Revision 20dcac61
Added by SARRAZIN Théo about 2 years ago
| src/etc/inc/syslog.inc | ||
|---|---|---|
| 1096 | 1096 |
$flent['srcip'] = $rule_data[$field++]; |
| 1097 | 1097 |
$flent['dstip'] = $rule_data[$field++]; |
| 1098 | 1098 |
|
| 1099 |
if ($flent['protoid'] == '6' || $flent['protoid'] == '17') { // TCP or UDP
|
|
| 1100 |
$flent['srcport'] = $rule_data[$field++]; |
|
| 1101 |
$flent['dstport'] = $rule_data[$field++]; |
|
| 1102 |
|
|
| 1103 |
$flent['src'] = $flent['srcip'] . ':' . $flent['srcport']; |
|
| 1104 |
$flent['dst'] = $flent['dstip'] . ':' . $flent['dstport']; |
|
| 1105 |
|
|
| 1106 |
$flent['datalen'] = $rule_data[$field++]; |
|
| 1107 |
if ($flent['protoid'] == '6') { // TCP
|
|
| 1108 |
$flent['tcpflags'] = $rule_data[$field++]; |
|
| 1109 |
$flent['seq'] = $rule_data[$field++]; |
|
| 1110 |
$flent['ack'] = $rule_data[$field++]; |
|
| 1111 |
$flent['window'] = $rule_data[$field++]; |
|
| 1112 |
$flent['urg'] = $rule_data[$field++]; |
|
| 1113 |
$flent['options'] = explode(";", $rule_data[$field++]);
|
|
| 1114 |
} |
|
| 1115 |
} else if ($flent['protoid'] == '1' || $flent['protoid'] == '58') { // ICMP (IPv4 & IPv6)
|
|
| 1116 |
$flent['src'] = $flent['srcip']; |
|
| 1117 |
$flent['dst'] = $flent['dstip']; |
|
| 1118 |
|
|
| 1119 |
$flent['icmp_type'] = $rule_data[$field++]; |
|
| 1120 |
|
|
| 1121 |
switch ($flent['icmp_type']) {
|
|
| 1122 |
case "request": |
|
| 1123 |
case "reply": |
|
| 1124 |
$flent['icmp_id'] = $rule_data[$field++]; |
|
| 1125 |
$flent['icmp_seq'] = $rule_data[$field++]; |
|
| 1126 |
break; |
|
| 1127 |
case "unreachproto": |
|
| 1128 |
$flent['icmp_dstip'] = $rule_data[$field++]; |
|
| 1129 |
$flent['icmp_protoid'] = $rule_data[$field++]; |
|
| 1130 |
break; |
|
| 1131 |
case "unreachport": |
|
| 1132 |
$flent['icmp_dstip'] = $rule_data[$field++]; |
|
| 1133 |
$flent['icmp_protoid'] = $rule_data[$field++]; |
|
| 1134 |
$flent['icmp_port'] = $rule_data[$field++]; |
|
| 1135 |
break; |
|
| 1136 |
case "unreach": |
|
| 1137 |
case "timexceed": |
|
| 1138 |
case "paramprob": |
|
| 1139 |
case "redirect": |
|
| 1140 |
case "maskreply": |
|
| 1141 |
$flent['icmp_descr'] = $rule_data[$field++]; |
|
| 1142 |
break; |
|
| 1143 |
case "needfrag": |
|
| 1144 |
$flent['icmp_dstip'] = $rule_data[$field++]; |
|
| 1145 |
$flent['icmp_mtu'] = $rule_data[$field++]; |
|
| 1146 |
break; |
|
| 1147 |
case "tstamp": |
|
| 1148 |
$flent['icmp_id'] = $rule_data[$field++]; |
|
| 1149 |
$flent['icmp_seq'] = $rule_data[$field++]; |
|
| 1150 |
break; |
|
| 1151 |
case "tstampreply": |
|
| 1152 |
$flent['icmp_id'] = $rule_data[$field++]; |
|
| 1153 |
$flent['icmp_seq'] = $rule_data[$field++]; |
|
| 1154 |
$flent['icmp_otime'] = $rule_data[$field++]; |
|
| 1155 |
$flent['icmp_rtime'] = $rule_data[$field++]; |
|
| 1156 |
$flent['icmp_ttime'] = $rule_data[$field++]; |
|
| 1157 |
break; |
|
| 1158 |
default : |
|
| 1159 |
$flent['icmp_descr'] = $rule_data[$field++]; |
|
| 1160 |
break; |
|
| 1161 |
} |
|
| 1162 |
|
|
| 1163 |
} else if ($flent['protoid'] == '2') { // IGMP
|
|
| 1164 |
$flent['src'] = $flent['srcip']; |
|
| 1165 |
$flent['dst'] = $flent['dstip']; |
|
| 1166 |
} else if ($flent['protoid'] == '112') { // CARP
|
|
| 1167 |
$flent['type'] = $rule_data[$field++]; |
|
| 1168 |
$flent['ttl'] = $rule_data[$field++]; |
|
| 1169 |
$flent['vhid'] = $rule_data[$field++]; |
|
| 1170 |
$flent['version'] = $rule_data[$field++]; |
|
| 1171 |
$flent['advskew'] = $rule_data[$field++]; |
|
| 1172 |
$flent['advbase'] = $rule_data[$field++]; |
|
| 1173 |
$flent['src'] = $flent['srcip']; |
|
| 1174 |
