From a8f8d7ffd2a84cfbd36fb99d78693d1fc59b729d Mon Sep 17 00:00:00 2001 From: "Russ Combs (rucombs)" Date: Sat, 9 Feb 2019 11:54:26 -0500 Subject: [PATCH] Merge pull request #1492 in SNORT/snort3 from ~BRASTULT/snort3:talos_logger to master Squashed commit of the following: commit 3219d7e23f37c8a36b1603aa1891518cce9f7bc0 Author: Brandon Stultz Date: Sat Feb 9 01:11:05 2019 -0500 loggers: alert_talos: fix copyright, warnings commit af79e3104b64985339760317b88dd276e7bee0e6 Author: Brandon Stultz Date: Fri Feb 8 15:30:20 2019 -0500 loggers: alert_talos: fix include order commit c0fa5704c52d94190f56420bd6b1e2385555a211 Author: Brandon Stultz Date: Thu Feb 7 21:01:02 2019 -0500 loggers: alert_talos: fix cppcheck error commit 6ae83d3b266de5aedf0fd7a688973909ab79435a Author: Brandon Stultz Date: Thu Feb 7 16:55:38 2019 -0500 loggers: alert_talos: fix copyright, author, unneeded check commit 1ebfbd0ebf38b4141308eacfabfcf4e8d5e70460 Merge: 7b17578d2a 7a4dd7ac12 Author: Brandon Stultz Date: Thu Feb 7 13:15:44 2019 -0500 Merge branch 'master' into talos_logger commit 7b17578d2ae062d3efc369a042aa8ef223b0763c Author: Brandon Stultz Date: Mon Feb 4 17:41:22 2019 -0500 loggers: alert_talos: fix memory leak commit 9519e233898511d8fb4efa3d41fbaf63d76f467b Author: Brandon Stultz Date: Tue Jan 22 17:07:46 2019 -0500 loggers: add alert_talos, use in talos tweak --- lua/talos.lua | 1 - src/loggers/CMakeLists.txt | 2 + src/loggers/alert_talos.cc | 242 +++++++++++++++++++++++++++++++++++++ src/loggers/loggers.cc | 2 + src/main/snort_module.cc | 2 +- 5 files changed, 247 insertions(+), 2 deletions(-) create mode 100644 src/loggers/alert_talos.cc diff --git a/lua/talos.lua b/lua/talos.lua index d1de13f79..42a57c5ed 100644 --- a/lua/talos.lua +++ b/lua/talos.lua @@ -12,7 +12,6 @@ normalizer = { tcp = { ips = true } } ips.include = 'local.rules' -alert_fast = { packet = true } alerts = { alert_with_interface_name = true } profiler = 
diff --git a/src/loggers/CMakeLists.txt b/src/loggers/CMakeLists.txt
index d0feabd8b..9090e6eba 100644
--- a/src/loggers/CMakeLists.txt
+++ b/src/loggers/CMakeLists.txt
@@ -13,6 +13,7 @@ set (PLUGIN_LIST
 alert_full.cc
 alert_json.cc
 alert_syslog.cc
+ alert_talos.cc
 alert_unixsock.cc
 log_hext.cc
 log_pcap.cc
@@ -37,6 +38,7 @@ else (STATIC_LOGGERS)
 add_dynamic_module(alert_full loggers alert_full.cc)
 add_dynamic_module(alert_json loggers alert_json.cc)
 add_dynamic_module(alert_syslog loggers alert_syslog.cc)
+ add_dynamic_module(alert_talos loggers alert_talos.cc)
 add_dynamic_module(alert_unixsock loggers alert_unixsock.cc)
 add_dynamic_module(log_hext loggers log_hext.cc)
 add_dynamic_module(log_pcap loggers log_pcap.cc)
diff --git a/src/loggers/alert_talos.cc b/src/loggers/alert_talos.cc
new file mode 100644
index 000000000..db6bff1d7
--- /dev/null
+++ b/src/loggers/alert_talos.cc
@@ -0,0 +1,242 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2019-2019 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// alert_talos.cc author Brandon Stultz
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include
+#include
+#include
+#include
+#include
+
+#include "detection/signature.h"
+#include "events/event.h"
+#include "framework/logger.h"
+#include "framework/module.h"
+#include "packet_io/sfdaq.h"
+
+using namespace snort;
+using namespace std;
+
+struct AlertLog
+{
+ string name;
+ struct Rule
+ {
+ void print();
+ string key;
+ string msg;
+ uint32_t gid;
+ uint32_t sid;
+ uint32_t rev;
+ unsigned count;
+ };
+ map alerts;
+};
+
+static THREAD_LOCAL AlertLog* talos_log = nullptr;
+
+void AlertLog::Rule::print()
+{
+ string color, reset;
+
+ if ( isatty(fileno(stdout)) )
+ {
+ reset = "\x1b[0m";
+
+ switch (gid)
+ {
+ case 1:
+ color = "\x1b[31m";
+ break;
+ case 3:
+ color = "\x1b[32m";
+ break;
+ default:
+ color = "\x1b[33m";
+ break;
+ }
+ }
+
+ cout << "\t" << key << " " << color
+ << msg << reset << " (alerts: "
+ << count << ")" << endl;
+}
+
+//-------------------------------------------------------------------------
+// module stuff
+//-------------------------------------------------------------------------
+
+static const Parameter s_params[] =
+{
+ { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
+};
+
+#define S_NAME "alert_talos"
+#define s_help "output event in Talos alert format"
+
+class TalosModule : public Module
+{
+public:
+ TalosModule() : Module(S_NAME, s_help, s_params) { }
+};
+
+//-------------------------------------------------------------------------
+// logger stuff
+//-------------------------------------------------------------------------
+
+class TalosLogger : public Logger
+{
+public:
+ TalosLogger(TalosModule*) { }
+
+ void open() override;
+ void close() override;
+
+ void alert(Packet*, const char* msg, const Event&) override;
+};
+
+void TalosLogger::open()
+{
+ talos_log = new AlertLog;
+
+ string ifname = string(SFDAQ::get_interface_spec());
+ size_t sep_pos = ifname.find_last_of("/\\");
+
+ if ( sep_pos != string::npos )
+ ifname = ifname.substr(sep_pos+1);
+
+ talos_log->name = ifname;
+}
+
+void TalosLogger::close()
+{
+ if ( !talos_log )
+ return;
+
+ auto& alerts = talos_log->alerts;
+
+ cout << endl << "##### " << talos_log->name << " #####" << endl;
+
+ if ( alerts.size() == 0 )
+ {
+ cout << "\tNo alerts" << endl;
+ }
+
+ for ( auto& kv : alerts )
+ {
+ kv.second.print();
+ }
+
+ cout << "#####" << endl;
+
+ delete talos_log;
+}
+
+void TalosLogger::alert(Packet*, const char* msg, const Event& event)
+{
+ auto& alerts = talos_log->alerts;
+ AlertLog::Rule rule;
+ stringstream key;
+ string message;
+
+ key << "["
+ << event.sig_info->gid << ":"
+ << event.sig_info->sid << ":"
+ << event.sig_info->rev
+ << "]";
+
+ auto rule_iter = alerts.find(key.str());
+
+ // check if rule is in alert map
+ if ( rule_iter != alerts.end() )
+ {
+ // rule in alert map, increment count
+ rule_iter->second.count += 1;
+ return;
+ }
+
+ message = string(msg);
+
+ if ( message.length() < 2 )
+ return;
+
+ // remove quotes
+ message.erase(0,1);
+ message.pop_back();
+
+ rule.key = key.str();
+ rule.msg = message;
+ rule.gid = event.sig_info->gid;
+ rule.sid = event.sig_info->sid;
+ rule.rev = event.sig_info->rev;
+ rule.count = 1;
+
+ // rule not in map, add it
+ alerts[key.str()] = rule;
+}
+
+//-------------------------------------------------------------------------
+// api stuff
+//-------------------------------------------------------------------------
+
+static Module* mod_ctor()
+{ return new TalosModule; }
+
+static void mod_dtor(Module* m)
+{ delete m; }
+
+static Logger* talos_ctor(SnortConfig*, Module* mod)
+{ return new TalosLogger((TalosModule*)mod); }
+
+static void talos_dtor(Logger* p)
+{ delete p; }
+
+static LogApi talos_api
+{
+ {
+ PT_LOGGER,
+ sizeof(LogApi),
+ LOGAPI_VERSION,
+ 0,
+ API_RESERVED,
+ API_OPTIONS,
+ S_NAME,
+ s_help,
+ mod_ctor,
+ mod_dtor
+ },
+ OUTPUT_TYPE_FLAG__ALERT,
+ talos_ctor,
+ talos_dtor
+};
+
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
+const BaseApi* alert_talos[] =
+#endif
+{
+ &talos_api.base,
+ nullptr
+};
+
diff --git a/src/loggers/loggers.cc b/src/loggers/loggers.cc
index 1c265c956..b0e9e4707 100644
--- a/src/loggers/loggers.cc
+++ b/src/loggers/loggers.cc
@@ -38,6 +38,7 @@ extern const BaseApi* alert_fast[];
 extern const BaseApi* alert_full[];
 extern const BaseApi* alert_json[];
 extern const BaseApi* alert_syslog[];
+extern const BaseApi* alert_talos[];
 extern const BaseApi* alert_unixsock[];
 extern const BaseApi* log_hext[];
 extern const BaseApi* log_pcap[];
@@ -57,6 +58,7 @@ void load_loggers()
 PluginManager::load_plugins(alert_full);
 PluginManager::load_plugins(alert_json);
 PluginManager::load_plugins(alert_syslog);
+ PluginManager::load_plugins(alert_talos);
 PluginManager::load_plugins(alert_unixsock);
 // loggers
diff --git a/src/main/snort_module.cc b/src/main/snort_module.cc
index 9e90b6dc9..83d5b1219 100644
--- a/src/main/snort_module.cc
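Review bot: `TalosLogger::close()` deletes `talos_log` but never resets the thread-local pointer, so its `if ( !talos_log ) return;` guard only protects the first call and a second `close()` would double-free, while `TalosLogger::alert()` dereferences `talos_log` with no check at all, so an alert delivered after `close()` (or before `open()`) is a null or dangling dereference. End `close()` with `delete talos_log; talos_log = nullptr;` and open `alert()` with `if ( !talos_log ) return;`. In `alert()` the "remove quotes" step strips the first and last character of `msg` whether or not they are quote marks, so an unquoted message would lose two real characters; testing `message.front() == '"' && message.back() == '"'` before erasing keeps the intent explicit. `alerts[key.str()] = rule;` value-initialises a `Rule` and then copy-assigns over it, where `alerts.emplace(rule.key, std::move(rule))` does a single insert, and the raw `new AlertLog` / `delete` pair would be simpler as a `std::unique_ptr<AlertLog>`, which makes the reset on close automatic.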
+++ b/src/main/snort_module.cc
@@ -955,7 +955,7 @@ bool SnortModule::set(const char*, Value& v, SnortConfig* sc)
 {
 sc->set_tweaks("talos");
 sc->run_flags |= RUN_FLAG__INLINE;
- sc->set_quiet(true);
+ sc->set_alert_mode("talos");
 }
 else if ( v.is("--treat-drop-as-alert") )
 sc->set_treat_drop_as_alert(true);
-- 
2.47.3
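Review bot: Replacing `sc->set_quiet(true);` with `sc->set_alert_mode("talos");` also drops quiet mode for the `--talos` tweak, and neither the commit message nor the hunk says that was intended; if the goal is only to select the new logger, keep both lines: `sc->set_quiet(true);` followed by `sc->set_alert_mode("talos");`. If quiet mode was removed deliberately, presumably because the new alert_talos logger writes its summary to stdout, a one-line comment such as `// not quiet: alert_talos prints its summary to stdout` would stop the next reader from restoring it. The enclosing `SnortModule::set` starts and ends outside this hunk.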