
Changes to include the Event ID in the alert output #241

Open
wants to merge 4 commits into
base: master
1 change: 1 addition & 0 deletions README
Expand Up @@ -106,6 +106,7 @@ Command line:
-h <name> Define the hostname <name>. For logging purposes only
-i <if> Define the interface <if>. For logging purposes only
-I Add Interface name to alert output
-j Add Event ID to alert output
-l <ld> Log to directory <ld>
-m <umask> Set umask = <umask>
-O Obfuscate the logged IP addresses
9 changes: 7 additions & 2 deletions src/barnyard2.c
Expand Up @@ -157,11 +157,11 @@ static char **barnyard2_argv = NULL;
/* command line options for getopt */
#ifndef WIN32
/* Unix does not support an argument to -s <wink marty!> OR -E, -W */
static char *valid_options = "?a:Ac:C:d:Def:Fg:G:h:i:Il:m:noOqr:R:S:t:Tu:UvVw:xXy";
static char *valid_options = "?a:Ac:C:d:Def:Fg:G:h:i:Ijl:m:noOqr:R:S:t:Tu:UvVw:xXy";
#else
/* Win32 does not support: -D, -g, -m, -t, -u */
/* Win32 no longer supports an argument to -s, either! */
static char *valid_options = "?a:Ac:C:d:eEf:FG:h:i:Il:noOqr:R:S:TUvVw:xXy";
static char *valid_options = "?a:Ac:C:d:eEf:FG:h:i:Ijl:noOqr:R:S:TUvVw:xXy";
#endif

static struct option long_options[] =
Expand Down Expand Up @@ -487,6 +487,7 @@ static int ShowUsage(char *program_name)
FPUTS_BOTH (" -h <name> Define the hostname <name>. For logging purposes only\n");
FPUTS_BOTH (" -i <if> Define the interface <if>. For logging purposes only\n");
FPUTS_BOTH (" -I Add Interface name to alert output\n");
FPUTS_BOTH (" -j Add Event ID to alert output\n");
FPUTS_BOTH (" -l <ld> Log to directory <ld>\n");
FPUTS_UNIX (" -m <umask> Set umask = <umask>\n");
FPUTS_BOTH (" -O Obfuscate the logged IP addresses\n");
Expand Down Expand Up @@ -750,6 +751,10 @@ static void ParseCmdLine(int argc, char **argv)
ConfigAlertWithInterfaceName(bc, NULL);
break;

case 'j':
ConfigEventID(bc, NULL);
break;

case 'l': /* use log dir <X> */
ConfigLogDir(bc, optarg);
break;
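Review bot: ConfigEventID is called from the new `case 'j':` in ParseCmdLine, but this PR adds no declaration for it: the header that declares ConfigUtc and the other Config* functions is not among the changed files, so unless it already declares ConfigEventID the call relies on an implicit function declaration, which C99 rejects and older compilers accept only with a warning. Add `void ConfigEventID(Barnyard2Config *bc, char *args);` next to the ConfigUtc prototype in that header. The two valid_options strings were updated consistently for both builds, so the option itself is reachable. ParseCmdLine's body starts and ends outside the hunk.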
8 changes: 7 additions & 1 deletion src/barnyard2.h
Expand Up @@ -282,7 +282,8 @@ typedef enum _OutputFlag
OUTPUT_FLAG__NO_TIMESTAMP = 0x00000400, /* --nostamps */
OUTPUT_FLAG__ALERT_PKT_CNT = 0x00000800, /* -A packet-count */
/* XXX XXX pv.outputVidInAlerts */
OUTPUT_FLAG__ALERT_VLAN = 0x00001000 /* config include_vlan_in_alerts */
OUTPUT_FLAG__ALERT_VLAN = 0x00001000, /* config include_vlan_in_alerts */
OUTPUT_FLAG__ALERT_EVENTID = 0x00002000 /* -j - include event id in alerts */

} OutputFlag;

Expand Down Expand Up @@ -664,6 +665,11 @@ static INLINE int BcOutputUseUtc(void)
return barnyard2_conf->output_flags & OUTPUT_FLAG__USE_UTC;
}

static INLINE int BcOutputUseEventID(void)
{
return barnyard2_conf->output_flags & OUTPUT_FLAG__ALERT_EVENTID;
}

static INLINE int BcOutputDataLink(void)
{
return barnyard2_conf->output_flags & OUTPUT_FLAG__SHOW_DATA_LINK;
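Review bot: OUTPUT_FLAG__ALERT_EVENTID can only be set from the -j switch, whereas the neighbouring flag's comment points at a config-file keyword (`config include_vlan_in_alerts`); the parser.c hunk adds ConfigEventID but no config directive that reaches it, so unless the keyword table, which is outside this diff, already has an entry, a deployment driven by the config file has no way to enable the feature. Either add the keyword or make the enum comment state the limitation, e.g. `/* -j (command line only) - include event id in alerts */`. BcOutputUseEventID follows its siblings in returning the masked flag as an int, which is fine for the truth-value use in the output plugins.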
3 changes: 2 additions & 1 deletion src/decode.c
Expand Up @@ -638,7 +638,8 @@ void DecodeMPLS(const uint8_t* pkt, const uint32_t len, Packet* p)
int iRet = 0;

pc.mpls++;
UpdateMPLSStats(&sfBase, len, Active_PacketWasDropped());
// I believe this is a Snort function
// UpdateMPLSStats(&sfBase, len, Active_PacketWasDropped());
tmpMplsHdr = (uint32_t *) pkt;
p->mpls = NULL;

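Review bot: The edit in DecodeMPLS is unrelated to the Event ID feature and leaves commented-out code behind with a speculative note (`// I believe this is a Snort function`) in place of the UpdateMPLSStats call. If the call does not build in this tree, delete the line rather than commenting it out, and put that in its own commit whose message says why MPLS statistics are no longer updated; a reviewer of the -j feature would not expect a decoder behaviour change in this PR. DecodeMPLS's body starts and ends outside the hunk.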
6 changes: 6 additions & 0 deletions src/output-plugins/spo_alert_fast.c
Expand Up @@ -181,6 +181,12 @@ static void AlertFast(Packet *p, void *event, uint32_t event_type, void *arg)
TextLog_Puts(data->log, " [**] ");
#endif

if(BcOutputUseEventID())
{
TextLog_Print(data->log, "(%lu) ",
(unsigned long) ntohl(((Unified2EventCommon *)event)->event_id));
}

TextLog_Print(data->log, "[%lu:%lu:%lu] ",
(unsigned long) ntohl(((Unified2EventCommon *)event)->generator_id),
(unsigned long) ntohl(((Unified2EventCommon *)event)->signature_id),
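Review bot: The `(%lu) ` event-id prefix is inserted ahead of the `[gid:sid:rev]` tuple here and in the matching hunks of spo_alert_full.c, spo_alert_syslog.c and spo_alert_test.c, which changes the line grammar that consumers of these alert formats parse; that is acceptable for an opt-in switch, but neither the README line nor the usage text says where the value lands or that it is the unified2 event_id as received. Extend the README entry to something like `-j Add Event ID to alert output (printed as (<id>) before [gid:sid:rev])`. Unlike AlertFull and AlertTest, this block is not under an `if(event != NULL)` guard; the pre-existing TextLog_Print below it already dereferences event unchecked, so no new assumption is introduced, but a short comment noting that event is required to be non-NULL here would help. AlertFast's body starts and ends outside the hunk.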
6 changes: 6 additions & 0 deletions src/output-plugins/spo_alert_full.c
Expand Up @@ -160,6 +160,12 @@ static void AlertFull(Packet *p, void *event, uint32_t event_type, void *arg)

if(event != NULL)
{
if(BcOutputUseEventID())
{
TextLog_Print(data->log, "(%lu) ",
(unsigned long) ntohl(((Unified2EventCommon *)event)->event_id));
}

TextLog_Print(data->log, "[%lu:%lu:%lu] ",
(unsigned long) ntohl(((Unified2EventCommon *)event)->generator_id),
(unsigned long) ntohl(((Unified2EventCommon *)event)->signature_id),
10 changes: 10 additions & 0 deletions src/output-plugins/spo_alert_syslog.c
Expand Up @@ -541,6 +541,16 @@ void AlertSyslog(Packet *p, void *event, uint32_t event_type, void *arg)

// if(event != NULL)
// {
if(BcOutputUseEventID())
{
if( SnortSnprintf(event_data, STD_BUF, "(%lu) ",
(unsigned long) ntohl(((Unified2EventCommon *)event)->event_id)) != SNORT_SNPRINTF_SUCCESS )
return ;

if( strlcat(event_string, event_data, SYSLOG_BUF) >= SYSLOG_BUF )
return ;
}

if( SnortSnprintf(event_data, STD_BUF, "[%lu:%lu:%lu] ",
(unsigned long) ntohl(((Unified2EventCommon *)event)->generator_id),
(unsigned long) ntohl(((Unified2EventCommon *)event)->signature_id),
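Review bot: The two new early `return ;` statements in AlertSyslog drop the whole syslog alert silently when the event-id prefix cannot be formatted or appended, which for an alerting path means a lost event with no trace; this appears to mirror the pattern the rest of the function uses (outside the hunk), but the new block consumes SYSLOG_BUF space ahead of the `[gid:sid:rev]` tuple, so truncation of the remaining fields becomes slightly more likely. Consider emitting a diagnostic through the project's error-logging helper before returning, or skipping the prefix rather than the alert when strlcat reports truncation. The block also sits after the commented-out `// if(event != NULL)` guard, so `event` is dereferenced unchecked, as the pre-existing code below it already does. AlertSyslog's body starts and ends outside the hunk.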
6 changes: 6 additions & 0 deletions src/output-plugins/spo_alert_test.c
Expand Up @@ -169,6 +169,12 @@ void AlertTest(Packet *p, void *event, u_int32_t event_type, void *arg)

if(event != NULL)
{
if(BcOutputUseEventID())
{
fprintf(data->file, "(%lu)\t",
(unsigned long) ntohl(((Unified2EventCommon *)event)->event_id));
}

fprintf(data->file, "%lu\t%lu\t%lu\t",
(unsigned long) ntohl(((Unified2EventCommon *)event)->generator_id),
(unsigned long) ntohl(((Unified2EventCommon *)event)->signature_id),
8 changes: 8 additions & 0 deletions src/parser.c
Expand Up @@ -2177,6 +2177,14 @@ void ConfigUtc(Barnyard2Config *bc, char *args)
bc->output_flags |= OUTPUT_FLAG__USE_UTC;
}

void ConfigEventID(Barnyard2Config *bc, char *args)
{
if (bc == NULL)
return;

bc->output_flags |= OUTPUT_FLAG__ALERT_EVENTID;
}

void ConfigVerbose(Barnyard2Config *bc, char *args)
{
if (bc == NULL)
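Review bot: ConfigEventID ignores its `args` parameter, and the only caller in this PR (the new `case 'j':` in ParseCmdLine) passes NULL; that matches the ConfigUtc pattern directly above it, but nothing states the contract. A one-line comment above the definition, `/* -j takes no argument: args is unused and may be NULL */`, tells whoever later wires a config keyword to this function what it expects.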