1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
13 #include "eventinfo.h"
19 /* OSSECAlert decoder init */
20 void *OSSECAlert_Decoder_Init()
22 debug1("%s: Initializing OSSECAlert decoder.", ARGV0);
25 /* There is nothing else to do over here */
31 #define oa_strchr(x,y,z) z = strchr(x,y); if(!z){ return(NULL); }
34 * Will extract the rule_id and point back to the original rule.
35 * Will also extract srcip and username if available.
39 void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
44 char oa_newlocation[256];
45 char agent_file[OS_SIZE_1024 +1];
46 char tmpstr_buffer[4096 +1];
52 lf->decoder_info->type = OSSEC_ALERT;
55 /* Checking the alert level. */
56 if(strncmp("Alert Level: ", lf->log, 12) != 0 &&
57 strncmp("ossec: Alert Level:", lf->log, 18) != 0)
63 /* Going past the level. */
64 oa_strchr(lf->log, ';', tmp_str);
68 /* Getting rule id. */
69 oa_strchr(tmp_str, ':', tmp_str);
80 oa_strchr(tmp_str, ' ', tmp_str);
84 /* Getting rule structure. */
85 rule_pointer = OSHash_Get(Config.g_rules_hash, oa_id);
89 merror("%s: WARN: Rule id '%s' not found internally: %s", ARGV0, oa_id, lf->log);
94 oa_strchr(tmp_str, ';', tmp_str);
100 /* Checking location. */
101 if(strncmp(" Location: ", tmp_str, 11) != 0)
108 /* Setting location; */
109 oa_location = tmp_str;
112 oa_strchr(tmp_str, ';', tmp_str);
117 /* Setting new location. */
118 oa_newlocation[255] = '\0';
119 agent_file[OS_SIZE_1024] = '\0';
122 snprintf(agent_file, OS_SIZE_1024, "%s/%s->%s",
123 AGENTINFO_DIR, lf->hostname, lf->location);
125 snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location);
127 os_strdup(oa_newlocation, lf->location);
128 lf->hostname = lf->location;
132 /* Writting to the agent file */
133 fp = fopen(agent_file, "w");
136 fprintf(fp, "%s\n", "Remote Syslog");
147 /* Getting additional fields. */
148 while((*tmp_str == ' ') && (tmp_str[1] != ' '))
153 tmp_str = strchr(tmp_str, ';');
160 if(strncmp(oa_val, "srcip: ", 7) == 0)
162 os_strdup(oa_val + 7, lf->srcip);
164 if(strncmp(oa_val, "user: ", 6) == 0)
166 os_strdup(oa_val + 6, lf->dstuser);
174 /* Removing space. */
175 while(*tmp_str == ' ')
179 /* Creating new full log. */
180 tmpstr_buffer[0] = '\0';
181 tmpstr_buffer[4095] = '\0';
182 strncpy(tmpstr_buffer, tmp_str, 4094);
186 os_strdup(tmpstr_buffer, lf->full_log);
187 lf->log = lf->full_log;
190 /* Rule that generated. */
191 lf->generated_rule = rule_pointer;