A small patch for Barnyard's op_fast.c
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Thu, 03 Feb 2005 16:24:52 +0100
Hi there,
I have changed a small thing in BY, maybe someone else wants it too. The
problem I had when mailing alerts with logsurfer was that the priority
was on the last line:
------------------------------------------------------------------------
01/01/01-00:00:00.000000 {TCP} 1.1.1.1:12345 -> 1.1.1.1:12345
[**] [1:234:5] Snort Alert [1:234:5] [**]
[Classification: Attempted Information Leak] [Priority: 2]
------------------------------------------------------------------------
I wanted a context to be opened only for the priority 1 alerts. But the
information I also want to collect and mail, in the example above, is
already gone. So what I actually wanted is this:
------------------------------------------------------------------------
[Classification: Unknown] [Priority: 3]
[**] [122:5:0] portscan: TCP Filtered Portscan [**]
02/03/05-16:09:15.715021 {PROTO255} 1.1.1.1 -> 1.1.1.4
------------------------------------------------------------------------
This is no big deal, I know, but it may save some time and nerves. Patch
src/output-plugins/op_fast.c with the attached patch and enjoy.
Since I'm not a programmer at all, please don't expect the patch to be
done very professionally, but it worked for me, so it may work for you too... ;)
Regards,
Edin
--
Edin Dizdarevic
--- op_fast.c Tue Mar 16 05:18:20 2004
+++ op_fast_ed.c Thu Feb 3 15:55:03 2005
@@ -3,7 +3,7 @@
** Copyright (C) 2001-2002 Andrew R. Baker <andrewb () snort org>
** Copyright (C) 2001 Martin Roesch <roesch () sourcefire com>
**
-** This program is distributed under the terms of version 1.0 of the
+** This program is distributed under the terms of version 1.0 of the
** Q Public License. See LICENSE.QPL for further details.
**
** This program is distributed in the hope that it will be useful,
@@ -31,7 +31,7 @@
#include "classification.h"
#include "barnyard.h"
-typedef struct _OpAlertFast_Data
+typedef struct _OpAlertFast_Data
{
char *filename; /* file to open for output */
char *filepath; /* file to open for output */
@@ -55,7 +55,7 @@
OutputPlugin *outputPlugin;
outputPlugin = RegisterOutputPlugin("alert_fast", "alert");
-
+
outputPlugin->setupFunc = OpAlertFast_Setup;
outputPlugin->exitFunc = OpAlertFast_Exit;
outputPlugin->startFunc = OpAlertFast_Start;
@@ -92,11 +92,11 @@
if(!data)
return 0;
-
+
if(data->filename)
free(data->filename);
data->filename = NULL;
-
+
if(data->filepath)
free(data->filepath);
data->filepath = NULL;
@@ -109,15 +109,15 @@
{
OpAlertFast_Data *data = (OpAlertFast_Data *)outputPlugin->data;
-
+
if(data == NULL)
FatalError("ERROR: Unable to find context for AlertFast startup!\n");
-
+
if(pv.verbose >= 2)
OpAlertFast_LogConfig(outputPlugin);
-
+
data->filepath = ProcessFileOption(data->filename);
-
+
data->file = OpenAlertFile(data->filepath);
return 0 ;
@@ -160,7 +160,7 @@
{
/* could not render the timeval */
LogMessage("ERROR: OpAlertFast failed to render timeval\n");
- return -1;
+ return -1;
}
snprintf(sip, 16, "%u.%u.%u.%u", (ad->sip & 0xff000000) >> 24,
@@ -174,24 +174,36 @@
if(ad->protocol == IPPROTO_TCP ||
ad->protocol == IPPROTO_UDP)
{
- fprintf(afd->file, "%s {%s} %s:%d -> %s:%d\n"
+ fprintf(afd->file, "[Classification: %s] [Priority: %d]\n"
"[**] [%d:%d:%d] %s [**]\n"
- "[Classification: %s] [Priority: %d]\n", timestamp,
- protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp,
+ "%s {%s} %s:%d -> %s:%d\n",
+ ct != NULL?ct->name:"Unknown", ad->event.priority,
ad->event.sig_generator, ad->event.sig_id, ad->event.sig_rev,
- tmp != NULL?tmp->msg:"ALERT",
- ct != NULL?ct->name:"Unknown", ad->event.priority);
+ tmp != NULL?tmp->msg:"ALERT",
+ timestamp, protocol_names[ad->protocol],
+ sip, ad->sp, dip, ad->dp);
}
else
{
- fprintf(afd->file, "%s {%s} %s -> %s\n"
+ fprintf(afd->file, "[Classification: %s] [Priority: %d]\n"
"[**] [%d:%d:%d] %s [**]\n"
- "[Classification: %s] [Priority: %d]\n", timestamp,
- protocol_names[ad->protocol], sip, dip,
+ "%s {%s} %s -> %s\n",
+ ct != NULL ? ct->name : "Unknown", ad->event.priority,
ad->event.sig_generator, ad->event.sig_id, ad->event.sig_rev,
- tmp != NULL ? tmp->msg : "ALERT",
- ct != NULL ? ct->name : "Unknown", ad->event.priority);
+ tmp != NULL ? tmp->msg : "ALERT",
+ timestamp, protocol_names[ad->protocol], sip, dip);
}
+ /*
+ ------------------------------------------------------------------------
+ 01/01/01-00:00:00.000000 {TCP} 1.1.1.1:12345 -> 1.1.1.1:12345
+ [**] [1:234:5] Snort Alert [1:234:5] [**]
+ [Classification: Attempted Information Leak] [Priority: 2]
+ ------------------------------------------------------------------------
+ 01/01/01-00:00:00.000000 {PROTO255} 1.1.1.1 -> 1.1.1.1
+ [**] [123:4:5] Snort Alert [123:4:5] [**]
+ [Classification: Unknown] [Priority: 3]
+ ------------------------------------------------------------------------
+ */
PrintXref(ad->event.sig_generator, ad->event.sig_id, afd->file);
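Review bot: The sample-output comment added at the end of this hunk shows the old layout (timestamp line first, Classification/Priority line last), which is the opposite of what the two fprintf calls directly above it now emit, so it will mislead the next reader; either rewrite the sample in the new order (`[Classification: ...] [Priority: ...]` first, `[**] [gen:id:rev] msg [**]` second, address line last) or drop it, since the format strings already document the layout. The reordering is unconditional, so any existing consumer that parses alert_fast output by line position will presumably see a changed format after this patch; a short comment above the fprintf stating that the Classification/Priority line is deliberately printed first (so line-oriented tools see it before the address line) would record why. The two branches now share an identical first two format lines and the same six leading arguments; printing those once before the if/else and keeping only the protocol-dependent address line in each branch removes the duplication without changing the bytes written. The enclosing function starts before this hunk.
```c
    /* Classification, priority and signature lines do not depend on the protocol,
     * so print them once; only the address line differs below. */
    fprintf(afd->file, "[Classification: %s] [Priority: %d]\n"
            "[**] [%d:%d:%d] %s [**]\n",
            ct != NULL ? ct->name : "Unknown", ad->event.priority,
            ad->event.sig_generator, ad->event.sig_id, ad->event.sig_rev,
            tmp != NULL ? tmp->msg : "ALERT");
    if(ad->protocol == IPPROTO_TCP ||
       ad->protocol == IPPROTO_UDP)
    {
        fprintf(afd->file, "%s {%s} %s:%d -> %s:%d\n",
                timestamp, protocol_names[ad->protocol],
                sip, ad->sp, dip, ad->dp);
    }
    else
    {
        fprintf(afd->file, "%s {%s} %s -> %s\n",
                timestamp, protocol_names[ad->protocol], sip, dip);
    }
    /* ... unchanged: PrintXref call ... */
```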
@@ -222,11 +234,11 @@
}
toks = mSplit(args, " ", 2, &num_toks, 0);
-
+
data->filename = strdup(toks[0]);
-
+
FreeToks(toks, num_toks);
-
+
outputPlugin->data = (OpAlertFast_Data *) data;
return;
@@ -235,13 +247,13 @@
FILE *OpenAlertFile(char *filename)
{
- FILE *tmp;
+ FILE *tmp;
if((tmp = fopen(filename, "a+")) == NULL)
{
FatalError("ERROR => fopen(%s) failed: %s\n", filename,
strerror(errno));
}
-
+
return tmp;
}
