X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Fanalysisd%2Fdecoders%2Fplugins%2Fpf_decoder.c;h=1a3983581238f85140a6771d66783914cae7fbfa;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=9457ae384d5c3a4df164dd88455103d0961c2287;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git diff --git a/src/analysisd/decoders/plugins/pf_decoder.c b/src/analysisd/decoders/plugins/pf_decoder.c index 9457ae3..1a39835 100644 --- a/src/analysisd/decoders/plugins/pf_decoder.c +++ b/src/analysisd/decoders/plugins/pf_decoder.c @@ -1,17 +1,13 @@ -/* @(#) $Id: pf_decoder.c,v 1.5 2009/06/24 17:06:24 dcid Exp $ */ - /* Copyright (C) 2009 Trend Micro Inc. * All rights reserved. * * This program is a free software; you can redistribute it * and/or modify it under the terms of the GNU General Public - * License (version 3) as published by the FSF - Free Software + * License (version 2) as published by the FSF - Free Software * Foundation. - * - * License details at the LICENSE file included with OSSEC or - * online at: http://www.ossec.net/en/licensing.html */ +#include "../plugin_decoders.h" #include "shared.h" #include "eventinfo.h" @@ -23,11 +19,10 @@ void *PF_Decoder_Init() debug1("%s: Initializing PF decoder..", ARGV0); /* There is nothing to do over here */ - return(NULL); + return (NULL); } - -/* OpenBSD PF decoder +/* OpenBSD PF decoder * Will extract the action,srcip,dstip,protocol,srcport,dstport * * Examples: 
@@ -37,180 +32,145 @@ void *PF_Decoder_Init() * Mar 30 15:54:22.174412 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030: udp 89 * Mar 30 17:47:40.390143 rule 2/(match) pass in on lo0: 127.0.0.1 > 127.0.0.1: icmp: echo reply * Mar 30 17:47:41.400075 rule 3/(match) pass out on lo0: 127.0.0.1 > 127.0.0.1: icmp: echo request - */ + */ void *PF_Decoder_Exec(Eventinfo *lf) { int port_count = 0; char *tmp_str; char *aux_str; - /* tmp_str should be: Mar 30 15:54:22.171929 rule 3/(match) pass out .. */ tmp_str = strchr(lf->log, ')'); - /* Didn't match */ - if(!tmp_str) - { - return(NULL); + if (!tmp_str) { + return (NULL); } - - /* Going to the action entry */ + + /* Go to the action entry */ tmp_str++; - if(*tmp_str != ' ') - { - return(NULL); + if (*tmp_str != ' ') { + return (NULL); } tmp_str++; - /* tmp_str should be: pass out on xl0: 192.168.2.10.1514 .. */ - - /* Getting action */ - if(*tmp_str == 'p') - { + /* Get action */ + if (*tmp_str == 'p') { os_strdup("pass", lf->action); - } - else if(*tmp_str == 'b') - { + } else if (*tmp_str == 'b') { os_strdup("block", lf->action); - } - else - { + } else { /* Unknown action */ - return(NULL); + return (NULL); } - - /* Jumping to the src ip */ + /* Jump to the src ip */ tmp_str = strchr(tmp_str, ':'); - if(!tmp_str) - { - return(NULL); + if (!tmp_str) { + return (NULL); } tmp_str++; - if(*tmp_str != ' ') - { - return(NULL); + if (*tmp_str != ' ') { + return (NULL); } tmp_str++; - - /* tmp_str should be: 192.168.2.10.1514 > .. 
*/ aux_str = strchr(tmp_str, ' '); - if(!aux_str) - return(NULL); - - - /* Setting aux_str to 0 for strdup */ + if (!aux_str) { + return (NULL); + } + + /* Set aux_str to 0 for strdup */ *aux_str = '\0'; - + os_strdup(tmp_str, lf->srcip); - + /* Aux str has a valid pointer to lf->log now */ *aux_str = ' '; aux_str++; - - - - /* Setting the source port if present */ + + /* Set the source port if present */ tmp_str = lf->srcip; - while(*tmp_str != '\0') - { - if(*tmp_str == '.') + while (*tmp_str != '\0') { + if (*tmp_str == '.') { port_count++; - - + } + /* Found port */ - if(port_count == 4) - { + if (port_count == 4) { *tmp_str = '\0'; tmp_str++; os_strdup(tmp_str, lf->srcport); break; } - + tmp_str++; } - /* Invalid rest of log */ - if(*aux_str != '>') - return(NULL); - + if (*aux_str != '>') { + return (NULL); + } aux_str++; - if(*aux_str != ' ') - return(NULL); + if (*aux_str != ' ') { + return (NULL); + } aux_str++; - /* tmp_str should be: 192.168.2.10.1514: .. .. */ tmp_str = strchr(aux_str, ':'); - if(!tmp_str) - return(NULL); - - - /* Setting aux_str to 0 for strdup */ + if (!tmp_str) { + return (NULL); + } + + /* Set aux_str to 0 for strdup */ *tmp_str = '\0'; - + os_strdup(aux_str, lf->dstip); - - + /* tmp str has a valid pointer to lf->log now */ *tmp_str = ':'; tmp_str++; - - /* Getting destination port */ + /* Get destination port */ aux_str = lf->dstip; port_count = 0; - while(*aux_str != '\0') - { - if(*aux_str == '.') + while (*aux_str != '\0') { + if (*aux_str == '.') { port_count++; - - + } + /* Found port */ - if(port_count == 4) - { + if (port_count == 4) { *aux_str = '\0'; aux_str++; os_strdup(aux_str, lf->dstport); break; } - + aux_str++; } - - /* Getting protocol */ - while(*tmp_str != '\0') - { - if(*tmp_str == ' ') - { + /* Get protocol */ + while (*tmp_str != '\0') { + if (*tmp_str == ' ') { tmp_str++; continue; - } - else if(*tmp_str == 'u') - { + } else if (*tmp_str == 'u') { os_strdup("UDP", lf->protocol); - } - else if(*tmp_str == 'i') 
- { + } else if (*tmp_str == 'i') { os_strdup("ICMP", lf->protocol); - } - else - { + } else { os_strdup("TCP", lf->protocol); } - + break; } - - return(NULL); + + return (NULL); } -/* END Decoder */
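Review bot: The protocol branch at the end of the hunk labels every token that does not start with `u` or `i` as TCP, so any other protocol name pf may log (an `esp` or `gre` line, for instance) is reported as `TCP` and rules keyed on `lf->protocol` would misfire; I would match `t` explicitly, `} else if (*tmp_str == 't') { os_strdup("TCP", lf->protocol); }`, and leave `lf->protocol` unset (or copy the raw token) otherwise. Both port loops split the port off at the fourth `.` and the destination address is cut at the first `:`, which would truncate an IPv6 address if pf ever logs one in this format — worth a comment such as `/* IPv4 only: the port is the text after the fourth '.', and the dst address ends at the first ':' */` above the srcport loop. The hunk also drops the `tmp_str should be: ...` cursor-state comments, which were the only documentation of what each strchr() is expected to land on; I would keep one at each parsing step.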