X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Fshared%2Freport_op.c;h=ede6310fae4f9725836c95e58c1e8e98a686df0c;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hp=cc51737a95a42766da0cb7a3e3587287442bff3a;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git diff --git a/src/shared/report_op.c b/src/shared/report_op.c index cc51737..ede6310 100755 --- a/src/shared/report_op.c +++ b/src/shared/report_op.c @@ -1,11 +1,12 @@ -/* @(#) $Id: report_op.c,v 1.2 2009/06/24 18:53:08 dcid Exp $ */ +/* @(#) $Id: ./src/shared/report_op.c, 2011/09/08 dcid Exp $ + */ /* Copyright (C) 2009 Trend Micro Inc. * All rights reserved. * * This program is a free software; you can redistribute it * and/or modify it under the terms of the GNU General Public - * License (version 3) as published by the FSF - Free Software + * License (version 2) as published by the FSF - Free Software * Foundation */ @@ -14,14 +15,33 @@ /** Helper functions. */ +FILE *__g_rtype = NULL; +void l_print_out(const char *msg, ...) +{ + va_list args; + va_start(args, msg); + + if(__g_rtype) + { + (void)vfprintf(__g_rtype, msg, args); + (void)fprintf(__g_rtype, "\n"); + } + else + { + (void)vfprintf(stderr, msg, args); + (void)fprintf(stderr, "\n"); + } + va_end(args); +} + /* Sort function used by OSStore sort. - * Returns if d1 > d2. + * Returns if d1 > d2. */ void *_os_report_sort_compare(void *d1, void *d2) { OSList *d1l = (OSList *)d1; - OSList *d2l = (OSList *)d2; + OSList *d2l = (OSList *)d2; if(d1l->currently_size > d2l->currently_size) { 
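Review bot: `__g_rtype` is a reserved identifier (any name containing a double underscore belongs to the implementation) and is defined at file scope without `static`, so it is exported from the object; if nothing outside this file refers to it, `static FILE *g_rtype = NULL;` with the uses in this file renamed keeps it private. `l_print_out` forwards `msg` to `vfprintf` but carries no format attribute, so the compiler cannot check its callers' argument lists the way it does for `printf`; a declaration such as `void l_print_out(const char *msg, ...) __attribute__((format(printf, 1, 2)));`, behind whatever compiler guard the project uses for such attributes, restores `-Wformat` coverage for every call site touched by this commit. The remainder of `_os_report_sort_compare` lies outside the hunk.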
@@ -32,11 +52,27 @@ void *_os_report_sort_compare(void *d1, void *d2) } +/* Print output header. */ +void _os_header_print(int t, char *hname) +{ + if(!t) + { + l_print_out("Top entries for '%s':", hname); + l_print_out("------------------------------------------------"); + } + else + { + l_print_out("Related entries for '%s':", hname); + l_print_out("------------------------------------------------"); + } +} + + /* Compares if the id is present in the string. */ int _os_report_str_int_compare(char *str, int id) { int pt_check = 0; - + do { if((*str == ',')||(*str == ' ')) @@ -90,7 +126,7 @@ int _os_report_check_filters(alert_data *al_data, report_filter *r_filter) } if(r_filter->location) { - if(!OS_Match2(r_filter->location, al_data->location)) + if(!OS_Match(r_filter->location, al_data->location)) { return(0); } @@ -102,7 +138,27 @@ int _os_report_check_filters(alert_data *al_data, report_filter *r_filter) return(0); } } - + if(r_filter->srcip) + { + if(!strstr(al_data->srcip, r_filter->srcip)) + { + return(0); + } + } + if(r_filter->user) + { + if(!strstr(al_data->user, r_filter->user)) + { + return(0); + } + } + if(r_filter->files) + { + if(!strstr(al_data->filename, r_filter->files)) + { + return(0); + } + } return(1); } @@ -159,11 +215,19 @@ int _report_filter_value(char *filter_by, int prev_filter) } return(prev_filter); } + else if(strcmp(filter_by, "filename") == 0) + { + if(!(prev_filter & REPORT_REL_FILE)) + { + prev_filter|=REPORT_REL_FILE; + } + return(prev_filter); + } else { - merror("%s: ERROR: Invalid relation '%s'.", ARGV0, filter_by); + merror("%s: ERROR: Invalid relation '%s'.", __local_name, filter_by); return(-1); - } + } } 
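Review bot: `_os_header_print` takes `char *hname` although it only passes it to `l_print_out`, so `const char *hname` documents that the name is not modified and lets callers pass string literals without a warning. The two branches differ only in one word, so `l_print_out("%s entries for '%s':", t ? "Related" : "Top", hname);` followed by the single separator line would express the same output in half the code.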
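Review bot: The three new filter checks pass `al_data->srcip`, `al_data->user` and `al_data->filename` to `strstr` as the haystack, but the same commit guards exactly those fields against NULL elsewhere (`al_data->srcip != NULL && ...` in os_ReportdStart, `if(al_data->filename != NULL)` before the top_files store), so an alert with a missing field dereferences NULL as soon as the corresponding filter is configured. Treat an absent field as a non-match, e.g. `if(!al_data->srcip || !strstr(al_data->srcip, r_filter->srcip))` and likewise for `user` and `filename`. Note also that `strstr` is a substring test, so a `srcip` filter of `10.0.0.1` also admits `10.0.0.10` through `10.0.0.19`; if exact matching was intended, `strcmp` (or the `OS_Match` now used for `location` above) is the safer choice. `_os_report_check_filters` begins outside the hunk.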
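Review bot: In the new `filename` arm, `if(!(prev_filter & REPORT_REL_FILE)) prev_filter|=REPORT_REL_FILE;` guards a bit-or that is already idempotent, so `prev_filter |= REPORT_REL_FILE;` alone is equivalent. It mirrors the existing arms, so this is a pre-existing pattern being copied rather than a defect introduced here, but the copy is the moment to simplify it. The opening of `_report_filter_value` is outside the hunk.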
@@ -174,13 +238,13 @@ int _os_report_print_related(int print_related, OSList *st_data) OSListNode *list_entry; alert_data *list_aldata; alert_data *saved_aldata; - - + + list_entry = OSList_GetFirstNode(st_data); while(list_entry) { saved_aldata = (alert_data *)list_entry->data; - + /* Removing duplicates. */ list_entry = list_entry->prev; while(list_entry) @@ -215,7 +279,10 @@ int _os_report_print_related(int print_related, OSList *st_data) else if(print_related & REPORT_REL_USER) { list_aldata = (alert_data *)list_entry->data; - if(strcmp(list_aldata->user, saved_aldata->user) == 0) + if(list_aldata->user == NULL || saved_aldata->user == NULL) + { + } + else if(strcmp(list_aldata->user, saved_aldata->user) == 0) { break; } @@ -224,7 +291,10 @@ int _os_report_print_related(int print_related, OSList *st_data) else if(print_related & REPORT_REL_SRCIP) { list_aldata = (alert_data *)list_entry->data; - if(strcmp(list_aldata->srcip, saved_aldata->srcip) == 0) + if(list_aldata->srcip == NULL || saved_aldata->srcip == NULL) + { + } + else if(strcmp(list_aldata->srcip, saved_aldata->srcip) == 0) { break; } 
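Review bot: The NULL guard is written as an empty `if` body followed by `else if`, which reads as a missing statement; `if(list_aldata->user && saved_aldata->user && strcmp(list_aldata->user, saved_aldata->user) == 0)` expresses the same condition in one line, and the same applies to the `srcip` hunk directly below and to the `filename` branch added in the next hunk. If the empty block is deliberate, it deserves a comment such as `/* alerts without a user never count as duplicates */` so the next reader does not "fix" it. The enclosing loop of `_os_report_print_related` starts and ends outside the hunk.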
@@ -238,23 +308,36 @@ int _os_report_print_related(int print_related, OSList *st_data) break; } } + else if(print_related & REPORT_REL_FILE) + { + list_aldata = (alert_data *)list_entry->data; + if(list_aldata->filename == NULL || saved_aldata->filename == NULL) + { + } + else if(strcmp(list_aldata->filename, saved_aldata->filename) == 0) + { + break; + } + } list_entry = list_entry->prev; } if(!list_entry) { if(print_related & REPORT_REL_LOCATION) - print_out(" location: '%s'", saved_aldata->location); + l_print_out(" location: '%s'", saved_aldata->location); else if(print_related & REPORT_REL_GROUP) - print_out(" group: '%s'", saved_aldata->group); + l_print_out(" group: '%s'", saved_aldata->group); else if(print_related & REPORT_REL_RULE) - print_out(" rule: '%d'", saved_aldata->rule); - else if(print_related & REPORT_REL_SRCIP) - print_out(" srcip: '%s'", saved_aldata->srcip); - else if(print_related & REPORT_REL_USER) - print_out(" user: '%s'", saved_aldata->user); + l_print_out(" rule: '%d'", saved_aldata->rule); + else if(print_related & REPORT_REL_SRCIP && saved_aldata->srcip) + l_print_out(" srcip: '%s'", saved_aldata->srcip); + else if(print_related & REPORT_REL_USER && saved_aldata->user) + l_print_out(" user: '%s'", saved_aldata->user); else if(print_related & REPORT_REL_LEVEL) - print_out(" level: '%d'", saved_aldata->level); + l_print_out(" level: '%d'", saved_aldata->level); + else if(print_related & REPORT_REL_FILE && saved_aldata->filename) + l_print_out(" filename: '%s'", saved_aldata->filename); } list_entry = OSList_GetNextNode(st_data); @@ -281,7 +364,7 @@ int _os_report_add_tostore(char *key, OSStore *top, void *data) top_list = OSList_Create(); if(!top_list) { - merror(MEM_ERROR, ARGV0); + merror(MEM_ERROR, __local_name); return(0); } OSList_AddData(top_list, data); 
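Review bot: `print_related & REPORT_REL_SRCIP && saved_aldata->srcip` relies on `&` binding tighter than `&&`; it is correct, but easy to misread as a flag test on the `&&` result, so `(print_related & REPORT_REL_SRCIP) && saved_aldata->srcip` (and the same for the `REPORT_REL_USER` and `REPORT_REL_FILE` arms) makes the intent explicit. When the field is NULL the `else if` ladder silently falls through to the remaining flag tests and prints nothing, which is fine for a single-flag `print_related` but is worth a one-line comment above the ladder. The function continues outside the hunk.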
@@ -296,20 +379,9 @@ int _os_report_add_tostore(char *key, OSStore *top, void *data) void os_report_printtop(void *topstore_pt, char *hname, int print_related) { + int dopdout = 0; OSStore *topstore = (OSStore *)topstore_pt; OSStoreNode *next_node; - - if(!print_related) - { - print_out("Top entries for '%s':", hname); - print_out("------------------------------------------------"); - } - else - { - print_out("Related entries for '%s':", hname); - print_out("------------------------------------------------"); - } - next_node = OSStore_GetFirstNode(topstore); while(next_node) @@ -328,14 +400,24 @@ void os_report_printtop(void *topstore_pt, char *hname, int print_related) lkey[46] = '\0'; } - print_out("%-48s|%-8d|", (char *)next_node->key, st_data->currently_size); + if(!dopdout) + { + _os_header_print(print_related, hname); + dopdout = 1; + } + l_print_out("%-48s|%-8d|", (char *)next_node->key, st_data->currently_size); } /* Print each destination. */ else { - print_out("%-48s|%-8d|", (char *)next_node->key, st_data->currently_size); + if(!dopdout) + { + _os_header_print(print_related, hname); + dopdout = 1; + } + l_print_out("%-48s|%-8d|", (char *)next_node->key, st_data->currently_size); if(print_related & REPORT_REL_LOCATION) _os_report_print_related(REPORT_REL_LOCATION, st_data); @@ -349,6 +431,8 @@ void os_report_printtop(void *topstore_pt, char *hname, int print_related) _os_report_print_related(REPORT_REL_GROUP, st_data); if(print_related & REPORT_REL_LEVEL) _os_report_print_related(REPORT_REL_LEVEL, st_data); + if(print_related & REPORT_REL_FILE) + _os_report_print_related(REPORT_REL_FILE, st_data); } @@ -356,9 +440,12 @@ void os_report_printtop(void *topstore_pt, char *hname, int print_related) } - print_out(" "); - print_out(" "); - return; + if(dopdout == 1) + { + l_print_out(" "); + l_print_out(" "); + } + return; } 
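Review bot: The `if(!dopdout) { _os_header_print(print_related, hname); dopdout = 1; }` block is duplicated verbatim in both branches of the `if/else`, and the first copy sits inside a branch whose opening is outside the hunk; since both branches run it before their first `l_print_out`, a single copy placed just before the `if` would do. The header was previously printed unconditionally, so the new flag deliberately suppresses all output for an empty store; that is a behaviour change worth recording at the declaration, e.g. `int dopdout = 0; /* header/footer printed lazily so an empty store yields no output */`.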
@@ -369,11 +456,12 @@ void os_ReportdStart(report_filter *r_filter) int alerts_filtered = 0; char *first_alert = NULL; char *last_alert = NULL; - - - time_t tm; - struct tm *p; - + void **data_to_clean = NULL; + + + time_t tm; + struct tm *p; + file_queue *fileq; alert_data *al_data; @@ -385,6 +473,29 @@ void os_ReportdStart(report_filter *r_filter) + + /* Initating file queue - to read the alerts */ + os_calloc(1, sizeof(file_queue), fileq); + + if(r_filter->report_type == REPORT_TYPE_DAILY && r_filter->filename) + { + fileq->fp = fopen(r_filter->filename, "r"); + if(!fileq->fp) + { + merror("%s: ERROR: Unable to open alerts file to generate report.", __local_name); + return; + } + if(r_filter->fp) + { + __g_rtype = r_filter->fp; + } + } + else + { + fileq->fp = stdin; + } + + /* Creating top hashes. */ r_filter->top_user = OSStore_Create(); r_filter->top_srcip = OSStore_Create(); @@ -392,15 +503,12 @@ void os_ReportdStart(report_filter *r_filter) r_filter->top_rule = OSStore_Create(); r_filter->top_group = OSStore_Create(); r_filter->top_location = OSStore_Create(); + r_filter->top_files = OSStore_Create(); - - - /* Initating file queue - to read the alerts */ - os_calloc(1, sizeof(file_queue), fileq); - fileq->fp = stdin; Init_FileQueue(fileq, p, CRALERT_READ_ALL|CRALERT_FP_SET); + /* Reading the alerts. */ while(1) { @@ -408,12 +516,11 @@ void os_ReportdStart(report_filter *r_filter) al_data = Read_FileMon(fileq, p, 1); if(!al_data) { - verbose("%s: Report completed. Creating output...", ARGV0); break; } alerts_processed++; - + /* Checking the filters. */ if(!_os_report_check_filters(al_data, r_filter)) 
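Review bot: When `fopen(r_filter->filename, "r")` fails, the function returns right after `merror` without releasing the `file_queue` that `os_calloc` allocated a few lines earlier, so every failed daily report leaks it; `free(fileq);` before the `return;` (or a single cleanup label) fixes that. Whether the successfully opened stream is ever closed is not visible in this hunk; the visible tail of `os_ReportdStart` in this diff calls no `fclose`, so unless `Read_FileMon` or the file-queue code owns the handle it stays open until the process exits. `__g_rtype = r_filter->fp` is only assigned on the daily-file path; if `r_filter->fp` can also be set when reading from stdin, that assignment belongs outside the `if`. The function continues outside the hunk.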
@@ -421,24 +528,25 @@ void os_ReportdStart(report_filter *r_filter) FreeAlertData(al_data); continue; } - - + + alerts_filtered++; + data_to_clean = os_AddPtArray(al_data, data_to_clean); /* Setting first and last alert for summary. */ if(!first_alert) first_alert = al_data->date; last_alert = al_data->date; - - + + /* Adding source ip if it is set properly. */ - if(strcmp(al_data->srcip, "(none)") != 0) + if(al_data->srcip != NULL && strcmp(al_data->srcip, "(none)") != 0) _os_report_add_tostore(al_data->srcip, r_filter->top_srcip, al_data); - + /* Adding user if it is set properly. */ - if(strcmp(al_data->user, "(none)") != 0) + if(al_data->user != NULL && strcmp(al_data->user, "(none)") != 0) _os_report_add_tostore(al_data->user, r_filter->top_user, al_data); @@ -449,10 +557,10 @@ void os_ReportdStart(report_filter *r_filter) mrule[76] = '\0'; snprintf(mlevel, 16, "Severity %d" , al_data->level); snprintf(mrule, 76, "%d - %s" , al_data->rule, al_data->comment); - - _os_report_add_tostore(strdup(mlevel), r_filter->top_level, + + _os_report_add_tostore(strdup(mlevel), r_filter->top_level, al_data); - _os_report_add_tostore(strdup(mrule), r_filter->top_rule, + _os_report_add_tostore(strdup(mrule), r_filter->top_rule, al_data); } @@ -474,8 +582,8 @@ void os_ReportdStart(report_filter *r_filter) mgroup++; continue; } - - _os_report_add_tostore(tmp_str, r_filter->top_group, + + _os_report_add_tostore(tmp_str, r_filter->top_group, al_data); mgroup++; } 
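Review bot: `data_to_clean = os_AddPtArray(al_data, data_to_clean);` assigns the helper's result straight back to the only pointer to the array, so if `os_AddPtArray` can return NULL (for example on allocation failure — its contract is not visible here) the previously collected pointers are lost and `al_data` is never freed; if that is possible, keep the result in a temporary and check it before assigning, as with `realloc`. Independently, every post-filter alert is now retained until the end of the run regardless of `show_alerts`, so peak memory grows with the filtered alert count; that is presumably intentional because the top stores hold pointers into these alerts, and a comment at the `data_to_clean` declaration saying so would explain why they cannot be freed earlier. The loop body continues outside the hunk.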
@@ -487,84 +595,137 @@ void os_ReportdStart(report_filter *r_filter) tmp_str++; if(*tmp_str != '\0') { - _os_report_add_tostore(tmp_str, r_filter->top_group, + _os_report_add_tostore(tmp_str, r_filter->top_group, al_data); } } } - /* Adding to the location top filter. */ - _os_report_add_tostore(al_data->location, r_filter->top_location, + /* Adding to the location top filter. */ + _os_report_add_tostore(al_data->location, r_filter->top_location, al_data); + + + if(al_data->filename != NULL) + { + _os_report_add_tostore(al_data->filename, r_filter->top_files, + al_data); + } } + /* No report available */ + if(alerts_filtered == 0) + { + if(!r_filter->report_name) + merror("%s: INFO: Report completed and zero alerts post-filter.", __local_name); + else + merror("%s: INFO: Report '%s' completed and zero alerts post-filter.", __local_name, r_filter->report_name); + return; + } - print_out(" "); if(r_filter->report_name) - print_out("Report '%s' completed.", r_filter->report_name); + verbose("%s: INFO: Report '%s' completed. Creating output...", __local_name, r_filter->report_name); else - print_out("Report completed. =="); - print_out("------------------------------------------------"); - - print_out("->Processed alerts: %d", alerts_processed); - print_out("->Post-filtering alerts: %d", alerts_filtered); - print_out("->First alert: %s", first_alert); - print_out("->Last alert: %s", last_alert); - print_out(" "); - print_out(" "); - + verbose("%s: INFO: Report completed. Creating output...", __local_name); + + + l_print_out(" "); + if(r_filter->report_name) + l_print_out("Report '%s' completed.", r_filter->report_name); + else + l_print_out("Report completed. 
=="); + l_print_out("------------------------------------------------"); + + l_print_out("->Processed alerts: %d", alerts_processed); + l_print_out("->Post-filtering alerts: %d", alerts_filtered); + l_print_out("->First alert: %s", first_alert); + l_print_out("->Last alert: %s", last_alert); + l_print_out(" "); + l_print_out(" "); + OSStore_Sort(r_filter->top_srcip, _os_report_sort_compare); OSStore_Sort(r_filter->top_user, _os_report_sort_compare); OSStore_Sort(r_filter->top_level, _os_report_sort_compare); OSStore_Sort(r_filter->top_group, _os_report_sort_compare); OSStore_Sort(r_filter->top_location, _os_report_sort_compare); OSStore_Sort(r_filter->top_rule, _os_report_sort_compare); - + OSStore_Sort(r_filter->top_files, _os_report_sort_compare); + if(r_filter->top_srcip) os_report_printtop(r_filter->top_srcip, "Source ip", 0); - + if(r_filter->top_user) os_report_printtop(r_filter->top_user, "Username", 0); - + if(r_filter->top_level) os_report_printtop(r_filter->top_level, "Level", 0); - + if(r_filter->top_group) os_report_printtop(r_filter->top_group, "Group", 0); - + if(r_filter->top_location) os_report_printtop(r_filter->top_location, "Location", 0); - + if(r_filter->top_rule) os_report_printtop(r_filter->top_rule, "Rule", 0); + if(r_filter->top_files) + os_report_printtop(r_filter->top_files, "Filenames", 0); + /* Print related events. 
*/ if(r_filter->related_srcip) - os_report_printtop(r_filter->top_srcip, "Source ip", + os_report_printtop(r_filter->top_srcip, "Source ip", r_filter->related_srcip); if(r_filter->related_user) - os_report_printtop(r_filter->top_user, "Username", + os_report_printtop(r_filter->top_user, "Username", r_filter->related_user); if(r_filter->related_level) - os_report_printtop(r_filter->top_level, "Level", + os_report_printtop(r_filter->top_level, "Level", r_filter->related_level); if(r_filter->related_group) - os_report_printtop(r_filter->top_group, "Group", + os_report_printtop(r_filter->top_group, "Group", r_filter->related_group); - + if(r_filter->related_location) - os_report_printtop(r_filter->top_location, "Location", + os_report_printtop(r_filter->top_location, "Location", r_filter->related_location); - + if(r_filter->related_rule) - os_report_printtop(r_filter->top_rule, "Rule", + os_report_printtop(r_filter->top_rule, "Rule", r_filter->related_rule); + + if(r_filter->related_file) + os_report_printtop(r_filter->top_files, "Filename", + r_filter->related_file); + + + /* If we have to dump the alerts. */ + if(data_to_clean) + { + int i = 0; + + if(r_filter->show_alerts) + { + l_print_out("Log dump:"); + l_print_out("------------------------------------------------"); + } + while(data_to_clean[i]) + { + alert_data *md = data_to_clean[i]; + if(r_filter->show_alerts) + l_print_out("%s %s\nRule: %d (level %d) -> '%s'\n%s\n\n", md->date, md->location, md->rule, md->level, md->comment, md->log[0]); + FreeAlertData(md); + i++; + } + free(data_to_clean); + data_to_clean = NULL; + } } 
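Review bot: The log-dump `l_print_out` in the new `data_to_clean` loop prints `md->location`, `md->comment` and `md->log[0]` through `%s` with no NULL guard, while the same commit adds such guards for `srcip`, `user` and `filename`; if any of these fields can be absent the dump dereferences NULL, so `md->log[0] ? md->log[0] : ""` (and the same for the other two, if they are nullable — not visible here) keeps it safe. The dumped text is raw alert content written to the report stream (stderr when no file is configured), so non-printable bytes from a log line reach a terminal unfiltered; an escaping pass, or at least a note in the `show_alerts` documentation, would be prudent. The zero-alert early return also leaves `fileq` and the seven `OSStore`s allocated, the same as the normal exit, so a shared cleanup block would serve both paths.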
@@ -575,35 +736,47 @@ void os_ReportdStart(report_filter *r_filter) * report_filter *r_filter) * Checks the configuration filters. */ -int os_report_configfilter(char *filter_by, char *filter_value, +int os_report_configfilter(char *filter_by, char *filter_value, report_filter *r_filter, int arg_type) { if(!filter_by || !filter_value) { return(-1); } - + if(arg_type == REPORT_FILTER) { if(strcmp(filter_by, "group") == 0) { - r_filter->group = filter_value; + r_filter->group = filter_value; } else if(strcmp(filter_by, "rule") == 0) { - r_filter->rule = filter_value; + r_filter->rule = filter_value; } else if(strcmp(filter_by, "level") == 0) { - r_filter->level = filter_value; + r_filter->level = filter_value; } else if(strcmp(filter_by, "location") == 0) { - r_filter->location = filter_value; + r_filter->location = filter_value; + } + else if(strcmp(filter_by, "user") == 0) + { + r_filter->user = filter_value; + } + else if(strcmp(filter_by, "srcip") == 0) + { + r_filter->srcip = filter_value; + } + else if(strcmp(filter_by, "filename") == 0) + { + r_filter->files = filter_value; } else { - merror("%s: ERROR: Invalid filter '%s'.", ARGV0, filter_by); + merror("%s: ERROR: Invalid filter '%s'.", __local_name, filter_by); return(-1); } } @@ -611,7 +784,7 @@ int os_report_configfilter(char *filter_by, char *filter_value, { if(strcmp(filter_by, "group") == 0) { - r_filter->related_group = + r_filter->related_group = _report_filter_value(filter_value, r_filter->related_group); if(r_filter->related_group == -1) @@ -619,7 +792,7 @@ int os_report_configfilter(char *filter_by, char *filter_value, } else if(strcmp(filter_by, "rule") == 0) { - r_filter->related_rule = + r_filter->related_rule = _report_filter_value(filter_value, r_filter->related_rule); if(r_filter->related_rule == -1) 
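Review bot: The `REPORT_FILTER` branch is now seven identical `strcmp`/assign arms; a small static table mapping the filter name to the target `report_filter` member would make adding `user`, `srcip` and `filename` a one-line change each and keep the `merror` fallback in one place. `r_filter->files = filter_value` stores the caller's pointer rather than a copy, exactly as the existing arms do, which is fine as long as the caller keeps the string alive; the header comment above the function could state that ownership rule. The function continues outside the hunk.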
@@ -627,7 +800,7 @@ int os_report_configfilter(char *filter_by, char *filter_value, } else if(strcmp(filter_by, "level") == 0) { - r_filter->related_level = + r_filter->related_level = _report_filter_value(filter_value, r_filter->related_level); if(r_filter->related_level == -1) @@ -635,7 +808,7 @@ int os_report_configfilter(char *filter_by, char *filter_value, } else if(strcmp(filter_by, "location") == 0) { - r_filter->related_location = + r_filter->related_location = _report_filter_value(filter_value, r_filter->related_location); if(r_filter->related_location == -1) @@ -643,7 +816,7 @@ int os_report_configfilter(char *filter_by, char *filter_value, } else if(strcmp(filter_by, "srcip") == 0) { - r_filter->related_srcip = + r_filter->related_srcip = _report_filter_value(filter_value, r_filter->related_srcip); if(r_filter->related_srcip == -1) @@ -651,15 +824,23 @@ int os_report_configfilter(char *filter_by, char *filter_value, } else if(strcmp(filter_by, "user") == 0) { - r_filter->related_user = + r_filter->related_user = _report_filter_value(filter_value, r_filter->related_user); - + if(r_filter->related_user == -1) return(-1); } + else if(strcmp(filter_by, "filename") == 0) + { + r_filter->related_file = + _report_filter_value(filter_value, r_filter->related_file); + + if(r_filter->related_file == -1) + return(-1); + } else { - merror("%s: ERROR: Invalid related entry '%s'.", ARGV0, filter_by); + merror("%s: ERROR: Invalid related entry '%s'.", __local_name, filter_by); return(-1); } }