X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Fanalysisd%2Fdecoders%2Fplugins%2Fossecalert_decoder.c;h=43a85b1833e4249364a1e6ba45d083e133bc1274;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=2514d48534b1fac859b3f64a2d8b3aae1bdd66c2;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/src/analysisd/decoders/plugins/ossecalert_decoder.c b/src/analysisd/decoders/plugins/ossecalert_decoder.c
index 2514d48..43a85b1 100644
--- a/src/analysisd/decoders/plugins/ossecalert_decoder.c
+++ b/src/analysisd/decoders/plugins/ossecalert_decoder.c
@@ -1,15 +1,11 @@
-/* @(#) $Id: ossecalert_decoder.c,v 1.3 2009/06/24 17:06:24 dcid Exp $ */
-
 /* Copyright (C) 2009 Trend Micro Inc.
  * All rights reserved.
  *
  * This program is a free software; you can redistribute it
  * and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
  * Foundation.
  *
- * License details at the LICENSE file included with OSSEC or
- * online at: http://www.ossec.net/en/licensing.html
  */
@@ -46,15 +42,19 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
     char *oa_location;
     char *oa_val;
     char oa_newlocation[256];
+    char agent_file[OS_SIZE_1024 +1];
+    char tmpstr_buffer[4096 +1];
     char *tmp_str = NULL;
     void *rule_pointer;
+    FILE *fp;
     lf->decoder_info->type = OSSEC_ALERT;
     /* Checking the alert level. */
-    if(strncmp("Alert Level: ", lf->log, 12) != 0)
+    if(strncmp("Alert Level: ", lf->log, 12) != 0 &&
+       strncmp("ossec: Alert Level:", lf->log, 18) != 0)
     {
         return(NULL);
     }
@@ -85,7 +85,8 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
     rule_pointer = OSHash_Get(Config.g_rules_hash, oa_id);
     if(!rule_pointer)
     {
-        merror("%s: WARN: Rule id '%s' not found internally.", ARGV0, oa_id);
+        *tmp_str = ' ';
+        merror("%s: WARN: Rule id '%s' not found internally: %s", ARGV0, oa_id, lf->log);
         *tmp_str = ' ';
         return(NULL);
     }
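Review bot: The new prefix test compares only 18 bytes of `"ossec: Alert Level:"`, so the trailing colon of the literal is never checked and a line such as `ossec: Alert Level X` gets past the guard; the existing 12-byte compare of `"Alert Level: "` does include its colon, so the two checks are not equivalent. `strncmp("ossec: Alert Level:", lf->log, 19)` makes the second test as strict as the first. Separately, a line accepted through the new prefix carries seven extra leading bytes (`ossec: `), so the field parsing that follows this hunk, which is not visible here, should be confirmed to skip that prefix rather than assume `lf->log` begins at `Alert Level`. OSSECAlert_Decoder_Exec starts before this hunk and continues after it.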
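Review bot: The second `*tmp_str = ' ';` after the merror() call on the new side is now redundant: the same byte was already restored immediately before the message so that `lf->log` prints whole, and nothing between the two assignments changes it, so the later line can be dropped. Passing the event line as a `%s` argument is format-safe, but it does mean the raw, remotely supplied line is now reproduced verbatim in the local log; presumably the log writer already handles such content, worth confirming. The enclosing function starts before this hunk.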
@@ -94,6 +95,8 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
     tmp_str++;
+
+ /* Checking location. */
     if(strncmp(" Location: ", tmp_str, 11) != 0)
     {
@@ -110,29 +113,37 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
     *tmp_str = '\0';
+ /* Setting new location. */
     oa_newlocation[255] = '\0';
+    agent_file[OS_SIZE_1024] = '\0';
-    if(lf->hostname == lf->location)
-    {
-        snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location);
-        free(lf->location);
-        os_strdup(oa_newlocation, lf->location);
-        lf->hostname = lf->location;
-    }
-    else
+
+    snprintf(agent_file, OS_SIZE_1024, "%s/%s->%s",
+             AGENTINFO_DIR, lf->hostname, lf->location);
+
+    snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location);
+    free(lf->location);
+    os_strdup(oa_newlocation, lf->location);
+    lf->hostname = lf->location;
+
+
+
+    /* Writting to the agent file */
+    fp = fopen(agent_file, "w");
+    if(fp)
     {
-        snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
-                 lf->location, oa_location);
-        free(lf->location);
-        os_strdup(oa_newlocation, lf->location);
-        lf->hostname = lf->location;
+        fprintf(fp, "%s\n", "Remote Syslog");
+        fclose(fp);
     }
+
     *tmp_str = ';';
     tmp_str++;
-
+
+ /* Getting additional fields. */
     while((*tmp_str == ' ') && (tmp_str[1] != ' '))
     {
@@ -164,10 +175,15 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
     while(*tmp_str == ' ')
         tmp_str++;
-
+ /* Creating new full log. */
+    tmpstr_buffer[0] = '\0';
+    tmpstr_buffer[4095] = '\0';
+    strncpy(tmpstr_buffer, tmp_str, 4094);
+
     free(lf->full_log);
-    os_strdup(tmp_str, lf->full_log);
+    lf->full_log = NULL;
+    os_strdup(tmpstr_buffer, lf->full_log);
     lf->log = lf->full_log;
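Review bot: `agent_file` is built from `lf->hostname` and `lf->location`, both derived from the incoming event, and then opened with `fopen(agent_file, "w")`, yet nothing in this hunk rejects a `..` component in either string and the return value of the `snprintf` that builds the path is ignored, so an over-long pair is silently truncated to a different file name. Unless remoted already restricts both strings (not visible here), a sender can steer where inside, or with `..` outside, AGENTINFO_DIR this write lands; the change below skips the write in both cases and keeps decoding the event. The `fprintf`/`fclose` results are also unchecked, which is tolerable for a best-effort marker but hides a disk-full condition. Note too that this now adds an open/write/close per decoded alert on the analysisd hot path; if the marker only needs to exist, writing it when the file is absent would be cheaper. OSSECAlert_Decoder_Exec starts before and ends after this hunk.
```c
    /* Both names come from the event: derive a path from them only when
     * neither carries a ".." component and the result was not truncated.
     * (write_agent is an int declared with the other locals.) */
    write_agent = 0;
    if(strstr(lf->hostname, "..") == NULL && strstr(lf->location, "..") == NULL)
    {
        int n = snprintf(agent_file, OS_SIZE_1024, "%s/%s->%s",
                         AGENTINFO_DIR, lf->hostname, lf->location);
        write_agent = (n > 0 && n < OS_SIZE_1024);
    }

    /* … unchanged: location rewrite into oa_newlocation … */

    /* Writting to the agent file */
    if(write_agent)
    {
        fp = fopen(agent_file, "w");
        if(fp)
        {
            fprintf(fp, "%s\n", "Remote Syslog");
            fclose(fp);
        }
    }
```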