support for printing protocol names for known protocol

remotes/origin/master-1.1.x
Gurvinder Singh 15 years ago committed by Victor Julien
parent b81280524c
commit 3eab715153

@ -176,6 +176,7 @@ util-decode-asn1.c util-decode-asn1.h \
util-ringbuffer.c util-ringbuffer.h \ util-ringbuffer.c util-ringbuffer.h \
util-validate.h \ util-validate.h \
util-memcmp.c util-memcmp.h \ util-memcmp.c util-memcmp.h \
util-proto-name.c util-proto-name.h \
tm-modules.c tm-modules.h \ tm-modules.c tm-modules.h \
tm-queues.c tm-queues.h \ tm-queues.c tm-queues.h \
tm-queuehandlers.c tm-queuehandlers.h \ tm-queuehandlers.c tm-queuehandlers.h \

@ -58,6 +58,7 @@
#include "util-cuda-handlers.h" #include "util-cuda-handlers.h"
#include "util-privs.h" #include "util-privs.h"
#include "util-print.h" #include "util-print.h"
#include "util-proto-name.h"
#define DEFAULT_LOG_FILENAME "fast.log" #define DEFAULT_LOG_FILENAME "fast.log"
@ -144,8 +145,19 @@ TmEcode AlertFastLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "] %s [**] [Classification: %s] [Priority: %" PRIu32 "] {%" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "", if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio, IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp); fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [**] [Classification: %s] [Priority: %"PRIu32"]"
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", timebuf,
pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio,
known_proto[IPV4_GET_IPPROTO(p)], srcip, p->sp, dstip, p->dp);
} else {
fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [**] [Classification: %s] [Priority: %"PRIu32"]"
" {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "", timebuf,
pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio,
IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
}
if(pa->references != NULL) { if(pa->references != NULL) {
fprintf(aft->file_ctx->fp," "); fprintf(aft->file_ctx->fp," ");
@ -186,8 +198,21 @@ TmEcode AlertFastLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "] %s [**] [Classification: %s] [Priority: %" PRIu32 "] {%" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "", if (SCProtoNameValid(IPV6_GET_L4PROTO(p)) == TRUE) {
timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp); fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [**] [Classification: %s] [Priority: %"
"" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
pa->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp,
dstip, p->dp);
} else {
fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [**] [Classification: %s] [Priority: %"
"" PRIu32 "] {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
}
if(pa->references != NULL) { if(pa->references != NULL) {
fprintf(aft->file_ctx->fp," "); fprintf(aft->file_ctx->fp," ");
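Review bot: Both branches of the new `if` in AlertFastLogIPv4 repeat the complete fast.log format string and argument list and differ only in the `{...}` protocol field, and the IPv6 hunk below duplicates the same pair again, so any future change to the line format has to be made in four places. Selecting the protocol text first and keeping a single fprintf per function removes the duplication; the numeric fallback needs only a small local buffer, and the name case can use the `known_proto` pointer directly so nothing is truncated. `known_proto[...]` is indexed by the packet's protocol byte, so this is safe only as long as `SCProtoNameValid` agrees with the array size declared in util-proto-name.h rather than here. AlertFastLogIPv4 and AlertFastLogIPv6 both start and end outside their hunks.
```c
/* … unchanged: timebuf, srcip and dstip setup … */
char proto_buf[16];
const char *proto_s = proto_buf;
if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
    proto_s = known_proto[IPV4_GET_IPPROTO(p)];
} else {
    snprintf(proto_buf, sizeof(proto_buf), "PROTO:%03" PRIu32, IPV4_GET_IPPROTO(p));
}
fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "] %s [**] "
        "[Classification: %s] [Priority: %" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
        timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio,
        proto_s, srcip, p->sp, dstip, p->dp);
/* … unchanged: pa->references handling … */
```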

@ -145,6 +145,7 @@
#include "util-ringbuffer.h" #include "util-ringbuffer.h"
#include "util-mem.h" #include "util-mem.h"
#include "util-memcmp.h" #include "util-memcmp.h"
#include "util-proto-name.h"
/* /*
* we put this here, because we only use it here in main. * we put this here, because we only use it here in main.
@ -805,6 +806,7 @@ int main(int argc, char **argv)
SCProfilingInit(); SCProfilingInit();
#endif /* PROFILING */ #endif /* PROFILING */
SCReputationInitCtx(); SCReputationInitCtx();
SCProtoNameInit();
TagInitCtx(); TagInitCtx();
@ -1248,6 +1250,7 @@ int main(int argc, char **argv)
RunModeShutDown(); RunModeShutDown();
OutputDeregisterAll(); OutputDeregisterAll();
TimeDeinit(); TimeDeinit();
SCProtoNameDeInit();
#ifdef PROFILING #ifdef PROFILING
if (profiling_rules_enabled) if (profiling_rules_enabled)

@ -0,0 +1,94 @@
/* Copyright (C) 2007-2010 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
*
* File to provide the protocol names based on protocol numbers defined in the
* specified protocol file.
*/
#include "suricata-common.h"
#include "util-proto-name.h"
/**
* \brief Function to load the protocol names from the specified protocol
* file.
*/
void SCProtoNameInit()
{
/* Load the known protocols name from the /etc/protocols file */
FILE *fp = fopen(PROTO_FILE,"r");
if (fp != NULL) {
char line[200];
char *ptr = NULL;
while(fgets(line, sizeof(line), fp) != NULL) {
if (line[0] == '#')
continue;
char *name = strtok_r(line," \t", &ptr);
if (name == NULL)
continue;
char *proto_ch = strtok_r(NULL," \t", &ptr);
if (proto_ch == NULL)
continue;
int proto = atoi(proto_ch);
if (proto >= 255)
continue;
char *cname = strtok_r(NULL, " \t", &ptr);
if (cname != NULL) {
known_proto[proto] = strdup(cname);
} else {
known_proto[proto] = strdup(name);
}
}
fclose(fp);
}
}
/**
* \brief Function to check if the received protocol number is valid and do
* we have corresponding name entry for this number or not.
*
* @param proto Protocol number to be validated
* @return On success returns TRUE otherwise FALSE
*/
uint8_t SCProtoNameValid(uint16_t proto)
{
uint8_t ret = FALSE;
if ((proto <= 255) && known_proto[proto] != NULL)
{
ret = TRUE;
}
return ret;
}
/**
* \brief Function to clears the memory used in storing the protocol names.
*/
void SCProtoNameDeInit()
{
/* clears the memory of loaded protocol names */
for (uint8_t cnt=0;cnt < 255;cnt++) {
if(known_proto[cnt] != NULL)
SCFree(known_proto[cnt]);
}
}
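Review bot: `SCProtoNameValid` accepts `proto <= 255` while `known_proto` is declared with 255 elements, so a packet carrying IP protocol 255 makes it read `known_proto[255]` one past the end of the array, and the alert-fastlog caller then dereferences whatever pointer it found. The parser has the mirror problem: `atoi` yields a negative value for a malformed number and only the upper bound is checked, so `known_proto[proto] = strdup(...)` can write before the array. Because the delimiter set is only `" \t"`, the last token on a line keeps its trailing newline, so an alias with no trailing comment is stored as e.g. `"TCP\n"` and breaks the one-line fast.log format. The rewrite below parses with `strtol` and a full range check (it needs `errno`, if suricata-common.h does not already provide it), adds `"\r\n"` to the delimiters, bounds the lookup at `proto < 255`, and `SCProtoNameDeInit` should additionally reset each slot with `known_proto[cnt] = NULL;` after freeing so a later `SCProtoNameValid` cannot report a freed pointer as valid. Pairing libc `strdup` with the project's `SCFree` is only correct if SCFree resolves to plain `free` — worth confirming against util-mem.h.
```c
/* … unchanged: fopen, fgets loop header, '#' check … */
            char *name = strtok_r(line, " \t\r\n", &ptr);
            if (name == NULL)
                continue;
            char *proto_ch = strtok_r(NULL, " \t\r\n", &ptr);
            if (proto_ch == NULL)
                continue;
            char *end = NULL;
            errno = 0;
            long proto = strtol(proto_ch, &end, 10);
            /* reject non-numeric, out-of-range and negative values before indexing */
            if (end == proto_ch || *end != '\0' || errno == ERANGE || proto < 0 || proto >= 255)
                continue;
            char *cname = strtok_r(NULL, " \t\r\n", &ptr);
/* … unchanged: strdup into known_proto[proto], fclose … */

uint8_t SCProtoNameValid(uint16_t proto)
{
    uint8_t ret = FALSE;
    /* known_proto has 255 slots: indexes 0..254 */
    if (proto < 255 && known_proto[proto] != NULL) {
        ret = TRUE;
    }
    return ret;
}
```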

@ -0,0 +1,36 @@
/* Copyright (C) 2007-2010 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
*/
#ifndef _UTIL_PROTO_NAME_H
#define _UTIL_PROTO_NAME_H
#define PROTO_FILE "/etc/protocols"
/* Structure to hold the information related to known protocol in /etc/protocols */
char *known_proto[255];
uint8_t SCProtoNameValid(uint16_t );
void SCProtoNameInit(void);
void SCProtoNameDeInit(void);
#endif /* _UTIL_PROTO_NAME_H */
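Review bot: `char *known_proto[255];` in this header is a definition, not a declaration, so every translation unit that includes util-proto-name.h (alert-fastlog.c, suricata.c and util-proto-name.c in this commit) defines its own copy; that only links through the compiler's common-symbol merging and fails with `-fno-common`, which newer GCC versions enable by default. Declare it here as `extern char *known_proto[255];` and place the single definition in util-proto-name.c. The header also uses `uint8_t`/`uint16_t` without including `<stdint.h>`, relying on whatever the includer pulled in first, and the comment above the array calls it a "Structure" although it is an array of name pointers, e.g. `/* Protocol names loaded from PROTO_FILE, indexed by IP protocol number; NULL when unknown */`. `_UTIL_PROTO_NAME_H` begins with an underscore followed by an uppercase letter, a form the C standard reserves for the implementation.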