alert-prelude: correctly set Source and Target

IDMEF alert contains two entities named Source and Target that are
defined using common language:
* "The Source class contains information about the possible source(s) of
   the event(s) that generated an alert."
* "The Target class contains information about the possible target(s) of
   the event(s) that generated an alert."

Previous alerts event were not following that so we can updated the code
when we know the direction thanks to the metadata field.

diff --git a/src/alert-prelude.c b/src/alert-prelude.c
index e9caacabccae43ff643b573dc1e0191e478bd479..97d70ad6d47b41146ac11ad9668d68d993fca9ad 100644 (file)
--- a/src/alert-prelude.c
+++ b/src/alert-prelude.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2014 Open Information Security Foundation
+/* Copyright (C) 2007-2017 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -255,7 +255,8 @@ static int EventToImpact(const PacketAlert *pa, const Packet *p, idmef_alert_t *
  *
  * \return 0 if ok
  */
-static int EventToSourceTarget(const Packet *p, idmef_alert_t *alert)
+static int EventToSourceTarget(const PacketAlert *pa, const Packet *p,
+                               idmef_alert_t *alert)
 {
     int ret;
     idmef_node_t *node;
@@ -267,6 +268,8 @@ static int EventToSourceTarget(const Packet *p, idmef_alert_t *alert)
     static char saddr[128], daddr[128];
     uint8_t ip_vers;
     uint8_t ip_proto;
+    uint16_t sp, dp;
+    uint8_t invert = 0;
 
     SCEnter();
 
@@ -276,16 +279,45 @@ static int EventToSourceTarget(const Packet *p, idmef_alert_t *alert)
     if ( ! IPH_IS_VALID(p) )
         SCReturnInt(0);
 
+    if (pa->s->flags & SIG_FLAG_HAS_TARGET) {
+        if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
+            invert = 1;
+        } else {
+            invert = 0;
+        }
+    } else {
+        invert = 0;
+    }
+
     if (PKT_IS_IPV4(p)) {
         ip_vers = 4;
         ip_proto = IPV4_GET_RAW_IPPROTO(p->ip4h);
-        PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), saddr, sizeof(saddr));
-        PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), daddr, sizeof(daddr));
+        if (invert) {
+            PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), saddr, sizeof(saddr));
+            PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), daddr, sizeof(daddr));
+            sp = p->dp;
+            dp = p->sp;
+        } else {
+            PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), saddr, sizeof(saddr));
+            PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), daddr, sizeof(daddr));
+            sp = p->sp;
+            dp = p->dp;
+
+        }
     } else if (PKT_IS_IPV6(p)) {
         ip_vers = 6;
         ip_proto = IPV6_GET_L4PROTO(p);
-        PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), saddr, sizeof(saddr));
-        PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), daddr, sizeof(daddr));
+        if (invert) {
+            PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), saddr, sizeof(saddr));
+            PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), daddr, sizeof(daddr));
+            sp = p->dp;
+            dp = p->sp;
+        } else {
+            PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), saddr, sizeof(saddr));
+            PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), daddr, sizeof(daddr));
+            sp = p->sp;
+            dp = p->dp;
+        }
     } else
         SCReturnInt(0);
 
@@ -298,7 +330,7 @@ static int EventToSourceTarget(const Packet *p, idmef_alert_t *alert)
         SCReturnInt(ret);
 
     if ( p->tcph || p->udph )
-        idmef_service_set_port(service, p->sp);
+        idmef_service_set_port(service, sp);
 
     idmef_service_set_ip_version(service, ip_vers);
     idmef_service_set_iana_protocol_number(service, ip_proto);
@@ -326,7 +358,7 @@ static int EventToSourceTarget(const Packet *p, idmef_alert_t *alert)
         SCReturnInt(ret);
 
     if ( p->tcph || p->udph )
-        idmef_service_set_port(service, p->dp);
+        idmef_service_set_port(service, dp);
 
     idmef_service_set_ip_version(service, ip_vers);
     idmef_service_set_iana_protocol_number(service, ip_proto);
@@ -910,7 +942,7 @@ static int AlertPreludeLogger(ThreadVars *tv, void *thread_data, const Packet *p
     if (unlikely(ret < 0))
         goto err;
 
-    ret = EventToSourceTarget(p, alert);
+    ret = EventToSourceTarget(pa, p, alert);
     if (unlikely(ret < 0))
         goto err;