From 30f2c9c2ffcaa3990bda7f7ba70c3fd450bab731 Mon Sep 17 00:00:00 2001
From: "Russ Combs (rucombs)"
Date: Tue, 21 Nov 2017 10:30:17 -0500
Subject: [PATCH] Merge pull request #1074 in SNORT/snort3 from json_update to master
Squashed commit of the following:
commit b77eea3ec6a9545d4ca359b1586467cfd4ebcd9f
Author: Russ Combs (rucombs)
Date: Tue Nov 21 08:33:22 2017 -0500
snort2lua: tweak const name for clarity (internal)
commit 714bb45f048ba47c0ad766edec21ab6813bc78fd
Author: Russ Combs (rucombs)
Date: Tue Nov 21 07:45:22 2017 -0500
rules: default msg = "no msg in rule"
commit 9eba78b7f2d3bb4e89fba2b2f0fb95beb754857f
Author: Russ Combs (rucombs)
Date: Tue Nov 21 07:44:00 2017 -0500
alert_csv: various fixes to match alert_json eth_len: changed to decimal format msg: remove extra quotes seconds: new decimal field for unix-style timestamp
commit 2244c7d12ceb18e93aaa7ed449e134a42e1eb3fc
Author: Russ Combs (rucombs)
Date: Tue Nov 21 07:40:30 2017 -0500
alert_json: various fixes; thanks to Noah Dietrich for reporting the issues eth_len: changed to decimal format eth_type: changed to string format (hex value) msg: remove extra quotes seconds: new decimal field for unix-style timestamp
---
 extra/src/loggers/alert_json/alert_json.cc | 17 ++++++++++++-----
 src/loggers/alert_csv.cc | 17 +++++++++++++----
 src/parser/parse_rule.cc | 3 +++
 tools/snort2lua/helpers/converter.cc | 2 +-
 tools/snort2lua/helpers/util_binder.h | 4 ++--
 5 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/extra/src/loggers/alert_json/alert_json.cc b/extra/src/loggers/alert_json/alert_json.cc
index dcc872f71..062d06d4e 100644
--- a/extra/src/loggers/alert_json/alert_json.cc
+++ b/extra/src/loggers/alert_json/alert_json.cc
@@ -202,7 +202,7 @@ static bool ff_eth_len(Args& a)
 return false;
 print_label(a, "eth_len");
- TextLog_Print(json_log, "0x%X", a.pkt->pkth->pktlen);
+ TextLog_Print(json_log, "%u", a.pkt->pkth->pktlen);
 return true;
 }
@@ -228,7 +228,7 @@ static bool ff_eth_type(Args& a)
 const eth::EtherHdr* eh = layer::get_eth_layer(a.pkt);
 print_label(a, "eth_type");
- TextLog_Print(json_log, "0x%X", ntohs(eh->ether_type));
+ TextLog_Print(json_log, "\"0x%X\"", ntohs(eh->ether_type));
 return true;
 }
@@ -315,7 +315,7 @@ static bool ff_ip_len(Args& a)
 static bool ff_msg(Args& a)
 {
 print_label(a, "msg");
- TextLog_Quote(json_log, a.msg);
+ TextLog_Puts(json_log, a.msg);
 return true;
 }
@@ -394,6 +394,13 @@ static bool ff_rule(Args& a)
 return true;
 }
+static bool ff_seconds(Args& a)
+{
+ print_label(a, "seconds");
+ TextLog_Print(json_log, "%u", a.pkt->pkth->ts.tv_sec);
+ return true;
+}
+
 static bool ff_service(Args& a)
 {
 const char* svc = "unknown";
@@ -599,7 +606,7 @@ static const JsonFunc json_func[] =
 ff_dst_port, ff_eth_dst, ff_eth_len, ff_eth_src, ff_eth_type, ff_gid,
 ff_icmp_code, ff_icmp_id, ff_icmp_seq, ff_icmp_type, ff_iface, ff_ip_id,
 ff_ip_len, ff_msg, ff_mpls, ff_pkt_gen, ff_pkt_len, ff_pkt_num, ff_priority,
- ff_proto, ff_rev, ff_rule, ff_service, ff_sid, ff_src_addr, ff_src_ap,
+ ff_proto, ff_rev, ff_rule, ff_seconds, ff_service, ff_sid, ff_src_addr, ff_src_ap,
 ff_src_port, ff_target, ff_tcp_ack, ff_tcp_flags, ff_tcp_len, ff_tcp_seq,
 ff_tcp_win, ff_timestamp, ff_tos, ff_ttl, ff_udp_len, ff_vlan
 };
@@ -609,7 +616,7 @@ static const JsonFunc json_func[] =
 "dst_port | eth_dst | eth_len | eth_src | eth_type | gid | " \
 "icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | " \
 "ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | " \
- "proto | rev | rule | service | sid | src_addr | src_ap | " \
+ "proto | rev | rule | seconds | service | sid | src_addr | src_ap | " \
 "src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | " \
 "tcp_win | timestamp | tos | ttl | udp_len | vlan"
diff --git a/src/loggers/alert_csv.cc b/src/loggers/alert_csv.cc
index 49bf58e78..34d42633e 100644
--- a/src/loggers/alert_csv.cc
+++ b/src/loggers/alert_csv.cc
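Review bot: `TextLog_Puts(json_log, a.msg)` in ff_msg writes the rule message into the record verbatim, so the line is well-formed JSON only if every rule's msg text already carries its surrounding quotes and contains nothing that needs escaping; the TextLog_Quote it replaces added the quotes and, if it escapes embedded `"` and `\` as its name suggests, also protected the record from those. A msg with a control character, a stray backslash or an embedded quote now yields a malformed JSON line that a downstream consumer (SIEM ingestion, jq) rejects or splits into the wrong fields, so rule text decides whether the log stays parseable. I'd strip the stored quotes here and write the body through a small JSON escaper, as sketched below (it assumes a.msg holds the raw text between the rule's quotes; if the parser keeps rule-text escapes intact those need unescaping first). ff_msg in src/loggers/alert_csv.cc has the same problem under a different rule (CSV doubles an embedded quote), and the ff_b64_data quoting there is fine because the base64 alphabet contains neither `"` nor `,`.
```cpp
// Write s as a JSON string literal: wrap in quotes and escape the bytes that
// TextLog_Puts would otherwise copy through unchanged.
static void put_json_string(TextLog* log, const char* s)
{
    TextLog_Putc(log, '"');
    for ( ; *s; ++s )
    {
        const unsigned char c = static_cast<unsigned char>(*s);
        if ( c == '"' or c == '\\' )
        {
            TextLog_Putc(log, '\\');
            TextLog_Putc(log, static_cast<char>(c));
        }
        else if ( c < 0x20 )
            TextLog_Print(log, "\\u%04X", c);
        else
            TextLog_Putc(log, static_cast<char>(c));
    }
    TextLog_Putc(log, '"');
}

static bool ff_msg(Args& a)
{
    print_label(a, "msg");
    // the parser keeps the rule's own quotes around msg;
    // drop them so the quotes added by put_json_string are the only ones
    std::string body(a.msg);
    if ( body.size() >= 2 and body.front() == '"' and body.back() == '"' )
        body = body.substr(1, body.size() - 2);
    put_json_string(json_log, body.c_str());
    return true;
}
```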
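Review bot: `TextLog_Print(json_log, "%u", a.pkt->pkth->ts.tv_sec)` in the new ff_seconds passes a `time_t` (a 64-bit `long` on the usual LP64 targets) to a `%u` conversion, which is undefined behaviour and a -Wformat warning; it only appears to work because little-endian varargs happen to hand the low 32 bits to printf. Use a conversion that matches the argument, e.g. `TextLog_Print(json_log, "%lld", (long long)a.pkt->pkth->ts.tv_sec);` (or `PRIu64` with a `uint64_t` cast if the file already pulls in <cinttypes>). The ff_seconds added to src/loggers/alert_csv.cc in this same commit has the identical mismatch and should get the same fix.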
@@ -89,6 +89,8 @@ static void ff_b64_data(Args& a)
 unsigned nin = 0;
 Base64Encoder b64;
+ TextLog_Putc(csv_log, '"');
+
 while ( nin < a.pkt->dsize )
 {
 unsigned kin = min(a.pkt->dsize-nin, block_size);
@@ -99,6 +101,8 @@ static void ff_b64_data(Args& a)
 if ( unsigned kout = b64.finish(out) )
 TextLog_Write(csv_log, out, kout);
+
+ TextLog_Putc(csv_log, '"');
 }
 static void ff_dir(Args& a)
@@ -158,7 +162,7 @@ static void ff_eth_len(Args& a)
 if ( !(a.pkt->proto_bits & PROTO_BIT__ETH) )
 return;
- TextLog_Print(csv_log, "0x%X", a.pkt->pkth->pktlen);
+ TextLog_Print(csv_log, "%u", a.pkt->pkth->pktlen);
 }
 static void ff_eth_src(Args& a)
@@ -230,7 +234,7 @@ static void ff_ip_len(Args& a)
 static void ff_msg(Args& a)
 {
- TextLog_Quote(csv_log, a.msg);
+ TextLog_Puts(csv_log, a.msg);
 }
 static void ff_mpls(Args& a)
@@ -288,6 +292,11 @@ static void ff_rule(Args& a)
 a.event.sig_info->gid, a.event.sig_info->sid, a.event.sig_info->rev);
 }
+static void ff_seconds(Args& a)
+{
+ TextLog_Print(csv_log, "%u", a.pkt->pkth->ts.tv_sec);
+}
+
 static void ff_service(Args& a)
 {
 const char* svc = "unknown";
@@ -428,7 +437,7 @@ static const CsvFunc csv_func[] =
 ff_dst_port, ff_eth_dst, ff_eth_len, ff_eth_src, ff_eth_type, ff_gid,
 ff_icmp_code, ff_icmp_id, ff_icmp_seq, ff_icmp_type, ff_iface, ff_ip_id,
 ff_ip_len, ff_msg, ff_mpls, ff_pkt_gen, ff_pkt_len, ff_pkt_num, ff_priority,
- ff_proto, ff_rev, ff_rule, ff_service, ff_sid, ff_src_addr, ff_src_ap,
+ ff_proto, ff_rev, ff_rule, ff_seconds, ff_service, ff_sid, ff_src_addr, ff_src_ap,
 ff_src_port, ff_target, ff_tcp_ack, ff_tcp_flags, ff_tcp_len, ff_tcp_seq,
 ff_tcp_win, ff_timestamp, ff_tos, ff_ttl, ff_udp_len, ff_vlan
 };
@@ -438,7 +447,7 @@ static const CsvFunc csv_func[] =
 "dst_port | eth_dst | eth_len | eth_src | eth_type | gid | " \
 "icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | " \
 "ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | " \
- "proto | rev | rule | service | sid | src_addr | src_ap | " \
+ "proto | rev | rule | seconds | service | sid | src_addr | src_ap | " \
 "src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | " \
 "tcp_win | timestamp | tos | ttl | udp_len | vlan"
diff --git a/src/parser/parse_rule.cc b/src/parser/parse_rule.cc
index ee40f0355..47b08f9ea 100644
--- a/src/parser/parse_rule.cc
+++ b/src/parser/parse_rule.cc
@@ -1274,6 +1274,9 @@ const char* parse_rule_close(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* ot
 if ( !otn_dup )
 otn->ruleIndex = parser_get_rule_index(otn->sigInfo.gid, otn->sigInfo.sid);
+ if ( !otn->sigInfo.message )
+ otn->sigInfo.message = snort_strdup("\"no msg in rule\""); // yes, stored as "msg"
+
 OptFpList* fpl = AddOptFuncToList(OptListEnd, otn);
 fpl->type = RULE_OPTION_TYPE_LEAF_NODE;
diff --git a/tools/snort2lua/helpers/converter.cc b/tools/snort2lua/helpers/converter.cc
index fd89184de..6d6a0ce59 100644
--- a/tools/snort2lua/helpers/converter.cc
+++ b/tools/snort2lua/helpers/converter.cc
@@ -362,7 +362,7 @@ int Converter::convert(const std::string& input,
 // add binding for wizard at bottom of table
 auto& wiz = make_binder();
 wiz.set_use_type("wizard");
- wiz.set_priority(Binder::MAX_PRIORITY);
+ wiz.set_priority(Binder::PRIORITY_LAST);
 }
 add_bindings();
diff --git a/tools/snort2lua/helpers/util_binder.h b/tools/snort2lua/helpers/util_binder.h
index 3ccb43647..1b271955e 100644
--- a/tools/snort2lua/helpers/util_binder.h
+++ b/tools/snort2lua/helpers/util_binder.h
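Review bot: The default `snort_strdup("\"no msg in rule\"")` in parse_rule_close bakes the "message is stored with its surrounding quotes" convention into a second place, and the trailing `// yes, stored as "msg"` comment states the fact without the reason; the loggers changed in this same commit (ff_msg in alert_json.cc and alert_csv.cc now call TextLog_Puts) depend on exactly that convention, so the contract deserves to be spelled out where it is established. I'd replace the comment with `// sigInfo.message keeps the quotes from the rule's msg option; the loggers print it verbatim, so the default must carry them too`. Since sigInfo.message is guaranteed non-null from this point on, any later null checks on it are presumably redundant now, though that cannot be confirmed from the hunk. parse_rule_close begins before this hunk.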
@@ -51,7 +51,7 @@ public:
 void print_binding(bool should_print) { printed = !should_print; }
- static const unsigned MAX_PRIORITY = UINT_MAX;
+ static const unsigned PRIORITY_LAST = UINT_MAX;
 void set_priority(unsigned);
 unsigned get_priority();
@@ -139,7 +139,7 @@ private:
 bool printed = false; // ensures that the binding is added once,
 // by either the destructor or user
- unsigned priority = MAX_PRIORITY;
+ unsigned priority = PRIORITY_LAST;
 int when_ips_policy_id = -1;
 std::string when_service;
-- 
2.47.3