1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
10 #include "../plugin_decoders.h"
13 #include "eventinfo.h"
/* Decoder initialisation hook for the Symantec Web Security plugin.
 *
 * The only visible work is the debug1() trace below; no decoder state is
 * allocated or configured here. The return value cannot be seen in this
 * listing — NOTE(review): the lines shown omit the function's braces and
 * return statement, so confirm the returned pointer against the full source.
 */
void *SymantecWS_Decoder_Init()
/* Trace only; ARGV0 is the program name supplied by the including build. */
debug1("%s: Initializing SymantecWS decoder..", ARGV0);
/* There is nothing to do over here */
24 /* Symantec Web Security decoder
25 * Will extract the action, srcip, id, url and username.
27 * Examples (also online at
28 * http://www.ossec.net/wiki/index.php/Symantec_WebSecurity ).
29 * 20070717,73613,1=5,11=10.1.1.3,10=userc,3=1,2=1
30 * 20070717,73614,1=5,11=1.2.3.4,1106=News,60=http://news.bbc.co.uk/,10=userX,1000=212.58.240.42,2=27
32 void *SymantecWS_Decoder_Exec(Eventinfo *lf)
35 char buf_str[OS_SIZE_1024 + 1];
38 /* Initialize buffer */
40 buf_str[OS_SIZE_1024] = '\0';
42 /* Remove date and time */
43 if (!(tmp_str = strchr(lf->log, ','))) {
46 if (!(tmp_str = strchr(tmp_str, ','))) {
51 /* Get all the values */
52 while (tmp_str != NULL) {
53 /* Check if we have the username */
54 if (strncmp(tmp_str, "10=", 3) == 0) {
57 while (*tmp_str != '\0' && count < 128 && *tmp_str != ',') {
58 buf_str[count] = *tmp_str;
62 buf_str[count] = '\0';
65 os_strdup(buf_str, lf->dstuser);
69 /* Check the IP address */
70 else if (strncmp(tmp_str, "11=", 3) == 0) {
73 while (*tmp_str != '\0' && count < 128 && *tmp_str != ',') {
74 buf_str[count] = *tmp_str;
78 buf_str[count] = '\0';
80 /* Avoid memory leaks -- only adding the first one */
82 os_strdup(buf_str, lf->srcip);
87 else if (strncmp(tmp_str, "60=", 3) == 0) {
90 while (*tmp_str != '\0' && count < OS_SIZE_1024 && *tmp_str != ',') {
91 buf_str[count] = *tmp_str;
95 buf_str[count] = '\0';
97 /* Avoid memory leaks -- only adding the first one */
99 os_strdup(buf_str, lf->url);
104 else if ((strncmp(tmp_str, "3=", 2) == 0) ||
105 (strncmp(tmp_str, "2=", 2) == 0)) {
107 while (*tmp_str != '\0' && count < 9) {
108 buf_str[count] = *tmp_str;
112 buf_str[count] = '\0';
114 /* Avoid memory leaks -- only adding the first one */
116 os_strdup(buf_str, lf->id);
121 tmp_str = strchr(tmp_str, ',');