├── .gitignore ├── COPYING ├── LICENSE ├── Makefile.am ├── README ├── RELEASE.NOTES ├── autogen.sh ├── configure.ac ├── doc ├── INSTALL ├── Makefile.am ├── README.aruba ├── README.database ├── README.sguil ├── README.sig_suppress └── README.snortsam ├── etc ├── Makefile.am └── barnyard2.conf ├── m4 ├── Makefile.am └── libprelude.m4 ├── rpm ├── Makefile.am ├── barnyard2 ├── barnyard2.config └── barnyard2.spec ├── schemas ├── Makefile.am ├── SCHEMA_ACCESS ├── create_db2 ├── create_mssql ├── create_mysql ├── create_oracle.sql └── create_postgresql ├── src ├── Makefile.am ├── barnyard2.c ├── barnyard2.h ├── bounds.h ├── checksum.h ├── debug.c ├── debug.h ├── decode.c ├── decode.h ├── fatal.h ├── generators.h ├── input-plugins │ ├── Makefile.am │ ├── spi_unified2.c │ └── spi_unified2.h ├── ipv6_port.h ├── log.c ├── log.h ├── log_text.c ├── log_text.h ├── map.c ├── map.h ├── mstring.c ├── mstring.h ├── output-plugins │ ├── Makefile.am │ ├── spo_alert_arubaaction.c │ ├── spo_alert_arubaaction.h │ ├── spo_alert_bro.c │ ├── spo_alert_bro.h │ ├── spo_alert_cef.c │ ├── spo_alert_cef.h │ ├── spo_alert_csv.c │ ├── spo_alert_csv.h │ ├── spo_alert_fast.c │ ├── spo_alert_fast.h │ ├── spo_alert_full.c │ ├── spo_alert_full.h │ ├── spo_alert_fwsam.c │ ├── spo_alert_fwsam.h │ ├── spo_alert_prelude.c │ ├── spo_alert_prelude.h │ ├── spo_alert_sf_socket.c │ ├── spo_alert_sf_socket.h │ ├── spo_alert_syslog.c │ ├── spo_alert_syslog.h │ ├── spo_alert_test.c │ ├── spo_alert_test.h │ ├── spo_alert_unixsock.c │ ├── spo_alert_unixsock.h │ ├── spo_common.c │ ├── spo_common.h │ ├── spo_database.c │ ├── spo_database.h │ ├── spo_database_cache.c │ ├── spo_database_cache.h │ ├── spo_echidna.c │ ├── spo_echidna.h │ ├── spo_log_ascii.c │ ├── spo_log_ascii.h │ ├── spo_log_null.c │ ├── spo_log_null.h │ ├── spo_log_tcpdump.c │ ├── spo_log_tcpdump.h │ ├── spo_sguil.c │ ├── spo_sguil.h │ ├── spo_syslog_full.c │ └── spo_syslog_full.h ├── parser.c ├── parser.h ├── pcap_pkthdr32.h ├── plugbase.c ├── 
plugbase.h ├── rules.h ├── sf_protocols.h ├── sf_types.h ├── sfutil │ ├── Makefile.am │ ├── bitop.h │ ├── getopt.h │ ├── getopt1.h │ ├── getopt_long.c │ ├── sf_ip.c │ ├── sf_ip.h │ ├── sf_iph.c │ ├── sf_iph.h │ ├── sf_ipvar.c │ ├── sf_ipvar.h │ ├── sf_textlog.c │ ├── sf_textlog.h │ ├── sf_vartable.c │ ├── sf_vartable.h │ ├── sfhashfcn.h │ ├── sfmemcap.c │ ├── sfmemcap.h │ ├── sfprimetable.c │ ├── sfprimetable.h │ ├── sfxhash.c │ └── sfxhash.h ├── spooler.c ├── spooler.h ├── strlcatu.c ├── strlcatu.h ├── strlcpyu.c ├── strlcpyu.h ├── timersub.h ├── twofish.c ├── twofish.h ├── unified2.h ├── util.c └── util.h └── tools └── odlaw /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | *.o 3 | aclocal.m4 4 | autom4te.cache/ 5 | cflags.out 6 | /config.* 7 | configure 8 | cppflags.out 9 | install-sh 10 | libtool 11 | ltmain.sh 12 | m4/libtool.m4 13 | m4/lt~obsolete.m4 14 | m4/ltoptions.m4 15 | m4/ltsugar.m4 16 | m4/ltversion.m4 17 | Makefile 18 | Makefile.in 19 | missing 20 | src/barnyard2 21 | src/input-plugins/libspi.a 22 | src/output-plugins/libspo.a 23 | src/sfutil/libsfutil.a 24 | stamp-h1 25 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | ## $Id$ 2 | AUTOMAKE_OPTIONS = foreign no-dependencies 3 | 4 | ACLOCAL_AMFLAGS = -I m4 5 | 6 | SUBDIRS = src etc doc rpm schemas m4 7 | 8 | AM_CPPFLAGS = @INCLUDES@ 9 | 10 | EXTRA_DIST = COPYING LICENSE README RELEASE.NOTES ltmain.sh autogen.sh 11 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | It's been a minute; sadly this project has not seen any love in nearly a 2 | decade and it's probably time to put it out to pasture. 
Thanks for the 3 | memories <3 4 | 5 | 6 | ------------------------------------------------------------------------------ 7 | 0. SUMMARY 8 | ------------------------------------------------------------------------------ 9 | 10 | Barnyard2 - version 2-1.14 11 | 12 | This README contains some quick information about how to set up and 13 | configure barnyard2 to ensure it works as it should. 14 | 15 | 16 | ------------------------------------------------------------------------------ 17 | 1. COPYRIGHT 18 | ------------------------------------------------------------------------------ 19 | 20 | Copyright (C)2008-2013 Ian Firns 21 | Copyright (C)2008-2010 SecurixLive 22 | 23 | This program is free software; you can redistribute it and/or modify 24 | it under the terms of the GNU General Public License Version 2 as 25 | published by the Free Software Foundation. You may not use, modify or 26 | distribute this program under any other version of the GNU General 27 | Public License. 28 | 29 | This program is distributed in the hope that it will be useful, 30 | but WITHOUT ANY WARRANTY; without even the implied warranty of 31 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 32 | GNU General Public License for more details. 33 | 34 | You should have received a copy of the GNU General Public License 35 | along with this program; if not, write to the Free Software 36 | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 37 | 38 | Some of this code has been taken from Snort, which was developed by 39 | Martin Roesch and The Snort Team (http://www.snort.org/team.html). 40 | 41 | Some of this code has been taken from barnyard, which was developed by 42 | Martin Roesch and Andrew R. Baker. 43 | 44 | Some of this code has been taken from tcpdump, which was developed 45 | by the Network Research Group at Lawrence Berkeley National Lab, 46 | and is copyrighted by the University of California Regents. 
47 | 48 | 49 | ------------------------------------------------------------------------------ 50 | 2. DESCRIPTION 51 | ------------------------------------------------------------------------------ 52 | 53 | Barnyard2 is an open source interpreter for Snort unified2 binary output files. 54 | Its primary use is allowing Snort to write to disk in an efficient manner and 55 | leaving the task of parsing binary data into various formats to a separate 56 | process that will not cause Snort to miss network traffic. 57 | 58 | Barnyard2 has 3 modes of operation: 59 | 1. batch (or one-shot), 60 | 2. continual, and 61 | 3. continual w/ bookmark. 62 | 63 | In batch (or one-shot) mode, barnyard2 will process the explicitly specified 64 | file(s) and exit. 65 | 66 | In continual mode, barnyard2 will start with a location to look and a specified 67 | file pattern and continue to process new data (and new spool files) as they 68 | appear. 69 | 70 | Continual mode w/ bookmarking will also use a checkpoint file (or waldo file in 71 | the snort world) to track where it is. In the event the barnyard2 process ends 72 | while a waldo file is in use, barnyard2 will resume processing at the last 73 | entry as listed in the waldo file. 74 | 75 | The "-f", "-w", and "-o" options are used to determine which mode barnyard2 76 | will run in. It is legal for both the "-f" and "-w" options to be used on the 77 | command line at the same time, however any data that exists in the waldo file 78 | will override the command line data from the "-f" and "-d" options. See the 79 | command directives section below for more detail. 80 | 81 | Barnyard2 processing is controlled by two main types of directives: input 82 | processors and output plugins. The input processors read information in from a 83 | specific format ( currently the spo_unified2 output module of Snort ) and 84 | output them in one of several ways. 
85 | 86 | 87 | ------------------------------------------------------------------------------ 88 | 3. USAGE 89 | ------------------------------------------------------------------------------ 90 | 91 | Command line: 92 | 93 | barnyard2 [-options] 94 | 95 | 96 | General Options: 97 | 98 | -c Use configuration file 99 | -C Read the classification map from 100 | -D Run barnyard2 in background (daemon) mode 101 | -e Display the second layer header info 102 | -E Log alert messages to NT Eventlog. (Win32 only) 103 | -F Turn off fflush() calls after binary log writes 104 | -g Run barnyard2 gid as group (or gid) after initialization 105 | -G Read the gen-msg map from 106 | -h Define the hostname . For logging purposes only 107 | -i Define the interface . For logging purposes only 108 | -I Add Interface name to alert output 109 | -l Log to directory 110 | -m Set umask = 111 | -O Obfuscate the logged IP addresses 112 | -q Quiet. Don't show banner and status report 113 | -r Include 'id' in barnyard2_intf.pid file name 114 | -R Read the reference map from 115 | -S Read the sid-msg map from 116 | -t Chroots process to after initialization 117 | -T Test and report on the current barnyard2 configuration 118 | -u Run barnyard2 uid as user (or uid) after initialization 119 | -U Use UTC for timestamps 120 | -v Be verbose 121 | -V Show version number 122 | -? 
Show this information 123 | 124 | Continual Processing Options: 125 | -a Archive processed files to 126 | -f Use as the base filename pattern 127 | -d Spool files from 128 | -n Only process new events 129 | -w Enable bookmarking using 130 | 131 | Batch Processing Mode Options: 132 | -o Enable batch processing mode 133 | 134 | 135 | Longname options and their corresponding single char version 136 | --reference Same as -R 137 | --classification Same as -C 138 | --gen-msg Same as -G 139 | --sid-msg Same as -S 140 | --alert-on-each-packet-in-stream Call output plugins on each packet in an alert stream 141 | --process-new-records-only Same as -n 142 | --pid-path Specify the directory for the barnyard2 PID file 143 | --help Same as -? 144 | --version Same as -V 145 | --create-pidfile Create PID file, even when not in Daemon mode 146 | --nolock-pidfile Do not try to lock barnyard2 PID file 147 | --max-mpls-labelchain-len Specify the max MPLS label chain 148 | --mpls-payload-type Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS 149 | 150 | 151 | Examples: 152 | 153 | 1. Using barnyard2 in continuous mode with a waldo file 154 | 155 | # ./barnyard2 -c /etc/barnyard2.conf -d /var/snort -f snort.u2 -w /var/snort/snort.waldo 156 | 157 | 2. Using barnyard2 in batch mode 158 | 159 | # ./barnyard2 -c /etc/barnyard2.conf -o file1.u2 file2.u2 file3.u2 160 | -------------------------------------------------------------------------------- /autogen.sh: --------------------------------------------------------------------------------
#!/bin/sh
# Run this to generate all the initial makefiles, etc.
#
# Looks for libtoolize (falling back to glibtoolize), runs it in copy
# mode, then lets autoreconf regenerate configure and the Makefile.in
# files.  Exits 1 when neither libtoolize variant is found on PATH.

libtoolize_cmd=""
for candidate in libtoolize glibtoolize; do
    if which "$candidate" > /dev/null; then
        libtoolize_cmd="$candidate"
        break
    fi
done

if [ -z "$libtoolize_cmd" ]; then
    echo "Failed to find libtoolize or glibtoolize, please ensure it is installed and accessible via your PATH env variable"
    exit 1
fi

echo "Found $libtoolize_cmd"
# -c copies the libtool support files into the tree instead of symlinking them.
"$libtoolize_cmd" -c

#autoreconf -fv --install
autoreconf -fvi
echo "You can now run \"./configure\" and then \"make\"."

-------------------------------------------------------------------------------- /doc/INSTALL: -------------------------------------------------------------------------------- 1 | 2 | ------------------------------------------------------------------------------- 3 | 0. BARNYARD2 QUICK INSTALL 4 | ------------------------------------------------------------------------------- 5 | 6 | The "generic" notes for putting this thing together are below. Here's the 7 | short version. 8 | 9 | The quick install notes for getting people up and running in with minimal fuss 10 | are below. Detailed instructions will follow later. 11 | 12 | 1. *** Make sure you have libpcap HEADERS installed!!! *** 13 | 2. ./autogen.sh 14 | 3. ./configure 15 | 4. make 16 | 5. make install 17 | 6. Create a sample rules file (eg. look at etc/barnyard2.conf) 18 | 7. barnyard2 -? 19 | 8. HAVE FUN! 20 | 21 | 22 | ------------------------------------------------------------------------------- 23 | 1. BARNYARD2 CONFIGURE-TIME SWITCHES 24 | ------------------------------------------------------------------------------- 25 | 26 | `--enable-debug' 27 | Enable debugging options (bugreports and developers only). 28 | 29 | `--with-tcl=DIR' 30 | Support for Tcl, turn this on if you want to use the Sguil plugin. An 31 | alternative location can be supplied for non-standard Tcl installs. 32 | 33 | `--with-libpcap-includes=DIR' 34 | Specify location for pcap header files. 
35 | 36 | `--with-mysql=DIR' 37 | Support for mysql, turn this on if you want to use ACID/BASE with MySQL. 38 | NOTE: Specifying a directory will be deprecated in the future. 39 | 40 | `--with-mysql-libraries=DIR' 41 | Specify location for mysql client library. 42 | 43 | `--with-mysql-includes=DIR' 44 | Specify location for mysql header files. 45 | 46 | `--with-odbc=DIR' 47 | Support for ODBC databases, turn this on if you want to use ACID/BASE with 48 | a non-listed DB. 49 | 50 | `--with-postgresql=DIR' 51 | Support for Postgresql databases, turn this on if you want to use ACID/BASE 52 | with PostgreSQL. 53 | 54 | `--with-oracle=DIR' 55 | Support for Oracle databases, turn this on if you want to use ACID/BASE 56 | with Oracle. 57 | 58 | 59 | ------------------------------------------------------------------------------- 60 | 2. BASIC INSTALLATION 61 | ------------------------------------------------------------------------------- 62 | 63 | These are generic installation instructions. 64 | 65 | The `configure' shell script attempts to guess correct values for various 66 | system-dependent variables used during compilation. It uses those values to 67 | create a `Makefile' in each directory of the package. It may also create one or 68 | more `.h' files containing system-dependent definitions. Finally, it creates a 69 | shell script `config.status' that you can run in the future to recreate the 70 | current configuration, a file `config.cache' that saves the results of its 71 | tests to speed up reconfiguring, and a file `config.log' containing compiler 72 | output (useful mainly for debugging `configure'). 73 | 74 | If you need to do unusual things to compile the package, please try to 75 | figure out how `configure' could check whether to do them, and mail diffs or 76 | instructions to the address given in the `README' so they can be considered for 77 | the next release. 
If at some point `config.cache' contains results you don't 78 | want to keep, you may remove or edit it. 79 | 80 | The file `configure.in' is used to create `configure' by a program called 81 | `autoconf'. You only need `configure.in' if you want to change it or 82 | regenerate `configure' using a newer version of `autoconf'. 83 | 84 | The simplest way to compile this package is: 85 | 86 | 1. `cd' to the directory containing the package's source code and type 87 | `./configure' to configure the package for your system. If you're using 88 | `csh' on an old version of System V, you might need to type 89 | `sh ./configure' instead to prevent `csh' from trying to execute 90 | `configure' itself. 91 | 92 | Running `configure' takes awhile. While running, it prints some messages 93 | telling which features it is checking for. 94 | 95 | 2. Type `make' to compile the package. 96 | 97 | 3. Optionally, type `make check' to run any self-tests that come with the 98 | package. 99 | 100 | 4. Type `make install' to install the programs and any data files and 101 | documentation. 102 | 103 | 5. You can remove the program binaries and object files from the source code 104 | directory by typing `make clean'. To also remove the files that 105 | `configure' created (so you can compile the package for a different kind 106 | of computer), type `make distclean'. There is also a 107 | `make maintainer-clean' target, but that is intended mainly for the 108 | package's developers. If you use it, you may have to get all sorts of 109 | other programs in order to regenerate files that came with the 110 | distribution. 
111 | -------------------------------------------------------------------------------- /doc/Makefile.am: -------------------------------------------------------------------------------- 1 | ## $Id$ 2 | AUTOMAKE_OPTIONS=foreign no-dependencies 3 | 4 | EXTRA_DIST = INSTALL README.aruba README.database README.sguil README.snortsam 5 | -------------------------------------------------------------------------------- /doc/README.sguil: -------------------------------------------------------------------------------- 1 | 2 | ------------------------------------------------------------------------------ 3 | 0. SUMMARY 4 | ------------------------------------------------------------------------------ 5 | 6 | The sguil output plug-in enables barnyard to talk to the sguil daemon. 7 | 8 | This README contains some quick information about how to set up and 9 | configure sguil logging within barnyard2. 10 | 11 | Questions or comments about the sguil plugin can be directed to SecurixLive 12 | development . 13 | 14 | 15 | ------------------------------------------------------------------------------ 16 | 1. SGUIL SETUP 17 | ------------------------------------------------------------------------------ 18 | 19 | To get this plug-in working you must have a sguil set up and configured 20 | properly. Take the following steps to get things working. 21 | 22 | 1) More to follow ... 23 | 24 | 25 | ------------------------------------------------------------------------------ 26 | 2. PLUGIN CONFIGURATION 27 | ------------------------------------------------------------------------------ 28 | 29 | You must add some information to the barnyard2 configuration file 30 | to enable sguil logging. The configuration file distributed with barnyard 31 | has some sample configuration lines. 32 | 33 | The configuration line will be of the following format: 34 | 35 | output sguil: [parameter list] 36 | 37 | Arguments: 38 | 39 | [parameter list] - The parameter list consists of key value 40 | pairs. 
The proper format is a list of key=value pairs each 41 | separated by a space. 42 | 43 | All parameters are optional but may be necessary depending 44 | on how you have configured your sguil daemons and associated 45 | databases. 46 | 47 | agent_port - the name of the sguil agent port you are connecting to. 48 | The default value is assumed to be 7735. 49 | 50 | sensor_name - specify your own name for this snort sensor. If you do 51 | not specify a name one will be generated automatically. 52 | 53 | Example(s): 54 | 55 | output sguil: agent_port=7000 sensor_name=thor 56 | 57 | -------------------------------------------------------------------------------- /doc/README.sig_suppress: -------------------------------------------------------------------------------- 1 | -=Barnyard2 Team=- 2 | 3 | ================================================== 4 | 5 | Barnyard2 supports event suppression at the 6 | spooler level using the configuration directive sig_suppress. 7 | 8 | Syntax: 9 | ======= 10 | config sig_suppress: (GID):(SID) 11 | 12 | Note: 13 | GID is optional and SID can be a single SID or a range (START)-(END) (see below). 14 | 15 | EX: 16 | ======= 17 | config sig_suppress: 1:10 18 | AND 19 | config sig_suppress: 10 20 | 21 | The above expressions ARE equivalent. 22 | 23 | config sig_suppress: 1:10 24 | AND 25 | config sig_suppress: 112:10 26 | 27 | The above expressions ARE NOT equivalent because one specifies gid 1 (alert) while the other specifies gid 112 (spp_arpspoof) 28 | 29 | config sig_suppress: 10-40 <= RANGE 30 | IS equivalent to 31 | config sig_suppress: 1:10-40 <= RANGE 32 | AND ALSO equivalent to 33 | config sig_suppress: 10,11,12,13,14,15,16....,38,39,40 34 | 35 | NOTE: single entries are less effective, especially if you have large lists. 36 | 37 | At the time of this writing, if you change the list you will need to restart the process (STOP/START) and not SIGHUP 38 | if you want the changes to be applied to event processing. 
39 | 40 | If we define the following list (overlapping entries are ignored or replaced when a range covering them is encountered): 41 | config sig_suppress: 1:10,20,1:30,2:90-102 42 | config sig_suppress: 1:10,1:30-40,15,10-40,25 43 | config sig_suppress: 1:10,50-55,15,10-20,80,51-52,31-35 44 | config sig_suppress: 2:93,2:95,2:100-101,2:91-122,22-27,2008175,2657,2011766,9900009,2001972,2101623 45 | 46 | So with the example above the final list is the following: 47 | 48 | +[ Signature Suppress list ]+ 49 | ---------------------------- 50 | -- Element type:[RANGE ] gid:[2] sid min:[90] sid max:[122] 51 | -- Element type:[RANGE ] gid:[1] sid min:[30] sid max:[40] 52 | -- Element type:[RANGE ] gid:[1] sid min:[50] sid max:[55] 53 | -- Element type:[RANGE ] gid:[1] sid min:[10] sid max:[20] 54 | -- Element type:[SINGLE] gid:[1] sid min:[80] sid max:[80] 55 | -- Element type:[RANGE ] gid:[1] sid min:[22] sid max:[27] 56 | -- Element type:[SINGLE] gid:[1] sid min:[2008175] sid max:[2008175] 57 | -- Element type:[SINGLE] gid:[1] sid min:[2657] sid max:[2657] 58 | -- Element type:[SINGLE] gid:[1] sid min:[2011766] sid max:[2011766] 59 | -- Element type:[SINGLE] gid:[1] sid min:[9900009] sid max:[9900009] 60 | -- Element type:[SINGLE] gid:[1] sid min:[2001972] sid max:[2001972] 61 | -- Element type:[SINGLE] gid:[1] sid min:[2101623] sid max:[2101623] 62 | ---------------------------- 63 | +[ Signature Suppress list ]+ 64 | 65 | -------------------------------------------------------------------------------- /doc/README.snortsam: -------------------------------------------------------------------------------- 1 | 2 | ------------------------------------------------------------------------------ 3 | 0. SUMMARY 4 | ------------------------------------------------------------------------------ 5 | 6 | The SnortSam output plug-in enables barnyard2 to talk to a SnortSam firewall 7 | management station. 
8 | 9 | This README contains some quick information about how to set up and 10 | configure sguil logging within barnyard2. 11 | 12 | Questions or comments about the snortsam plugin can be directed to SecurixLive 13 | development . 14 | 15 | 16 | ------------------------------------------------------------------------------ 17 | 1. SGUIL SETUP 18 | ------------------------------------------------------------------------------ 19 | 20 | To get this plug-in working you must have a sguil set up and configured 21 | properly. Take the following steps to get things working. 22 | 23 | 1) More to follow ... 24 | 25 | 26 | ------------------------------------------------------------------------------ 27 | 2. PLUGIN CONFIGURATION 28 | ------------------------------------------------------------------------------ 29 | 30 | You must add some information to the barnyard configuration file 31 | to enable snortsam connectivity. The configuration file distributed with 32 | barnyard2 has some sample configuration lines. 33 | 34 | The configuration line will be of the following format: 35 | 36 | output alert_fwsam: :/ 37 | 38 | Arguments: 39 | 40 | station - IP address or host name of the host running SnortSam. 41 | port - Port the remote SnortSam service listens on (default 898). 42 | key - Key used for authentication (encryption really) of the 43 | communication to the remote service. 44 | 45 | Example(s): 46 | 47 | output alert_fwsam: snortsambox/idspassword 48 | output alert_fwsam: fw1.domain.tld:898/mykey 49 | output alert_fwsam: 192.168.0.1/borderfw 192.168.1.254/wanfw 50 | 51 | 52 | ------------------------------------------------------------------------------ 53 | 2. 
SNORTSAM RULE CONFIGURATION 54 | ------------------------------------------------------------------------------ 55 | 56 | In order for the snort-sam plugin to know what needs to be actioned on the 57 | receipt of an event a block (or action) map needs to be generated and available 58 | in the same location as the barnyard2 configuration file. 59 | 60 | The filename is currently hardcoded as "sid-block.map" but will be fully 61 | configurable in future releases. 62 | 63 | The block map contains a SnortSam rule per line with the syntax described below. 64 | 65 | The snortsam rules take the form of: 66 | 67 | sid: who[how],time; 68 | 69 | Arguments: 70 | 71 | sid - The Snort ID that this SnortSam rule is associated with. 72 | 73 | who - src, source, dst, dest, destination 74 | IP address to be blocked according to snort rule (some rules 75 | are reversed, i.e. homenet -> any [and you want to block any]). 76 | src denotes IP to the left of -> and dst denotes IP to the right 77 | 78 | how - In, out, src, dest, either, both, this, conn, connection 79 | An optional parameter that tells SnortSam to block packets 80 | INcoming from host, OUTgoing to host, EITHERway, or only THIS 81 | connection (IP/Service pair). 82 | 83 | See 'fw sam' on Firewall-1 for more information. This option may 84 | be ignored by other plugins. 85 | 86 | time - Duration of block in seconds. (Accepts 'days', 'months', 'weeks', 87 | 'years', 'minutes', 'seconds', 'hours'. Alternatively, a value of 88 | 0, or the keyword PERManent, INFinite, or ALWAYS, will block the 89 | host permanently. Be careful with this! 90 | 91 | Tells SnortSam how long to inhibit packets from the host. 
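92 | 93 | Example(s): 94 | 95 | 1487: src[either],15min; 96 | 1292: dst[in], 2 days 4 hours 97 | 1638: src, 1 hour 98 | 99 | 100 | -------------------------------------------------------------------------------- /etc/Makefile.am: -------------------------------------------------------------------------------- 1 | ## $Id$ 2 | AUTOMAKE_OPTIONS=foreign no-dependencies 3 | 4 | EXTRA_DIST = barnyard2.conf 5 | 6 | install-data-am: 7 | test -e $(DESTDIR)$(sysconfdir) || \ 8 | $(mkinstalldirs) $(DESTDIR)$(sysconfdir) 9 | test -e $(DESTDIR)$(sysconfdir)/barnyard2.conf || \ 10 | $(INSTALL_DATA) -m 600 $(top_srcdir)/etc/barnyard2.conf \ 11 | $(DESTDIR)$(sysconfdir)/barnyard2.conf 12 | -------------------------------------------------------------------------------- /m4/Makefile.am: -------------------------------------------------------------------------------- 1 | ## $Id$ 2 | AUTOMAKE_OPTIONS=foreign no-dependencies 3 | 4 | EXTRA_DIST = Makefile.am \ 5 | libprelude.m4 6 | -------------------------------------------------------------------------------- /rpm/Makefile.am: -------------------------------------------------------------------------------- 1 | ## $Id$ 2 | AUTOMAKE_OPTIONS=foreign no-dependencies 3 | 4 | EXTRA_DIST = Makefile.am \ 5 | barnyard2 \ 6 | barnyard2.spec \ 7 | barnyard2.config 8 | -------------------------------------------------------------------------------- /rpm/barnyard2: --------------------------------------------------------------------------------
#!/bin/sh
#
# Init file for Barnyard2
#
#
# chkconfig: 2345 40 60
# description: Barnyard2 is an output processor for snort.
#
# processname: barnyard2
# config: /etc/sysconfig/barnyard2
# config: /etc/snort/barnyard2.conf
# pidfile: /var/lock/subsys/barnyard2-<interface>.pid
#
# One barnyard2 daemon is started per interface listed in INTERFACES
# (see /etc/sysconfig/barnyard2); each gets its own spool directory,
# waldo file, archive directory and pid file under SNORTDIR/<interface>.

# Red Hat init helpers (daemon, killproc, status) and network settings.
. /etc/rc.d/init.d/functions
. /etc/sysconfig/network

### Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

### Barnyard2 is only started alongside an installed, configured Snort.
[ -x /usr/sbin/snort ] || exit 1
[ -r /etc/snort/snort.conf ] || exit 1

### Default variables
SYSCONFIG="/etc/sysconfig/barnyard2"

### Read configuration: LOG_FILE, SNORTDIR, INTERFACES, CONF and EXTRA_ARGS.
### The file is executed as shell code, so it must only be writable by root.
[ -r "$SYSCONFIG" ] && . "$SYSCONFIG"

RETVAL=0
prog="barnyard2"
desc="Snort Output Processor"

# Start one daemon per interface.  RETVAL ends up 1 if any of them failed
# to start (previously only the exit status of the last one was reported).
start() {
    echo -n $"Starting $desc ($prog): "
    RETVAL=0
    for INT in $INTERFACES; do
        PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
        ARCHIVEDIR="$SNORTDIR/$INT/archive"
        WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"
        # Left unquoted below on purpose: it is an argument list, not one word.
        # NOTE(review): -X is not in the README's option table; confirm it is
        # the pid-file option of the installed barnyard2 version.
        BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
        daemon $prog $BARNYARD_OPTS || RETVAL=1
    done
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
    return $RETVAL
}

# killproc matches by process name, so every per-interface daemon is
# stopped together; the lock file is removed only on success.
stop() {
    echo -n $"Shutting down $desc ($prog): "
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
    return $RETVAL
}

restart() {
    stop
    start
}

# Sends SIGHUP to the running daemons.  Per doc/README.sig_suppress, not
# every configuration change is picked up this way; some need a restart.
reload() {
    echo -n $"Reloading $desc ($prog): "
    killproc $prog -HUP
    RETVAL=$?
    echo
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    condrestart)
        # Only restart when the service is running; a stopped service is
        # not an error for condrestart (the old code exited 1 in that case).
        if [ -e /var/lock/subsys/$prog ]; then
            restart
            RETVAL=$?
        fi
        ;;
    status)
        status $prog
        RETVAL=$?
        ;;
    *)
        # The former "dump" action called a dump function that this script
        # never defines, so it ran whatever external command named dump was
        # on root's PATH; it is removed rather than left as a trap.
        echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
        RETVAL=1
esac

exit $RETVAL

-------------------------------------------------------------------------------- /rpm/barnyard2.config: -------------------------------------------------------------------------------- 1 | # Config file for /etc/init.d/barnyard2 2 | LOG_FILE="snort_unified.log" 3 | 4 | # You probably don't want to change this, but in case you do 5 | SNORTDIR="/var/log/snort" 6 | INTERFACES="eth0" 7 | 8 | # Probably not this either 9 | CONF=/etc/snort/barnyard2.conf 10 | 11 | EXTRA_ARGS="" 12 | -------------------------------------------------------------------------------- /rpm/barnyard2.spec: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | # Snort.org's SPEC file for Snort 3 | 4 | ################################################################ 5 | # rpmbuild Package Options 6 | # ======================== 7 | # --with mysql 8 | # Builds a binary/package with support for MySQL. 9 | # 10 | # --with postgresql 11 | # Builds a binary/package with support for PostgreSQL. 12 | # 13 | # --with oracle 14 | # Builds a binary/package with support for Oracle. 15 | # 16 | # --with libpcap1 17 | # Uses Vincent Cojot's libpcap1-devel rpm instead of libpcap-devel 18 | # 19 | # See pg 399 of _Red_Hat_RPM_Guide_ for rpmbuild --with and --without options. 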
20 | ################################################################ 21 | 22 | # Other useful bits 23 | %define OracleHome /opt/oracle/OraHome1 24 | 25 | # Default of no MySQL, but --with mysql will enable it 26 | %define mysql 0 27 | %{?_with_mysql:%define mysql 1} 28 | 29 | # Default of no PostgreSQL, but --with postgresql will enable it 30 | %define postgresql 0 31 | %{?_with_postgresql:%define postgresql 1} 32 | 33 | # Default of no Oracle, but --with oracle will enable it 34 | %define oracle 0 35 | %{?_with_oracle:%define oracle 1} 36 | 37 | # Build with libpcap1 from Vincent Cojot's snort packages 38 | # Default to standard libpcap, but --with libpcap1 will enable libpcap1 39 | # http://vscojot.free.fr/dist/snort/ 40 | %define libpcap1 0 41 | %{?_with_libpcap1:%define libpcap1 1} 42 | 43 | 44 | Summary: Snort Log Backend 45 | Name: barnyard2 46 | Version: 1.14 47 | Source0: https://github.com/firnsy/barnyard2/archive/barnyard2-%{version}.tar.gz 48 | Release: 1%{?dist} 49 | License: GPL 50 | Group: Applications/Internet 51 | Url: http://www.github.com/firnsy/barnyard2 52 | 53 | BuildRoot: %{_tmppath}/%{name}-%{version}-root 54 | BuildRequires: libtool 55 | %if %{libpcap1} 56 | BuildRequires: libpcap1-devel 57 | %else 58 | BuildRequires: libpcap-devel 59 | %endif 60 | BuildRequires: libdnet-devel 61 | 62 | 63 | %description 64 | Barnyard has 3 modes of operation: 65 | One-shot, continual, continual w/ checkpoint. In one-shot mode, 66 | barnyard will process the specified file and exit. In continual mode, 67 | barnyard will start with the specified file and continue to process 68 | new data (and new spool files) as it appears. Continual mode w/ 69 | checkpointing will also use a checkpoint file (or waldo file in the 70 | snort world) to track where it is. In the event the barnyard process 71 | ends while a waldo file is in use, barnyard will resume processing at 72 | the last entry as listed in the waldo file. 
73 | 74 | 75 | %package mysql 76 | Summary: barnyard2 with MySQL support 77 | Group: Applications/Internet 78 | Requires: %{name} = %{epoch}:%{version}-%{release} 79 | %if %{mysql} 80 | Requires: mysql 81 | BuildRequires: mysql-devel 82 | %endif 83 | %description mysql 84 | barnyard2 binary compiled with mysql support. 85 | 86 | %package postgresql 87 | Summary: barnyard2 with PostgreSQL support 88 | Group: Applications/Internet 89 | Requires: %{name} = %{epoch}:%{version}-%{release} 90 | %if %{postgresql} 91 | Requires: postgresql 92 | BuildRequires: postgresql-devel 93 | %endif 94 | %description postgresql 95 | barnyard2 binary compiled with postgresql support. 96 | 97 | %package oracle 98 | Summary: barnyard2 with Oracle support 99 | Group: Applications/Internet 100 | Requires: %{name} = %{epoch}:%{version}-%{release} 101 | %description oracle 102 | barnyard2 binary compiled with Oracle support. 103 | 104 | EXPERIMENTAL!! I don't have a way to test this, so let me know if it works! 105 | ORACLE_HOME=%{OracleHome} 106 | 107 | %prep 108 | %setup -q 109 | 110 | 111 | %build 112 | ./autogen.sh 113 | 114 | %configure \ 115 | %if %{libpcap1} 116 | --with-libpcap-includes=/usr/libpcap1/include \ 117 | --with-libpcap-libraries=/usr/%{_lib}/libpcap1/%{_lib} \ 118 | %endif 119 | %if %{postgresql} 120 | --with-postgresql \ 121 | %endif 122 | %if %{oracle} 123 | --with-oracle \ 124 | %endif 125 | %if %{mysql} 126 | --with-mysql-libraries=/usr/%{_lib} \ 127 | %endif 128 | 129 | make 130 | 131 | %install 132 | %makeinstall 133 | 134 | %{__install} -d -p $RPM_BUILD_ROOT%{_sysconfdir}/{sysconfig,rc.d/init.d,snort} 135 | %{__install} -d -p $RPM_BUILD_ROOT%{_datadir}/snort 136 | %{__install} -m 644 rpm/barnyard2.config $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/barnyard2 137 | %{__install} -m 755 rpm/barnyard2 $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/barnyard2 138 | %{__mv} $RPM_BUILD_ROOT%{_sysconfdir}/barnyard2.conf $RPM_BUILD_ROOT%{_sysconfdir}/snort/ 139 | if [ %{mysql} = 1 ]; 
then 140 | %{__install} -m 755 schemas/create_mysql $RPM_BUILD_ROOT%{_datadir}/snort/create_mysql 141 | fi 142 | if [ %{oracle} = 1 ]; then 143 | %{__install} -m 755 schemas/create_oracle.sql $RPM_BUILD_ROOT%{_datadir}/snort/create_oracle.sql 144 | fi 145 | if [ %{postgresql} = 1 ]; then 146 | %{__install} -m 755 schemas/create_postgresql $RPM_BUILD_ROOT%{_datadir}/snort/create_postgresql 147 | fi 148 | 149 | %clean 150 | if [ -d $RPM_BUILD_ROOT ] && [ "$RPM_BUILD_ROOT" != "/" ] ; then 151 | rm -rf $RPM_BUILD_ROOT 152 | fi 153 | 154 | %files 155 | %defattr(-,root,root) 156 | %doc LICENSE doc/INSTALL doc/README.* 157 | %attr(755,root,root) %{_bindir}/barnyard2 158 | %attr(640,root,root) %config(noreplace) %{_sysconfdir}/snort/barnyard2.conf 159 | %attr(755,root,root) %config(noreplace) %{_sysconfdir}/rc.d/init.d/barnyard2 160 | %attr(644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/barnyard2 161 | 162 | %if %{mysql} 163 | %files mysql 164 | %attr(755,root,root) %{_datadir}/snort/create_mysql 165 | %endif 166 | 167 | %if %{postgresql} 168 | %files postgresql 169 | %attr(755,root,root) %{_datadir}/snort/create_postgresql 170 | %endif 171 | 172 | %if %{oracle} 173 | %files oracle 174 | %attr(755,root,root) %{_datadir}/snort/create_oracle.sql 175 | %endif 176 | 177 | %changelog 178 | * Wed Aug 28 2013 Bill Bernsen 179 | - Added conditional packaging of database schemas 180 | - Added ./autogen.sh 181 | - BuildRequires libtool 182 | - Changed Source0 name to streamline packaging 183 | 184 | * Thu Feb 02 2012 Brent Woodruff 185 | - Removed Source2 and Source3 186 | - Removed unused realname variable 187 | - Removed unused noShell variable 188 | - Removed unused SnortRulesDir variable 189 | - Added BuildRequires: libpcap-devel 190 | - Added --with libpcap1 option 191 | - Removed unneeded -n barnyard2-%{version} from setup 192 | - Removed empty directories created by install 193 | - Removed duplicate barnyard2.conf from install command 194 | - Add mv command to put 
barnyard2.conf installed by %makeinstall in /etc/snort 195 | (mv instead of rm, doesn't really matter either way) 196 | - Changed doc/* to doc/INSTALL doc/README.* 197 | 198 | * Mon Jan 10 2011 Jason Haar 199 | - updated spec file 200 | 201 | * Sat Jan 16 2010 Ian Firns 202 | - barnyard2-1.8-beta2 203 | 204 | * Mon Sep 13 2009 Tom McLaughlin 205 | - barnyard2-1.7-beta2 206 | 207 | * Mon Apr 27 2009 Jason Haar 208 | - Converted barnyard-0.2.0 .spec 209 | 210 | * Wed Sep 13 2006 Matthew Hall 0.2.0-3%{?dist} 211 | - Apply Colin Grady's schema patches 212 | 213 | * Tue Jun 06 2006 Fabien Bourdaire 0.2.0-1%{?dist} 214 | - Build for FireHat 2.0 215 | 216 | * Sat Sep 04 2004 Ralf Spenneberg 217 | - migrated to Barnyard 0.2.0 and Fedora Core 2 218 | 219 | * Sun Apr 13 2003 Ralf Spenneberg 220 | - changed numbering scheme to reflect RH 8.0 221 | 222 | * Wed Apr 09 2003 Ralf Spenneberg 223 | - based on Barnyard Final Release 0.1.0 224 | 225 | * Tue Oct 22 2002 Ralf Spenneberg 226 | - based on Barnyard Release Candidate 3 227 | - built on RedHat 8.0 228 | 229 | * Wed Jul 24 2002 Ralf Spenneberg 230 | - based on Barnyard Release Candidate 2 231 | - removed classification.config gen-msg.map sid-msg.map 232 | 233 | * Sat Apr 06 2002 Ralf Spenneberg 234 | - Based on Barnyard Beta 4 235 | - Created barnyard rpm 236 | 237 | -------------------------------------------------------------------------------- /schemas/Makefile.am: -------------------------------------------------------------------------------- 1 | ## $Id$ 2 | AUTOMAKE_OPTIONS=foreign no-dependencies 3 | 4 | EXTRA_DIST = Makefile.am \ 5 | create_mssql \ 6 | create_mysql \ 7 | create_oracle.sql \ 8 | create_postgresql \ 9 | create_db2 10 | -------------------------------------------------------------------------------- /schemas/SCHEMA_ACCESS: -------------------------------------------------------------------------------- 1 | The default schema creation scripts does not create ACL's for database access. 
2 | This file defines which privileges barnyard2 requires on each table for the database output plugin to work correctly. 3 | 4 | ============= 5 | TABLE : sensor 6 | ============= 7 | INSERT 8 | SELECT 9 | UPDATE 10 | ============= 11 | 12 | ============= 13 | TABLE : event 14 | ============= 15 | SELECT 16 | INSERT 17 | ============= 18 | 19 | ============= 20 | TABLE : iphdr 21 | ============= 22 | SELECT 23 | INSERT 24 | ============= 25 | 26 | ============= 27 | TABLE : tcphdr 28 | ============= 29 | SELECT 30 | INSERT 31 | ============= 32 | 33 | ============= 34 | TABLE : udphdr 35 | ============= 36 | SELECT 37 | INSERT 38 | ============= 39 | 40 | ============= 41 | TABLE : opt 42 | ============= 43 | SELECT 44 | INSERT 45 | ============= 46 | 47 | ============= 48 | TABLE : icmphdr 49 | ============= 50 | SELECT 51 | INSERT 52 | ============= 53 | 54 | ============= 55 | TABLE : data 56 | ============= 57 | SELECT 58 | INSERT 59 | ============= 60 | 61 | ============= 62 | TABLE : reference_system 63 | ============= 64 | INSERT 65 | SELECT 66 | ============= 67 | 68 | ============= 69 | TABLE : reference 70 | ============= 71 | INSERT 72 | SELECT 73 | ============= 74 | 75 | ============= 76 | TABLE : schema 77 | ============= 78 | SELECT 79 | ============= 80 | 81 | ============= 82 | TABLE : sig_class 83 | ============= 84 | INSERT 85 | SELECT 86 | ============= 87 | 88 | ============= 89 | TABLE : signature 90 | ============= 91 | INSERT 92 | SELECT 93 | UPDATE 94 | ============= 95 | 96 | ============= 97 | TABLE : sig_reference 98 | ============= 99 | SELECT 100 | INSERT 101 | ============= -------------------------------------------------------------------------------- /schemas/create_postgresql: -------------------------------------------------------------------------------- 1 | -- Copyright (C) 2000-2002 Carnegie Mellon University 2 | -- 3 | -- Maintainer: Roman Danyliw , 4 | -- 5 | -- Original Author(s): Jed Pickel (2000-2001) 6 | -- Roman Danyliw 7 | -- Todd 
Schrubb 8 | -- 9 | -- This program is free software; you can redistribute it and/or modify 10 | -- it under the terms of the GNU General Public License Version 2 as 11 | -- published by the Free Software Foundation. You may not use, modify or 12 | -- distribute this program under any other version of the GNU General 13 | -- Public License. 14 | -- 15 | -- This program is distributed in the hope that it will be useful, 16 | -- but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | -- GNU General Public License for more details. 19 | -- 20 | -- You should have received a copy of the GNU General Public License 21 | -- along with this program; if not, write to the Free Software 22 | -- Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 23 | 24 | CREATE TABLE schema ( vseq INT4 NOT NULL, 25 | ctime TIMESTAMP with time zone NOT NULL, 26 | PRIMARY KEY (vseq)); 27 | INSERT INTO schema (vseq, ctime) VALUES ('107', now()); 28 | 29 | CREATE TABLE signature ( sig_id SERIAL NOT NULL, 30 | sig_name TEXT NOT NULL, 31 | sig_class_id INT8, 32 | sig_priority INT8, 33 | sig_rev INT8, 34 | sig_sid INT8, 35 | sig_gid INT8, 36 | PRIMARY KEY (sig_id)); 37 | CREATE INDEX sig_name_idx ON signature (sig_name); 38 | CREATE INDEX sig_class_idx ON signature (sig_class_id); 39 | 40 | CREATE TABLE sig_reference (sig_id INT4 NOT NULL, 41 | ref_seq INT4 NOT NULL, 42 | ref_id INT4 NOT NULL, 43 | PRIMARY KEY(sig_id, ref_seq)); 44 | 45 | CREATE TABLE reference ( ref_id SERIAL, 46 | ref_system_id INT4 NOT NULL, 47 | ref_tag TEXT NOT NULL, 48 | PRIMARY KEY (ref_id)); 49 | 50 | CREATE TABLE reference_system ( ref_system_id SERIAL, 51 | ref_system_name TEXT, 52 | PRIMARY KEY (ref_system_id)); 53 | 54 | CREATE TABLE sig_class ( sig_class_id SERIAL, 55 | sig_class_name TEXT NOT NULL, 56 | PRIMARY KEY (sig_class_id) ); 57 | CREATE INDEX sig_class_name_idx ON sig_class (sig_class_name); 58 | 59 | CREATE 
TABLE event ( sid INT4 NOT NULL, 60 | cid INT8 NOT NULL, 61 | signature INT4 NOT NULL, 62 | timestamp timestamp with time zone NOT NULL, 63 | PRIMARY KEY (sid,cid)); 64 | CREATE INDEX signature_idx ON event (signature); 65 | CREATE INDEX timestamp_idx ON event (timestamp); 66 | 67 | -- store info about the sensor supplying data 68 | CREATE TABLE sensor ( sid SERIAL, 69 | hostname TEXT, 70 | interface TEXT, 71 | filter TEXT, 72 | detail INT2, 73 | encoding INT2, 74 | last_cid INT8 NOT NULL, 75 | PRIMARY KEY (sid)); 76 | 77 | -- All of the fields of an ip header 78 | CREATE TABLE iphdr ( sid INT4 NOT NULL, 79 | cid INT8 NOT NULL, 80 | ip_src INT8 NOT NULL, 81 | ip_dst INT8 NOT NULL, 82 | ip_ver INT2, 83 | ip_hlen INT2, 84 | ip_tos INT2, 85 | ip_len INT4, 86 | ip_id INT4, 87 | ip_flags INT2, 88 | ip_off INT4, 89 | ip_ttl INT2, 90 | ip_proto INT2 NOT NULL, 91 | ip_csum INT4, 92 | PRIMARY KEY (sid,cid)); 93 | CREATE INDEX ip_src_idx ON iphdr (ip_src); 94 | CREATE INDEX ip_dst_idx ON iphdr (ip_dst); 95 | 96 | -- All of the fields of a tcp header 97 | CREATE TABLE tcphdr( sid INT4 NOT NULL, 98 | cid INT8 NOT NULL, 99 | tcp_sport INT4 NOT NULL, 100 | tcp_dport INT4 NOT NULL, 101 | tcp_seq INT8, 102 | tcp_ack INT8, 103 | tcp_off INT2, 104 | tcp_res INT2, 105 | tcp_flags INT2 NOT NULL, 106 | tcp_win INT4, 107 | tcp_csum INT4, 108 | tcp_urp INT4, 109 | PRIMARY KEY (sid,cid)); 110 | CREATE INDEX tcp_sport_idx ON tcphdr (tcp_sport); 111 | CREATE INDEX tcp_dport_idx ON tcphdr (tcp_dport); 112 | CREATE INDEX tcp_flags_idx ON tcphdr (tcp_flags); 113 | 114 | -- All of the fields of a udp header 115 | CREATE TABLE udphdr( sid INT4 NOT NULL, 116 | cid INT8 NOT NULL, 117 | udp_sport INT4 NOT NULL, 118 | udp_dport INT4 NOT NULL, 119 | udp_len INT4, 120 | udp_csum INT4, 121 | PRIMARY KEY (sid,cid)); 122 | CREATE INDEX udp_sport_idx ON udphdr (udp_sport); 123 | CREATE INDEX udp_dport_idx ON udphdr (udp_dport); 124 | 125 | -- All of the fields of an icmp header 126 | CREATE TABLE icmphdr( 
sid INT4 NOT NULL, 127 | cid INT8 NOT NULL, 128 | icmp_type INT2 NOT NULL, 129 | icmp_code INT2 NOT NULL, 130 | icmp_csum INT4, 131 | icmp_id INT4, 132 | icmp_seq INT4, 133 | PRIMARY KEY (sid,cid)); 134 | CREATE INDEX icmp_type_idx ON icmphdr (icmp_type); 135 | 136 | -- Protocol options 137 | CREATE TABLE opt ( sid INT4 NOT NULL, 138 | cid INT8 NOT NULL, 139 | optid INT2 NOT NULL, 140 | opt_proto INT2 NOT NULL, 141 | opt_code INT2 NOT NULL, 142 | opt_len INT4, 143 | opt_data TEXT, 144 | PRIMARY KEY (sid,cid,optid)); 145 | 146 | -- Packet payload 147 | CREATE TABLE data ( sid INT4 NOT NULL, 148 | cid INT8 NOT NULL, 149 | data_payload TEXT, 150 | PRIMARY KEY (sid,cid)); 151 | 152 | -- encoding is a lookup table for storing encoding types 153 | CREATE TABLE encoding(encoding_type INT2 NOT NULL, 154 | encoding_text TEXT NOT NULL, 155 | PRIMARY KEY (encoding_type)); 156 | INSERT INTO encoding (encoding_type, encoding_text) VALUES (0, 'hex'); 157 | INSERT INTO encoding (encoding_type, encoding_text) VALUES (1, 'base64'); 158 | INSERT INTO encoding (encoding_type, encoding_text) VALUES (2, 'ascii'); 159 | 160 | -- detail is a lookup table for storing different detail levels 161 | CREATE TABLE detail (detail_type INT2 NOT NULL, 162 | detail_text TEXT NOT NULL, 163 | PRIMARY KEY (detail_type)); 164 | INSERT INTO detail (detail_type, detail_text) VALUES (0, 'fast'); 165 | INSERT INTO detail (detail_type, detail_text) VALUES (1, 'full'); 166 | 167 | -- be sure to also use the snortdb-extra tables if you want 168 | -- mappings for tcp flags, protocols, and ports 169 | -------------------------------------------------------------------------------- /src/Makefile.am: -------------------------------------------------------------------------------- 1 | ## $Id$ 2 | AUTOMAKE_OPTIONS=foreign no-dependencies 3 | 4 | bin_PROGRAMS = barnyard2 5 | 6 | barnyard2_SOURCES = barnyard2.c barnyard2.h \ 7 | bounds.h \ 8 | checksum.h \ 9 | debug.c debug.h \ 10 | decode.c decode.h \ 11 | fatal.h 
\ 12 | ipv6_port.h \ 13 | generators.h \ 14 | log.c log.h \ 15 | log_text.c log_text.h \ 16 | map.c map.h \ 17 | mstring.c mstring.h \ 18 | parser.c parser.h \ 19 | pcap_pkthdr32.h \ 20 | plugbase.c plugbase.h \ 21 | rules.h \ 22 | sf_types.h \ 23 | spooler.c spooler.h \ 24 | strlcatu.c strlcatu.h \ 25 | strlcpyu.c strlcpyu.h \ 26 | sf_protocols.h \ 27 | timersub.h \ 28 | twofish.c twofish.h \ 29 | unified2.h \ 30 | util.c util.h 31 | 32 | barnyard2_LDADD = output-plugins/libspo.a \ 33 | input-plugins/libspi.a \ 34 | sfutil/libsfutil.a 35 | 36 | SUBDIRS = sfutil output-plugins input-plugins 37 | 38 | AM_CPPFLAGS = -Isfutil 39 | -------------------------------------------------------------------------------- /src/bounds.h: -------------------------------------------------------------------------------- 1 | #ifndef _BOUNDS_H 2 | #define _BOUNDS_H 3 | /* 4 | ** Copyright (C) 2003-2009 Sourcefire, Inc. 5 | ** Chris Green 6 | ** 7 | ** This program is free software; you can redistribute it and/or modify 8 | ** it under the terms of the GNU General Public License Version 2 as 9 | ** published by the Free Software Foundation. You may not use, modify or 10 | ** distribute this program under any other version of the GNU General 11 | ** Public License. 12 | ** 13 | ** This program is distributed in the hope that it will be useful, 14 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | ** GNU General Public License for more details. 17 | ** 18 | ** You should have received a copy of the GNU General Public License 19 | ** along with this program; if not, write to the Free Software 20 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
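**
*/


#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

/* NOTE(review): the header names were stripped from this listing; the ones
 * below are reconstructed from what the functions use (memcpy/memmove,
 * assert, size_t) -- confirm against the repository copy. */
#ifdef OSF1
#include <sys/types.h>
#endif

#include <sys/types.h>
#include <assert.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAFEMEM_ERROR 0
#define SAFEMEM_SUCCESS 1

#include "debug.h"
/* ERRORRET is the failure path for every checker in this header: in a
 * normal build it returns SAFEMEM_ERROR to the caller, in a DEBUG build it
 * aborts via assert() so the offending call site is visible. */
#ifndef DEBUG
#define ERRORRET return SAFEMEM_ERROR;
#else
#define ERRORRET assert(0==1)
#endif /* DEBUG */

#include "sf_types.h"


/*
 * Test whether p lies inside the half-open range [start, end).
 *
 * end is one past the last valid byte, so a pointer equal to end is
 * out of bounds.
 *
 * 1 means it's in bounds, 0 means it's not
 */
static INLINE int inBounds(const uint8_t *start, const uint8_t *end, const uint8_t *p)
{
    if (p >= start && p < end)
    {
        return 1;
    }

    return 0;
}

/*
 * Shared validation for SafeMemcpy/SafeMemmove: the n bytes that will be
 * written at dst must lie inside [start, end).
 *
 * Only the destination is checked. src is not bounds-checked here -- the
 * caller only supplies the destination buffer's limits, and src normally
 * lives in a different buffer -- so the caller remains responsible for
 * making sure n bytes are readable at src.
 *
 * @param dst   where the copy will be written
 * @param src   where the copy will be read from (must be non-NULL)
 * @param n     number of bytes to copy (must be >= 1)
 * @param start start of the dst buffer
 * @param end   one past the end of the dst buffer
 *
 * @return SAFEMEM_SUCCESS when the write fits; otherwise ERRORRET
 *         (SAFEMEM_ERROR, or an assert() failure in DEBUG builds)
 */
static INLINE int SafeDstRangeCheck(void *dst, const void *src, size_t n,
                                    const void *start, const void *end)
{
    void *tmp;

    /* zero-length copies are rejected, not treated as a no-op */
    if (n < 1)
    {
        ERRORRET;
    }

    if (!dst || !src || !start || !end)
    {
        ERRORRET;
    }

    /* address of the last byte to be written; if it compares below dst
     * the pointer arithmetic wrapped because n was enormous */
    tmp = ((uint8_t*)dst) + (n-1);
    if (tmp < dst)
    {
        ERRORRET;
    }

    /* both the first and the last written byte must be inside the buffer */
    if (!inBounds(start, end, dst) || !inBounds(start, end, tmp))
    {
        ERRORRET;
    }

    return SAFEMEM_SUCCESS;
}

/**
 * A Safer Memcpy
 *
 * Copies n bytes from src to dst after confirming that the whole
 * destination range [dst, dst+n) lies inside [start, end).  src is
 * not bounds-checked (see SafeDstRangeCheck); dst and src must not
 * overlap -- use SafeMemmove when they may.
 *
 * @param dst where to copy to
 * @param src where to copy from
 * @param n number of bytes to copy
 * @param start start of the dest buffer
 * @param end end of the dst buffer (one past the last byte)
 *
 * @return 0 on failure, 1 on success
 */
static INLINE int SafeMemcpy(void *dst, const void *src, size_t n, const void *start, const void *end)
{
    if (!SafeDstRangeCheck(dst, src, n, start, end))
    {
        ERRORRET;
    }

    memcpy(dst, src, n);

    return SAFEMEM_SUCCESS;
}

/**
 * A Safer Memmove
 * dst and src can be in the same buffer
 *
 * Same checks as SafeMemcpy (destination range only), but the copy is
 * done with memmove so overlapping regions are handled correctly.
 *
 * @param dst where to copy to
 * @param src where to copy from
 * @param n number of bytes to copy
 * @param start start of the dest buffer
 * @param end end of the dst buffer (one past the last byte)
 *
 * @return 0 on failure, 1 on success
 */
static INLINE int SafeMemmove(void *dst, const void *src, size_t n, const void *start, const void *end)
{
    if (!SafeDstRangeCheck(dst, src, n, start, end))
    {
        ERRORRET;
    }

    memmove(dst, src, n);

    return SAFEMEM_SUCCESS;
}

/**
 * A Safer *a = *b
 *
 * Writes the byte at src to dst after confirming dst is inside
 * [start, end).  src itself is not checked.
 *
 * @param start start of the dst buffer
 * @param end end of the dst buffer (one past the last byte)
 * @param dst the location to write to
 * @param src the source to read from
 *
 * @return 0 on failure, 1 on success
 */
static INLINE int SafeWrite(uint8_t *start, uint8_t *end, uint8_t *dst, uint8_t *src)
{
    if (!inBounds(start, end, dst))
    {
        ERRORRET;
    }

    *dst = *src;
    return SAFEMEM_SUCCESS;
}

/**
 * A Safer *read = *src
 *
 * Reads the byte at src into *read after confirming src is inside
 * [start, end).  read itself is not checked.
 *
 * @param start start of the src buffer
 * @param end end of the src buffer (one past the last byte)
 * @param src the location to read from
 * @param read where the byte is stored
 *
 * @return 0 on failure, 1 on success
 */
static INLINE int SafeRead(uint8_t *start, uint8_t *end, uint8_t *src, uint8_t *read)
{
    if (!inBounds(start, end, src))
    {
        ERRORRET;
    }

    /* The address that was validated is src, so src is what gets read.
     * The previous version copied *start instead, which returned the
     * buffer's first byte no matter which address had been checked. */
    *read = *src;
    return SAFEMEM_SUCCESS;
}

#endif /* _BOUNDS_H */
-------------------------------------------------------------------------------- /src/debug.c: --------------------------------------------------------------------------------
/* $Id$ */
/*
** Copyright (C) 2002-2009 Sourcefire, Inc.
** Copyright (C) 1998-2002 Martin Roesch
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.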
11 | ** 12 | ** This program is distributed in the hope that it will be useful, 13 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | ** GNU General Public License for more details. 16 | ** 17 | ** You should have received a copy of the GNU General Public License 18 | ** along with this program; if not, write to the Free Software 19 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 20 | */ 21 | 22 | #ifdef HAVE_CONFIG_H 23 | #include "config.h" 24 | #endif 25 | 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | 33 | #include "debug.h" 34 | 35 | #include "barnyard2.h" 36 | 37 | 38 | 39 | #ifdef DEBUG 40 | int debuglevel = DEBUG_ALL; 41 | char *DebugMessageFile = NULL; 42 | int DebugMessageLine = 0; 43 | 44 | extern Barnyard2Config *barnyard2_conf; 45 | 46 | int DebugThis(int level) 47 | { 48 | if (!(level & GetDebugLevel())) 49 | return 0; 50 | 51 | return 1; 52 | } 53 | 54 | int GetDebugLevel(void) 55 | { 56 | static int debug_init = 0; 57 | static unsigned int debug_level = 0; 58 | 59 | // declared here for compatibility with older compilers 60 | // not initialized here cuz the next step is done once 61 | const char* key; 62 | 63 | if (debug_init) 64 | return debug_level; 65 | 66 | key = getenv(DEBUG_VARIABLE); 67 | 68 | if ( key ) 69 | debug_level = strtoul(key, NULL, 0); 70 | else 71 | debug_level = 0; 72 | 73 | debug_init = 1; 74 | return debug_level; 75 | } 76 | 77 | void DebugMessageFunc(int level, char *fmt, ...) 
78 | { 79 | va_list ap; 80 | 81 | if (!(level & GetDebugLevel())) 82 | return; 83 | 84 | va_start(ap, fmt); 85 | 86 | if ((barnyard2_conf != NULL) && BcDaemonMode()) 87 | { 88 | char buf[STD_BUF]; 89 | int buf_len = sizeof(buf); 90 | char *buf_ptr = buf; 91 | 92 | buf[buf_len - 1] = '\0'; 93 | 94 | /* filename and line number information */ 95 | if (DebugMessageFile != NULL) 96 | { 97 | snprintf(buf, buf_len - 1, "%s:%d: ", 98 | DebugMessageFile, DebugMessageLine); 99 | buf_ptr += strlen(buf); 100 | buf_len -= strlen(buf); 101 | } 102 | 103 | vsnprintf(buf_ptr, buf_len - 1, fmt, ap); 104 | syslog(LOG_DAEMON | LOG_DEBUG, "%s", buf); 105 | } 106 | else 107 | { 108 | if (DebugMessageFile != NULL) 109 | printf("%s:%d: ", DebugMessageFile, DebugMessageLine); 110 | vprintf(fmt, ap); 111 | } 112 | 113 | va_end(ap); 114 | } 115 | 116 | #ifdef HAVE_WCHAR_H 117 | void DebugWideMessageFunc(int level, wchar_t *fmt, ...) 118 | { 119 | va_list ap; 120 | wchar_t buf[STD_BUF+1]; 121 | 122 | 123 | if (!(level & GetDebugLevel())) 124 | { 125 | return; 126 | } 127 | buf[STD_BUF]= (wchar_t)0; 128 | 129 | /* filename and line number information */ 130 | if (DebugMessageFile != NULL) 131 | printf("%s:%d: ", DebugMessageFile, DebugMessageLine); 132 | 133 | va_start(ap, fmt); 134 | 135 | if(BcDaemonMode()) 136 | { 137 | #if defined(WIN32) && (defined(__USE_ISOC95) || defined(__USE_UNIX98)) 138 | _vsnwprintf(buf, STD_BUF, fmt, ap); 139 | #else 140 | #if defined(HAVE_VSWPRINTF) && (defined(__USE_ISOC95) || defined(__USE_UNIX98)) 141 | 142 | vswprintf(buf, STD_BUF, fmt, ap); 143 | #endif 144 | #endif 145 | //syslog(LOG_DAEMON | LOG_DEBUG, "%s", buf); 146 | } 147 | else 148 | { 149 | #if defined(HAVE_WPRINTF) && (defined(__USE_ISOC95) || defined(__USE_UNIX98)) 150 | vwprintf(fmt, ap); 151 | #endif 152 | } 153 | 154 | va_end(ap); 155 | } 156 | #endif 157 | #else 158 | void DebugMessageFunc(int level, char *fmt, ...) 
159 | { 160 | } 161 | #ifdef HAVE_WCHAR_H 162 | void DebugWideMessageFunc(int level, wchar_t *fmt, ...) 163 | { 164 | } 165 | #endif 166 | #endif /* DEBUG */ 167 | -------------------------------------------------------------------------------- /src/debug.h: -------------------------------------------------------------------------------- 1 | /* $Id$ */ 2 | /* 3 | ** Copyright (C) 2002-2009 Sourcefire, Inc. 4 | ** Copyright (C) 1998-2002 Martin Roesch 5 | ** 6 | ** This program is free software; you can redistribute it and/or modify 7 | ** it under the terms of the GNU General Public License Version 2 as 8 | ** published by the Free Software Foundation. You may not use, modify or 9 | ** distribute this program under any other version of the GNU General 10 | ** Public License. 11 | ** 12 | ** This program is distributed in the hope that it will be useful, 13 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | ** GNU General Public License for more details. 16 | ** 17 | ** You should have received a copy of the GNU General Public License 18 | ** along with this program; if not, write to the Free Software 19 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
20 | */ 21 | 22 | 23 | #ifndef DEBUG_H 24 | #define DEBUG_H 25 | 26 | #ifdef HAVE_CONFIG_H 27 | #include "config.h" 28 | #endif 29 | 30 | #ifdef WIN32 31 | #define INLINE __inline 32 | #else /* WIN32 */ 33 | #define INLINE inline 34 | #endif /* WIN32 */ 35 | 36 | #include 37 | #ifdef HAVE_WCHAR_H 38 | /* ISOC99 is defined to get required prototypes */ 39 | #ifndef __USE_ISOC99 40 | #define __USE_ISOC99 41 | #endif 42 | #include 43 | #endif 44 | 45 | #define DEBUG_VARIABLE "BARNYARD2_DEBUG" 46 | 47 | #define DEBUG_ALL 0xffffffff /* 4294967295 */ 48 | #define DEBUG_INIT 0x00000001 /* 1 */ 49 | #define DEBUG_CONFIGRULES 0x00000002 /* 2 */ 50 | #define DEBUG_PLUGIN 0x00000004 /* 4 */ 51 | #define DEBUG_VARS 0x00000010 /* 16 */ 52 | #define DEBUG_LOG 0x00000020 /* 32 */ 53 | #define DEBUG_FLOW 0x00000040 54 | #define DEBUG_DECODE 0x00000080 55 | #define DEBUG_DATALINK 0x00000100 56 | #define DEBUG_INPUT_PLUGIN 0x00000200 57 | #define DEBUG_OUTPUT_PLUGIN 0x00000400 58 | #define DEBUG_SPOOLER 0x00000800 59 | #define DEBUG_MAPS 0x00001000 60 | #define DEBUG_MAPS_DEEP 0x00002000 61 | #define DEBUG_PATTERN_MATCH 0x00080000 62 | #define DEBUG_SID_SUPPRESS 0x00100000 63 | #define DEBUG_SID_SUPPRESS_PARSE 0x00200000 64 | 65 | void DebugMessageFunc(int dbg,char *fmt, ...); 66 | #ifdef HAVE_WCHAR_H 67 | void DebugWideMessageFunc(int dbg,wchar_t *fmt, ...); 68 | #endif 69 | 70 | #ifdef DEBUG 71 | 72 | extern char *DebugMessageFile; 73 | extern int DebugMessageLine; 74 | 75 | #define DebugMessage DebugMessageFile = __FILE__; DebugMessageLine = __LINE__; DebugMessageFunc 76 | #define DebugWideMessage DebugMessageFile = __FILE__; DebugMessageLine = __LINE__; DebugWideMessageFunc 77 | 78 | int GetDebugLevel (void); 79 | int DebugThis(int level); 80 | #else 81 | 82 | #ifdef WIN32 83 | /* Visual C++ uses the keyword "__inline" rather than "__inline__" */ 84 | #define __inline__ __inline 85 | #endif 86 | 87 | #endif /* DEBUG */ 88 | 89 | 90 | #ifdef DEBUG 91 | #define DEBUG_WRAP(code) 
code 92 | void DebugMessageFunc(int dbg,char *fmt, ...); 93 | #ifdef HAVE_WCHAR_H 94 | void DebugWideMessageFunc(int dbg,wchar_t *fmt, ...); 95 | #endif 96 | #else 97 | #define DEBUG_WRAP(code) 98 | /* I would use DebugMessage(dbt,fmt...) but that only works with GCC */ 99 | 100 | #endif 101 | 102 | #endif /* DEBUG_H */ 103 | -------------------------------------------------------------------------------- /src/fatal.h: -------------------------------------------------------------------------------- 1 | /* $Id$ */ 2 | /* 3 | ** Copyright (C) 2002-2008 Sourcefire, Inc. 4 | ** Copyright (C) 1998-2002 Martin Roesch 5 | ** 6 | ** This program is free software; you can redistribute it and/or modify 7 | ** it under the terms of the GNU General Public License Version 2 as 8 | ** published by the Free Software Foundation. You may not use, modify or 9 | ** distribute this program under any other version of the GNU General 10 | ** Public License. 11 | ** 12 | ** This program is distributed in the hope that it will be useful, 13 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | ** GNU General Public License for more details. 16 | ** 17 | ** You should have received a copy of the GNU General Public License 18 | ** along with this program; if not, write to the Free Software 19 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
20 | */ 21 | 22 | #ifndef __FATAL_H__ 23 | #define __FATAL_H__ 24 | 25 | 26 | /* 27 | * in debugging mode print out the filename and the line number where the 28 | * failure have occured 29 | */ 30 | 31 | 32 | #ifdef DEBUG 33 | #define FATAL(msg) { printf("%s:%d: ", __FILE__, __LINE__); FatalError( (char *) msg); } 34 | #else 35 | #define FATAL(msg) FatalError( (char *) msg) 36 | #endif 37 | 38 | 39 | 40 | #endif /* __FATAL_H__ */ 41 | -------------------------------------------------------------------------------- /src/input-plugins/Makefile.am: -------------------------------------------------------------------------------- 1 | ## $Id$ 2 | AUTOMAKE_OPTIONS=foreign no-dependencies 3 | 4 | noinst_LIBRARIES = libspi.a 5 | 6 | libspi_a_SOURCES = spi_unified2.c spi_unified2.h 7 | 8 | AM_CPPFLAGS = -I.. -I../sfutil 9 | -------------------------------------------------------------------------------- /src/input-plugins/spi_unified2.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** 3 | ** Copyright (C) 2008-2013 Ian Firns (SecurixLive) 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | ** 20 | ** 21 | */ 22 | 23 | #ifndef __SPI_UNIFIED2_H__ 24 | #define __SPI_UNIFIED2_H__ 25 | 26 | void Unified2Setup(void); 27 | 28 | #endif /* __SPI_UNIFIED2_H__ */ 29 | -------------------------------------------------------------------------------- /src/ipv6_port.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2007-2009 Sourcefire, Inc. 3 | ** 4 | ** This program is free software; you can redistribute it and/or modify 5 | ** it under the terms of the GNU General Public License Version 2 as 6 | ** published by the Free Software Foundation. You may not use, modify or 7 | ** distribute this program under any other version of the GNU General 8 | ** Public License. 9 | ** 10 | ** This program is distributed in the hope that it will be useful, 11 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | ** GNU General Public License for more details. 14 | ** 15 | ** You should have received a copy of the GNU General Public License 16 | ** along with this program; if not, write to the Free Software 17 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
18 | */ 19 | 20 | #ifndef IPV6_PORT_H 21 | #define IPV6_PORT_H 22 | 23 | #include "sf_types.h" 24 | #include "debug.h" 25 | 26 | /////////////////// 27 | /* IPv6 and IPv4 */ 28 | #ifdef SUP_IP6 29 | 30 | #include "sf_ip.h" 31 | 32 | typedef sfip_t snort_ip; 33 | typedef sfip_t *snort_ip_p; 34 | 35 | #define IpAddrNode sfip_node_t 36 | #define IpAddrSet sfip_var_t 37 | #define IpAddrSetContains(x,y) sfvar_ip_in(x, y) 38 | #define IpAddrSetPrint sfvar_print 39 | 40 | #ifdef inet_ntoa 41 | #undef inet_ntoa 42 | #endif 43 | #define inet_ntoa sfip_ntoa 44 | 45 | #define GET_SRC_IP(p) (p->iph_api->iph_ret_src(p)) 46 | #define GET_DST_IP(p) (p->iph_api->iph_ret_dst(p)) 47 | 48 | #define GET_ORIG_SRC(p) (p->orig_iph_api->orig_iph_ret_src(p)) 49 | #define GET_ORIG_DST(p) (p->orig_iph_api->orig_iph_ret_dst(p)) 50 | 51 | /* These are here for backwards compatibility */ 52 | #define GET_SRC_ADDR(x) GET_SRC_IP(x) 53 | #define GET_DST_ADDR(x) GET_DST_IP(x) 54 | 55 | #define IP_EQUALITY(x,y) (sfip_compare(x,y) == SFIP_EQUAL) 56 | #define IP_EQUALITY_UNSET(x,y) (sfip_compare_unset(x,y) == SFIP_EQUAL) 57 | #define IP_LESSER(x,y) (sfip_compare(x,y) == SFIP_LESSER) 58 | #define IP_GREATER(x,y) (sfip_compare(x,y) == SFIP_GREATER) 59 | 60 | #define GET_IPH_TOS(p) p->iph_api->iph_ret_tos(p) 61 | #define GET_IPH_LEN(p) p->iph_api->iph_ret_len(p) 62 | #define GET_IPH_TTL(p) p->iph_api->iph_ret_ttl(p) 63 | #define GET_IPH_ID(p) p->iph_api->iph_ret_id(p) 64 | #define GET_IPH_OFF(p) p->iph_api->iph_ret_off(p) 65 | #define GET_IPH_VER(p) p->iph_api->iph_ret_ver(p) 66 | #define GET_IPH_PROTO(p) p->iph_api->iph_ret_proto(p) 67 | 68 | #define GET_ORIG_IPH_PROTO(p) p->orig_iph_api->orig_iph_ret_proto(p) 69 | #define GET_ORIG_IPH_VER(p) p->orig_iph_api->orig_iph_ret_ver(p) 70 | #define GET_ORIG_IPH_LEN(p) p->orig_iph_api->orig_iph_ret_len(p) 71 | #define GET_ORIG_IPH_OFF(p) p->orig_iph_api->orig_iph_ret_off(p) 72 | #define GET_ORIG_IPH_PROTO(p) p->orig_iph_api->orig_iph_ret_proto(p) 73 | 74 | 
#define IS_IP4(x) (x->family == AF_INET) 75 | #define IS_IP6(x) (x->family == AF_INET6) 76 | /* XXX make sure these aren't getting confused with sfip_is_valid within the code */ 77 | #define IPH_IS_VALID(p) iph_is_valid(p) 78 | 79 | #define IP_CLEAR(x) x.bits = x.family = x.ip32[0] = x.ip32[1] = x.ip32[2] = x.ip32[3] = 0; 80 | 81 | #define IS_SET(x) sfip_is_set(&x) 82 | 83 | /* This loop trickery is intentional. If each copy is performed 84 | * individually on each field, then the following expression gets broken: 85 | * 86 | * if(conditional) IP_COPY_VALUE(a,b); 87 | * 88 | * If the macro is instead enclosed in braces, then having a semicolon 89 | * trailing the macro causes compile breakage. 90 | * So: use loop. */ 91 | #define IP_COPY_VALUE(x,y) \ 92 | do { \ 93 | x.bits = y->bits; \ 94 | x.family = y->family; \ 95 | x.ip32[0] = y->ip32[0]; \ 96 | x.ip32[1] = y->ip32[1]; \ 97 | x.ip32[2] = y->ip32[2]; \ 98 | x.ip32[3] = y->ip32[3]; \ 99 | } while(0) 100 | 101 | #define GET_IPH_HLEN(p) (p->iph_api->iph_ret_hlen(p)) 102 | #define SET_IPH_HLEN(p, val) 103 | 104 | #define GET_IP_DGMLEN(p) IS_IP6(p) ? (ntohs(GET_IPH_LEN(p)) + (GET_IPH_HLEN(p) << 2)) : ntohs(GET_IPH_LEN(p)) 105 | #define GET_IP_PAYLEN(p) IS_IP6(p) ? 
ntohs(GET_IPH_LEN(p)) : (ntohs(GET_IPH_LEN(p)) - (GET_IPH_HLEN(p) << 2))
/* NOTE(review): the GET_IP_DGMLEN / GET_IP_PAYLEN bodies that end just above
 * are bare ?: expressions with no enclosing parentheses (their #define lines
 * precede this chunk), so e.g. GET_IP_PAYLEN(p) - 1 applies the -1 to the
 * last branch only. Parenthesise at the call site or wrap the macro bodies. */
106 |
107 | #define IP_ARG(ipt) (&ipt)
108 | #define IP_PTR(ipp) (ipp)
109 | #define IP_VAL(ipt) (*ipt)
110 | #define IP_SIZE(ipp) (sfip_size(ipp))
111 |
/*
 * sfip_equal (SUP_IP6 build): report whether two addresses are the same.
 *
 * Returns 1 when ip1 and ip2 share an address family and the family-specific
 * comparison yields SFIP_EQUAL, 0 otherwise. A family mismatch, or a family
 * that is neither AF_INET nor AF_INET6, is reported as "not equal" rather
 * than as an error. For AF_INET only ip32[0] is compared.
 * _ip4_cmp / _ip6_cmp are not declared in this header; presumably they come
 * from sf_ip.h (included above) -- confirm.
 */
112 | static INLINE int sfip_equal (snort_ip* ip1, snort_ip* ip2)
113 | {
114 | if ( ip1->family != ip2->family )
115 | {
116 | return 0;
117 | }
118 | if ( ip1->family == AF_INET )
119 | {
120 | return _ip4_cmp(ip1->ip32[0], ip2->ip32[0]) == SFIP_EQUAL; /* v4: only the first 32-bit word carries the address */
121 | }
122 | if ( ip1->family == AF_INET6 )
123 | {
124 | return _ip6_cmp(ip1, ip2) == SFIP_EQUAL;
125 | }
126 | return 0; /* matching but unrecognised family: treated as not equal */
127 | }
128 |
129 | #else
130 | ///////////////
131 | /* IPv4 only */
132 | #include
133 | #ifdef HAVE_CONFIG_H
134 | #include
135 | #endif
136 |
/* In the IPv4-only build both names are plain 32-bit values; snort_ip_p is
 * NOT a pointer despite the suffix. The IP_ARG/IP_PTR/IP_VAL wrappers are
 * what keep call sites build-neutral. */
137 | typedef u_int32_t snort_ip; /* 32 bits only -- don't use unsigned long */
138 | typedef u_int32_t snort_ip_p; /* 32 bits only -- don't use unsigned long */
139 |
/* x is expected to carry ip_addr and netmask fields; y is a packet with an
 * iph pointer. The packet address is masked before the comparison. */
140 | #define IP_SRC_EQUALITY(x,y) (x->ip_addr == (y->iph->ip_src.s_addr & x->netmask))
141 | #define IP_DST_EQUALITY(x,y) (x->ip_addr == (y->iph->ip_dst.s_addr & x->netmask))
142 |
/* NOTE(review): unlike GET_ORIG_SRC/GET_ORIG_DST below, these expand without
 * enclosing parentheses; fine as plain r-values, parenthesise if combined
 * with unary or cast operators. */
143 | #define GET_SRC_IP(x) x->iph->ip_src.s_addr
144 | #define GET_DST_IP(x) x->iph->ip_dst.s_addr
145 |
146 | #define GET_ORIG_SRC(p) (p->orig_iph->ip_src.s_addr)
147 | #define GET_ORIG_DST(p) (p->orig_iph->ip_dst.s_addr)
148 |
149 | #define GET_SRC_ADDR(x) x->iph->ip_src
150 | #define GET_DST_ADDR(x) x->iph->ip_dst
151 |
152 | #define IP_CLEAR_SRC(x) x->iph->ip_src.s_addr = 0
153 | #define IP_CLEAR_DST(x) x->iph->ip_dst.s_addr = 0
154 |
/* Plain integer comparisons; IP_EQUALITY_UNSET has no "unset" semantics in
 * this build (contrast sfip_compare_unset in the SUP_IP6 build). */
155 | #define IP_EQUALITY(x,y) (x == y)
156 | #define IP_EQUALITY_UNSET(x,y) (x == y)
157 | #define IP_LESSER(x,y) (x < y)
158 | #define IP_GREATER(x,y) (x > y)
159 |
160 | #define GET_IPH_PROTO(p) p->iph->ip_proto
161 | #define GET_IPH_TOS(p) p->iph->ip_tos
162 | #define GET_IPH_LEN(p) p->iph->ip_len
163 | #define GET_IPH_TTL(p) p->iph->ip_ttl
164 | #define GET_IPH_VER(p) ((p->iph->ip_verhl & 0xf0) >> 4)
165 | #define GET_IPH_ID(p) p->iph->ip_id
166 | #define GET_IPH_OFF(p) p->iph->ip_off
167 |
168 | #define GET_ORIG_IPH_VER(p) IP_VER(p->orig_iph)
169 | #define GET_ORIG_IPH_LEN(p) p->orig_iph->ip_len
170 | #define GET_ORIG_IPH_OFF(p) p->orig_iph->ip_off
171 | #define GET_ORIG_IPH_PROTO(p) p->orig_iph->ip_proto
172 |
173 | #define IS_IP4(x) 1
174 | #define IS_IP6(x) 0
/* IPv4 build: the header counts as valid whenever the iph pointer is
 * non-NULL; no further checking here (the SUP_IP6 build calls
 * iph_is_valid(p) instead). */
175 | #define IPH_IS_VALID(p) p->iph
176 |
177 | #define IP_CLEAR(x) x = 0;
178 | #define IS_SET(x) x
179 |
180 | #define IP_COPY_VALUE(x,y) x = y
181 |
/* Header length is the low nibble of ip_verhl, in 32-bit words. SET_IPH_HLEN
 * rewrites that nibble only, preserving the version nibble, and masks val to
 * four bits; the SUP_IP6 build defines SET_IPH_HLEN as a no-op. */
182 | #define GET_IPH_HLEN(p) ((p)->iph->ip_verhl & 0x0f)
183 | #define SET_IPH_HLEN(p, val) (((IPHdr *)(p)->iph)->ip_verhl = (unsigned char)(((p)->iph->ip_verhl & 0xf0) | ((val) & 0x0f)))
184 |
185 | #define GET_IP_DGMLEN(p) ntohs(GET_IPH_LEN(p))
/* NOTE(review): unparenthesised and unguarded -- if ip_len (host order) is
 * smaller than 4 * hlen the subtraction goes negative, and wraps to a large
 * value if the result is stored in an unsigned type. Callers should only use
 * this after the decoder's length validation; confirm where that lives. */
186 | #define GET_IP_PAYLEN(p) ntohs(GET_IPH_LEN(p)) - (GET_IPH_HLEN(p) << 2)
187 |
188 | #define IP_ARG(ipt) (ipt)
189 | #define IP_PTR(ipp) (&ipp)
190 | #define IP_VAL(ipt) (ipt)
191 | #define IP_SIZE(ipp) (sizeof(ipp))
192 |
/*
 * sfip_equal (IPv4-only build): compare two addresses by value.
 *
 * Returns the result of IP_EQUALITY, i.e. 1 when the two 32-bit values are
 * identical and 0 otherwise. Note this variant takes values whereas the
 * SUP_IP6 variant takes pointers; IP_ARG()/IP_PTR() above presumably exist
 * so call sites can pass the right form in either build.
 */
193 | static INLINE int sfip_equal (snort_ip ip1, snort_ip ip2)
194 | {
195 | return IP_EQUALITY(ip1, ip2);
196 | }
197 |
198 | #endif /* SUP_IP6 */
199 |
200 | #if !defined(IPPROTO_IPIP) && defined(WIN32) /* Needed for some Win32 */
201 | #define IPPROTO_IPIP 4
202 | #endif
203 |
204 | #endif /* IPV6_PORT_H */
205 | -------------------------------------------------------------------------------- /src/log.h: -------------------------------------------------------------------------------- 1 | /*
2 | ** Copyright (C) 2002-2009 Sourcefire, Inc.
3 | ** Copyright (C) 1998-2002 Martin Roesch
4 | **
5 | ** This program is free software; you can redistribute it and/or modify
6 | ** it under the terms of the GNU General Public License Version 2 as
7 | ** published by the Free Software Foundation. You may not use, modify or
8 | ** distribute this program under any other version of the GNU General
9 | ** Public License.
10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* $Id$ */ 22 | #ifndef __LOG_H__ 23 | #define __LOG_H__ 24 | 25 | #ifdef HAVE_CONFIG_H 26 | #include "config.h" 27 | #endif 28 | 29 | #include 30 | 31 | #include "decode.h" 32 | 33 | #if defined (SUNOS) || defined (SOLARIS) || defined (HPUX) || defined (IRIX) \ 34 | || defined (AIX) || defined (OSF1) 35 | #define LOG_AUTHPRIV LOG_AUTH 36 | #endif 37 | 38 | #ifndef LOG_AUTHPRIV 39 | #define LOG_AUTHPRIV LOG_AUTH 40 | #endif 41 | 42 | #define FRAME_SIZE 66 43 | #define C_OFFSET 49 44 | 45 | /* P R O T O T Y P E S ******************************************************/ 46 | 47 | 48 | void PrintIPPkt(FILE *, int,Packet*); 49 | void PrintEapolPkt(FILE *, Packet *); 50 | void PrintEapolKey(FILE *, Packet *); 51 | void PrintNetData(FILE *, const u_char *, const int); 52 | void ClearDumpBuf(void); 53 | void Print2ndHeader(FILE *, Packet *); 54 | void PrintEthHeader(FILE *, Packet *); 55 | #ifdef MPLS 56 | void PrintMPLSHeader(FILE *, Packet *); 57 | #endif 58 | void PrintIPHeader(FILE *, Packet *); 59 | void PrintTCPHeader(FILE *, Packet *); 60 | void PrintTcpOptions(FILE *, Packet *); 61 | void PrintIpOptions(FILE *, Packet *); 62 | void PrintICMPHeader(FILE *, Packet *); 63 | void PrintICMPEmbeddedIP(FILE *, Packet *); 64 | void PrintEmbeddedICMPHeader(FILE *, const ICMPHdr *); 65 | void PrintUDPHeader(FILE *, Packet *); 66 | void PrintPriorityData(FILE *, int); 67 | void PrintXrefs(FILE *, int); 68 | void CreateTCPFlagString(Packet *, char *); 69 | 70 | 
#ifndef NO_NON_ETHER_DECODER 71 | void PrintEapolPkt(FILE *, Packet *); 72 | void PrintEapolKey(FILE *, Packet *); 73 | void PrintWifiPkt(FILE *, Packet *); 74 | void PrintTrHeader(FILE *, Packet *); 75 | void PrintWifiHeader(FILE *, Packet *); 76 | void PrintSLLHeader(FILE *, Packet *); 77 | void PrintArpHeader(FILE *, Packet *); 78 | void PrintEapolHeader(FILE *, Packet *); 79 | void PrintEAPHeader(FILE *, Packet *); 80 | #endif 81 | 82 | void NoLog(Packet *, char *, void *, void *); 83 | void NoAlert(Packet *, char *, void *, void *); 84 | FILE *OpenAlertFile(const char *); 85 | int RollAlertFile(const char *); 86 | 87 | #endif /* __LOG_H__ */ 88 | 89 | -------------------------------------------------------------------------------- /src/log_text.h: -------------------------------------------------------------------------------- 1 | 2 | /**************************************************************************** 3 | * 4 | * Copyright (C) 2003-2009 Sourcefire, Inc. 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License Version 2 as 8 | * published by the Free Software Foundation. You may not use, modify or 9 | * distribute this program under any other version of the GNU General 10 | * Public License. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
20 | * 21 | ****************************************************************************/ 22 | 23 | /** 24 | * @file log_text.h 25 | * @author Russ Combs 26 | * @date Fri Jun 27 10:34:37 2003 27 | * 28 | * @brief logging to text file 29 | * 30 | * Use these methods to write to a TextLog. 31 | */ 32 | 33 | #ifndef _LOG_TEXT_H 34 | #define _LOG_TEXT_H 35 | 36 | #include "map.h" 37 | #include "sfutil/sf_textlog.h" 38 | 39 | void LogPriorityData(TextLog*, u_int32_t, u_int32_t, bool); 40 | void LogXrefs(TextLog*, SigNode*, bool doNewLine); 41 | 42 | void LogIPPkt(TextLog*, int type, Packet*); 43 | 44 | void LogTimeStamp(TextLog*, Packet*); 45 | void LogTrHeader(TextLog*, Packet*); 46 | void Log2ndHeader(TextLog*, Packet*); 47 | void LogIPHeader(TextLog*, Packet*); 48 | void LogTCPHeader(TextLog*, Packet*); 49 | void LogUDPHeader(TextLog*, Packet*); 50 | void LogICMPHeader(TextLog*, Packet*); 51 | void LogArpHeader(TextLog*, Packet*); 52 | 53 | #if 0 54 | /* these are implemented in log_text.c but not public */ 55 | static void LogEthHeader(TextLog*, Packet*); 56 | static void LogSLLHeader(TextLog*, Packet*); 57 | static void LogWifiHeader(TextLog*, Packet*); 58 | static void LogIpOptions(TextLog* , Packet*); 59 | static void LogTcpOptions(TextLog*, Packet*); 60 | static void LogEmbeddedICMPHeader(TextLog*, const ICMPHdr*); 61 | static void LogICMPEmbeddedIP(TextLog*, Packet*); 62 | static void LogReference(TextLog*, ReferenceNode*); 63 | static void LogCharData(TextLog*, char* data, int len); 64 | static void LogNetData (TextLog*, const u_char* data, const int len); 65 | #endif 66 | 67 | #if 0 68 | /* these are only in log.c: */ 69 | /* called from snort.c: */ 70 | void PrintEapolPkt(FILE*, Packet*); 71 | /* *Key() and *Header() should be static/private */ 72 | void PrintEapolKey(FILE*, Packet*); 73 | void PrintEapolHeader(FILE*, Packet*); 74 | void PrintEAPHeader(FILE*, Packet*); 75 | 76 | /* commented out all over the place! 
*/ 77 | /* still called in snort.c and spp_stream4.c */ 78 | void ClearDumpBuf(void); 79 | 80 | /* called from snort.c */ 81 | void PrintWifiPkt(FILE*, Packet*); 82 | 83 | /* called in a few places including log_text.c */ 84 | void CreateTCPFlagString(Packet*, char*); 85 | #endif 86 | 87 | #endif /* _LOG_TEXT_H */ 88 | 89 | -------------------------------------------------------------------------------- /src/map.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** 3 | ** Copyright (C) 2008-2013 Ian Firns (SecurixLive) 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | ** 20 | ** 21 | */ 22 | 23 | /* 24 | ** Description: 25 | ** In memory linked list structures of sid-msg.map, gen-msg.map and 26 | ** classification.config 27 | ** 28 | ** Author(s): 29 | ** firnsy 30 | ** SecurixLive.com Team 31 | ** 32 | ** Comments: 33 | ** Ideas stolen liberally from: 34 | ** 1. the original barnyard (A. Baker, M.
Roesch) 35 | ** 36 | */ 37 | 38 | #ifndef __MAP_H__ 39 | #define __MAP_H__ 40 | 41 | #ifdef HAVE_CONFIG_H 42 | #include "config.h" 43 | #endif 44 | 45 | #include 46 | #include 47 | #include "sf_types.h" 48 | 49 | #define BUGTRAQ_URL_HEAD "http://www.securityfocus.com/bid/" 50 | #define CVE_URL_HEAD "http://cve.mitre.org/cgi-bin/cvename.cgi?name=" 51 | #define ARACHNIDS_URL_HEAD "http://www.whitehats.com/info/IDS" 52 | #define MCAFEE_URL_HEAD "http://vil.nai.com/vil/content/v_" 53 | #define URL_HEAD "http://" 54 | #define NESSUS_URL_HEAD "http://cgi.nessus.org/plugins/dump.php3?id=" 55 | 56 | #define BUFFER_SIZE 1024 57 | 58 | 59 | #define SOURCE_SID_MSG 0x0001 60 | #define SOURCE_GEN_MSG 0x0002 61 | #define SOURCE_GEN_RUNTIME 0x0004 62 | 63 | struct _Barnyard2Config; 64 | 65 | /* this contains a list of the URLs for various reference systems */ 66 | typedef struct _ReferenceSystemNode 67 | { 68 | char *name; 69 | char *url; 70 | struct _ReferenceSystemNode *next; 71 | 72 | } ReferenceSystemNode; 73 | 74 | typedef struct _ReferenceNode 75 | { 76 | char *id; 77 | ReferenceSystemNode *system; 78 | struct _ReferenceNode *next; 79 | } ReferenceNode; 80 | 81 | 82 | typedef struct _ClassType 83 | { 84 | char *type; 85 | char *name; /* "pretty" name */ 86 | uint32_t id; 87 | uint32_t priority; 88 | struct _ClassType *next; 89 | 90 | 91 | } ClassType; 92 | 93 | typedef struct _SigNode 94 | { 95 | struct _SigNode *next; 96 | uint32_t generator; /* generator ID */ 97 | uint32_t id; /* Snort ID */ 98 | uint32_t rev; /* revision (for future expansion) */ 99 | uint32_t class_id; 100 | uint32_t priority; 101 | u_int8_t source_file; /* where was it parsed from */ 102 | char *classLiteral; /* sid-msg.map v2 type only */ 103 | char *msg; /* messages */ 104 | ReferenceNode *refs; /* references (eg bugtraq) */ 105 | 106 | } SigNode; 107 | 108 | 109 | #define SS_SINGLE 0x0001 110 | #define SS_RANGE 0x0002 111 | 112 | typedef struct _SigSuppress_list 113 | { 114 | u_int8_t ss_type; /* 
Single or Range */ 115 | u_int8_t flag; /* Flagged for deletion */ 116 | unsigned long gid; /* Generator id */ 117 | unsigned long ss_min; /* VAL for SS_SINGLE, MIN VAL for RANGE */ 118 | unsigned long ss_max; /* VAL for SS_SINGLE, MAX VAL for RANGE */ 119 | struct _SigSuppress_list *next; 120 | } SigSuppress_list; 121 | 122 | 123 | 124 | ReferenceSystemNode * ReferenceSystemAdd(ReferenceSystemNode **, char *, char *); 125 | ReferenceSystemNode * ReferenceSystemLookup(ReferenceSystemNode *, char *); 126 | ReferenceNode * AddReference(struct _Barnyard2Config *, ReferenceNode **, char *, char *); 127 | 128 | SigNode *GetSigByGidSid(uint32_t, uint32_t, uint32_t); 129 | SigNode *CreateSigNode(SigNode **,u_int8_t); 130 | 131 | ClassType * ClassTypeLookupByType(struct _Barnyard2Config *, char *); 132 | ClassType * ClassTypeLookupById(struct _Barnyard2Config *, int); 133 | 134 | int ReadReferenceFile(struct _Barnyard2Config *, const char *); 135 | int ReadClassificationFile(struct _Barnyard2Config *); 136 | int ReadSidFile(struct _Barnyard2Config *); 137 | int ReadGenFile(struct _Barnyard2Config *); 138 | int SignatureResolveClassification(ClassType *class,SigNode *sig,char *sid_map_file,char *classification_file); 139 | 140 | void DeleteReferenceSystems(struct _Barnyard2Config *); 141 | void DeleteReferences(struct _Barnyard2Config *); 142 | 143 | void ParseReferenceSystemConfig(struct _Barnyard2Config *, char *args); 144 | void ParseClassificationConfig(struct _Barnyard2Config *, char *args); 145 | void ParseSidMapLine(struct _Barnyard2Config *, char *); 146 | void ParseGenMapLine(char *); 147 | 148 | /* Destructors */ 149 | void FreeSigNodes(SigNode **); 150 | void FreeClassifications(ClassType **); 151 | void FreeReferences(ReferenceSystemNode **); 152 | void FreeSigSuppression(SigSuppress_list **); 153 | 154 | 155 | #endif /* __MAP_H__ */ 156 | -------------------------------------------------------------------------------- /src/mstring.h: 
-------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2002-2009 Sourcefire, Inc. 3 | ** Copyright (C) 1998-2002 Martin Roesch 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | /* $Id$ */ 22 | 23 | #ifndef __MSTRING_H__ 24 | #define __MSTRING_H__ 25 | 26 | /* D E F I N E S *******************************************************/ 27 | #define TOKS_BUF_SIZE 100 28 | 29 | 30 | /* P R O T O T Y P E S *************************************************/ 31 | char ** mSplit(const char *, const char *, const int, int *, const char); 32 | char **mSplitSpecial(char *, const char *, int, int *, const char); 33 | void mSplitFree(char ***toks, int numtoks); 34 | int mContainsSubstr(const char *, int, const char *, int); 35 | int mSearch(const char *, int, const char *, int, int *, int *); 36 | int mSearchCI(const char *, int, const char *, int, int *, int *); 37 | int mSearchREG(const char *, int, const char *, int, int *, int *); 38 | int *make_skip(char *, int); 39 | int *make_shift(char *, int); 40 | 41 | #endif /* __MSTRING_H__ */ 42 | -------------------------------------------------------------------------------- /src/output-plugins/Makefile.am: -------------------------------------------------------------------------------- 1 | ## $Id$ 2 | AUTOMAKE_OPTIONS=foreign no-dependencies 3 | 4 | noinst_LIBRARIES = libspo.a 5 | 6 | libspo_a_SOURCES = \ 7 | spo_alert_arubaaction.c spo_alert_arubaaction.h \ 8 | spo_alert_bro.c spo_alert_bro.h \ 9 | spo_alert_cef.c spo_alert_cef.h \ 10 | spo_alert_csv.c spo_alert_csv.h \ 11 | spo_alert_fast.c spo_alert_fast.h \ 12 | spo_alert_full.c spo_alert_full.h \ 13 | spo_alert_fwsam.c spo_alert_fwsam.h \ 14 | spo_alert_prelude.c spo_alert_prelude.h \ 15 | spo_alert_syslog.c spo_alert_syslog.h \ 16 | spo_alert_test.c spo_alert_test.h \ 17 | spo_alert_unixsock.c spo_alert_unixsock.h \ 18 | spo_common.c spo_common.h \ 19 | spo_log_ascii.c spo_log_ascii.h \ 20 | spo_log_null.c spo_log_null.h \ 21 | spo_log_tcpdump.c spo_log_tcpdump.h \ 22 | spo_sguil.c spo_sguil.h \ 23 | spo_echidna.c spo_echidna.h \ 24 | spo_syslog_full.c spo_syslog_full.h \ 25 | spo_database.c spo_database.h \ 26 | spo_database_cache.c 
spo_database_cache.h 27 | 28 | AM_CPPFLAGS = -I.. -I ../sfutil 29 | -------------------------------------------------------------------------------- /src/output-plugins/spo_alert_arubaaction.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2006 Joshua Wright 3 | ** 4 | ** This program is free software; you can redistribute it and/or modify 5 | ** it under the terms of the GNU General Public License Version 2 as 6 | ** published by the Free Software Foundation. You may not use, modify or 7 | ** distribute this program under any other version of the GNU General 8 | ** Public License. 9 | ** 10 | ** This program is distributed in the hope that it will be useful, 11 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | ** GNU General Public License for more details. 14 | ** 15 | ** You should have received a copy of the GNU General Public License 16 | ** along with this program; if not, write to the Free Software 17 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 18 | */ 19 | 20 | /* $Id$ */ 21 | 22 | #ifndef __SPO_ALERT_ARUBAACTION_H__ 23 | #define __SPO_ALERT_ARUBAACTION_H__ 24 | 25 | void AlertArubaActionSetup(void); 26 | 27 | #endif /* __SPO_ALERT_ARUBAACTION_H__ */ 28 | 29 | -------------------------------------------------------------------------------- /src/output-plugins/spo_alert_bro.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2010 Seth Hall 3 | ** 4 | ** This program is free software; you can redistribute it and/or modify 5 | ** it under the terms of the GNU General Public License Version 2 as 6 | ** published by the Free Software Foundation. You may not use, modify or 7 | ** distribute this program under any other version of the GNU General 8 | ** Public License. 
9 | ** 10 | ** This program is distributed in the hope that it will be useful, 11 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | ** GNU General Public License for more details. 14 | ** 15 | ** You should have received a copy of the GNU General Public License 16 | ** along with this program; if not, write to the Free Software 17 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 18 | */ 19 | 20 | /* $Id$ */ 21 | 22 | #ifndef __SPO_BROCCOLI_H__ 23 | #define __SPO_BROCCOLI_H__ 24 | 25 | void AlertBroSetup(void); 26 | 27 | #endif /* __SPO_BROCCOLI_H__ */ 28 | -------------------------------------------------------------------------------- /src/output-plugins/spo_alert_cef.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2002-2009 Sourcefire, Inc. 3 | ** Copyright (C) 1998-2002 Martin Roesch 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* $Id$ */ 22 | 23 | /* This file gets included in plugbase.h when it is integrated into the rest 24 | * of the program.
Sometime in The Future, I'll whip up a bad ass Perl script 25 | * to handle automatically loading all the required info into the plugbase.* 26 | * files. 27 | */ 28 | 29 | #ifndef __SPO_CEF_H__ 30 | #define __SPO_CEF_H__ 31 | 32 | void AlertCEFSetup(void); 33 | 34 | #endif /* __SPO_CEF_H__ */ 35 | -------------------------------------------------------------------------------- /src/output-plugins/spo_alert_csv.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2002-2009 Sourcefire, Inc. 3 | ** Copyright (C) 1998-2002 Martin Roesch 4 | ** Copyright (C) 2001 Brian Caswell 5 | ** 6 | ** This program is free software; you can redistribute it and/or modify 7 | ** it under the terms of the GNU General Public License Version 2 as 8 | ** published by the Free Software Foundation. You may not use, modify or 9 | ** distribute this program under any other version of the GNU General 10 | ** Public License. 11 | ** 12 | ** This program is distributed in the hope that it will be useful, 13 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | ** GNU General Public License for more details. 16 | ** 17 | ** You should have received a copy of the GNU General Public License 18 | ** along with this program; if not, write to the Free Software 19 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 20 | */ 21 | 22 | /* $Id$ */ 23 | 24 | /* This file gets included in plugbase.h when it is integrated into the rest 25 | * of the program. Sometime in The Future, I'll whip up a bad ass Perl script 26 | * to handle automatically loading all the required info into the plugbase.* 27 | * files. 
28 | */ 29 | 30 | #ifndef __SPO_CSV_H__ 31 | #define __SPO_CSV_H__ 32 | 33 | void AlertCSVSetup(void); 34 | 35 | #endif /* __SPO_CSV_H__ */ 36 | -------------------------------------------------------------------------------- /src/output-plugins/spo_alert_fast.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2002-2009 Sourcefire, Inc. 3 | ** Copyright (C) 1998-2002 Martin Roesch 4 | ** Copyright (C) 2000,2001 Andrew R. Baker 5 | ** 6 | ** This program is free software; you can redistribute it and/or modify 7 | ** it under the terms of the GNU General Public License Version 2 as 8 | ** published by the Free Software Foundation. You may not use, modify or 9 | ** distribute this program under any other version of the GNU General 10 | ** Public License. 11 | ** 12 | ** This program is distributed in the hope that it will be useful, 13 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | ** GNU General Public License for more details. 16 | ** 17 | ** You should have received a copy of the GNU General Public License 18 | ** along with this program; if not, write to the Free Software 19 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 20 | */ 21 | 22 | /* $Id$ */ 23 | 24 | /* This file gets included in plugbase.h when it is integrated into the rest 25 | * of the program. Sometime in The Future, I'll whip up a bad ass Perl script 26 | * to handle automatically loading all the required info into the plugbase.* 27 | * files. 
28 | */ 29 | 30 | #ifndef __SPO_ALERT_FAST_H__ 31 | #define __SPO_ALERT_FAST_H__ 32 | 33 | void AlertFastSetup(void); 34 | 35 | #endif /* __SPO_ALERT_FAST_H__ */ 36 | 37 | -------------------------------------------------------------------------------- /src/output-plugins/spo_alert_full.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2002-2009 Sourcefire, Inc. 3 | ** Copyright (C) 1998-2002 Martin Roesch 4 | ** Copyright (C) 2000,2001 Andrew R. Baker 5 | ** 6 | ** This program is free software; you can redistribute it and/or modify 7 | ** it under the terms of the GNU General Public License Version 2 as 8 | ** published by the Free Software Foundation. You may not use, modify or 9 | ** distribute this program under any other version of the GNU General 10 | ** Public License. 11 | ** 12 | ** This program is distributed in the hope that it will be useful, 13 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | ** GNU General Public License for more details. 16 | ** 17 | ** You should have received a copy of the GNU General Public License 18 | ** along with this program; if not, write to the Free Software 19 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 20 | */ 21 | 22 | /* $Id$ */ 23 | 24 | /* This file gets included in plugbase.h when it is integrated into the rest 25 | * of the program. Sometime in The Future, I'll whip up a bad ass Perl script 26 | * to handle automatically loading all the required info into the plugbase.* 27 | * files. 
28 | */ 29 | 30 | #ifndef __SPO_FULLALERT_H__ 31 | #define __SPO_FULLALERT_H__ 32 | 33 | void AlertFullSetup(void); 34 | 35 | #endif /* __SPO_FULLALERT_H__ */ 36 | 37 | -------------------------------------------------------------------------------- /src/output-plugins/spo_alert_fwsam.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** 3 | ** spo_alert_fwsam.h 4 | ** 5 | ** Copyright (c) 2001-2005 Frank Knobbe 6 | ** Copyright (c) 2012 Ian Firns 7 | ** 8 | ** This program is free software; you can redistribute it and/or modify 9 | ** it under the terms of the GNU General Public License as published by 10 | ** the Free Software Foundation; either version 2 of the License, or 11 | ** (at your option) any later version. 12 | ** 13 | ** This program is distributed in the hope that it will be useful, 14 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | ** GNU General Public License for more details. 17 | ** 18 | ** You should have received a copy of the GNU General Public License 19 | ** along with this program; if not, write to the Free Software 20 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 21 | */ 22 | 23 | /* This file gets included in plugbase.c when it is integrated into the rest 24 | * of the program. 25 | * 26 | * For more info, see the beginning of spo_alert_fwsam.c 27 | * 28 | */ 29 | 30 | #ifndef __SPO_FWSAM_H__ 31 | #define __SPO_FWSAM_H__ 32 | 33 | void AlertFWsamSetup(void); 34 | 35 | #endif /* __SPO_FWSAM_H__ */ 36 | -------------------------------------------------------------------------------- /src/output-plugins/spo_alert_prelude.h: -------------------------------------------------------------------------------- 1 | /***** 2 | * 3 | * Copyright (C) 2005 PreludeIDS Technologies. All Rights Reserved. 
4 | * Author: Yoann Vandoorselaere 5 | * 6 | * This file is part of the Snort program. 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License Version 2 as 10 | * published by the Free Software Foundation. You may not use, modify or 11 | * distribute this program under any other version of the GNU General 12 | * Public License. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; see the file COPYING. If not, write to 21 | * the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. 22 | * 23 | *****/ 24 | 25 | void AlertPreludeSetup(void); 26 | 27 | void AlertPreludeSetupAfterSetuid(void); 28 | -------------------------------------------------------------------------------- /src/output-plugins/spo_alert_sf_socket.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2003-2009 Sourcefire, Inc. 3 | ** 4 | ** This program is free software; you can redistribute it and/or modify 5 | ** it under the terms of the GNU General Public License Version 2 as 6 | ** published by the Free Software Foundation. You may not use, modify or 7 | ** distribute this program under any other version of the GNU General 8 | ** Public License. 9 | ** 10 | ** This program is distributed in the hope that it will be useful, 11 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | ** GNU General Public License for more details. 
14 | ** 15 | ** You should have received a copy of the GNU General Public License 16 | ** along with this program; if not, write to the Free Software 17 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 18 | */ 19 | 20 | #ifndef __SPO_ALERT_SF_SOCKET_H__ 21 | #define __SPO_ALERT_SF_SOCKET_H__ 22 | 23 | void AlertSFSocket_Setup(void); 24 | 25 | #endif /* __SPO_ALERT_SF_SOCKET_H__ */ 26 | 27 | -------------------------------------------------------------------------------- /src/output-plugins/spo_alert_syslog.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2002-2009 Sourcefire, Inc. 3 | ** Copyright (C) 1998-2002 Martin Roesch 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* $Id$ */ 22 | 23 | /* This file gets included in plugbase.h when it is integrated into the rest 24 | * of the program. Sometime in The Future, I'll whip up a bad ass Perl script 25 | * to handle automatically loading all the required info into the plugbase.* 26 | * files. 
27 | */ 28 | 29 | #ifndef __SPO_SYSLOG_H__ 30 | #define __SPO_SYSLOG_H__ 31 | 32 | void AlertSyslogSetup(void); 33 | 34 | #endif /* __SPO_SYSLOG_H__ */ 35 | -------------------------------------------------------------------------------- /src/output-plugins/spo_alert_test.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2007-2009 Sourcefire, Inc. 3 | ** 4 | ** This program is free software; you can redistribute it and/or modify 5 | ** it under the terms of the GNU General Public License Version 2 as 6 | ** published by the Free Software Foundation. You may not use, modify or 7 | ** distribute this program under any other version of the GNU General 8 | ** Public License. 9 | ** 10 | ** This program is distributed in the hope that it will be useful, 11 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | ** GNU General Public License for more details. 14 | ** 15 | ** You should have received a copy of the GNU General Public License 16 | ** along with this program; if not, write to the Free Software 17 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 18 | */ 19 | 20 | /* $Id$ */ 21 | 22 | /* This file gets included in plugbase.h when it is integrated into the rest 23 | * of the program. Sometime in The Future, I'll whip up a bad ass Perl script 24 | * to handle automatically loading all the required info into the plugbase.* 25 | * files. 26 | */ 27 | 28 | #ifndef __SPO_ALERT_TEST_H__ 29 | #define __SPO_ALERT_TEST_H__ 30 | 31 | void AlertTestSetup(void); 32 | 33 | #endif /* __SPO_ALERT_FAST_H__ */ 34 | 35 | -------------------------------------------------------------------------------- /src/output-plugins/spo_alert_unixsock.h: -------------------------------------------------------------------------------- 1 | /* $Id$ */ 2 | /* 3 | ** Copyright (C) 2002-2009 Sourcefire, Inc. 
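** Copyright (C) 1998-2002 Martin Roesch
** Copyright (C) 2000,2001 Andrew R. Baker
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* This file gets included in plugbase.h when it is integrated into the rest
 * of the program. Sometime in The Future, I'll whip up a bad ass Perl script
 * to handle automatically loading all the required info into the plugbase.*
 * files.
 */

#ifndef __SPO_ALERT_UNIXSOCK_H__
#define __SPO_ALERT_UNIXSOCK_H__

#include
#include

#include "decode.h"
#include "unified2.h"

/* this struct is for the alert socket code....
 *
 * NOTE(review): this record is presumably written to the unix socket as a
 * raw memory image, and struct pcap_pkthdr embeds a struct timeval, so the
 * on-the-wire layout depends on the sender's ABI (32- vs 64-bit time_t,
 * padding).  A consumer has to be built for the same ABI; the tree carrying
 * pcap_pkthdr32.h suggests this is known — confirm against
 * spo_alert_unixsock.c before relying on the format across architectures. */
typedef struct _Alertpkt
{
    uint8_t alertmsg[ALERTMSG_LENGTH]; /* variable.. */
    struct pcap_pkthdr pkth;
    uint32_t dlthdr;      /* datalink header offset. (ethernet, etc.. ) */
    uint32_t nethdr;      /* network header offset. (ip etc...) */
    uint32_t transhdr;    /* transport header offset (tcp/udp/icmp ..) */
    uint32_t data;
    uint32_t val;         /* which fields are valid. (NULL could be
                           * valids also) */
/* Packet struct --> was null */
#define NOPACKET_STRUCT 0x1
/* no transport headers in packet */
#define NO_TRANSHDR 0x2
    uint8_t pkt[PKT_SNAPLEN];
    Unified2EventCommon event;
} Alertpkt;

void AlertUnixSockSetup(void);

#endif /* __SPO_ALERT_UNIXSOCK_H__ */

-------------------------------------------------------------------------------- /src/output-plugins/spo_common.c: --------------------------------------------------------------------------------

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include
#include
#include

#include "barnyard2.h"
#include "debug.h"
#include "util.h"

#include "spo_common.h"

/****************************************************************************
 *
 * Function: syslog_timestamp(uint32_t, uint32_t, char *)
 *
 * Purpose: Render an event time as the classic BSD syslog stamp
 *          "Mon DD HH:MM:SS" (e.g. "Jan  5 13:07:42") into timebuf.
 *          Adapted from tcpdump's ts_print().  The configured offset is
 *          added by hand and the result is split with gmtime(), so
 *          barnyard2_conf->thiszone acts as a fixed offset in seconds;
 *          no DST adjustment happens here.
 *
 * Arguments: sec     => seconds since the Unix epoch (from the event)
 *            usec    => microseconds; accepted for call compatibility but
 *                       not rendered, the format has no sub-second field
 *            timebuf => caller-supplied buffer of at least TIMEBUF_SIZE
 *                       bytes
 *
 * Returns: void.  A NULL timebuf is ignored.  If gmtime() cannot split
 *          the time, timebuf is set to "" so callers never log
 *          uninitialised bytes.
 *
 ****************************************************************************/
void syslog_timestamp(uint32_t sec, uint32_t usec, char *timebuf)
{
    static const char *const arr_month[] = {"Jan", "Feb", "Mar", "Apr", "May",
                                            "Jun", "Jul", "Aug", "Sep", "Oct",
                                            "Nov", "Dec"};
    int s;              /* seconds into the day, 0..86399 */
    int localzone;      /* offset in seconds applied before splitting */
    time_t Time;        /* midnight of the (offset) day */
    struct tm *lt;      /* place to stick the adjusted clock data */

    (void)usec;         /* see header: no sub-second field in this format */

    if (timebuf == NULL)
        return;

    localzone = barnyard2_conf->thiszone;

    /* If we're doing UTC, then make sure that the timezone is correct. */
    if (BcOutputUseUtc())
        localzone = 0;

    /* sec is uint32_t and localzone is int, so both the addition and the
     * modulo are evaluated in unsigned 32-bit arithmetic: a negative offset
     * wraps correctly for any realistic timestamp and s lands in 0..86399. */
    s = (sec + localzone) % 86400;
    Time = (sec + localzone) - s;

    /* gmtime() returns NULL when Time is not representable in a struct tm;
     * the previous code dereferenced the result unconditionally.  gmtime()
     * also hands back a static buffer, which is fine for a single-threaded
     * caller -- switch to gmtime_r() if this ever runs from threads. */
    lt = gmtime(&Time);
    if (lt == NULL || lt->tm_mon < 0 || lt->tm_mon > 11)
    {
        timebuf[0] = '\0';
        return;
    }

    SnortSnprintf(timebuf, TIMEBUF_SIZE, "%s %2d %02d:%02d:%02d",
                  arr_month[lt->tm_mon], lt->tm_mday,
                  s / 3600, (s % 3600) / 60, s % 60);
}
-------------------------------------------------------------------------------- /src/output-plugins/spo_common.h: --------------------------------------------------------------------------------

/* This file holds common functions amongst the output plugins
 */

#ifndef __SPO_COMMON_H__
#define __SPO_COMMON_H__

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include

/* Render (sec, usec) as a "Mon DD HH:MM:SS" syslog stamp into a buffer of
 * at least TIMEBUF_SIZE bytes; see spo_common.c for the exact contract. */
void syslog_timestamp(uint32_t, uint32_t, char *);

#endif /* __SPO_COMMON_H__ */

-------------------------------------------------------------------------------- /src/output-plugins/spo_database_cache.h: --------------------------------------------------------------------------------
/*

** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.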
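*/

/*
 * Maintainers : The Barnyard2 Team 2011-2012
 *
 * Special thanks to: Rusell Fuleton for helping us stress test
 * this in production for us.
 *
 *
 */



#ifndef __SPO_DATABASE_CACHE_H__
#define __SPO_DATABASE_CACHE_H__

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif


#include
#include
#include
#include
#include

#include "barnyard2.h"
#include "debug.h"
#include "map.h"
#include "unified2.h"


/* Column widths the cache copies map data into.  They are upper bounds on
 * what the cache keeps, not on what the database columns accept. */
#ifndef CLASS_NAME_LEN
#define CLASS_NAME_LEN 60
#endif /* CLASS_NAME_LEN */

#ifndef SYSTEM_NAME_LEN
#define SYSTEM_NAME_LEN 20
#endif /* SYSTEM_NAME_LEN */

#ifndef SYSTEM_URL_LEN
#define SYSTEM_URL_LEN 255 /* Use a shortener if you're not happy ;) */
#endif /* SYSTEM_URL_LEN */

#ifndef REF_TAG_LEN
#define REF_TAG_LEN 255 /* fix some issue with some ruleset */
#endif /* REF_TAG_LEN */

#ifndef SIG_NAME_LEN
#define SIG_NAME_LEN 42
#endif /* SIG_NAME_LEN */

#ifndef SIG_MSG_LEN
#define SIG_MSG_LEN 255
#endif /* SIG_MSG_LEN */

#ifndef MAX_REF_OBJ
#define MAX_REF_OBJ 255
#endif /* MAX_REF_OBJ */

#ifndef CACHE_SQL_QUERY
#define CACHE_SQL_QUERY

/* Number of columns each SELECT_ALL_* query below returns; readers walk
 * result rows by these counts. */
#define NUM_ROW_SIGREF 3
#define NUM_ROW_REFERENCE_SYSTEM 2
#define NUM_ROW_REF 3
#define NUM_ROW_CLASSIFICATION 2
#define NUM_ROW_SIGNATURE 7

/*
#if defined(ENABLE_POSTGRESQL)

** Note : ELZ
**
** Initially I thought that using PostgreSQL's E'' (escape string) syntax
** would avoid some quoting problems.  It turns out it introduces others:
** E'' strings interpret backslash escape sequences.  None of the
** signatures had such characters in initial testing, but some real
** rulesets did and the queries were corrupted.  To prevent that, these
** queries are kept here commented out and the code was reverted to the
** plain ('%s') templates below.
** Ref: http://www.postgresql.org/docs/9.1/static/datatype-binary.html

#define PGSQL_SQL_INSERT_SPECIFIC_REFERENCE_SYSTEM "INSERT INTO reference_system (ref_system_name) VALUES (E'%s');"
#define PGSQL_SQL_SELECT_SPECIFIC_REFERENCE_SYSTEM "SELECT `ref_system_id` FROM reference_system WHERE ref_system_name = E'%s';"
#define PGSQL_SQL_INSERT_SPECIFIC_REF "INSERT INTO reference (`ref_system_id`,ref_tag) VALUES ('%u',E'%s');"
#define PGSQL_SQL_SELECT_SPECIFIC_REF "SELECT ref_id FROM reference WHERE `ref_system_id` = '%u' AND ref_tag = E'%s';"
#define PGSQL_SQL_INSERT_CLASSIFICATION "INSERT INTO sig_class (sig_class_name) VALUES (E'%s');"
#define PGSQL_SQL_SELECT_SPECIFIC_CLASSIFICATION "SELECT sig_class_id FROM sig_class WHERE sig_class_name = E'%s';"
#define PGSQL_SQL_INSERT_SIGNATURE "INSERT INTO signature (sig_sid, sig_gid, sig_rev, sig_class_id, sig_priority, sig_name) VALUES ('%u','%u','%u','%u','%u',E'%s');"
#define PGSQL_SQL_SELECT_SPECIFIC_SIGNATURE "SELECT sig_id FROM signature WHERE " \
    "(sig_sid = '%u') AND " \
    "(sig_gid = '%u') AND " \
    "(sig_rev = '%u') AND " \
    "(sig_class_id = '%u') AND " \
    "(sig_priority = '%u') AND " \
    "(sig_name = E'%s'); "
#endif
*/

//#if defined(ENABLE_MYSQL) || defined (ENABLE_ODBC) || defined (ENABLE_ORACLE) || defined (ENABLE_MSSQL)
//#endif


/*
 * Query templates.  Each one is a printf-style format string: the '%u'
 * slots take unsigned integers and the '%s' slots take free-form text
 * which, judging by the field names, originates in the signature,
 * classification and reference maps (rule "msg" text, class names,
 * reference tags and system names).  Nothing here quotes or escapes that
 * text: whatever is substituted into a '%s' MUST already have been run
 * through the backend's own escaping routine, otherwise a single quote in
 * a rule message becomes SQL injection into the events database.
 *
 * NOTE(review): the backtick quoting around ref_system_id is MySQL
 * identifier syntax; confirm how the non-MySQL backends deal with it.
 */
#define SQL_INSERT_SPECIFIC_REFERENCE_SYSTEM "INSERT INTO reference_system (ref_system_name) VALUES ('%s');"
#define SQL_SELECT_SPECIFIC_REFERENCE_SYSTEM "SELECT `ref_system_id` FROM reference_system WHERE ref_system_name = '%s';"
#define SQL_INSERT_SPECIFIC_REF "INSERT INTO reference (`ref_system_id`,ref_tag) VALUES ('%u','%s');"
#define SQL_SELECT_SPECIFIC_REF "SELECT ref_id FROM reference WHERE `ref_system_id` = '%u' AND ref_tag = '%s';"
#define SQL_INSERT_CLASSIFICATION "INSERT INTO sig_class (sig_class_name) VALUES ('%s');"
#define SQL_SELECT_SPECIFIC_CLASSIFICATION "SELECT sig_class_id FROM sig_class WHERE sig_class_name = '%s';"
#define SQL_INSERT_SIGNATURE "INSERT INTO signature (sig_sid, sig_gid, sig_rev, sig_class_id, sig_priority, sig_name) VALUES ('%u','%u','%u','%u','%u','%s');"
/* The multi-line templates below used to end with a stray line
 * continuation ('\' on the last line), which silently glued whatever
 * followed -- an empty line, or a comment -- onto the macro.  The trailing
 * continuations are gone; the expansions are unchanged. */
#define SQL_SELECT_SPECIFIC_SIGNATURE "SELECT sig_id FROM signature WHERE " \
    "(sig_sid = '%u') AND " \
    "(sig_gid = '%u') AND " \
    "(sig_rev = '%u') AND " \
    "(sig_class_id = '%u') AND " \
    "(sig_priority = '%u') AND " \
    "(sig_name = '%s'); "


/* Used for backward compatibility with older barnyard process: matches a
 * signature row without comparing sig_name. */
#define SQL_SELECT_SPECIFIC_SIGNATURE_WITHOUT_MESSAGE "SELECT sig_id FROM signature WHERE " \
    "(sig_sid = '%u') AND " \
    "(sig_gid = '%u') AND " \
    "(sig_rev = '%u') AND " \
    "(sig_class_id = '%u') AND " \
    "(sig_priority = '%u');"


#define SQL_SELECT_ALL_SIGREF "SELECT ref_id, sig_id, ref_seq FROM sig_reference ORDER BY sig_id,ref_seq;"
#define SQL_INSERT_SIGREF "INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('%u','%u','%u');"
#define SQL_SELECT_SPECIFIC_SIGREF "SELECT ref_id FROM sig_reference WHERE (ref_id = '%u') AND (sig_id = '%u') AND (ref_seq='%u');"
#define SQL_SELECT_ALL_REFERENCE_SYSTEM "SELECT `ref_system_id`, ref_system_name FROM reference_system;"
#define SQL_SELECT_ALL_REF "SELECT ref_id, `ref_system_id`, ref_tag FROM reference; "
#define SQL_SELECT_ALL_CLASSIFICATION "SELECT sig_class_id, sig_class_name FROM sig_class ORDER BY sig_class_id ASC; "
#define SQL_SELECT_ALL_SIGNATURE "SELECT sig_id, sig_sid, sig_gid,sig_rev, sig_class_id, sig_priority, sig_name FROM signature;"
#define SQL_UPDATE_SPECIFIC_SIGNATURE "UPDATE signature SET " \
    "sig_class_id = '%u'," \
    "sig_priority = '%u'," \
    "sig_rev = '%u' " \
    "WHERE sig_id = '%u'; "

#endif /* CACHE_SQL_QUERY */


/* Where a cache lookup/insert is allowed to go. */
#ifndef CACHE_FLAGS
#define CACHE_FLAGS
#define CACHE_INTERNAL_ONLY 0x00000001
#define CACHE_DATABASE_ONLY 0x00000010
#define CACHE_BOTH 0x00000100 /* Digging a grave */
#endif /* CACHE_FLAGS */


/* Bitmask selecting which cache tables to flush.  The guard used to test
 * CACHE_FLUSH_FLAGS without ever defining it, so it never took effect; it
 * now mirrors the CACHE_FLAGS guard above. */
#ifndef CACHE_FLUSH_FLAGS
#define CACHE_FLUSH_FLAGS
#define CACHE_FLUSH_SIGNATURE 0x00000001
#define CACHE_FLUSH_CLASSIFICATION 0x00000002
#define CACHE_FLUSH_SYSTEM_REF 0x00000004
#define CACHE_FLUSH_SIGREF 0x00000008
#define CACHE_FLUSH_ALL 0xFFFFFFFF
#endif /* CACHE_FLUSH_FLAGS*/



#endif /*__SPO_DATABASE_CACHE_H__ */

-------------------------------------------------------------------------------- /src/output-plugins/spo_echidna.h: --------------------------------------------------------------------------------
/*
** Copyright (C) 2008-2013 Ian Firns (SecurixLive)
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.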
14 | ** 15 | ** You should have received a copy of the GNU General Public License 16 | ** along with this program; if not, write to the Free Software 17 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 18 | ** 19 | ** 20 | */ 21 | 22 | 23 | #ifndef __SPO_ECHIDNA_H__ 24 | #define __SPO_ECHIDNA_H__ 25 | 26 | void EchidnaSetup(); 27 | 28 | #endif /* __SPO_ECHIDNA_H__ */ 29 | -------------------------------------------------------------------------------- /src/output-plugins/spo_log_ascii.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2002-2009 Sourcefire, Inc. 3 | ** 4 | ** Author(s): Andrew R. Baker 5 | ** 6 | ** 7 | ** This program is free software; you can redistribute it and/or modify 8 | ** it under the terms of the GNU General Public License Version 2 as 9 | ** published by the Free Software Foundation. You may not use, modify or 10 | ** distribute this program under any other version of the GNU General 11 | ** Public License. 12 | ** 13 | ** This program is distributed in the hope that it will be useful, 14 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | ** GNU General Public License for more details. 17 | ** 18 | ** You should have received a copy of the GNU General Public License 19 | ** along with this program; if not, write to the Free Software 20 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 21 | */ 22 | 23 | /* $Id$ */ 24 | 25 | 26 | #ifndef __SPO_LOG_ASCII_H__ 27 | #define __SPO_LOG_ASCII_H__ 28 | 29 | void LogAsciiSetup(void); 30 | 31 | #endif /* __SPO_LOG_ASCII_H__ */ 32 | -------------------------------------------------------------------------------- /src/output-plugins/spo_log_null.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2002-2009 Sourcefire, Inc. 
3 | ** Copyright (C) 1998-2002 Martin Roesch 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | /* $Id$ */ 21 | 22 | /* spo_log_null 23 | * 24 | * Purpose: 25 | * 26 | * This module is a NULL placeholder for people that want to turn off 27 | * logging for whatever reason. Please note that logging is separate from 28 | * alerting, they are completely separate output facilities within Snort. 29 | * 30 | * Arguments: 31 | * 32 | * None. 33 | * 34 | * Effect: 35 | * 36 | * None. 
 *
 * Comments:
 *
 */

#include

#include "decode.h"
#include "plugbase.h"
#include "parser.h"
#include "debug.h"
#include "map.h"
#include "unified2.h"

#include "barnyard2.h"

/* Plugin callbacks.  Apart from the registration glue in LogNullSetup()
 * and LogNullInit(), every one of them is a deliberate no-op. */
void LogNullInit(char *);
void LogNull(Packet *, void *, uint32_t, void *);
void LogNullCleanExitFunc(int, void *);
void LogNullRestartFunc(int, void *);

/*
 * Register the "log_null" keyword with the output-plugin table so the
 * config parser can dispatch it to LogNullInit().
 */
void LogNullSetup(void)
{
    RegisterOutputPlugin("log_null", OUTPUT_TYPE_FLAG__LOG, LogNullInit);
    DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Output plugin: LogNull is setup...\n"););
}

/*
 * Hook the no-op callbacks into the log, clean-exit and restart lists.
 * args is presumably the option text following the keyword in the config
 * line; this plugin accepts no options, so it is intentionally ignored.
 */
void LogNullInit(char *args)
{
    (void)args;

    DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Output: LogNull Initialized\n"););

    AddFuncToOutputList(LogNull, OUTPUT_TYPE__LOG, NULL);
    AddFuncToCleanExitList(LogNullCleanExitFunc, NULL);
    AddFuncToRestartList(LogNullRestartFunc, NULL);
}

/* Log callback: drop the event and its packet on the floor. */
void LogNull(Packet *p, void *event, uint32_t event_type, void *arg)
{
    (void)p;
    (void)event;
    (void)event_type;
    (void)arg;
}

/* Nothing to flush or close on clean exit. */
void LogNullCleanExitFunc(int signal, void *arg)
{
    (void)signal;
    (void)arg;
}

/* Nothing to reopen on restart. */
void LogNullRestartFunc(int signal, void *arg)
{
    (void)signal;
    (void)arg;
}
-------------------------------------------------------------------------------- /src/output-plugins/spo_log_null.h: --------------------------------------------------------------------------------
/*
** Copyright (C) 2002-2009 Sourcefire, Inc.
** Copyright (C) 1998-2002 Martin Roesch
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.
You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | /* $Id$ */ 22 | 23 | 24 | #ifndef __SPO_LOG_NULL_H__ 25 | #define __SPO_LOG_NULL_H__ 26 | 27 | void LogNullSetup(void); 28 | 29 | #endif /* __SPO_LOG_NULL_H__ */ 30 | -------------------------------------------------------------------------------- /src/output-plugins/spo_log_tcpdump.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2002-2009 Sourcefire, Inc. 3 | ** Copyright (C) 1998-2002 Martin Roesch 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | */ 20 | 21 | /* $Id$ */ 22 | 23 | /* This file gets included in plugbase.h when it is integrated into the rest 24 | * of the program. Sometime in The Future, I'll whip up a bad ass Perl script 25 | * to handle automatically loading all the required info into the plugbase.* 26 | * files. 27 | */ 28 | 29 | #ifndef __SPO_LOG_TCPDUMP_H__ 30 | #define __SPO_LOG_TCPDUMP_H__ 31 | 32 | void LogTcpdumpSetup(void); 33 | void LogTcpdumpReset(void); 34 | 35 | #endif /* __SPO_SYSLOG_H__ */ 36 | -------------------------------------------------------------------------------- /src/output-plugins/spo_sguil.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2008-2013 Ian Firns (SecurixLive) 3 | ** Copyright (C) 2002-2005 Robert (Bamm) Visscher 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | ** 20 | ** 21 | */ 22 | 23 | 24 | #ifndef __SPO_SGUIL_H__ 25 | #define __SPO_SGUIL_H__ 26 | 27 | void SguilSetup(); 28 | 29 | #endif /* __SPO_SGUIL_H__ */ 30 | -------------------------------------------------------------------------------- /src/output-plugins/spo_syslog_full.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2011 Tim Shelton 3 | ** Copyright (C) 2011 HAWK Network Defense, Inc. hawkdefense.com 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/

#ifndef __OP_SYSLOG_FULL_H_
#define __OP_SYSLOG_FULL_H_


#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "barnyard2.h"
#include "map.h"
#include "mstring.h"
#include "parser.h"
#include "plugbase.h"
#include "strlcpyu.h"
#include "unified2.h"


/* Values for OpSyslog_Data.operation_mode. */
#define OUT_MODE_DEFAULT 0
#define OUT_MODE_FULL 1

/* Values for OpSyslog_Data.proto (transport to the remote syslog host).
 * NOTE(review): LOG_ is also the <syslog.h> facility/priority prefix; these
 * two do not collide with it today, but a plugin-specific prefix would be
 * safer.  Whichever transport is chosen, plain syslog carries neither
 * authentication nor encryption, so events can be read or spoofed on the
 * path unless the link is trusted or tunnelled -- confirm how deployments
 * are expected to handle that. */
#define LOG_UDP 0
#define LOG_TCP 1

/* Values for OpSyslog_Data.payload_encoding. */
#define ENCODE_HEX 0x0000
#define ENCODE_ASCII 0x0001
#define ENCODE_BASE64 0x0002

/* Buffer size used by this plugin; MAX_QUERY_LENGTH comes from a project
 * header and also sizes payload_escape_buffer below. */
#define SYSLOG_MAX_QUERY_SIZE MAX_QUERY_LENGTH

/* Per-instance state of the syslog_full output plugin.  Field meanings are
 * taken from the names and the constants above; anything marked
 * "presumably" has not been confirmed against spo_syslog_full.c. */
typedef struct _OpSyslog_Data
{
    char *server;                       /* remote syslog host, as configured */
    char *sensor_name;                  /* presumably the sensor id written into each message */

    u_int8_t log_context;               /* context value handed to OpSyslog_Init() */
    u_int8_t payload_encoding;          /* ENCODE_HEX / ENCODE_ASCII / ENCODE_BASE64 */
    u_int8_t operation_mode;            /* OUT_MODE_DEFAULT or OUT_MODE_FULL */
    u_int8_t local_logging;             /* presumably: also emit via local syslog(3) -- confirm */
    u_int32_t priority;                 /* numeric syslog priority */
    u_int32_t facility;                 /* numeric syslog facility */

    /* Fixed-size scratch space.  Every writer must bound itself by
     * sizeof(payload_escape_buffer) (== MAX_QUERY_LENGTH) -- confirm in the
     * .c that no formatting path can exceed it. */
    char payload_escape_buffer[MAX_QUERY_LENGTH];


    /* Textual facility / priority names, 16 bytes including the NUL;
     * presumably the spelling given in the config line. */
    char syslog_tx_facility[16];
    char syslog_tx_priority[16];


    u_int32_t port;                     /* remote port */
    u_int16_t detail;
    u_int16_t proto;                    /* LOG_UDP or LOG_TCP */

    char delim;
    char field_separators;

    /* Resolver and connection state.  struct sockaddr_in is AF_INET only,
     * so this plugin is IPv4-only as written; hostPtr suggests
     * gethostbyname(), which is likewise IPv4-only and not reentrant --
     * confirm before any IPv6 or threaded use. */
    struct hostent *hostPtr;
    struct sockaddr_in sockaddr;
    int socket;

    /* Message assembly buffers and their write cursors. */
    char *payload;
    char *formatBuffer;
    u_int32_t payload_current_pos;
    u_int32_t format_current_pos;


} OpSyslog_Data;

void OpSyslog_Setup(void);
void OpSyslog_Init(char *args,u_int8_t context);


#endif /* __OP_SYSLOG_FULL_H_ */

-------------------------------------------------------------------------------- /src/parser.h: --------------------------------------------------------------------------------
/*
** Copyright (C) 2002-2009 Sourcefire, Inc.
** Copyright (C) 1998-2002 Martin Roesch
** Copyright (C) 2000-2001 Andrew R.
Baker 5 | ** 6 | ** This program is free software; you can redistribute it and/or modify 7 | ** it under the terms of the GNU General Public License Version 2 as 8 | ** published by the Free Software Foundation. You may not use, modify or 9 | ** distribute this program under any other version of the GNU General 10 | ** Public License. 11 | ** 12 | ** This program is distributed in the hope that it will be useful, 13 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | ** GNU General Public License for more details. 16 | ** 17 | ** You should have received a copy of the GNU General Public License 18 | ** along with this program; if not, write to the Free Software 19 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 20 | */ 21 | 22 | /* $Id$ */ 23 | #ifndef __PARSER_H__ 24 | #define __PARSER_H__ 25 | 26 | #ifdef HAVE_CONFIG_H 27 | # include "config.h" 28 | #endif 29 | 30 | #include 31 | 32 | #include "rules.h" 33 | #include "decode.h" 34 | #include "barnyard2.h" 35 | #include "util.h" 36 | 37 | /* Macros *********************************************************************/ 38 | #define BARNYARD2_CONF_KEYWORD__CONFIG "config" 39 | #define BARNYARD2_CONF_KEYWORD__INPUT "input" 40 | #define BARNYARD2_CONF_KEYWORD__OUTPUT "output" 41 | #define BARNYARD2_CONF_KEYWORD__IPVAR "ipvar" 42 | #define BARNYARD2_CONF_KEYWORD__VAR "var" 43 | #define BARNYARD2_CONF_KEYWORD__VERSION "version" 44 | 45 | /* Config options */ 46 | #define CONFIG_OPT__DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM "disable_alert_on_each_packet_in_stream" 47 | #define CONFIG_OPT__EVENT_CACHE_SIZE "event_cache_size" 48 | #define CONFIG_OPT__ALERT_ON_EACH_PACKET_IN_STREAM "alert_on_each_packet_in_stream" 49 | #define CONFIG_OPT__ALERT_WITH_IFACE_NAME "alert_with_interface_name" 50 | #define CONFIG_OPT__ARCHIVE_DIR "archivedir" 51 | #define CONFIG_OPT__CHROOT_DIR "chroot" 52 | #define 
CONFIG_OPT__CLASSIFICATION "classification" 53 | #define CONFIG_OPT__CLASSIFICATION_FILE "classification_file" 54 | #define CONFIG_OPT__DAEMON "daemon" 55 | #define CONFIG_OPT__DECODE_DATA_LINK "decode_data_link" 56 | #define CONFIG_OPT__DUMP_CHARS_ONLY "dump_chars_only" 57 | #define CONFIG_OPT__DUMP_PAYLOAD "dump_payload" 58 | #define CONFIG_OPT__DUMP_PAYLOAD_VERBOSE "dump_payload_verbose" 59 | #define CONFIG_OPT__GEN_FILE "gen_file" 60 | #define CONFIG_OPT__HOSTNAME "hostname" 61 | #define CONFIG_OPT__INTERFACE "interface" 62 | #define CONFIG_OPT__LOG_DIR "logdir" 63 | #define CONFIG_OPT__OBFUSCATE "obfuscate" 64 | #define CONFIG_OPT__PID_PATH "pidpath" 65 | #define CONFIG_OPT__PROCESS_NEW_RECORDS_ONLY "process_new_records_only" 66 | #define CONFIG_OPT__QUIET "quiet" 67 | #define CONFIG_OPT__REFERENCE "reference" 68 | #define CONFIG_OPT__REFERENCE_FILE "reference_file" 69 | #define CONFIG_OPT__REFERENCE_NET "reference_net" 70 | #define CONFIG_OPT__SET_GID "set_gid" 71 | #define CONFIG_OPT__SET_UID "set_uid" 72 | #define CONFIG_OPT__SHOW_YEAR "show_year" 73 | #define CONFIG_OPT__SID_FILE "sid_file" 74 | #define CONFIG_OPT__STATEFUL "stateful" 75 | #define CONFIG_OPT__UMASK "umask" 76 | #define CONFIG_OPT__UTC "utc" 77 | #define CONFIG_OPT__VERBOSE "verbose" 78 | #define CONFIG_OPT__WALDO_FILE "waldo_file" 79 | #define CONFIG_OPT__SIGSUPPRESS "sig_suppress" 80 | #ifdef MPLS 81 | # define CONFIG_OPT__MAX_MPLS_LABELCHAIN_LEN "max_mpls_labelchain_len" 82 | # define CONFIG_OPT__MPLS_PAYLOAD_TYPE "mpls_payload_type" 83 | #endif /* MPLS */ 84 | 85 | 86 | 87 | /* exported values */ 88 | extern char *file_name; 89 | extern int file_line; 90 | 91 | /* rule setup funcs */ 92 | Barnyard2Config * ParseBarnyard2Conf(void); 93 | 94 | void ParseInput(Barnyard2Config *, char *); 95 | void ParseOutput(Barnyard2Config *, char *); 96 | void OrderRuleLists(Barnyard2Config *, char *); 97 | 98 | char * VarGet(char *); 99 | char * ProcessFileOption(Barnyard2Config *, const char *); 100 | 
void SetRuleStates(Barnyard2Config *); 101 | 102 | void ParserCleanup(void); 103 | void FreeRuleLists(Barnyard2Config *); 104 | void VarTablesFree(Barnyard2Config *); 105 | 106 | void ResolveOutputPlugins(Barnyard2Config *, Barnyard2Config *); 107 | void ConfigureInputPlugins(Barnyard2Config *); 108 | void ConfigureOutputPlugins(Barnyard2Config *); 109 | 110 | NORETURN void ParseError(const char *, ...); 111 | void ParseMessage(const char *, ...); 112 | 113 | void ConfigDisableAlertOnEachPacketInStream(Barnyard2Config *, char *); 114 | void ConfigAlertOnEachPacketInStream(Barnyard2Config *, char *); 115 | void ConfigAlertWithInterfaceName(Barnyard2Config *, char *); 116 | void ConfigArchiveDir(Barnyard2Config *, char *); 117 | void ConfigChrootDir(Barnyard2Config *, char *); 118 | void ConfigClassification(Barnyard2Config *, char *); 119 | void ConfigClassificationFile(Barnyard2Config *, char *); 120 | void ConfigCreatePidFile(Barnyard2Config *, char *); 121 | void ConfigDaemon(Barnyard2Config *, char *); 122 | void ConfigDecodeDataLink(Barnyard2Config *, char *); 123 | void ConfigDumpCharsOnly(Barnyard2Config *, char *); 124 | void ConfigDumpPayload(Barnyard2Config *, char *); 125 | void ConfigDumpPayloadVerbose(Barnyard2Config *, char *); 126 | void ConfigGenFile(Barnyard2Config *, char *); 127 | void ConfigHostname(Barnyard2Config *, char *); 128 | void ConfigInterface(Barnyard2Config *, char *); 129 | void ConfigLogDir(Barnyard2Config *, char *); 130 | void ConfigNoLoggingTimestamps(Barnyard2Config *, char *); 131 | void ConfigObfuscate(Barnyard2Config *, char *); 132 | void ConfigObfuscationMask(Barnyard2Config *, char *); 133 | void ConfigPidPath(Barnyard2Config *, char *); 134 | void ConfigProcessNewRecordsOnly(Barnyard2Config *, char *); 135 | void ConfigQuiet(Barnyard2Config *, char *); 136 | void ConfigReference(Barnyard2Config *, char *); 137 | void ConfigReferenceFile(Barnyard2Config *, char *); 138 | void ConfigReferenceNet(Barnyard2Config *, char *); 
139 | void ConfigSetGid(Barnyard2Config *, char *); 140 | void ConfigSetUid(Barnyard2Config *, char *); 141 | void ConfigSidFile(Barnyard2Config *, char *); 142 | void ConfigShowYear(Barnyard2Config *, char *); 143 | void ConfigStateful(Barnyard2Config *, char *); 144 | void ConfigSpoolFilebase(Barnyard2Config *, char *); 145 | void ConfigSpoolDirectory(Barnyard2Config *, char *); 146 | void ConfigUmask(Barnyard2Config *, char *); 147 | void ConfigUtc(Barnyard2Config *, char *); 148 | void ConfigVerbose(Barnyard2Config *, char *); 149 | void ConfigWaldoFile(Barnyard2Config *, char *); 150 | void ConfigSetEventCacheSize(Barnyard2Config *, char *); 151 | #ifdef MPLS 152 | void ConfigMaxMplsLabelChain(Barnyard2Config *, char *); 153 | void ConfigMplsPayloadType(Barnyard2Config *, char *); 154 | #endif 155 | void ConfigSigSuppress(Barnyard2Config *, char *); 156 | void DisplaySigSuppress(SigSuppress_list **); 157 | 158 | 159 | // use this so mSplit doesn't split IP lists (try c = ';') 160 | char* FixSeparators (char* rule, char c, const char* err); 161 | 162 | // use this as an alternative to mSplit when you just want name, value 163 | void GetNameValue (char* arg, char** nam, char** val, const char* err); 164 | 165 | #endif /* __PARSER_H__ */ 166 | 167 | -------------------------------------------------------------------------------- /src/pcap_pkthdr32.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2007-2009 Sourcefire, Inc. 3 | ** 4 | ** This program is free software; you can redistribute it and/or modify 5 | ** it under the terms of the GNU General Public License Version 2 as 6 | ** published by the Free Software Foundation. You may not use, modify or 7 | ** distribute this program under any other version of the GNU General 8 | ** Public License. 
9 | ** 10 | ** This program is distributed in the hope that it will be useful, 11 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | ** GNU General Public License for more details. 14 | ** 15 | ** You should have received a copy of the GNU General Public License 16 | ** along with this program; if not, write to the Free Software 17 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 18 | */ 19 | 20 | #ifndef __PCAP_PKTHDR32_H__ 21 | #define __PCAP_PKTHDR32_H__ 22 | 23 | #ifdef HAVE_CONFIG_H 24 | #include "config.h" 25 | #endif 26 | 27 | #ifdef WIN32 28 | #include 29 | #else 30 | #include 31 | #endif 32 | 33 | #include 34 | #include 35 | #include 36 | 37 | #include "sf_types.h" 38 | 39 | 40 | /* we must use fixed size of 32 bits, because on-disk 41 | * format of savefiles uses 32-bit tv_sec (and tv_usec) 42 | */ 43 | struct sf_timeval32 44 | { 45 | uint32_t tv_sec; /* seconds */ 46 | uint32_t tv_usec; /* microseconds */ 47 | }; 48 | 49 | /* this is equivalent to the pcap pkthdr struct, but we need 50 | * a 32 bit one for unified output 51 | */ 52 | struct pcap_pkthdr32 53 | { 54 | struct sf_timeval32 ts; /* packet timestamp */ 55 | uint32_t caplen; /* packet capture length */ 56 | uint32_t pktlen; /* packet "real" length */ 57 | }; 58 | 59 | 60 | #endif // __PCAP_PKTHDR32_H__ 61 | 62 | -------------------------------------------------------------------------------- /src/plugbase.h: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | ** Copyright (C) 2002-2009 Sourcefire, Inc. 4 | ** Copyright (C) 1998-2002 Martin Roesch 5 | ** 6 | ** This program is free software; you can redistribute it and/or modify 7 | ** it under the terms of the GNU General Public License Version 2 as 8 | ** published by the Free Software Foundation. 
You may not use, modify or 9 | ** distribute this program under any other version of the GNU General 10 | ** Public License. 11 | ** 12 | ** This program is distributed in the hope that it will be useful, 13 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | ** GNU General Public License for more details. 16 | ** 17 | ** You should have received a copy of the GNU General Public License 18 | ** along with this program; if not, write to the Free Software 19 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 20 | */ 21 | 22 | /* $Id$ */ 23 | #ifndef __PLUGBASE_H__ 24 | #define __PLUGBASE_H__ 25 | 26 | #ifdef HAVE_CONFIG_H 27 | # include "config.h" 28 | #endif 29 | 30 | //#include "rules.h" 31 | #include "sf_types.h" 32 | #include "debug.h" 33 | 34 | #ifndef WIN32 35 | # include 36 | #endif /* !WIN32 */ 37 | 38 | #ifdef ENABLE_SSL 39 | # ifdef Free 40 | /* Free macro in radix.h if defined, will conflict with OpenSSL definition */ 41 | # undef Free 42 | # endif 43 | #endif 44 | 45 | #if defined(FREEBSD) || defined(OPENBSD) 46 | # include 47 | #endif 48 | 49 | #if !defined(__SOLARIS__) && !defined(__CYGWIN32__) && !defined(__CYGWIN__) && \ 50 | !defined( __CYGWIN64__) 51 | #include 52 | #endif 53 | 54 | #ifdef ENABLE_SSL 55 | # undef Free 56 | #endif 57 | 58 | #if defined(SOLARIS) || defined(FREEBSD) || defined(OPENBSD) 59 | # include 60 | #endif 61 | 62 | #if defined(FREEBSD) || defined(OPENBSD) || defined(NETBSD) || defined(OSF1) 63 | # include 64 | #endif 65 | 66 | #ifndef IFNAMSIZ /* IFNAMSIZ is defined in all platforms I checked.. 
*/ 67 | # include 68 | #endif 69 | 70 | #include "decode.h" 71 | 72 | #define SMALLBUFFER 32 73 | 74 | typedef enum _InputType 75 | { 76 | INPUT_TYPE__UNIFIED_LOG = 1, 77 | INPUT_TYPE__UNIFIED_ALERT, 78 | INPUT_TYPE__UNIFIED, 79 | INPUT_TYPE__UNIFIED2, 80 | INPUT_TYPE__MAX 81 | 82 | } InputType; 83 | 84 | typedef enum _OutputType 85 | { 86 | OUTPUT_TYPE__ALERT = 1, 87 | OUTPUT_TYPE__LOG, 88 | OUTPUT_TYPE__SPECIAL, 89 | OUTPUT_TYPE__MAX 90 | 91 | } OutputType; 92 | 93 | typedef enum _OutputTypeFlag 94 | { 95 | OUTPUT_TYPE_FLAG__ALERT = 0x00000001, 96 | OUTPUT_TYPE_FLAG__LOG = 0x00000002, 97 | OUTPUT_TYPE_FLAG__ALL = 0x7fffffff 98 | 99 | } OutputTypeFlag; 100 | 101 | 102 | /***************************** Input Plugin API ******************************/ 103 | typedef void (*InputConfigFunc)(char *); 104 | typedef int (*InputReadHeaderFunc)(void *); 105 | typedef int (*InputReadRecordFunc)(void *); 106 | 107 | typedef struct _InputConfigFuncNode 108 | { 109 | char *keyword; 110 | InputConfigFunc func; 111 | struct _InputConfigFuncNode *next; 112 | 113 | } InputConfigFuncNode; 114 | 115 | typedef struct _InputFuncNode 116 | { 117 | char *keyword; 118 | int configured_flag; 119 | 120 | void *arg; 121 | int (*readRecordHeader)(void *); 122 | int (*readRecord)(void *); 123 | 124 | struct _InputFuncNode *next; 125 | } InputFuncNode; 126 | 127 | void RegisterInputPlugins(void); 128 | void InitInputPlugins(); 129 | int ActivateInputPlugin(char *plugin_name, char *plugin_options); 130 | void RegisterInputPlugin(char *, InputConfigFunc); 131 | InputConfigFunc GetInputConfigFunc(char *); 132 | InputFuncNode *GetInputPlugin(char *); 133 | void DumpInputPlugins(); 134 | int AddArgToInputList(char *plugin_name, void *arg); 135 | 136 | int AddReadRecordHeaderFuncToInputList(char *plugin_name, int (*readRecordHeader)(void *)); 137 | int AddReadRecordFuncToInputList(char *plugin_name, int (*readRecord)(void *)); 138 | 139 | int InputFuncNodeConfigured(InputFuncNode *ifn); 140 | 141 | 
142 | /***************************** Output Plugin API *****************************/ 143 | typedef void (*OutputConfigFunc)(char *); 144 | typedef void (*OutputFunc)(Packet *, void *, uint32_t, void *); 145 | 146 | typedef struct _OutputConfigFuncNode 147 | { 148 | char *keyword; 149 | int output_type_flags; 150 | OutputConfigFunc func; 151 | struct _OutputConfigFuncNode *next; 152 | 153 | } OutputConfigFuncNode; 154 | 155 | typedef struct _OutputFuncNode 156 | { 157 | void *arg; 158 | OutputFunc func; 159 | struct _OutputFuncNode *next; 160 | 161 | } OutputFuncNode; 162 | 163 | void RegisterOutputPlugins(void); 164 | void RegisterOutputPlugin(char *, int, OutputConfigFunc); 165 | OutputConfigFunc GetOutputConfigFunc(char *); 166 | int GetOutputTypeFlags(char *); 167 | void DumpOutputPlugins(void); 168 | void AddFuncToOutputList(OutputFunc, OutputType, void *); 169 | void FreeOutputConfigFuncs(void); 170 | void FreeOutputList(OutputFuncNode *); 171 | void CallOutputPlugins(OutputType, Packet *, void *, uint32_t); 172 | 173 | 174 | /*************************** Miscellaneous API ***************************/ 175 | typedef void (*PluginSignalFunc)(int, void *); 176 | 177 | typedef struct _PluginSignalFuncNode 178 | { 179 | void *arg; 180 | PluginSignalFunc func; 181 | struct _PluginSignalFuncNode *next; 182 | 183 | } PluginSignalFuncNode; 184 | 185 | /* Used for both rule options and output. 
Preprocessors have their own */ 186 | void AddFuncToRestartList(PluginSignalFunc, void *); 187 | void AddFuncToCleanExitList(PluginSignalFunc, void *); 188 | void AddFuncToShutdownList(PluginSignalFunc, void *); 189 | void AddFuncToPostConfigList(PluginSignalFunc, void *); 190 | void AddFuncToSignalList(PluginSignalFunc, void *, PluginSignalFuncNode **); 191 | void PostConfigInitPlugins(PluginSignalFuncNode *); 192 | void FreePluginSigFuncs(PluginSignalFuncNode *); 193 | void FreeInputPlugins(void); 194 | #endif /* __PLUGBASE_H__ */ 195 | 196 | -------------------------------------------------------------------------------- /src/sf_protocols.h: -------------------------------------------------------------------------------- 1 | /* $Id$ */ 2 | /**************************************************************************** 3 | * 4 | * Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. 5 | * Copyright (C) 2005-2013 Sourcefire, Inc. 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License Version 2 as 9 | * published by the Free Software Foundation. You may not use, modify or 10 | * distribute this program under any other version of the GNU General 11 | * Public License. 12 | * 13 | * This program is distributed in the hope that it will be useful, 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | * GNU General Public License for more details. 17 | * 18 | * You should have received a copy of the GNU General Public License 19 | * along with this program; if not, write to the Free Software 20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
21 | * 22 | ****************************************************************************/ 23 | 24 | #ifndef __SF_PROTOCOLS_H__ 25 | #define __SF_PROTOCOLS_H__ 26 | 27 | typedef uint8_t IpProto; 28 | 29 | typedef enum { 30 | PROTO_ETH, /* DecodeEthPkt */ 31 | 32 | PROTO_IP4, /* DecodeIP */ 33 | /* DecodeIPOptions - handled with IP4 */ 34 | PROTO_ICMP4, /* DecodeICMP */ 35 | PROTO_ICMP_IP4, /* DecodeICMPEmbeddedIP */ 36 | 37 | PROTO_UDP, /* DecodeUDP */ 38 | PROTO_TCP, /* DecodeTCP */ 39 | /* DecodeTCPOptions - handled with TCP */ 40 | 41 | PROTO_IP6, /* DecodeIPV6 */ 42 | /* DecodeIPV6Extensions - nothing to do here, calls below */ 43 | PROTO_IP6_HOP_OPTS, /* DecodeIPV6Options - ip6 hop, dst, rte, and frag exts */ 44 | PROTO_IP6_DST_OPTS, 45 | PROTO_ICMP6, /* DecodeICMP6 */ 46 | PROTO_ICMP_IP6, /* DecodeICMPEmbeddedIP6 */ 47 | PROTO_VLAN, /* DecodeVlan */ 48 | #ifdef GRE 49 | PROTO_GRE, /* DecodeGRE */ 50 | /* DecodeTransBridging - basically same as DecodeEthPkt */ 51 | PROTO_ERSPAN, /* DecodeERSPANType2 and DecodeERSPANType3 */ 52 | #endif 53 | PROTO_PPPOE, /* DecodePPPoEPkt */ 54 | PROTO_PPP_ENCAP, /* DecodePppPktEncapsulated */ 55 | PROTO_MPLS, /* DecodeMPLS - decoder changes pkth len/caplen! 
*/ 56 | /* DecodeEthOverMPLS - basically same as straight eth */ 57 | PROTO_ARP, /* DecodeARP */ 58 | PROTO_GTP, /* DecodeGTP */ 59 | PROTO_AH, /* DecodeAH - Authentication Header (IPSec stuff) */ 60 | 61 | #ifndef NO_NON_ETHER_DECODER 62 | PROTO_TR, /* DecodeTRPkt */ 63 | PROTO_FDDI, /* DecodeFDDIPkt */ 64 | PROTO_LSLL, /* DecodeLinuxSLLPkt sockaddr_ll for "any" device and */ 65 | /* certain misbehaving link layer encapsulations */ 66 | PROTO_80211, /* DecodeIEEE80211Pkt */ 67 | PROTO_SLIP, /* DecodeSlipPkt - actually, based on header size, this */ 68 | /* must be CSLIP (TCP/IP header compression) but all it */ 69 | /* does is skip over the presumed header w/o expanding */ 70 | /* and then jumps into IP4 decoding only; also, the actual */ 71 | /* esc/end sequences must already have been removed because */ 72 | /* there is no attempt to do that. */ 73 | PROTO_L2I4, /* DecodeI4LRawIPPkt - always skips 2 bytes and then does */ 74 | /* IP4 decoding only */ 75 | PROTO_L2I4C, /* DecodeI4LCiscoIPPkt -always skips 4 bytes and then does */ 76 | /* IP4 decoding only */ 77 | PROTO_CHDLC, /* DecodeChdlcPkt - skips 4 bytes and decodes IP4 only. */ 78 | PROTO_PFLOG, /* DecodePflog */ 79 | PROTO_OLD_PFLOG, /* DecodeOldPflog */ 80 | PROTO_PPP, /* DecodePppPkt - weird - optionally skips addr and cntl */ 81 | /* bytes; what about flag and protocol? */ 82 | /* calls only DecodePppPktEncapsulated. */ 83 | PROTO_PPP_SERIAL, /* DecodePppSerialPkt - also weird - requires addr, cntl, */ 84 | /* and proto (no flag) but optionally skips only 2 bytes */ 85 | /* (presumably the trailer w/chksum is already stripped) */ 86 | /* Calls either DecodePppPktEncapsulated or DecodeChdlcPkt. */ 87 | PROTO_ENC, /* DecodeEncPkt - skips 12 bytes and decodes IP4 only. 
*/ 88 | /* (add family + "spi" + "flags" - don't know what this is) */ 89 | PROTO_EAP, /* DecodeEAP */ 90 | PROTO_EAPOL, /* DecodeEapol - leaf decoder */ 91 | PROTO_EAPOL_KEY, /* DecodeEapolKey - leaf decoder */ 92 | #endif /* NO_NON_ETHER_DECODER */ 93 | 94 | PROTO_MAX 95 | } PROTO_ID; 96 | 97 | /* DecodeIPX - just counts; no decoding */ 98 | /* DecodeEthLoopback - same as ipx */ 99 | /* DecodeRawPkt - jumps straight into IP4 decoding */ 100 | /* there is nothing to do */ 101 | /* DecodeNullPkt - same as DecodeRawPkt */ 102 | 103 | typedef struct { 104 | PROTO_ID proto; 105 | uint16_t length; 106 | uint8_t* start; 107 | } Layer; 108 | 109 | #endif /* __SF_PROTOCOLS_H__ */ 110 | 111 | -------------------------------------------------------------------------------- /src/sf_types.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. 3 | ** Copyright (C) 2007-2013 Sourcefire, Inc. 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
19 | */ 20 | 21 | #ifndef __SF_TYPES_H__ 22 | #define __SF_TYPES_H__ 23 | 24 | #include 25 | 26 | #ifdef HAVE_CONFIG_H 27 | #include "config.h" 28 | 29 | #ifdef WIN32 30 | # include "stdint.h" 31 | # include "inttypes.h" 32 | #else 33 | /* Autoconf uses , and as standard includes for 34 | * determining if these exist so there shouldn't be any typedef conflicts with 35 | * including , or since these would be 36 | * defined already */ 37 | # if !defined(HAVE_UINT8_T) || !defined(HAVE_U_INT8_T) 38 | # if !defined(HAVE_UINT8_T) && !defined(HAVE_U_INT8_T) 39 | typedef unsigned char u_int8_t; 40 | typedef unsigned char uint8_t; 41 | # elif defined(HAVE_UINT8_T) 42 | typedef uint8_t u_int8_t; 43 | # else 44 | typedef u_int8_t uint8_t; 45 | # endif /* !defined(HAVE_UINT8_T) && !defined(HAVE_U_INT8_T) */ 46 | # endif /* !defined(HAVE_UINT8_T) || !defined(HAVE_U_INT8_T) */ 47 | # if !defined(HAVE_UINT16_T) || !defined(HAVE_U_INT16_T) 48 | # if !defined(HAVE_UINT16_T) && !defined(HAVE_U_INT16_T) 49 | typedef unsigned short u_int16_t; 50 | typedef unsigned short uint16_t; 51 | # elif defined(HAVE_UINT16_T) 52 | typedef uint16_t u_int16_t; 53 | # else 54 | typedef u_int16_t uint16_t; 55 | # endif /* !defined(HAVE_UINT16_T) && !defined(HAVE_U_INT16_T) */ 56 | # endif /* !defined(HAVE_UINT16_T) || !defined(HAVE_U_INT16_T) */ 57 | # if !defined(HAVE_UINT32_T) || !defined(HAVE_U_INT32_T) 58 | # if !defined(HAVE_UINT32_T) && !defined(HAVE_U_INT32_T) 59 | # if SIZEOF_UNSIGNED_LONG_INT == 4 60 | typedef unsigned long int u_int32_t; 61 | typedef unsigned long int uint32_t; 62 | # elif SIZEOF_UNSIGNED_INT == 4 63 | typedef unsigned int u_int32_t; 64 | typedef unsigned int uint32_t; 65 | # endif /* SIZEOF_UNSIGNED_LONG_INT == 4 */ 66 | # elif defined(HAVE_UINT32_T) 67 | typedef uint32_t u_int32_t; 68 | # else 69 | typedef u_int32_t uint32_t; 70 | # endif /* !defined(HAVE_UINT32_T) && !defined(HAVE_U_INT32_T) */ 71 | # endif /* !defined(HAVE_UINT32_T) || !defined(HAVE_U_INT32_T) */ 72 | # 
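if !defined(HAVE_UINT64_T) || !defined(HAVE_U_INT64_T) 73 | # if !defined(HAVE_UINT64_T) && !defined(HAVE_U_INT64_T) 74 | # if SIZEOF_UNSIGNED_LONG_LONG_INT == 8 75 | typedef unsigned long long int u_int64_t; 76 | typedef unsigned long long int uint64_t; 77 | # elif SIZEOF_UNSIGNED_LONG_INT == 8 78 | typedef unsigned long int u_int64_t; 79 | typedef unsigned long int uint64_t; 80 | # endif 81 | # elif defined(HAVE_UINT64_T) 82 | typedef uint64_t u_int64_t; 83 | # else 84 | typedef u_int64_t uint64_t; 85 | # endif /* !defined(HAVE_UINT64_T) && !defined(HAVE_U_INT64_T) */ 86 | # endif /* !defined(HAVE_UINT64_T) || !defined(HAVE_U_INT64_T) */ 87 | # ifndef HAVE_INT8_T 88 | /* Fallback for platforms without int8_t. Must be "signed char", not plain "char": the signedness of plain char is implementation-defined, so "typedef char int8_t" would produce an unsigned 8-bit type on ABIs where char is unsigned and silently break every negative-value check made through int8_t. */ typedef signed char int8_t; 89 | # endif 90 | # ifndef HAVE_INT16_T 91 | typedef short int16_t; 92 | # endif 93 | # ifndef HAVE_INT32_T 94 | # if SIZEOF_LONG_INT == 4 95 | typedef long int int32_t; 96 | # else 97 | typedef int int32_t; 98 | # endif 99 | # endif 100 | # ifndef HAVE_INT64_T 101 | # if SIZEOF_LONG_LONG_INT == 8 102 | typedef long long int int64_t; 103 | # else 104 | typedef long int int64_t; 105 | # endif 106 | # endif 107 | # ifndef WIN32 108 | # ifdef HAVE_INTTYPES_H 109 | /* includes */ 110 | # include 111 | # elif HAVE_STDINT_H 112 | # include 113 | # else 114 | /* Solaris - if inttypes.h is present, it should bring this in */ 115 | # ifndef SYS_INT_TYPES_H 116 | # if defined(_LP64) || defined(_I32LPx) 117 | typedef long int intptr_t; 118 | typedef unsigned long int uintptr_t; 119 | # else 120 | typedef int intptr_t; 121 | typedef unsigned int uintptr_t; 122 | # endif /* defined(_LP64) || defined(_I32LPx) */ 123 | # endif /* SYS_INT_TYPES_H */ 124 | # endif /* HAVE_INTTYPES_H elseif HAVE_STDINT_H */ 125 | # endif 126 | #endif /* WIN32 */ 127 | #endif /* HAVE_CONFIG_H */ 128 | 129 | /* if PRIu64 isn't in 130 | * we define it and similar here */ 131 | #ifndef PRIu64 132 | # if SIZEOF_UNSIGNED_LONG_INT == 8 133 | # define _SF_PREFIX "l" 134 | # else 135 | # define _SF_PREFIX "ll" 136 | # 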
endif /* SIZEOF_UNSIGNED_LONG_INT == 8 */ 137 | # define PRIu64 _SF_PREFIX "u" 138 | # define PRIi64 _SF_PREFIX "i" 139 | # define PRIx64 _SF_PREFIX "x" 140 | #endif /* PRIu64 */ 141 | 142 | /* use these macros (and those in ) 143 | * for 64 bit format portability 144 | */ 145 | #define STDu64 "%" PRIu64 146 | #define CSVu64 STDu64 "," 147 | #define FMTu64(fmt) "%" fmt PRIu64 148 | 149 | #define STDi64 "%" PRIi64 150 | #define CSVi64 STDi64 "," 151 | #define FMTi64(fmt) "%" fmt PRIi64 152 | 153 | #define STDx64 "%" PRIx64 154 | #define CSVx64 STDx64 "," 155 | #define FMTx64(fmt) "%" fmt PRIx64 156 | 157 | #ifndef UINT8_MAX 158 | # define UINT8_MAX 0xff 159 | #endif 160 | #ifndef USHRT_MAX 161 | # define USHRT_MAX 0xffff 162 | #endif 163 | #ifndef UINT16_MAX 164 | # define UINT16_MAX 0xffff 165 | #endif 166 | #ifndef UINT32_MAX 167 | # define UINT32_MAX (4294967295U) 168 | #endif 169 | #ifndef UINT64_MAX 170 | # if SIZEOF_UNSIGNED_LONG_INT == 8 171 | # define UINT64_MAX (18446744073709551615UL) 172 | # else 173 | # define UINT64_MAX (18446744073709551615ULL) 174 | # endif /* SIZEOF_UNSIGNED_LONG_INT == 8 */ 175 | #endif /* UINT64_MAX */ 176 | 177 | /* Somewhat arbitrary, but should be enough for this application 178 | * since files shouldn't be buried too deep. 
This provides about 179 | * 15 levels of 255 character path components */ 180 | #ifndef PATH_MAX 181 | # define PATH_MAX 4096 182 | #endif 183 | 184 | /* utilities */ 185 | #ifndef boolean 186 | #ifndef HAVE_BOOLEAN 187 | typedef unsigned char boolean; 188 | #endif 189 | #endif 190 | 191 | #ifndef TRUE 192 | # define TRUE 1 193 | #endif 194 | 195 | #ifndef FALSE 196 | # define FALSE 0 197 | #endif 198 | 199 | #ifdef HAVE_STDBOOL_H 200 | # include 201 | #else 202 | # ifndef HAVE__BOOL 203 | # ifdef __cplusplus 204 | typedef bool _Bool; 205 | # else 206 | # define _Bool signed char 207 | # endif 208 | # endif 209 | # define bool _Bool 210 | # define false 0 211 | # define true 1 212 | # define __bool_true_false_are_defined 1 213 | #endif 214 | 215 | #endif /* __SF_TYPES_H__ */ 216 | 217 | -------------------------------------------------------------------------------- /src/sfutil/Makefile.am: -------------------------------------------------------------------------------- 1 | AUTOMAKE_OPTIONS=foreign no-dependencies 2 | 3 | noinst_LIBRARIES = libsfutil.a 4 | 5 | libsfutil_a_SOURCES = bitop.h \ 6 | getopt_long.c getopt.h getopt1.h \ 7 | sfhashfcn.h \ 8 | sfmemcap.c sfmemcap.h \ 9 | sfprimetable.c sfprimetable.h \ 10 | sfxhash.c sfxhash.h \ 11 | sf_ip.c sf_ip.h \ 12 | sf_iph.c sf_iph.h \ 13 | sf_ipvar.c sf_ipvar.h \ 14 | sf_textlog.c sf_textlog.h \ 15 | sf_vartable.c sf_vartable.h 16 | 17 | 18 | AM_CPPFLAGS = -I.. 19 | -------------------------------------------------------------------------------- /src/sfutil/bitop.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** $Id$ 3 | ** 4 | ** bitopt.c 5 | ** 6 | ** Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. 7 | ** Copyright (C) 2002-2013 Sourcefire, Inc. 
8 | ** Dan Roelker 9 | ** Marc Norton 10 | ** 11 | ** This program is free software; you can redistribute it and/or modify 12 | ** it under the terms of the GNU General Public License Version 2 as 13 | ** published by the Free Software Foundation. You may not use, modify or 14 | ** distribute this program under any other version of the GNU General 15 | ** Public License. 16 | ** 17 | ** This program is distributed in the hope that it will be useful, 18 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 19 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 20 | ** GNU General Public License for more details. 21 | ** 22 | ** You should have received a copy of the GNU General Public License 23 | ** along with this program; if not, write to the Free Software 24 | ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 25 | ** 26 | ** NOTES 27 | ** 5.15.02 - Initial Source Code. Norton/Roelker 28 | ** 5.23.02 - Moved bitop functions to bitop.h to inline. Norton/Roelker 29 | ** 1.21.04 - Added static initialization. Roelker 30 | ** 9.13.05 - Separated type and inline func definitions. Sturges 31 | ** 32 | */ 33 | 34 | #ifndef _BITOP_H 35 | #define _BITOP_H 36 | 37 | typedef struct _BITOP { 38 | unsigned char *pucBitBuffer; 39 | unsigned int uiBitBufferSize; 40 | unsigned int uiMaxBits; 41 | } BITOP; 42 | 43 | #endif /* _BITOP_H */ 44 | -------------------------------------------------------------------------------- /src/sfutil/getopt.h: -------------------------------------------------------------------------------- 1 | /* $Id$ */ 2 | /* 3 | ** Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. 4 | ** Copyright (C) 2002-2013 Sourcefire, Inc. 5 | ** Copyright (C) 2002 Martin Roesch 6 | ** 7 | ** This program is free software; you can redistribute it and/or modify 8 | ** it under the terms of the GNU General Public License Version 2 as 9 | ** published by the Free Software Foundation. 
You may not use, modify or 10 | ** distribute this program under any other version of the GNU General 11 | ** Public License. 12 | ** 13 | ** This program is distributed in the hope that it will be useful, 14 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | ** GNU General Public License for more details. 17 | ** 18 | ** You should have received a copy of the GNU General Public License 19 | ** along with this program; if not, write to the Free Software 20 | ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 21 | */ 22 | 23 | #ifndef _SNORT_GETOPT_H_ 24 | #define _SNORT_GETOPT_H_ 25 | 26 | #ifdef SNORT_GETOPT 27 | #define _next_char(string) (char)(*(string+1)) 28 | 29 | extern char * optarg; 30 | extern int optind; 31 | 32 | int getopt(int, char**, char*); 33 | 34 | #else 35 | #include 36 | #endif 37 | 38 | #endif /* _SNORT_GETOPT_H_ */ 39 | -------------------------------------------------------------------------------- /src/sfutil/getopt1.h: -------------------------------------------------------------------------------- 1 | /* Declarations for getopt. 2 | Copyright (C) 1989, 1990, 1991, 1992, 1993 Free Software Foundation, Inc. 3 | 4 | This program is free software; you can redistribute it and/or modify it 5 | it under the terms of the GNU General Public License Version 2 as 6 | published by the Free Software Foundation. You may not use, modify or 7 | distribute this program under any other version of the GNU General 8 | Public License. 9 | 10 | This program is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | GNU General Public License for more details. 
*/ 14 | 15 | #ifndef _GETOPT1_H 16 | #define _GETOPT1_H 1 17 | 18 | #ifndef HAVE_GETOPT_LONG 19 | 20 | #ifdef __cplusplus 21 | extern "C" { 22 | #endif 23 | 24 | /* For communication from `getopt' to the caller. 25 | When `getopt' finds an option that takes an argument, 26 | the argument value is returned here. 27 | Also, when `ordering' is RETURN_IN_ORDER, 28 | each non-option ARGV-element is returned here. */ 29 | 30 | extern char *optarg; 31 | 32 | /* Index in ARGV of the next element to be scanned. 33 | This is used for communication to and from the caller 34 | and for communication between successive calls to `getopt'. 35 | 36 | On entry to `getopt', zero means this is the first call; initialize. 37 | 38 | When `getopt' returns EOF, this is the index of the first of the 39 | non-option elements that the caller should itself scan. 40 | 41 | Otherwise, `optind' communicates from one call to the next 42 | how much of ARGV has been scanned so far. */ 43 | 44 | extern int optind; 45 | 46 | /* Callers store zero here to inhibit the error message `getopt' prints 47 | for unrecognized options. */ 48 | 49 | extern int opterr; 50 | 51 | /* Set to an option character which was unrecognized. */ 52 | 53 | extern int optopt; 54 | 55 | /* Describe the long-named options requested by the application. 56 | The LONG_OPTIONS argument to getopt_long or getopt_long_only is a vector 57 | of `struct option' terminated by an element containing a name which is 58 | zero. 59 | 60 | The field `has_arg' is: 61 | no_argument (or 0) if the option does not take an argument, 62 | required_argument (or 1) if the option requires an argument, 63 | optional_argument (or 2) if the option takes an optional argument. 64 | 65 | If the field `flag' is not NULL, it points to a variable that is set 66 | to the value given in the field `val' when the option is found, but 67 | left unchanged if the option is not found. 
68 | 69 | To have a long-named option do something other than set an `int' to 70 | a compiled-in constant, such as set a value from `optarg', set the 71 | option's `flag' field to zero and its `val' field to a nonzero 72 | value (the equivalent single-letter option character, if there is 73 | one). For long options that have a zero `flag' field, `getopt' 74 | returns the contents of the `val' field. */ 75 | 76 | struct option 77 | { 78 | #if __STDC__ 79 | const char *name; 80 | #else 81 | char *name; 82 | #endif 83 | /* has_arg can't be an enum because some compilers complain about 84 | type mismatches in all the code that assumes it is an int. */ 85 | int has_arg; 86 | int *flag; 87 | int val; 88 | }; 89 | 90 | /* Names for the values of the `has_arg' field of `struct option'. */ 91 | 92 | #define no_argument 0 93 | #define required_argument 1 94 | #define optional_argument 2 95 | 96 | #if __STDC__ 97 | 98 | #ifndef HAVE_GETOPT 99 | extern int getopt (int argc, char *const *argv, const char *optstring); 100 | #endif 101 | 102 | extern int getopt_long (int argc, char *const *argv, const char *shortopts, 103 | const struct option *longopts, int *longind); 104 | extern int getopt_long_only (int argc, char *const *argv, 105 | const char *shortopts, 106 | const struct option *longopts, int *longind); 107 | 108 | /* Internal only. Users should not call this directly. 
*/ 109 | extern int _getopt_internal (int argc, char *const *argv, 110 | const char *shortopts, 111 | const struct option *longopts, int *longind, 112 | int long_only); 113 | #else /* not __STDC__ */ 114 | 115 | #ifndef HAVE_GETOPT 116 | extern int getopt (); 117 | #endif 118 | extern int getopt_long (); 119 | extern int getopt_long_only (); 120 | 121 | extern int _getopt_internal (); 122 | #endif /* not __STDC__ */ 123 | 124 | #ifdef __cplusplus 125 | } 126 | #endif 127 | 128 | #endif /* HAVE_GETOPT_LONG */ 129 | 130 | #endif /* _GETOPT1_H */ 131 | -------------------------------------------------------------------------------- /src/sfutil/sf_iph.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. 3 | ** Copyright (C) 2007-2013 Sourcefire, Inc. 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
** USA
*/

#ifndef SFIPH_H
#define SFIPH_H

struct _Packet;

/* Table of accessors for the IP header of a decoded packet.  Each
 * member reads one header field from the packet; the orig_* members
 * are the same accessors for the "original" header (the inner header
 * carried by an ICMP error, going by the CALLBACK_ICMP_ORIG selector
 * below -- confirm in sf_iph.c).  The return widths are those of the
 * table, not of IPv4: e.g. iph_ret_id is 32 bits wide, so callers must
 * not truncate it to the IPv4 16-bit identification field.  `ver`
 * presumably records which table (IPH_API_V4 / IPH_API_V6) is in use. */
typedef struct _IPH_API
{
    sfip_t *   (*iph_ret_src)(const struct _Packet *);
    sfip_t *   (*iph_ret_dst)(const struct _Packet *);
    uint16_t   (*iph_ret_tos)(const struct _Packet *);
    uint8_t    (*iph_ret_ttl)(const struct _Packet *);
    uint16_t   (*iph_ret_len)(const struct _Packet *);
    uint32_t   (*iph_ret_id)(const struct _Packet *);
    uint8_t    (*iph_ret_proto)(const struct _Packet *);
    uint16_t   (*iph_ret_off)(const struct _Packet *);
    uint8_t    (*iph_ret_ver)(const struct _Packet *);
    uint8_t    (*iph_ret_hlen)(const struct _Packet *);

    sfip_t *   (*orig_iph_ret_src)(const struct _Packet *);
    sfip_t *   (*orig_iph_ret_dst)(const struct _Packet *);
    uint16_t   (*orig_iph_ret_tos)(const struct _Packet *);
    uint8_t    (*orig_iph_ret_ttl)(const struct _Packet *);
    uint16_t   (*orig_iph_ret_len)(const struct _Packet *);
    uint32_t   (*orig_iph_ret_id)(const struct _Packet *);
    uint8_t    (*orig_iph_ret_proto)(const struct _Packet *);
    uint16_t   (*orig_iph_ret_off)(const struct _Packet *);
    uint8_t    (*orig_iph_ret_ver)(const struct _Packet *);
    uint8_t    (*orig_iph_ret_hlen)(const struct _Packet *);

    char ver;
} IPH_API;

/* The two concrete accessor tables, defined in sf_iph.c. */
extern IPH_API ip4;
extern IPH_API ip6;

#define IPH_API_V4 4
#define IPH_API_V6 6

/* A packet whose family is NO_IP carries no IP header at all; test this
 * before calling any accessor in the table.  (Evaluates (p)->family, so
 * p must be a decoded packet with that member.)  NO_IP is defined after
 * its use here, which is fine for a macro: expansion happens at the
 * point of use. */
#define iph_is_valid(p) ((p)->family != NO_IP)
#define NO_IP 0

/* Attach the header at hdr to p and select the accessor table for
 * "family"; the _orig variant does the same for the original header. */
void sfiph_build(struct _Packet *p, const void *hdr, int family);
void sfiph_orig_build(struct _Packet *p, const void *hdr, int family);

/* Sets the callbacks to point at the family selected by
 * "family".
"family" is either AF_INET or AF_INET6 */
/* Values of the `orig' argument to set_callbacks(): select the main
 * header table or the original (ICMP-embedded) header table. */
#define CALLBACK_IP 0
#define CALLBACK_ICMP_ORIG 1

void set_callbacks(struct _Packet *p, int family, char orig);

#endif

--------------------------------------------------------------------------------
/src/sfutil/sf_ipvar.h:
--------------------------------------------------------------------------------
/*
** Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
** Copyright (C) 1998-2013 Sourcefire, Inc.
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/

/*
 * Adam Keeton
 * sf_ipvar.h
 * 11/17/06
 */


#ifndef SF_IPVAR_H
#define SF_IPVAR_H

/* Flags (sfip_node_t.flags / sfvar_flags()) */
#define SFIP_NEGATED 1
#define SFIP_ANY 2

/* NOTE(review): the header name on the next line was lost in
 * extraction; the FILE* prototypes further down need <stdio.h>. */
#include
#include "sf_ip.h"

/* Selects which mode a given variable is using to
 * store and lookup IP addresses */
typedef enum _modes {
    SFIP_LIST,
    SFIP_TABLE
} MODES;

/* Used by the "list" mode.  A singly linked list of sfip_t objects
 * (the node below only carries a `next' pointer).
*/
typedef struct _ip_node {
    sfip_t *ip;
/* To ease porting Snort.  Note this macro is never #undef'd, so `ip_addr'
 * is rewritten to `ip' for the rest of every translation unit that
 * includes this header. */
#define ip_addr ip
    struct _ip_node *next;
    int flags;              /* SFIP_NEGATED / SFIP_ANY */
    // XXX
    int addr_flags;         /* Flags used exclusively by Snort */
                            /* Keeping these variables separate keeps
                             * this from stepping on Snort's toes. */
                            /* Should merge them later */
} sfip_node_t;

/* An IP variable object */
typedef struct _var_t {
    /* Selects whether or not to use the list, the table,
     * or any other method added later */
    MODES mode;

    /* Linked lists.  Switch to something faster later.
     * head holds the included addresses, neg_head the negated ones. */
    sfip_node_t *head;
    sfip_node_t *neg_head;

    /* The mode above will select whether to use the sfip_node_t linked list
     * or the IP routing table */
    // sfrt rt;

    /* Linked list of IP variables for the variable table */
    struct _var_t *next;

    uint32_t id;
    char *name;
    char *value;            /* original textual definition (presumably; set by the parser) */
} sfip_var_t;

/* A variable table for storing and looking up variables */
/* Expand later to use a faster data structure */
typedef struct _vartable_t {
    sfip_var_t *head;
    uint32_t id;            /* next id to hand out (presumably) */
} vartable_t;

/* Creates a new variable that is an alias of another variable
 * Does a "deep" copy so it owns its own pointers */
sfip_var_t * sfvar_create_alias(const sfip_var_t *alias_from, const char *alias_to);

/* Returns 1 if the two variables are aliases of each other, 0 otherwise */
int sfvar_is_alias(const sfip_var_t *one, const sfip_var_t *two);

/* Allocates a new variable as according to "str".  "str" is non-const:
 * whether the parser modifies it in place is not visible here, so do
 * not pass a string literal. */
sfip_var_t *sfvar_alloc(vartable_t *table, char *str, SFIP_RET *status);

/* Makes sure there are no IP address conflicts in the variable */
/* Returns SFIP_CONFLICT if so */
SFIP_RET sfvar_validate(sfip_var_t *var);

/* Parses an IP list described by 'str' and saves the results in 'var'.
*/
SFIP_RET sfvar_parse_iplist(vartable_t *table, sfip_var_t *var,
                            char *str, int negation);

/* Allocates and returns an IP node described by 'str' */
sfip_node_t *sfipnode_alloc(char *str, SFIP_RET *status);

/* Adds a deep copy of src to dst */
/* Ordering is not necessarily preserved */
SFIP_RET sfvar_add(sfip_var_t *dst, sfip_var_t *src);

/* Adds the nodes in 'src' to the variable 'dst' */
/* The mismatch of types is for ease-of-supporting Snort4 and
 * Snort6 simultaneously */
SFIP_RET sfvar_add_node(sfip_var_t *dst, sfip_node_t *src, int negated);

/* Compares two variables.  Necessary when building RTN structure */
SFIP_RET sfvar_compare(const sfip_var_t *one, const sfip_var_t *two);

/* Deep copy.  Returns identical, new, linked list of sfipnodes. */
sfip_var_t *sfvar_deep_copy(const sfip_var_t *src);

/* Free an allocated variable */
void sfvar_free(sfip_var_t *var);

/* Returns non-zero if ip is contained in 'var', 0 otherwise */
/* If either argument is NULL, 0 is returned.  How negated entries
 * (neg_head) interact with the positive list is decided in sf_ipvar.c. */
int sfvar_ip_in(sfip_var_t *var, sfip_t *ip);

/* Prints the variable "var" / the node list "head", each line prefixed
 * with 'prefix'.  The *_to_file variants write to the stream 'f'
 * instead; where the prefix-only variants write is not visible here. */
void sfvar_print(const char *prefix, sfip_var_t *var);
void sfip_set_print(const char *prefix, sfip_node_t *head);

void sfvar_print_to_file(FILE *f, sfip_var_t *var);
void sfip_set_print_to_file(FILE *f, sfip_node_t *head);

/* Returns the node's flags */
int sfvar_flags(sfip_node_t *node);

#endif

--------------------------------------------------------------------------------
/src/sfutil/sf_textlog.h:
--------------------------------------------------------------------------------
/****************************************************************************
 *
 * Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
 * Copyright (C) 2003-2013 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 *
 ****************************************************************************/

/**
 * @file   sf_textlog.h
 * @author Russ Combs
 * @date   Fri Jun 27 10:34:37 2003
 *
 * @brief  declares buffered text stream for logging
 *
 * Declares a TextLog_*() api for buffered logging.  This allows
 * relatively painless transition from fprintf(), fwrite(), etc.
 * to a buffer that is formatted in memory and written with one
 * fwrite().
 *
 * Additionally, the file is capped at a maximum size.  Beyond
 * that, the file is closed, renamed, and reopened.  The current
 * file always has the same name.  Old files are renamed to that
 * name plus a timestamp.
 *
 * NOTE(review): rotation works by renaming within the log directory,
 * so that directory should not be writable by untrusted users; nothing
 * in this API enforces that.
 */

#ifndef _SF_TEXT_LOG_H
#define _SF_TEXT_LOG_H

/* NOTE(review): the three header names below were lost in extraction.
 * The declarations that follow need FILE (<stdio.h>), time_t (<time.h>),
 * bool (<stdbool.h>) and strlen (<string.h>). */
#include
#include
#include

/* Size units for the maxBuf / maxFile arguments.  G_BYTES is 2^30,
 * which still fits a 32-bit int. */
#define K_BYTES (1024)
#define M_BYTES (K_BYTES*K_BYTES)
#define G_BYTES (K_BYTES*M_BYTES)

/*
 * DO NOT ACCESS STRUCT MEMBERS DIRECTLY
 * EXCEPT FROM WITHIN THE IMPLEMENTATION!
*/
/* Buffered log stream.  Parameter names use `this', so this header is
 * C-only (it will not compile as C++). */
typedef struct _TextLog
{
/* private: */
    /* file attributes: */
    FILE* file;
    char* name;             /* the current file always has this name (see file comment) */
    size_t size;
    size_t maxFile;         /* cap after which the file is rotated */
    time_t last;

    /* buffer attributes: */
    unsigned int pos;       /* bytes currently held in buf */
    unsigned int maxBuf;    /* capacity of buf */
    char buf[1];            /* trailing array; presumably allocated with the
                             * real length by TextLog_Init -- confirm in sf_textlog.c */
} TextLog;

/* Creates a log writing to `name' with a maxBuf-byte buffer and a
 * maxFile-byte rotation cap; TextLog_Term flushes/closes it (presumed). */
TextLog* TextLog_Init (
    const char* name, unsigned int maxBuf, size_t maxFile
);
void TextLog_Term (TextLog* this);

bool TextLog_Putc(TextLog*, char);
bool TextLog_Quote(TextLog*, const char*);
bool TextLog_Write(TextLog*, const char*, int len);
bool TextLog_Print(TextLog*, const char* format, ...);

bool TextLog_Flush(TextLog*);

/*-------------------------------------------------------------------
 * helper functions
 *-------------------------------------------------------------------
 */
/* Current write offset into the buffer. */
static inline int TextLog_Tell (TextLog* this)
{
    return this->pos;
}

/* Bytes that can still be appended while leaving room for a NUL.
 * Computed in unsigned arithmetic and narrowed to int, so it is only
 * meaningful while pos < maxBuf. */
static inline int TextLog_Avail (TextLog* this)
{
    return this->maxBuf - this->pos - 1;
}

/* Discards the buffered text without writing it. */
static inline void TextLog_Reset (TextLog* this)
{
    this->pos = 0;
    this->buf[this->pos] = '\0';
}

static inline bool TextLog_NewLine (TextLog* this)
{
    return TextLog_Putc(this, '\n');
}

/* Appends a NUL-terminated string.  The length goes through the `int
 * len' parameter of TextLog_Write, so strings longer than INT_MAX are
 * not representable here. */
static inline bool TextLog_Puts (TextLog* this, const char* str)
{
    return TextLog_Write(this, str, strlen(str));
}

#endif /* _SF_TEXT_LOG_H */


--------------------------------------------------------------------------------
/src/sfutil/sf_vartable.h:
--------------------------------------------------------------------------------
/*
** Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
** Copyright (C) 1998-2013 Sourcefire, Inc.
4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 19 | */ 20 | 21 | /* 22 | * Adam Keeton 23 | * sf_vartable.h 24 | * 11/17/06 25 | * 26 | * Library for implementing a variable table. 27 | * All API calls have the prefix "sfvt". 
*/

#ifndef SF_VARTABLE_H
#define SF_VARTABLE_H

#include "ipv6_port.h"
#include "sf_ipvar.h"

/* Allocates new variable table; sfvt_free_table releases it (whether the
 * variables it holds are freed with it is decided in sf_vartable.c). */
vartable_t * sfvt_alloc_table(void);
void sfvt_free_table(vartable_t *table);

/* Adds the variable described by "str" to the table "table".  The
 * char* parameters here are non-const: whether the parser modifies
 * them in place is not visible from this header, so do not pass
 * string literals. */
SFIP_RET sfvt_add_str(vartable_t *table, char *str, sfip_var_t **);
SFIP_RET sfvt_define(vartable_t *table, char *name, char *value);

/* Adds the variable described by "src" to the variable "dst",
 * using the vartable for looking up variables referenced within "src" */
SFIP_RET sfvt_add_to_var(vartable_t *table, sfip_var_t *dst, char *src);

/* Looks up a variable from the table using the name as the key.
 * The returned variable stays owned by the table (presumed). */
sfip_var_t *sfvt_lookup_var(vartable_t *table, char *name);

/* Prints a table's contents to the stream f */
void sfvt_print(FILE *f, vartable_t *table);

#endif

--------------------------------------------------------------------------------
/src/sfutil/sfhashfcn.h:
--------------------------------------------------------------------------------
/****************************************************************************
 *
 * Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
 * Copyright (C) 2003-2013 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 *
 ****************************************************************************/

/*
   sfhashfcn.h
*/
#ifndef SFHASHFCN_INCLUDE
#define SFHASHFCN_INCLUDE

/* NOTE(review): the four header names below were lost in extraction;
 * size_t (used by keycmp_fcn) needs <stddef.h> or <stdlib.h>. */
#include
#include
#include
#include

/* 32-bit left rotate.  Only valid for 1 <= k <= 31: k == 0 (or 32)
 * makes (x)>>(32-(k)) a shift by the full width, which is undefined.
 * Every use below passes a constant in range.  x is not masked, so
 * pass an unsigned 32-bit value. */
#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))

/* Three-word mixing step.  `rot', `mix' and `final' are short,
 * unprefixed macros exported to every includer of this header; do not
 * reuse those names as identifiers in code that includes it. */
#define mix(a,b,c) \
{ \
  a -= c;  a ^= rot(c, 4);  c += b; \
  b -= a;  b ^= rot(a, 6);  a += c; \
  c -= b;  c ^= rot(b, 8);  b += a; \
  a -= c;  a ^= rot(c,16);  c += b; \
  b -= a;  b ^= rot(a,19);  a += c; \
  c -= b;  c ^= rot(b, 4);  b += a; \
}

/* Final avalanche applied after the last mix. */
#define final(a,b,c) \
{ \
  c ^= b; c -= rot(b,14); \
  a ^= c; a -= rot(c,11); \
  b ^= a; b -= rot(a,25); \
  c ^= b; c -= rot(b,16); \
  a ^= c; a -= rot(c,4);  \
  b ^= a; b -= rot(a,14); \
  c ^= b; c -= rot(b,24); \
}

/* Hash-function object used by the sfxhash tables (SFXHASH.sfhashfcn).
 * The meaning of seed / scale / hardener is defined in sfhashfcn.c and
 * not visible here.  hash_fcn and keycmp_fcn are replaceable through
 * sfhashfcn_set_keyops so a table can hash and compare its own key type. */
typedef struct _SFHASHFCN {

  unsigned seed;
  unsigned scale;
  unsigned hardener;
  unsigned (*hash_fcn)(struct _SFHASHFCN * p,
                       unsigned char *d,
                       int n );
  int      (*keycmp_fcn)( const void *s1,
                          const void *s2,
                          size_t n);
} SFHASHFCN;

/* Creates a hash function for a table of nrows rows; sfhashfcn_free
 * releases it.  What sfhashfcn_static does is defined in sfhashfcn.c. */
SFHASHFCN * sfhashfcn_new( int nrows );
void sfhashfcn_free( SFHASHFCN * p );
void sfhashfcn_static( SFHASHFCN * p );

/* Hashes the n-byte key d with p->hash_fcn.  n is an int, so keys longer
 * than INT_MAX cannot be described. */
unsigned sfhashfcn_hash( SFHASHFCN * p, unsigned char *d, int n );

/* Replaces both callbacks of p.  keycmp_fcn has the memcmp() signature;
 * the implementation presumably treats 0 as "equal" -- confirm in sfxhash.c. */
int sfhashfcn_set_keyops( SFHASHFCN * p,
                          unsigned (*hash_fcn)( SFHASHFCN * p,
                                                unsigned char *d,
                                                int n),
                          int (*keycmp_fcn)( const void *s1,
                                             const void *s2,
                                             size_t n));



#endif

--------------------------------------------------------------------------------
/src/sfutil/sfmemcap.c:
-------------------------------------------------------------------------------- 1 | /**************************************************************************** 2 | * 3 | * Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. 4 | * Copyright (C) 2003-2013 Sourcefire, Inc. 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License Version 2 as 8 | * published by the Free Software Foundation. You may not use, modify or 9 | * distribute this program under any other version of the GNU General 10 | * Public License. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 20 | * 21 | ****************************************************************************/ 22 | 23 | /* 24 | sfmemcap.c 25 | 26 | These functions wrap the alloc & free functions. They enforce a memory cap using 27 | the MEMCAP structure. The MEMCAP structure tracks memory usage. Each allocation 28 | has 4 bytes added to it so we can store the allocation size. This allows us to 29 | free a block and accurately track how much memory was recovered. 30 | 31 | Marc Norton 32 | */ 33 | #include 34 | #include 35 | #include 36 | 37 | #ifdef HAVE_CONFIG_H 38 | #include "config.h" 39 | #endif 40 | 41 | #include "sf_types.h" 42 | #include "sfmemcap.h" 43 | #include "util.h" 44 | 45 | /* 46 | * Set max # bytes & init other variables. 
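*/
void sfmemcap_init( MEMCAP * mc, unsigned long nbytes )
{
     mc->memcap = nbytes;
     mc->memused= 0;
     mc->nblocks= 0;
}

/*
 * Create and Init a MEMCAP - use sfmemcap_delete to release it.
 * Returns NULL when calloc fails.  Note the cap parameter here is
 * `unsigned' while sfmemcap_init takes `unsigned long'; caps above
 * UINT_MAX must go through sfmemcap_init.
 */
MEMCAP * sfmemcap_new( unsigned nbytes )
{
     MEMCAP * mc;

     mc = (MEMCAP*)calloc(1,sizeof(MEMCAP));

     if( mc ) sfmemcap_init( mc, nbytes );

     return mc;
}

/*
 * Release the memcap structure (not the blocks allocated through it).
 */
void sfmemcap_delete( MEMCAP * p )
{
     if(p)free( p );
}

/*
 * Allocate some memory under the cap.
 *
 * Every block is prefixed with a sizeof(long) header holding its total
 * size so sfmemcap_free can credit the exact amount back.  Returns NULL
 * when the request would exceed mc->memcap (a memcap of 0 means "no
 * limit") or when the size cannot be represented.  The block comes from
 * SnortAlloc; whether that can return NULL or aborts on failure is
 * decided in util.c, the NULL check here covers both.
 */
void * sfmemcap_alloc( MEMCAP * mc, unsigned long nbytes )
{
     long * data;

     //printf("sfmemcap_alloc: %d bytes requested, memcap=%d, used=%d\n",nbytes,mc->memcap,mc->memused);

     /* Refuse sizes that wrap once the header is added: a wrapped value
      * would pass the cap check and yield a block far smaller than the
      * caller asked for (unsigned wrap is well defined, so this test is). */
     if( nbytes + sizeof(long) < nbytes )
     {
         return 0;
     }

     nbytes += sizeof(long);

     /* Check if we are limiting memory use */
     if( mc->memcap > 0 )
     {
         /* Check if we've maxed out our memory - if we are tracking memory.
          * Written as a subtraction so the comparison itself cannot wrap. */
         if( nbytes > mc->memcap || mc->memused > mc->memcap - nbytes )
         {
             return 0;
         }
     }

     //data = (long *) malloc( nbytes );
     data = (long *)SnortAlloc( nbytes );

     if( data == NULL )
     {
         return 0;
     }

     *data++ = (long)nbytes;

     mc->memused += nbytes;
     mc->nblocks++;

     return data;
}

/*
 * Free some memory obtained from sfmemcap_alloc (only!).  The size is
 * read from the header in front of p, so a pointer from any other
 * allocator corrupts the accounting and the heap.  NULL is accepted and
 * ignored, like free(3).
 */
void sfmemcap_free( MEMCAP * mc, void * p )
{
     long * q;

     if( p == NULL )
     {
         return;
     }

     q = (long*)p;
     q--;
     /* Credit the full stored width: the previous (unsigned) cast
      * truncated sizes >= 4 GiB on LP64 and left memused too high. */
     mc->memused -= (unsigned long)(*q);
     mc->nblocks--;

     free(q);
}

/*
 * For debugging.
 */
void sfmemcap_showmem( MEMCAP * mc )
{
     fprintf(stderr, "memcap: memcap = %lu bytes,",mc->memcap);
     fprintf(stderr, " memused= %lu bytes,",mc->memused);
     fprintf(stderr, " nblocks= %d blocks\n",mc->nblocks);
}

/*
 * String Dup Some memory.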
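*/
/*
 * Duplicates a NUL-terminated string into a block allocated under mc.
 * Returns NULL for a NULL input or when the cap refuses the allocation.
 * Release with sfmemcap_free.
 */
char * sfmemcap_strdup( MEMCAP * mc, const char *str )
{
     char *data = NULL;
     size_t data_size;

     if( str == NULL )
     {
         return 0;
     }

     /* size_t rather than int: an int would truncate very long strings and
      * undersize the copy. */
     data_size = strlen(str) + 1;
     data = (char *)sfmemcap_alloc(mc, data_size);

     if(data == NULL)
     {
         return 0 ;
     }

     /* data_size was derived from str itself, so copying exactly that many
      * bytes brings the terminator along. */
     memcpy(data, str, data_size);

     return data;
}

/*
 * Duplicates n bytes from src into a block allocated under mc.
 * Returns NULL when src is NULL (and n > 0) or the cap refuses the
 * allocation.  Release with sfmemcap_free.
 */
void * sfmemcap_dupmem( MEMCAP * mc, void * src, unsigned long n )
{
     void * data;

     /* A NULL source with a non-zero length would read through NULL. */
     if( src == NULL && n > 0 )
     {
         return 0;
     }

     data = sfmemcap_alloc( mc, n );
     if(data == NULL)
     {
         return 0;
     }

     memcpy( data, src, n );

     return data;
}

--------------------------------------------------------------------------------
/src/sfutil/sfmemcap.h:
--------------------------------------------------------------------------------
/****************************************************************************
 *
 * Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
 * Copyright (C) 2003-2013 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.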
 *
 ****************************************************************************/

/*
** sfmemcap.h
*/
#ifndef __SF_MEMCAP_H__
#define __SF_MEMCAP_H__

/* Memory-cap accounting (embedded in SFXHASH as `mc'). */
typedef struct
{
   unsigned long memused;   /* bytes allocated through this cap, per-block headers included */
   unsigned long memcap;    /* limit in bytes; 0 disables the limit */
   int           nblocks;   /* live blocks */

}MEMCAP;

/* sfmemcap_new takes an `unsigned' cap, sfmemcap_init an `unsigned
 * long'; caps above UINT_MAX must go through sfmemcap_init. */
void     sfmemcap_init(MEMCAP * mc, unsigned long nbytes);
MEMCAP * sfmemcap_new( unsigned nbytes );
void     sfmemcap_delete( MEMCAP * mc );
/* Returns NULL when the request would exceed the cap.  Each block
 * carries a sizeof(long) size header in front of the returned pointer,
 * which sfmemcap_free reads back -- so only pointers obtained from
 * sfmemcap_alloc/strdup/dupmem may be passed to sfmemcap_free. */
void   * sfmemcap_alloc(MEMCAP * mc, unsigned long nbytes);
void     sfmemcap_showmem(MEMCAP * mc );
void     sfmemcap_free( MEMCAP * mc, void * memory);
char   * sfmemcap_strdup(MEMCAP * mc, const char *str);
void   * sfmemcap_dupmem(MEMCAP * mc, void * src, unsigned long n );

#endif

--------------------------------------------------------------------------------
/src/sfutil/sfprimetable.h:
--------------------------------------------------------------------------------
/****************************************************************************
 *
 * Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
 * Copyright (C) 2006-2013 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 *
 ****************************************************************************/

#ifndef SF_PRIME_TABLE
#define SF_PRIME_TABLE

/* Returns a prime near n (presumably for hash-table row counts, cf.
 * the "use a prime number" note on SFXHASH.nrows).  Whether the result
 * is the nearest prime above or below n, and what is returned for
 * n <= 1, is defined in sfprimetable.c and not visible here. */
int sf_nearest_prime( int n );

#endif

--------------------------------------------------------------------------------
/src/sfutil/sfxhash.h:
--------------------------------------------------------------------------------
/****************************************************************************
 *
 * Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
 * Copyright (C) 2003-2013 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 *
 ****************************************************************************/

/*
 *
 *  sfxhash.h
 *
 *  generic hash table - stores and maps key + data pairs
 *  (supports memcap and automatic memory recovery when out of memory)
 *
 *  Author: Marc Norton
 *
 */

#ifndef _SFXHASH_
#define _SFXHASH_

/* NOTE(review): the three header names below were lost in extraction. */
#include
#include
#include

#include "sfmemcap.h"
#include "sfhashfcn.h"
/*
 * ERROR DEFINES (return values of the sfxhash_* functions)
 */
#define SFXHASH_NOMEM    -2
#define SFXHASH_ERR      -1
#define SFXHASH_OK        0
#define SFXHASH_INTABLE   1

/**
 * HASH NODE
 *
 * Each node sits on two lists at once: its row's chain (next/prev) and
 * the table-wide list (gnext/gprev) used for LRU ageing.
 */
typedef struct _sfxhash_node
{
  struct _sfxhash_node * gnext, * gprev; /// global node list - used for ageing nodes
  struct _sfxhash_node * next,  * prev;  /// row node list

  int    rindex;  /// row index of table this node belongs to.

  void * key;   /// Pointer to the key.
  void * data;  /// Pointer to the users data, this is not copied !

} SFXHASH_NODE;

/* Callback given a node's key and data when the node is released;
 * installed as anrfree (automatic recovery) and usrfree (user removal)
 * below.  Which one fires for which path is decided in sfxhash.c. */
typedef int (*SFXHASH_FREE_FCN)( void * key, void * data );
/**
 * SFGX HASH Table
 */
typedef struct _sfxhash
{
  SFHASHFCN    * sfhashfcn; /// hash function
  int            keysize;   /// bytes in key, if <= 0 -> keys are strings (so they must be NUL-terminated)
  int            datasize;  /// bytes of data per node, if == 0 -> the user's data pointer is stored (not copied)
  SFXHASH_NODE ** table;    /// array of node ptr's
  unsigned       nrows;     /// # rows in the hash table; use a prime number 211, 9871
  unsigned       count;     /// total # nodes in table

  unsigned       crow;      /// findfirst/next row in table
  unsigned       pad;
  SFXHASH_NODE * cnode;     /// findfirst/next node ptr
  int            splay;     /// whether to splay nodes with same hash bucket

  unsigned       max_nodes; ///maximum # of nodes within a hash
  MEMCAP         mc;        /// memory cap the nodes are allocated under
  unsigned       overhead_bytes;  /// # of bytes that will be unavailable for nodes inside the table
  unsigned       overhead_blocks; /// # of blocks consumed by the table
  unsigned       find_fail;
  unsigned       find_success;

  SFXHASH_NODE * ghead, * gtail; /// global - root of all nodes allocated in table

  SFXHASH_NODE * fhead, * ftail; /// list of free nodes, which are recycled
  SFXHASH_NODE * gnode; /* gfirst/gnext node ptr */
  int            recycle_nodes; /// recycle nodes. Nodes are not freed, but are used for subsequent new nodes

  /**Automatic Node Recover (ANR): When number of nodes in hash is equal to max_nodes, remove the least recently
   * used nodes and use it for the new node.
   * anr_tries indicates # of ANR tries.*/
  unsigned       anr_tries;
  unsigned       anr_count;  /// # ANR ops performed
  int            anr_flag;   /// 0=off, !0=on

  SFXHASH_FREE_FCN anrfree;
  SFXHASH_FREE_FCN usrfree;

} SFXHASH;

/*
 * HASH PROTOTYPES
 */
int sfxhash_calcrows(int num);
/* Creates a table.  keysize <= 0 selects string keys and datasize == 0
 * stores the caller's pointer instead of a copy (see the struct
 * comments); memcap is handed to the embedded MEMCAP, where 0 means
 * unlimited.  anrfunc/usrfunc may be NULL (presumed -- check sfxhash.c). */
SFXHASH * sfxhash_new( int nrows, int keysize, int datasize, unsigned long memcap,
                       int anr_flag,
                       SFXHASH_FREE_FCN anrfunc,
                       SFXHASH_FREE_FCN usrfunc,
                       int recycle_flag );

/* Upper bound on nodes; the ANR path recycles the LRU node once it is hit. */
void         sfxhash_set_max_nodes( SFXHASH *h, int max_nodes );

void         sfxhash_delete( SFXHASH * h );
int          sfxhash_make_empty(SFXHASH *);

/* Insert / look up / remove by key.  Return values are the SFXHASH_*
 * codes above (SFXHASH_INTABLE when the key already exists, presumed). */
int          sfxhash_add ( SFXHASH * h, void * key, void * data );
SFXHASH_NODE * sfxhash_get_node( SFXHASH * t, const void * key );
int          sfxhash_remove( SFXHASH * h, void * key );

/*!
 * Get the # of Nodes in the HASH table
 *
 * @param t SFXHASH table pointer
 *
 */
static inline unsigned sfxhash_count( SFXHASH * t )
{
    return t->count;
}

/*!
 * Get the # of automatic node recoveries performed
 *
 * @param t SFXHASH table pointer
 *
 */
static inline unsigned sfxhash_anr_count( SFXHASH * t )
{
    return t->anr_count;
}

/*!
 * Get the # finds (successful + failed; unsigned sum, may wrap)
 *
 * @param t SFXHASH table pointer
 *
 */
static inline unsigned sfxhash_find_total( SFXHASH * t )
{
    return t->find_success + t->find_fail;
}

/*!
 * Get the # unsuccessful finds
 *
 * @param t SFXHASH table pointer
 *
 */
static inline unsigned sfxhash_find_fail( SFXHASH * t )
{
    return t->find_fail;
}

/*!
 * Get the # successful finds
 *
 * @param t SFXHASH table pointer
 *
 */
static inline unsigned sfxhash_find_success( SFXHASH * t )
{
    return t->find_success;
}

/*!
 * Get the # of overhead bytes (table storage not available for nodes)
 *
 * @param t SFXHASH table pointer
 *
 */
static inline unsigned sfxhash_overhead_bytes( SFXHASH * t )
{
    return t->overhead_bytes;
}

/*!
 * Get the # of overhead blocks
 *
 * @param t SFXHASH table pointer
 *
 */
static inline unsigned sfxhash_overhead_blocks( SFXHASH * t )
{
    return t->overhead_blocks;
}

/* Most/least recently used entry (data pointer or node) on the global
 * ageing list; NULL on an empty table is presumed. */
void * sfxhash_mru( SFXHASH * t );
void * sfxhash_lru( SFXHASH * t );
SFXHASH_NODE * sfxhash_mru_node( SFXHASH * t );
SFXHASH_NODE * sfxhash_lru_node( SFXHASH * t );
/* Note the asymmetry: sfxhash_find takes a non-const key while
 * sfxhash_find_node takes const; both presumably only read it. */
void * sfxhash_find( SFXHASH * h, void * key );
SFXHASH_NODE * sfxhash_find_node( SFXHASH * t, const void * key);

/* Row-order iteration (uses crow/cnode in the table, so one cursor per table). */
SFXHASH_NODE * sfxhash_findfirst( SFXHASH * h );
SFXHASH_NODE * sfxhash_findnext ( SFXHASH * h );

/* Global-list iteration and LRU promotion. */
SFXHASH_NODE * sfxhash_ghead( SFXHASH * h );
SFXHASH_NODE * sfxhash_gnext( SFXHASH_NODE * n );
void sfxhash_gmovetofront( SFXHASH *t, SFXHASH_NODE * hnode );


void sfxhash_splaymode( SFXHASH * h, int mode );

/* Allocation under the table's memcap; free only what sfxhash_alloc returned. */
void * sfxhash_alloc( SFXHASH * t, unsigned nbytes );
void   sfxhash_free( SFXHASH * t, void * p );
int    sfxhash_free_node(SFXHASH *t, SFXHASH_NODE *node);

unsigned sfxhash_maxdepth( SFXHASH * t );


int sfxhash_set_keyops( SFXHASH *h ,
                        unsigned (*hash_fcn)( SFHASHFCN * p,
                                              unsigned char *d,
                                              int n),
                        int (*keycmp_fcn)( const void *s1,
                                           const void *s2,
                                           size_t n));


/* Global-list iteration using the table's gnode cursor. */
SFXHASH_NODE *sfxhash_gfindfirst( SFXHASH * t );
SFXHASH_NODE *sfxhash_gfindnext( SFXHASH * t );
int sfxhash_add_return_data_ptr( SFXHASH * t, const void * key,
void **data ); 240 | #endif 241 | 242 | -------------------------------------------------------------------------------- /src/spooler.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** 3 | ** Copyright (C) 2008-2013 Ian Firns (SecurixLive) 4 | ** 5 | ** This program is free software; you can redistribute it and/or modify 6 | ** it under the terms of the GNU General Public License Version 2 as 7 | ** published by the Free Software Foundation. You may not use, modify or 8 | ** distribute this program under any other version of the GNU General 9 | ** Public License. 10 | ** 11 | ** This program is distributed in the hope that it will be useful, 12 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
19 | ** 20 | ** 21 | */ 22 | 23 | #ifndef __SPOOLER_H__ 24 | #define __SPOOLER_H__ 25 | 26 | #ifdef HAVE_CONFIG_H 27 | #include "config.h" 28 | #endif 29 | 30 | #include 31 | 32 | #include "plugbase.h" 33 | 34 | #define SPOOLER_EXTENSION_FOUND 0 35 | #define SPOOLER_EXTENSION_NONE 1 36 | #define SPOOLER_EXTENSION_EPARAM 2 37 | #define SPOOLER_EXTENSION_EOPEN 3 38 | 39 | #define SPOOLER_STATE_OPENED 0 40 | #define SPOOLER_STATE_HEADER_READ 1 41 | #define SPOOLER_STATE_RECORD_READ 2 42 | 43 | #define WALDO_STATE_ENABLED 0x01 44 | #define WALDO_STATE_OPEN 0x02 45 | #define WALDO_STATE_DIRTY 0x04 46 | 47 | #define WALDO_MODE_NULL 0 48 | #define WALDO_MODE_READ 1 49 | #define WALDO_MODE_WRITE 2 50 | 51 | #define WALDO_FILE_SUCCESS 0 52 | #define WALDO_FILE_EEXIST 1 53 | #define WALDO_FILE_EOPEN 2 54 | #define WALDO_FILE_ETRUNC 3 55 | #define WALDO_FILE_ECORRUPT 4 56 | #define WALDO_STRUCT_EMPTY 10 57 | 58 | 59 | #define MAX_FILEPATH_BUF 1024 60 | 61 | typedef struct _Record 62 | { 63 | /* raw data */ 64 | void *header; 65 | void *data; 66 | 67 | Packet *pkt; /* decoded packet */ 68 | } Record; 69 | 70 | typedef struct _EventRecordNode 71 | { 72 | uint32_t type; /* type of event stored */ 73 | void *data; /* unified2 event (eg IPv4, IPV6, MPLS, etc) */ 74 | uint8_t used; /* has the event be retrieved */ 75 | uint32_t time_used; /* time it has fired */ 76 | uint32_t event_id; /* extracted from event original */ 77 | uint32_t event_second; /* extracted from event originale */ 78 | 79 | struct _EventRecordNode *next; /* reference to next event record */ 80 | } EventRecordNode; 81 | 82 | typedef struct _PacketRecordNode 83 | { 84 | Packet *data; /* packet information */ 85 | 86 | struct _PacketRecordNode *next; /* reference to next event record */ 87 | } PacketRecordNode; 88 | 89 | typedef struct _Spooler 90 | { 91 | InputFuncNode *ifn; // Processing function of input file 92 | 93 | int fd; // file descriptor of input file 94 | char filepath[MAX_FILEPATH_BUF]; // file path 
of input file 95 | time_t timestamp; // time stamp of input file 96 | uint32_t state; // current read state 97 | uint32_t offset; // current file offest 98 | uint32_t record_idx; // current record number 99 | 100 | uint32_t magic; 101 | void *header; // header of input file 102 | 103 | Record record; // data of current Record 104 | 105 | EventRecordNode *event_cache; // linked list of cached events 106 | uint32_t events_cached; 107 | 108 | PacketRecordNode *packet_cache; // linked list of concurrent packets 109 | uint32_t packets_cached; 110 | } Spooler; 111 | 112 | typedef struct _WaldoData 113 | { 114 | char spool_dir[MAX_FILEPATH_BUF]; 115 | char spool_filebase[MAX_FILEPATH_BUF]; 116 | uint32_t timestamp; 117 | uint32_t record_idx; 118 | } WaldoData; 119 | 120 | typedef struct _Waldo 121 | { 122 | int fd; // file descriptor of the waldo 123 | char filepath[MAX_FILEPATH_BUF]; // filepath to the waldo 124 | uint8_t mode; // read/write 125 | uint8_t state; 126 | 127 | WaldoData data; 128 | } Waldo; 129 | 130 | int ProcessContinuous(const char *, const char *, uint32_t, uint32_t); 131 | int ProcessContinuousWithWaldo(struct _Waldo *); 132 | int ProcessBatch(const char *, const char *); 133 | int ProcessWaldoFile(const char *); 134 | 135 | int spoolerReadWaldo(Waldo *); 136 | void spoolerEventCacheFlush(Spooler *); 137 | void RegisterSpooler(Spooler *); 138 | void UnRegisterSpooler(Spooler *); 139 | 140 | int spoolerCloseWaldo(Waldo *); 141 | int spoolerClose(Spooler *); 142 | 143 | #endif /* __SPOOLER_H__ */ 144 | 145 | 146 | -------------------------------------------------------------------------------- /src/strlcatu.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998 Todd C. Miller 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. 
Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. The name of the author may not be used to endorse or promote products 14 | * derived from this software without specific prior written permission. 15 | * 16 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 17 | * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 18 | * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 19 | * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 20 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 21 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 22 | * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 24 | * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 25 | * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | */ 27 | 28 | /* $Id$ */ 29 | 30 | #ifdef HAVE_CONFIG_H 31 | #include "config.h" 32 | #endif 33 | 34 | #ifndef HAVE_STRLCAT 35 | 36 | #if defined(LIBC_SCCS) && !defined(lint) 37 | static char *rcsid = "$OpenBSD: strlcat.c,v 1.5 2001/01/13 16:17:24 millert Exp $"; 38 | #endif /* LIBC_SCCS and not lint */ 39 | 40 | #include 41 | #include 42 | 43 | /* 44 | * Appends src to string dst of size siz (unlike strncat, siz is the 45 | * full size of dst, not space left). At most siz-1 characters 46 | * will be copied. Always NUL terminates (unless siz <= strlen(dst)). 47 | * Returns strlen(initial dst) + strlen(src); if retval >= siz, 48 | * truncation occurred. 
 */
/*
 * NOTE(review): the two #include lines above lost their header names in
 * extraction; the OpenBSD original named in the rcsid pulls in <sys/types.h>
 * and <string.h> -- verify against the repository copy before building.
 */
size_t strlcat(char *dst, const char *src, size_t siz)
{
	register char *d = dst;
	register const char *s = src;
	register size_t n = siz;
	size_t dlen;

	/* Find the end of dst and adjust bytes left but don't go past end.
	 * The n-- bound is what makes this safe on a dst that has no NUL
	 * within siz bytes: the scan stops at siz, dlen == siz, and nothing
	 * is ever written to dst in that case. */
	while (n-- != 0 && *d != '\0')
		d++;
	dlen = d - dst;
	n = siz - dlen;

	/* No room at all (dst already full or unterminated): return the
	 * length the result would have had so the caller can detect
	 * truncation via retval >= siz; dst is left untouched. */
	if (n == 0)
		return(dlen + strlen(s));
	/* Copy while keeping one byte for the terminator.  Once n reaches 1
	 * only s advances, so the return value still reflects the full,
	 * untruncated length. */
	while (*s != '\0') {
		if (n != 1) {
			*d++ = *s;
			n--;
		}
		s++;
	}
	*d = '\0';

	return(dlen + (s - src));	/* count does not include NUL */
}
#endif
--------------------------------------------------------------------------------
/src/strlcatu.h:
--------------------------------------------------------------------------------
/* $Id$ */
/*
** Copyright (C) 1998-2002 Martin Roesch
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19 | */ 20 | 21 | #ifndef __STRLCAT_H__ 22 | #define __STRLCAT_H__ 23 | 24 | size_t strlcat(char *, const char *, size_t); 25 | 26 | #endif /* __STRLCAT_H__ */ 27 | -------------------------------------------------------------------------------- /src/strlcpyu.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998 Todd C. Miller 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. The name of the author may not be used to endorse or promote products 14 | * derived from this software without specific prior written permission. 15 | * 16 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 17 | * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 18 | * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 19 | * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 20 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 21 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 22 | * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 24 | * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 25 | * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 */

/* $Id$ */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#ifndef HAVE_STRLCPY

#if defined(LIBC_SCCS) && !defined(lint)
static char *rcsid = "$OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $";
#endif /* LIBC_SCCS and not lint */

/* NOTE(review): the header names below were lost in extraction; the OpenBSD
 * original named in the rcsid includes <sys/types.h> and <string.h> --
 * verify against the repository copy. */
#include
#include

/*
 * Copy src to string dst of size siz.  At most siz-1 characters
 * will be copied.  Always NUL terminates (unless siz == 0).
 * Returns strlen(src); if retval >= siz, truncation occurred.
 *
 * With siz == 0 nothing at all is written to dst, not even a NUL, so the
 * caller must check the return value before using dst.  The function always
 * walks to the end of src to compute its return value, so its cost is
 * O(strlen(src)) even when dst is tiny.
 */
size_t strlcpy(char *dst, const char *src, size_t siz)
{
	register char *d = dst;
	register const char *s = src;
	register size_t n = siz;

	/* Copy as many bytes as will fit.  The --n reserves one byte for the
	 * terminator; for siz of 0 or 1 the loop body never runs. */
	if (n != 0 && --n != 0) {
		do {
			if ((*d++ = *s++) == 0)
				break;
		} while (--n != 0);
	}

	/* Not enough room in dst, add NUL and traverse rest of src.
	 * Reached when the space ran out (or siz == 0); the NUL is written
	 * only when there is a dst byte to put it in, and s is advanced past
	 * the end of src so the return below is the full strlen(src). */
	if (n == 0) {
		if (siz != 0)
			*d = '\0';		/* NUL-terminate dst */
		while (*s++)
			;
	}

	return(s - src - 1);	/* count does not include NUL */
}
#endif
--------------------------------------------------------------------------------
/src/strlcpyu.h:
--------------------------------------------------------------------------------
/* $Id$ */
/*
** Copyright (C) 1998-2002 Martin Roesch
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the 14 | ** GNU General Public License for more details. 15 | ** 16 | ** You should have received a copy of the GNU General Public License 17 | ** along with this program; if not, write to the Free Software 18 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 | */ 20 | 21 | #ifndef __STRLCPY_H__ 22 | #define __STRLCPY_H__ 23 | 24 | size_t strlcpy(char *, const char *, size_t); 25 | 26 | #endif /* __STRLCPY_H__ */ 27 | -------------------------------------------------------------------------------- /src/timersub.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1991-1994,96,97,98,99,2000,01,02 2 | Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, write to the Free 17 | Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 18 | 02111-1307 USA. */ 19 | 20 | /* never worry about timersub type activies again -- from GLIBC and upcased. 
 */
/*
 * result = a - b on struct timeval, borrowing one second when the
 * microsecond difference goes negative (the same as glibc's timersub()).
 * This is a macro: a, b and result are each evaluated more than once, so
 * pass plain lvalues, never expressions with side effects.  Inputs whose
 * tv_usec is already outside [0, 999999] are not normalised.
 */
#define TIMERSUB(a, b, result) \
  do { \
    (result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \
    (result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \
    if ((result)->tv_usec < 0) { \
      --(result)->tv_sec; \
      (result)->tv_usec += 1000000; \
    } \
  } while (0)

--------------------------------------------------------------------------------
/src/unified2.h:
--------------------------------------------------------------------------------
/*
**
** Copyright (C) 2008-2013 Ian Firns (SecurixLive)
**
** Copyright (C) 2002-2009 Sourcefire, Inc.
** Copyright (C) 1998-2002 Martin Roesch
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
**
**
*/

#ifndef __UNIFIED2_H__
#define __UNIFIED2_H__

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

//SNORT DEFINES
//Long time ago...
35 | #define UNIFIED2_EVENT 1 36 | 37 | //CURRENT 38 | #define UNIFIED2_PACKET 2 39 | #define UNIFIED2_IDS_EVENT 7 40 | #define UNIFIED2_IDS_EVENT_IPV6 72 41 | #define UNIFIED2_IDS_EVENT_MPLS 99 42 | #define UNIFIED2_IDS_EVENT_IPV6_MPLS 100 43 | #define UNIFIED2_IDS_EVENT_VLAN 104 44 | #define UNIFIED2_IDS_EVENT_IPV6_VLAN 105 45 | #define UNIFIED2_EXTRA_DATA 110 46 | 47 | #if defined(FEAT_OPEN_APPID) 48 | #define UNIFIED2_IDS_EVENT_APPID 111 49 | #define UNIFIED2_IDS_EVENT_APPID_IPV6 112 50 | #define UNIFIED2_IDS_EVENT_APPSTAT 113 51 | 52 | #define MAX_EVENT_APPNAME_LEN 16 53 | #endif 54 | 55 | /* Each unified2 record will start out with one of these */ 56 | typedef struct _Unified2RecordHeader 57 | { 58 | uint32_t type; 59 | uint32_t length; 60 | } Unified2RecordHeader; 61 | 62 | //UNIFIED2_IDS_EVENT_VLAN = type 104 63 | //comes from SFDC to EStreamer archive in serialized form with the extended header 64 | typedef struct _Unified2IDSEvent 65 | { 66 | uint32_t sensor_id; 67 | uint32_t event_id; 68 | uint32_t event_second; 69 | uint32_t event_microsecond; 70 | uint32_t signature_id; 71 | uint32_t generator_id; 72 | uint32_t signature_revision; 73 | uint32_t classification_id; 74 | uint32_t priority_id; 75 | uint32_t ip_source; 76 | uint32_t ip_destination; 77 | uint16_t sport_itype; 78 | uint16_t dport_icode; 79 | uint8_t protocol; 80 | uint8_t impact_flag;//overloads packet_action 81 | uint8_t impact; 82 | uint8_t blocked; 83 | uint32_t mpls_label; 84 | uint16_t vlanId; 85 | uint16_t pad2;//Policy ID 86 | #if defined(FEAT_OPEN_APPID) 87 | char app_name[MAX_EVENT_APPNAME_LEN]; 88 | #endif /* defined(FEAT_OPEN_APPID) */ 89 | } Unified2IDSEvent; 90 | 91 | //UNIFIED2_IDS_EVENT_IPV6_VLAN = type 105 92 | typedef struct _Unified2IDSEventIPv6 93 | { 94 | uint32_t sensor_id; 95 | uint32_t event_id; 96 | uint32_t event_second; 97 | uint32_t event_microsecond; 98 | uint32_t signature_id; 99 | uint32_t generator_id; 100 | uint32_t signature_revision; 101 | uint32_t 
classification_id; 102 | uint32_t priority_id; 103 | struct in6_addr ip_source; 104 | struct in6_addr ip_destination; 105 | uint16_t sport_itype; 106 | uint16_t dport_icode; 107 | uint8_t protocol; 108 | uint8_t impact_flag; 109 | uint8_t impact; 110 | uint8_t blocked; 111 | uint32_t mpls_label; 112 | uint16_t vlanId; 113 | uint16_t pad2;/*could be IPS Policy local id to support local sensor alerts*/ 114 | #if defined(FEAT_OPEN_APPID) 115 | char app_name[MAX_EVENT_APPNAME_LEN]; 116 | #endif /* defined(FEAT_OPEN_APPID) */ 117 | } Unified2IDSEventIPv6; 118 | 119 | //UNIFIED2_PACKET = type 2 120 | typedef struct _Unified2Packet 121 | { 122 | uint32_t sensor_id; 123 | uint32_t event_id; 124 | uint32_t event_second; 125 | uint32_t packet_second; 126 | uint32_t packet_microsecond; 127 | uint32_t linktype; 128 | uint32_t packet_length; 129 | uint8_t packet_data[4]; /* For debugging */ 130 | } Unified2Packet; 131 | 132 | 133 | typedef struct _Unified2ExtraDataHdr{ 134 | uint32_t event_type; 135 | uint32_t event_length; 136 | }Unified2ExtraDataHdr; 137 | 138 | 139 | //UNIFIED2_EXTRA_DATA - type 110 140 | typedef struct _Unified2ExtraData{ 141 | uint32_t sensor_id; 142 | uint32_t event_id; 143 | uint32_t event_second; 144 | uint32_t type; /* EventInfo */ 145 | uint32_t data_type; /*EventDataType */ 146 | uint32_t blob_length; /* Length of the data + sizeof(blob_length) + sizeof(data_type)*/ 147 | } Unified2ExtraData; 148 | 149 | typedef enum _EventInfoEnum 150 | { 151 | EVENT_INFO_XFF_IPV4 = 1, 152 | EVENT_INFO_XFF_IPV6 , 153 | EVENT_INFO_REVIEWED_BY, 154 | EVENT_INFO_GZIP_DATA 155 | }EventInfoEnum; 156 | 157 | typedef enum _EventDataType 158 | { 159 | EVENT_DATA_TYPE_BLOB = 1, 160 | EVENT_DATA_TYPE_MAX 161 | }EventDataType; 162 | 163 | #define EVENT_TYPE_EXTRA_DATA 4 164 | 165 | #define MAX_XFF_WRITE_BUF_LENGTH (sizeof(Unified2RecordHeader) + \ 166 | sizeof(Unified2ExtraDataHdr) + sizeof(Unified2ExtraData) \ 167 | + sizeof(struct in6_addr)) 168 | 169 | 170 | 
//---------------LEGACY, type '7' 171 | //These structures are not used anymore in the product 172 | typedef struct Unified2IDSEvent_legacy 173 | { 174 | uint32_t sensor_id; 175 | uint32_t event_id; 176 | uint32_t event_second; 177 | uint32_t event_microsecond; 178 | uint32_t signature_id; 179 | uint32_t generator_id; 180 | uint32_t signature_revision; 181 | uint32_t classification_id; 182 | uint32_t priority_id; 183 | uint32_t ip_source; 184 | uint32_t ip_destination; 185 | uint16_t sport_itype; 186 | uint16_t dport_icode; 187 | uint8_t protocol; 188 | uint8_t impact_flag;//sets packet_action 189 | uint8_t impact; 190 | uint8_t blocked; 191 | } Unified2IDSEvent_legacy; 192 | 193 | //----------LEGACY, type '72' 194 | typedef struct Unified2IDSEventIPv6_legacy 195 | { 196 | uint32_t sensor_id; 197 | uint32_t event_id; 198 | uint32_t event_second; 199 | uint32_t event_microsecond; 200 | uint32_t signature_id; 201 | uint32_t generator_id; 202 | uint32_t signature_revision; 203 | uint32_t classification_id; 204 | uint32_t priority_id; 205 | struct in6_addr ip_source; 206 | struct in6_addr ip_destination; 207 | uint16_t sport_itype; 208 | uint16_t dport_icode; 209 | uint8_t protocol; 210 | uint8_t impact_flag; 211 | uint8_t impact; 212 | uint8_t blocked; 213 | } Unified2IDSEventIPv6_legacy; 214 | 215 | ////////////////////-->LEGACY 216 | 217 | /* 218 | ** Smaller subset of feature common across event,packet and extradata 219 | ** 220 | ** 221 | */ 222 | typedef struct _Unified2CacheCommon 223 | { 224 | uint32_t sensor_id; 225 | uint32_t event_id; 226 | uint32_t event_second; 227 | } Unified2CacheCommon; 228 | 229 | /* 230 | ** The Unified2EventCommon structure is the common structure that occurs 231 | ** at the beginning of all Unified2Event* structures. 
232 | ** 233 | ** This structure allows the safe casting of any Unified2Event* structure 234 | ** in order to obtain common event information 235 | */ 236 | typedef struct _Unified2EventCommon 237 | { 238 | uint32_t sensor_id; 239 | uint32_t event_id; 240 | uint32_t event_second; 241 | uint32_t event_microsecond; 242 | uint32_t signature_id; 243 | uint32_t generator_id; 244 | uint32_t signature_revision; 245 | uint32_t classification_id; 246 | uint32_t priority_id; 247 | } Unified2EventCommon; 248 | 249 | #endif /* __UNIFIED2_H__ */ 250 | -------------------------------------------------------------------------------- /tools/odlaw: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # 3 | # odlaw - the waldo file viewer and manipulator 4 | # 5 | 6 | use strict; 7 | use warnings; 8 | #use 5.010; 9 | 10 | # 11 | # PERL INCLUDES 12 | # 13 | use Data::Dumper; 14 | use Getopt::Long; 15 | 16 | use constant { MAX_FILEPATH_BUF => 1024 }; 17 | 18 | my $options = { 19 | file_read => '', 20 | file_edit => '', 21 | help => 0, 22 | spooler_dir => '', 23 | spooler_filebase => '', 24 | record => 0, 25 | timestamp => 0, 26 | verbose => 0, 27 | force => 0, 28 | }; 29 | 30 | 31 | # 32 | # 33 | # 34 | sub usage 35 | { 36 | print "\n"; 37 | print "USAGE: $0 [-options]\n"; 38 | print "\n"; 39 | print " General Options:\n"; 40 | print " -h You're reading it.\n"; 41 | print " -v Verbose output.\n"; 42 | print " -f Force (skip validation).\n"; 43 | print " -r File to read.\n"; 44 | print " -e File to edit.\n"; 45 | print "\n"; 46 | print " Long Options:\n"; 47 | print " --help Same as '?'\n"; 48 | print " --verbose Same as 'v'\n"; 49 | print " --force Same as 'f'\n"; 50 | print " --read Same as 'r'\n"; 51 | print " --edit Same as 'e'\n"; 52 | print " --filebase Filebase to filter files on.\n"; 53 | print " --directory Directory to spool for files.\n"; 54 | print " --timestamp Timestamp of file being processed (default: 0).\n"; 55 | 
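print " --record Record index of file being processed (default: 0).\n";
    print "\n";
}

# On-disk layout of the waldo, mirroring struct WaldoData in src/spooler.h:
# two NUL-terminated MAX_FILEPATH_BUF-byte paths followed by two uint32_t.
# 'L' is the host's native 32-bit unsigned layout, so a waldo written here
# is only meaningful on a host with the same endianness (the C side stores
# the struct raw, so the same limitation applies there).  'Z[n]' silently
# truncates anything longer than n-1 bytes, which is why waldo_validate()
# checks the path lengths explicitly.
use constant {
    WALDO_PACK => 'Z[' . MAX_FILEPATH_BUF . '] Z[' . MAX_FILEPATH_BUF . '] L L',
    WALDO_SIZE => 2 * MAX_FILEPATH_BUF + 2 * 4,
    U32_MAX    => 0xFFFFFFFF,
};

# Read a waldo file and return its four fields as a hash reference.
#
# A missing or unreadable file yields the empty defaults (so --edit can still
# create a fresh waldo) plus a warning on STDERR naming the real cause; a
# short file yields undef for the fields that could not be unpacked, which
# waldo_validate() then rejects.
sub waldo_read
{
    my ($file) = @_;

    my @fields = ('spooler_dir', 'spooler_filebase', 'timestamp', 'record');
    my %values;
    @values{@fields} = ('', '', 0, 0);

    # Three-argument open with a lexical handle: the path comes straight from
    # the command line and must not be parsed for mode characters or have its
    # surrounding whitespace stripped, which the old two-argument open did.
    if ( open (my $fh, '<', $file) )
    {
        # The waldo is binary.  Reading it with <FD> in line mode stopped at
        # the first 0x0A byte, so a timestamp or record index that happened
        # to contain that byte came back truncated.  Slurp the whole file.
        binmode($fh);
        my $waldo_raw = do { local $/; <$fh> };
        close($fh);

        $waldo_raw = '' unless defined $waldo_raw;
        if ( length($waldo_raw) != WALDO_SIZE )
        {
            warn "[!] $file is " . length($waldo_raw) . " bytes, expected " . WALDO_SIZE . "\n";
        }

        @values{@fields} = unpack(WALDO_PACK, $waldo_raw);
    }
    else
    {
        warn "[!] Unable to open $file for reading: $!\n";
    }

    # return as hash reference
    return \%values;
}

# True when $value is a non-negative integer that survives a round trip
# through the 'L' pack template without wrapping.
sub _is_u32
{
    my ($value) = @_;

    return ( defined($value) && $value =~ /\A\d+\z/ && $value <= U32_MAX );
}

# True when $value fits the fixed C path buffer with room for the NUL
# ('Z[n]' would otherwise truncate it silently and point at another path).
sub _fits_path_buf
{
    my ($value) = @_;

    return ( defined($value) && length($value) < MAX_FILEPATH_BUF );
}

# Validate a waldo hash.  --force skips every check, as before.
sub waldo_validate
{
    my ($data) = @_;

    return 1 if $options->{force};

    # The spool directory must exist and be a directory; a regular file
    # passed the old -e test but is useless as a spool location.
    return ( _fits_path_buf($data->{spooler_dir}) && ( -d $data->{spooler_dir} ) &&
             _fits_path_buf($data->{spooler_filebase}) &&
             _is_u32($data->{timestamp}) &&
             _is_u32($data->{record}) );
}

# Print a waldo hash in the same brace-delimited layout as before.  Fields
# that failed to unpack are shown empty instead of warning on undef.
sub waldo_print
{
    my ($data) = @_;

    my $show = sub { my ($v) = @_; return defined($v) ? $v : ''; };

    print "{\n";
    print " directory = " . $show->($data->{spooler_dir}) . "\n";
    print " filebase = " . $show->($data->{spooler_filebase}) . "\n";
    print " timestamp = " . $show->($data->{timestamp}) . "\n";
    print " record = " . $show->($data->{record}) . "\n";
    print "}\n";
}

# Write a waldo hash to $file.  Returns true on success, false (after a
# message on STDERR) when the data fails validation.  Dies if the file cannot
# be opened, written or closed: a half-written waldo is exactly the
# corruption waldo_validate() exists to catch, so it must not pass silently.
sub waldo_write
{
    my ($file, $data) = @_;

    if ( ! waldo_validate($data) )
    {
        print STDERR "[!] Provided waldo data is incomplete or corrupted.\n";
        return 0;
    }

    open (my $fh, '>', $file) or die "Unable to open $file for writing: $!\n";
    binmode($fh);

    my $packed = pack(WALDO_PACK, $data->{spooler_dir}, $data->{spooler_filebase},
                      $data->{timestamp}, $data->{record});
    print {$fh} $packed or die "Unable to write $file: $!\n";
    # Buffered write errors only surface at close, so check it too.
    close($fh) or die "Unable to close $file: $!\n";

    return 1;
}


#
# MAIN
#
my $res = GetOptions(
    'r|read=s' => \$options->{file_read},
    'e|edit=s' => \$options->{file_edit},
    'directory=s' => \$options->{spooler_dir},
    'filebase=s' => \$options->{spooler_filebase},
    'record=s' => \$options->{record},
    'timestamp=s' => \$options->{timestamp},
    'v|verbose' => \$options->{verbose},
    'f|force' => \$options->{force},
    'help|?' => \$options->{help},
);

# GetOptions returns false on an unknown switch or a missing argument; the
# old code ignored $res and carried on with a half-parsed option set.
if ( ! $res )
{
    usage();
    exit(1);
}

if( $options->{help} > 0 )
{
    usage();
    exit(0);
}
elsif( $options->{file_read} )
{
    my $data = waldo_read($options->{file_read});
    print 'waldo: ' . $options->{file_read} . "\n";
    waldo_print($data);

    if ( ! waldo_validate($data) )
    {
        print STDERR "[!] Read waldo data is incomplete or corrupted.\n";
        exit(1);
    }
}
elsif( $options->{file_edit} )
{
    my $data = waldo_read($options->{file_edit});

    # NOTE(review): $options pre-seeds these four keys with '' and 0, so the
    # defined() tests below are always true and any field not given on the
    # command line is overwritten with its default rather than kept from the
    # file -- editing only --record also resets the timestamp to 0.  Left
    # as-is because usage() documents "default: 0"; confirm the intent
    # before changing it.
    $data->{spooler_dir} = defined($options->{spooler_dir}) ? $options->{spooler_dir} : $data->{spooler_dir};
    $data->{spooler_filebase} = defined($options->{spooler_filebase}) ? $options->{spooler_filebase} : $data->{spooler_filebase};
    $data->{timestamp} = (defined($options->{timestamp}) ? $options->{timestamp} : $data->{timestamp}) + 0;
    $data->{record} = (defined($options->{record}) ? $options->{record} : $data->{record}) + 0;

    print "Preparing to write:\n";
    waldo_print($data);

    exit( waldo_write($options->{file_edit}, $data) ? 0 : 1 );
}
else
{
    usage();
    exit(1);
}
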