X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=src%2Fanalysisd%2Fdecoders%2Fplugins%2Fossecalert_decoder.c;fp=src%2Fanalysisd%2Fdecoders%2Fplugins%2Fossecalert_decoder.c;h=43a85b1833e4249364a1e6ba45d083e133bc1274;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=182c9a61876b687622c9244eb3fbe65de7bd3408;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git
diff --git a/src/analysisd/decoders/plugins/ossecalert_decoder.c b/src/analysisd/decoders/plugins/ossecalert_decoder.c
index 182c9a6..43a85b1 100644
--- a/src/analysisd/decoders/plugins/ossecalert_decoder.c
+++ b/src/analysisd/decoders/plugins/ossecalert_decoder.c
@@ -1,6 +1,3 @@
-/* @(#) $Id: ./src/analysisd/decoders/plugins/ossecalert_decoder.c, 2012/03/28 dcid Exp $
- */
-
 /* Copyright (C) 2009 Trend Micro Inc.
  * All rights reserved.
  *
@@ -9,8 +6,6 @@
  * License (version 2) as published by the FSF - Free Software
  * Foundation.
  *
- * License details at the LICENSE file included with OSSEC or
- * online at: http://www.ossec.net/en/licensing.html
  */
@@ -35,21 +30,23 @@ void *OSSECAlert_Decoder_Init()
 #define oa_strchr(x,y,z) z = strchr(x,y); if(!z){ return(NULL); }
-/* OSSECAlert decoder
+/* OSSECAlert decoder
  * Will extract the rule_id and point back to the original rule.
  * Will also extract srcip and username if available.
  * Examples:
- *
- */
+ *
+ */
 void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
 {
     char *oa_id = 0;
     char *oa_location;
     char *oa_val;
     char oa_newlocation[256];
-    char tmpstr_buffer[4096 + 1];
+    char agent_file[OS_SIZE_1024 +1];
+    char tmpstr_buffer[4096 +1];
     char *tmp_str = NULL;
     void *rule_pointer;
+    FILE *fp;
     lf->decoder_info->type = OSSEC_ALERT;
@@ -62,7 +59,7 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
         return(NULL);
     }
-
+
     /* Going past the level. */
     oa_strchr(lf->log, ';', tmp_str);
     tmp_str++;
@@ -74,10 +71,10 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
     if(*tmp_str != ' ')
     {
         return(NULL);
-    }
+    }
     tmp_str++;
-
+
     /* Getting id. */
     oa_id = tmp_str;
     oa_strchr(tmp_str, ' ', tmp_str);
@@ -88,7 +85,8 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
     rule_pointer = OSHash_Get(Config.g_rules_hash, oa_id);
     if(!rule_pointer)
     {
-        merror("%s: WARN: Rule id '%s' not found internally.", ARGV0, oa_id);
+        *tmp_str = ' ';
+        merror("%s: WARN: Rule id '%s' not found internally: %s", ARGV0, oa_id, lf->log);
         *tmp_str = ' ';
         return(NULL);
     }
@@ -97,6 +95,8 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
     tmp_str++;
+
+
     /* Checking location. */
     if(strncmp(" Location: ", tmp_str, 11) != 0)
     {
@@ -107,35 +107,43 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
     /* Setting location; */
     oa_location = tmp_str;
-
+
     oa_strchr(tmp_str, ';', tmp_str);
     *tmp_str = '\0';
+
     /* Setting new location. */
     oa_newlocation[255] = '\0';
+    agent_file[OS_SIZE_1024] = '\0';
-    if(lf->hostname == lf->location)
-    {
-        snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location);
-        free(lf->location);
-        os_strdup(oa_newlocation, lf->location);
-        lf->hostname = lf->location;
-    }
-    else
+
+    snprintf(agent_file, OS_SIZE_1024, "%s/%s->%s",
+             AGENTINFO_DIR, lf->hostname, lf->location);
+
+    snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location);
+    free(lf->location);
+    os_strdup(oa_newlocation, lf->location);
+    lf->hostname = lf->location;
+
+
+
+    /* Writting to the agent file */
+    fp = fopen(agent_file, "w");
+    if(fp)
     {
-        snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
-                 lf->location, oa_location);
-        free(lf->location);
-        os_strdup(oa_newlocation, lf->location);
-        lf->hostname = lf->location;
+        fprintf(fp, "%s\n", "Remote Syslog");
+        fclose(fp);
     }
+
     *tmp_str = ';';
     tmp_str++;
+
+
     /* Getting additional fields. */
     while((*tmp_str == ' ') && (tmp_str[1] != ' '))
     {
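Review bot: The added `*tmp_str = ' ';` before the `merror` call restores the separator that presumably terminates `oa_id` (the `'\0'` write sits between this hunk and the previous one), so the `'%s'` meant for the rule id now prints the id followed by the rest of the log, and the new trailing `%s` repeats that text. Keep the restore before the call but bound the id with a precision, `merror("%s: WARN: Rule id '%.*s' not found internally: %s", ARGV0, (int)(tmp_str - oa_id), oa_id, lf->log);`, after which the second `*tmp_str = ' ';` following the call is redundant. `lf->log` is event-supplied text that now reaches the log unescaped here; if `merror` does not strip control characters, an embedded newline would appear as a separate log line, so a copy with non-printable bytes replaced is worth considering before logging it. `OSSECAlert_Decoder_Exec` starts and ends outside this hunk.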
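Review bot: The path handed to `fopen(agent_file, "w")` is built from `lf->hostname` and `lf->location`, both of which come from the event being decoded, and nothing in this hunk rejects a `/` or a `..` component in either, so an alert carrying such a value would make analysisd create or truncate a file outside `AGENTINFO_DIR` with its own privileges. The return value of the `snprintf` that builds the path is also unchecked, so a name longer than `OS_SIZE_1024` is silently cut and the write lands on a different file. I would gate the write on both conditions and simply skip it, rather than fail the decode, when they do not hold; the rewritten lines are below, with the `oa_newlocation` update left as it is. Separately, the unconditional `lf->hostname = lf->location;` replaces the old `hostname == location` branch, and if `lf->hostname` can point at its own allocation that pointer is now dropped without a free; ownership of the two fields is not visible in this hunk, so this is worth confirming. `OSSECAlert_Decoder_Exec` starts and ends outside this hunk.
```c
    agent_file[OS_SIZE_1024] = '\0';

    /* Only write the agent-info marker when the event-supplied hostname and
     * location cannot name a path outside AGENTINFO_DIR and the path fits. */
    if (strchr(lf->hostname, '/') == NULL && strstr(lf->hostname, "..") == NULL &&
        strchr(lf->location, '/') == NULL && strstr(lf->location, "..") == NULL)
    {
        int path_len = snprintf(agent_file, OS_SIZE_1024, "%s/%s->%s",
                                AGENTINFO_DIR, lf->hostname, lf->location);
        if (path_len > 0 && path_len < OS_SIZE_1024)
        {
            fp = fopen(agent_file, "w");
            if (fp)
            {
                fprintf(fp, "%s\n", "Remote Syslog");
                fclose(fp);
            }
        }
    }

    /* … unchanged: oa_newlocation / lf->location update, restore of ';' … */
```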
@@ -161,24 +169,23 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
         *tmp_str = ';';
         tmp_str++;
     }
-
+
     /* Removing space. */
     while(*tmp_str == ' ')
         tmp_str++;
+
-    /* Create new full log */
+    /* Creating new full log. */
     tmpstr_buffer[0] = '\0';
     tmpstr_buffer[4095] = '\0';
     strncpy(tmpstr_buffer, tmp_str, 4094);
-
     free(lf->full_log);
     lf->full_log = NULL;
     os_strdup(tmpstr_buffer, lf->full_log);
-
     lf->log = lf->full_log;
-
+
     /* Rule that generated. */
     lf->generated_rule = rule_pointer;