$flent['dst'] = $flent['dstip']; |
|
| 1099 |
switch($flent['protoid']) {
|
|
| 1100 |
case '6': |
|
| 1101 |
case '17': // TCP or UDP |
|
| 1102 |
$flent['srcport'] = $rule_data[$field++]; |
|
| 1103 |
$flent['dstport'] = $rule_data[$field++]; |
|
| 1104 |
|
|
| 1105 |
$flent['src'] = $flent['srcip'] . ':' . $flent['srcport']; |
|
| 1106 |
$flent['dst'] = $flent['dstip'] . ':' . $flent['dstport']; |
|
| 1107 |
|
|
| 1108 |
$flent['datalen'] = $rule_data[$field++]; |
|
| 1109 |
if ($flent['protoid'] == '6') { // TCP
|
|
| 1110 |
$flent['tcpflags'] = $rule_data[$field++]; |
|
| 1111 |
$flent['seq'] = $rule_data[$field++]; |
|
| 1112 |
$flent['ack'] = $rule_data[$field++]; |
|
| 1113 |
$flent['window'] = $rule_data[$field++]; |
|
| 1114 |
$flent['urg'] = $rule_data[$field++]; |
|
| 1115 |
$flent['options'] = explode(";", $rule_data[$field++]);
|
|
| 1116 |
} |
|
| 1117 |
break; |
|
| 1118 |
case '1': |
|
| 1119 |
case '58': // ICMP (IPv4 & IPv6) |
|
| 1120 |
$flent['src'] = $flent['srcip']; |
|
| 1121 |
$flent['dst'] = $flent['dstip']; |
|
| 1122 |
|
|
| 1123 |
$flent['icmp_type'] = $rule_data[$field++]; |
|
| 1124 |
|
|
| 1125 |
switch ($flent['icmp_type']) {
|
|
| 1126 |
case "request": |
|
| 1127 |
case "reply": |
|
| 1128 |
$flent['icmp_id'] = $rule_data[$field++]; |
|
| 1129 |
$flent['icmp_seq'] = $rule_data[$field++]; |
|
| 1130 |
break; |
|
| 1131 |
case "unreachproto": |
|
| 1132 |
$flent['icmp_dstip'] = $rule_data[$field++]; |
|
| 1133 |
$flent['icmp_protoid'] = $rule_data[$field++]; |
|
| 1134 |
break; |
|
| 1135 |
case "unreachport": |
|
| 1136 |
$flent['icmp_dstip'] = $rule_data[$field++]; |
|
| 1137 |
$flent['icmp_protoid'] = $rule_data[$field++]; |
|
| 1138 |
$flent['icmp_port'] = $rule_data[$field++]; |
|
| 1139 |
break; |
|
| 1140 |
case "unreach": |
|
| 1141 |
case "timexceed": |
|
| 1142 |
case "paramprob": |
|
| 1143 |
case "redirect": |
|
| 1144 |
case "maskreply": |
|
| 1145 |
$flent['icmp_descr'] = $rule_data[$field++]; |
|
| 1146 |
break; |
|
| 1147 |
case "needfrag": |
|
| 1148 |
$flent['icmp_dstip'] = $rule_data[$field++]; |
|
| 1149 |
$flent['icmp_mtu'] = $rule_data[$field++]; |
|
| 1150 |
break; |
|
| 1151 |
case "tstamp": |
|
| 1152 |
$flent['icmp_id'] = $rule_data[$field++]; |
|
| 1153 |
$flent['icmp_seq'] = $rule_data[$field++]; |
|
| 1154 |
break; |
|
| 1155 |
case "tstampreply": |
|
| 1156 |
$flent['icmp_id'] = $rule_data[$field++]; |
|
| 1157 |
$flent['icmp_seq'] = $rule_data[$field++]; |
|
| 1158 |
$flent['icmp_otime'] = $rule_data[$field++]; |
|
| 1159 |
$flent['icmp_rtime'] = $rule_data[$field++]; |
|
| 1160 |
$flent['icmp_ttime'] = $rule_data[$field++]; |
|
| 1161 |
break; |
|
| 1162 |
default : |
|
| 1163 |
$flent['icmp_descr'] = $rule_data[$field++]; |
|
| 1164 |
break; |
|
| 1165 |
} |
|
| 1166 |
break; |
|
| 1167 |
case '112': // CARP |
|
| 1168 |
$flent['type'] = $rule_data[$field++]; |
|
| 1169 |
$flent['ttl'] = $rule_data[$field++]; |
|
| 1170 |
$flent['vhid'] = $rule_data[$field++]; |
|
| 1171 |
$flent['version'] = $rule_data[$field++]; |
|
| 1172 |
$flent['advskew'] = $rule_data[$field++]; |
|
| 1173 |
$flent['advbase'] = $rule_data[$field++]; |
|
| 1174 |
$flent['src'] = $flent['srcip']; |
|
| 1175 |
$flent['dst'] = $flent['dstip']; |
|
| 1176 |
break; |
|
| 1177 |
default: |
|
| 1178 |
$flent['src'] = $flent['srcip']; |
|
| 1179 |
$flent['dst'] = $flent['dstip']; |
|
| 1180 |
break; |
|
| 1175 | 1181 |
} |
| 1176 | 1182 |
} else {
|
| 1177 | 1183 |
if (g_get('debug')) {
|
Also available in: Unified diff
resolves issue #13940 by adding a default statement to handle any protocol layout