1 /* @(#) $Id: ./src/analysisd/decoders/plugins/ossecalert_decoder.c, 2012/03/28 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
12 * License details at the LICENSE file included with OSSEC or
13 * online at: http://www.ossec.net/en/licensing.html
18 #include "eventinfo.h"
/* OSSECAlert decoder init: only emits a debug message; this decoder keeps no per-decoder state. */
25 void *OSSECAlert_Decoder_Init()
27 debug1("%s: Initializing OSSECAlert decoder.", ARGV0);
30 /* There is nothing else to do over here */
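/* Advance z to the first occurrence of y in x, or return NULL from the
 * calling function when the delimiter is absent (the alert line is then
 * treated as malformed).  Wrapped in do { } while(0) so the early return
 * stays tied to the strchr result even when the macro is the single
 * statement of an unbraced if/else; without the wrapper the `return`
 * would execute unconditionally in that position.  Arguments are
 * parenthesised so expression arguments bind as intended. */
#define oa_strchr(x,y,z) do { (z) = strchr((x),(y)); if(!(z)){ return(NULL); } } while(0)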
* Extracts the rule id named in the forwarded alert and resolves it through
* Config.g_rules_hash to the local rule it points back to; an id that is not
* found is reported as a warning. Also extracts srcip and username when present.
* Returns NULL when an expected delimiter is missing (see oa_strchr).
* NOTE(review): the rule id, srcip and user are taken verbatim from the log
* text, i.e. from whoever produced the alert, and the rule id decides which
* local rule the event is attributed to; this decoder assumes that source is
* trusted.
44 void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
49 char oa_newlocation[256];
50 char tmpstr_buffer[4096 + 1];
55 lf->decoder_info->type = OSSEC_ALERT;
/* Checking the alert level prefix.
 * NOTE(review): the two prefixes are compared to different depths: the first
 * length (12) covers "Alert Level:" including the colon, while the second (18)
 * stops before the ':' of "ossec: Alert Level:", so the colon is not checked
 * there. Harmless, but the two checks are not symmetric. */
59 if(strncmp("Alert Level: ", lf->log, 12) != 0 &&
60 strncmp("ossec: Alert Level:", lf->log, 18) != 0)
66 /* Going past the level. */
67 oa_strchr(lf->log, ';', tmp_str);
71 /* Getting rule id. */
72 oa_strchr(tmp_str, ':', tmp_str);
83 oa_strchr(tmp_str, ' ', tmp_str);
/* Getting rule structure: look the id parsed from the alert text up in the
 * in-memory rule table. Because the id comes from the forwarded log line, a
 * miss is possible on any malformed or foreign alert and is reported as a
 * warning below. */
88 rule_pointer = OSHash_Get(Config.g_rules_hash, oa_id);
91 merror("%s: WARN: Rule id '%s' not found internally.", ARGV0, oa_id);
96 oa_strchr(tmp_str, ';', tmp_str);
100 /* Checking location. */
101 if(strncmp(" Location: ", tmp_str, 11) != 0)
108 /* Setting location; */
109 oa_location = tmp_str;
112 oa_strchr(tmp_str, ';', tmp_str);
/* Setting new location: prefix the forwarded location with the local one.
 * NOTE(review): os_strdup replaces lf->location and then aliases lf->hostname
 * to the same buffer; no free of the previous strings is visible here, so
 * confirm they are released elsewhere and not freed twice through both
 * pointers. */
117 oa_newlocation[255] = '\0';
119 if(lf->hostname == lf->location)
121 snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location);
123 os_strdup(oa_newlocation, lf->location);
124 lf->hostname = lf->location;
128 snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
129 lf->location, oa_location);
131 os_strdup(oa_newlocation, lf->location);
132 lf->hostname = lf->location;
/* Getting additional fields: the "srcip: " and "user: " values are copied
 * verbatim from the alert text into lf->srcip / lf->dstuser with no
 * validation, so consumers must not assume srcip is a well-formed address. */
140 while((*tmp_str == ' ') && (tmp_str[1] != ' '))
145 tmp_str = strchr(tmp_str, ';');
152 if(strncmp(oa_val, "srcip: ", 7) == 0)
154 os_strdup(oa_val + 7, lf->srcip);
156 if(strncmp(oa_val, "user: ", 6) == 0)
158 os_strdup(oa_val + 6, lf->dstuser);
166 /* Removing space. */
167 while(*tmp_str == ' ')
/* Create new full log: bounded copy (at most 4094 bytes, explicit terminator
 * at index 4095); longer alert bodies are silently truncated. */
171 tmpstr_buffer[0] = '\0';
172 tmpstr_buffer[4095] = '\0';
173 strncpy(tmpstr_buffer, tmp_str, 4094);
178 os_strdup(tmpstr_buffer, lf->full_log);
180 lf->log = lf->full_log;
/* Rule that generated the original alert, as resolved from its rule id above. */
184 lf->generated_rule = rule_pointer;