-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/report_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/* Sort function used by OSStore sort.
- * Returns if d1 > d2.
+ * Returns if d1 > d2.
*/
void *_os_report_sort_compare(void *d1, void *d2)
{
OSList *d1l = (OSList *)d1;
- OSList *d2l = (OSList *)d2;
+ OSList *d2l = (OSList *)d2;
if(d1l->currently_size > d2l->currently_size)
{
int _os_report_str_int_compare(char *str, int id)
{
int pt_check = 0;
-
+
do
{
if((*str == ',')||(*str == ' '))
return(0);
}
}
+ if(r_filter->files)
+ {
+ if(!strstr(al_data->filename, r_filter->files))
+ {
+ return(0);
+ }
+ }
return(1);
}
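Review bot: The new filename filter passes al_data->filename straight to strstr() with no NULL check, even though the same field is guarded with `if(al_data->filename != NULL)` before it is added to top_files later in this change, so an alert that carries no filename would dereference NULL here once a "filename" filter is configured. Treat a missing filename as a non-match: `if(!al_data->filename || !strstr(al_data->filename, r_filter->files))`. Note also that strstr() is a substring test, so a filter of `/etc/passwd` also selects `/etc/passwd.bak`; if exact matching is what the report option promises, strcmp() is the right call, and either way a comment such as `/* substring match on the alert's filename; alerts without a filename never match */` would make the semantics explicit. The enclosing filter-check function (invoked as _os_report_check_filters in the read loop below) starts outside the hunk.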
}
return(prev_filter);
}
+ else if(strcmp(filter_by, "filename") == 0)
+ {
+ if(!(prev_filter & REPORT_REL_FILE))
+ {
+ prev_filter|=REPORT_REL_FILE;
+ }
+ return(prev_filter);
+ }
else
{
merror("%s: ERROR: Invalid relation '%s'.", __local_name, filter_by);
return(-1);
- }
+ }
}
OSListNode *list_entry;
alert_data *list_aldata;
alert_data *saved_aldata;
-
-
+
+
list_entry = OSList_GetFirstNode(st_data);
while(list_entry)
{
saved_aldata = (alert_data *)list_entry->data;
-
+
/* Removing duplicates. */
list_entry = list_entry->prev;
while(list_entry)
else if(print_related & REPORT_REL_USER)
{
list_aldata = (alert_data *)list_entry->data;
- if(strcmp(list_aldata->user, saved_aldata->user) == 0)
+ if(list_aldata->user == NULL || saved_aldata->user == NULL)
+ {
+ }
+ else if(strcmp(list_aldata->user, saved_aldata->user) == 0)
{
break;
}
else if(print_related & REPORT_REL_SRCIP)
{
list_aldata = (alert_data *)list_entry->data;
- if(strcmp(list_aldata->srcip, saved_aldata->srcip) == 0)
+ if(list_aldata->srcip == NULL || saved_aldata->srcip == NULL)
+ {
+ }
+ else if(strcmp(list_aldata->srcip, saved_aldata->srcip) == 0)
{
break;
}
break;
}
}
+ else if(print_related & REPORT_REL_FILE)
+ {
+ list_aldata = (alert_data *)list_entry->data;
+ if(list_aldata->filename == NULL || saved_aldata->filename == NULL)
+ {
+ }
+ else if(strcmp(list_aldata->filename, saved_aldata->filename) == 0)
+ {
+ break;
+ }
+ }
list_entry = list_entry->prev;
}
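Review bot: The empty `if` body on the NULL branch reads as an unfinished edit rather than a deliberate choice, and the same shape is repeated for user and srcip in the hunks above. Either fold the guard into the comparison, `else if(list_aldata->filename && saved_aldata->filename && strcmp(list_aldata->filename, saved_aldata->filename) == 0)`, or keep the guard and say why it is empty: `/* an entry with no filename can never be a duplicate: keep scanning */`. The duplicate-removal loop belongs to a function whose start is outside the hunk.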
l_print_out(" group: '%s'", saved_aldata->group);
else if(print_related & REPORT_REL_RULE)
l_print_out(" rule: '%d'", saved_aldata->rule);
- else if(print_related & REPORT_REL_SRCIP)
+ else if(print_related & REPORT_REL_SRCIP && saved_aldata->srcip)
l_print_out(" srcip: '%s'", saved_aldata->srcip);
- else if(print_related & REPORT_REL_USER)
+ else if(print_related & REPORT_REL_USER && saved_aldata->user)
l_print_out(" user: '%s'", saved_aldata->user);
else if(print_related & REPORT_REL_LEVEL)
l_print_out(" level: '%d'", saved_aldata->level);
+ else if(print_related & REPORT_REL_FILE && saved_aldata->filename)
+ l_print_out(" filename: '%s'", saved_aldata->filename);
}
list_entry = OSList_GetNextNode(st_data);
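Review bot: The new conditions mix `&` and `&&` without parentheses, as in `print_related & REPORT_REL_SRCIP && saved_aldata->srcip`; this parses as intended only because `&` binds tighter than `&&`, and it is easy to misread and trips -Wparentheses. Write `else if((print_related & REPORT_REL_SRCIP) && saved_aldata->srcip)` and do the same for the user and filename lines. When the bit is set but the field is NULL the chain falls through to the remaining tests and prints nothing for that entry, which is reasonable but deserves a one-line comment: `/* srcip, user and filename may be NULL: skip the line rather than print it */`. The enclosing print function starts outside the hunk.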
int dopdout = 0;
OSStore *topstore = (OSStore *)topstore_pt;
OSStoreNode *next_node;
-
+
next_node = OSStore_GetFirstNode(topstore);
while(next_node)
{
_os_report_print_related(REPORT_REL_GROUP, st_data);
if(print_related & REPORT_REL_LEVEL)
_os_report_print_related(REPORT_REL_LEVEL, st_data);
+ if(print_related & REPORT_REL_FILE)
+ _os_report_print_related(REPORT_REL_FILE, st_data);
}
l_print_out(" ");
l_print_out(" ");
}
- return;
+ return;
}
char *first_alert = NULL;
char *last_alert = NULL;
void **data_to_clean = NULL;
-
-
- time_t tm;
- struct tm *p;
-
+
+
+ time_t tm;
+ struct tm *p;
+
file_queue *fileq;
alert_data *al_data;
r_filter->top_rule = OSStore_Create();
r_filter->top_group = OSStore_Create();
r_filter->top_location = OSStore_Create();
-
+ r_filter->top_files = OSStore_Create();
+
Init_FileQueue(fileq, p, CRALERT_READ_ALL|CRALERT_FP_SET);
+
/* Reading the alerts. */
while(1)
{
}
alerts_processed++;
-
+
/* Checking the filters. */
if(!_os_report_check_filters(al_data, r_filter))
FreeAlertData(al_data);
continue;
}
-
-
+
+
alerts_filtered++;
data_to_clean = os_AddPtArray(al_data, data_to_clean);
if(!first_alert)
first_alert = al_data->date;
last_alert = al_data->date;
-
-
+
+
/* Adding source ip if it is set properly. */
- if(strcmp(al_data->srcip, "(none)") != 0)
+ if(al_data->srcip != NULL && strcmp(al_data->srcip, "(none)") != 0)
_os_report_add_tostore(al_data->srcip, r_filter->top_srcip, al_data);
-
+
/* Adding user if it is set properly. */
- if(strcmp(al_data->user, "(none)") != 0)
+ if(al_data->user != NULL && strcmp(al_data->user, "(none)") != 0)
_os_report_add_tostore(al_data->user, r_filter->top_user, al_data);
mrule[76] = '\0';
snprintf(mlevel, 16, "Severity %d" , al_data->level);
snprintf(mrule, 76, "%d - %s" , al_data->rule, al_data->comment);
-
- _os_report_add_tostore(strdup(mlevel), r_filter->top_level,
+
+ _os_report_add_tostore(strdup(mlevel), r_filter->top_level,
al_data);
- _os_report_add_tostore(strdup(mrule), r_filter->top_rule,
+ _os_report_add_tostore(strdup(mrule), r_filter->top_rule,
al_data);
}
mgroup++;
continue;
}
-
- _os_report_add_tostore(tmp_str, r_filter->top_group,
+
+ _os_report_add_tostore(tmp_str, r_filter->top_group,
al_data);
mgroup++;
}
tmp_str++;
if(*tmp_str != '\0')
{
- _os_report_add_tostore(tmp_str, r_filter->top_group,
+ _os_report_add_tostore(tmp_str, r_filter->top_group,
al_data);
}
}
}
- /* Adding to the location top filter. */
- _os_report_add_tostore(al_data->location, r_filter->top_location,
+ /* Adding to the location top filter. */
+ _os_report_add_tostore(al_data->location, r_filter->top_location,
al_data);
+
+
+ if(al_data->filename != NULL)
+ {
+ _os_report_add_tostore(al_data->filename, r_filter->top_files,
+ al_data);
+ }
}
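Review bot: The filename is added to top_files under a NULL check only, whereas srcip and user earlier in this change are additionally skipped when they hold the literal "(none)"; if the alert reader fills in "(none)" for a missing filename the same way (not visible in this diff), the report will grow a meaningless "(none)" bucket. If that is the case, mirror the other two fields: `if(al_data->filename != NULL && strcmp(al_data->filename, "(none)") != 0)`. Either way a short comment such as `/* filename is optional; only alerts that carry one are counted */` would document the intent. The enclosing function starts outside the hunk.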
/* No report available */
if(!r_filter->report_name)
merror("%s: INFO: Report completed and zero alerts post-filter.", __local_name);
else
- merror("%s: INFO: Report '%s' completed and zero alerts post-filter.", __local_name, r_filter->report_name);
+ merror("%s: INFO: Report '%s' completed and zero alerts post-filter.", __local_name, r_filter->report_name);
return;
}
-
+
if(r_filter->report_name)
verbose("%s: INFO: Report '%s' completed. Creating output...", __local_name, r_filter->report_name);
else
- verbose("%s: INFO: Report completed. Creating output...", __local_name);
+ verbose("%s: INFO: Report completed. Creating output...", __local_name);
l_print_out(" ");
else
l_print_out("Report completed. ==");
l_print_out("------------------------------------------------");
-
+
l_print_out("->Processed alerts: %d", alerts_processed);
l_print_out("->Post-filtering alerts: %d", alerts_filtered);
l_print_out("->First alert: %s", first_alert);
l_print_out("->Last alert: %s", last_alert);
l_print_out(" ");
l_print_out(" ");
-
+
OSStore_Sort(r_filter->top_srcip, _os_report_sort_compare);
OSStore_Sort(r_filter->top_user, _os_report_sort_compare);
OSStore_Sort(r_filter->top_level, _os_report_sort_compare);
OSStore_Sort(r_filter->top_group, _os_report_sort_compare);
OSStore_Sort(r_filter->top_location, _os_report_sort_compare);
OSStore_Sort(r_filter->top_rule, _os_report_sort_compare);
-
+ OSStore_Sort(r_filter->top_files, _os_report_sort_compare);
+
if(r_filter->top_srcip)
os_report_printtop(r_filter->top_srcip, "Source ip", 0);
-
+
if(r_filter->top_user)
os_report_printtop(r_filter->top_user, "Username", 0);
-
+
if(r_filter->top_level)
os_report_printtop(r_filter->top_level, "Level", 0);
-
+
if(r_filter->top_group)
os_report_printtop(r_filter->top_group, "Group", 0);
-
+
if(r_filter->top_location)
os_report_printtop(r_filter->top_location, "Location", 0);
-
+
if(r_filter->top_rule)
os_report_printtop(r_filter->top_rule, "Rule", 0);
+ if(r_filter->top_files)
+ os_report_printtop(r_filter->top_files, "Filenames", 0);
+
/* Print related events. */
if(r_filter->related_srcip)
- os_report_printtop(r_filter->top_srcip, "Source ip",
+ os_report_printtop(r_filter->top_srcip, "Source ip",
r_filter->related_srcip);
if(r_filter->related_user)
- os_report_printtop(r_filter->top_user, "Username",
+ os_report_printtop(r_filter->top_user, "Username",
r_filter->related_user);
if(r_filter->related_level)
- os_report_printtop(r_filter->top_level, "Level",
+ os_report_printtop(r_filter->top_level, "Level",
r_filter->related_level);
if(r_filter->related_group)
- os_report_printtop(r_filter->top_group, "Group",
+ os_report_printtop(r_filter->top_group, "Group",
r_filter->related_group);
-
+
if(r_filter->related_location)
- os_report_printtop(r_filter->top_location, "Location",
+ os_report_printtop(r_filter->top_location, "Location",
r_filter->related_location);
-
+
if(r_filter->related_rule)
- os_report_printtop(r_filter->top_rule, "Rule",
+ os_report_printtop(r_filter->top_rule, "Rule",
r_filter->related_rule);
-
-
+
+ if(r_filter->related_file)
+ os_report_printtop(r_filter->top_files, "Filename",
+ r_filter->related_file);
+
+
/* If we have to dump the alerts. */
if(data_to_clean)
{
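Review bot: The new top_files output is labelled "Filenames" in the summary but "Filename" in the related-events listing, while every other store uses the same label in both places; pick one, e.g. `os_report_printtop(r_filter->top_files, "Filename", 0);`. The same hunk also drops the blank line that separates each of the other printtop calls before the top_files pair, which breaks the visual rhythm of that block. OSStore_Sort() on top_files at the head of the hunk runs before the NULL guard on the print, which matches how the existing stores are handled, so I would not change it here, but note that the guard only matters if OSStore_Create() can return NULL, which this file does not show. The enclosing report function starts outside the hunk.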
* report_filter *r_filter)
* Checks the configuration filters.
*/
-int os_report_configfilter(char *filter_by, char *filter_value,
+int os_report_configfilter(char *filter_by, char *filter_value,
report_filter *r_filter, int arg_type)
{
if(!filter_by || !filter_value)
{
return(-1);
}
-
+
if(arg_type == REPORT_FILTER)
{
if(strcmp(filter_by, "group") == 0)
{
- r_filter->group = filter_value;
+ r_filter->group = filter_value;
}
else if(strcmp(filter_by, "rule") == 0)
{
- r_filter->rule = filter_value;
+ r_filter->rule = filter_value;
}
else if(strcmp(filter_by, "level") == 0)
{
- r_filter->level = filter_value;
+ r_filter->level = filter_value;
}
else if(strcmp(filter_by, "location") == 0)
{
- r_filter->location = filter_value;
+ r_filter->location = filter_value;
}
else if(strcmp(filter_by, "user") == 0)
{
- r_filter->user = filter_value;
+ r_filter->user = filter_value;
}
else if(strcmp(filter_by, "srcip") == 0)
{
- r_filter->srcip = filter_value;
+ r_filter->srcip = filter_value;
+ }
+ else if(strcmp(filter_by, "filename") == 0)
+ {
+ r_filter->files = filter_value;
}
else
{
{
if(strcmp(filter_by, "group") == 0)
{
- r_filter->related_group =
+ r_filter->related_group =
_report_filter_value(filter_value, r_filter->related_group);
if(r_filter->related_group == -1)
}
else if(strcmp(filter_by, "rule") == 0)
{
- r_filter->related_rule =
+ r_filter->related_rule =
_report_filter_value(filter_value, r_filter->related_rule);
if(r_filter->related_rule == -1)
}
else if(strcmp(filter_by, "level") == 0)
{
- r_filter->related_level =
+ r_filter->related_level =
_report_filter_value(filter_value, r_filter->related_level);
if(r_filter->related_level == -1)
}
else if(strcmp(filter_by, "location") == 0)
{
- r_filter->related_location =
+ r_filter->related_location =
_report_filter_value(filter_value, r_filter->related_location);
if(r_filter->related_location == -1)
}
else if(strcmp(filter_by, "srcip") == 0)
{
- r_filter->related_srcip =
+ r_filter->related_srcip =
_report_filter_value(filter_value, r_filter->related_srcip);
if(r_filter->related_srcip == -1)
}
else if(strcmp(filter_by, "user") == 0)
{
- r_filter->related_user =
+ r_filter->related_user =
_report_filter_value(filter_value, r_filter->related_user);
-
+
if(r_filter->related_user == -1)
return(-1);
}
+ else if(strcmp(filter_by, "filename") == 0)
+ {
+ r_filter->related_file =
+ _report_filter_value(filter_value, r_filter->related_file);
+
+ if(r_filter->related_file == -1)
+ return(-1);
+ }
else
{
merror("%s: ERROR: Invalid related entry '%s'.", __local_name, filter_by);