From b6eb062e73bea5a85fbd7c43e3661208796dc360 Mon Sep 17 00:00:00 2001
From: Eddie Arrage <eddie.arrage@huawei.com>
Date: Tue, 24 Apr 2018 00:22:07 +0000
Subject: Fix snort rule with blank content & WR packet in alert

- Fix bug with addition of content field in rule definition
that causes rules with a blank content fields to inhibit
snort from starting successfully.
- Write more of the packet data for snort alert into Redis
- Above includes X-Real-IP, X-Forwarded-For header fields
for http traffic from proxy that shows source IP

Some packet data is missing in alerts from snort.

Change-Id: I2c5c29e514d1ca9e8e5b9b3f7990afa87c6311b9
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
---
 samples/services/snort_ids/docker/grpc/snort_alerts.py | 18 ++++++++++--------
 samples/services/snort_ids/docker/grpc/snort_server.py | 14 ++++++++++----
 2 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/samples/services/snort_ids/docker/grpc/snort_alerts.py b/samples/services/snort_ids/docker/grpc/snort_alerts.py
index 4cb87e2..25d1738 100644
--- a/samples/services/snort_ids/docker/grpc/snort_alerts.py
+++ b/samples/services/snort_ids/docker/grpc/snort_alerts.py
@@ -14,7 +14,7 @@ from idstools import unified2
 
 
 HOST_IP = 'redis'
-PROXY_GRPC = 'proxy-access-control:50054'
+# PROXY_GRPC = 'proxy-access-control:50054'
 
 logging.basicConfig(filename='alert.log', level=logging.DEBUG)
 
@@ -34,7 +34,7 @@ reader = unified2.SpoolRecordReader("/var/log/snort",
 
 def sendGrpcAlert(event_id, redis_key):
     try:
-        channel = grpc.insecure_channel(PROXY_GRPC)
+        channel = grpc.insecure_channel('proxy-access-control:50054')
         stub = nginx_pb2_grpc.ControllerStub(channel)
         stub.ProcessAlerts(nginx_pb2.AlertMessage(
             event_id=event_id, redis_key=redis_key))
@@ -45,13 +45,15 @@ def sendGrpcAlert(event_id, redis_key):
 for record in reader:
     try:
         if isinstance(record, unified2.Event):
-            snort_event = "snort_event:" + str(record['event-id'])
-            r.sadd('snort_events', str(record['event-id']))
-            r.hmset(snort_event, record)
-            sendGrpcAlert(str(record['event-id']), 'snort_events')
-        # elif isinstance(record, unified2.Packet):
-            # print("Packet:")
+            event = record
+        elif isinstance(record, unified2.Packet):
+            packet = record
         # elif isinstance(record, unified2.ExtraData):
             # print("Extra-Data:")
+        snort_event = "snort_event:" + str(record['event-id'])
+        r.sadd('snort_events', str(record['event-id']))
+        event.update(packet)
+        r.hmset(snort_event, event)
+        sendGrpcAlert(str(record['event-id']), 'snort_events')
     except Exception as e:
         logging.debug(e)
diff --git a/samples/services/snort_ids/docker/grpc/snort_server.py b/samples/services/snort_ids/docker/grpc/snort_server.py
index 9ece832..223461a 100644
--- a/samples/services/snort_ids/docker/grpc/snort_server.py
+++ b/samples/services/snort_ids/docker/grpc/snort_server.py
@@ -33,10 +33,16 @@ class Controller(snort_pb2_grpc.ControllerServicer):
             # file_local = 'testfile'
             file_local = '/etc/snort/rules/local.rules'
             f = open(file_local, 'a')
-            rule = 'alert {} {} {} -> {} {} '.format(
-                r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \
-                + '(msg:"{}"; content:{}; sid:{}; rev:{};)\n'.format(
-                                      r.msg, r.content, r.sid, r.rev)
+            if r.content:
+                rule = 'alert {} {} {} -> {} {} '.format(
+                    r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \
+                    + '(msg:"{}"; content:{}; sid:{}; rev:{};)\n'.format(
+                                          r.msg, r.content, r.sid, r.rev)
+            else:
+                rule = 'alert {} {} {} -> {} {} '.format(
+                    r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \
+                    + '(msg:"{}"; sid:{}; rev:{};)\n'.format(
+                                          r.msg, r.sid, r.rev)
             f.write(rule)
             f.close
             msg = "Added to local rules"
-- 
cgit 1.2.3-korg