)); + + for (i=0; i < (int) p->tcp_option_count; i++) + { + alertpkt.ip_options[i].offset = + (u_int8_t *)p->ip_options[i].data + - (u_int8_t *) p->pkt; + alertpkt.ip_options[i].code=p->ip_options[i].code; + alertpkt.ip_options[i].len=p->ip_options[i].len; + } + switch(p->iph->ip_proto) + { + case IPPROTO_TCP: + if (p->tcph) + { + alertpkt.transhdr=(char *)p->tcph-(char *)p->pkt; + bcopy((const void *)p->tcph, (void *)&alertpkt.tcph, + sizeof(TCPHdr)); + alertpkt.tcp_option_count = p->tcp_option_count; + for (i=0; i< (int) p->tcp_option_count; i++) + { + alertpkt.tcp_options[i].offset = + (u_int8_t *)p->tcp_options[i].data + - (u_int8_t *) p->pkt; + alertpkt.tcp_options[i].code = + p->tcp_options[i].code; + alertpkt.tcp_options[i].len = + p->tcp_options[i].len; + } + } + break; + + case IPPROTO_UDP: + if (p->udph) + { + alertpkt.transhdr=(char *)p->udph-(char *)p->pkt; + bcopy((const void *)p->udph, (void *)&alertpkt.udph, + sizeof(UDPHdr)); + } + break; + + case IPPROTO_ICMP: + if (p->icmph) + { + alertpkt.transhdr=(char *)p->icmph-(char *)p->pkt; + alertpkt.icmp_csum=p->icmph->csum; + alertpkt.icmp_type=p->icmph->type; + alertpkt.icmp_code=p->icmph->code; + alertpkt.icmp_ext=1; + alertpkt.icmp_extid=p->icmph->s_icmp_id; + alertpkt.icmp_extseqno=p->icmph->s_icmp_seq; + } + break; + + default: + /* alertpkt.transhdr is null due to initial bzero */ + alertpkt.val|=NO_TRANSHDR; + } + } + + if (p->data && p->pkt) alertpkt.data=p->data - p->pkt; + } + } + + size=sizeof(AlertpktDB); + #ifdef DEBUG_UDB + printf("Size: 
%i,%i\n",size,sizeof(size)); + printf("Event ID: %i\n",alertpkt.event.event_id); + #endif + send2socket((void *)&alertpkt,size); + + if(!(alertpkt.val & NOPACKET_STRUCT)) + { + #ifdef DEBUG_UDB + timep=p->pkth->ts.tv_sec; + printf("Time %i, %s\n",(int) alertpkt.pkth.ts.tv_sec, ctime(&timep)); + #endif + send2socket((void *)p->pkt,alertpkt.pkth.caplen); + #ifdef DEBUG_UDB + printf("Packetsize: %i, %i\n",sndbuflen,alertpkt.pkth.caplen); + tmp=fasthex((u_char *)p->pkt,alertpkt.pkth.caplen); + printf("Content: %s\n",tmp); + free(tmp); + #endif + } + + } + + + /* + * Function: OpenAlertSockDB + * + * Purpose: Connect to UNIX socket for alert logging.. + * + * Arguments: none.. + * + * Returns: void function + */ + void OpenAlertSockDB(char *filename) + { + char *srv; + socklen_t optlen; + int old; + + if (nrpl >= MAX_NRPL) { + FatalError("ERROR: alert_unixsock_db: Too many sockets specified! Reduce or increase MAX_NRPL (now %i) and recompile",MAX_NRPL); + } + if (filename==NULL) + { + srv = UNSOCK_FILE; + } + else + { + srv = filename; + } + + if(access(srv, W_OK)) + { + ErrorMessage("WARNING: alert_unixsock_db: %s file doesn't exist or isn't writable!\n", + srv); + } + + bzero((char *) &unix_addr[nrpl], sizeof(unix_addr[nrpl])); + + /* we trust what we define */ + bcopy((const void *) srv, (void *) unix_addr[nrpl].sun_path, strlen(srv)); + + unix_addr[nrpl].sun_family = AF_UNIX; + + if((alertsd[nrpl] = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) + { + FatalError("socket() call failed: %s", strerror(errno)); + } + + getsockopt(alertsd[nrpl], SOL_SOCKET, SO_SNDBUF, &sndbuflen, &optlen); + + /* Try to set the send buffer of the socket to DGSNDBUF + * We increase in 1k steps until we get an error so hopefully + * at least the buffer is increased to write an alert atomically... 
+ */ + + old=sndbuflen; + while (sndbuflen < DGSNDBUF && + setsockopt(alertsd[nrpl], SOL_SOCKET, SO_SNDBUF , &sndbuflen, + sizeof(sndbuflen))==0) + { + sndbuflen +=1024; + } + + LogMessage("AlertUnixSockDB: Set socket send buffer %i (%s) to %i (%i)\n", + nrpl,srv,sndbuflen,old); + nrpl++; + } + + #endif /* !WIN32 */ + + int send2socket( void * data, int size) + { + time_t timep; + int error=0; + int i; + + for (i=0; i + ** Copyright (C) 1998-2002 Martin Roesch + ** Copyright (C) 2000,2001 Andrew R. Baker + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License as published by + ** the Free Software Foundation; either version 2 of the License, or + ** (at your option) any later version. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + + #ifndef __SPO_ALERT_UNIXSOCK_DB_H__ + #define __SPO_ALERT_UNIXSOCK_DB_H__ + + /* this struct is for the alert socket code.... */ + + #ifdef HAVE_CONFIG_H + #include "config.h" + #endif + + #include + #include + #include + #include + #include + #include + + #include "event.h" + #include "decode.h" + #include "plugbase.h" + #include "parser.h" + #include "debug.h" + #include "util.h" + #include "mstring.h" + #include "snort.h" + #include + + #define UNSOCK_FILE "/tmp/snort_alert" + + typedef struct _DGOptions + { + u_int32_t len; + u_int8_t code; + u_int8_t offset; /* Offset to packet pointer *pkt_ptr */ + } DGOptions; + + /* It is real overhead to save tcp, udp and icmp values in + one structure. 
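Review bot: In OpenAlertSockDB the configured socket path is copied into `unix_addr[nrpl].sun_path` with `bcopy(srv, ..., strlen(srv))` and no bound, so a path of sizeof(sun_path) bytes or more (108 on common systems) overruns into the neighbouring `unix_addr` slot, or past the array for the last slot, and loses its NUL terminator; the "we trust what we define" comment does not make snort.conf a safe length source. Add `if (strlen(srv) >= sizeof(unix_addr[nrpl].sun_path)) FatalError("alert_unixsock_db: socket path too long: %s\n", srv);` before the copy. A few lines further down `optlen` is passed to getsockopt() uninitialised and its return value is unchecked, and the loop that grows SO_SNDBUF leaves `sndbuflen` one step (1024) above the last value setsockopt() actually accepted; since `sndbuflen` later serves as the truncation bound for the packet datagram, initialise `optlen = sizeof(sndbuflen)`, check the result, and keep the last accepted size rather than the one that failed. Both AlertUnixSockDB and LogUnixSockDB also walk `ip_options[]` with `p->tcp_option_count` instead of `p->ip_option_count` and never set `alertpkt.ip_option_count`, so the consumer cannot tell how many IP option entries are valid. send2socket begins at the end of this hunk but its body is cut off in SOURCE, so whether a failed or short send is reported could not be checked.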
But it makes live much easier... */ + + typedef struct _AlertpktDB + { + char Tag[8]; + #ifndef GENUA + u_int8_t alertmsg[ALERTMSG_LENGTH]; /* variable.. */ + #endif + struct pcap_pkthdr pkth; + IPHdr iph; + DGOptions ip_options[40]; + u_int32_t ip_option_count; + u_int8_t icmp_type; + u_int16_t icmp_code; + u_int16_t icmp_csum; + u_int8_t icmp_ext; /* >0 if icmpextensions */ + u_int16_t icmp_extid; + u_int16_t icmp_extseqno; + UDPHdr udph; + TCPHdr tcph; + DGOptions tcp_options[40]; /* only useful for tcp... */ + u_int32_t tcp_option_count; /* only useful for tcp... */ + u_int8_t frag_flag; + u_int16_t frag_offset; + u_int32_t dlthdr; /* datalink header offset. (ethernet, etc.. ) */ + u_int32_t nethdr; /* network header offset. (ip etc...) */ + u_int32_t transhdr; /* transport header offset (tcp/udp/icmp ..) */ + u_int32_t data; + u_int32_t val; /* which fields are valid. (NULL could be + * valids also) + * */ + /* Packet struct --> was null */ + #define NOPACKET_STRUCT 0x1 + /* no transport headers in packet */ + #define NO_TRANSHDR 0x2 + /*DG u_int8_t pkt[SNAPLEN];*/ + Event event; + } AlertpktDB; + + + #endif /* __SPO_ALERT_UNIXSOCK_BD_H__ */ + diff -r -c -N snort-2.8.5.1_org/src/plugbase.c snort-2.8.5.1/src/plugbase.c *** snort-2.8.5.1_org/src/plugbase.c 2009-08-10 22:41:41.000000000 +0200 --- snort-2.8.5.1/src/plugbase.c 2009-10-22 20:26:59.218346728 +0200 *************** *** 110,115 **** --- 110,116 ---- #include "output-plugins/spo_log_null.h" #include "output-plugins/spo_log_ascii.h" #include "output-plugins/spo_unified2.h" + #include "output-plugins/spo_alert_unixsock_db.h" #ifdef ARUBA #include "output-plugins/spo_alert_arubaaction.h" *************** *** 1214,1219 **** --- 1215,1221 ---- #ifndef WIN32 /* Win32 doesn't support AF_UNIX sockets */ AlertUnixSockSetup(); + AlertUnixSockDBSetup(); #endif /* !WIN32 */ AlertCSVSetup(); LogNullSetup();
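Review bot: `UNSOCK_FILE` defaults to `/tmp/snort_alert`, a path in a world-writable directory that the plugin only sends to; any local user who creates a datagram socket at that path first receives every alert, including the raw packet bytes that follow each AlertpktDB, and can presumably also keep the legitimate consumer from binding there. Move the default under a directory owned by the receiving service (e.g. `/var/run/snort/`) or at least state in the comment that the socket path must not be creatable by other users. The struct is written to the socket raw with `sizeof(AlertpktDB)`, so its layout — including `struct pcap_pkthdr`, whose timeval width varies by platform, and any compiler padding — has to match on the consumer side exactly; a comment noting that producer and consumer must be built for the same ABI would save the next reader a debugging session. The closing guard comment reads `__SPO_ALERT_UNIXSOCK_BD_H__` while the guard itself is `__SPO_ALERT_UNIXSOCK_DB_H__`. This hunk's diff header is missing from SOURCE, so its first lines could not be reviewed.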