X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Fanalysisd%2Falerts%2Fexec.c;h=660cc528b8049a7feb9e8155b40bb4017190741e;hb=927951d1c1ad45ba9e7325f07d996154a91c911b;hp=46bf4ac5b5cb122461db1ca28e37840361b14f95;hpb=301048b51990573e58a30dc4a5bb4ec285cad554;p=ossec-hids.git
diff --git a/src/analysisd/alerts/exec.c b/src/analysisd/alerts/exec.c
index 46bf4ac..660cc52 100755
--- a/src/analysisd/alerts/exec.c
+++ b/src/analysisd/alerts/exec.c
@@ -1,11 +1,12 @@
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/alerts/exec.c, 2011/09/08 dcid Exp $
+ */
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
 * Foundation
 */
@@ -25,29 +26,30 @@
 #include "eventinfo.h"
-/* OS_Exec v0.1
+/* OS_Exec v0.1
 */
 void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
 {
 char exec_msg[OS_SIZE_1024 +1];
 char *ip;
 char *user;
+ char *filename;
+ int do_free_filename = 0;
+ ip = user = filename = "-";
 /* Cleaning the IP */
 if(lf->srcip && (ar->ar_cmd->expect & SRCIP))
 {
- ip = strrchr(lf->srcip, ':');
- if(ip)
+ if(strncmp(lf->srcip, "::ffff:", 7) == 0)
 {
- ip++;
+ ip = lf->srcip + 7;
 }
 else
 {
 ip = lf->srcip;
 }
- /* Checking if IP is to ignored */
 if(Config.white_list)
 {
@@ -64,7 +66,7 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
 OSMatch **wl;
 srcip_size = strlen(ip);
-
+
 wl = Config.hostname_white_list;
 while(*wl)
 {
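Review bot: The new prefix test `strncmp(lf->srcip, "::ffff:", 7) == 0` is case-sensitive, so an IPv4-mapped address spelled with uppercase hex digits (`::FFFF:1.2.3.4`) is no longer stripped, while the removed `strrchr` handled either spelling; whether that spelling can reach lf->srcip depends on the decoders, which are not visible here, and if it can, `strncasecmp` is the drop-in replacement. The comment `/* Cleaning the IP */` no longer says what is being cleaned; I would change it to `/* Strip the IPv4-mapped IPv6 prefix ("::ffff:") so the response gets the plain IPv4 address */`. The new line `ip = user = filename = "-";` is what makes the removed else-branches unnecessary and deserves a one-line comment such as `/* "-" marks a field the response does not receive */`. OS_Exec's body continues past this hunk.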
@@ -74,70 +76,90 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
 }
 }
 }
- else
- {
- ip = "-";
- }
-
-
 /* Getting username */
 if(lf->dstuser && (ar->ar_cmd->expect & USERNAME))
 {
 user = lf->dstuser;
 }
- else
+
+ /* Get the filename */
+ if(lf->filename && (ar->ar_cmd->expect & FILENAME))
 {
- user = "-";
+ filename = os_shell_escape(lf->filename);
+ do_free_filename = 1;
 }
- /* active response on the server.
+ /* active response on the server.
 * The response must be here if the ar->location is set to AS
 * or the ar->location is set to local (REMOTE_AGENT) and the
 * event location is from here.
- */
+ */
 if((ar->location & AS_ONLY) || ((ar->location & REMOTE_AGENT) && (lf->location[0] != '(')) )
 {
 if(!(Config.ar & LOCAL_AR))
 return;
-
+
 snprintf(exec_msg, OS_SIZE_1024,
- "%s %s %s %d.%ld %d %s",
+ "%s %s %s %d.%ld %d %s %s",
 ar->name,
 user,
 ip,
 lf->time,
 __crt_ftell,
 lf->generated_rule->sigid,
- lf->location);
+ lf->location,
+ filename);
 if(OS_SendUnix(*execq, exec_msg, 0) < 0)
 {
 merror("%s: Error communicating with execd.", ARGV0);
 }
 }
-
- /* Active response to the forwarder */
- else if((Config.ar & REMOTE_AR) && (lf->location[0] == '('))
+
+ /* Active response to the forwarder */
+ else if((Config.ar & REMOTE_AR))
 {
- int rc;
- snprintf(exec_msg, OS_SIZE_1024,
- "%s %c%c%c %s %s %s %s %d.%ld %d %s",
- lf->location,
- (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
- (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
- (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
- ar->agent_id != NULL? ar->agent_id: "(null)",
- ar->name,
- user,
- ip,
- lf->time,
- __crt_ftell,
- lf->generated_rule->sigid,
- lf->location);
-
+ int rc;
+ /*If lf->location start with a ( was generated by remote agent and its ID is included in lf->location
+ if missing then it must of been generated by the local analysisd so prepend a false id tag */
+ if(lf->location[0] == '(') {
+ snprintf(exec_msg, OS_SIZE_1024,
+ "%s %c%c%c %s %s %s %s %d.%ld %d %s %s",
+ lf->location,
+ (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
+ (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
+ (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
+ ar->agent_id != NULL? ar->agent_id: "(null)",
+ ar->name,
+ user,
+ ip,
+ lf->time,
+ __crt_ftell,
+ lf->generated_rule->sigid,
+ lf->location,
+ filename);
+ } else {
+ snprintf(exec_msg, OS_SIZE_1024,
+ "(local_source) %s %c%c%c %s %s %s %s %d.%ld %d %s %s",
+ lf->location,
+ (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
+ (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
+ (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
+ ar->agent_id != NULL? ar->agent_id: "(null)",
+ ar->name,
+ user,
+ ip,
+ lf->time,
+ __crt_ftell,
+ lf->generated_rule->sigid,
+ lf->location,
+ filename);
+ }
+
 if((rc = OS_SendUnix(*arq, exec_msg, 0)) < 0)
 {
 if(rc == OS_SOCKBUSY)
@@ -146,12 +168,16 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
 }
 else
 {
- merror("%s: AR socket error (shutdown?).", ARGV0);
+ merror("%s: AR socket error (shutdown?).", ARGV0);
 }
 merror("%s: Error communicating with ar queue (%d).", ARGV0, rc);
 }
 }
-
+
+ // Clean up Memory
+ if ( filename != NULL && do_free_filename == 1 )
+ free(filename);
+
 return;
 }
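Review bot: The early `return;` under `if(!(Config.ar & LOCAL_AR))` now leaks the buffer that `filename = os_shell_escape(lf->filename);` allocated a few lines above, because it exits before the free that the last hunk adds at the end of the function. Change it to `if(!(Config.ar & LOCAL_AR)) { if(do_free_filename) free(filename); return; }` or route it through a cleanup label placed before the final `return;`. The result of `os_shell_escape` is also not checked for NULL, and the `filename != NULL` test in the final cleanup suggests the helper can return it; if so, the `%s` conversions in every snprintf below would receive a null pointer, which resetting to `filename = "-"; do_free_filename = 0;` on NULL avoids. Note as well that `filename` is the only field run through os_shell_escape while `user` and `ip` are placed in the same exec_msg untouched, so if the receiving side hands these fields to a shell the same treatment belongs on them, and the snprintf return value is never checked, so an over-long escaped filename would be silently truncated as the last field. OS_Exec's body continues into the next hunk.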
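Review bot: The guard `if ( filename != NULL && do_free_filename == 1 )` is redundant: `do_free_filename` is only set alongside the assignment from os_shell_escape, and `free(NULL)` is a no-op, so `if (do_free_filename) free(filename);` expresses the same thing with one condition. The `// Clean up Memory` line is the only `//` comment in a file that otherwise uses `/* */`, and a more precise text would be `/* release the escaped copy of lf->filename made above */`. Since `filename` stays in scope until the closing brace, writing `filename = NULL;` after the free is cheap insurance against a use-after-free if code is later added before the `return;`.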