-/* @(#) $Id: ./src/shared/read-alert.c, 2011/11/09 dcid Exp $
- */
-
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* and/or modify it under the terms of the GNU General Public
* License (version 2) as published by the FSF - Free Software
* Foundation
- *
- * License details at the LICENSE file included with OSSEC or
- * online at: http://www.ossec.net/en/licensing.html
*/
-
/* File monitoring functions */
#include "shared.h"
#include "read-alert.h"
-
/* ** Alert xyz: email active-response ** */
#define ALERT_BEGIN "** Alert"
#define RULE_BEGIN_SZ 6
#define SRCIP_BEGIN "Src IP: "
#define SRCIP_BEGIN_SZ 8
-#define GEOIP_BEGIN_SRC "Src Location: "
+
+#ifdef LIBGEOIP_ENABLED
+#define GEOIP_BEGIN_SRC "Src Location: "
#define GEOIP_BEGIN_SRC_SZ 14
-#define GEOIP_BEGIN_DST "Dst Location: "
+#define GEOIP_BEGIN_DST "Dst Location: "
#define GEOIP_BEGIN_DST_SZ 14
+#endif /* LIBGEOIP_ENABLED */
+
#define SRCPORT_BEGIN "Src Port: "
#define SRCPORT_BEGIN_SZ 10
#define DSTIP_BEGIN "Dst IP: "
#define USER_BEGIN_SZ 6
#define ALERT_MAIL "mail"
#define ALERT_MAIL_SZ 4
-#define ALERT_AR "active-response"
#define OLDMD5_BEGIN "Old md5sum was: "
#define OLDMD5_BEGIN_SZ 16
#define NEWMD5_BEGIN "New md5sum is : "
#define OLDSHA1_BEGIN_SZ 17
#define NEWSHA1_BEGIN "New sha1sum is : "
#define NEWSHA1_BEGIN_SZ 17
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+#define SIZE_BEGIN "Size changed from "
+#define SIZE_BEGIN_SZ 18
+#define OWNER_BEGIN "Ownership was "
+#define OWNER_BEGIN_SZ 14
+#define GROUP_BEGIN "Group ownership was "
+#define GROUP_BEGIN_SZ 20
+#define PERM_BEGIN "Permissions changed from "
+#define PERM_BEGIN_SZ 25
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
-/** void FreeAlertData(alert_data *al_data)
- * Free alert data.
- */
void FreeAlertData(alert_data *al_data)
{
char **p;
- if(al_data->alertid)
- {
+ if (al_data->alertid) {
free(al_data->alertid);
al_data->alertid = NULL;
}
- if(al_data->date)
- {
+ if (al_data->date) {
free(al_data->date);
al_data->date = NULL;
}
- if(al_data->location)
- {
+ if (al_data->location) {
free(al_data->location);
al_data->location = NULL;
}
- if(al_data->comment)
- {
+ if (al_data->comment) {
free(al_data->comment);
al_data->comment = NULL;
}
- if(al_data->group)
- {
+ if (al_data->group) {
free(al_data->group);
al_data->group = NULL;
}
- if(al_data->srcip)
- {
+ if (al_data->srcip) {
free(al_data->srcip);
al_data->srcip = NULL;
}
- if(al_data->dstip)
- {
+ if (al_data->dstip) {
free(al_data->dstip);
al_data->dstip = NULL;
}
- if(al_data->user)
- {
+ if (al_data->user) {
free(al_data->user);
al_data->user = NULL;
}
- if(al_data->filename)
- {
+ if (al_data->filename) {
free(al_data->filename);
al_data->filename = NULL;
}
- if(al_data->old_md5)
- {
+ if (al_data->old_md5) {
free(al_data->old_md5);
al_data->old_md5 = NULL;
}
- if(al_data->new_md5)
- {
+ if (al_data->new_md5) {
free(al_data->new_md5);
al_data->new_md5 = NULL;
}
- if(al_data->old_sha1)
- {
+ if (al_data->old_sha1) {
free(al_data->old_sha1);
al_data->old_sha1 = NULL;
}
- if(al_data->new_sha1)
- {
+ if (al_data->new_sha1) {
free(al_data->new_sha1);
al_data->new_sha1 = NULL;
}
- if(al_data->log)
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+ if(al_data->file_size)
{
+ free(al_data->file_size);
+ al_data->file_size = NULL;
+ }
+ if(al_data->owner_chg)
+ {
+ free(al_data->owner_chg);
+ al_data->owner_chg = NULL;
+ }
+ if(al_data->group_chg)
+ {
+ free(al_data->group_chg);
+ al_data->group_chg = NULL;
+ }
+ if(al_data->perm_chg)
+ {
+ free(al_data->perm_chg);
+ al_data->perm_chg = NULL;
+ }
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+ if (al_data->log) {
p = al_data->log;
- while(*(p))
- {
+ while (*(p)) {
free(*(p));
*(p) = NULL;
p++;
free(al_data->log);
al_data->log = NULL;
}
-#ifdef GEOIP
- if (al_data->geoipdatasrc)
- {
- free(al_data->geoipdatasrc);
- al_data->geoipdatasrc = NULL;
+#ifdef LIBGEOIP_ENABLED
+ if (al_data->srcgeoip) {
+ free(al_data->srcgeoip);
+ al_data->srcgeoip = NULL;
}
- if (al_data->geoipdatadst)
- {
- free(al_data->geoipdatadst);
- al_data->geoipdatadst = NULL;
+ if (al_data->dstgeoip) {
+ free(al_data->dstgeoip);
+ al_data->dstgeoip = NULL;
}
#endif
free(al_data);
al_data = NULL;
}
-
-/** alert_data *GetAlertData(FILE *fp)
- * Returns alert data for the file specified
- */
+/* Return alert data for the file specified */
alert_data *GetAlertData(int flag, FILE *fp)
{
- int _r = 0, log_size = 0, issyscheck = 0;
+ int _r = 0, issyscheck = 0;
+ size_t log_size = 0;
char *p;
char *alertid = NULL;
char *old_sha1 = NULL;
char *new_sha1 = NULL;
char **log = NULL;
-#ifdef GEOIP
- char *geoipdatasrc = NULL;
- char *geoipdatadst = NULL;
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+ char *file_size = NULL;
+ char *owner_chg = NULL;
+ char *group_chg = NULL;
+ char *perm_chg = NULL;
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+#ifdef LIBGEOIP_ENABLED
+ char *srcgeoip = NULL;
+ char *dstgeoip = NULL;
#endif
- int level, rule, srcport = 0, dstport = 0;
-
+ int level = 0, rule = 0, srcport = 0, dstport = 0;
- char str[OS_BUFFER_SIZE+1];
- str[OS_BUFFER_SIZE]='\0';
+ char str[OS_BUFFER_SIZE + 1];
+ str[OS_BUFFER_SIZE] = '\0';
-
- while(fgets(str, OS_BUFFER_SIZE, fp) != NULL)
- {
-
- /* Enf of alert */
- if(strcmp(str, "\n") == 0 && log_size > 0)
- {
+ while (fgets(str, OS_BUFFER_SIZE, fp) != NULL) {
+ /* End of alert */
+ if (strcmp(str, "\n") == 0 && log_size > 0) {
/* Found in here */
- if(_r == 2)
- {
+ if (_r == 2) {
alert_data *al_data;
os_calloc(1, sizeof(alert_data), al_data);
al_data->alertid = alertid;
al_data->user = user;
al_data->date = date;
al_data->filename = filename;
-#ifdef GEOIP
- al_data->geoipdatasrc = geoipdatasrc;
- al_data->geoipdatadst = geoipdatadst;
+#ifdef LIBGEOIP_ENABLED
+ al_data->srcgeoip = srcgeoip ;
+ al_data->dstgeoip = dstgeoip;
#endif
al_data->old_md5 = old_md5;
al_data->new_md5 = new_md5;
al_data->old_sha1 = old_sha1;
al_data->new_sha1 = new_sha1;
+ /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+ al_data->file_size = file_size;
+ al_data->owner_chg = owner_chg;
+ al_data->group_chg = group_chg;
+ al_data->perm_chg = perm_chg;
+ /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
- return(al_data);
+ return (al_data);
}
_r = 0;
}
-
- /* Checking for the header */
- if(strncmp(ALERT_BEGIN, str, ALERT_BEGIN_SZ) == 0)
- {
+ /* Check for the header */
+ if (strncmp(ALERT_BEGIN, str, ALERT_BEGIN_SZ) == 0) {
char *m;
- int z = 0;
+ size_t z = 0;
p = str + ALERT_BEGIN_SZ + 1;
m = strstr(p, ":");
- if (!m)
- {
+ if (!m) {
continue;
}
z = strlen(p) - strlen(m);
- os_realloc(alertid, (z + 1)*sizeof(char *), alertid);
+ os_realloc(alertid, (z + 1)*sizeof(char), alertid);
strncpy(alertid, p, z);
alertid[z] = '\0';
- /* Searching for email flag */
+ /* Search for email flag */
p = strchr(p, ' ');
- if(!p)
- {
+ if (!p) {
continue;
}
p++;
-
- /* Checking for the flags */
- if((flag & CRALERT_MAIL_SET) &&
- (strncmp(ALERT_MAIL, p, ALERT_MAIL_SZ) != 0))
- {
+ /* Check for the flags */
+ if ((flag & CRALERT_MAIL_SET) &&
+ (strncmp(ALERT_MAIL, p, ALERT_MAIL_SZ) != 0)) {
continue;
}
p = strchr(p, '-');
- if(p)
- {
+ if (p) {
p++;
+ free(group);
os_strdup(p, group);
- /* Cleaning new line from group */
+ /* Clean newline from group */
os_clearnl(group, p);
- if(group != NULL && strstr(group, "syscheck") != NULL)
- {
+ if (group != NULL && strstr(group, "syscheck") != NULL) {
issyscheck = 1;
}
}
-
- /* Searching for active-response flag */
+ /* Search for active-response flag */
_r = 1;
continue;
}
- if(_r < 1)
+ if (_r < 1) {
continue;
-
+ }
/*** Extract information from the event ***/
/* r1 means: 2006 Apr 13 16:15:17 /var/log/auth.log */
- if(_r == 1)
- {
- /* Clear new line */
+ if (_r == 1) {
+ /* Clear newline */
os_clearnl(str, p);
p = strchr(str, ':');
- if(p)
- {
+ if (p) {
p = strchr(p, ' ');
- if(p)
- {
+ if (p) {
*p = '\0';
p++;
- }
- else
- {
+ } else {
/* If p is null it is because strchr failed */
- merror("ZZZ: 1() Merror date or location not NULL");
- _r = 0;
+ merror("%s: ERROR: date or location not NULL", __local_name);
goto l_error;
}
}
-
/* If not, str is date and p is the location */
- if(date || location)
- merror("ZZZ Merror date or location not NULL");
+ if (date || location || !p) {
+ merror("%s: ERROR: date or location not NULL or p is NULL", __local_name);
+ goto l_error;
+ }
os_strdup(str, date);
os_strdup(p, location);
_r = 2;
log_size = 0;
continue;
- }
-
-
- else if(_r == 2)
- {
+ } else if (_r == 2) {
/* Rule begin */
- if(strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0)
- {
- os_clearnl(str,p);
+ if (strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0) {
+ os_clearnl(str, p);
p = str + RULE_BEGIN_SZ;
rule = atoi(p);
p = strchr(p, ' ');
- if(p)
- {
+ if (p) {
p++;
p = strchr(p, ' ');
- if(p)
+ if (p) {
p++;
+ }
}
- if(!p)
+ if (!p) {
goto l_error;
+ }
level = atoi(p);
- /* Getting the comment */
+ /* Get the comment */
p = strchr(p, '\'');
- if(!p)
+ if (!p) {
goto l_error;
+ }
p++;
+ free(comment);
os_strdup(p, comment);
/* Must have the closing \' */
p = strrchr(comment, '\'');
- if(p)
- {
+ if (p) {
*p = '\0';
- }
- else
- {
+ } else {
goto l_error;
}
}
/* srcip */
- else if(strncmp(SRCIP_BEGIN, str, SRCIP_BEGIN_SZ) == 0)
- {
- os_clearnl(str,p);
+ else if (strncmp(SRCIP_BEGIN, str, SRCIP_BEGIN_SZ) == 0) {
+ os_clearnl(str, p);
p = str + SRCIP_BEGIN_SZ;
+ free(srcip);
os_strdup(p, srcip);
}
-#ifdef GEOIP
+#ifdef LIBGEOIP_ENABLED
/* GeoIP Source Location */
- else if (strncmp(GEOIP_BEGIN_SRC, str, GEOIP_BEGIN_SRC_SZ) == 0)
- {
- os_clearnl(str,p);
- p = str + GEOIP_BEGIN_SRC_SZ;
- os_strdup(p, geoipdatasrc);
+ else if (strncmp(GEOIP_BEGIN_SRC, str, GEOIP_BEGIN_SRC_SZ) == 0) {
+ os_clearnl(str, p);
+ p = str + GEOIP_BEGIN_SRC_SZ;
+ free(srcgeoip);
+ os_strdup(p, srcgeoip);
}
#endif
/* srcport */
- else if(strncmp(SRCPORT_BEGIN, str, SRCPORT_BEGIN_SZ) == 0)
- {
- os_clearnl(str,p);
+ else if (strncmp(SRCPORT_BEGIN, str, SRCPORT_BEGIN_SZ) == 0) {
+ os_clearnl(str, p);
p = str + SRCPORT_BEGIN_SZ;
srcport = atoi(p);
}
/* dstip */
- else if(strncmp(DSTIP_BEGIN, str, DSTIP_BEGIN_SZ) == 0)
- {
- os_clearnl(str,p);
+ else if (strncmp(DSTIP_BEGIN, str, DSTIP_BEGIN_SZ) == 0) {
+ os_clearnl(str, p);
p = str + DSTIP_BEGIN_SZ;
+ free(dstip);
os_strdup(p, dstip);
}
-#ifdef GEOIP
+#ifdef LIBGEOIP_ENABLED
/* GeoIP Destination Location */
- else if (strncmp(GEOIP_BEGIN_DST, str, GEOIP_BEGIN_DST_SZ) == 0)
- {
- os_clearnl(str,p);
- p = str + GEOIP_BEGIN_DST_SZ;
- os_strdup(p, geoipdatadst);
+ else if (strncmp(GEOIP_BEGIN_DST, str, GEOIP_BEGIN_DST_SZ) == 0) {
+ os_clearnl(str, p);
+ p = str + GEOIP_BEGIN_DST_SZ;
+ free(dstgeoip);
+ os_strdup(p, dstgeoip);
}
#endif
/* dstport */
- else if(strncmp(DSTPORT_BEGIN, str, DSTPORT_BEGIN_SZ) == 0)
- {
- os_clearnl(str,p);
+ else if (strncmp(DSTPORT_BEGIN, str, DSTPORT_BEGIN_SZ) == 0) {
+ os_clearnl(str, p);
p = str + DSTPORT_BEGIN_SZ;
dstport = atoi(p);
}
/* username */
- else if(strncmp(USER_BEGIN, str, USER_BEGIN_SZ) == 0)
- {
- os_clearnl(str,p);
+ else if (strncmp(USER_BEGIN, str, USER_BEGIN_SZ) == 0) {
+ os_clearnl(str, p);
p = str + USER_BEGIN_SZ;
+ free(user);
os_strdup(p, user);
}
/* Old MD5 */
- else if(strncmp(OLDMD5_BEGIN, str, OLDMD5_BEGIN_SZ) == 0)
- {
- os_clearnl(str,p);
+ else if (strncmp(OLDMD5_BEGIN, str, OLDMD5_BEGIN_SZ) == 0) {
+ os_clearnl(str, p);
p = str + OLDMD5_BEGIN_SZ;
+ free(old_md5);
os_strdup(p, old_md5);
}
/* New MD5 */
- else if(strncmp(NEWMD5_BEGIN, str, NEWMD5_BEGIN_SZ) == 0)
- {
- os_clearnl(str,p);
+ else if (strncmp(NEWMD5_BEGIN, str, NEWMD5_BEGIN_SZ) == 0) {
+ os_clearnl(str, p);
p = str + NEWMD5_BEGIN_SZ;
+ free(new_md5);
os_strdup(p, new_md5);
}
- /* Old SHA1 */
- else if(strncmp(OLDSHA1_BEGIN, str, OLDSHA1_BEGIN_SZ) == 0)
- {
- os_clearnl(str,p);
+ /* Old SHA-1 */
+ else if (strncmp(OLDSHA1_BEGIN, str, OLDSHA1_BEGIN_SZ) == 0) {
+ os_clearnl(str, p);
p = str + OLDSHA1_BEGIN_SZ;
+ free(old_sha1);
os_strdup(p, old_sha1);
}
- /* New SHA1 */
- else if(strncmp(NEWSHA1_BEGIN, str, NEWSHA1_BEGIN_SZ) == 0)
- {
- os_clearnl(str,p);
+ /* New SHA-1 */
+ else if (strncmp(NEWSHA1_BEGIN, str, NEWSHA1_BEGIN_SZ) == 0) {
+ os_clearnl(str, p);
p = str + NEWSHA1_BEGIN_SZ;
+ free(new_sha1);
os_strdup(p, new_sha1);
}
- /* It is a log message */
- else if(log_size < 20)
+ /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+ /* File Size */
+ else if(strncmp(SIZE_BEGIN, str, SIZE_BEGIN_SZ) == 0)
{
os_clearnl(str,p);
- if(str != NULL && issyscheck == 1)
- {
- if(strncmp(str, "Integrity checksum changed for: '",33) == 0)
- {
- filename = strdup(str+33);
- if(filename)
- {
- filename[strlen(filename) -1] = '\0';
+ p = str + SIZE_BEGIN_SZ;
+ if(file_size) {
+ free(file_size);
+ }
+ os_strdup(p, file_size);
+ }
+ /* File Ownership */
+ else if(strncmp(OWNER_BEGIN, str, OWNER_BEGIN_SZ) == 0)
+ {
+ os_clearnl(str,p);
+
+ p = str + OWNER_BEGIN_SZ;
+ if(owner_chg) {
+ free(owner_chg);
+ }
+ os_strdup(p, owner_chg);
+ }
+ /* File Group Ownership */
+ else if(strncmp(GROUP_BEGIN, str, GROUP_BEGIN_SZ) == 0)
+ {
+ os_clearnl(str,p);
+
+ p = str + GROUP_BEGIN_SZ;
+ if(group_chg) {
+ free(group_chg);
+ }
+ os_strdup(p, group_chg);
+ }
+ /* File Permissions */
+ else if(strncmp(PERM_BEGIN, str, PERM_BEGIN_SZ) == 0)
+ {
+ os_clearnl(str,p);
+
+ p = str + PERM_BEGIN_SZ;
+ if(perm_chg) {
+ free(perm_chg);
+ }
+ os_strdup(p, perm_chg);
+ }
+ /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+ /* It is a log message */
+ else if (log_size < 20) {
+ os_clearnl(str, p);
+
+ if (issyscheck == 1) {
+ if (strncmp(str, "Integrity checksum changed for: '", 33) == 0) {
+ filename = strdup(str + 33);
+ if (filename) {
+ filename[strlen(filename) - 1] = '\0';
}
}
issyscheck = 0;
}
- os_realloc(log, (log_size +2)*sizeof(char *), log);
+ os_realloc(log, (log_size + 2)*sizeof(char *), log);
os_strdup(str, log[log_size]);
log_size++;
log[log_size] = NULL;
}
continue;
- l_error:
-
- /* Freeing the memory */
+l_error:
+ /* Free the memory */
_r = 0;
- if(date)
- {
+ if (date) {
free(date);
date = NULL;
}
- if(location)
- {
+ if (location) {
free(location);
location = NULL;
}
- if(comment)
- {
+ if (comment) {
free(comment);
comment = NULL;
}
- if(srcip)
- {
+ if (srcip) {
free(srcip);
srcip = NULL;
}
-#ifdef GEOIP
- if(geoipdatasrc)
- {
- free(geoipdatasrc);
- geoipdatasrc = NULL;
- }
- if(geoipdatadst)
- {
- free(geoipdatadst);
- geoipdatadst = NULL;
- }
+#ifdef LIBGEOIP_ENABLED
+ if (srcgeoip) {
+ free(srcgeoip);
+ srcgeoip = NULL;
+ }
+ if (dstgeoip) {
+ free(dstgeoip);
+ dstgeoip = NULL;
+ }
#endif
- if(user)
- {
+ if (user) {
free(user);
user = NULL;
}
- if(filename)
- {
+ if (filename) {
free(filename);
filename = NULL;
}
- if(group)
- {
+ if (group) {
free(group);
group = NULL;
}
- if(old_md5)
- {
+ if (old_md5) {
free(old_md5);
old_md5 = NULL;
}
- if(new_md5)
- {
+ if (new_md5) {
free(new_md5);
new_md5 = NULL;
}
- if(old_sha1)
- {
+ if (old_sha1) {
free(old_sha1);
old_sha1 = NULL;
}
- if(new_sha1)
- {
+ if (new_sha1) {
free(new_sha1);
new_sha1 = NULL;
}
- while(log_size > 0)
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+ if(file_size)
+ {
+ free(file_size);
+ file_size = NULL;
+ }
+ if(owner_chg)
{
+ free(owner_chg);
+ owner_chg = NULL;
+ }
+ if(group_chg)
+ {
+ free(group_chg);
+ group_chg = NULL;
+ }
+ if(perm_chg)
+ {
+ free(perm_chg);
+ perm_chg = NULL;
+ }
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+ while (log_size > 0) {
log_size--;
- if(log[log_size])
- {
+ if (log[log_size]) {
free(log[log_size]);
log[log_size] = NULL;
}
}
}
- if(alertid)
- {
- free(alertid);
- alertid = NULL;
- }
+ if (alertid) {
+ free(alertid);
+ alertid = NULL;
+ }
+ if (group) {
+ free(group);
+ group = NULL;
+ }
+ if (location) {
+ free(location);
+ location = NULL;
+ }
+ if (date) {
+ free(date);
+ date = NULL;
+ }
+
+ while (log_size > 0) {
+ log_size--;
+ if (log[log_size]) {
+ free(log[log_size]);
+ log[log_size] = NULL;
+ }
+ }
+
+ free(log);
+ free(comment);
+ free(srcip);
+ free(dstip);
+ free(user);
+ free(old_md5);
+ free(new_md5);
+ free(old_sha1);
+ free(new_sha1);
+ free(filename);
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+ free(file_size);
+ free(owner_chg);
+ free(group_chg);
+ free(perm_chg);
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+#ifdef LIBGEOIP_ENABLED
+ free(srcgeoip);
+ free(dstgeoip);
+#endif
/* We need to clean end of file before returning */
clearerr(fp);
- return(NULL);
+ return (NULL);
}
-
-
-/* EOF */
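Review bot: `filename[strlen(filename) - 1] = '\0'` (L619) writes one byte before the allocation whenever the line is exactly `Integrity checksum changed for: '` with nothing after the quote, because `strdup(str + 33)` then returns an empty string; guard it with `if (filename && *filename) {` so a truncated or otherwise malformed alerts line cannot trigger an out-of-bounds heap write. The `l_error` cleanup (L634–L755) releases every parsed field except `dstip`, so a `Dst IP:` value from a malformed alert presumably carries over into the next alert_data built in the same call; add `free(dstip); dstip = NULL;` next to the `srcip` release, and it would be reasonable to reset `level`, `rule`, `srcport` and `dstport` there as well. The four new parsers (L560–L609) use `if(x) { free(x); }` and brace-on-its-own-line formatting while the rest of the commit reformats the file to plain `free(x);` and `if (...) {`; matching that style, and moving the repeated `9/19/2016 - Sivakumar Nellurandi` banner comments into the commit message instead of the source, would keep the file uniform. The rendering also appears to have dropped some context lines (e.g. the brace closing the `while` after L171 and the declarations of `user`, `date`, `location`, `comment`, `dstip`), so those are not raised as defects here.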