Print [drop] as well for syslog output.

remotes/origin/master-1.1.x
Victor Julien 15 years ago
parent 0377ae0817
commit 8a390971e7

@ -54,6 +54,7 @@
#define DEFAULT_ALERT_SYSLOG_LEVEL LOG_ERR
#define MODULE_NAME "AlertSyslog"
extern uint8_t engine_mode;
static int alert_syslog_level = DEFAULT_ALERT_SYSLOG_LEVEL;
typedef struct AlertSyslogThread_ {
@ -245,6 +246,7 @@ TmEcode AlertSyslogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
{
AlertSyslogThread *ast = (AlertSyslogThread *)data;
int i;
char *action = "";
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
@ -261,18 +263,24 @@ TmEcode AlertSyslogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
if (pa->action == ACTION_DROP && IS_ENGINE_MODE_IPS(engine_mode)) {
action = "[Drop] ";
} else if (pa->action == ACTION_DROP) {
action = "[wDrop] ";
}
if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
syslog(alert_syslog_level, "[%" PRIu32 ":%" PRIu32 ":%"
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", pa->gid, pa->sid,
pa->rev, pa->msg, pa->class_msg, pa->prio,
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", action, pa->gid,
pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio,
known_proto[IPV4_GET_IPPROTO(p)], srcip, p->sp, dstip, p->dp);
} else {
syslog(alert_syslog_level, "[%" PRIu32 ":%" PRIu32 ":%"
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
" {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio,
IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
action, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
pa->prio, IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
}
}
SCMutexUnlock(&ast->file_ctx->fp_mutex);
@ -296,6 +304,7 @@ TmEcode AlertSyslogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
{
AlertSyslogThread *ast = (AlertSyslogThread *)data;
int i;
char *action = "";
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
@ -311,19 +320,25 @@ TmEcode AlertSyslogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
if (pa->action == ACTION_DROP && IS_ENGINE_MODE_IPS(engine_mode)) {
action = "[Drop] ";
} else if (pa->action == ACTION_DROP) {
action = "[wDrop] ";
}
if (SCProtoNameValid(IPV6_GET_L4PROTO(p)) == TRUE) {
syslog(alert_syslog_level, "[%" PRIu32 ":%" PRIu32 ":%"
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [Classification: %s] [Priority: %"
"" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
action, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
pa->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp,
dstip, p->dp);
} else {
syslog(alert_syslog_level, "[%" PRIu32 ":%" PRIu32 ":%"
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [Classification: %s] [Priority: %"
"" PRIu32 "] {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
action, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
}
@ -349,6 +364,7 @@ TmEcode AlertSyslogDecoderEvent(ThreadVars *tv, Packet *p, void *data,
{
AlertSyslogThread *ast = (AlertSyslogThread *)data;
int i;
char *action = "";
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
@ -364,9 +380,15 @@ TmEcode AlertSyslogDecoderEvent(ThreadVars *tv, Packet *p, void *data,
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
snprintf(temp_buf_hdr, sizeof(temp_buf_hdr), "[%" PRIu32 ":%" PRIu32
if (pa->action == ACTION_DROP && IS_ENGINE_MODE_IPS(engine_mode)) {
action = "[Drop] ";
} else if (pa->action == ACTION_DROP) {
action = "[wDrop] ";
}
snprintf(temp_buf_hdr, sizeof(temp_buf_hdr), "%s[%" PRIu32 ":%" PRIu32
":%" PRIu32 "] %s [Classification: %s] [Priority: %" PRIu32
"] [**] [Raw pkt: ", pa->gid, pa->sid, pa->rev, pa->msg,
"] [**] [Raw pkt: ", action, pa->gid, pa->sid, pa->rev, pa->msg,
pa->class_msg, pa->prio);
strlcpy(alert, temp_buf_hdr, sizeof(alert));
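Review bot: `action` is never reset between alerts, so in a packet carrying more than one alert a non-drop alert logged after a drop alert inherits the `[Drop] ` or `[wDrop] ` prefix: the variable is declared once at function scope as `char *action = "";`, and the new `if (pa->action == ACTION_DROP ...)` / `else if` chain inside the per-alert loop has no branch that sets it back to the empty string. The same shape appears in the AlertSyslogIPv4 and AlertSyslogIPv6 hunks; their loop heads are outside the hunk, but the per-alert `pa` use suggests the prefix logic sits inside the loop there too. Declaring it per iteration fixes this and also lets it be const-qualified, since only string literals are ever assigned: drop the function-scope declaration and make `const char *action = "";` the first statement of the loop body after `PacketAlert *pa = &p->alerts.alerts[i];`. For syslog consumers this matters because the drop marker is the only indication in the line of whether the packet was actually blocked. All three enclosing functions begin and end outside these hunks.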
