1 /* @(#) $Id: ./src/analysisd/decoders/plugins/ossecalert_decoder.c, 2012/03/28 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
12 * License details at the LICENSE file included with OSSEC or
13 * online at: http://www.ossec.net/en/licensing.html
18 #include "eventinfo.h"
24 /* OSSECAlert decoder init */
25 void *OSSECAlert_Decoder_Init()
27 debug1("%s: Initializing OSSECAlert decoder.", ARGV0);
30 /* There is nothing else to do over here */
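/*
 * oa_strchr(x, y, z): set z to strchr(x, y); when the character y is not
 * found in x, the enclosing function returns NULL immediately.
 *
 * Expands to a do { ... } while (0) so the macro behaves as a single
 * statement: without that wrapper, `if (cond) oa_strchr(...);` would only
 * guard the assignment and the early return would run unconditionally
 * (CERT PRE10-C). The calling function must return a pointer type, and
 * every argument is parenthesized so expression arguments expand safely.
 */
#define oa_strchr(x, y, z) \
    do { \
        (z) = strchr((x), (y)); \
        if (!(z)) { \
            return (NULL); \
        } \
    } while (0)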
39 * Will extract the rule_id and point back to the original rule.
40 * Will also extract srcip and username if available.
44 void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
49 char oa_newlocation[256];
54 lf->decoder_info->type = OSSEC_ALERT;
57 /* Checking the alert level. */
58 if(strncmp("Alert Level: ", lf->log, 12) != 0 &&
59 strncmp("ossec: Alert Level:", lf->log, 18) != 0)
65 /* Going past the level. */
66 oa_strchr(lf->log, ';', tmp_str);
70 /* Getting rule id. */
71 oa_strchr(tmp_str, ':', tmp_str);
82 oa_strchr(tmp_str, ' ', tmp_str);
86 /* Getting rule structure. */
87 rule_pointer = OSHash_Get(Config.g_rules_hash, oa_id);
90 merror("%s: WARN: Rule id '%s' not found internally.", ARGV0, oa_id);
95 oa_strchr(tmp_str, ';', tmp_str);
99 /* Checking location. */
100 if(strncmp(" Location: ", tmp_str, 11) != 0)
107 /* Setting location; */
108 oa_location = tmp_str;
111 oa_strchr(tmp_str, ';', tmp_str);
115 /* Setting new location. */
116 oa_newlocation[255] = '\0';
118 if(lf->hostname == lf->location)
120 snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location);
122 os_strdup(oa_newlocation, lf->location);
123 lf->hostname = lf->location;
127 snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
128 lf->location, oa_location);
130 os_strdup(oa_newlocation, lf->location);
131 lf->hostname = lf->location;
138 /* Getting additional fields. */
139 while((*tmp_str == ' ') && (tmp_str[1] != ' '))
144 tmp_str = strchr(tmp_str, ';');
151 if(strncmp(oa_val, "srcip: ", 7) == 0)
153 os_strdup(oa_val + 7, lf->srcip);
155 if(strncmp(oa_val, "user: ", 6) == 0)
157 os_strdup(oa_val + 6, lf->dstuser);
165 /* Removing space. */
166 while(*tmp_str == ' ')
170 /* Creating new full log. */
172 os_strdup(tmp_str, lf->full_log);
173 lf->log = lf->full_log;
176 /* Rule that generated. */
177 lf->generated_rule = rule_pointer;