Changeset 1589
- Timestamp:
- 03/06/08 09:03:10 (7 months ago)
- Files:
-
- nebula/trunk/src/sig.c (modified) (6 diffs)
- nebula/trunk/src/sig.h (modified) (1 diff)
nebula/trunk/src/sig.c
r1588 r1589 71 71 72 72 73 //void build_sig(cluster *cl, stree *t, lcatbl *lca_table, substr_list list, stnode **leaves, ssize_t num_leaves, ssize_t min_len, double min_ent, sigtype stype) {74 73 void build_sig(signature *sig, stree *t, lcatbl *lca_table, stnode **leaves, ssize_t num_leaves, ssize_t min_len, double min_ent) { 75 74 int i, j, printable, printed_chars; … … 223 222 if (rules_file) { 224 223 // append snort signature to rules file 225 if (append_snortsig_to_rulefile(rules_file, t, sig ->cl, seglist, num_frags) > 0) {224 if (append_snortsig_to_rulefile(rules_file, t, sig, seglist, num_frags) > 0) { 226 225 if (snort_pid) { 227 226 printf("[#] forcing snort to reload rule set\n"); … … 518 517 list_substrings(gst, sig.cstr_list.elem[i].n, sig.cstr_list.elem[i].len); 519 518 520 // build_sig(cl, gst, lca_table, cstr_list, leaves, num_leaves, min_sstr_len, min_sstr_ent, SIG_SNORT);521 519 build_sig(&sig, gst, lca_table, leaves, num_leaves, min_sstr_len, min_sstr_ent); 522 520 … … 535 533 536 534 537 int append_snortsig_to_rulefile(const char *filename, const stree *t, const cluster *cl, const sseg *seglist, const ssize_t num_frags) {535 int append_snortsig_to_rulefile(const char *filename, const stree *t, const signature *sig, const sseg *seglist, const ssize_t num_frags) { 538 536 int i, j, printable; 539 537 FILE *rfile; … … 547 545 } 548 546 549 fprintf(rfile, "#-------------------------------------------------------------------------------------------------------\n"); 550 fprintf(rfile, "\nalert tcp any any -> any any (msg: \"nebula rule %u rev. 
%u\";", cl->sig_id, cl->sig_rev); 547 fprintf(rfile, "#-----------------------------------------------------------------------------------------------------------------------\n"); 548 549 // protocol info 550 if (sig->proto_type == SIGPROTO_UDP) { 551 fprintf(rfile, "alert udp "); 552 } else { 553 fprintf(rfile, "alert tcp "); 554 } 555 556 // port info 557 if (sig->port_type == SIGPORT_UNIQ && sig->port) { 558 fprintf(rfile, "any any -> $HOME_NET %u (msg: \"nebula rule %u rev. %u\";", sig->port, sig->cl->sig_id, sig->cl->sig_rev); 559 } else { 560 fprintf(rfile, "any any -> $HOME_NET any (msg: \"nebula rule %u rev. %u\";", sig->cl->sig_id, sig->cl->sig_rev); 561 } 562 551 563 if (num_frags) { 552 564 fprintf(rfile, " \\\n content: \""); … … 622 634 (long unsigned int) seglist[i-1].max_off + seglist[i-1].len - seglist[i].min_off); 623 635 } 624 fprintf(rfile, " \\\n sid: %u; rev: %u;)\n", cl->sig_id,cl->sig_rev);636 fprintf(rfile, " \\\n sid: %u; rev: %u;)\n", sig->cl->sig_id, sig->cl->sig_rev); 625 637 } 626 638 nebula/trunk/src/sig.h
r1588 r1589 93 93 void *pt_siggen(void *cl); 94 94 void build_sig(signature *sig, stree *t, lcatbl *lca_table, stnode **leaves, ssize_t num_leaves, ssize_t min_len, double min_ent); 95 int append_snortsig_to_rulefile(const char *filename, const stree *t, const cluster *cl, const sseg *seglist, const ssize_t num_frags);95 int append_snortsig_to_rulefile(const char *filename, const stree *t, const signature *sig, const sseg *seglist, const ssize_t num_frags); 96 96 97 97 #endif
