1 /* @(#) $Id: ossecalert_decoder.c,v 1.3 2009/06/24 17:06:24 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
11 * License details at the LICENSE file included with OSSEC or
12 * online at: http://www.ossec.net/en/licensing.html
17 #include "eventinfo.h"
23 /* OSSECAlert decoder init */
24 void *OSSECAlert_Decoder_Init()
26 debug1("%s: Initializing OSSECAlert decoder.", ARGV0);
29 /* There is nothing else to do over here */
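/*
 * oa_strchr(x, y, z): set z to the first occurrence of character y in the
 * string x; when y is absent, return NULL from the enclosing function.
 * The two statements are wrapped in do { } while (0) so the macro behaves
 * as one statement wherever it is used (including as an unbraced if/else
 * body), and every argument is parenthesized against expansion surprises.
 */
#define oa_strchr(x,y,z) do { (z) = strchr((x),(y)); if(!(z)){ return(NULL); } } while(0)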
38 * Will extract the rule_id and point back to the original rule.
39 * Will also extract srcip and username if available.
43 void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
48 char oa_newlocation[256];
53 lf->decoder_info->type = OSSEC_ALERT;
56 /* Checking the alert level. */
57 if(strncmp("Alert Level: ", lf->log, 12) != 0)
63 /* Going past the level. */
64 oa_strchr(lf->log, ';', tmp_str);
68 /* Getting rule id. */
69 oa_strchr(tmp_str, ':', tmp_str);
80 oa_strchr(tmp_str, ' ', tmp_str);
84 /* Getting rule structure. */
85 rule_pointer = OSHash_Get(Config.g_rules_hash, oa_id);
88 merror("%s: WARN: Rule id '%s' not found internally.", ARGV0, oa_id);
93 oa_strchr(tmp_str, ';', tmp_str);
97 /* Checking location. */
98 if(strncmp(" Location: ", tmp_str, 11) != 0)
105 /* Setting location; */
106 oa_location = tmp_str;
109 oa_strchr(tmp_str, ';', tmp_str);
113 /* Setting new location. */
114 oa_newlocation[255] = '\0';
116 if(lf->hostname == lf->location)
118 snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location);
120 os_strdup(oa_newlocation, lf->location);
121 lf->hostname = lf->location;
125 snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
126 lf->location, oa_location);
128 os_strdup(oa_newlocation, lf->location);
129 lf->hostname = lf->location;
136 /* Getting additional fields. */
137 while((*tmp_str == ' ') && (tmp_str[1] != ' '))
142 tmp_str = strchr(tmp_str, ';');
149 if(strncmp(oa_val, "srcip: ", 7) == 0)
151 os_strdup(oa_val + 7, lf->srcip);
153 if(strncmp(oa_val, "user: ", 6) == 0)
155 os_strdup(oa_val + 6, lf->dstuser);
163 /* Removing space. */
164 while(*tmp_str == ' ')
168 /* Creating new full log. */
170 os_strdup(tmp_str, lf->full_log);
171 lf->log = lf->full_log;
174 /* Rule that generated. */
175 lf->generated_rule = rule_pointer;