X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=src%2Fanalysisd%2Fcleanevent.c;fp=src%2Fanalysisd%2Fcleanevent.c;h=6df285d6cac1e768c7a3e0b948b0b170e3cb91fc;hb=789cbc8e52da68eba3517b920ef22e000cf3c9fd;hp=938aa0ef87fee07a11a20e8ae46b8b8884ebd96b;hpb=ef70704f0b31b59bb719b884d6a99cb9e3e2044a;p=ossec-hids.git
diff --git a/src/analysisd/cleanevent.c b/src/analysisd/cleanevent.c
index 938aa0e..6df285d 100755
--- a/src/analysisd/cleanevent.c
+++ b/src/analysisd/cleanevent.c
@@ -83,13 +83,25 @@ int OS_CleanMSG(char *msg, Eventinfo *lf)
     lf->log = lf->full_log+loglen;
     strncpy(lf->log, pieces, loglen);
-
+    /* check if month contains an umlaut and repair
+     * umlaute are non-ASCII and use 2 slots in the char array
+     * repair to only one slot so we can detect the correct date format in the next step
+     * ex: Mär 02 17:30:52
+     */
+    if (pieces[1] == (char) 195) {
+        if (pieces[2] == (char) 164) {
+            pieces[0] = '\0';
+            pieces[1] = 'M';
+            pieces[2] = 'a';
+            pieces++;
+        }
+    }
     /* Checking for the syslog date format.
      * ( ex: Dec 29 10:00:01
      * or 2007-06-14T15:48:55-04:00 for syslog-ng isodate
      * or 2009-05-22T09:36:46.214994-07:00 for rsyslog )
-     */
+     */
     if(
         (
          (loglen > 17) &&
@@ -366,6 +378,22 @@ int OS_CleanMSG(char *msg, Eventinfo *lf)
         lf->log+=23;
     }
+    /* Checking for suricata (new) date format
+     * ex: 01/28/1979-09:13:16.240702 [**]
+     */
+    else if( (loglen > 26) &&
+             (pieces[2] == '/') &&
+             (pieces[5] == '/') &&
+             (pieces[10] == '-') &&
+             (pieces[13] == ':') &&
+             (pieces[16]== ':') &&
+             (pieces[19]== '.') &&
+             (pieces[26] == ' ') )
+    {
+        lf->log+=28;
+    }
+
+
     /* Checking for apache log format */
     /* [Fri Feb 11 18:06:35 2004] [warn] */
     else if( (loglen > 27) &&
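Review bot: The umlaut repair rewrites `pieces` only after `strncpy(lf->log, pieces, loglen)` two lines above has already copied the unrepaired text into `lf->log`, so the date checks below match on the one-byte "Mar" in `pieces` while the `lf->log += N` skips are applied to a copy that still holds the two-byte sequence, leaving `lf->log` one byte short of the intended position for every such message (unless `lf->log` is re-derived further down, outside the hunk). The guard also never looks at `pieces[0]` or at `loglen`, so any remote log line whose second character is "ä" (for example "Bär ...") is rewritten to "Ma..." and gets a NUL written over its first byte; tighten it to `if (loglen > 3 && pieces[0] == 'M' && pieces[1] == (char)195 && pieces[2] == (char)164) {`. Moving the whole repair block above the `strncpy` lets the copy receive the repaired text so both pointers stay aligned; `loglen` is not adjusted after `pieces++`, which is harmless for that copy because `strncpy` stops at the terminator. OS_CleanMSG begins and ends outside the hunk.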
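Review bot: The new suricata branch verifies bytes only up to `pieces[26]` under `(loglen > 26)` but then advances by 28 (`lf->log+=28;`), so for the shortest message that satisfies the condition the skip lands past the end of the copied log and its terminator, and the parsing that follows reads whatever sits next in the buffer. The example in the comment, `01/28/1979-09:13:16.240702 [**]`, has a single space after the timestamp, which a 28-byte skip does not match (it would drop the `[` of `[**]`); if the real format carries two spaces, as the skip suggests, add `(pieces[27] == ' ') &&` to the condition, raise the guard to `(loglen > 28) &&` and fix the example, otherwise change the skip to `lf->log+=27;`. `loglen` is computed before this hunk, so the exact off-by-one depends on whether it counts the terminator, but the guard should in any case cover every byte the branch consumes. OS_CleanMSG begins and ends outside the hunk.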
@@ -492,10 +520,12 @@ int OS_CleanMSG(char *msg, Eventinfo *lf)
      */
     else if((loglen > 32) &&
             (pieces[0] == '1') &&
+            (isdigit((int)pieces[1])) &&
+            (isdigit((int)pieces[2])) &&
+            (isdigit((int)pieces[3])) &&
             (pieces[10] == '.') &&
-            (pieces[14] == ' ') &&
             (isdigit((int)pieces[13])) &&
-            (isdigit((int)pieces[1])) &&
+            (pieces[14] == ' ') &&
             ((pieces[21] == ' ')||(pieces[22] == ' ')))
     {
         lf->log+=14;
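Review bot: The three added `isdigit((int)pieces[N])` checks pass a plain `char` to `isdigit`, which is undefined behaviour for values outside `unsigned char`/EOF (CERT STR37-C): where `char` is signed, any non-ASCII byte at positions 1–3, such as the 0xC3/0xA4 UTF-8 bytes handled in the first hunk of this diff, becomes a negative argument and can index the classification table below its start on implementations that do not guard for it. Since this runs on remote log input, cast through `unsigned char` instead, e.g. `(isdigit((unsigned char)pieces[1])) &&`, and do the same for `pieces[2]`, `pieces[3]` and the pre-existing `pieces[13]` check that this hunk moves. OS_CleanMSG begins and ends outside the hunk.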