A small patch for Barnyard's op_fast.c
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Thu, 03 Feb 2005 16:24:52 +0100
Hi there, I have changed a small thing in BY, maybe someone else wants it too. The problem I had when mailing alerts with logsurfer is that the priority was in the last line: ------------------------------------------------------------------------ 01/01/01-00:00:00.000000 {TCP} 1.1.1.1:12345 -> 1.1.1.1:12345 [**] [1:234:5] Snort Alert [1:234:5] [**] [Classification: Attempted Information Leak] [Priority: 2] ------------------------------------------------------------------------ I wanted a context to be opened only for the priority 1 alerts. But the information I also want to collect and mail in the example above is already gone by then. So what I actually wanted is this: ------------------------------------------------------------------------ [Classification: Unknown] [Priority: 3] [**] [122:5:0] portscan: TCP Filtered Portscan [**] 02/03/05-16:09:15.715021 {PROTO255} 1.1.1.1 -> 1.1.1.4 ------------------------------------------------------------------------ This is no big deal, I know, but it may save some time and nerves. Patch src/output-plugins/op_fast.c with the patch attached and enjoy. Since I'm not a programmer at all, please don't expect the patch to be done highly professionally, but it worked for me so it may work for you too... ;) Regards, Edin -- Edin Dizdarevic
--- op_fast.c Tue Mar 16 05:18:20 2004
+++ op_fast_ed.c Thu Feb 3 15:55:03 2005
@@ -3,7 +3,7 @@
 ** Copyright (C) 2001-2002 Andrew R. Baker <andrewb () snort org>
 ** Copyright (C) 2001 Martin Roesch <roesch () sourcefire com>
 **
-** This program is distributed under the terms of version 1.0 of the
+** This program is distributed under the terms of version 1.0 of the
 ** Q Public License. See LICENSE.QPL for further details.
 **
 ** This program is distributed in the hope that it will be useful,
@@ -31,7 +31,7 @@
 #include "classification.h"
 #include "barnyard.h"
-typedef struct _OpAlertFast_Data
+typedef struct _OpAlertFast_Data
 {
 char *filename; /* file to open for output */
 char *filepath; /* file to open for output */
@@ -55,7 +55,7 @@
 OutputPlugin *outputPlugin;
 outputPlugin = RegisterOutputPlugin("alert_fast", "alert");
-
+
 outputPlugin->setupFunc = OpAlertFast_Setup;
 outputPlugin->exitFunc = OpAlertFast_Exit;
 outputPlugin->startFunc = OpAlertFast_Start;
@@ -92,11 +92,11 @@
 if(!data)
 return 0;
-
+
 if(data->filename)
 free(data->filename);
 data->filename = NULL;
-
+
 if(data->filepath)
 free(data->filepath);
 data->filepath = NULL;
@@ -109,15 +109,15 @@
 {
 OpAlertFast_Data *data = (OpAlertFast_Data *)outputPlugin->data;
-
+
 if(data == NULL)
 FatalError("ERROR: Unable to find context for AlertFast startup!\n");
-
+
 if(pv.verbose >= 2)
 OpAlertFast_LogConfig(outputPlugin);
-
+
 data->filepath = ProcessFileOption(data->filename);
-
+
 data->file = OpenAlertFile(data->filepath);
 return 0 ;
@@ -160,7 +160,7 @@
 {
 /* could not render the timeval */
 LogMessage("ERROR: OpAlertFast failed to render timeval\n");
- return -1;
+ return -1;
 }
 snprintf(sip, 16, "%u.%u.%u.%u", (ad->sip & 0xff000000) >> 24,
@@ -174,24 +174,36 @@
 if(ad->protocol == IPPROTO_TCP || ad->protocol == IPPROTO_UDP)
 {
- fprintf(afd->file, "%s {%s} %s:%d -> %s:%d\n"
+ fprintf(afd->file, "[Classification: %s] [Priority: %d]\n"
 "[**] [%d:%d:%d] %s [**]\n"
- "[Classification: %s] [Priority: %d]\n", timestamp,
- protocol_names[ad->protocol], sip, ad->sp, dip, ad->dp,
+ "%s {%s} %s:%d -> %s:%d\n",
+ ct != NULL?ct->name:"Unknown", ad->event.priority,
 ad->event.sig_generator, ad->event.sig_id, ad->event.sig_rev,
- tmp != NULL?tmp->msg:"ALERT",
- ct != NULL?ct->name:"Unknown", ad->event.priority);
+ tmp != NULL?tmp->msg:"ALERT",
+ timestamp, protocol_names[ad->protocol],
+ sip, ad->sp, dip, ad->dp);
 }
 else
 {
- fprintf(afd->file, "%s {%s} %s -> %s\n"
+ fprintf(afd->file, "[Classification: %s] [Priority: %d]\n"
 "[**] [%d:%d:%d] %s [**]\n"
- "[Classification: %s] [Priority: %d]\n", timestamp,
- protocol_names[ad->protocol], sip, dip,
+ "%s {%s} %s -> %s\n",
+ ct != NULL ? ct->name : "Unknown", ad->event.priority,
 ad->event.sig_generator, ad->event.sig_id, ad->event.sig_rev,
- tmp != NULL ? tmp->msg : "ALERT",
- ct != NULL ? ct->name : "Unknown", ad->event.priority);
+ tmp != NULL ? tmp->msg : "ALERT",
+ timestamp, protocol_names[ad->protocol], sip, dip);
 }
+ /*
+ ------------------------------------------------------------------------
+ 01/01/01-00:00:00.000000 {TCP} 1.1.1.1:12345 -> 1.1.1.1:12345
+ [**] [1:234:5] Snort Alert [1:234:5] [**]
+ [Classification: Attempted Information Leak] [Priority: 2]
+ ------------------------------------------------------------------------
+ 01/01/01-00:00:00.000000 {PROTO255} 1.1.1.1 -> 1.1.1.1
+ [**] [123:4:5] Snort Alert [123:4:5] [**]
+ [Classification: Unknown] [Priority: 3]
+ ------------------------------------------------------------------------
+ */
 PrintXref(ad->event.sig_generator, ad->event.sig_id, afd->file);
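Review bot: The block comment added after the else branch documents the old layout (timestamp line first, classification line last), which is the opposite of what the two rewritten fprintf calls now emit, so it will mislead the next maintainer; either drop it or rewrite it to show the new order, e.g. `[Classification: ...] [Priority: ...]` / `[**] [gid:sid:rev] msg [**]` / `timestamp {proto} src -> dst`. The reordered argument lists do match the new format strings in both branches, so the output itself looks correct. alert_fast output is read by external tools (the mail itself mentions logsurfer), so changing the line order unconditionally may break other consumers that parse the existing layout; making the layout selectable through a plugin option would be safer, though whether the plugin's option parsing can carry that is not visible in this hunk. The enclosing function starts and ends outside the hunk.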
@@ -222,11 +234,11 @@
 }
 toks = mSplit(args, " ", 2, &num_toks, 0);
-
+
 data->filename = strdup(toks[0]);
-
+
 FreeToks(toks, num_toks);
-
+
 outputPlugin->data = (OpAlertFast_Data *) data;
 return;
@@ -235,13 +247,13 @@
 FILE *OpenAlertFile(char *filename)
 {
- FILE *tmp;
+ FILE *tmp;
 if((tmp = fopen(filename, "a+")) == NULL)
 {
 FatalError("ERROR => fopen(%s) failed: %s\n", filename, strerror(errno));
 }
-
+
 return tmp;
 }