repo: b55c69ab0638427c3307fb169a767b950530ce4a
-node: 5afbec313087627a125241c880b8a03f819f714f
+node: 10cc358d57a8cf57eb9c97c411cc2a118a3c14ac
branch: default
-latesttag: v2.5.0-beta1
-latesttagdistance: 21
+latesttag: 2.7-beta2
+latesttagdistance: 15
*.o
*.a
*.dSYM
+*.orig
.hgignore
# Auto generated build files
src/logcollector/ossec-logcollector
src/monitord/ossec-monitord
src/monitord/ossec-reportd
+src/os_auth/agent-auth
+src/os_auth/ossec-authd
src/os_csyslogd/ossec-csyslogd
src/os_dbd/ossec-dbd
src/os_execd/ossec-execd
7550abc82f5402592a646615f02fd698686de7bd OSSEC_HIDS_0_4
946d14c2b5ba7c21cd6eefe5f56f136df93f28a6 v1_1_0
8b7a8120903fe0e18fcd9a29897919669c46adfc v2.5.0-beta1
+6f9682e3e1492532e48455e6ca65ca27151f1931 AgentConfigProfile-beta
+7f7d3ed19f558c985931a9b2734a6d5fabc42ab3 MultpileProfileWithOverwriting
+3c4f446bab8d58b93c99e14276ec599319e61401 v2.6.0 Final plus enhancements
+c1d1982737cb58bbffc9721f82c0532323f36bba v2.7-beta1
+39c20dca5873f178beb31168e79dcf654139e578 2.7-beta2
-OSSEC v2.5.1
-Copyright (C) 2010 Trend Micro Inc.
+OSSEC v2.7
+Copyright (C) 2012 Trend Micro Inc.
** Reporting bugs **
If you prefer to contact us privately or if it is a security
-issue, send an e-mail to contact@ossec.net.
+issue, send an e-mail to OSSEC Project ( ossecproject@gmail.com ).
-OSSEC v2.5.1
-Copyright (C) 2010 Trend Micro Inc.
+OSSEC v2.7
+Copyright (C) 2012 Trend Micro Inc.
= Information about OSSEC =
Just follow the steps from the install.sh script.
More information at
-http://www.ossec.net/en/manual.html
+http://www.ossec.net/doc/manual/index.html
-# @(#) $Id$
-#
+OSSEC v2.7
+Copyright (C) 2012 Trend Micro Inc.
Many thanks to everyone who contributed and helped with
the ossec project. Below is the list of all the people
-Development
- Daniel B. Cid <dcid ( at ) ossec.net>
- Jeremy Rossi <jrossi ( at ) ptnsecurity.com>
- - Stephen Kreusch <stephen.kreusch at gmail.com>
+ - Michael Starks
+ - Dan Parriott <ddpbsd at gmail.com>
- Meir Michanie <meirgotroot ( at ) gmail.com>
- Slava Semushin <php-coder at altlinux.org>
- Ahmet Ozturk <oahmet ( at ) metu.edu.tr>
+ - Scott R. Shinn
+ - George Kargiotakis
+ - Jason Stelzer
+ - Xavier Mertens
+ - Stjepan Gros
+ - Brad Lhotsky
+ - cmlara
+ - Christian Gottsche (cgzones)
+ - Dominic
+ - JB Cheng
-Testing/Patches and other contributions.
- Andre Alexandre Gaio <aagaio ( at ) linwork.com.br>
- Liliane A. Cid <liliane.cid ( at ) gmail.com>
- Marcus Maciel - <marcus @ ( at ) underlinux.com.br>
+ - Stephen Kreusch <stephen.kreusch at gmail.com>
- Kayvan A. Sylvan <kayvan@ ( at ) sylvan.com>
- Dianzhi Wang <wangdz@ ( at ) leadsec.com.cn>
- Meir Michanie <meirgotroot@ ( at ) gmail.com>
- Jorge Augusto Senger <jorge ( at ) br10.com.br> - ossec2mysql (contrib)
- David J. Bianco <david at vorant.com>
- Ivan Lotina <lotke at lotke.com>
- - Michael Starks
- Robert Millan [ackstorm] <rmillan at ackstorm.es>
- Martin West <martin at objectgizmos.com>
- Rafael Capovilla <under ( at ) underlinux.com.br>
+ - Florian Crouzqat
+ - Danny Fullerton
+ - Jeremy Hanmer
+ - Pepe Sanz
+ - Kat Fitzgerald
+ - Regis Houssin
+ - carlopmart
+ - Ash Kumar
-Translations
+
+ -Dutch:
+ - Martijn de Boer - martijn ( at ) oceanius.com
+
+ -Serbian:
+ - Maja Michanie - majam ( at ) riunx.com
-Portuguese:
- Daniel Barcellos <danielpoa.rs ( at ) gmail.com>
-OSSEC v2.5.1
-Copyright (C) 2009 Trend Micro Inc.
+OSSEC v2.7
+Copyright (C) 2012 Trend Micro Inc.
= Information about OSSEC =
- Copyright (C) 2010 Trend Micro Inc. All rights reserved.
+ Copyright (C) 2012 Trend Micro Inc. All rights reserved.
OSSEC HIDS is a free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
published by the FSF - Free Software Foundation.
+ In addition, certain source files in this program permit linking with the
+ OpenSSL library (http://www.openssl.org), which otherwise wouldn't be allowed
+ under the GPL. For purposes of identifying OpenSSL, most source files giving
+ this permission limit it to versions of OpenSSL having a license identical to
+ that listed in this file (see section "OpenSSL LICENSE" below). It is not
+ necessary for the copyright years to match between this file and the OpenSSL
+ version in question. However, note that because this file is an extension of
+ the license statements of these source files, this file may not be changed
+ except with permission from all copyright holders of source files in this
+ program which reference this file.
+
Note that this license applies to the source code, as well as
decoders, rules and any other data file included with OSSEC (unless
otherwise specified).
modules. Our interpretation refers only to OSSEC - we don't speak
for any other GPL products.
+ * As a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+
OSSEC HIDS is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
- See the GNU General Public License Version 3 below for more details.
+ See the GNU General Public License Version 2 below for more details.
-----------------------------------------------------------------------------
END OF TERMS AND CONDITIONS
+
+-------------------------------------------------------------------------------
+
+OpenSSL License
+---------------
+
+ LICENSE ISSUES
+ ==============
+
+ The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
+ the OpenSSL License and the original SSLeay license apply to the toolkit.
+ See below for the actual license texts. Actually both licenses are BSD-style
+ Open Source licenses. In case of any license issues related to OpenSSL
+ please contact openssl-core@openssl.org.
+
+ OpenSSL License
+ ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
-OSSEC v2.5.1
-Copyright (C) 2010 Trend Micro Inc.
+OSSEC v2.7
+Copyright (C) 2012 Trend Micro Inc.
= Information about OSSEC =
# Expect: srcip
# Author: Ahmet Ozturk (ipfilter and IPSec)
# Author: Daniel B. Cid (iptables)
-# Last modified: Feb 14, 2006
+# Author: cgzones
+# Last modified: Oct 04, 2012
UNAME=`uname`
ECHO="/bin/echo"
GREP="/bin/grep"
-IPTABLES="/sbin/iptables"
+IPTABLES=""
+IP4TABLES="/sbin/iptables"
+IP6TABLES="/sbin/ip6tables"
IPFILTER="/sbin/ipf"
if [ "X$UNAME" = "XSunOS" ]; then
IPFILTER="/usr/sbin/ipf"
USER=$2
IP=$3
+
LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`
-echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
+filename=$(basename "$0")
+
+LOCK="${PWD}/fw-drop"
+LOCK_PID="${LOCK}/pid"
+LOG_FILE="${PWD}/../logs/active-responses.log"
+
+echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
# Checking for an IP
exit 1;
fi
+case "${IP}" in
+ *:* ) IPTABLES=$IP6TABLES;;
+ *.* ) IPTABLES=$IP4TABLES;;
+ * ) echo "`date` Unable to run active response (invalid IP: '${IP}')." >> ${LOG_FILE} && exit 1;;
+esac
+
+# This number should be more than enough (even if a hundred
+# instances of this script is ran together). If you have
+# a really loaded env, you can increase it to 75 or 100.
+MAX_ITERATION="50"
+
+# Lock function
+lock()
+{
+ i=0;
+ # Providing a lock.
+ while [ 1 ]; do
+ mkdir ${LOCK} > /dev/null 2>&1
+ MSL=$?
+ if [ "${MSL}" = "0" ]; then
+ # Lock aquired (setting the pid)
+ echo "$$" > ${LOCK_PID}
+ return;
+ fi
+
+ # Getting currently/saved PID locking the file
+ C_PID=`cat ${LOCK_PID} 2>/dev/null`
+ if [ "x" = "x${S_PID}" ]; then
+ S_PID=${C_PID}
+ fi
+
+ # Breaking out of the loop after X attempts
+ if [ "x${C_PID}" = "x${S_PID}" ]; then
+ i=`expr $i + 1`;
+ fi
+
+ # Sleep 1 after 10/25 interactions
+ if [ "$i" = "10" -o "$i" = "25" ]; then
+ sleep 1;
+ fi
+
+ i=`expr $i + 1`;
+
+ # So i increments 2 by 2 if the pid does not change.
+ # If the pid keeps changing, we will increments one
+ # by one and fail after MAX_ITERACTION
+
+ if [ "$i" = "${MAX_ITERATION}" ]; then
+ kill="false"
+ for pid in `pgrep -f "$(unknown)"`; do
+ if [ "x${pid}" = "x${C_PID}" ]; then
+ # Unlocking and exiting
+ kill -9 ${C_PID}
+ echo "`date` Killed process ${C_PID} holding lock." >> ${LOG_FILE}
+ kill="true"
+ unlock;
+ i=0;
+ S_PID="";
+ break;
+ fi
+ done
+
+ if [ "x${kill}" = "xfalse" ]; then
+ echo "`date` Unable kill process ${C_PID} holding lock." >> ${LOG_FILE}
+ # Unlocking and exiting
+ unlock;
+ exit 1;
+ fi
+ fi
+ done
+}
+
+# Unlock function
+unlock()
+{
+ rm -rf ${LOCK}
+}
+
# Blocking IP
fi
# Checking if iptables is present
- ls ${IPTABLES} >> /dev/null 2>&1
- if [ $? != 0 ]; then
+ if [ ! -x ${IPTABLES} ]; then
IPTABLES="/usr"${IPTABLES}
- ls ${IPTABLES} >> /dev/null 2>&1
- if [ $? != 0 ]; then
- exit 0;
+ if [ ! -x ${IPTABLES} ]; then
+ echo "$0: can not find iptables"
+ exit 0;
fi
fi
# Executing and exiting
COUNT=0;
+ lock;
while [ 1 ]; do
echo ".."
${IPTABLES} ${ARG1}
break;
else
COUNT=`expr $COUNT + 1`;
- echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
+ echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
sleep $COUNT;
if [ $COUNT -gt 4 ]; then
break;
else
COUNT=`expr $COUNT + 1`;
- echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
+ echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
sleep $COUNT;
if [ $COUNT -gt 4 ]; then
fi
fi
done
+ unlock;
exit 0;
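Review bot: The kill path in lock() runs `kill -9 ${C_PID}` with a value read straight from `${LOCK_PID}` and never checked to be a PID, and the pgrep pattern `"$(unknown)"` does not use the `filename` variable assigned right after `PWD` and otherwise unused, so it looks like a garbled `"${filename}"` — as written it substitutes the output of a command named `unknown`, and if that yields an empty pattern pgrep would likely list every process, so whatever PID sits in the lock file matches. Add a numeric guard before the kill, `case "${C_PID}" in ''|*[!0-9]*) unlock; exit 1;; esac`, and make the pattern `pgrep -f "${filename}"` so only instances of this script are candidates. Separately, the missing-iptables branch echoes to stdout and exits 0 while the invalid-IP branch logs to `${LOG_FILE}` and exits 1; writing the same line to the log, `echo "$(date) $0: can not find iptables" >> ${LOG_FILE}`, keeps the failure visible in active-responses.log even if the zero exit status is kept deliberately. The rest of the script, including where `ARG1` is built, is outside the shown hunks.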
--- /dev/null
+#!/usr/bin/perl
+#
+# OSSEC active-response script to store a suspicious IP address in a MySQL table.
+#
+# Available actions are:
+# 'add' - Create a new record in the MySQL DB
+# 'delete' - Remove a existing record
+#
+# History
+# -------
+# 2010/10/24 xavir@rootshell.be Created
+#
+
+use strict;
+use warnings;
+use DBI;
+
+# -----------------------
+# DB access configuration
+# -----------------------
+my $db_name = 'ossec_active_lists';
+my $db_user = 'suspicious';
+my $db_pass = 'xxxxxxxxxx';
+
+my ($second, $minute, $hour, $dayOfMonth, $month, $yearOffset, $dayOfWeek, $dayOfYear, $daylightSavings) = localtime();
+my $theTime = sprintf("%d-%02d-%02d %02d:%02d:%02d",
+ $yearOffset+1900, $month+1, $dayOfMonth, $hour, $minute, $second);
+
+my $nArgs = $#ARGV + 1;
+if ($nArgs != 5) {
+ print STDERR "Usage: active-list.pl <action> <username> <ip>\n";
+ exit 1;
+}
+
+my $action = $ARGV[0];
+my $ipAddr = $ARGV[2];
+my $alertId = $ARGV[3];
+my $ruleId = $ARGV[4];
+
+if ($action ne "add" && $action ne "delete") {
+ WriteLog("Invalid action: $action\n");
+ exit 1;
+}
+
+if ($ipAddr =~ m/^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)/) {
+ if ($1 > 255 || $2 > 255 || $3 > 255 || $4 > 255) {
+ WriteLog("Invalid IP address: $ipAddr\n");
+ exit 1;
+ }
+}
+else {
+ WriteLog("Invalid IP address: $ipAddr\n");
+}
+
+WriteLog("active-list.pl $action $ipAddr $alertId $ruleId\n");
+
+my $dbh = DBI->connect('DBI:mysql:' . $db_name, $db_user, $db_pass) || \
+ die "Could not connect to database: $DBI::errstr";
+
+if ( $action eq "add" ) {
+ my $sth = $dbh->prepare('SELECT ip FROM ip_addresses WHERE ip = "' . $ipAddr . '"');
+ $sth->execute();
+ my $result = $sth->fetchrow_hashref();
+ if (!$result->{ip}) {
+ $sth = $dbh->prepare('INSERT INTO ip_addresses VALUES ("' . $ipAddr . '","'. $theTime . '",' . $alertId . ',' . $ruleId . ',"Added by suspicious-ip Perl Script")');
+ if (!$sth->execute) {
+ WriteLog("Cannot insert new IP address: $DBI::errstr\n");
+ }
+ }
+ else {
+ $sth = $dbh->prepare('UPDATE ip_addresses SET timestamp = "' . $theTime . '", alertid = ' . $alertId . ', ruleid = ' . $ruleId . ' WHERE ip = "' . $ipAddr . '"');
+ if (!$sth->execute) {
+ WriteLog("Cannot update IP address: $DBI::errstr\n");
+ }
+ }
+}
+else {
+ my $sth = $dbh->prepare('DELETE FROM ip_addresses WHERE ip = "' . $ipAddr . '"');
+ if (!$sth->execute) {
+ WriteLog("Cannot remove IP address: $DBI::errstr\n");
+ }
+}
+
+$dbh->disconnect;
+exit 0;
+
+sub WriteLog
+{
+ if ( $_[0] eq "" ) { return; }
+
+ my $pwd = `pwd`;
+ chomp($pwd);
+ my $date = `date`;
+ chomp($date);
+
+ open(LOGH, ">>" . $pwd . "/../active-responses.log") || die "Cannot open log file.";
+ print LOGH $date . " " . $_[0];
+ close(LOGH);
+ return;
+}
--- /dev/null
+Nov 2 13:24:34 melancia pam: gdm-password[1600]: pam_unix(gdm-password:session): session closed for user dcid11
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Nov 2 13:24:34 melancia pam: gdm-password[1600]: pam_unix(gdm-password:session): session closed for user dcid11'
+ hostname: 'melancia'
+ program_name: 'pam'
+ log: 'gdm-password[1600]: pam_unix(gdm-password:session): session closed for user dcid11'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+Feb 15 16:08:14 triumph PAM-securetty[741]: Couldn't open /etc/securetty
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Feb 15 16:08:14 triumph PAM-securetty[741]: Couldn't open /etc/securetty'
+ hostname: 'triumph'
+ program_name: 'PAM-securetty'
+ log: 'Couldn't open /etc/securetty'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '1001'
+ Level: '2'
+ Description: 'File missing. Root access unrestricted.'
+**Alert to be generated.
+
+
--- /dev/null
+Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0'
+ hostname: 'bogus.com'
+ program_name: 'su'
+ log: 'ericx to root on /dev/ttyu0'
+
+**Phase 2: Completed decoding.
+ decoder: 'su'
+ srcuser: 'ericx'
+ dstuser: 'root'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5303'
+ Level: '3'
+ Description: 'User successfully changed UID to root.'
+**Alert to be generated.
+
+
--- /dev/null
+May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '2501'
+ Level: '5'
+ Description: 'User authentication failure.'
+**Alert to be generated.
+
+
--- /dev/null
+May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '2501'
+ Level: '5'
+ Description: 'User authentication failure.'
+**Alert to be generated.
+
+
--- /dev/null
+Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342)
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342)'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342)'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342)
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342)'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342)'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+Jul 5 12:13:15 lili su[2614]: Authentication failed for root
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Jul 5 12:13:15 lili su[2614]: Authentication failed for root'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Jul 5 12:13:15 lili su[2614]: Authentication failed for root'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '2501'
+ Level: '5'
+ Description: 'User authentication failure.'
+**Alert to be generated.
+
+
--- /dev/null
+Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006'
+ hostname: 'niban'
+ program_name: 'useradd'
+ log: 'new group: name=test, gid=5006'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5901'
+ Level: '8'
+ Description: 'New group added to the system'
+**Alert to be generated.
+
+
--- /dev/null
+Nov 1 14:54:03 melancia runuser: pam_unix(runuser:session): session opened for user root by (uid=0)
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Nov 1 14:54:03 melancia runuser: pam_unix(runuser:session): session opened for user root by (uid=0)'
+ hostname: 'melancia'
+ program_name: 'runuser'
+ log: 'pam_unix(runuser:session): session opened for user root by (uid=0)'
+
+**Phase 2: Completed decoding.
+ decoder: 'pam'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5501'
+ Level: '3'
+ Description: 'Login session opened.'
+**Alert to be generated.
+
+
--- /dev/null
+May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000'
+ hostname: 'niban'
+ program_name: 'useradd'
+ log: 'new group: name=logr, gid=12000'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5901'
+ Level: '8'
+ Description: 'New group added to the system'
+**Alert to be generated.
+
+
--- /dev/null
+Jun 16 09:53:44 niban useradd[5721]: new group: name=test2, gid=12001
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Jun 16 09:53:44 niban useradd[5721]: new group: name=test2, gid=12001'
+ hostname: 'niban'
+ program_name: 'useradd'
+ log: 'new group: name=test2, gid=12001'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5901'
+ Level: '8'
+ Description: 'New group added to the system'
+**Alert to be generated.
+
+
--- /dev/null
+Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+Jan 28 20:36:33 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Jan 28 20:36:33 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls'
+ hostname: 'enigma'
+ program_name: 'sudo'
+ log: 'dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls'
+
+**Phase 2: Completed decoding.
+ decoder: 'sudo'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5401'
+ Level: '10'
+ Description: 'Three failed attempts to run sudo'
+**Alert to be generated.
+
+
--- /dev/null
+May 26 19:40:25 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'May 26 19:40:25 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls'
+ hostname: 'enigma'
+ program_name: 'sudo'
+ log: 'dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls'
+
+**Phase 2: Completed decoding.
+ decoder: 'sudo'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5401'
+ Level: '10'
+ Description: 'Three failed attempts to run sudo'
+**Alert to be generated.
+
+
--- /dev/null
+Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4'
+ hostname: 'localhost'
+ program_name: 'vsftpd'
+ log: 'pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4'
+
+**Phase 2: Completed decoding.
+ decoder: 'pam'
+ srcip: '1.2.3.4'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5503'
+ Level: '5'
+ Description: 'User login failed.'
+**Alert to be generated.
+
+
--- /dev/null
+Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+May 26 19:40:41 enigma sudo: dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'May 26 19:40:41 enigma sudo: dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure'
+ hostname: 'enigma'
+ program_name: 'sudo'
+ log: 'dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure'
+
+**Phase 2: Completed decoding.
+ decoder: 'sudo'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5403'
+ Level: '4'
+ Description: 'First time user executed sudo.'
+**Alert to be generated.
+
+
--- /dev/null
+May 26 20:16:17 lili sudo: dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'May 26 20:16:17 lili sudo: dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers'
+ hostname: 'lili'
+ program_name: 'sudo'
+ log: 'dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers'
+
+**Phase 2: Completed decoding.
+ decoder: 'sudo'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5403'
+ Level: '4'
+ Description: 'First time user executed sudo.'
+**Alert to be generated.
+
+
--- /dev/null
+Oct 26 18:07:45 ccs rpc.statd[189]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Oct 26 18:07:45 ccs rpc.statd[189]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220'
+ hostname: 'ccs'
+ program_name: 'rpc.statd'
+ log: 'gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220220'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '1002'
+ Level: '2'
+ Description: 'Unknown problem somewhere in the system.'
+**Alert to be generated.
+
+
--- /dev/null
+May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com'
+ hostname: 'server'
+ program_name: 'ftpd'
+ log: 'ANONYMOUS FTP LOGIN FROM emaca.here.com'
+
+**Phase 2: Completed decoding.
+ decoder: 'ftpd'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '11106'
+ Level: '3'
+ Description: 'Remote host connected to FTP server.'
+**Alert to be generated.
+
+
--- /dev/null
+May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped'
+ hostname: 'victim-host'
+ program_name: 'inetd'
+ log: '/usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '40107'
+ Level: '14'
+ Description: 'Heap overflow in the Solaris cachefsd service.'
+ Info - CVE: '2002-0033'
+**Alert to be generated.
+
+
--- /dev/null
+May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped'
+ hostname: 'victim-host'
+ program_name: 'inetd'
+ log: '/usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '40107'
+ Level: '14'
+ Description: 'Heap overflow in the Solaris cachefsd service.'
+ Info - CVE: '2002-0033'
+**Alert to be generated.
+
+
--- /dev/null
+Apr 17 22:20:29 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Apr 17 22:20:29 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0'
+ hostname: 'hostj'
+ program_name: 'named'
+ log: 'security: notice: dropping source port zero packet from [64.211.251.254].0'
+
+**Phase 2: Completed decoding.
+ decoder: 'named'
+ srcip: '64.211.251.254'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '12101'
+ Level: '12'
+ Description: 'Invalid DNS packet. Possibility of attack.'
+**Alert to be generated.
+
+
--- /dev/null
+sshd[7386]: error: Bad prime description in line 73
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'sshd[7386]: error: Bad prime description in line 73'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'sshd[7386]: error: Bad prime description in line 73'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '1002'
+ Level: '2'
+ Description: 'Unknown problem somewhere in the system.'
+**Alert to be generated.
+
+
--- /dev/null
+Jan 12 20:48:29 elrond sshd[19734]: refused connect from accsys.elink.net.au (203.31.101.11)
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Jan 12 20:48:29 elrond sshd[19734]: refused connect from accsys.elink.net.au (203.31.101.11)'
+ hostname: 'elrond'
+ program_name: 'sshd'
+ log: 'refused connect from accsys.elink.net.au (203.31.101.11)'
+
+**Phase 2: Completed decoding.
+ decoder: 'sshd'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '2503'
+ Level: '5'
+ Description: 'Connection blocked by Tcp Wrappers.'
+**Alert to be generated.
+
+
--- /dev/null
+Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.'
+ hostname: 'hostname'
+ program_name: 'cimserver'
+ log: 'PGS17200: Authentication failed for user jones_b.'
+
+**Phase 2: Completed decoding.
+ decoder: 'cimserver'
+ dstuser: 'jones_b.'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '9610'
+ Level: '5'
+ Description: 'Compaq Insight Manager authentication failure.'
+**Alert to be generated.
+
+
--- /dev/null
+Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '1002'
+ Level: '2'
+ Description: 'Unknown problem somewhere in the system.'
+**Alert to be generated.
+
+
--- /dev/null
+Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '1002'
+ Level: '2'
+ Description: 'Unknown problem somewhere in the system.'
+**Alert to be generated.
+
+
--- /dev/null
+[Tue Sep 12 10:38:15 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190)
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: '[Tue Sep 12 10:38:15 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190)'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: '[error] [client 127.0.0.1] request failed: URI too long (longer than 8190)'
+
+**Phase 2: Completed decoding.
+ decoder: 'apache-errorlog'
+ srcip: '127.0.0.1'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '30117'
+ Level: '10'
+ Description: 'Invalid URI, file name too long.'
+**Alert to be generated.
+
+
--- /dev/null
+[Mon Sep 11 16:55:08 2006] [error] [client 127.0.0.1] (36)File name too long: access to /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm failed
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: '[Mon Sep 11 16:55:08 2006] [error] [client 127.0.0.1] (36)File name too long: access to /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm failed'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: '[error] [client 127.0.0.1] (36)File name too long: access to /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm failed'
+
+**Phase 2: Completed decoding.
+ decoder: 'apache-errorlog'
+ srcip: '127.0.0.1'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '30117'
+ Level: '10'
+ Description: 'Invalid URI, file name too long.'
+**Alert to be generated.
+
+
--- /dev/null
+Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443]
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443]'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443]'
+
+**Phase 2: Completed decoding.
+ No decoder matched.
--- /dev/null
+Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast'
+ hostname: 'niban'
+ program_name: 'sudo'
+ log: ' dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast'
+
+**Phase 2: Completed decoding.
+ decoder: 'sudo'
+ dstuser: 'dcid'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5403'
+ Level: '4'
+ Description: 'First time user executed sudo.'
+**Alert to be generated.
+
+
--- /dev/null
+Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec'
+
+**Phase 2: Completed decoding.
+ decoder: 'vsftpd'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '11404'
+ Level: '0'
+ Description: 'FTP server file upload.'
--- /dev/null
+MySQL log: 060516 22:38:46 mysqld ended
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'MySQL log: 060516 22:38:46 mysqld ended'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'MySQL log: 060516 22:38:46 mysqld ended'
+
+**Phase 2: Completed decoding.
+ decoder: 'mysql_log'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '50120'
+ Level: '12'
+ Description: 'Database shutdown messge.'
+**Alert to be generated.
+
+
--- /dev/null
+Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]'
+ hostname: 'gandalf'
+ program_name: 'pop3d'
+ log: 'LOGIN FAILED, ip=[::ffff:1.2.3.4]'
+
+**Phase 2: Completed decoding.
+ decoder: 'courier'
+ srcip: '::ffff:1.2.3.4'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '3902'
+ Level: '5'
+ Description: 'Courier (imap/pop3) authentication failed.'
+**Alert to be generated.
+
+
--- /dev/null
+type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"
--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"'
+ hostname: 'melancia'
+ program_name: '(null)'
+ log: 'type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"'
+
+**Phase 2: Completed decoding.
+ decoder: 'auditd'
+ action: 'SYSCALL'
+ id: '148'
+ status: 'yes'
+ extra_data: '/tmp/wget'
--- /dev/null
+#!/bin/sh
+
+echo "Starting log unit tests (must be run as root and on a system with OSSEC installed)."
+echo "(it will make sure the current rules aree working as they should)."
+rm -f ./tmpres
+for i in ./*/log; do
+ idir=`dirname $i`
+
+ rm -f ./tmpres || exit "Unable to remove tmpres.";
+ cat $i | /var/ossec/bin/ossec-logtest 2>&1|grep -v ossec-testrule |grep -A 500 "Phase 1:" > ./tmpres
+
+ if [ ! -f $idir/res ]; then
+ echo "** Creating entry for $i - Not set yet."
+ cat ./tmpres > $idir/res
+ rm -f tmpres
+ continue;
+ fi
+ MD1=`md5sum ./tmpres | cut -d " " -f 1`
+ MD2=`md5sum $idir/res | cut -d " " -f 1`
+
+ if [ ! $MD1 = $MD2 ]; then
+ echo "**ERROR: Unit testing failed. Output for the test $i failed."
+ echo "== OLD OUTPUT: =="
+ cat $idir/res
+ echo "== NEW OUTPUT: =="
+ cat tmpres
+ echo "** ERROR: Exiting."
+ rm -f tmpres
+ exit 0;
+ fi
+
+done
+
+echo ""
+echo "Log unit tests completed. Everything seems ok (nothing changed since last test regarding the outputs)."
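Review bot: A failing comparison still exits with status 0 (`exit 0;` right after the "** ERROR: Exiting." message), so a caller or CI job cannot distinguish a failed run from a passing one; it should be `exit 1;`. The guard `rm -f ./tmpres || exit "Unable to remove tmpres.";` passes a string to `exit`, which is not a valid status — use `rm -f ./tmpres || { echo "Unable to remove tmpres."; exit 1; }`. The unquoted `[ ! $MD1 = $MD2 ]` breaks if either md5sum call fails and leaves a variable empty; quote both operands. Minor: the banner misspells "are" as "aree".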
# started as a hack to properly script manage_agents. # #
# # #
##########################################################
+# Modified by Tim Meader (Timothy.A.Meader@nasa.gov)
+# on 2010/12/08
+#
+# - fixed two errors that were popping up during add or
+# remove operations due to the code not taking into
+# account the old key entries that have the "#*#*#*"
+# pattern after the ID number. Simple fix was to do
+# a "if (defined(xxx))" on the vars
+# - fixed the "list" operation to only show valid key
+# entries
+# - changed the extract operation to store options
+# in an array, and subsequently rewrote the
+# "extract_key" (now called "extract_keys") func
+# to accept this new behavior
+# - modified "extract_keys" func to accept either ID,
+# name, or IP address as the argument after the
+# "-e" operator. Output of key extraction now
+# includes the name and IP address by default in the
+# format: "name,IP extracted_key"
+#
+#########################################################
+
#$Id$
# TODO:
use constant AUTH_KEY_FILE => "/var/ossec/etc/client.keys";
-my ($key, $add, $remove, $extract, $import, $listagents);
+my ($key, $add, $remove, @extracts, $import, $listagents);
my ($agentid, $agentname, $ipaddress);
GetOptions(
'k|key=s' => \$key, # Unencoded ssh key
'a|add' => \$add, # Add a new agent
'r|remove=s' => \$remove, # Remove an agent
- 'e|extract=s' => \$extract, # Extract a key
+ 'e|extract=s' => \@extracts, # Extract a key
'm|import' => \$import, # Import a key
'l|list' => \$listagents, # List all agents
'i|id=s' => \$agentid, # Unique agent id
list_agents();
}
# Decode and extract the key for $agentid
-elsif ($extract) {
- $agentid = $extract;
- if ($agentid) {
- extract_key($agentid);
+elsif (@extracts) {
+ if (@extracts) {
+ extract_keys(@extracts);
}
else {
usage();
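Review bot: The inner `if (@extracts)` repeats the condition of the enclosing `elsif (@extracts)`, so the `else { usage(); }` branch can never run; an `-e` given without a value is presumably already rejected by Getopt::Long because the spec is `e|extract=s`. Collapse the branch to `elsif (@extracts) { extract_keys(@extracts); }` so the dead `usage()` call does not suggest a check that is not happening.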
close(FH);
if (@used_agent_ids) {
- @used_agent_ids = sort(@used_agent_ids);
+ @used_agent_ids = sort { $a <=> $b } @used_agent_ids;
$agentid = sprintf("%03d", $used_agent_ids[-1] + 1);
}
}
sub usage {
warn "Usage: $0 [OPERATION] [OPTIONS]\n";
warn " [operations]\n";
- warn " -a or --add = Add a new agent\n";
- warn " -r or --remove [id] = Remove agent\n";
- warn " -e or --extract [id] = Extract key\n";
- warn " -m or --import [keydata] = Import key\n";
- warn " -l or --list = List available agents\n";
+ warn " -a or --add = Add a new agent\n";
+ warn " -r or --remove [id] = Remove agent\n";
+ warn " -e or --extract [id|name|ip] = Extract key\n";
+ warn " -m or --import [keydata] = Import key\n";
+ warn " -l or --list = List available agents\n";
warn " [options]\n";
- warn " -k or --key [keydata] = Key data\n";
- warn " -n or --name [name] = Agent name (32 character max)\n";
- warn " -i or --id [id] = Agent identification (integer)\n";
- warn " -p or --ip [ip] = IP address\n\n";
+ warn " -k or --key [keydata] = Key data\n";
+ warn " -n or --name [name] = Agent name (32 character max)\n";
+ warn " -i or --id [id] = Agent identification (integer)\n";
+ warn " -p or --ip [ip] = IP address\n\n";
exit 1;
}
while (<FH>) {
chomp;
my ($id, $name, $ip, $key) = split;
- print "$id", " " x (25 - length($id)),
- "$name", " " x (25 - length($name)),
- "$ip", " " x (25 - length($ip)) . "\n";
+ if (defined($key)) {
+ print "$id", " " x (25 - length($id)),
+ "$name", " " x (25 - length($name)),
+ "$ip", " " x (25 - length($ip)) . "\n";
+ }
}
close(FH);
exit 0;
}
-sub extract_key {
- my $extractid = shift;
- my ($encoded, $decoded);
-
+sub extract_keys {
if (-r AUTH_KEY_FILE) {
open (FH, "<", AUTH_KEY_FILE);
}
else {
die "No ".AUTH_KEY_FILE."!\n";
}
- while (<FH>) {
- chomp;
- my ($id, $name, $ip, $key) = split;
- if ($id == $extractid) {
- # Newlines are valid base64 characters so use '' instead for \n
- $decoded = MIME::Base64::encode($_, '');
- print "$decoded\n";
- exit 0;
+
+ foreach my $extract (@_) {
+ my ($encoded, $decoded);
+ my $found = 0;
+
+ while (<FH>) {
+ chomp;
+ my ($id, $name, $ip, $key) = split;
+ # Check to make sure it's a valid entry
+ if (defined($key)) {
+ if (($extract =~ /^\d+$/) && ($id == $extract)) {
+ $found = 1;
+ }
+ elsif ($name eq $extract) {
+ $found = 1;
+ }
+ elsif ($ip eq $extract) {
+ $found = 1;
+ }
+ else {
+ next;
+ }
+ # Newlines are valid base64 characters so use '' instead for \n
+ $decoded = MIME::Base64::encode($_, '');
+ print "$name,$ip $decoded\n";
+ next;
+ }
}
+ if (!$found) {
+ warn "Error: Agent $extract doesn't exist!\n";
+ }
+ seek FH,0,0;
}
- warn "Error: Agent ID $extractid doesn't exist!\n";
}
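Review bot: Unlike the old `extract_key`, which exited after the first matching ID, `extract_keys` keeps scanning after a hit (`next` at the end of the match branch), so a name or IP shared by several entries in client.keys prints every one of those agents' secret keys; if the keys file permits a shared or wildcard IP, as I believe it does, `-e <ip>` can dump far more than one key. Either document that in the usage text (`-e` may print several keys when the selector is not unique) or count matches and warn when more than one entry matched. `my ($encoded, $decoded);` declares `$encoded` which is never used, and `$decoded` holds base64-*encoded* output — `my $encoded = MIME::Base64::encode($_, '');` reads correctly; the comment about newlines is also misleading, since the `''` argument simply suppresses the 76-column line wrapping that `encode` inserts by default. The `open (FH, "<", AUTH_KEY_FILE)` on the context line is unchecked, so an unreadable-after-`-r` race leads to an empty scan and a spurious "doesn't exist" warning.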
sub add_agent {
while (<FH>) {
chomp;
my ($id, $name, $ip, $key) = split;
- $rval = 1 if ($id == $newid && $rval == 0);
- $rval = 2 if ($name eq $newname && $rval == 0);
- $rval = 3 if ($ip eq $newip && $rval == 0);
+ if(defined($key)) {
+ $rval = 1 if ($id == $newid && $rval == 0);
+ $rval = 2 if ($name eq $newname && $rval == 0);
+ $rval = 3 if ($ip eq $newip && $rval == 0);
+ }
}
close(FH);
}
--- /dev/null
+<?php
+/* OSSEC 2 RSS script.
+ * by Daniel B. Cid ( dcid @ ossec.net)
+ *
+ * Just upload it to any web-accessible directory, and make
+ * sure the web server can access the OSSEC alerts log file.
+ */
+
+
+$ossec_log = "/var/ossec/logs/alerts/alerts.log";
+if(!is_readable($ossec_log))
+{
+ echo "ERROR: Unable to access $ossec_log\n";
+ echo "*TIP: Make sure your web server can access that file. \n";
+ exit(1);
+}
+
+$timelp = filemtime($ossec_log);
+$fh = fopen($ossec_log, "r");
+if(!$fh)
+{
+ exit(1);
+}
+
+if(filesize($ossec_log) > 30000)
+{
+ fseek($fh, -30000, SEEK_END);
+ $line = fgets($fh, 4096);
+}
+
+
+$lastlines = array();
+$event = array();
+while($line = fgets($fh, 4096))
+{
+ $line = trim($line);
+ if($line == "")
+ {
+ continue;
+ }
+
+ if(strncmp($line, "** Alert ", 9) == 0)
+ {
+ if(strncmp($event, "** Alert ", 9) == 0)
+ {
+ array_push($lastlines, $event);
+ }
+ unset($event);
+ $event = array();
+ $event[] = htmlspecialchars($line);
+ }
+ else
+ {
+ $event[] = htmlspecialchars($line);
+ }
+}
+fclose($fh);
+
+$lastlines = array_reverse($lastlines);
+$myhost = gethostname();
+if($myhost === FALSE)
+{
+ $myhost = "";
+}
+
+echo '<?xml version="1.0" encoding="UTF-8"?>
+<?xml-stylesheet href="/css/rss.css" type="text/css"?>
+<rss version="2.0">
+<channel>
+<title>OSSEC '.$myhost.' RSS Feed</title>
+<link>http://ossec.net</link>
+<description>OSSEC RSS Feed for '.$myhost.'</description>
+<language>en-us</language>
+<lastBuildDate>'.date("r", $timelp).'</lastBuildDate>
+<pubDate>'.date("r", $timelp).'</pubDate>
+<copyright>(C) OSSEC.net 2008-2011</copyright>
+<generator>OSSEC.net RSS feed</generator>
+<ttl>30</ttl>
+<webMaster>dcid@ossec.net</webMaster>
+
+<image>
+ <title>OSSEC Alert Feed</title>
+ <url>http://www.ossec.net/img/ossec_logo.jpg</url>
+ <link>http://ossec.net</link>
+</image>
+';
+
+foreach($lastlines as $myentry)
+{
+echo $myentry;
+
+ if(preg_match("/^.. Alert (\d+)\./", $myentry[0], $regs, PREG_OFFSET_CAPTURE, 0))
+ {
+ $myunixtime = $regs[1][0];
+ }
+ else
+ {
+ continue;
+ }
+
+
+ echo '
+ <item>
+ <title>'.$myentry[2]." ,from ".substr($myentry[1], 20).'</title>
+ <link>http://ossec.net</link>
+ <guid isPermaLink="false">'.$myentry[0].'</guid>
+ <description><![CDATA[';
+
+ foreach($myentry as $myline){ echo $myline."<br />\n"; }
+
+ echo '
+ ]]></description>
+ <pubDate>'.date("r", $myunixtime).'</pubDate>
+ </item>
+ ';
+}
+
+echo '
+</channel>
+</rss>
+';
+
+
+?>
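Review bot: `echo $myentry;` at the top of the item loop prints the literal string `Array` (plus a PHP notice) between `<item>` elements, which makes the feed invalid XML; it looks like a debugging leftover and should be deleted. The `strncmp($event, "** Alert ", 9)` check at the start of each alert passes an array where a string is expected — as far as I recall older PHP returns NULL there, which compares loosely equal to 0, while PHP 8 throws a TypeError — so it should be `if (!empty($event) && strncmp($event[0], "** Alert ", 9) == 0)`, and the same push needs repeating once after the `while` loop because the last alert in the file is currently never added to `$lastlines`. The script serves the tail of alerts.log to anyone who can reach the URL with no authentication; the header comment should say to put it behind web-server auth or an IP restriction rather than "any web-accessible directory".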
$stats{$alerthost}{rule}{$rule}++;
$stats{$alerthost}{level}{$level}++;
$stats{$alerthost}{description}{$description}++;
- $stats{$alerthost}{srcip}{$srcip}++;
- $stats{$alerthost}{user}{$user}++;
+ if (defined $srcip) { $stats{$alerthost}{srcip}{$srcip}++; }
+ if (defined $user) { $stats{$alerthost}{user}{$user}++; }
next ;
}
if (m/^\*\* Alert ([0-9]+).([0-9]+):(.*)$/){
--- /dev/null
+#!/bin/sh
+# Simple utilities
+# Add a new file
+# Add a new remote host to be monitored via lynx
+# Add a new remote host to be monitored (DNS)
+# Add a new command to be monitored
+# by Daniel B. Cid - dcid ( at ) ossec.net
+
+ACTION=$1
+FILE=$2
+FORMAT=$3
+
+if [ "X$FILE" = "X" ]; then
+ echo "$0: addfile <filename> [<format>]"
+ echo "$0: addsite <domain>"
+ echo "$0: adddns <domain>"
+ #echo "$0: addcommand <command>"
+ echo ""
+ #echo "Example: $0 addcommand 'netstat -tan |grep LISTEN| grep -v 127.0.0.1'"
+ echo "Example: $0 adddns ossec.net"
+ echo "Example: $0 addsite dcid.me"
+ exit 1;
+fi
+
+if [ "X$FORMAT" = "X" ]; then
+ FORMAT="syslog"
+fi
+
+# Adding a new file
+if [ $ACTION = "addfile" ]; then
+ # Checking if file is already configured
+ grep "$FILE" /var/ossec/etc/ossec.conf > /dev/null 2>&1
+ if [ $? = 0 ]; then
+ echo "$0: File $FILE already configured at ossec."
+ exit 1;
+ fi
+
+ # Checking if file exist
+ ls -la $FILE > /dev/null 2>&1
+ if [ ! $? = 0 ]; then
+ echo "$0: File $FILE does not exist."
+ exit 1;
+ fi
+
+ echo "
+ <ossec_config>
+ <localfile>
+ <log_format>$FORMAT</log_format>
+ <location>$FILE</location>
+ </localfile>
+ </ossec_config>
+ " >> /var/ossec/etc/ossec.conf
+
+ echo "$0: File $FILE added.";
+ exit 0;
+fi
+
+
+# Adding a new DNS check
+if [ $ACTION = "adddns" ]; then
+ COMMAND="host -W 5 -t NS $FILE; host -W 5 -t A $FILE | sort"
+ echo $FILE | grep -E '^[a-z0-9A-Z.-]+$' >/dev/null 2>&1
+ if [ $? = 1 ]; then
+ echo "$0: Invalid domain: $FILE"
+ exit 1;
+ fi
+
+ grep "host -W 5 -t NS $FILE" /var/ossec/etc/ossec.conf >/dev/null 2>&1
+ if [ $? = 0 ]; then
+ echo "$0: Already configured for $FILE"
+ exit 1;
+ fi
+
+ MYERR=0
+ echo "
+ <ossec_config>
+ <localfile>
+ <log_format>full_command</log_format>
+ <command>$COMMAND</command>
+ </localfile>
+ </ossec_config>
+ " >> /var/ossec/etc/ossec.conf || MYERR=1;
+
+ if [ $MYERR = 1 ]; then
+ echo "$0: Unable to modify the configuration file.";
+ exit 1;
+ fi
+
+ FIRSTRULE="150010"
+ while [ 1 ]; do
+ grep "\"$FIRSTRULE\"" /var/ossec/rules/local_rules.xml > /dev/null 2>&1
+ if [ $? = 0 ]; then
+ FIRSTRULE=`expr $FIRSTRULE + 1`
+ else
+ break;
+ fi
+ done
+
+
+ echo "
+ <group name=\"local,dnschanges,\">
+ <rule id=\"$FIRSTRULE\" level=\"0\">
+ <if_sid>530</if_sid>
+ <check_diff />
+ <match>^ossec: output: 'host -W 5 -t NS $FILE</match>
+ <description>DNS Changed for $FILE</description>
+ </rule>
+ </group>
+ " >> /var/ossec/rules/local_rules.xml || MYERR=1;
+
+ if [ $MYERR = 1 ]; then
+ echo "$0: Unable to modify the local rules file.";
+ exit 1;
+ fi
+
+ echo "Domain $FILE added to be monitored."
+ exit 0;
+fi
+
+
+# Adding a new lynx check
+if [ $ACTION = "addsite" ]; then
+ COMMAND="lynx --connect_timeout 10 --dump $FILE | head -n 10"
+ echo $FILE | grep -E '^[a-z0-9A-Z.-]+$' >/dev/null 2>&1
+ if [ $? = 1 ]; then
+ echo "$0: Invalid domain: $FILE"
+ exit 1;
+ fi
+
+ grep "lynx --connect_timeout 10 --dump $FILE" /var/ossec/etc/ossec.conf >/dev/null 2>&1
+ if [ $? = 0 ]; then
+ echo "$0: Already configured for $FILE"
+ exit 1;
+ fi
+
+ MYERR=0
+ echo "
+ <ossec_config>
+ <localfile>
+ <log_format>full_command</log_format>
+ <command>$COMMAND</command>
+ </localfile>
+ </ossec_config>
+ " >> /var/ossec/etc/ossec.conf || MYERR=1;
+
+ if [ $MYERR = 1 ]; then
+ echo "$0: Unable to modify the configuration file.";
+ exit 1;
+ fi
+
+ FIRSTRULE="150010"
+ while [ 1 ]; do
+ grep "\"$FIRSTRULE\"" /var/ossec/rules/local_rules.xml > /dev/null 2>&1
+ if [ $? = 0 ]; then
+ FIRSTRULE=`expr $FIRSTRULE + 1`
+ else
+ break;
+ fi
+ done
+
+
+ echo "
+ <group name=\"local,sitechange,\">
+ <rule id=\"$FIRSTRULE\" level=\"0\">
+ <if_sid>530</if_sid>
+ <check_diff />
+ <match>^ossec: output: 'lynx --connect_timeout 10 --dump $FILE</match>
+ <description>DNS Changed for $FILE</description>
+ </rule>
+ </group>
+ " >> /var/ossec/rules/local_rules.xml || MYERR=1;
+
+ if [ $MYERR = 1 ]; then
+ echo "$0: Unable to modify the local rules file.";
+ exit 1;
+ fi
+
+ echo "Domain $FILE added to be monitored."
+ exit 0;
+fi
+
+
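Review bot: `addfile` writes `$FILE` straight into ossec.conf as XML text with no validation, whereas `adddns` and `addsite` check their argument against `^[a-z0-9A-Z.-]+$` before using it; a path containing `<`, `&` or quotes corrupts the config, and the same unquoted value is also used as a grep regex and in `ls -la $FILE`. Add a check such as `echo "$FILE" | grep -E '^[A-Za-z0-9_./-]+$' >/dev/null || { echo "$0: Invalid file name: $FILE"; exit 1; }` before the grep, and quote `"$FILE"` in the `ls` call (or use `[ -e "$FILE" ]`). In `adddns`/`addsite` the validation runs after `COMMAND` is assembled; that is harmless because nothing is written until after the check, but moving the check first reads better. The `addsite` rule description says `DNS Changed for $FILE`, a copy-paste from `adddns`; `Site content changed for $FILE` fits.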
--- /dev/null
+
+== How to add an agent without any keyboard input ==
+
+By default, to add an agent from server side, you must provide your agent
+information to `manage_agents` program, by using its interactive mode.
+This is really tedious if you have many servers / agents to add. Luckily,
+you can use following environment variables as responses
+
+ | variable name | value | description |
+ +------------------------+---------+----------------------+
+ | OSSEC_ACTION | A/a | add an agent |
+ | OSSEC_AGENT_NAME | string | name of agent |
+ | OSSEC_AGENT_IP | CIDR | ip address of agent |
+ | OSSEC_AGENT_ID | integer | max length = 8 |
+ | OSSEC_AGENT_KEY | string | base64 format | (*)
+ | OSSEC_ACTION_CONFIRMED | y/Y/n/N | y -> confirmed |
+
+ (*) OSSEC_AGENT_KEY is used only on agent (when key is being imported)
+
+Please note that it's your duty to ensure that name, ip,... of agent are
+valid. Otherwise, the program will fall back to interactive mode. In most
+case, you should ensure that you new agent has an unique name/id. You can
+simply know that by using `manage_agents -l` to list all known agents.
+
+For more details, please refer to OSSEC document
+ http://www.ossec.net/doc/manual/agent/agent-management.html
+
+PS: you may use some tools (`expect`) to send strings to `manage_agents`,
+insead of using the above environment variables. It's your choice.
+
+--
+Anh K. Huynh <kyanh@viettug.org>
-<!-- @(#) $Id$
+<!-- @(#) $Id: decoder.xml,v 1.166 2010/06/15 12:52:01 dcid Exp $
- OSSEC log decoder.
- Author: Daniel B. Cid
- License: http://www.ossec.net/en/licensing.html
<order>user</order>
</decoder>
+<!--XXXX<decoder name="pam-user2">
+ <parent>pam</parent>
+ <prematch>^session \S+ </prematch>
+ <regex>for user (\S+)</regex>
+ <order>user</order>
+</decoder>
+-->
+
<decoder name="pam-host-user">
<parent>pam</parent>
<prematch>rhost=\S+\s+user=\S+</prematch>
<order>srcip</order>
</decoder>
-
<!-- SSH decoder.
- Will extract username and srcip from the logs.
- Apr 23 07:03:53 machinename sshd[29961]: User root from 12.3.4.5
not allowed because not listed in AllowUsers
- sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1. Don't panic.
+ - Sep 4 23:58:33 junction sshd[9351]: fatal: Write failed: Broken pipe
+ - Sep 18 14:58:47 ix sshd[11816]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
+ - Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
+ - Aug 10 08:38:40 junction sshd[20013]: error: connect_to 192.168.179 port 8080: failed
+ - Jun 9 00:00:01 ix sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1. Don't panic.
+ - Jan 26 11:57:26 ix sshd[14879]: error: connect to ix.example.com port 7777 failed: Connection refused
+ - Oct 8 10:07:27 y sshd[7644]: debug1: attempt 2 failures 2
+ - Oct 8 08:58:37 y sshd[6956]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
+ - Oct 8 08:48:33 y sshd[6856]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
+ - Oct 8 11:18:26 172.16.51.132 sshd[7618]: error: PAM: Module is unknown for ddp from 172.16.51.1
+ - Jun 19 20:56:00 tiny sshd[11605]: fatal: Write failed: Host is down
+ - Jun 11 06:32:17 gorilla sshd[28293]: fatal: buffer_get_bignum2: buffer error
+ - Jun 11 06:32:17 gorilla sshd[28293]: error: buffer_get_bignum2_ret: negative numbers not supported
+ - Apr 14 19:28:21 gorilla sshd[31274]: Connection closed by 192.168.1.33
+ - Jun 22 12:01:13 junction sshd[11283]: Received disconnect from 212.14.228.46: 11: Bye Bye
+ - Nov 9 07:40:25 ginaz sshd[5973]: error: setsockopt SO_KEEPALIVE: Connection reset by peer
+ - Nov 2 12:08:27 192.168.17.7 sshd[9665]: fatal: Cannot bind any address.
+ - Nov 2 12:11:40 192.168.17.7 sshd[9814]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid
+ - Nov 6 09:53:38 hagal sshd[697]: error: accept: Software caused connection abort
+ - Nov 9 11:36:55 ecaz sshd[26967]: pam_succeed_if(sshd:auth): error retrieving information about user _z9xxbBW
-->
<decoder name="sshd">
<order>srcip</order>
</decoder>
+<decoder name="ssh-closed">
+ <parent>sshd</parent>
+ <prematch>^Connection closed </prematch>
+ <regex offset="after_prematch">^by (\S+)$</regex>
+ <order>srcip</order>
+</decoder>
+
+<decoder name="ssh-disconnect">
+ <parent>sshd</parent>
+ <prematch>^Received disconnect </prematch>
+ <regex offset="after_prematch">^from (\S+):</regex>
+ <order>srcip</order>
+</decoder>
+
+<!--XXX
+<decoder name="ssh-pam">
+ <parent>sshd</parent>
+ <prematch>PAM: Module</prematch>
+ <regex>for (\S+) from (\S+)$</regex>
+ <order>user, srcip</order>
+</decoder>
+
+<decoder name="ssh-connect-to">
+ <parent>sshd</parent>
+ <prematch>connect_to</prematch>
+ <regex>connect_to: (\S+) port (\d+):</regex>
+ <order>dstip,dstport</order>
+</decoder>
+-->
+
+<decoder name="sshd-ldap">
+ <parent>sshd</parent>
+ <prematch>^pam_ldap: </prematch>
+ <regex>user "uid=(\S+),ou=\w+,dc=\w+,dc=\w+"</regex>
+ <order>user</order>
+</decoder>
+
+
+<!-- Dropbear rules -->
+<decoder name="dropbear">
+ <program_name>^dropbear</program_name>
+</decoder>
+
+<decoder name="dropbear-from">
+ <parent>dropbear</parent>
+ <regex>for '(\S+)' from (\S+):\d+$</regex>
+ <order>dstuser,srcip</order>
+</decoder>
+
<!--
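Review bot: The sshd-ldap regex hard-codes the DN shape, `user "uid=(\S+),ou=\w+,dc=\w+,dc=\w+"`, so pam_ldap bind failures for accounts under a base DN with a different number of components (three `dc=` parts, or an extra `ou=`) will match the prematch but never yield a `user` field. The su-ldap decoder added further down in this file anchors only on the uid, `<regex>user "uid=(\S+),</regex>`; using the same form here keeps the two decoders in step and decodes every DN layout. As written, the single pam_ldap sample in the header comment is the only layout this regex has been exercised against.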
<order>srcip</order>
</decoder>
+<decoder name="smbd-from">
+ <parent>smbd</parent>
+ <prematch> from (\S+)$</prematch>
+ <regex> from (\S+)$</regex>
+ <order>srcip</order>
+</decoder>
+
+<decoder name="smbd-client">
+ <parent>smbd</parent>
+ <prematch>to client \S+.</prematch>
+ <regex>to client (\S+). </regex>
+ <order>srcip</order>
+</decoder>
+
+<decoder name="nmbd">
+ <program_name>^nmbd</program_name>
+</decoder>
<!-- Sudo decoder.
<fts>name, srcuser, location</fts>
</decoder>
+<decoder name="su-ldap">
+ <parent>su</parent>
+ <prematch>pam_ldap</prematch>
+ <regex>user "uid=(\S+),</regex>
+ <order>user</order>
+</decoder>
+
<decoder name="su-detail2">
<parent>su</parent>
<regex>^BAD SU (\S+) to (\S+) on|</regex>
<parent>ftpd</parent>
<prematch>^Failed authentication from: \S+ |</prematch>
<prematch>^repeated login failures from </prematch>
- <regex offset="after_prematch">[(\d+.\d+.\d+.\d+)]$</regex>
+ <!--<regex offset="after_prematch">(\S+)</regex>-->
+ <regex offset="after_prematch">^\S+ [(\d+.\d+.\d+.\d+)]$|^(\S+)</regex>
<order>srcip</order>
</decoder>
- arpwatch: new station 192.168.1.103 0:11:43:5e:5d:80 eth0
- arpwatch: bogon 172.16.150.149 0:2:b3:d6:e5:68 eth0
- arpwatch: new station 192.168.2.10 0:c0:4f:78:32:be
+ - arpwatch: pcap open re0: /dev/bpf0: Permission denied
+ - arpwatch: reused old ethernet address 192.168.17.248 0:e:3b:a:cb:67 (0:1e:8c:72:b0:d0)
-->
<decoder name="arpwatch">
<program_name>^arpwatch</program_name>
- Examples:
- valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied
- named[12637]: client 1.2.3.4#32769: query (cache) 'somedomain.com/MX/IN' denied
+ - Oct 22 10:12:33 junction named[31687]: /etc/blocked.slave:9892: syntax error near ';'
+ - Oct 22 10:12:33 junction named[31687]: reloading configuration failed: unexpected token
-->
<decoder name="named">
<program_name>^named</program_name>
</decoder>
+<decoder name="named-query">
+ <parent>named</parent>
+ <prematch>: query: </prematch>
+ <regex>client (\S+)#\d+: query: (\S+) IN </regex>
+ <order>srcip,url</order>
+</decoder>
+
+
<decoder name="named_client">
<parent>named</parent>
<prematch>^client </prematch>
<order>srcip</order>
</decoder>
+<decoder name="named-master">
+ <parent>named</parent>
+ <prematch> for master</prematch>
+ <regex>for master (\d+.\d+.\d+.\d+):(\d+) \S+ \(source (\d+.\d+.\d+.\d+)#d+\)$</regex>
+ <order>dstip,dstport,srcip</order>
+</decoder>
<!-- Postfix decoder.
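Review bot: `#d+` in the named-master regex is missing its backslash, so the tail `\(source (\d+.\d+.\d+.\d+)#d+\)$` asks for the literal characters `#d` instead of `#` followed by a port number; against a line of the form `(source 10.0.0.2#53)` (constructed) the whole regex fails and none of dstip, dstport or srcip are set. Change the tail to `\(source (\d+.\d+.\d+.\d+)#\d+\)$`. The named comment block above also gained no sample for this decoder, unlike the other new decoders in the file, so nothing documents the line it is meant to match.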
</decoder>
+<!-- OpenBSD smtpd decoders -->
+
+<decoder name="smtpd">
+ <program_name>smtpd</program_name>
+</decoder>
+
+<decoder name="smtpd-client">
+ <parent>smtpd</parent>
+ <prematch offset="after_parent">^client</prematch>
+ <regex>^client (\S+) </regex>
+ <order>srcip</order>
+</decoder>
+
+<decoder name="smtpd-relay">
+ <parent>smtpd</parent>
+ <prematch>relay=</prematch>
+ <regex>relay=\S+ [(\S+)], </regex>
+ <order>srcip</order>
+</decoder>
+
+
+
<!-- Iptables decoder.
- Will extract the srcip, dstip, srcport, dstport, protocol
- Examples:
<order>srcport,dstport</order>
</decoder>
+<decoder name="iptables-shorewall2">
+ <parent>iptables</parent>
+ <type>firewall</type>
+ <prematch>^\p\S+\p Shorewall:\S+:</prematch>
+ <regex offset="after_prematch">^(\S+):\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
+ <regex>PROTO=(\w+) </regex>
+ <order>action,srcip,dstip,protocol</order>
+</decoder>
<!-- Solaris IPFilter decoder.
<order>id, action, protocol, srcip, srcport, dstip, dstport</order>
</decoder>
+<decoder name="pix-url-success">
+ <parent>pix</parent>
+ <prematch offset="after_parent">^5-304001: </prematch>
+ <regex offset="after_parent">^(\S+): (\d+.\d+.\d+.\d+) Accessed URL </regex>
+ <regex>(\d+.\d+.\d+.\d+):(http\w*://\.+)|</regex>
+ <regex>^(\S+): (\d+.\d+.\d+.\d+) Accessed URL (\d+.\d+.\d+.\d+):</regex>
+ <order>id, srcip, dstip, url</order>
+</decoder>
+
+<decoder name="pix-url-deny">
+ <parent>pix</parent>
+ <prematch offset="after_parent">^5-304002: </prematch>
+ <regex offset="after_parent">^(\S+): Access (denied) URL (http\w*://\.+) </regex>
+ <regex>SRC (\d+.\d+.\d+.\d+) DEST (\d+.\d+.\d+.\d+) on interface</regex>
+ <order>id, action, url, srcip, dstip</order>
+</decoder>
+
<decoder name="pix-attacks">
<parent>pix</parent>
<prematch offset="after_parent">^2-106012: |^2-106017: |</prematch>
+<!-- OpenBSD isakmpd decoders -->
+
+<decoder name="isakmpd">
+ <program_name>^isakmpd</program_name>
+</decoder>
+
+<decoder name="isakmpd-from">
+ <parent>isakmpd</parent>
+ <prematch>message from </prematch>
+ <regex>from (\S+) port (\d+)</regex>
+ <order>srcip,srcport</order>
+</decoder>
+
+<decoder name="isakmpd-peer">
+ <parent>isakmpd</parent>
+ <prematch>from peer</prematch>
+ <regex>from peer (\S+):(\d+)$</regex>
+ <order>srcip,srcport</order>
+</decoder>
+
+
+
<!-- Suhosin decoder.
- Will extract the attack name and srcip.
- Examples:
200 1732
- 1.1.1.1 - username [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"
- 123.4.5.6 aa.xx.com - [05/Nov/2006:00:46:56 -0500] "GET / HTTP/1.1" 302 -
+ - ::ffff:202.194.15.192 190.7.138.180 - [18/Oct/2010:10:48:55 -0500] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
-->
<decoder name="web-accesslog">
<type>web-log</type>
- <prematch>^\d+.\d+.\d+.\d+ </prematch>
+ <prematch>^\d+.\d+.\d+.\d+ |^::ffff:\d+.\d+.\d+.\d+ </prematch>
<regex>^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>
<regex>"\w+ (\S+) HTTP\S+ (\d+) </regex>
<order>srcip, url, id</order>
<fts>name, location, extra_data</fts>
</decoder>
+<decoder name="ossec-alert1">
+ <parent>ossec</parent>
+ <prematch>^ossec: Alert Level:</prematch>
+ <plugin_decoder>OSSECAlert_Decoder</plugin_decoder>
+</decoder>
+
<decoder name="ossec-alert">
<program_name>^ossec$</program_name>
<plugin_decoder>OSSECAlert_Decoder</plugin_decoder>
</decoder>
+<!-- decoder for active responses as logged by an OSSEC agent or server
+- Examples
+Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 172.16.0.1 1304756247.60385 31151
+Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 172.16.0.1 1304756247.60385 31151
+Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 172.16.0.1 1304756247.60385 31151
+Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
+-->
+<decoder name="ar_log">
+ <prematch>^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response</prematch>
+ <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex>
+ <order>action, status, srcip, id, extra_data</order>
+</decoder>
<!-- Zeus decoder.
- Will extract the severity and the srcip/username when available.
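Review bot: The new `^::ffff:` alternative in the web-accesslog prematch is dead as far as the visible regex shows, because the unchanged `<regex>` that follows is still anchored as `^(\d+.\d+.\d+.\d+) \S+ \S+ ...` and cannot match a line that begins with `::ffff:`, so the IPv4-mapped sample added to the comment still produces no srcip/url/id. Since the `<regex>` lines are joined before the `|` split, both branches need the complete pattern: `<regex>^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] "\w+ (\S+) HTTP\S+ (\d+) |</regex>` followed by `<regex>^::ffff:(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] "\w+ (\S+) HTTP\S+ (\d+) </regex>`. The ar_log prematch in the same hunk has a related alternation problem: each `|` branch is a pattern of its own, so `^Mon`, `^Tue`, … accept any message that starts with a day name and only the `^Sun` branch carries the timestamp and `/active-response` checks; `^\w\w\w \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response` expresses the intent in a single branch.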
<program_name>^asterisk</program_name>
</decoder>
+<decoder name="asterisk-hijacking">
+ <parent>asterisk</parent>
+ <prematch>^WARNING[\d+]: \S+ in \S+: Don't know </prematch>
+ <regex offset="after_prematch">^\S+ how to respond via '(\w+/\d.\d/\w+)'</regex>
+ <order>user</order>
+</decoder>
+
<decoder name="asterisk-denied">
<parent>asterisk</parent>
<prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
<order>srcip</order>
</decoder>
+<decoder name="asterisk-denied2">
+ <parent>asterisk</parent>
+ <prematch>Registration from </prematch>
+ <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
+ <order>srcip</order>
+</decoder>
+<decoder name="asterisk-iax-authentication-denied">
+ <parent>asterisk</parent>
+ <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
+ <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)</regex>
+ <order>srcip, user</order>
+</decoder>
<!-- Cisco IOS
- Group for Cisco IOS messages.
-->
<decoder name="ms-dhcp-ipv4">
- <prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,</prematch>
- <regex>^(\d\d),</regex>
- <order>id</order>
+ <prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,|</prematch>
+ <prematch>^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+,</prematch>
+ <regex>^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\w+),(\d+.\d+.\d+.\d+)</regex>
+ <order>id,extra_data,srcip</order>
</decoder>
<!--
- Server 2008 DHCP IPv6 Decoder (must go second)
- ID,Date,Time,Description,IPV6 Address,Host Name,Error Code, Duid Length, Duid Bytes(Hex),User Name.
-->
-11020,05/05/09,00:00:38,DHCPV6
<decoder name="ms-dhcp-ipv6">
<prematch>^\d\d\d\d\d,\d\d/\d\d/\d\d,\d\d:\d\d:\d\d,</prematch>
<regex>^(\d\d\d\d\d),</regex>
</decoder>
+<!-- OpenBSD kernel messages -->
+<decoder name="bsd_kernel">
+ <program_name>^/bsd</program_name>
+</decoder>
+
+<decoder name="bsd_arp">
+ <parent>bsd_kernel</parent>
+ <prematch offset="after_parent">^arp </prematch>
+ <regex offset="after_prematch"> for (\S+) by (\S+) on \S+</regex>
+ <order>dstip, extra_data</order>
+</decoder>
+
+
+<!-- OpenBSD mountd decoder
+- Apr 11 20:01:02 ix mountd[11618]: Refused mount RPC from host 192.168.17.10 port 45659
+-->
+
+<decoder name="mountd">
+ <program_name>^mountd</program_name>
+</decoder>
+
+<decoder name="mountd-host">
+ <parent>mountd</parent>
+ <prematch>from host </prematch>
+ <regex offset="after_prematch">(\S+) port \d+$</regex>
+ <order>srcip</order>
+</decoder>
+
+
+<!-- bro-ids decoders
+ - Aug 25 08:52:10 junction bro: no=PortScanSummary na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 num=988 msg=192.168.17.8\\\\ scanned\\\\ a\\\\ total\\\\ of\\\\ 988\\\\ ports tag=@ef-24ad-af
+ - Aug 26 12:34:27 junction bro: no=PortScan na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 p=17/tcp num=250 msg=192.168.17.8\\ has\\ scanned\\ 250\\ ports\\ of\\ 192.168.17.17 tag=@11-68e9-5
+ - junction bro: Starting incremental serialization...
+ - junction bro: Finished incremental serialization.
+ - ix bro: no=NoticeTally na=NOTICE_ALARM_ALWAYS es=bro num=307 msg=AckAboveHole\\ (307\\ times) tag=@81-2fd-1f9
+ - ix bro: no=NoticeTally na=NOTICE_ALARM_ALWAYS es=bro num=7 msg=ContentGap\\ (7\\ times) tag=@81-2fd-1fa
+ - ix bro: no=ResourceSummary na=NOTICE_ALARM_ALWAYS es=bro msg=elapsed\\ time\\ \\=\\ 376.0\\ msecs\\ 174.0\\ usecs,\\ total\\ CPU\\ \\=\\ 390.0\\ msecs,\\ maximum\\ memory\\ \\=\\ 0\\ KB,\\ peak\\ connections\\ \\=\\ 0,\\ peak\\ timers\\ \\=\\ 84,\\ peak\\ fragments\\ \\=\\ 0 tag=@69-1f25-1
+ - junction bro: no=PortScanSummary na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 num=988 msg=192.168.17.8\\\\ scanned\\\\ a\\\\ total\\\\ of\\\\ 988\\\\ ports tag=@ef-24ad-af
+ - junction bro: no=ZoneTransfer na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.1.9 sp=4175/tcp da=192.168.1.17 dp=53/tcp p=53/tcp msg=transfer\\ of\\example.com\\ requested\\ by\\ 192.168.1.9 tag=@61-3a46-d
+ - ix bro: no=SensitivePortmapperAccess na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 sp=2957/tcp da=192.168.17.9 dp=111/tcp p=111/tcp msg=rpc:\\ 192.168.17.8/2957\\ >\\ 192.168.17.9/portmap\\ pm_dump:\\ (done) tag=@46-764d-5d
+ - junction bro: no=PortScan na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 p=17/tcp num=250 msg=192.168.17.8\\ has\\ scanned\\ 250\\ ports\\ of\\ 192.168.17.17 tag=@11-68e9-5
+-->
+
+<decoder name="bro-ids">
+ <program_name>^bro</program_name>
+</decoder>
+
+<decoder name="bro-portscan">
+ <parent>bro-ids</parent>
+ <prematch>no=PortscanSummary</prematch>
+ <regex>sa=(\S+) num=(\d+) msg=</regex>
+ <order>srcip,extra_data</order>
+</decoder>
+
+<decoder name="bro-portscan2">
+ <parent>bro-ids</parent>
+ <prematch>no=PortScan </prematch>
+ <regex>sa=(\S+) p=(\d+)/(\S+) num=(\d+)</regex>
+ <order>srcip,srcport,protocol,extra_data</order>
+</decoder>
+
+<decoder name="bro-typical">
+ <parent>bro-ids</parent>
+ <prematch>na=NOTICE</prematch>
+ <regex>sa=(\S+) sp=(\d+)/(\S+) da=(\S+) dp=(\d+)/\S+</regex>
+ <order>srcip,srcport,protocol,dstip,dstport</order>
+</decoder>
+
+
+
+<!-- nss ldap decoders
+- Jun 26 08:19:25 servername sh: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
+- Aug 16 10:58:12 client nscd: nss_ldap: failed to bind to LDAP server ldap://ldap.example.com: Can't contact LDAP server
+-->
+<!--
+<decoder name="nss-ldap">
+ <program_name>^sh$|^nscd$</program_name>
+ <prematch>^nss_ldap</prematch>
+</decoder>
+
+<decoder name="ldap-server">
+ <parent>nss-ldap</parent>
+ <prematch> server </prematch>
+ <regex offset="after_prematch">ldap://(\S+):</regex>
+ <order>system_name</order>
+</decoder>
+-->
+
+
+
+<!-- OpenBSD groupdel
+ - May 28 09:15:43 ix groupdel[25984]: group deleted: name=_dbus
+-->
+<decoder name="groupdel">
+ <program_name>groupdel</program_name>
+ <regex>^group deleted: name=(\S+)$</regex>
+ <order>extra_data</order>
+</decoder>
+
+
+<!-- Portsentry -->
+<decoder name="portsentry">
+ <program_name>^portsentry</program_name>
+</decoder>
+
+<decoder name="portsentry-attackalert">
+ <parent>portsentry</parent>
+ <prematch>attackalert: Connect from host: </prematch>
+ <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
+ <order>srcip,protocol,dstport</order>
+</decoder>
+
+<decoder name="portsentry-blocked">
+ <parent>portsentry</parent>
+ <prematch>is already blocked. Ignoring$</prematch>
+ <regex>Host: (\S+) is</regex>
+ <order>srcip</order>
+</decoder>
+
+
+<!-- Clamav and Freshclam decoder
+ - Nov 5 22:59:19 ix freshclam[32349]: Incremental update failed, trying to download daily.cvd
+-->
+<decoder name="clamd">
+ <program_name>^clamd</program_name>
+</decoder>
+
+<decoder name="freshclam">
+ <program_name>^freshclam</program_name>
+</decoder>
+
+
+<!-- OpenLDAP decoder.
+ - Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
+ -->
+<decoder name="openldap">
+ <program_name>^slapd</program_name>
+ <regex>^conn=(\d+) </regex>
+ <order>id</order>
+</decoder>
+
+
+
+<!-- NTP decoder
+ - gorilla ntpd[27379]: bad sensor nmea0
+ - tiny ntpd[25875]: bad peer 192.168.1.233 (192.168.1.233)
+ - gorilla ntpd[29719]: bind on 192.168.1.233 failed, skipping: Can't assign requested address
+ - ix ntpd[8392]: bind on 192.168.17.9 failed, skipping: Address already in use
+ - ix ntpd[11685]: bad peer from pool pool.ntp.org (64.73.32.135)
+ - richese ntpd[3465]: bad peer ix (192.168.17.9)
+ - ix ntpd[11685]: bad peer from pool pool.ntp.org (69.50.219.51)
+ - ix ntpd[7045]: recvmsg 192.168.17.17: Connection refused
+ - ix ntpd[29411]: 2 out of 3 peers valid
+ - bridge ntpd[5877]: logconfig: illegal argument - ignored
+ - bridge ntpd[5902]: offset 0.000000 sec freq 0.000 ppm error 0.000011 poll 6
+-->
+<decoder name="ntpd">
+ <program_name>^ntpd</program_name>
+</decoder>
+
+<decoder name="ntpd-bad-peer">
+ <parent>ntpd</parent>
+ <prematch offset="after_parent">^bad peer </prematch>
+ <regex>^bad peer \S+ \p(\S+)\p$|^bad peer from pool \S+ \p(\S+)\p$</regex>
+ <order>srcip</order>
+</decoder>
+
+
+<!-- Auditd
+163
+164 - Will extract action, id, status, extra_data, srcip
+165 - Author and (c): Michael Starks, 2011
+166 - Future enhancements should ensure that all log samples regress properly due to the complexity of these decoders
+167 - Examples:
+
+<!-- CentOS 5.5 -->
+type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
+type=CRED_ACQ msg=audit(1305666154.831:51859): user pid=21250 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct="username" : exe="/usr/sbin/sshd" (hostname=lala.example.com, addr=172.16.0.1, terminal=ssh res=success)'
+type=CRED_ACQ msg=audit(1273182001.226:148635): user pid=29770 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
+type=USER_AUTH msg=audit(1305666163.690:51871): user pid=21269 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
+type=USER_ACCT msg=audit(1306939201.750:67934): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=CRED_ACQ msg=audit(1306939201.751:67935): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_START msg=audit(1306939201.756:67937): user pid=4401 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_CHAUTHTOK msg=audit(1304523288.952:37394): user pid=7258 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='op=change password id=505 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1 res=success)'
+
+<!-- Unknown source -->
+type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
+
+<!-- Ubuntu 10.04 LTS -->
+type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"
+type=SYSCALL msg=audit(1307045820.403:151): arch=c000003e syscall=59 success=no exit=-13 a0=de24c8 a1=de2408 a2=dc3008 a3=7fff1db3cc60 items=1 ppid=11719 pid=12347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="bash" exe="/bin/bash" key=(null)
+type=SYSCALL msg=audit(1306939143.715:67933): arch=40000003 syscall=94 success=yes exit=0 a0=5 a1=180 a2=8ebd360 a3=8ec4978 items=1 ppid=4383 pid=4388 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8038 comm="less" exe="/usr/bin/less" subj=user_u:system_r:unconfined_t:s0 key="perm_mod"
+type=USER_ROLE_CHANGE msg=audit(1280266360.845:51): user pid=1978 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:unconfined_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
+type=PATH msg=audit(1306967989.163:119): item=0 name="./ls" inode=261813 dev=fb:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
+
+<!-- Will not decode due to null name, that's OK -->
+type=PATH msg=audit(1273924468.947:179534): item=0 name=(null) inode=424783 dev=fd:07 mode=0100640 ouid=0 ogid=502 rdev=00:00 obj=user_u:object_r:file_t:s0
+
+-->
+
+<decoder name="auditd">
+ <prematch>^type=</prematch>
+</decoder>
+
+<!-- SELinux -->
+ <decoder name="auditd-selinux">
+ <parent>auditd</parent>
+ <prematch offset="after_parent">^AVC </prematch>
+ <regex offset="after_parent">^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc: (\S+) { \.+ } for pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$</regex>
+ <order>action,id,status,extra_data</order>
+ </decoder>
+
+<!-- syscall -->
+ <decoder name="auditd-syscall">
+ <parent>auditd</parent>
+ <prematch offset="after_parent">^SYSCALL </prematch>
+ <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"</regex>
+ <order>action,id,status,extra_data</order>
+ </decoder>
+
+<!-- config -->
+ <decoder name="auditd-config">
+ <parent>auditd</parent>
+ <prematch offset="after_parent">^CONFIG_CHANGE </prematch>
+ <regex offset="after_parent">^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$</regex>
+ <order>action,id,extra_data</order>
+ </decoder>
+
+<!-- path (will only decode if name is not null)-->
+ <decoder name="auditd-path">
+ <parent>auditd</parent>
+ <prematch offset="after_parent">^PATH </prematch>
+ <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
+ <order>action,id,extra_data</order>
+ </decoder>
+
+<!-- user-related -->
+ <decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_parent">^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|</regex>
+ <regex>^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+</regex>
+ <order>action,id</order>
+ </decoder>
+
+ <decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_regex"> acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$</regex>
+ <order>user,extra_data,srcip</order>
+ </decoder>
+
+ <decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_regex"> ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$</regex>
+ <order>user,extra_data,srcip,status</order>
+ </decoder>
+
+ <decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_regex"> subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+ <order>user,extra_data,srcip,status</order>
+ </decoder>
+
+ <decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_regex"> subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+ <order>extra_data,srcip,status</order>
+ </decoder>
<!-- EOF -->
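Review bot: The bro-portscan prematch reads `no=PortscanSummary` while every sample in the bro-ids comment block and the corresponding rule in bro_rules.xml spell it `no=PortScanSummary`; OSSEC's matcher is, I believe, case-insensitive by default so this probably still fires, but the spelling should be aligned so a later "fix" on one side does not silently break the other. The Auditd comment block carries stray gutter numbers pasted in from an editor (`163`, `164 - Will extract ...`, `165 - Author ...`) that should be stripped, and although that header says every sample must regress, no AVC or CONFIG_CHANGE sample is listed, leaving the auditd-selinux and auditd-config regexes undocumented. The auditd `<decoder>` elements are also indented by one space, unlike every other decoder in the file.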
# Logcollector number of attempts to open a log file.
logcollector.open_attempts=8
+# Logcollector - If it should accept remote commands from the manager
+logcollector.remote_commands=0
+
+
# Remoted counter io flush.
remoted.recv_counter_flush=128
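Review bot: The comment on `logcollector.remote_commands` says neither what the values mean nor why the default is off, whereas the `maild.full_subject` entry in this file spells out `(0=disabled, 1=enabled)`. Suggest `# Logcollector - Accept remote commands sent by the manager (0=disabled, 1=enabled). Enabling lets the manager run commands on this host, so keep 0 unless that trust relationship is intended.` How the commands reach the agent is not visible in this hunk, so the comment should not guess at the transport.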
# Maild full subject (0=disabled, 1=enabled)
maild.full_subject=0
+# Maild display GeoIP data (0=disabled, 1=enabled)
+maild.geoip=1
+
# Monitord day_wait. Ammount of seconds to wait before compressing/signing
# the files.
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
+ <include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
+ <include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>web_rules.xml</include>
+ <include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
### Agent Installation variables. ###
-# USER_AGENT_SERVER_IP specifies the IP address of the
+# Specifies the IP address or hostname of the
# ossec server. Only used on agent installations.
-#USER_AGENT_SERVER_IP="1.2.3.4"
+# Choose only one, not both.
+# USER_AGENT_SERVER_IP="1.2.3.4"
+# USER_AGENT_SERVER_NAME
+
+
+# USER_AGENT_CONFIG_PROFILE specifies the agent's config profile
+# name. This is used to create agent.conf configuration profiles
+# for this particular profile name. Only used on agent installations.
+# Can be any string. E.g. LinuxDBServer or WindowsDomainController
+#USER_AGENT_CONFIG_PROFILE="generic"
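Review bot: `# USER_AGENT_SERVER_NAME` is listed without the form its value takes, while the IP line beside it shows `="1.2.3.4"`; give it the same treatment, e.g. `# USER_AGENT_SERVER_NAME="ossec.example.com"` (example host), so unattended installs do not have to guess at quoting. "Choose only one, not both." also leaves open what happens when both are set; if the install script applies a precedence, state it here, otherwise say that it aborts.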
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/apache_rules.xml, 2011/09/08 dcid Exp $
+
- Official Apache rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<rule id="30109" level="9">
<if_sid>30101</if_sid>
- <regex>user \S+ not found</regex>
+ <regex>user \S+ not found|user \S+ in realm \.* not found</regex>
<description>Attempt to login using a non-existent user.</description>
<group>invalid_login,</group>
</rule>
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/arpwatch_rules.xml, 2011/09/08 dcid Exp $
+
- Official Arpwatch rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<match>sent bad addr len</match>
<description>Arpwatch detected bad address len (ignored).</description>
</rule>
+
+ <rule id="7207" level="1">
+ <if_sid>7200</if_sid>
+ <match>/dev/bpf0: Permission denied</match>
+ <description>arpwatch probably run with wrong permissions</description>
+ </rule>
+
+ <rule id="7208" level="1">
+ <if_sid>7200</if_sid>
+ <match>reused old ethernet address</match>
+ <description>An IP has reverted to an old ethernet address.</description>
+ </rule>
+
+ <rule id="7209" level="7">
+ <if_sid>7200</if_sid>
+ <match>ethernet mismatch</match>
+ <description>Possible arpspoofing attempt.</description>
+ <group>ip_spoof,</group>
+ </rule>
+
+
+
</group> <!-- SYSLOG,arpwatch, -->
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/asterisk_rules.xml, 2011/09/08 dcid Exp $
+
- Official Asterisk rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<same_source_ip />
<description>Extension enumeration.</description>
</rule>
+
+ <!--From Javi Benito jabi.benito@gmail.com-->
+ <!--http://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/-->
+ <rule id="6253" level="5">
+ <if_sid>6201</if_sid>
+ <match>No registration for peer</match>
+ <description>Login session failed (invalid iax user).</description>
+ <group>invalid_login,</group>
+ </rule>
+
+ <!--From Javi Benito jabi.benito@gmail.com-->
+ <rule id="6254" level="10" frequency="3" timeframe="300">
+ <if_matched_sid>6253</if_matched_sid>
+ <same_source_ip />
+ <description>Extension IAX Enumeration.</description>
+ </rule>
+
+ <!--From Javi Benito jabi.benito@gmail.com-->
+ <rule id="6255" level="5">
+ <if_sid>6202</if_sid>
+ <match>Don't know how to respond via</match>
+ <description>Possible Registration Hijacking.</description>
+ <group>invalid_login,</group>
+ </rule>
+
+ <!--From Javi Benito jabi.benito@gmail.com-->
+ <rule id="6256" level="5">
+ <if_sid>6201</if_sid>
+ <match>failed MD5 authentication</match>
+ <description>IAX peer Wrong Password.</description>
+ <group>invalid_login,</group>
+ </rule>
+
+ <!--From Javi Benito jabi.benito@gmail.com-->
+ <rule id="6257" level="10" frequency="3" timeframe="300">
+ <if_matched_sid>6256</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple failed logins.</description>
+ </rule>
+
</group> <!-- ASTERISK -->
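Review bot: The two correlation rules 6254 and 6257 (frequency 3 in 300 s with `<same_source_ip />`) carry no `<group>` tag, whereas the single-event rules they build on are tagged `invalid_login,`; if the rest of the rule set follows the usual pattern of tagging repeated-failure rules `authentication_failures,` (not visible in this hunk), any downstream rule or active response keyed on that group will not see these IAX brute-force events. Suggest `<group>authentication_failures,</group>` on both, and a description that names the protocol, `<description>Multiple IAX authentication failures.</description>` for 6257, instead of the generic "Multiple failed logins.".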
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/attack_rules.xml, 2011/09/08 dcid Exp $
+
- Official "attack" correlation rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
--- /dev/null
+ <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+ -->
+
+<group name="syslog,ids,bro">
+
+ <rule id="52000" level="0">
+ <decoded_as>bro-ids</decoded_as>
+ <description>Grouping for all bro-ids events.</description>
+ </rule>
+
+ <rule id="52001" level="0">
+ <if_sid>52000</if_sid>
+ <match>Starting incremental serialization</match>
+ <description>Bro-ids has been started.</description>
+ </rule>
+
+ <rule id="52002" level="0">
+ <if_sid>52000</if_sid>
+ <match>Finished incremental serialization</match>
+ <description>Bro-ids has been stopped.</description>
+ </rule>
+
+ <rule id="52003" level="8">
+ <if_sid>52000</if_sid>
+ <match>msg=AckAboveHole</match>
+ <description>XXX Ack Above Hole</description>
+ </rule>
+
+ <rule id="52004" level="8">
+ <if_sid>52000</if_sid>
+ <match>msg=ContentGap</match>
+ <description>XXX Content Gap</description>
+ </rule>
+
+ <rule id="52005" level="1">
+ <if_sid>52000</if_sid>
+ <match>no=ResourceSummary</match>
+ <description>Bro-ids resource summary.</description>
+ </rule>
+
+ <rule id="52006" level="7">
+ <if_sid>52000</if_sid>
+ <match>no=PortScanSummary</match>
+ <description>Bro-ids port scan summary.</description>
+ </rule>
+
+ <rule id="52007" level="4">
+ <if_sid>52000</if_sid>
+ <match>no=ZoneTransfer</match>
+ <description>Bro-ids Zone Transfer alert.</description>
+ </rule>
+
+ <rule id="52008" level="4">
+ <if_sid>52000</if_sid>
+ <match>no=SensitivePortMapperAccess</match>
+ <description>Bro-ids detected acces to the portmapper port.</description>
+ </rule>
+
+ <rule id="52009" level="4">
+ <if_sid>52000</if_sid>
+ <match>no=PortScan </match>
+ <description>Bro-ids detected a portscan.</description>
+ </rule>
+
+
+</group> <!-- SYSLOG,LOCAL -->
+
+
+<!-- EOF -->
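Review bot: Rules 52003 and 52004 ship with placeholder descriptions `XXX Ack Above Hole` and `XXX Content Gap` at level 8, yet those two Bro notices are routinely produced by ordinary packet loss on the capture link, so as written they will alert on dropped packets rather than on anything hostile. Suggest finishing the descriptions (e.g. `Bro-ids: TCP ack above hole (possible packet loss or evasion).`) and either lowering the level to something comparable with 52005 or adding a comment stating why level 8 is intended. Two smaller points in the same group: `acces` in 52008's description should read `access`, and the closing comment `</group> <!-- SYSLOG,LOCAL -->` does not name this group (`<!-- SYSLOG,IDS,BRO -->`). The trailing space in 52009's `<match>no=PortScan </match>` looks deliberate, to keep it from also matching `PortScanSummary`; a one-line comment saying so would stop the next editor from "fixing" it.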
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/cimserver_rules.xml, 2011/09/08 dcid Exp $
+
- Official Compaq Insight Manager (cimserver) rules for OSSEC.
-
- Author: Stephen Kreusch
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/cisco-ios_rules.xml, 2011/09/08 dcid Exp $
+
- Official Cisco IOS rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
--- /dev/null
+
+<group name="clamd,freshclam,">
+
+ <rule id="52500" level="0" noalert="1">
+ <decoded_as>clamd</decoded_as>
+ <description>Grouping of the clamd rules.</description>
+ </rule>
+
+ <rule id="52501" level="0" noalert="1">
+ <decoded_as>freshclam</decoded_as>
+ <description>ClamAV database update</description>
+ </rule>
+
+ <rule id="52502" level="8">
+ <if_sid>52500</if_sid>
+ <match>FOUND</match>
+ <description>Virus detected</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52503" level="10">
+ <if_sid>52500</if_sid>
+ <match>^ERROR: </match>
+ <description>Clamd error</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52504" level="7">
+ <if_sid>52500</if_sid>
+ <match>^WARNING: </match>
+ <description>Clamd warning</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52505" level="3">
+ <if_sid>52500</if_sid>
+ <match>clamd daemon</match>
+ <description>Clamd restarted</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52506" level="3">
+ <if_sid>52500</if_sid>
+ <match>Database modification detected</match>
+ <description>Clamd database updated</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52507" level="3">
+ <if_sid>52501</if_sid>
+ <match>ClamAV update process started </match>
+ <description>ClamAV database update</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52508" level="3">
+ <if_sid>52501</if_sid>
+ <match>Database updated </match>
+ <description>ClamAV database updated</description>
+ <group>virus</group>
+ </rule>
+
+ <rule id="52509" level="0">
+ <if_sid>52501</if_sid>
+ <match>Incremental update failed|Error while reading database from|Update failed.</match>
+ <description>Could not download the incremental virus definition updates.</description>
+ </rule>
+
+</group> <!-- clamd, freshclam -->
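Review bot: Rule 52509 assigns level 0 to the freshclam `Update failed` / `Error while reading database from` messages, so a host whose virus definitions silently stop updating never produces an alert, while the success path in 52508 alerts at level 3; stale signatures are the condition an operator needs to hear about. Suggest `<rule id="52509" level="5">` plus a `<group>virus,</group>` tag so it correlates with the rest of the file, or, if silencing is intended, `noalert="1"` with a comment explaining why. Separately, 52503 and 52504 tag generic clamd `ERROR:` / `WARNING:` lines with `<group>virus</group>`, which means any active response or report keyed on the `virus` group will also fire on daemon errors; a separate group for those (placeholder name `clamd_error,`) would keep the two conditions apart.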
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/courier_rules.xml, 2011/09/08 dcid Exp $
+
- Official Courier rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
--- /dev/null
+ <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+ -->
+
+
+
+<!-- Modify it at your will. -->
+
+<group name="syslog,sshd,dropbear">
+
+ <rule id="51000" level="0" noalert="1">
+ <decoded_as>dropbear</decoded_as>
+ <description>Grouping for dropbear rules.</description>
+ </rule>
+
+ <rule id="51001" level="1">
+ <if_sid>51000</if_sid>
+ <match>Failed to get kex value</match>
+ <description>Failed to get key exchange value</description>
+ </rule>
+
+ <rule id="51002" level="1">
+ <if_sid>51000</if_sid>
+ <match>Premature kexdh_init message received</match>
+ <description>Premature kexdh_init message</description>
+ </rule>
+
+ <rule id="51003" level="5">
+ <if_sid>51000</if_sid>
+ <match>bad password attempt for</match>
+ <description>Bad password attempt.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
+ <rule id="51004" level="10" frequency="6" timeframe="120" ignore="60">
+ <if_matched_sid>51003</if_matched_sid>
+ <same_source_ip />
+ <description>dropbear brute force attempt.</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <rule id="51005" level="0">
+ <if_sid>51000</if_sid>
+ <regex>exit after auth \(\S+\): Disconnect received</regex>
+ <description>User disconnected.</description>
+ </rule>
+
+ <rule id="51006" level="2">
+ <if_sid>51000</if_sid>
+ <match>exit before auth</match>
+ <description>Client exited before authentication.</description>
+ <group>recon,</group>
+ </rule>
+
+ <rule id="51007" level="10" frequency="6" timeframe="120" ignore="60">
+ <if_matched_sid>51000</if_matched_sid>
+ <same_source_ip />
+ <description>dropbear brute force attempt.</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+
+ <rule id="51008" level="1">
+ <if_sid>51000</if_sid>
+ <match>Incompatible remote version</match>
+ <description>Incompatible remote version.</description>
+ <group>recon,</group>
+ </rule>
+
+ <rule id="51009" level="0">
+ <if_sid>51000</if_sid>
+ <match>password auth succeeded for</match>
+ <description>User successfully logged in using a password.</description>
+ <group>authentication_success,</group>
+ </rule>
+
+
+</group> <!-- SYSLOG,LOCAL -->
+
+
+<!-- EOF -->
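Review bot: Rule 51007 correlates on `<if_matched_sid>51000</if_matched_sid>`, the level-0 grouping rule that every dropbear message hits, so six dropbear events of any kind from one address within 120 s — six successful logins included — raise a level-10 "dropbear brute force attempt". It carries the same description as 51004, which already does this correctly on the failed-password rule 51003, so 51007 looks like it was meant to sit on 51006 (`exit before auth`); either change it to `<if_matched_sid>51006</if_matched_sid>` with a description such as `dropbear: multiple connections closed before authentication.` or drop the rule. The closing comment `</group> <!-- SYSLOG,LOCAL -->` also does not name this group (`<!-- SYSLOG,SSHD,DROPBEAR -->`).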
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/firewall_rules.xml, 2011/09/08 dcid Exp $
+
- Official Firewall rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/ftpd_rules.xml, 2011/09/08 dcid Exp $
+
- Official ftpd rules for OSSEC.
- Author: Ahmet Ozturk
- License: http://www.ossec.net/en/licensing.html
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/hordeimp_rules.xml, 2011/09/08 dcid Exp $
+
- Official Horde IMP rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/ids_rules.xml, 2011/09/08 dcid Exp $
+
- Official IDS rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/imapd_rules.xml, 2011/09/08 dcid Exp $
+
- Official imapd rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/local_rules.xml, 2011/09/08 dcid Exp $
+
- Example of local rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
--- /dev/null
+#unknown system
+Feb 15 16:08:14 triumph PAM-securetty[741]: Couldn't open /etc/securetty
+Jan 26 21:01:23 test100 PAM-securetty[284]: Couldn't open /etc/securetty
+#Red hat
+Nov 7 21:01:17 enigma PAM-securetty[975]: Couldn't open /etc/securetty
+Apr 19 17:06:03 ecos2 PAM-securetty[1203]: Couldn't open /etc/securetty
--- /dev/null
+su[2921936]: succeeded: ttyq4 changing from root to ldap
+su[2921936]: failed: ttyq4 changing from root to ldap
+su: failed: ttyq# changing from <user> to root
+su[234]: BAD SU ger to fwmaster on /dev/ttyp0
+Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0
+Sep 12 18:40:02 bogus.com su: BAD su rachel on /dev/ttyp1
+
+Feb 14 17:20:27 niban su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit
+May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root
+May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test
+
+Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342)
+Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342)
+#Slack:
+Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root
+Jul 5 12:13:15 lili su[2614]: Authentication failed for root
+Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root
+
--- /dev/null
+May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006
+May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000
+Jun 16 09:53:44 niban useradd[5721]: new group: name=test2, gid=12001
+Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002
+Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002
+Aug 5 08:57:10 niban groupadd[30279]: new group: name=osaudit, gid=12002
+Aug 5 09:44:53 niban groupadd[32676]: new group: name=osaudit, gid=12002
+Aug 5 09:47:52 niban groupadd[642]: new group: name=osaudit, gid=12002
+Feb 4 14:21:45 niban adduser[26287]: new group: name=test123, gid=12003
+Apr 5 16:06:49 niban adduser[16143]: new group: name=port, gid=12003
+Apr 5 16:20:28 niban groupadd[16193]: new group: name=port1, gid=12004
+Apr 5 16:20:29 niban groupadd[16194]: new group: name=port2, gid=12005
+
+May 28 10:48:29 niban useradd[32421]: new user: name=logr, uid=12000, gid=12000, home=/home/logr, shell=/bin/bash
+Jun 16 09:53:44 niban useradd[5721]: new user: name=test2, uid=12001, gid=12001, home=/home/test2, shell=/bin/bash
+Aug 5 09:33:06 niban useradd[32213]: new user: name=osaudit, uid=12002, gid=12002, home=/var/osaudit, shell=/sbin/nologin
+Aug 5 09:47:52 niban useradd[643]: new user: name=osaudit, uid=12002, gid=12002, home=/var/osaudit, shell=/sbin/nologin
+Feb 4 14:21:45 niban adduser[26287]: new user: name=test123, uid=12003, gid=12003, home=/home/test123, shell=/bin/bash
+Apr 5 16:06:49 niban adduser[16143]: new user: name=port, uid=12003, gid=12003, home=/home/port, shell=/bin/bash
+Apr 5 16:17:35 niban adduser[16164]: new user: name=port2, uid=12004, gid=0, home=/home/port2, shell=/bin/bash
+Apr 5 16:18:25 niban adduser[16166]: new user: name=port3, uid=12005, gid=1336, home=/home/port3, shell=/bin/bash
+Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash
+
+May 28 10:48:07 niban userdel[32416]: delete user `logr'
+Aug 5 09:43:27 niban userdel[32657]: delete user `osaudit'
+Feb 4 14:27:13 niban userdel[26300]: delete user `test123'
+
+May 28 10:48:13 niban groupdel[32417]: remove group `logr'
+Aug 4 15:13:08 niban groupdel[26461]: remove group `osaudit'
+Aug 4 15:15:31 niban groupdel[26821]: remove group `osaudit'
+Aug 5 09:43:27 niban userdel[32657]: remove group `osaudit'
+Aug 5 09:47:08 niban groupdel[631]: remove group `osaudit'
+Feb 4 14:27:13 niban userdel[26300]: remove group `test123'
+
--- /dev/null
+#Red Hat box
+Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls
+#OpenBSD
+Jan 28 20:36:33 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls
+May 26 19:40:25 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls
+
--- /dev/null
+#Red Hat
+Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls
+Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1
+Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin
+#OpenBSD
+May 26 19:40:41 enigma sudo: dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
+#Slackware
+May 26 20:16:17 lili sudo: dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
--- /dev/null
+# From incidents mailing list
+Oct 26 18:07:45 ccs rpc.statd[189]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
+
+Jul 9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for
+^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z
+<F7><FF><BF>^[<F7><FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x
+%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\2
+20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
+20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
+20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
+20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
+20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
+20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
+20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
+20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
+20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
+20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
+20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
+20\220\220\220\220\220\220
+Jul 9 01:21:11 blue
+<C7>^F/bin<C7>F^D/shA0<C0>\210F^G\211v^L\215V^P\215N^L\211<F3><B0>^K<CD>
+\200<B0>^A<CD>\200<E8>\177<FF><FF><FF>
+
+May 16 19:38:33 server rpc.statd[353]: gethostbyname error for ^Y...^Y...^[??[
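Review bot: The second sample in this file (L2965–L2983) is wrapped at roughly 72 columns, so a single `rpc.statd ... gethostbyname error for` event spans some sixteen physical lines and the trailing `Jul 9 01:21:11 blue` is an orphaned fragment; any harness that feeds this file to the decoder line by line will see one truncated event followed by many lines with no timestamp or program name. Presumably the text was pasted from a mailing-list post that rewrapped it; re-joining each event onto one line, or dropping the wrapped copy since L2963 already holds an unwrapped instance of the same message, would make the fixture usable. The same wrapping appears in the named AXFR sample (L3021–L3022), the automount sample (L3043–L3044), the proftpd file (L3051–L3078) and the refused-connect samples (L3101–L3106).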
--- /dev/null
+May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com
+[192.168.3.236], 1.1.1.F.1.1.C.A.?..k^1.1.^^AF^Df..^A.'.1.^^A.=.1.1.^^HC^B1...1
+.^^H.^L...u.1.F^I^^H.=..^N.0..F^D1.F^Gv^HF^L.N^HV^L.^K.1.1.^A.....0bin0sh1..11
--- /dev/null
+# From log analysis web site
+May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
+May 16 22:46:21 victim-host last message repeated 7 times
+May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
+May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
+May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
+May 16 22:46:59 victim-host last message repeated 1 time
+May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
+May 16 22:47:07 victim-host last message repeated 3 times
+May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
+May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
--- /dev/null
+a.out[347] attempt to execute code on stack by uid 555
+Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
+Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
+Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to execute code on stack by uid 0
+Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
+Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to execute code on stack by uid 0
+Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
--- /dev/null
+Apr 17 22:20:21 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0
+Apr 17 22:20:21 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0
+Apr 17 22:20:29 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0
+Jan 6 13:39:19 drew named[128838]: dropping source port zero packet from [216.161.67.226].0
+Jan 6 13:39:23 drew named[128838]: dropping source port zero packet from [63.224.229.252].0
+Jan 6 13:39:25 drew named[128838]: dropping source port zero packet from [63.227.214.187].0
+named[3430]: dropping source port zero packet from [209.191.188.93].0
+named[3534]: dropping source port zero packet from [63.226.179.7].0
+named[20627]: dropping source port zero packet from [206.252.159.146].0
--- /dev/null
+Apr 20 09:14:45 hostname named[98]: denied AXFR from [1.2.3.4].1329 for
+"xxxxx.com" (not master/slave)
+Mar 1 13:52:03 arcane named[15025]: denied AXFR from [205.166.226.38].1421 for "atfantasy.com" (acl)
--- /dev/null
+Jan 6 13:40:28 drew named[128838]: denied update from [24.64.63.195].41151 for in-addr.arpa
+Jan 6 13:40:47 drew named[128838]: denied update from [24.64.63.195].41858 for in-addr.arpa
+unapproved update from [132.174.25.169].1848 for 174.132.in-addr.arpa
+Dec 31 00:01:31 valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied
--- /dev/null
+named[8020]: unexpected RCODE (REFUSED) resolving 'inteligentes.cjb.net/AAAA/IN': 200.206.159.96#53
+
+named[8020]: unexpected RCODE (REFUSED) resolving 'inteligentes.cjb.net/A/IN': 200.206.159.96#53
--- /dev/null
+#Unknown
+May 26 12:53:57 atlas kernel: svc: unknown program 100227 (me 100003)
+Feb 28 07:46:15 bs11 kernel: svc: unknown program 100227 (me 100003)
+Jun 28 09:58:14 poseidon kernel: svc: unknown program 100227 (me 100003)
--- /dev/null
+Mar 30 12:01:25 compute-0-0.local automount[6447]: mount(nfs): nfs: mount failure cares.local:/export/home/jfiske on /home/jfiske
+Mar 30 12:01:25 compute-0-0.local automount[6449]: mount(nfs): nfs: mount failure cares.local:/export/home/jfiske on /home/jfiske
+Aug 4 12:35:30 localhost automount[7203]: mount(nfs): nfs: mount failure 192.168.1.100:/compile/nfs/107 on /test/107
+Jul 2 22:37:52 gkar automount[2344]: mount(nfs): nfs: mount failure sunray:/exp
+Aug 4 12:31:56 localhost automount[5252]: mount(nfs): nfs: mount
+failure 192.168.1.100:/compile/nfs/16
--- /dev/null
+rpc.mountd: refused mount request from 10.0.0.12 for /home2/files (/): no export entry
+Jan 12 08:20:00 gateway rpc.mountd: refused mount request from test.bscnet.com for /mnt (/): no export entry
+Jul 5 12:00:53 lili rpc.mountd: refused mount request from enigma for /bin (/): no export entry
+Jul 5 12:01:03 lili rpc.mountd: refused mount request from enigma for /etc (/): no export entry
--- /dev/null
+Nov 9 05:00:07 ensim
+proftpd[21141]: ensim.domain.com
+(p50832E46.dip.t-dialin.net[80.131
+.46.70]) - FTP session opened.
+Nov 9 05:00:09 ensim
+proftpd[21141]: ensim.domain.com
+(p50832E46.dip.t-dialin.net[80.131
+.46.70]) - no such user
+'anonymous'
+Nov 9 05:00:14 ensim
+proftpd[21141]: ensim.domain.com
+(p50832E46.dip.t-dialin.net[80.131
+.46.70]) - FTP session closed.
+Nov 9 06:12:41 ensim
+proftpd[24994]: ensim.domain.com
+(ool-18bba13b.dyn.optonline.net[24
+.187.161.59]) - FTP session
+opened.
+Nov 9 06:12:41 ensim
+proftpd[24994]: ensim.domain.com
+(ool-18bba13b.dyn.optonline.net[24
+.187.161.59]) - no such user
+'vgodz'
+Nov 9 06:12:41 ensim
+proftpd[24994]: ensim.domain.com
+(ool-18bba13b.dyn.optonline.net[24
+.187.161.59]) - FTP session
+closed.
--- /dev/null
+pptpd[7282]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available
+pptpd[7293]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available
+pptpd[7510]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available
+pptpd[8916]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available
--- /dev/null
+Jan 25 21:05:40 horus xinetd[4479]: Deactivating service ftp due to excessive incoming connections. Restarting in 30 seconds.
+Feb 20 14:54:32 localhost xinetd[717]: Deactivating service nsca due to excessive incoming connections. Restarting in 30 seconds.
--- /dev/null
+# freebsd invalid physical login
+login: 1 LOGIN FAILURE ON ttyv0
+login: 1 LOGIN FAILURE ON ttyv0, root
+
+# saslauthd
+saslauthd[113]: do_auth : auth failure: [user=SERVERWEB\Administrador] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
+
+# Strange sshd logs
+sshd[7386]: error: Bad prime description in line 73
+sshd[8143]: error: Bad prime description in line 73
--- /dev/null
+Dec 7 13:52:12 casal in.telnetd[27798]: refused connect from unknown
+Dec 7 13:52:12 casal in.telnetd[27798]: refused connect from unknown
+Jan 22 10:37:41 frontend-0 ypserv[832]: refused connect from
+127.0.0.1:868
+Feb 21 15:14:29 my_ftp_host in.ftpd[32374]: refused connect from
+XX.XX.XX.67
+Feb 21 15:14:36 my_ftp_host in.ftpd[32375]: refused connect from
+XX.XX.XX.67
+Jan 12 20:48:29 elrond sshd[19734]: refused connect from accsys.elink.net.au (203.31.101.11)
+
+Jan 14 18:29:26 elrond sshd[26895]: refused connect from pD952714D.dip.t-dialin.net (217.82.113.77)
+
+Jan 18 21:46:26 elrond sshd[9370]: refused connect from root@cops2.inf.ethz.ch (129.132.134.179)
+
+Jan 19 19:34:06 elrond sshd[12580]: refused connect from r88m211.cybercable.tm.fr (195.132.88.211)
+
+Jan 23 13:13:49 elrond sshd[25980]: refused connect from pD9527D56.dip.t-dialin.net (217.82.125.86)
+
+Jan 24 19:26:26 elrond sshd[30479]: refused connect from pD95279BD.dip.t-dialin.net (217.82.121.189)
+
+Jan 27 07:33:48 elrond sshd[7899]: refused connect from root@194.213.255.84 (194.213.255.84)
+
+Jan 31 20:48:07 elrond sshd[26946]: refused connect from wwwstud.hsk.no (158.36.81.145)
+
+Feb 1 01:30:49 elrond sshd[27872]: refused connect from co101359-a.olden1.ov.nl.home.com (213.51.84.16)
+
+Feb 4 07:06:59 elrond sshd[7766]: refused connect from moosrose.onlineunit.de (195.254.38.131)
+
+Feb 10 22:22:49 elrond sshd[2592]: refused connect from root@62.138.38.142 (62.138.38.142)
--- /dev/null
+#Red Hat
+Feb 4 16:54:28 niban login[1074]: FAILED LOGIN 1 FROM (null) FOR dcid, Authentication failure
--- /dev/null
+#FreeBSD
+Feb 15 14:32:20 freebsd-1 sshd[1374]: Illegal user dcid from 192.168.1.2
+Feb 15 16:11:56 freebsd-1 sshd[2690]: Illegal user dcid from 192.168.10.153
+Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2
+Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2
+Aug 1 15:44:11 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2
+Aug 1 15:44:11 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2
--- /dev/null
+# Terminal failure
+Apr 27 17:27:19 niban login(pam_unix)[1059]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=root
+Apr 27 17:27:21 niban login[1059]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
+# ssh (pam) failure
+Apr 27 17:33:59 niban sshd(pam_unix)[9420]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=niban.sfeng.sourcefire.com user=dcid
+Apr 27 17:34:04 niban sshd(pam_unix)[9420]: 1 more authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=niban.sfeng.sourcefire.com user=dcid
+# ssh failure root
+Apr 27 17:34:26 niban sshd(pam_unix)[9425]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=niban.sfeng.sourcefire.com user=root
+
+# SSHD failed password
+Apr 27 17:34:04 niban sshd[9420]: Failed password for dcid from 10.4.12.26 port 40137 ssh2
+Apr 27 17:34:28 niban sshd[9425]: Failed password for root from 10.4.12.26 port 40138 ssh2
+
--- /dev/null
+[Thu Dec 15 23:49:07 2005] [error] [client 85.107.239.37] client denied by server configuration: /home/myuser/wwwhome/.htm, referer: http://www.example.com/~user7/laodikeiaproject.htm?pswd=hhh
+[Mon Dec 19 18:04:14 2005] [error] [client 85.107.239.37] client denied by server configuration: /home/johndoe/wwwhome/index2.html, referer: http://www.server.com/~refuser/gatekeep.html
+[Mon Dec 19 18:46:05 2005] [error] [client 81.213.203.103] client denied by server configuration: /apache/web-data/htdocs/home/wwwrd/rcilo/announce/, referer: http://webmail.academia.edu/0/_top
+
+
+[Fri Dec 16 01:46:23 2005] [error] [client 80.230.208.105] Directory index forbidden by rule: /home/inst1/wwwhome/courses/es301/
+[Fri Dec 16 01:54:34 2005] [error] [client 131.193.170.106] Directory index forbidden by rule: /apache/web-data/hteng/home/ker/16imfiles/photos/1999cn/
+[Fri Dec 16 02:05:46 2005] [error] [client 195.229.242.53] Directory index forbidden by rule: /apache/web-data/htdocs/home/tuniv/assets/damascus3/
+[Fri Dec 16 11:02:09 2005] [error] [client 139.177.32.34] Directory index forbidden by rule: /apache/web-data/htdocs/home/maiam/research/groups, referer: http://www.akademi.edu.tr/research/groups/index.html
+
+
+[Fri Dec 16 02:25:55 2005] [error] [client 64.94.163.159] Client sent malformed Host header
+[Fri Dec 16 03:10:11 2005] [error] [client 64.94.163.159] Client sent malformed Host header
+[Fri Dec 16 04:04:36 2005] [error] [client 64.94.163.159] Client sent malformed Host header
+[Fri Dec 16 05:26:09 2005] [error] [client 64.94.163.137] Client sent malformed Host header
+
+
+[Mon Dec 19 19:29:17 2005] [warn] [client 85.98.37.115] [315546] auth_ldap authenticate: user administrator authentication failed; URI /exam/inter/Announce.htm [User not found][No such object], referer: http://www.akademi.edu.tr/
+[Mon Dec 19 20:35:25 2005] [warn] [client 213.139.197.178] [307420] auth_ldap authenticate: user user7 authentication failed; URI /exam/inter/Announce.htm [User not found][No such object], referer: http://www.akademi.edu.tr/
+[Mon Dec 19 22:06:34 2005] [warn] [client 85.101.143.252] [360448] auth_ldap authenticate: user user9 authentication failed; URI /files/pg/app_web/index.php [User not found][No such object], referer: http://www.example.com/index.php?sub=list
+
+
+[Mon Dec 19 23:01:11 2005] [error] [client 85.105.120.139] user qwerty not found: /~oahmet/gunce/ss.txt
+[Mon Dec 19 23:01:13 2005] [error] [client 85.105.120.139] user qwerty not found: /~oahmet/gunce/ss.txt
+[Mon Dec 19 23:01:14 2005] [error] [client 85.105.120.139] user qwerty not found: /~oahmet/gunce/ss.txt
+
+
+[Mon Dec 19 23:02:01 2005] [error] [client 85.105.120.139] user oahmet: authentication failure for "/~oahmet/gunce/ss.txt": Password Mismatch
+[Mon Dec 19 23:02:05 2005] [error] [client 85.105.120.139] user oahmet: authentication failure for "/~oahmet/gunce/ss.txt": Password Mismatch
+
+
+Sun Aug 5 16:23:04 2001] [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida
+[Sun Aug 5 16:26:02 2001] [error] [client 66.31.68.147] File does not exist: /var/www/html/default.ida
+[Sun Aug 5 16:32:01 2001] [error] [client 66.31.101.12] File does not exist: /var/www/html/default.ida
+
+[Tue Sep 12 10:38:15 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190)
+[Tue Sep 12 10:39:38 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190)
+[Tue Sep 12 10:40:17 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190)
+[Mon Sep 11 16:55:08 2006] [error] [client 127.0.0.1] (36)File name too long: access to /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm failed
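Review bot: The first `default.ida` sample (L3185) is missing its leading `[`, so its timestamp no longer has the `[Day Mon d hh:mm:ss yyyy]` shape of every other line in this file and a decoder keyed on that prefix would not recognise it; this looks like a copy-paste truncation, since the two lines that follow are intact. Restore it as `[Sun Aug 5 16:23:04 2001] [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida`.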
--- /dev/null
+Sep 1 10:24:59 10.10.10.1 %SYS-5-CONFIG_I: Configured from console by console
+Sep 1 10:25:18 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:49871 -> 10.10.10.10:80]
+Sep 1 10:25:18 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:59591 -> 10.10.10.10:80]
+Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:51654 -> 10.10.10.10:4444]
+Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:60797 -> 10.10.10.10:80]
+Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:2 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:60797 -> 10.10.10.10:80]
+Sep 1 10:25:30 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:59816 -> 10.10.10.10:4444]
+Sep 1 10:26:52 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1232 -> 192.168.100.1:443]
+Sep 1 10:29:24 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1233 -> 192.168.100.1:443]
+Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443]
+Sep 1 10:29:37 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1235 -> 192.168.100.1:443]
+Sep 1 10:30:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1236 -> 192.168.100.1:443]
+Sep 1 10:31:44 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1237 -> 192.168.100.1:443]
+Sep 1 10:31:55 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1238 -> 192.168.100.1:443]
+Sep 1 10:33:30 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1239 -> 192.168.100.1:443]
+Sep 1 10:34:27 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1240 -> 192.168.100.1:443]
+Sep 1 10:36:09 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1241 -> 192.168.100.1:443]
+Sep 1 10:36:12 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1242 -> 192.168.100.1:443]
+Sep 1 10:36:14 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1243 -> 192.168.100.1:443]
+Sep 1 10:37:28 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1244 -> 192.168.100.1:443]
+Sep 1 10:38:08 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1245 -> 192.168.100.1:443]
+Sep 1 10:38:36 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:0 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:59633 -> 10.10.10.10:80]
+%IPS-4-SIGNATURE: Sig:5769 Subsig:0 Sev:4 Malformed HTTP Request [192.168.100.11:59633 -> 10.10.10.10:80]
+%IPS-4-SIGNATURE: Sig:5123 Subsig:0 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:59633 -> 10.10.10.10:80]
+%IPS-4-SIGNATURE: Sig:5769 Subsig:0 Sev:4 Malformed HTTP Request [192.168.100.11:59633 -> 10.10.10.10:80]
--- /dev/null
+Jul 10 16:07:14 cisco2621 %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet
+%SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.40.16(3059) -> 10.0.4.101(1060), 2 packets
+%SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.16.16(2179) -> 10.0.4.101(1060), 1 packet
+%SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.32.16(4206) -> 10.0.4.101(1060), 2 packets
+%SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet
+Jul 10 16:07:14 1.2.3.4 %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1469) -> 10.0.127.12(445), 1 packet
+%SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1496) -> 10.0.127.39(445), 1 packet
+%SEC-6-IPACCESSLOGP: list 100 denied udp 200.174.153.126(1028) -> 66.81.85.65(137), 1 packet
+Jul 10 16:07:14 myhost1 %SEC-6-IPACCESSLOGP: list 100 denied udp 195.23.72.148(1026) -> 66.81.85.65(137), 1 packet
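Review bot: The three denied-UDP entries at the end of this sample carry addresses outside the private ranges (200.174.153.126, 195.23.72.148 and 66.81.85.65), while every other entry in the file uses 10.0.0.0/8 or 172.16.0.0/12, so the fixture may be committing addresses of real hosts taken from a captured log. If so, they should be rewritten to RFC 5737 documentation addresses before merge, e.g. `%SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.126(1028) -> 198.51.100.65(137), 1 packet`, which exercises exactly the same decoder fields (list id, action, protocol, src/dst, port, packet count). The entries without a syslog timestamp/host prefix presumably test header-less input and look intentional, but a short README next to the samples saying so would save the next reader from treating them as corrupted lines.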
--- /dev/null
+May 28 19:38:24 valhalla ftpd[24474]: FTPD: IMPORT file local /mnt/1//ide9/s09099/public_html/tasarim_files/akis.bmp, remote
+Jun 1 22:50:26 valhalla ftpd[22898]: FTPD: IMPORT file local oledata.mso, remote
+May 28 15:14:02 valhalla ftpd[28616]: FTPD: EXPORT file local , remote Analiz.html
+May 28 21:40:31 valhalla ftpd[28432]: FTPD: EXPORT file local , remote arrows_up.gif
+May 28 15:50:36 valhalla ftpd[28370]: connection from dsl.static8596180144.ttnet.net.tr at Sun May 28 15:50:36 2006
+May 28 15:50:36 valhalla ftpd[28370]: FTP LOGIN FROM dsl.static8596180144.ttnet.net.tr, user12
+May 29 11:04:16 queen ftpd[417946]: connect from vlh102.tncc.mu.edu
+Jun 3 02:32:37 queen ftpd[418042]: refused connect from y-oper.labs.mu.edu
+Jun 3 13:37:10 queen ftpd[327802]: refused connect from 85.99.150.230
+Jun 3 11:38:08 queen ftpd[491744]: warning: can't verify hostname: gethostbyname(dsl85-102-24474.ttnet.net.tr) failed
+Jun 3 07:46:16 arguvan in.ftpd[18561]: [ID 484914 daemon.notice] gethostbyaddr: nameservices.net. != 216.117.134.168
+Jun 1 16:16:26 valhalla ftpd[39056]: repeated login failures from dsl.dynamic859622181.ttnet.net.tr
+Jun 2 16:44:05 valhalla ftpd[28662]: repeated login failures from 192.168.4.5
+May 28 15:52:51 valhalla ftpd[27654]: User oahmet timed out after 900 seconds at Sun May 28 15:52:51 2006
+May 30 00:06:23 valhalla ftpd[11452]: User redsp timed out after 900 seconds at Tue May 30 00:06:23 2006
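Review bot: This ftpd sample embeds what appear to be real hostnames and account names — several ttnet.net.tr dial-up hosts, vlh102.tncc.mu.edu and y-oper.labs.mu.edu, the public address 85.99.150.230, users user12, oahmet and redsp, and a user-specific path under /mnt/1//ide9/s09099/public_html. If these lines were lifted from a production log rather than invented, the identifying values should be replaced with placeholders (example.com hosts, RFC 5737 addresses, generic usernames) before they are committed, since the decoder and rules only depend on the message shape. For instance `refused connect from 203.0.113.230` and `FTP LOGIN FROM dsl.example.com, testuser` would serve the same test purpose without publishing third-party data.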
--- /dev/null
+2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 200 0 0 1467 841 31
+2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 400 0 0 1467 841 31
+2007-01-23 05:00:11 W3SVC22 xxx.ossec.net 1.2.3.4 GET / - 80 - 192.168.2.33 HTTP/1.1 Windows-Update-Agent - - myhost.name 500 0 0 1467 841 31
+2005-05-21 05:39:27 W3SVC1 hostname123 192.168.0.101 GET /VirtualServerError/VSWebApp.exe view=1 1024 WEBBROWSER\User 192.168.0.101 HTTP/1.0 Mozilla/4.0+(User-Agent) - - xx.nada.com 200 0 0
--- /dev/null
+May 7 13:40:14 gaucha imapd[26772]: imap service init from 200.255.5.8
+May 7 13:40:14 gaucha imapd[26772]: Authenticated user=joao host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:14 gaucha imapd[26772]: Logout user=joao host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:20 gaucha imapd[26788]: imap service init from 200.255.5.8
+May 7 13:40:20 gaucha imapd[26788]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:21 gaucha imapd[26788]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:25 gaucha imapd[26792]: imap service init from 200.255.5.8
+May 7 13:40:25 gaucha imapd[26792]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:25 gaucha imapd[26792]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:33 gaucha imapd[26801]: imap service init from 200.255.5.8
+May 7 13:40:33 gaucha imapd[26801]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:33 gaucha imapd[26801]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:38 gaucha imapd[26803]: imap service init from 200.255.5.8
+May 7 13:40:38 gaucha imapd[26803]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:39 gaucha imapd[26803]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:45 gaucha imapd[26810]: imap service init from 200.255.5.8
+May 7 13:40:45 gaucha imapd[26810]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:45 gaucha imapd[26810]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:55 gaucha imapd[26820]: imap service init from 200.255.5.8
+May 7 13:40:55 gaucha imapd[26820]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:40:55 gaucha imapd[26820]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:41:24 gaucha imapd[26906]: imap service init from 200.255.5.8
+May 7 13:41:24 gaucha imapd[26906]: Authenticated user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:41:25 gaucha imapd[26906]: Logout user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:41:25 gaucha imapd[26908]: imap service init from 200.255.5.8
+May 7 13:41:25 gaucha imapd[26908]: Authenticated user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:41:25 gaucha imapd[26908]: Logout user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:41:39 gaucha imapd[26924]: imap service init from 200.255.5.8
+May 7 13:41:39 gaucha imapd[26924]: Authenticated user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:41:40 gaucha imapd[26924]: Logout user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:41:43 gaucha imapd[26932]: imap service init from 200.255.5.8
+May 7 13:41:43 gaucha imapd[26932]: Authenticated user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:41:44 gaucha imapd[26932]: Logout user=lamafia host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:41:59 gaucha imapd[26953]: imap service init from 200.255.5.8
+May 7 13:41:59 gaucha imapd[26953]: Authenticated user=joao host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:41:59 gaucha imapd[26953]: Logout user=joao host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:42:00 gaucha imapd[26959]: imap service init from 200.255.5.8
+May 7 13:42:00 gaucha imapd[26959]: Authenticated user=joao host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:42:00 gaucha imapd[26959]: Logout user=joao host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:42:19 gaucha imapd[27019]: imap service init from 200.255.5.8
+May 7 13:42:19 gaucha imapd[27019]: Authenticated user=joao host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:42:21 gaucha imapd[27019]: Logout user=joao host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:42:48 gaucha imapd[27094]: imap service init from 200.255.5.8
+May 7 13:42:48 gaucha imapd[27094]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:42:48 gaucha imapd[27094]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:42:48 gaucha imapd[27096]: imap service init from 200.255.5.8
+May 7 13:42:48 gaucha imapd[27096]: Authenticated user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:42:48 gaucha imapd[27096]: Logout user=tiago host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:51:53 gaucha imapd[27832]: imap service init from 200.255.5.8
+May 7 13:51:56 gaucha imapd[27832]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:51:59 gaucha imapd[27832]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:52:02 gaucha imapd[27832]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:52:02 gaucha imapd[27832]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:52:41 gaucha imapd[27991]: imap service init from 200.255.5.8
+May 7 13:52:44 gaucha imapd[27991]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:52:47 gaucha imapd[27991]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:52:50 gaucha imapd[27991]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:52:50 gaucha imapd[27991]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:52:51 gaucha imapd[27999]: imap service init from 200.255.5.8
+May 7 13:52:54 gaucha imapd[27999]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:52:57 gaucha imapd[27999]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:53:00 gaucha imapd[27999]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:53:00 gaucha imapd[27999]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:53:39 gaucha imapd[28041]: imap service init from 200.255.5.8
+May 7 13:53:42 gaucha imapd[28041]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:53:45 gaucha imapd[28041]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:53:48 gaucha imapd[28041]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:53:48 gaucha imapd[28041]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:54:10 gaucha imapd[28129]: imap service init from 200.255.5.8
+May 7 13:54:13 gaucha imapd[28129]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:54:16 gaucha imapd[28129]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:54:19 gaucha imapd[28129]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:54:19 gaucha imapd[28129]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:54:39 gaucha imapd[28170]: imap service init from 200.255.5.8
+May 7 13:54:42 gaucha imapd[28170]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:54:45 gaucha imapd[28170]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:54:48 gaucha imapd[28170]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:54:48 gaucha imapd[28170]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:55:37 gaucha imapd[28236]: imap service init from 200.255.5.8
+May 7 13:55:40 gaucha imapd[28236]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:55:43 gaucha imapd[28236]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:55:46 gaucha imapd[28236]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:55:46 gaucha imapd[28236]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:56:23 gaucha imapd[28311]: imap service init from 200.255.5.8
+May 7 13:56:27 gaucha imapd[28311]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:56:30 gaucha imapd[28311]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:56:33 gaucha imapd[28311]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:56:33 gaucha imapd[28311]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:57:08 gaucha imapd[28414]: imap service init from 200.255.5.8
+May 7 13:57:08 gaucha imapd[28414]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:57:08 gaucha imapd[28414]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:57:08 gaucha imapd[28416]: imap service init from 200.255.5.8
+May 7 13:57:08 gaucha imapd[28416]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:57:10 gaucha imapd[28416]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:57:16 gaucha imapd[28424]: imap service init from 200.255.5.8
+May 7 13:57:17 gaucha imapd[28424]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:57:17 gaucha imapd[28424]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:57:17 gaucha imapd[28425]: imap service init from 200.255.5.8
+May 7 13:57:17 gaucha imapd[28425]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:57:17 gaucha imapd[28425]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:57:56 gaucha imapd[28469]: imap service init from 200.255.5.8
+May 7 13:57:56 gaucha imapd[28469]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:57:57 gaucha imapd[28469]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:58:11 gaucha imapd[28538]: imap service init from 200.255.5.8
+May 7 13:58:11 gaucha imapd[28538]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:58:11 gaucha imapd[28538]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:58:12 gaucha imapd[28539]: imap service init from 200.255.5.8
+May 7 13:58:12 gaucha imapd[28539]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:58:12 gaucha imapd[28539]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:58:12 gaucha imapd[28541]: imap service init from 200.255.5.8
+May 7 13:58:12 gaucha imapd[28541]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:58:12 gaucha imapd[28541]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:58:20 gaucha imapd[28553]: imap service init from 200.255.5.8
+May 7 13:58:20 gaucha imapd[28553]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:58:20 gaucha imapd[28553]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:58:24 gaucha imapd[28557]: imap service init from 200.255.5.8
+May 7 13:58:24 gaucha imapd[28557]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:58:24 gaucha imapd[28557]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:58:50 gaucha imapd[28646]: imap service init from 200.255.5.8
+May 7 13:58:50 gaucha imapd[28646]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:58:50 gaucha imapd[28646]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:59:12 gaucha imapd[28691]: imap service init from 200.255.5.8
+May 7 13:59:12 gaucha imapd[28691]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:59:13 gaucha imapd[28691]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:59:13 gaucha imapd[28692]: imap service init from 200.255.5.8
+May 7 13:59:13 gaucha imapd[28692]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:59:13 gaucha imapd[28692]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:59:39 gaucha imapd[28713]: imap service init from 200.255.5.8
+May 7 13:59:39 gaucha imapd[28713]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:59:39 gaucha imapd[28713]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:59:40 gaucha imapd[28714]: imap service init from 200.255.5.8
+May 7 13:59:40 gaucha imapd[28714]: Authenticated user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:59:40 gaucha imapd[28714]: Logout user=paulomartins host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:59:43 gaucha imapd[28718]: imap service init from 200.255.5.8
+May 7 13:59:43 gaucha imapd[28718]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 13:59:43 gaucha imapd[28718]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:00:51 gaucha imapd[28821]: imap service init from 200.255.5.8
+May 7 14:00:53 gaucha imapd[28824]: imap service init from 200.255.5.8
+May 7 14:00:53 gaucha imapd[28824]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:00:53 gaucha imapd[28824]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:00:54 gaucha imapd[28821]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:00:57 gaucha imapd[28821]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:01:00 gaucha imapd[28821]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:01:00 gaucha imapd[28821]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:01:04 gaucha imapd[28827]: imap service init from 200.255.5.8
+May 7 14:01:04 gaucha imapd[28827]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:01:04 gaucha imapd[28827]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:01:27 gaucha imapd[28910]: imap service init from 200.255.5.8
+May 7 14:01:27 gaucha imapd[28910]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:01:27 gaucha imapd[28910]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:01:31 gaucha imapd[28912]: imap service init from 200.255.5.8
+May 7 14:01:34 gaucha imapd[28912]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:01:37 gaucha imapd[28912]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:01:40 gaucha imapd[28912]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:01:40 gaucha imapd[28912]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:01:50 gaucha imapd[28938]: imap service init from 200.255.5.8
+May 7 14:01:50 gaucha imapd[28938]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:01:50 gaucha imapd[28938]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:07 gaucha imapd[28959]: imap service init from 200.255.5.8
+May 7 14:02:10 gaucha imapd[28959]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:11 gaucha imapd[28968]: imap service init from 200.255.5.8
+May 7 14:02:11 gaucha imapd[28968]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:11 gaucha imapd[28968]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:13 gaucha imapd[28959]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:16 gaucha imapd[28959]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:16 gaucha imapd[28959]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:16 gaucha imapd[28977]: imap service init from 200.255.5.8
+May 7 14:02:18 gaucha imapd[28978]: imap service init from 200.255.5.8
+May 7 14:02:18 gaucha imapd[28978]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:18 gaucha imapd[28978]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:19 gaucha imapd[28977]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:22 gaucha imapd[28977]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:25 gaucha imapd[28977]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:25 gaucha imapd[28977]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:25 gaucha imapd[28988]: imap service init from 200.255.5.8
+May 7 14:02:28 gaucha imapd[28988]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:31 gaucha imapd[28988]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:34 gaucha imapd[28988]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:34 gaucha imapd[28988]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:42 gaucha imapd[29001]: imap service init from 200.255.5.8
+May 7 14:02:42 gaucha imapd[29001]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:02:42 gaucha imapd[29001]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:03:44 gaucha imapd[29105]: imap service init from 200.255.5.8
+May 7 14:03:44 gaucha imapd[29105]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:03:44 gaucha imapd[29105]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:04:25 gaucha imapd[29565]: imap service init from 200.255.5.8
+May 7 14:04:25 gaucha imapd[29565]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:04:25 gaucha imapd[29565]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:05:14 gaucha imapd[29645]: imap service init from 200.255.5.8
+May 7 14:05:14 gaucha imapd[29645]: Authenticated user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:05:14 gaucha imapd[29645]: Logout user=acp host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:18:34 gaucha imapd[30752]: imap service init from 200.255.5.8
+May 7 14:18:34 gaucha imapd[30752]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:18:34 gaucha imapd[30752]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:18:34 gaucha imapd[30754]: imap service init from 200.255.5.8
+May 7 14:18:34 gaucha imapd[30754]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:18:43 gaucha imapd[30754]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:18:47 gaucha imapd[30766]: imap service init from 200.255.5.8
+May 7 14:18:47 gaucha imapd[30766]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:18:48 gaucha imapd[30766]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:18:55 gaucha imapd[30769]: imap service init from 200.255.5.8
+May 7 14:18:55 gaucha imapd[30769]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:18:55 gaucha imapd[30769]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:18:56 gaucha imapd[30772]: imap service init from 200.255.5.8
+May 7 14:18:56 gaucha imapd[30772]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:18:59 gaucha imapd[30772]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:19:03 gaucha imapd[30779]: imap service init from 200.255.5.8
+May 7 14:19:03 gaucha imapd[30779]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:19:04 gaucha imapd[30779]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:19:30 gaucha imapd[30793]: imap service init from 200.255.5.8
+May 7 14:19:30 gaucha imapd[30793]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:19:30 gaucha imapd[30793]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:19:46 gaucha imapd[30813]: imap service init from 200.255.5.8
+May 7 14:19:46 gaucha imapd[30813]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:19:46 gaucha imapd[30813]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:20:04 gaucha imapd[30831]: imap service init from 200.255.5.8
+May 7 14:20:04 gaucha imapd[30831]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:20:04 gaucha imapd[30831]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:21:52 gaucha imapd[31001]: imap service init from 200.255.5.8
+May 7 14:21:52 gaucha imapd[31001]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:21:52 gaucha imapd[31001]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:26:30 gaucha imapd[31461]: imap service init from 200.255.5.8
+May 7 14:26:33 gaucha imapd[31461]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:26:39 gaucha imapd[31461]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:26:45 gaucha imapd[31480]: imap service init from 200.255.5.8
+May 7 14:26:45 gaucha imapd[31480]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:26:45 gaucha imapd[31480]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:26:45 gaucha imapd[31481]: imap service init from 200.255.5.8
+May 7 14:26:45 gaucha imapd[31481]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:26:45 gaucha imapd[31481]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:27:08 gaucha imapd[31495]: imap service init from 200.255.5.8
+May 7 14:27:08 gaucha imapd[31495]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:27:08 gaucha imapd[31495]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:27:11 gaucha imapd[31497]: imap service init from 200.255.5.8
+May 7 14:27:11 gaucha imapd[31497]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:27:11 gaucha imapd[31497]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:27:13 gaucha imapd[31500]: imap service init from 200.255.5.8
+May 7 14:27:13 gaucha imapd[31500]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:27:13 gaucha imapd[31500]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:27:55 gaucha imapd[31531]: imap service init from 200.255.5.8
+May 7 14:27:55 gaucha imapd[31531]: Authenticated user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:27:55 gaucha imapd[31531]: Logout user=blowsky host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:27:59 gaucha imapd[31542]: imap service init from 200.255.5.8
+May 7 14:27:59 gaucha imapd[31542]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:27:59 gaucha imapd[31542]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:00 gaucha imapd[31543]: imap service init from 200.255.5.8
+May 7 14:28:00 gaucha imapd[31543]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:00 gaucha imapd[31543]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:16 gaucha imapd[31574]: imap service init from 200.255.5.8
+May 7 14:28:16 gaucha imapd[31574]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:16 gaucha imapd[31574]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:20 gaucha imapd[31582]: imap service init from 200.255.5.8
+May 7 14:28:20 gaucha imapd[31582]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:20 gaucha imapd[31582]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:23 gaucha imapd[31588]: imap service init from 200.255.5.8
+May 7 14:28:23 gaucha imapd[31588]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:24 gaucha imapd[31588]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:38 gaucha imapd[31599]: imap service init from 200.255.5.8
+May 7 14:28:38 gaucha imapd[31599]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:38 gaucha imapd[31599]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:41 gaucha imapd[31602]: imap service init from 200.255.5.8
+May 7 14:28:41 gaucha imapd[31602]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:41 gaucha imapd[31602]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:46 gaucha imapd[31605]: imap service init from 200.255.5.8
+May 7 14:28:46 gaucha imapd[31605]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:46 gaucha imapd[31605]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:50 gaucha imapd[31611]: imap service init from 200.255.5.8
+May 7 14:28:50 gaucha imapd[31611]: Authenticated user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:28:50 gaucha imapd[31611]: Logout user=andreiaps host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:11 gaucha imapd[31848]: imap service init from 200.255.5.8
+May 7 14:31:11 gaucha imapd[31848]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:11 gaucha imapd[31848]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:11 gaucha imapd[31849]: imap service init from 200.255.5.8
+May 7 14:31:11 gaucha imapd[31849]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:11 gaucha imapd[31849]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:15 gaucha imapd[31858]: imap service init from 200.255.5.8
+May 7 14:31:15 gaucha imapd[31858]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:15 gaucha imapd[31858]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:24 gaucha imapd[31873]: imap service init from 200.255.5.8
+May 7 14:31:24 gaucha imapd[31873]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:24 gaucha imapd[31873]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:26 gaucha imapd[31875]: imap service init from 200.255.5.8
+May 7 14:31:26 gaucha imapd[31875]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:26 gaucha imapd[31875]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:30 gaucha imapd[31879]: imap service init from 200.255.5.8
+May 7 14:31:30 gaucha imapd[31879]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:30 gaucha imapd[31879]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:32 gaucha imapd[31881]: imap service init from 200.255.5.8
+May 7 14:31:32 gaucha imapd[31881]: Authenticated user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:31:32 gaucha imapd[31881]: Logout user=rhsc host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:36:00 gaucha imapd[32375]: imap service init from 200.255.5.8
+May 7 14:36:00 gaucha imapd[32375]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:36:00 gaucha imapd[32375]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:36:04 gaucha imapd[32381]: imap service init from 200.255.5.8
+May 7 14:36:04 gaucha imapd[32381]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:36:04 gaucha imapd[32381]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:36:06 gaucha imapd[32385]: imap service init from 200.255.5.8
+May 7 14:36:06 gaucha imapd[32385]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:36:06 gaucha imapd[32385]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:36:15 gaucha imapd[32442]: imap service init from 200.255.5.8
+May 7 14:36:15 gaucha imapd[32442]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:36:15 gaucha imapd[32442]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:36:21 gaucha imapd[32443]: imap service init from 200.255.5.8
+May 7 14:36:21 gaucha imapd[32443]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:36:21 gaucha imapd[32443]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:14 gaucha imapd[32479]: imap service init from 200.255.5.8
+May 7 14:37:14 gaucha imapd[32479]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:15 gaucha imapd[32479]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:15 gaucha imapd[32485]: imap service init from 200.255.5.8
+May 7 14:37:15 gaucha imapd[32485]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:15 gaucha imapd[32485]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:18 gaucha imapd[32488]: imap service init from 200.255.5.8
+May 7 14:37:18 gaucha imapd[32488]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:18 gaucha imapd[32488]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:19 gaucha imapd[32489]: imap service init from 200.255.5.8
+May 7 14:37:19 gaucha imapd[32489]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:19 gaucha imapd[32489]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:20 gaucha imapd[32493]: imap service init from 200.255.5.8
+May 7 14:37:20 gaucha imapd[32493]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:20 gaucha imapd[32493]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:20 gaucha imapd[32494]: imap service init from 200.255.5.8
+May 7 14:37:20 gaucha imapd[32494]: Authenticated user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:20 gaucha imapd[32494]: Logout user=solaris host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:25 gaucha imapd[32502]: imap service init from 200.255.5.8
+May 7 14:37:25 gaucha imapd[32502]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:25 gaucha imapd[32502]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:25 gaucha imapd[32503]: imap service init from 200.255.5.8
+May 7 14:37:25 gaucha imapd[32503]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:25 gaucha imapd[32503]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:34 gaucha imapd[32508]: imap service init from 200.255.5.8
+May 7 14:37:34 gaucha imapd[32508]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:34 gaucha imapd[32508]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:34 gaucha imapd[32509]: imap service init from 200.255.5.8
+May 7 14:37:34 gaucha imapd[32509]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:34 gaucha imapd[32509]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:45 gaucha imapd[32520]: imap service init from 200.255.5.8
+May 7 14:37:45 gaucha imapd[32520]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:37:45 gaucha imapd[32520]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:38:22 gaucha imapd[32552]: imap service init from 200.255.5.8
+May 7 14:38:22 gaucha imapd[32552]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:38:22 gaucha imapd[32552]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:38:25 gaucha imapd[32555]: imap service init from 200.255.5.8
+May 7 14:38:28 gaucha imapd[32555]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:38:31 gaucha imapd[32555]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:38:34 gaucha imapd[32555]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:38:34 gaucha imapd[32555]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:38:38 gaucha imapd[32574]: imap service init from 200.255.5.8
+May 7 14:38:38 gaucha imapd[32574]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:38:38 gaucha imapd[32574]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:38:47 gaucha imapd[32590]: imap service init from 200.255.5.8
+May 7 14:38:47 gaucha imapd[32590]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:38:47 gaucha imapd[32590]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:38:48 gaucha imapd[32591]: imap service init from 200.255.5.8
+May 7 14:38:48 gaucha imapd[32591]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:38:49 gaucha imapd[32591]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:39:20 gaucha imapd[32640]: imap service init from 200.255.5.8
+May 7 14:39:20 gaucha imapd[32640]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:39:21 gaucha imapd[32640]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:39:26 gaucha imapd[32648]: imap service init from 200.255.5.8
+May 7 14:39:26 gaucha imapd[32648]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:39:26 gaucha imapd[32648]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:06 gaucha imapd[32713]: imap service init from 200.255.5.8
+May 7 14:40:06 gaucha imapd[32713]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:06 gaucha imapd[32713]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:07 gaucha imapd[32716]: imap service init from 200.255.5.8
+May 7 14:40:07 gaucha imapd[32716]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:07 gaucha imapd[32716]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:11 gaucha imapd[32717]: imap service init from 200.255.5.8
+May 7 14:40:11 gaucha imapd[32717]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:12 gaucha imapd[32717]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:18 gaucha imapd[32729]: imap service init from 200.255.5.8
+May 7 14:40:18 gaucha imapd[32729]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:18 gaucha imapd[32729]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:24 gaucha imapd[32733]: imap service init from 200.255.5.8
+May 7 14:40:24 gaucha imapd[32733]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:24 gaucha imapd[32733]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:25 gaucha imapd[32734]: imap service init from 200.255.5.8
+May 7 14:40:25 gaucha imapd[32734]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:25 gaucha imapd[32734]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:41 gaucha imapd[32750]: imap service init from 200.255.5.8
+May 7 14:40:41 gaucha imapd[32750]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:41 gaucha imapd[32750]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:54 gaucha imapd[32766]: imap service init from 200.255.5.8
+May 7 14:40:54 gaucha imapd[32766]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:54 gaucha imapd[32766]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:58 gaucha imapd[304]: imap service init from 200.255.5.8
+May 7 14:40:58 gaucha imapd[304]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:59 gaucha imapd[304]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:59 gaucha imapd[309]: imap service init from 200.255.5.8
+May 7 14:40:59 gaucha imapd[309]: Authenticated user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:40:59 gaucha imapd[309]: Logout user=sergiogrl host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:41:03 gaucha imapd[311]: imap service init from 200.255.5.8
+May 7 14:41:03 gaucha imapd[311]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:41:03 gaucha imapd[311]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:41:14 gaucha imapd[341]: imap service init from 200.255.5.8
+May 7 14:41:14 gaucha imapd[341]: Authenticated user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:41:14 gaucha imapd[341]: Logout user=lhalpern host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:41:22 gaucha imapd[352]: imap service init from 200.255.5.8
+May 7 14:41:22 gaucha imapd[352]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:41:22 gaucha imapd[352]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:41:32 gaucha imapd[367]: imap service init from 200.255.5.8
+May 7 14:41:32 gaucha imapd[367]: Authenticated user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:41:32 gaucha imapd[367]: Logout user=wrs host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:50:37 gaucha imapd[1357]: imap service init from 200.255.5.8
+May 7 14:50:37 gaucha imapd[1357]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:50:37 gaucha imapd[1357]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:50:37 gaucha imapd[1359]: imap service init from 200.255.5.8
+May 7 14:50:37 gaucha imapd[1359]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:50:38 gaucha imapd[1359]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:50:49 gaucha imapd[1380]: imap service init from 200.255.5.8
+May 7 14:50:49 gaucha imapd[1380]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:50:49 gaucha imapd[1380]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:50:58 gaucha imapd[1390]: imap service init from 200.255.5.8
+May 7 14:50:58 gaucha imapd[1390]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:50:58 gaucha imapd[1390]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:51:05 gaucha imapd[1456]: imap service init from 200.255.5.8
+May 7 14:51:05 gaucha imapd[1456]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:51:05 gaucha imapd[1456]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:51:10 gaucha imapd[1466]: imap service init from 200.255.5.8
+May 7 14:51:10 gaucha imapd[1466]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:51:10 gaucha imapd[1466]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:51:19 gaucha imapd[1540]: imap service init from 200.255.5.8
+May 7 14:51:19 gaucha imapd[1540]: Authenticated user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:51:19 gaucha imapd[1540]: Logout user=raphaelv host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:55:51 gaucha imapd[2016]: imap service init from 200.255.5.8
+May 7 14:55:51 gaucha imapd[2016]: Authenticated user=niguna host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:55:51 gaucha imapd[2016]: Logout user=niguna host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:55:52 gaucha imapd[2019]: imap service init from 200.255.5.8
+May 7 14:55:52 gaucha imapd[2019]: Authenticated user=niguna host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:55:52 gaucha imapd[2019]: Logout user=niguna host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:56:26 gaucha imapd[2103]: imap service init from 200.255.5.8
+May 7 14:56:26 gaucha imapd[2103]: Authenticated user=niguna host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:56:26 gaucha imapd[2103]: Logout user=niguna host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:56:28 gaucha imapd[2108]: imap service init from 200.255.5.8
+May 7 14:56:28 gaucha imapd[2108]: Authenticated user=niguna host=bahiana.resenet.com.br [200.255.5.8]
+May 7 14:56:28 gaucha imapd[2108]: Logout user=niguna host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:10 gaucha imapd[2571]: imap service init from 200.255.5.8
+May 7 15:01:10 gaucha imapd[2571]: Authenticated user=sil host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:10 gaucha imapd[2571]: Logout user=sil host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:11 gaucha imapd[2574]: imap service init from 200.255.5.8
+May 7 15:01:11 gaucha imapd[2574]: Authenticated user=sil host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:12 gaucha imapd[2574]: Logout user=sil host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:17 gaucha imapd[2579]: imap service init from 200.255.5.8
+May 7 15:01:17 gaucha imapd[2579]: Authenticated user=sil host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:17 gaucha imapd[2579]: Logout user=sil host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:20 gaucha imapd[2583]: imap service init from 200.255.5.8
+May 7 15:01:20 gaucha imapd[2583]: Authenticated user=sil host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:20 gaucha imapd[2583]: Logout user=sil host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:21 gaucha imapd[2586]: imap service init from 200.255.5.8
+May 7 15:01:21 gaucha imapd[2586]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:21 gaucha imapd[2586]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:23 gaucha imapd[2591]: imap service init from 200.255.5.8
+May 7 15:01:23 gaucha imapd[2591]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:32 gaucha imapd[2591]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:45 gaucha imapd[2622]: imap service init from 200.255.5.8
+May 7 15:01:45 gaucha imapd[2622]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:01:45 gaucha imapd[2622]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:02:27 gaucha imapd[2694]: imap service init from 200.255.5.8
+May 7 15:02:27 gaucha imapd[2694]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:02:27 gaucha imapd[2694]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:02:32 gaucha imapd[2704]: imap service init from 200.255.5.8
+May 7 15:02:32 gaucha imapd[2704]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:02:32 gaucha imapd[2704]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:02:39 gaucha imapd[2707]: imap service init from 200.255.5.8
+May 7 15:02:39 gaucha imapd[2707]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:02:39 gaucha imapd[2707]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:02:51 gaucha imapd[2716]: imap service init from 200.255.5.8
+May 7 15:02:51 gaucha imapd[2716]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:02:51 gaucha imapd[2716]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:03:00 gaucha imapd[2723]: imap service init from 200.255.5.8
+May 7 15:03:00 gaucha imapd[2723]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:03:00 gaucha imapd[2723]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:03:22 gaucha imapd[2760]: imap service init from 200.255.5.8
+May 7 15:03:22 gaucha imapd[2760]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:03:22 gaucha imapd[2760]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:03:27 gaucha imapd[2765]: imap service init from 200.255.5.8
+May 7 15:03:27 gaucha imapd[2765]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:03:28 gaucha imapd[2765]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:03:50 gaucha imapd[2787]: imap service init from 200.255.5.8
+May 7 15:03:50 gaucha imapd[2787]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:03:50 gaucha imapd[2787]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:03:57 gaucha imapd[2802]: imap service init from 200.255.5.8
+May 7 15:03:57 gaucha imapd[2802]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:03:57 gaucha imapd[2802]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:04:01 gaucha imapd[2806]: imap service init from 200.255.5.8
+May 7 15:04:01 gaucha imapd[2806]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:04:03 gaucha imapd[2806]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:04:26 gaucha imapd[2846]: imap service init from 200.255.5.8
+May 7 15:04:26 gaucha imapd[2846]: Authenticated user=tupa8 host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:04:26 gaucha imapd[2846]: Logout user=tupa8 host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:04:26 gaucha imapd[2847]: imap service init from 200.255.5.8
+May 7 15:04:26 gaucha imapd[2847]: Authenticated user=tupa8 host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:04:26 gaucha imapd[2847]: Logout user=tupa8 host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:06:38 gaucha imapd[2983]: imap service init from 200.255.5.8
+May 7 15:06:38 gaucha imapd[2983]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:06:38 gaucha imapd[2983]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:06:38 gaucha imapd[2984]: imap service init from 200.255.5.8
+May 7 15:06:38 gaucha imapd[2984]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:06:38 gaucha imapd[2984]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:06:43 gaucha imapd[2985]: imap service init from 200.255.5.8
+May 7 15:06:43 gaucha imapd[2985]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:06:43 gaucha imapd[2985]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:06:43 gaucha imapd[2986]: imap service init from 200.255.5.8
+May 7 15:06:43 gaucha imapd[2986]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:06:43 gaucha imapd[2986]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:06:43 gaucha imapd[2987]: imap service init from 200.255.5.8
+May 7 15:06:44 gaucha imapd[2987]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:06:44 gaucha imapd[2987]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:07:14 gaucha imapd[2999]: imap service init from 200.255.5.8
+May 7 15:07:14 gaucha imapd[2999]: Authenticated user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:07:15 gaucha imapd[2999]: Logout user=sesan host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:07:22 gaucha imapd[3001]: imap service init from 200.255.5.8
+May 7 15:07:22 gaucha imapd[3001]: Authenticated user=estudio host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:07:22 gaucha imapd[3001]: Logout user=estudio host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:09:06 gaucha imapd[3166]: imap service init from 200.255.5.8
+May 7 15:09:06 gaucha imapd[3166]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:09:06 gaucha imapd[3166]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:09:07 gaucha imapd[3169]: imap service init from 200.255.5.8
+May 7 15:09:07 gaucha imapd[3169]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:09:07 gaucha imapd[3169]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:09:26 gaucha imapd[3187]: imap service init from 200.255.5.8
+May 7 15:09:26 gaucha imapd[3187]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:09:26 gaucha imapd[3187]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:09:29 gaucha imapd[3188]: imap service init from 200.255.5.8
+May 7 15:09:29 gaucha imapd[3188]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:09:29 gaucha imapd[3188]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:09:32 gaucha imapd[3191]: imap service init from 200.255.5.8
+May 7 15:09:32 gaucha imapd[3191]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:09:32 gaucha imapd[3191]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:22 gaucha imapd[3259]: imap service init from 200.255.5.8
+May 7 15:10:22 gaucha imapd[3259]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:22 gaucha imapd[3259]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:31 gaucha imapd[3263]: imap service init from 200.255.5.8
+May 7 15:10:31 gaucha imapd[3263]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:31 gaucha imapd[3263]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:39 gaucha imapd[3273]: imap service init from 200.255.5.8
+May 7 15:10:39 gaucha imapd[3273]: Authenticated user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:39 gaucha imapd[3273]: Logout user=rfonseca host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:40 gaucha imapd[3275]: imap service init from 200.255.5.8
+May 7 15:10:40 gaucha imapd[3275]: Authenticated user=leobarroso host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:40 gaucha imapd[3275]: Logout user=leobarroso host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:41 gaucha imapd[3276]: imap service init from 200.255.5.8
+May 7 15:10:41 gaucha imapd[3276]: Authenticated user=leobarroso host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:41 gaucha imapd[3276]: Logout user=leobarroso host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:58 gaucha imapd[3283]: imap service init from 200.255.5.8
+May 7 15:10:58 gaucha imapd[3283]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:59 gaucha imapd[3283]: Logout user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:59 gaucha imapd[3285]: imap service init from 200.255.5.8
+May 7 15:10:59 gaucha imapd[3285]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:10:59 gaucha imapd[3285]: Logout user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:11:06 gaucha imapd[3290]: imap service init from 200.255.5.8
+May 7 15:11:06 gaucha imapd[3290]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:11:06 gaucha imapd[3290]: Logout user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:13:03 gaucha imapd[3386]: imap service init from 200.255.5.8
+May 7 15:13:03 gaucha imapd[3386]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:13:03 gaucha imapd[3386]: Logout user=ceopenedo4 host=bahiana.resenet.com.br [200.255.5.8]
+May 7 15:14:04 gaucha imapd[3455]: imap service init from 200.255.5.8
+May 7 15:14:04 gaucha imapd[3455]: Authenticated user=ceopenedo4 host=bahiana.resenet.com.br
+May 9 07:22:56 gaucha imapd[13648]: Logout user=marciabernardes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:23:45 gaucha imapd[13784]: imap service init from 200.255.5.8
+May 9 07:23:45 gaucha imapd[13784]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:23:45 gaucha imapd[13784]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:23:45 gaucha imapd[13785]: imap service init from 200.255.5.8
+May 9 07:23:45 gaucha imapd[13785]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:23:47 gaucha imapd[13785]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:23:53 gaucha imapd[13795]: imap service init from 200.255.5.8
+May 9 07:23:53 gaucha imapd[13795]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:23:53 gaucha imapd[13795]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:24:01 gaucha imapd[13816]: imap service init from 200.255.5.8
+May 9 07:24:01 gaucha imapd[13816]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:24:01 gaucha imapd[13816]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:24:04 gaucha imapd[13824]: imap service init from 200.255.5.8
+May 9 07:24:04 gaucha imapd[13824]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:24:04 gaucha imapd[13824]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:24:06 gaucha imapd[13825]: imap service init from 200.255.5.8
+May 9 07:24:06 gaucha imapd[13825]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:24:06 gaucha imapd[13825]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:24:14 gaucha imapd[13897]: imap service init from 200.255.5.8
+May 9 07:24:14 gaucha imapd[13897]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:24:14 gaucha imapd[13897]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:25:46 gaucha imapd[14162]: imap service init from 200.255.5.8
+May 9 07:25:46 gaucha imapd[14162]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:25:46 gaucha imapd[14162]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:25:46 gaucha imapd[14164]: imap service init from 200.255.5.8
+May 9 07:25:46 gaucha imapd[14164]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:25:47 gaucha imapd[14164]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:03 gaucha imapd[14186]: imap service init from 200.255.5.8
+May 9 07:26:03 gaucha imapd[14186]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:03 gaucha imapd[14186]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:04 gaucha imapd[14190]: imap service init from 200.255.5.8
+May 9 07:26:04 gaucha imapd[14190]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:05 gaucha imapd[14190]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:07 gaucha imapd[14249]: imap service init from 200.255.5.8
+May 9 07:26:07 gaucha imapd[14249]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:07 gaucha imapd[14249]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:10 gaucha imapd[14307]: imap service init from 200.255.5.8
+May 9 07:26:10 gaucha imapd[14307]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:10 gaucha imapd[14307]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:13 gaucha imapd[14316]: imap service init from 200.255.5.8
+May 9 07:26:13 gaucha imapd[14316]: Authenticated user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:13 gaucha imapd[14316]: Logout user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:13 gaucha imapd[14318]: imap service init from 200.255.5.8
+May 9 07:26:13 gaucha imapd[14318]: Authenticated user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:14 gaucha imapd[14318]: Logout user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:16 gaucha imapd[14322]: imap service init from 200.255.5.8
+May 9 07:26:16 gaucha imapd[14322]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:16 gaucha imapd[14322]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:46 gaucha imapd[14421]: imap service init from 200.255.5.8
+May 9 07:26:46 gaucha imapd[14421]: Authenticated user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:46 gaucha imapd[14421]: Logout user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:48 gaucha imapd[14422]: imap service init from 200.255.5.8
+May 9 07:26:48 gaucha imapd[14422]: Authenticated user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:48 gaucha imapd[14422]: Logout user=nicolau host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:53 gaucha imapd[14432]: imap service init from 200.255.5.8
+May 9 07:26:53 gaucha imapd[14432]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:26:53 gaucha imapd[14432]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:27:01 gaucha imapd[14452]: imap service init from 200.255.5.8
+May 9 07:27:01 gaucha imapd[14452]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:27:01 gaucha imapd[14452]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:27:07 gaucha imapd[14463]: imap service init from 200.255.5.8
+May 9 07:27:07 gaucha imapd[14463]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:27:07 gaucha imapd[14463]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:27:20 gaucha imapd[14492]: imap service init from 200.255.5.8
+May 9 07:27:20 gaucha imapd[14492]: Authenticated user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:27:21 gaucha imapd[14492]: Logout user=robertoferraz host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:28:03 gaucha imapd[14618]: imap service init from 200.255.5.8
+May 9 07:28:03 gaucha imapd[14618]: Authenticated user=tetedias host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:28:03 gaucha imapd[14618]: Logout user=tetedias host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:28:18 gaucha imapd[14644]: imap service init from 200.255.5.8
+May 9 07:28:18 gaucha imapd[14644]: Authenticated user=tetedias host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:28:18 gaucha imapd[14644]: Logout user=tetedias host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:28:19 gaucha imapd[14649]: imap service init from 200.255.5.8
+May 9 07:28:19 gaucha imapd[14649]: Authenticated user=tetedias host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:28:19 gaucha imapd[14649]: Logout user=tetedias host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:02 gaucha imapd[15751]: imap service init from 200.255.5.8
+May 9 07:36:02 gaucha imapd[15751]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:02 gaucha imapd[15751]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:03 gaucha imapd[15752]: imap service init from 200.255.5.8
+May 9 07:36:03 gaucha imapd[15752]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:06 gaucha imapd[15752]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:09 gaucha imapd[15763]: imap service init from 200.255.5.8
+May 9 07:36:09 gaucha imapd[15763]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:09 gaucha imapd[15763]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:19 gaucha imapd[15782]: imap service init from 200.255.5.8
+May 9 07:36:19 gaucha imapd[15782]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:19 gaucha imapd[15782]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:33 gaucha imapd[15805]: imap service init from 200.255.5.8
+May 9 07:36:33 gaucha imapd[15805]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:33 gaucha imapd[15805]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:39 gaucha imapd[15811]: imap service init from 200.255.5.8
+May 9 07:36:39 gaucha imapd[15811]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:40 gaucha imapd[15811]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:42 gaucha imapd[15817]: imap service init from 200.255.5.8
+May 9 07:36:42 gaucha imapd[15817]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:36:42 gaucha imapd[15817]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:37:21 gaucha imapd[15954]: imap service init from 200.255.5.8
+May 9 07:37:21 gaucha imapd[15954]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:37:21 gaucha imapd[15954]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:00 gaucha imapd[16051]: imap service init from 200.255.5.8
+May 9 07:38:00 gaucha imapd[16051]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:01 gaucha imapd[16051]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:01 gaucha imapd[16053]: imap service init from 200.255.5.8
+May 9 07:38:01 gaucha imapd[16053]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:01 gaucha imapd[16053]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:14 gaucha imapd[16081]: imap service init from 200.255.5.8
+May 9 07:38:14 gaucha imapd[16081]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:14 gaucha imapd[16081]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:17 gaucha imapd[16139]: imap service init from 200.255.5.8
+May 9 07:38:17 gaucha imapd[16139]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:17 gaucha imapd[16139]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:19 gaucha imapd[16151]: imap service init from 200.255.5.8
+May 9 07:38:19 gaucha imapd[16151]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:19 gaucha imapd[16151]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:22 gaucha imapd[16207]: imap service init from 200.255.5.8
+May 9 07:38:22 gaucha imapd[16207]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:22 gaucha imapd[16207]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:31 gaucha imapd[16229]: imap service init from 200.255.5.8
+May 9 07:38:31 gaucha imapd[16229]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:31 gaucha imapd[16229]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:33 gaucha imapd[16237]: imap service init from 200.255.5.8
+May 9 07:38:33 gaucha imapd[16237]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:33 gaucha imapd[16237]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:36 gaucha imapd[16240]: imap service init from 200.255.5.8
+May 9 07:38:36 gaucha imapd[16240]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:36 gaucha imapd[16240]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:48 gaucha imapd[16260]: imap service init from 200.255.5.8
+May 9 07:38:48 gaucha imapd[16260]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:48 gaucha imapd[16260]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:54 gaucha imapd[16277]: imap service init from 200.255.5.8
+May 9 07:38:54 gaucha imapd[16277]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:54 gaucha imapd[16277]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:58 gaucha imapd[16286]: imap service init from 200.255.5.8
+May 9 07:38:58 gaucha imapd[16286]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:38:58 gaucha imapd[16286]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:05 gaucha imapd[16297]: imap service init from 200.255.5.8
+May 9 07:39:05 gaucha imapd[16297]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:05 gaucha imapd[16297]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:07 gaucha imapd[16301]: imap service init from 200.255.5.8
+May 9 07:39:07 gaucha imapd[16301]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:07 gaucha imapd[16301]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:08 gaucha imapd[16302]: imap service init from 200.255.5.8
+May 9 07:39:08 gaucha imapd[16302]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:09 gaucha imapd[16302]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:10 gaucha imapd[16304]: imap service init from 200.255.5.8
+May 9 07:39:10 gaucha imapd[16304]: Authenticated user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:10 gaucha imapd[16304]: Logout user=dsf host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:16 gaucha imapd[16315]: imap service init from 200.255.5.8
+May 9 07:39:16 gaucha imapd[16315]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:16 gaucha imapd[16315]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:51 gaucha imapd[16397]: imap service init from 200.255.5.8
+May 9 07:39:51 gaucha imapd[16397]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:51 gaucha imapd[16397]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:54 gaucha imapd[16404]: imap service init from 200.255.5.8
+May 9 07:39:54 gaucha imapd[16404]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:39:54 gaucha imapd[16404]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:40:20 gaucha imapd[16514]: imap service init from 200.255.5.8
+May 9 07:40:20 gaucha imapd[16514]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:40:20 gaucha imapd[16514]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:40:22 gaucha imapd[16524]: imap service init from 200.255.5.8
+May 9 07:40:22 gaucha imapd[16524]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:40:22 gaucha imapd[16524]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:40:45 gaucha imapd[16638]: imap service init from 200.255.5.8
+May 9 07:40:45 gaucha imapd[16638]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:40:45 gaucha imapd[16638]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:41:11 gaucha imapd[16683]: imap service init from 200.255.5.8
+May 9 07:41:11 gaucha imapd[16683]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:41:11 gaucha imapd[16683]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:41:21 gaucha imapd[16703]: imap service init from 200.255.5.8
+May 9 07:41:21 gaucha imapd[16703]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:41:21 gaucha imapd[16703]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:41:24 gaucha imapd[16713]: imap service init from 200.255.5.8
+May 9 07:41:24 gaucha imapd[16713]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:41:28 gaucha imapd[16713]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:41:40 gaucha imapd[16789]: imap service init from 200.255.5.8
+May 9 07:41:40 gaucha imapd[16789]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:41:40 gaucha imapd[16789]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:41:57 gaucha imapd[16821]: imap service init from 200.255.5.8
+May 9 07:41:57 gaucha imapd[16821]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:41:58 gaucha imapd[16821]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:42:21 gaucha imapd[16892]: imap service init from 200.255.5.8
+May 9 07:42:21 gaucha imapd[16892]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:42:21 gaucha imapd[16892]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:42:22 gaucha imapd[16897]: imap service init from 200.255.5.8
+May 9 07:42:22 gaucha imapd[16897]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:42:22 gaucha imapd[16897]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:42:28 gaucha imapd[16900]: imap service init from 200.255.5.8
+May 9 07:42:28 gaucha imapd[16900]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:42:28 gaucha imapd[16900]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:42:51 gaucha imapd[16993]: imap service init from 200.255.5.8
+May 9 07:42:51 gaucha imapd[16993]: Authenticated user=bedan host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:42:51 gaucha imapd[16993]: Logout user=bedan host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:42:58 gaucha imapd[17002]: imap service init from 200.255.5.8
+May 9 07:42:58 gaucha imapd[17002]: Authenticated user=bedan host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:43:04 gaucha imapd[17002]: Logout user=bedan host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:43:56 gaucha imapd[17079]: imap service init from 200.255.5.8
+May 9 07:43:56 gaucha imapd[17079]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:43:57 gaucha imapd[17079]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:44:00 gaucha imapd[17086]: imap service init from 200.255.5.8
+May 9 07:44:00 gaucha imapd[17086]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:44:01 gaucha imapd[17086]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:44:08 gaucha imapd[17152]: imap service init from 200.255.5.8
+May 9 07:44:09 gaucha imapd[17152]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:44:09 gaucha imapd[17152]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:44:14 gaucha imapd[17161]: imap service init from 200.255.5.8
+May 9 07:44:14 gaucha imapd[17161]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:44:14 gaucha imapd[17161]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:44:41 gaucha imapd[17217]: imap service init from 200.255.5.8
+May 9 07:44:41 gaucha imapd[17217]: Authenticated user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:44:41 gaucha imapd[17217]: Logout user=pessoal host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:00 gaucha imapd[17263]: imap service init from 200.255.5.8
+May 9 07:45:00 gaucha imapd[17263]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:01 gaucha imapd[17263]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:21 gaucha imapd[17329]: imap service init from 200.255.5.8
+May 9 07:45:21 gaucha imapd[17329]: Authenticated user=noka host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:22 gaucha imapd[17329]: Logout user=noka host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:26 gaucha imapd[17405]: imap service init from 200.255.5.8
+May 9 07:45:29 gaucha imapd[17405]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:32 gaucha imapd[17405]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:35 gaucha imapd[17405]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:35 gaucha imapd[17405]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:39 gaucha imapd[17480]: imap service init from 200.255.5.8
+May 9 07:45:42 gaucha imapd[17480]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:45 gaucha imapd[17480]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:48 gaucha imapd[17480]: AUTHENTICATE LOGIN failure host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:48 gaucha imapd[17480]: Logout user=??? host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:48 gaucha imapd[17488]: imap service init from 200.255.5.8
+May 9 07:45:48 gaucha imapd[17488]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:48 gaucha imapd[17488]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:49 gaucha imapd[17489]: imap service init from 200.255.5.8
+May 9 07:45:49 gaucha imapd[17489]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:49 gaucha imapd[17490]: imap service init from 200.255.5.8
+May 9 07:45:49 gaucha imapd[17490]: Authenticated user=carolduarte host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:49 gaucha imapd[17490]: Logout user=carolduarte host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:49 gaucha imapd[17489]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:49 gaucha imapd[17491]: imap service init from 200.255.5.8
+May 9 07:45:49 gaucha imapd[17491]: Authenticated user=carolduarte host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:52 gaucha imapd[17494]: imap service init from 200.255.5.8
+May 9 07:45:52 gaucha imapd[17494]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:53 gaucha imapd[17494]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:45:59 gaucha imapd[17549]: imap service init from 200.255.5.8
+May 9 07:45:59 gaucha imapd[17549]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:46:00 gaucha imapd[17549]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:46:12 gaucha imapd[17575]: imap service init from 200.255.5.8
+May 9 07:46:12 gaucha imapd[17575]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:46:12 gaucha imapd[17575]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:46:14 gaucha imapd[17577]: imap service init from 200.255.5.8
+May 9 07:46:14 gaucha imapd[17577]: Authenticated user=hype host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:46:15 gaucha imapd[17577]: Logout user=hype host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:47:09 gaucha imapd[17491]: Command stream end of file, while reading line user=carolduarte host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:48:48 gaucha imapd[17978]: imap service init from 200.255.5.8
+May 9 07:48:48 gaucha imapd[17978]: Authenticated user=wald-meister host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:48:48 gaucha imapd[17978]: Logout user=wald-meister host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:48:48 gaucha imapd[17979]: imap service init from 200.255.5.8
+May 9 07:48:48 gaucha imapd[17979]: Authenticated user=wald-meister host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:48:48 gaucha imapd[17979]: Logout user=wald-meister host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:48:54 gaucha imapd[17985]: imap service init from 200.255.5.8
+May 9 07:48:54 gaucha imapd[17985]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:48:54 gaucha imapd[17985]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:48:55 gaucha imapd[17986]: imap service init from 200.255.5.8
+May 9 07:48:55 gaucha imapd[17986]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:48:58 gaucha imapd[17986]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:13 gaucha imapd[18022]: imap service init from 200.255.5.8
+May 9 07:49:13 gaucha imapd[18022]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:13 gaucha imapd[18022]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:17 gaucha imapd[18076]: imap service init from 200.255.5.8
+May 9 07:49:17 gaucha imapd[18076]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:17 gaucha imapd[18076]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:23 gaucha imapd[18094]: imap service init from 200.255.5.8
+May 9 07:49:23 gaucha imapd[18094]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:23 gaucha imapd[18094]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:33 gaucha imapd[18164]: imap service init from 200.255.5.8
+May 9 07:49:33 gaucha imapd[18164]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:33 gaucha imapd[18164]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:39 gaucha imapd[18191]: imap service init from 200.255.5.8
+May 9 07:49:39 gaucha imapd[18191]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:40 gaucha imapd[18191]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:42 gaucha imapd[18199]: imap service init from 200.255.5.8
+May 9 07:49:42 gaucha imapd[18199]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:42 gaucha imapd[18199]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:47 gaucha imapd[18225]: imap service init from 200.255.5.8
+May 9 07:49:47 gaucha imapd[18225]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:49:47 gaucha imapd[18225]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:02 gaucha imapd[18304]: imap service init from 200.255.5.8
+May 9 07:50:02 gaucha imapd[18304]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:02 gaucha imapd[18304]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:05 gaucha imapd[18319]: imap service init from 200.255.5.8
+May 9 07:50:05 gaucha imapd[18319]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:05 gaucha imapd[18319]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:10 gaucha imapd[18350]: imap service init from 200.255.5.8
+May 9 07:50:10 gaucha imapd[18350]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:10 gaucha imapd[18350]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:13 gaucha imapd[18411]: imap service init from 200.255.5.8
+May 9 07:50:13 gaucha imapd[18411]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:13 gaucha imapd[18411]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:16 gaucha imapd[18420]: imap service init from 200.255.5.8
+May 9 07:50:16 gaucha imapd[18420]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:16 gaucha imapd[18420]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:33 gaucha imapd[18508]: imap service init from 200.255.5.8
+May 9 07:50:33 gaucha imapd[18508]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:33 gaucha imapd[18508]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:38 gaucha imapd[18527]: imap service init from 200.255.5.8
+May 9 07:50:38 gaucha imapd[18527]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:38 gaucha imapd[18527]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:57 gaucha imapd[18626]: imap service init from 200.255.5.8
+May 9 07:50:57 gaucha imapd[18626]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:50:57 gaucha imapd[18626]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:51:04 gaucha imapd[18650]: imap service init from 200.255.5.8
+May 9 07:51:04 gaucha imapd[18650]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:51:05 gaucha imapd[18650]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:51:07 gaucha imapd[18670]: imap service init from 200.255.5.8
+May 9 07:51:07 gaucha imapd[18670]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:51:07 gaucha imapd[18670]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:51:15 gaucha imapd[18708]: imap service init from 200.255.5.8
+May 9 07:51:15 gaucha imapd[18708]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:51:15 gaucha imapd[18708]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:51:57 gaucha imapd[18897]: imap service init from 200.255.5.8
+May 9 07:51:58 gaucha imapd[18897]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:51:58 gaucha imapd[18897]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:52:14 gaucha imapd[18968]: imap service init from 200.255.5.8
+May 9 07:52:14 gaucha imapd[18968]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:52:15 gaucha imapd[18968]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:52:17 gaucha imapd[18986]: imap service init from 200.255.5.8
+May 9 07:52:17 gaucha imapd[18986]: Authenticated user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:52:17 gaucha imapd[18986]: Logout user=lenita host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:53:53 gaucha imapd[19553]: imap service init from 200.255.5.8
+May 9 07:53:53 gaucha imapd[19553]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:53:53 gaucha imapd[19553]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:53:54 gaucha imapd[19558]: imap service init from 200.255.5.8
+May 9 07:53:54 gaucha imapd[19558]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:53:54 gaucha imapd[19558]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:54:24 gaucha imapd[19699]: imap service init from 200.255.5.8
+May 9 07:54:24 gaucha imapd[19699]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:54:24 gaucha imapd[19699]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:54:29 gaucha imapd[19724]: imap service init from 200.255.5.8
+May 9 07:54:29 gaucha imapd[19724]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:54:29 gaucha imapd[19724]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:54:33 gaucha imapd[19747]: imap service init from 200.255.5.8
+May 9 07:54:33 gaucha imapd[19747]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:54:33 gaucha imapd[19747]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:55:07 gaucha imapd[20068]: imap service init from 200.255.5.8
+May 9 07:55:07 gaucha imapd[20068]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:55:07 gaucha imapd[20068]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:55:19 gaucha imapd[20104]: imap service init from 200.255.5.8
+May 9 07:55:19 gaucha imapd[20104]: Authenticated user=valseved host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:55:19 gaucha imapd[20104]: Logout user=valseved host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:55:19 gaucha imapd[20105]: imap service init from 200.255.5.8
+May 9 07:55:19 gaucha imapd[20105]: Authenticated user=valseved host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:55:27 gaucha imapd[20105]: Logout user=valseved host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:56:24 gaucha imapd[20542]: imap service init from 200.255.5.8
+May 9 07:56:24 gaucha imapd[20542]: Authenticated user=valseved host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:56:24 gaucha imapd[20542]: Logout user=valseved host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:59:06 gaucha imapd[20981]: imap service init from 200.255.5.8
+May 9 07:59:06 gaucha imapd[20981]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:59:06 gaucha imapd[20981]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:59:06 gaucha imapd[20982]: imap service init from 200.255.5.8
+May 9 07:59:06 gaucha imapd[20982]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:59:09 gaucha imapd[20982]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:59:43 gaucha imapd[21049]: imap service init from 200.255.5.8
+May 9 07:59:43 gaucha imapd[21049]: Authenticated user=auditar host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:59:43 gaucha imapd[21049]: Logout user=auditar host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:59:43 gaucha imapd[21050]: imap service init from 200.255.5.8
+May 9 07:59:43 gaucha imapd[21050]: Authenticated user=auditar host=bahiana.resenet.com.br [200.255.5.8]
+May 9 07:59:43 gaucha imapd[21050]: Logout user=auditar host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:00:21 gaucha imapd[21262]: imap service init from 200.255.5.8
+May 9 08:00:21 gaucha imapd[21262]: Authenticated user=auditar host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:00:21 gaucha imapd[21262]: Logout user=auditar host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:00:23 gaucha imapd[21271]: imap service init from 200.255.5.8
+May 9 08:00:23 gaucha imapd[21271]: Authenticated user=auditar host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:00:23 gaucha imapd[21271]: Logout user=auditar host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:00:37 gaucha imapd[21282]: imap service init from 200.255.5.8
+May 9 08:00:37 gaucha imapd[21282]: Authenticated user=bgr host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:00:37 gaucha imapd[21282]: Logout user=bgr host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:00:38 gaucha imapd[21283]: imap service init from 200.255.5.8
+May 9 08:00:38 gaucha imapd[21283]: Authenticated user=bgr host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:00:38 gaucha imapd[21283]: Logout user=bgr host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:00:58 gaucha imapd[21362]: imap service init from 200.255.5.8
+May 9 08:00:58 gaucha imapd[21362]: Authenticated user=auditarconsultoria host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:00:58 gaucha imapd[21362]: Logout user=auditarconsultoria host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:00:58 gaucha imapd[21363]: imap service init from 200.255.5.8
+May 9 08:00:58 gaucha imapd[21363]: Authenticated user=auditarconsultoria host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:00:58 gaucha imapd[21363]: Logout user=auditarconsultoria host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:01:28 gaucha imapd[21427]: imap service init from 200.255.5.8
+May 9 08:01:28 gaucha imapd[21427]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:01:28 gaucha imapd[21427]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:01:43 gaucha imapd[21459]: imap service init from 200.255.5.8
+May 9 08:01:43 gaucha imapd[21459]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:01:43 gaucha imapd[21459]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:01:44 gaucha imapd[21460]: imap service init from 200.255.5.8
+May 9 08:01:44 gaucha imapd[21460]: Authenticated user=diretori host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:01:44 gaucha imapd[21460]: Logout user=diretori host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:01:46 gaucha imapd[21462]: imap service init from 200.255.5.8
+May 9 08:01:46 gaucha imapd[21462]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:01:47 gaucha imapd[21462]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:02:03 gaucha imapd[21486]: imap service init from 200.255.5.8
+May 9 08:02:03 gaucha imapd[21486]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:02:04 gaucha imapd[21486]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:02:05 gaucha imapd[21491]: imap service init from 200.255.5.8
+May 9 08:02:05 gaucha imapd[21491]: Authenticated user=martti host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:02:06 gaucha imapd[21491]: Logout user=martti host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:01 gaucha imapd[21603]: imap service init from 200.255.5.8
+May 9 08:03:01 gaucha imapd[21603]: Authenticated user=jurac_lo host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:01 gaucha imapd[21603]: Logout user=jurac_lo host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:02 gaucha imapd[21610]: imap service init from 200.255.5.8
+May 9 08:03:02 gaucha imapd[21610]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:02 gaucha imapd[21610]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:02 gaucha imapd[21611]: imap service init from 200.255.5.8
+May 9 08:03:02 gaucha imapd[21611]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:04 gaucha imapd[21611]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:05 gaucha imapd[21615]: imap service init from 200.255.5.8
+May 9 08:03:06 gaucha imapd[21615]: Authenticated user=jurac_lo host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:06 gaucha imapd[21615]: Logout user=jurac_lo host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:10 gaucha imapd[21620]: imap service init from 200.255.5.8
+May 9 08:03:10 gaucha imapd[21620]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:10 gaucha imapd[21620]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:13 gaucha imapd[21632]: imap service init from 200.255.5.8
+May 9 08:03:13 gaucha imapd[21632]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:13 gaucha imapd[21632]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:28 gaucha imapd[21652]: imap service init from 200.255.5.8
+May 9 08:03:28 gaucha imapd[21652]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:28 gaucha imapd[21652]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:31 gaucha imapd[21658]: imap service init from 200.255.5.8
+May 9 08:03:31 gaucha imapd[21658]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:31 gaucha imapd[21658]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:44 gaucha imapd[21671]: imap service init from 200.255.5.8
+May 9 08:03:44 gaucha imapd[21671]: Authenticated user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:44 gaucha imapd[21671]: Logout user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:55 gaucha imapd[21693]: imap service init from 200.255.5.8
+May 9 08:03:55 gaucha imapd[21693]: Authenticated user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:56 gaucha imapd[21693]: Logout user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:59 gaucha imapd[21695]: imap service init from 200.255.5.8
+May 9 08:03:59 gaucha imapd[21695]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:03:59 gaucha imapd[21695]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:01 gaucha imapd[21699]: imap service init from 200.255.5.8
+May 9 08:04:01 gaucha imapd[21699]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:01 gaucha imapd[21699]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:19 gaucha imapd[21725]: imap service init from 200.255.5.8
+May 9 08:04:19 gaucha imapd[21725]: Authenticated user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:19 gaucha imapd[21725]: Logout user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:23 gaucha imapd[21735]: imap service init from 200.255.5.8
+May 9 08:04:23 gaucha imapd[21735]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:23 gaucha imapd[21735]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:26 gaucha imapd[21743]: imap service init from 200.255.5.8
+May 9 08:04:26 gaucha imapd[21743]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:26 gaucha imapd[21743]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:32 gaucha imapd[21749]: imap service init from 200.255.5.8
+May 9 08:04:32 gaucha imapd[21749]: Authenticated user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:46 gaucha imapd[21749]: Logout user=cooperarh host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:55 gaucha imapd[21881]: imap service init from 200.255.5.8
+May 9 08:04:55 gaucha imapd[21881]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:56 gaucha imapd[21881]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:58 gaucha imapd[21940]: imap service init from 200.255.5.8
+May 9 08:04:58 gaucha imapd[21940]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:04:58 gaucha imapd[21940]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:01 gaucha imapd[21947]: imap service init from 200.255.5.8
+May 9 08:05:01 gaucha imapd[21947]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:01 gaucha imapd[21947]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:05 gaucha imapd[21964]: imap service init from 200.255.5.8
+May 9 08:05:05 gaucha imapd[21964]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:05 gaucha imapd[21964]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:18 gaucha imapd[22030]: imap service init from 200.255.5.8
+May 9 08:05:18 gaucha imapd[22030]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:18 gaucha imapd[22030]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:21 gaucha imapd[22038]: imap service init from 200.255.5.8
+May 9 08:05:21 gaucha imapd[22038]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:22 gaucha imapd[22038]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:24 gaucha imapd[22040]: imap service init from 200.255.5.8
+May 9 08:05:24 gaucha imapd[22040]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:24 gaucha imapd[22040]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:35 gaucha imapd[22057]: imap service init from 200.255.5.8
+May 9 08:05:35 gaucha imapd[22057]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:35 gaucha imapd[22057]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:37 gaucha imapd[22062]: imap service init from 200.255.5.8
+May 9 08:05:37 gaucha imapd[22062]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:37 gaucha imapd[22062]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:40 gaucha imapd[22067]: imap service init from 200.255.5.8
+May 9 08:05:40 gaucha imapd[22067]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:40 gaucha imapd[22067]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:55 gaucha imapd[22140]: imap service init from 200.255.5.8
+May 9 08:05:55 gaucha imapd[22140]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:05:56 gaucha imapd[22140]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:06:13 gaucha imapd[22167]: imap service init from 200.255.5.8
+May 9 08:06:13 gaucha imapd[22167]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:06:13 gaucha imapd[22167]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:06:18 gaucha imapd[22176]: imap service init from 200.255.5.8
+May 9 08:06:18 gaucha imapd[22176]: Authenticated user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:06:18 gaucha imapd[22176]: Logout user=resenet host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:06:31 gaucha imapd[22209]: imap service init from 200.255.5.8
+May 9 08:06:31 gaucha imapd[22209]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:06:31 gaucha imapd[22209]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:06:31 gaucha imapd[22212]: imap service init from 200.255.5.8
+May 9 08:06:31 gaucha imapd[22212]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:06:43 gaucha imapd[22212]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:32 gaucha imapd[22350]: imap service init from 200.255.5.8
+May 9 08:07:32 gaucha imapd[22350]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:33 gaucha imapd[22350]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:36 gaucha imapd[22355]: imap service init from 200.255.5.8
+May 9 08:07:36 gaucha imapd[22355]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:36 gaucha imapd[22355]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:48 gaucha imapd[22382]: imap service init from 200.255.5.8
+May 9 08:07:48 gaucha imapd[22382]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:48 gaucha imapd[22382]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:48 gaucha imapd[22387]: imap service init from 200.255.5.8
+May 9 08:07:48 gaucha imapd[22387]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:48 gaucha imapd[22387]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:51 gaucha imapd[22395]: imap service init from 200.255.5.8
+May 9 08:07:51 gaucha imapd[22395]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:51 gaucha imapd[22395]: Logout user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:55 gaucha imapd[22401]: imap service init from 200.255.5.8
+May 9 08:07:55 gaucha imapd[22401]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:55 gaucha imapd[22401]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:58 gaucha imapd[22409]: imap service init from 200.255.5.8
+May 9 08:07:58 gaucha imapd[22409]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:07:58 gaucha imapd[22409]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:08:00 gaucha imapd[22417]: imap service init from 200.255.5.8
+May 9 08:08:00 gaucha imapd[22417]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:08:00 gaucha imapd[22417]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:08:09 gaucha imapd[22427]: imap service init from 200.255.5.8
+May 9 08:08:10 gaucha imapd[22427]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:08:10 gaucha imapd[22427]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:08:55 gaucha imapd[22498]: imap service init from 200.255.5.8
+May 9 08:08:55 gaucha imapd[22498]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:08:55 gaucha imapd[22498]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:08:58 gaucha imapd[22502]: imap service init from 200.255.5.8
+May 9 08:08:58 gaucha imapd[22502]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:04 gaucha imapd[22502]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:12 gaucha imapd[22530]: imap service init from 200.255.5.8
+May 9 08:09:12 gaucha imapd[22530]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:13 gaucha imapd[22530]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:14 gaucha imapd[22539]: imap service init from 200.255.5.8
+May 9 08:09:14 gaucha imapd[22539]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:15 gaucha imapd[22539]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:19 gaucha imapd[22600]: imap service init from 200.255.5.8
+May 9 08:09:19 gaucha imapd[22600]: Authenticated user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:19 gaucha imapd[22600]: Logout user=rgmuller host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:24 gaucha imapd[22604]: imap service init from 200.255.5.8
+May 9 08:09:24 gaucha imapd[22604]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:24 gaucha imapd[22604]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:25 gaucha imapd[22606]: imap service init from 200.255.5.8
+May 9 08:09:25 gaucha imapd[22606]: Authenticated user=fonterra host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:26 gaucha imapd[22606]: Logout user=fonterra host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:26 gaucha imapd[22608]: imap service init from 200.255.5.8
+May 9 08:09:26 gaucha imapd[22608]: Authenticated user=fonterra host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:27 gaucha imapd[22608]: Logout user=fonterra host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:51 gaucha imapd[22633]: imap service init from 200.255.5.8
+May 9 08:09:51 gaucha imapd[22633]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:52 gaucha imapd[22633]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:58 gaucha imapd[22650]: imap service init from 200.255.5.8
+May 9 08:09:58 gaucha imapd[22650]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:09:58 gaucha imapd[22650]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:10:17 gaucha imapd[22800]: imap service init from 200.255.5.8
+May 9 08:10:17 gaucha imapd[22800]: Authenticated user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:10:17 gaucha imapd[22800]: Logout user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:10:18 gaucha imapd[22801]: imap service init from 200.255.5.8
+May 9 08:10:18 gaucha imapd[22801]: Authenticated user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:10:18 gaucha imapd[22801]: Logout user=diegoperes host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:10:19 gaucha imapd[22805]: imap service init from 200.255.5.8
+May 9 08:10:19 gaucha imapd[22805]: Authenticated user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:10:20 gaucha imapd[22805]: Logout user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:10:30 gaucha imapd[22825]: imap service init from 200.255.5.8
+May 9 08:10:30 gaucha imapd[22825]: Authenticated user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:10:30 gaucha imapd[22825]: Logout user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:10:38 gaucha imapd[22836]: imap service init from 200.255.5.8
+May 9 08:10:38 gaucha imapd[22836]: Authenticated user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:10:38 gaucha imapd[22836]: Logout user=terabyte host=bahiana.resenet.com.br [200.255.5.8]
+May 9 08:11:00 gaucha imapd[22914]: imap service init from 200.255.5.8
+May 9 08:11:00 gaucha imapd[22914]: Authenticated user=claudiadessimoni host=bahiana.resenet.com.br [200.255.5.8]
--- /dev/null
+kernel: tcp_parse_options: Illegal window scaling value 200 >14 received.
--- /dev/null
+OSSEC HIDS Notification.
+2006 May 25 17:07:58
+
+Received From: (gaucha) 200.255.5.5->/var/log/maillog
+Rule: 6254 fired (level 10) -> "Multiple attempts to send e-mail from invalid/unkonown sender domain.'"
+Portion of the log(s):
+
+sm-mta[20900]: k4PK8NYf020900: ruleset=check_mail, arg1=<brbomaquinas@brbom.com>, relay=200-138-41-205.ctame705.dsl.brasiltelecom.net.br [200.138.41.205] (may be forged), reject=553 5.1.8 <brbomaquinas@brbom.com>... Domain of sender address brbomaquinas@brbom.com does not exist
+sm-mta[20881]: k4PK8FOQ020881: ruleset=check_mail, arg1=<brbomaquinas@brbom.com>, relay=200-138-41-205.ctame705.dsl.brasiltelecom.net.br [200.138.41.205] (may be forged), reject=553 5.1.8 <brbomaquinas@brbom.com>... Domain of sender address brbomaquinas@brbom.com does not exist
+sm-mta[20867]: k4PK86E0020867: ruleset=check_mail, arg1=<brbomaquinas@brbom.com>, relay=200-138-41-205.ctame705.dsl.brasiltelecom.net.br [200.138.41.205] (may be forged), reject=553 5.1.8 <brbomaquinas@brbom.com>... Domain of sender address brbomaquinas@brbom.com does not exist
+
+
+
+
+OSSEC HIDS Notification.
+2006 May 25 16:40:15
+
+Received From: (gaucha) 200.255.5.5->/var/log/maillog
+Rule: 6253 fired (level 10) -> "Multiple relaying attepmts for spam.'"
+Portion of the log(s):
+
+sm-mta[14582]: k4PJeY7S014582: ruleset=check_rcpt, arg1=<andre.pereira@gerdau.com.br>, relay=200-207-91-189.speedycti.com.br [200.207.91.189] (may be forged), reject=550 5.7.1 <andre.pereira@gerdau.com.br>... Relaying denied. IP name possibly forged [200.207.91.189]
+sm-mta[14582]: k4PJeY7S014582: ruleset=check_rcpt, arg1=<andre.nichele@gerdau.com.br>, relay=200-207-91-189.speedycti.com.br [200.207.91.189] (may be forged), reject=550 5.7.1 <andre.nichele@gerdau.com.br>... Relaying denied. IP name possibly forged [200.207.91.189]
+sm-mta[14582]: k4PJeY7S014582: ruleset=check_rcpt, arg1=<andre.celiberto@gerdau.com.br>, relay=200-207-91-189.speedycti.com.br [200.207.91.189] (may be forged), reject=550 5.7.1 <andre.celiberto@gerdau.com.br>... Relaying denied. IP name possibly forged [200.207.91.189]
+
+
+
+ --END OF NOTIFICATION
+
+
+
+OSSEC HIDS Notification.
+2006 May 24 20:25:21
+
+Received From: (gaucha) 200.255.5.5->/var/log/maillog
+Rule: 6253 fired (level 10) -> "Multiple relaying attepmts for spam.'"
+Portion of the log(s):
+
+sm-mta[22707]: ruleset=check_relay, arg1=[201.29.120.119], arg2=127.0.0.4, relay=120119.user.veloxzone.com.br [201.29.120.119] (may be forged), reject=550 5.7.1 Rejected: 201.29.120.119 listed at sbl-xbl.spamhaus.org
+sm-mta[22675]: ruleset=check_relay, arg1=[201.29.120.119], arg2=127.0.0.4, relay=120119.user.veloxzone.com.br [201.29.120.119] (may be forged), reject=550 5.7.1 Rejected: 201.29.120.119 listed at sbl-xbl.spamhaus.org
+sm-mta[22653]: ruleset=check_relay, arg1=[201.29.120.119], arg2=127.0.0.4, relay=120119.user.veloxzone.com.br [201.29.120.119] (may be forged), reject=550 5.7.1 Rejected: 201.29.120.119 listed at sbl-xbl.spamhaus.org
+sm-mta[22625]: ruleset=check_relay, arg1=[201.29.120.119], arg2=127.0.0.4, relay=120119.user.veloxzone.com.br [201.29.120.119] (may be forged), reject=550 5.7.1 Rejected: 201.29.120.119 listed at sbl-xbl.spamhaus.org
+
+
+
+
+OSSEC HIDS Notification.
+2006 May 25 03:13:08
+
+Received From: (gaucha) 200.255.5.5->/var/log/maillog
+Rule: 6253 fired (level 10) -> "Multiple relaying attepmts for spam.'"
+Portion of the log(s):
+
+sm-mta[21399]: ruleset=check_relay, arg1=[201.24.166.179], arg2=127.0.0.5, relay=201-24-166-179.gnace703.dsl.brasiltelecom.net.br [201.24.166.179] (may be forged), reject=550 5.7.1 Rejected: 201.24.166.179 listed at sbl-xbl.spamhaus.org
+sm-mta[21392]: ruleset=check_relay, arg1=[201.24.166.179], arg2=127.0.0.5, relay=201-24-166-179.gnace703.dsl.brasiltelecom.net.br [201.24.166.179] (may be forged), reject=550 5.7.1 Rejected: 201.24.166.179 listed at sbl-xbl.spamhaus.org
+sm-mta[21377]: ruleset=check_relay, arg1=[201.24.166.179], arg2=127.0.0.5, relay=201-24-166-179.gnace703.dsl.brasiltelecom.net.br [201.24.166.179] (may be forged), reject=550 5.7.1 Rejected: 201.24.166.179 listed at sbl-xbl.spamhaus.org
+sm-mta[21373]: ruleset=check_relay, arg1=[201.24.166.179], arg2=127.0.0.5, relay=201-24-166-179.gnace703.dsl.brasiltelecom.net.br [201.24.166.179] (may be forged), reject=550 5.7.1 Rejected: 201.24.166.179 listed at sbl-xbl.spamhaus.org
+
+
+
+ --END OF NOTIFICATION
+
+
--- /dev/null
+pop3d: authentication error: Input/output error
+pop3d: authentication error: Input/output error
+postfix/postfix-script: fatal: the Postfix mail system is not running
+postfix/postfix-script: fatal: the Postfix mail system is not running
+
+OSSEC HIDS Notification.
+2006 May 25 03:50:36
+
+Received From: /var/log/maillog
+Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
+Portion of the log(s):
+
+ postfix/smtp[8909]: 774C14AEF2: to=<rj-bounces@spacedelic.com.br>, relay=127.0.0.1[127.0.0.1], delay=423, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 Local Error (in reply to end of DATA command))
+
+
+
+ --END OF NOTIFICATION
+
+
+OSSEC HIDS Notification.
+2006 May 25 03:32:34
+
+Received From: /var/log/maillog
+Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
+Portion of the log(s):
+
+scorpion postfix/smtp[9144]: connect to rmailb2.walla.co.il[192.118.82.145]: Connection refused (port 25)
+
+
+
+ --END OF NOTIFICATION
+
--- /dev/null
+> 1:Nov 30 18:01:53 xx.xx.xx.xx ns204: NetScreen device_id=ns204
+> [Root]system-critical-00027: 2nd push has been confirmed. (2005-11-30
+> 17:56:44)
+>
+> 2:Nov 30 18:01:59 xx.xx.xx.xx ns204: NetScreen device_id=ns204
+> [Root]system-critical-00027: Configuration Erase sequence accepted,
+> unit reset. (2005-11-30 17:56:50)
+>
+> 3:Nov 30 18:01:59 xx.xx.xx.xx ns204: NetScreen device_id=ns204
+> [Root]system-notification-00033: NSM keys were deleted. (2005-11-30
+> 17:56:50)
--- /dev/null
+May 21 20:20:44 slacker proftpd[25526] slacker.lab.ossec.net: ProFTPD 1.2.10 (stable) (built Tue Aug 2 22:33:07 PDT 2005) standalone mode STARTUP
+May 21 20:21:18 slacker proftpd[25530] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session opened.
+May 21 20:21:21 slacker proftpd[25530] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): no such user 'a'
+May 21 20:21:21 slacker proftpd[25530] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): USER a: no such user found from 192.168.2.10 [192.168.2.10] to 192.168.2.32:21
+May 21 20:22:14 slacker proftpd[25530] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session closed.
+May 21 20:22:15 slacker proftpd[25556] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session opened.
+May 21 20:22:28 slacker proftpd[25556] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): USER dcid: Login successful.
+May 21 20:22:35 slacker proftpd[25556] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session closed.
+May 21 20:22:42 slacker proftpd[25557] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session opened.
+May 21 20:22:44 slacker proftpd[25557] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): USER dcid (Login failed): Incorrect password.
+May 21 20:22:46 slacker proftpd[25557] slacker.lab.ossec.net (192.168.2.10[192.168.2.10]): FTP session closed.
+
+May 30 14:41:52 valhalla proftpd[11727]: valhalla.ahmetozturk.name.tr (85.103.201.222[85.103.201.222]) - unable to find open port in PassivePorts range 65532-65533: defaulting to INPORT_ANY
+May 30 15:39:27 valhalla proftpd[13464]: valhalla.ahmetozturk.name.tr (212.156.175.130[212.156.175.130]) - unable to find open port in PassivePorts range 65532-65533: defaulting to INPORT_ANY
+
+
+May 29 18:49:42 valhalla proftpd[16661]: valhalla.ahmetozturk.name.tr (85.103.107.214[85.103.107.214]) - Refused PORT 192,168,1,33,4,83 (address mismatch)
+May 31 13:11:38 valhalla proftpd[10486]: valhalla.ahmetozturk.name.tr (85.102.240.252[85.102.240.252]) - Refused PORT 10,0,65,23,19,139 (address mismatch)
+
+
+Jun 1 11:51:24 valhalla proftpd[7301]: valhalla.ahmetozturk.name.tr (81.215.6.178[81.215.6.178]) - Maximum login attempts (3) exceeded
+Jun 1 11:51:24 valhalla proftpd[7301]: valhalla.ahmetozturk.name.tr (81.215.6.178[81.215.6.178]) - Maximum login attempts (3) exceeded
+
+
+
+May 29 11:27:28 hayaletgemi proftpd[4874]: warning: host name/name mismatch: www.ahmetozturk.name.tr != nil.alannim.com
+Jun 3 07:48:10 hayaletgemi proftpd[1026]: warning: host name/address mismatch: 216.117.134.168 != nameservices.net
+
+
+Jun 2 15:07:14 hayaletgemi proftpd[458988]: warning: can't verify hostname: gethostbyname(designstudio) failed
+Jun 3 15:35:28 hayaletgemi proftpd[696376]: warning: can't verify hostname: gethostbyname(dsl.dynamic859612386.ttnet.net.tr) failed
+
+
+
+May 30 17:06:40 queen proftpd[1769554]: connect from 212.146.159.45
+May 30 21:46:50 queen proftpd[2142266]: connect from 88.224.90.235
+
+
+May 30 21:04:35 valhalla proftpd[22104]: valhalla.ahmetozturk.name.tr (85.97.67.160[85.97.67.160]) - FTP no transfer timeout, disconnected
+May 30 22:53:09 valhalla proftpd[24395]: valhalla.ahmetozturk.name.tr (88.240.52.97[88.240.52.97]) - FTP no transfer timeout, disconnected
+
+
+May 31 06:50:39 valhalla proftpd[345]: valhalla.ahmetozturk.name.tr (217.20.94.150[217.20.94.150]) - FTP login timed out, disconnected
+May 31 15:13:38 valhalla proftpd[14273]: valhalla.ahmetozturk.name.tr (85.104.215.80[85.104.215.80]) - FTP login timed out, disconnected
+
+
+
+May 31 11:26:23 valhalla proftpd[6399]: valhalla.ahmetozturk.name.tr (88.226.116.196[88.226.116.196]) - FTP session idle timeout, disconnected.
+May 31 13:10:54 valhalla proftpd[8987]: valhalla.ahmetozturk.name.tr (85.104.215.80[85.104.215.80]) - FTP session idle timeout, disconnected.
+
+
+May 30 13:44:57 valhalla proftpd[8521]: valhalla.ahmetozturk.name.tr (84.134.231.103[84.134.231.103]) - Data transfer stall timeout: 3600 seconds
+Jun 3 08:24:13 valhalla proftpd[24038]: valhalla.ahmetozturk.name.tr (85.104.252.16[85.104.252.16]) - Data transfer stall timeout: 3600 seconds
+
+
+May 29 15:13:37 whale proftpd[4555]: whale.ahmetozturk.name.tr (dsl85-105-3059.ttnet.net.tr[85.105.10.139]) - ProFTPD terminating (signal 11)
+May 29 15:13:53 whale proftpd[4592]: whale.ahmetozturk.name.tr (dsl85-105-3059.ttnet.net.tr[85.105.10.139]) - ProFTPD terminating (signal 11)
+
+
+May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 10 entries to 20 entries
+May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 20 entries to 40 entries
+May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 40 entries to 80 entries
+May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 80 entries to 160 entries
+May 30 17:21:53 whale proftpd[2056246]: whale.ahmetozturk.name.tr (193.140.92.250[193.140.92.250]) - Reallocating sreaddir buffer from 160 entries to 320 entries
+
+
+May 30 16:22:39 whale proftpd[25749]: whale.ahmetozturk.name.tr (adsl85-105-30850.tt.net.tr[85.105.10.222]) - listen() failed in inet_listen(): Address already in use
+May 31 13:21:13 whale proftpd[15942]: whale.ahmetozturk.name.tr (adsl85-105-30850.tt.net.tr[85.105.10.222]) - listen() failed in inet_listen(): Address already in use
--- /dev/null
+smbd[12252]: getpeername failed. Error was Transport endpoint is not connected
+smbd[12252]: Denied connection from (0.0.0.0)
+smbd[12252]: getpeername failed. Error was Transport endpoint is not connected
+smbd[12252]: Connection denied from 0.0.0.0
+smbd[12252]: write_socket_data: write failure. Error = Connection reset by peer
+smbd[12252]: write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection reset by peer
+smbd[12252]: Error writing 5 bytes to client. -1. (Connection reset by peer)
+May 31 15:54:18 homesmbsrv smbd[124]: Permission denied-- user not allowed to delete, pause, or resume print job. User name: oahmet. Printer name: prnq1.
+
--- /dev/null
+A clean mail:
+
+Mar 19 08:21:13 h780152 spamd[11565]: connection from localhost [127.0.0.1] at port 49144
+Mar 19 08:21:13 h780152 spamd[11565]: checking message <20060318231614.f9991a2d.johnxj@comcast.net> for root:98.
+Mar 19 08:21:14 h780152 spamd[11565]: clean message (0.0/6.0) for root:98 in 1.6 seconds, 3347 bytes.
+Mar 19 08:21:14 h780152 spamd[11565]: result: . 0 - AWL,FORGED_RCVD_HELO scantime=1.6,size=3347,mid=<20060318231614.f9991a2d.johnxj@comcast.net>,autolearn=ham
+Mar 19 08:21:14 h780152 qmail-scanner[25042]: Clear:RC:0(217.72.192.234):SA:0(0.0/6.0): 1.681359 3302 sylpheed-admin@good-day.net peter@ifup.de [sylpheed:27685]_Sync_two_copies_of_Sylpheed <20060318231614.f9991a2d.johnxj@comcast.net> 1142752873.25044-0.ifup.de:898
+
+
+and a recogniced spam:
+
+Mar 19 08:36:33 h780152 spamd[18424]: connection from localhost [127.0.0.1] at port 49145
+Mar 19 08:36:33 h780152 spamd[18424]: checking message <3388717865.3821662804@douglas.co.za> for root:98.
+Mar 19 08:36:37 h780152 spamd[18424]: identified spam (8.1/6.0) for root:98 in 4.2 seconds, 1432 bytes.
+Mar 19 08:36:37 h780152 spamd[18424]: result: Y 8 - FORGED_RCVD_HELO,INFO_TLD,RCVD_BY_IP,RCVD_IN_XBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=4.2,size=1432,mid=<3388717865.3821662804@douglas.co.za>,autolearn=no
+Mar 19 08:36:37 h780152 qmail-scanner[31528]: Clear:RC:0(213.165.64.100):SA:1(8.1/6.0): 4.195255 1371 srs0=k3bc=5k=douglas.co.za=deonegqf@gmx.net peter@ifup.de $E}{UALLYY_EXPLICIT:_Group_glorious_teens_hardcoore <3388717865.3821662804@douglas.co.za> 1142753793.31530-0.ifup.de:134
+
+
+Thanks Peter
--- /dev/null
+Jul 7 10:51:24 eva sshd[19537]: Invalid user admin from 83.15.231.75
+Jul 7 10:51:25 eva sshd[19539]: Invalid user admin from 83.15.231.75
+Jul 7 10:51:26 eva sshd[19542]: Invalid user admin from 83.15.231.75
+Jul 7 10:51:26 eva sshd[19544]: Invalid user admin from 83.15.231.75
+Jul 7 10:51:28 eva sshd[19546]: Invalid user admin from 83.15.231.75
+Jul 7 10:51:28 eva sshd[19548]: Invalid user admin from 83.15.231.75
+Jul 7 10:51:29 eva sshd[19550]: Invalid user admin from 83.15.231.75
+Jul 7 10:51:30 eva sshd[19553]: Invalid user admin from 83.15.231.75
+Jul 7 10:51:31 eva sshd[19555]: Invalid user admin1 from 83.15.231.75
+Jul 7 10:51:32 eva sshd[19557]: Invalid user admin1 from 83.15.231.75
+Jul 7 10:51:33 eva sshd[19559]: Invalid user admin1 from 83.15.231.75
+Jul 7 10:51:34 eva sshd[19561]: Invalid user admin1 from 83.15.231.75
+Jul 7 10:51:35 eva sshd[19564]: Invalid user admin1 from 83.15.231.75
+Jul 7 10:51:36 eva sshd[19566]: Invalid user admin1 from 83.15.231.75
+Jul 7 10:51:37 eva sshd[19568]: Invalid user admin01 from 83.15.231.75
+Jul 7 10:51:38 eva sshd[19570]: Invalid user admin01 from 83.15.231.75
+Jul 7 10:51:39 eva sshd[19572]: Invalid user admin01 from 83.15.231.75
+Jul 7 10:51:40 eva sshd[19574]: Invalid user admin01 from 83.15.231.75
+Jul 7 10:51:41 eva sshd[19577]: Invalid user admin01 from 83.15.231.75
+Jul 7 10:51:42 eva sshd[19579]: Invalid user test from 83.15.231.75
+Jul 7 10:51:43 eva sshd[19581]: Invalid user test from 83.15.231.75
+Jul 7 10:51:44 eva sshd[19583]: Invalid user test from 83.15.231.75
+Jul 7 10:51:45 eva sshd[19585]: Invalid user test from 83.15.231.75
+Jul 7 10:51:45 eva sshd[19588]: Invalid user test from 83.15.231.75
+Jul 7 10:51:46 eva sshd[19590]: Invalid user test from 83.15.231.75
+Jul 7 10:51:47 eva sshd[19592]: Invalid user test from 83.15.231.75
+Jul 7 10:51:48 eva sshd[19594]: Invalid user test1 from 83.15.231.75
+Jul 7 10:51:49 eva sshd[19596]: Invalid user test1 from 83.15.231.75
+Jul 7 10:51:50 eva sshd[19598]: Invalid user test1 from 83.15.231.75
+Jul 7 10:51:51 eva sshd[19601]: Invalid user test1 from 83.15.231.75
+Jul 7 10:51:52 eva sshd[19603]: Invalid user test1 from 83.15.231.75
+Jul 7 10:51:53 eva sshd[19605]: Invalid user test1 from 83.15.231.75
+Jul 7 10:51:54 eva sshd[19607]: Invalid user test01 from 83.15.231.75
+Jul 7 10:51:55 eva sshd[19609]: Invalid user test01 from 83.15.231.75
+Jul 7 10:51:56 eva sshd[19612]: Invalid user test01 from 83.15.231.75
+Jul 7 10:51:56 eva sshd[19614]: Invalid user test01 from 83.15.231.75
+Jul 7 10:51:58 eva sshd[19616]: Invalid user test01 from 83.15.231.75
+Jul 7 10:51:58 eva sshd[19618]: Invalid user test02 from 83.15.231.75
+Jul 7 10:52:00 eva sshd[19620]: Invalid user test02 from 83.15.231.75
+Jul 7 10:52:00 eva sshd[19623]: Invalid user test02 from 83.15.231.75
+Jul 7 10:52:01 eva sshd[19625]: Invalid user test02 from 83.15.231.75
+Jul 7 10:52:02 eva sshd[19627]: Invalid user test02 from 83.15.231.75
+Jul 7 10:52:03 eva sshd[19629]: Invalid user test03 from 83.15.231.75
+Jul 7 10:52:04 eva sshd[19631]: Invalid user test03 from 83.15.231.75
+Jul 7 10:52:05 eva sshd[19633]: Invalid user test03 from 83.15.231.75
+Jul 7 10:52:06 eva sshd[19636]: Invalid user test03 from 83.15.231.75
+Jul 7 10:52:07 eva sshd[19638]: Invalid user test03 from 83.15.231.75
+Jul 7 10:52:08 eva sshd[19640]: Invalid user test04 from 83.15.231.75
+Jul 7 10:52:09 eva sshd[19642]: Invalid user test04 from 83.15.231.75
+Jul 7 10:52:18 eva sshd[19646]: Invalid user test04 from 83.15.231.75
+Jul 7 10:52:20 eva sshd[19648]: Invalid user test04 from 83.15.231.75
+Jul 7 10:52:20 eva sshd[19651]: Invalid user guest from 83.15.231.75
+Jul 7 10:52:21 eva sshd[19653]: Invalid user guest from 83.15.231.75
+Jul 7 10:52:22 eva sshd[19655]: Invalid user guest from 83.15.231.75
+Jul 7 10:52:23 eva sshd[19657]: Invalid user guest from 83.15.231.75
+Jul 7 10:52:24 eva sshd[19659]: Invalid user guest from 83.15.231.75
+Jul 7 10:52:25 eva sshd[19661]: Invalid user guest from 83.15.231.75
+Jul 7 10:52:26 eva sshd[19664]: Invalid user guest from 83.15.231.75
+Jul 7 10:52:27 eva sshd[19666]: Invalid user guest01 from 83.15.231.75
+Jul 7 10:52:28 eva sshd[19668]: Invalid user guest01 from 83.15.231.75
+Jul 7 10:52:29 eva sshd[19670]: Invalid user ftpadmin from 83.15.231.75
+Jul 7 10:52:30 eva sshd[19672]: Invalid user ftpadmin from 83.15.231.75
+Jul 7 10:52:31 eva sshd[19675]: Invalid user ftpadmin from 83.15.231.75
+Jul 7 10:52:32 eva sshd[19677]: Invalid user ftpadmin from 83.15.231.75
+Jul 7 10:52:33 eva sshd[19679]: Invalid user ftpuser from 83.15.231.75
+Jul 7 10:52:33 eva sshd[19681]: Invalid user ftpuser from 83.15.231.75
+Jul 7 10:52:35 eva sshd[19683]: Invalid user ftpuser from 83.15.231.75
+Jul 7 10:52:35 eva sshd[19686]: Invalid user ftpuser from 83.15.231.75
+Jul 7 10:52:36 eva sshd[19688]: Invalid user backup from 83.15.231.75
+Jul 7 10:52:37 eva sshd[19690]: Invalid user backup from 83.15.231.75
+Jul 7 10:52:38 eva sshd[19692]: Invalid user backup from 83.15.231.75
+Jul 7 10:52:39 eva sshd[19694]: Invalid user backup from 83.15.231.75
+Jul 7 10:52:40 eva sshd[19696]: Invalid user postgres from 83.15.231.75
+Jul 7 10:52:41 eva sshd[19699]: Invalid user postgres from 83.15.231.75
+Jul 7 10:52:43 eva sshd[19703]: Invalid user account from 83.15.231.75
+Jul 7 10:52:44 eva sshd[19705]: Invalid user webmaster from 83.15.231.75
+Jul 7 10:52:45 eva sshd[19707]: Invalid user webmaster from 83.15.231.75
+Jul 7 10:52:46 eva sshd[19710]: Invalid user webmaster from 83.15.231.75
+Jul 7 10:52:46 eva sshd[19712]: Invalid user webmaster from 83.15.231.75
+Jul 7 10:52:48 eva sshd[19714]: Invalid user webmaster from 83.15.231.75
+Jul 7 10:52:48 eva sshd[19716]: Invalid user webadmin from 83.15.231.75
+Jul 7 10:52:49 eva sshd[19718]: Invalid user webadmin from 83.15.231.75
+Jul 7 10:52:50 eva sshd[19721]: Invalid user webadmin from 83.15.231.75
+Jul 7 10:52:51 eva sshd[19723]: Invalid user webadmin from 83.15.231.75
+Jul 7 10:52:52 eva sshd[19725]: Invalid user webadmin from 83.15.231.75
+Jul 7 10:52:53 eva sshd[19727]: Invalid user nagios from 83.15.231.75
+Jul 7 10:52:54 eva sshd[19729]: Invalid user nagios from 83.15.231.75
+Jul 7 10:52:55 eva sshd[19731]: Invalid user nagios from 83.15.231.75
+Jul 7 10:52:56 eva sshd[19734]: Invalid user nagios from 83.15.231.75
+Jul 7 10:52:57 eva sshd[19736]: Invalid user nagios from 83.15.231.75
+Jul 7 10:52:58 eva sshd[19738]: Invalid user ftptest from 83.15.231.75
+Jul 7 10:52:59 eva sshd[19740]: Invalid user ftptest from 83.15.231.75
+Jul 7 10:53:00 eva sshd[19742]: Invalid user ftptest from 83.15.231.75
+Jul 7 10:53:01 eva sshd[19745]: Invalid user ftptest from 83.15.231.75
+Jul 7 10:53:01 eva sshd[19747]: Invalid user ftptest from 83.15.231.75
+Jul 7 10:53:02 eva sshd[19749]: Invalid user ftptest from 83.15.231.75
+Jul 7 10:53:03 eva sshd[19751]: Invalid user library from 83.15.231.75
+Jul 7 10:53:04 eva sshd[19753]: Invalid user library from 83.15.231.75
+Jul 7 10:53:05 eva sshd[19755]: Invalid user library from 83.15.231.75
+Jul 7 10:53:06 eva sshd[19758]: Invalid user ftpguest from 83.15.231.75
+Jul 7 10:53:07 eva sshd[19760]: Invalid user ftpguest from 83.15.231.75
+Jul 7 10:53:08 eva sshd[19762]: Invalid user ftpguest from 83.15.231.75
+Jul 7 10:53:09 eva sshd[19764]: Invalid user ftpguest from 83.15.231.75
+Jul 7 10:53:10 eva sshd[19766]: Invalid user info from 83.15.231.75
+Jul 7 10:53:11 eva sshd[19769]: Invalid user info from 83.15.231.75
+Jul 7 10:53:11 eva sshd[19771]: Invalid user info from 83.15.231.75
+Jul 7 10:53:13 eva sshd[19782]: Invalid user info from 83.15.231.75
+Jul 7 10:53:13 eva sshd[19787]: Invalid user info from 83.15.231.75
+Jul 7 10:53:21 eva sshd[19805]: Invalid user upload from 83.15.231.75
+Jul 7 10:53:22 eva sshd[19807]: Invalid user upload from 83.15.231.75
+Jul 7 10:53:23 eva sshd[19809]: Invalid user upload from 83.15.231.75
+Jul 7 10:53:23 eva sshd[19811]: Invalid user upload from 83.15.231.75
+Jul 7 10:53:25 eva sshd[19813]: Invalid user upload from 83.15.231.75
+Jul 7 10:53:25 eva sshd[19816]: Invalid user upload from 83.15.231.75
+Jul 7 10:53:26 eva sshd[19818]: Invalid user upload from 83.15.231.75
+Jul 7 10:53:27 eva sshd[19820]: Invalid user usertest from 83.15.231.75
+Jul 7 10:53:28 eva sshd[19822]: Invalid user update from 83.15.231.75
+Jul 7 10:53:29 eva sshd[19824]: Invalid user update from 83.15.231.75
+Jul 7 10:53:30 eva sshd[19826]: Invalid user update from 83.15.231.75
+Jul 7 10:53:31 eva sshd[19829]: Invalid user update from 83.15.231.75
+Jul 7 10:53:32 eva sshd[19831]: Invalid user update from 83.15.231.75
+Jul 7 10:53:33 eva sshd[19833]: Invalid user update from 83.15.231.75
+Jul 7 10:53:40 eva sshd[19845]: Invalid user apache from 83.15.231.75
+Jul 7 10:53:41 eva sshd[19847]: Invalid user apache from 83.15.231.75
+Jul 7 10:53:42 eva sshd[19849]: Invalid user apache from 83.15.231.75
+Jul 7 10:53:43 eva sshd[19851]: Invalid user apache from 83.15.231.75
+Jul 7 10:53:44 eva sshd[19853]: Invalid user apache from 83.15.231.75
+Jul 7 10:53:45 eva sshd[19855]: Invalid user apache from 83.15.231.75
+Jul 7 10:53:46 eva sshd[19858]: Invalid user webuser from 83.15.231.75
+Jul 7 10:53:47 eva sshd[19860]: Invalid user webuser from 83.15.231.75
+Jul 7 10:53:48 eva sshd[19862]: Invalid user webuser from 83.15.231.75
+Jul 7 10:53:49 eva sshd[19864]: Invalid user webuser from 83.15.231.75
+Jul 7 10:53:50 eva sshd[19866]: Invalid user webuser from 83.15.231.75
+Jul 7 10:53:51 eva sshd[19869]: Invalid user webuser from 83.15.231.75
+Jul 7 10:53:51 eva sshd[19871]: Invalid user webuser from 83.15.231.75
+Jul 7 10:53:53 eva sshd[19873]: Invalid user oracle from 83.15.231.75
+Jul 7 10:53:54 eva sshd[19875]: Invalid user oracle from 83.15.231.75
+Jul 7 10:53:58 eva sshd[19878]: Invalid user oracle from 83.15.231.75
+Jul 7 10:53:59 eva sshd[19880]: Invalid user oracle from 83.15.231.75
+Jul 7 10:54:00 eva sshd[19882]: Invalid user cyrus from 83.15.231.75
+Jul 7 10:54:01 eva sshd[19885]: Invalid user cyrus from 83.15.231.75
+Jul 7 10:54:01 eva sshd[19887]: Invalid user cyrus from 83.15.231.75
+Jul 7 10:54:02 eva sshd[19889]: Invalid user cyrus from 83.15.231.75
+Jul 7 10:54:03 eva sshd[19891]: Invalid user server from 83.15.231.75
+Jul 7 10:54:04 eva sshd[19893]: Invalid user server from 83.15.231.75
+Jul 7 10:54:06 eva sshd[19898]: Invalid user daniel from 83.15.231.75
+Jul 7 10:54:07 eva sshd[19900]: Invalid user user from 83.15.231.75
+Jul 7 10:54:08 eva sshd[19902]: Invalid user user from 83.15.231.75
+Jul 7 10:54:09 eva sshd[19904]: Invalid user user from 83.15.231.75
+Jul 7 10:54:10 eva sshd[19906]: Invalid user user from 83.15.231.75
+Jul 7 10:54:11 eva sshd[19909]: Invalid user user from 83.15.231.75
+Jul 7 10:54:12 eva sshd[19911]: Invalid user linux from 83.15.231.75
+Jul 7 10:54:13 eva sshd[19913]: Invalid user linux from 83.15.231.75
+Jul 7 10:54:13 eva sshd[19915]: Invalid user linux from 83.15.231.75
+Jul 7 10:54:15 eva sshd[19917]: Invalid user linux from 83.15.231.75
+Jul 7 10:54:15 eva sshd[19920]: Invalid user linux from 83.15.231.75
+Jul 7 10:54:16 eva sshd[19922]: Invalid user student from 83.15.231.75
+Jul 7 10:54:17 eva sshd[19924]: Invalid user student from 83.15.231.75
+Jul 7 10:54:18 eva sshd[19926]: Invalid user student from 83.15.231.75
+Jul 7 10:54:19 eva sshd[19928]: Invalid user student from 83.15.231.75
+Jul 7 10:54:20 eva sshd[19930]: Invalid user student from 83.15.231.75
+Jul 7 10:54:21 eva sshd[19933]: Invalid user temp from 83.15.231.75
+Jul 7 10:54:22 eva sshd[19935]: Invalid user temp from 83.15.231.75
+Jul 7 10:54:23 eva sshd[19937]: Invalid user temp from 83.15.231.75
+Jul 7 10:54:24 eva sshd[19939]: Invalid user temp from 83.15.231.75
+Jul 7 10:54:25 eva sshd[19941]: Invalid user temp from 83.15.231.75
+Jul 7 10:54:26 eva sshd[19944]: Invalid user contact from 83.15.231.75
+Jul 7 10:54:26 eva sshd[19946]: Invalid user contact from 83.15.231.75
+Jul 7 10:54:27 eva sshd[19948]: Invalid user ftpd from 83.15.231.75
+Jul 7 10:54:28 eva sshd[19950]: Invalid user gopher from 83.15.231.75
+Jul 7 10:54:29 eva sshd[19952]: Invalid user gopher from 83.15.231.75
+Jul 7 10:54:30 eva sshd[19954]: Invalid user jobs from 83.15.231.75
+Jul 7 10:54:31 eva sshd[19957]: Invalid user sysadmin from 83.15.231.75
+Jul 7 10:54:32 eva sshd[19959]: Invalid user sysadmin from 83.15.231.75
+Jul 7 10:54:33 eva sshd[19961]: Invalid user sysadmin from 83.15.231.75
+Jul 7 10:54:34 eva sshd[19963]: Invalid user sysadmin from 83.15.231.75
+Jul 7 10:54:35 eva sshd[19965]: Invalid user named from 83.15.231.75
+Jul 7 10:54:36 eva sshd[19968]: Invalid user pgsql from 83.15.231.75
+Jul 7 10:54:36 eva sshd[19970]: Invalid user pgsql from 83.15.231.75
+Jul 7 10:54:38 eva sshd[19972]: Invalid user pgsql from 83.15.231.75
+Jul 7 10:54:38 eva sshd[19974]: Invalid user pgsql from 83.15.231.75
+Jul 7 10:54:39 eva sshd[19976]: Invalid user unix from 83.15.231.75
+Jul 7 10:54:40 eva sshd[19979]: Invalid user unix from 83.15.231.75
+Jul 7 10:54:41 eva sshd[19981]: Invalid user unix from 83.15.231.75
+Jul 7 10:54:42 eva sshd[19983]: Invalid user unix from 83.15.231.75
+Jul 7 10:54:49 eva sshd[20000]: Invalid user postmaster from 83.15.231.75
+Jul 7 10:54:50 eva sshd[20003]: Invalid user postmaster from 83.15.231.75
+Jul 7 10:54:51 eva sshd[20005]: Invalid user operator from 83.15.231.75
+Jul 7 10:54:52 eva sshd[20007]: Invalid user operator from 83.15.231.75
+Jul 7 10:54:54 eva sshd[20011]: Invalid user users from 83.15.231.75
+Jul 7 10:54:55 eva sshd[20013]: Invalid user internet from 83.15.231.75
+Jul 7 10:54:56 eva sshd[20016]: Invalid user internet from 83.15.231.75
+Jul 7 10:54:58 eva sshd[20020]: Invalid user carlos from 83.15.231.75
+Jul 7 10:54:58 eva sshd[20022]: Invalid user adm from 83.15.231.75
+Jul 7 10:55:00 eva sshd[20024]: Invalid user data from 83.15.231.75
+Jul 7 10:55:00 eva sshd[20027]: Invalid user nologin from 83.15.231.75
+Jul 7 10:55:01 eva sshd[20029]: Invalid user smtp from 83.15.231.75
+Jul 7 10:55:03 eva sshd[20031]: Invalid user gdm from 83.15.231.75
+Jul 7 10:55:04 eva sshd[20033]: Invalid user martin from 83.15.231.75
+Jul 7 10:55:05 eva sshd[20035]: Invalid user carlos from 83.15.231.75
+Jul 7 10:55:06 eva sshd[20038]: Invalid user david from 83.15.231.75
+Jul 7 10:55:06 eva sshd[20040]: Invalid user richard from 83.15.231.75
+Jul 7 10:55:08 eva sshd[20042]: Invalid user andy from 83.15.231.75
+Jul 7 10:55:08 eva sshd[20044]: Invalid user kevin from 83.15.231.75
+Jul 7 10:55:10 eva sshd[20046]: Invalid user jeff from 83.15.231.75
+Jul 7 10:55:10 eva sshd[20049]: Invalid user data from 83.15.231.75
+Jul 7 10:55:11 eva sshd[20051]: Invalid user patrick from 83.15.231.75
+Jul 7 10:55:12 eva sshd[20053]: Invalid user jane from 83.15.231.75
+Jul 7 10:55:13 eva sshd[20055]: Invalid user sql from 83.15.231.75
+Jul 7 10:55:14 eva sshd[20057]: Invalid user tester from 83.15.231.75
+Jul 7 10:55:15 eva sshd[20059]: Invalid user andrew from 83.15.231.75
+Jul 7 10:55:16 eva sshd[20062]: Invalid user steven from 83.15.231.75
+Jul 7 10:55:17 eva sshd[20064]: Invalid user angela from 83.15.231.75
+Jul 7 10:55:18 eva sshd[20066]: Invalid user andrea from 83.15.231.75
+Jul 7 10:55:19 eva sshd[20068]: Invalid user webaccount from 83.15.231.75
+Jul 7 10:55:20 eva sshd[20070]: Invalid user seth from 83.15.231.75
+Jul 7 10:55:21 eva sshd[20073]: Invalid user bobby from 83.15.231.75
+Jul 7 10:55:21 eva sshd[20075]: Invalid user peter from 83.15.231.75
+Jul 7 10:55:23 eva sshd[20077]: Invalid user john from 83.15.231.75
+Jul 7 10:55:23 eva sshd[20079]: Invalid user mike from 83.15.231.75
+Jul 7 10:55:24 eva sshd[20081]: Invalid user ally from 83.15.231.75
+Jul 7 10:55:25 eva sshd[20084]: Invalid user norman from 83.15.231.75
+Jul 7 10:55:26 eva sshd[20086]: Invalid user nike from 83.15.231.75
+Jul 7 10:55:27 eva sshd[20088]: Invalid user diana from 83.15.231.75
+Jul 7 10:55:28 eva sshd[20090]: Invalid user george from 83.15.231.75
+Jul 7 10:55:29 eva sshd[20092]: Invalid user james from 83.15.231.75
+Jul 7 10:55:30 eva sshd[20094]: Invalid user transfer from 83.15.231.75
+Jul 7 10:55:31 eva sshd[20097]: Invalid user spam from 83.15.231.75
+Jul 7 10:55:32 eva sshd[20099]: Invalid user spam from 83.15.231.75
+Jul 7 10:55:35 eva sshd[20102]: Invalid user denis from 83.15.231.75
+Jul 7 10:55:36 eva sshd[20104]: Invalid user anders from 83.15.231.75
+Jul 7 10:55:37 eva sshd[20106]: Invalid user friends from 83.15.231.75
+Jul 7 10:55:38 eva sshd[20108]: Invalid user friend from 83.15.231.75
+Jul 7 10:55:39 eva sshd[20110]: Invalid user blast from 83.15.231.75
+Jul 7 10:55:40 eva sshd[20112]: Invalid user ferrari from 83.15.231.75
+Jul 7 10:55:41 eva sshd[20115]: Invalid user bill from 83.15.231.75
+Jul 7 10:55:42 eva sshd[20117]: Invalid user bill from 83.15.231.75
+Jul 7 10:55:43 eva sshd[20119]: Invalid user bill from 83.15.231.75
+Jul 7 10:55:44 eva sshd[20121]: Invalid user bill from 83.15.231.75
+Jul 7 10:55:45 eva sshd[20123]: Invalid user demo from 83.15.231.75
+Jul 7 10:55:46 eva sshd[20126]: Invalid user forum from 83.15.231.75
+Jul 7 10:55:47 eva sshd[20128]: Invalid user master from 83.15.231.75
+Jul 7 10:55:48 eva sshd[20130]: Invalid user pat from 83.15.231.75
+Jul 7 10:55:49 eva sshd[20132]: Invalid user jan from 83.15.231.75
+Jul 7 10:55:50 eva sshd[20134]: Invalid user mark from 83.15.231.75
+Jul 7 10:55:50 eva sshd[20137]: Invalid user support from 83.15.231.75
+Jul 7 10:55:51 eva sshd[20139]: Invalid user cold from 83.15.231.75
+Jul 7 10:55:52 eva sshd[20141]: Invalid user smith from 83.15.231.75
+Jul 7 10:55:53 eva sshd[20143]: Invalid user ppp from 83.15.231.75
+Jul 7 10:55:54 eva sshd[20145]: Invalid user anna from 83.15.231.75
+Jul 7 10:55:55 eva sshd[20147]: Invalid user seba from 83.15.231.75
+Jul 7 10:55:56 eva sshd[20150]: Invalid user lotus from 83.15.231.75
+Jul 7 10:55:57 eva sshd[20152]: Invalid user engine from 83.15.231.75
+Jul 7 10:55:58 eva sshd[20154]: Invalid user domain from 83.15.231.75
+Jul 7 10:55:59 eva sshd[20156]: Invalid user www from 83.15.231.75
+Jul 7 10:56:00 eva sshd[20158]: Invalid user www from 83.15.231.75
+Jul 7 10:56:01 eva sshd[20161]: Invalid user www from 83.15.231.75
+Jul 7 10:56:02 eva sshd[20163]: Invalid user www from 83.15.231.75
+Jul 7 10:56:03 eva sshd[20165]: Invalid user www from 83.15.231.75
+Jul 7 10:56:03 eva sshd[20167]: Invalid user masters from 83.15.231.75
+Jul 7 10:56:05 eva sshd[20169]: Invalid user users from 83.15.231.75
+Jul 7 10:56:05 eva sshd[20172]: Invalid user users from 83.15.231.75
+Jul 7 10:56:06 eva sshd[20174]: Invalid user solaris from 83.15.231.75
+Jul 7 10:56:07 eva sshd[20176]: Invalid user cvs from 83.15.231.75
+Jul 7 10:56:08 eva sshd[20178]: Invalid user guest1 from 83.15.231.75
+Jul 7 10:56:09 eva sshd[20180]: Invalid user guest02 from 83.15.231.75
+Jul 7 10:56:10 eva sshd[20182]: Invalid user www-data from 83.15.231.75
+Aug 7 15:13:17 eva sshd[27633]: Invalid user webmaster from 200.94.18.3
+Aug 7 15:13:23 eva sshd[27650]: Invalid user sales from 200.94.18.3
+Aug 7 15:13:24 eva sshd[27652]: Invalid user admin from 200.94.18.3
+Aug 7 15:13:26 eva sshd[27655]: Invalid user andrea from 200.94.18.3
+Aug 7 15:13:28 eva sshd[27657]: Invalid user backup from 200.94.18.3
+Aug 7 15:13:29 eva sshd[27659]: Invalid user guest from 200.94.18.3
+Aug 7 15:13:31 eva sshd[27662]: Invalid user guest1 from 200.94.18.3
+Aug 7 15:13:33 eva sshd[27664]: Invalid user guest2 from 200.94.18.3
+Aug 7 15:13:34 eva sshd[27666]: Invalid user guest3 from 200.94.18.3
+Aug 7 15:13:36 eva sshd[27669]: Invalid user guest4 from 200.94.18.3
+Aug 7 15:13:38 eva sshd[27671]: Invalid user guest5 from 200.94.18.3
+Aug 7 15:13:39 eva sshd[27673]: Invalid user guest6 from 200.94.18.3
+Aug 7 15:13:41 eva sshd[27676]: Invalid user guest7 from 200.94.18.3
+Aug 7 15:13:43 eva sshd[27678]: Invalid user guest8 from 200.94.18.3
+Aug 7 15:13:44 eva sshd[27680]: Invalid user guest9 from 200.94.18.3
+Aug 7 15:13:46 eva sshd[27683]: Invalid user guest10 from 200.94.18.3
+Aug 7 15:13:48 eva sshd[27685]: Invalid user michael from 200.94.18.3
+Aug 7 15:13:50 eva sshd[27688]: Invalid user gigi from 200.94.18.3
+Aug 7 15:13:52 eva sshd[27692]: Invalid user france from 200.94.18.3
+Aug 7 15:13:54 eva sshd[27694]: Invalid user raider from 200.94.18.3
+Aug 7 15:13:55 eva sshd[27696]: Invalid user movie from 200.94.18.3
+Aug 7 15:13:57 eva sshd[27699]: Invalid user movies from 200.94.18.3
+Aug 7 15:13:59 eva sshd[27701]: Invalid user judith from 200.94.18.3
+Aug 7 15:14:00 eva sshd[27705]: Invalid user default from 200.94.18.3
+Aug 7 15:14:02 eva sshd[27708]: Invalid user sean from 200.94.18.3
+Aug 7 15:14:04 eva sshd[27710]: Invalid user erik from 200.94.18.3
+Aug 7 15:14:05 eva sshd[27713]: Invalid user house from 200.94.18.3
+Aug 7 15:14:07 eva sshd[27721]: Invalid user status from 200.94.18.3
+Aug 7 15:14:09 eva sshd[27727]: Invalid user music from 200.94.18.3
+Aug 7 15:14:10 eva sshd[27734]: Invalid user test from 200.94.18.3
+Aug 7 15:14:12 eva sshd[27737]: Invalid user christian from 200.94.18.3
+Aug 7 15:14:14 eva sshd[27744]: Invalid user upload from 200.94.18.3
+Aug 7 15:14:15 eva sshd[27746]: Invalid user security from 200.94.18.3
+Aug 7 15:14:17 eva sshd[27749]: Invalid user scanner from 200.94.18.3
+Aug 7 15:14:19 eva sshd[27751]: Invalid user work from 200.94.18.3
+Aug 7 15:14:20 eva sshd[27753]: Invalid user eli from 200.94.18.3
+Aug 7 15:14:22 eva sshd[27756]: Invalid user ariel from 200.94.18.3
+Aug 7 15:14:24 eva sshd[27759]: Invalid user matt from 200.94.18.3
+Aug 7 15:14:25 eva sshd[27761]: Invalid user smoke from 200.94.18.3
+Aug 7 15:14:27 eva sshd[27764]: Invalid user papa from 200.94.18.3
+Aug 7 15:14:29 eva sshd[27766]: Invalid user beth from 200.94.18.3
+Aug 7 15:14:30 eva sshd[27768]: Invalid user samba from 200.94.18.3
+Aug 7 15:14:32 eva sshd[27771]: Invalid user library from 200.94.18.3
+Aug 7 15:14:34 eva sshd[27773]: Invalid user don from 200.94.18.3
+Aug 7 15:14:35 eva sshd[27775]: Invalid user webuser from 200.94.18.3
+Aug 7 15:14:37 eva sshd[27778]: Invalid user monitor from 200.94.18.3
+Aug 7 15:14:39 eva sshd[27780]: Invalid user roberto from 200.94.18.3
+Aug 7 15:14:40 eva sshd[27782]: Invalid user mama from 200.94.18.3
+Aug 7 15:14:42 eva sshd[27785]: Invalid user windows from 200.94.18.3
+Aug 7 15:14:44 eva sshd[27787]: Invalid user fritz from 200.94.18.3
+Aug 7 15:14:45 eva sshd[27789]: Invalid user linux from 200.94.18.3
+Aug 7 15:14:47 eva sshd[27797]: Invalid user debian from 200.94.18.3
+Aug 7 15:14:49 eva sshd[27805]: Invalid user darwin from 200.94.18.3
+Aug 7 15:14:50 eva sshd[27807]: Invalid user redhat from 200.94.18.3
+Aug 7 15:14:52 eva sshd[27810]: Invalid user edith from 200.94.18.3
+Aug 7 15:14:54 eva sshd[27812]: Invalid user neo from 200.94.18.3
+Aug 7 15:14:55 eva sshd[27814]: Invalid user neo from 200.94.18.3
+Aug 7 15:14:57 eva sshd[27817]: Invalid user bebe from 200.94.18.3
+Aug 7 15:14:59 eva sshd[27819]: Invalid user postgres from 200.94.18.3
+Aug 7 15:15:00 eva sshd[27821]: Invalid user antonio from 200.94.18.3
+Aug 7 15:15:02 eva sshd[27824]: Invalid user archive from 200.94.18.3
+Aug 7 15:15:05 eva sshd[27845]: Invalid user cathy from 200.94.18.3
+Aug 7 15:15:06 eva sshd[27848]: Invalid user alex from 200.94.18.3
+Aug 7 15:15:08 eva sshd[27850]: Invalid user download from 200.94.18.3
+Aug 7 15:15:10 eva sshd[27852]: Invalid user eric from 200.94.18.3
+Aug 7 15:15:11 eva sshd[27855]: Invalid user gaby from 200.94.18.3
+Aug 7 15:15:13 eva sshd[27857]: Invalid user beer from 200.94.18.3
+Aug 7 15:15:15 eva sshd[27859]: Invalid user mp3 from 200.94.18.3
+Aug 7 15:15:16 eva sshd[27862]: Invalid user ghost from 200.94.18.3
+Aug 7 15:15:18 eva sshd[27864]: Invalid user virus from 200.94.18.3
+Aug 7 15:15:20 eva sshd[27871]: Invalid user gloria from 200.94.18.3
+Aug 7 15:15:21 eva sshd[27874]: Invalid user erwin from 200.94.18.3
+Aug 7 15:15:23 eva sshd[27881]: Invalid user update from 200.94.18.3
+Aug 7 15:15:25 eva sshd[27883]: Invalid user kiss from 200.94.18.3
+Aug 7 15:15:26 eva sshd[27886]: Invalid user army from 200.94.18.3
+Aug 7 15:15:28 eva sshd[27888]: Invalid user andreas from 200.94.18.3
+Aug 7 15:15:33 eva sshd[27891]: Invalid user jojo from 200.94.18.3
+Aug 7 15:15:34 eva sshd[27893]: Invalid user service from 200.94.18.3
--- /dev/null
+20070717,30020,1=3,41=SWS-3.0.1.86/lists,100=Version 3.0.3299,3=7,2=29
+20070717,30024,100=SWS-3.0.1.86,2=36
+20070717,30044,1=3,3=1,2=302
+20070717,30044,1=3,1202=20070715.002,1203=20070715.002,3=7,2=301
+20070717,30225,1=3,41=SWS-3.0.1.86/dictionaries,100=Version 3.0.638,3=7,2=29
+20070717,30517,1=3,41=SWS-3.0.1.86/vendor-config,100=Version 3.0.6,3=7,2=29
+20070717,40031,1=3,41=SWS-3.0.1.86/lists,100=Version 3.0.3299,3=7,2=29
+20070717,73613,1=5,11=10.1.1.3,10=userc,3=1,2=1
+20070717,103426,1=5,11=1.2.3.4,10=virtadmin,3=1,2=1
+20070717,73614,1=5,11=1.2.3.4,1106=News,60=http://news.bbc.co.uk/,10=userX,1000=212.58.240.42,2=27
+20070717,115252,1=5,11=1.2.3.4,1106=Miscellaneous,60=https://ad.doubleclick.net/,10=userY,1000=216.73.87.52,2=27
+20070717,122017,1=5,11=2.3.4.5,1106=Finance,60=http://www.esl.org/abc.exe,10=userB,1000=208.2.188.219,2=27
--- /dev/null
+May 27 15:52:37 valhalla telnetd[4882]: refused connect from mstr195175-16075.dial-in.ttnet.net.tr
+May 27 16:48:29 valhalla telnetd[5010]: refused connect from 88.226.34.75
+Jun 2 09:50:28 queen in.telnetd[19636]: [ID 947420 local2.warning] refused connect from 220-129-149-114.dynamic.hinet.net
+May 11 10:28:07 queen in.telnetd[19847]: [ID 927837 local2.info] connect from dsl85-105-30859.ttnet.net.tr
+May 30 17:11:32 hayaletgemi telnetd[360652]: connect from valhalla.metu.edu.tr
+May 12 14:45:17 hayaletgemi in.telnetd[4821]: [ID 927837 local2.info] connect from dsl85-105-30859.ttnet.net.tr
+May 12 14:45:17 hayaletgemi telnetd[4821]: [ID 682499 daemon.info] ttloop: read: Not a data message
+May 28 17:14:52 queen telnetd[76014]: connect from vod85-15-3859.ttnet.net.tr
+May 28 17:14:53 queen telnetd[76014]: ttloop: read: A connection with a remote socket was reset by that socket.
+Jun 2 09:59:27 valhalla-eth in.telnetd[19826]: [ID 927837 local2.info] connect from adsl105-3085-tr.ttnet.net.tr
+Jun 2 09:59:28 valhalla-eth telnetd[19826]: [ID 485252 daemon.info] ttloop: peer died: Error 0
+May 29 23:57:28 isik telnetd[946360]: connect from 85-10-085.ttnet.net.tr
+May 29 23:57:28 isik telnetd[946360]: ttloop: peer died: A file or directory in the path name does not exist.
+May 29 20:59:00 valhalla-eth telnetd[2507000]: warning: can't verify hostname: gethostbyname(dsl.dynamic812154227.ttnet.net.tr
+May 30 00:19:11 valhalla-eth telnetd[987186]: warning: can't verify hostname: gethostbyname(131.1.satis-tl.ru) failed
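Review bot: The second-to-last line of this sample (`telnetd[2507000]: warning: can't verify hostname: gethostbyname(dsl.dynamic812154227.ttnet.net.tr`) is cut off mid-message, while the line after it carries the full `gethostbyname(...) failed` form. If these files are meant as sample input for the decoders, the truncated record will not exercise the same pattern as the complete one and is presumably a copy/paste accident rather than a deliberate edge case. I would either complete it in the shape of the following line, e.g. `... gethostbyname(<HOSTNAME_PLACEHOLDER>) failed`, or drop it.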
--- /dev/null
+ Apr 14 19:18:56 mozart in.telnetd[11634]: connect from 192.168.11.200
+ Apr 14 19:18:56 mozart imapd[11635]: connect from 192.168.11.200
+ Apr 14 19:18:56 mozart in.fingerd[11637]: connect from 192.168.11.200
+ Apr 14 19:18:56 mozart ipop3d[11638]: connect from 192.168.11.200
+ Apr 14 19:18:56 mozart in.telnetd[11639]: connect from 192.168.11.200
+ Apr 14 19:18:56 mozart in.ftpd[11640]: connect from 192.168.11.200
+ Apr 14 19:19:03 mozart ipop3d[11642]: connect from 192.168.11.200
+ Apr 14 19:19:03 mozart imapd[11643]: connect from 192.168.11.200
+ Apr 14 19:19:04 mozart in.fingerd[11646]: connect from 192.168.11.200
+ Apr 14 19:19:05 mozart in.fingerd[11648]: connect from 192.168.11.200
+
+ Apr 14 21:01:58 mozart imapd[11667]: command stream end of file, while reading line user=??? host=[192.168.11.200]
+ Apr 14 21:01:58 mozart ipop3d[11668]: No such file or directory while reading line user=??? host=[192.168.11.200]
+ Apr 14 21:02:05 mozart sendmail[11675]: NOQUEUE: [192.168.11.200]: expn root
+
+ Apr 14 21:03:09 mozart telnetd[11682]: ttloop: peer died: Invalid or incomplete multibyte or wide character
+ Apr 14 21:03:12 mozart ftpd[11688]: FTP session closed
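Review bot: Every record in this sample is indented by one space before the syslog timestamp (`+ Apr 14 19:18:56 mozart in.telnetd[11634]: ...`), and the file also contains empty lines between the groups. If the file is intended to be fed through the log decoders as a sample, the leading space is likely to prevent the timestamp/hostname prefix from being recognised, and the empty lines are just noise; the other new samples in this commit start each record at column 0. I would strip the leading space from every line and remove the blank separators, unless the indentation is deliberately testing whitespace handling, in which case that deserves a one-line note at the top of the file.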
--- /dev/null
+31220 06/01/2005 19:05:22.120 SEV=8 IKEDBG/0 RPT=41554 12.34.56.78 RECEIVED Message (msgid=0) with payloads :HDR + SA (1) + NONE (0) total length : 84
+31222 06/01/2005 19:05:22.120 SEV=8 IKEDBG/0 RPT=41555 12.34.56.78 RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
+31224 06/01/2005 19:05:22.120 SEV=9 IKEDBG/0 RPT=41556 12.34.56.78 processing SA payload
+31225 06/01/2005 19:05:22.120 SEV=8 IKEDECODE/0 RPT=28390 12.34.56.78 SA Payload Decode : DOI : IPSEC (1)
+31228 06/01/2005 19:05:22.120 SEV=8 IKEDECODE/0 RPT=28391 12.34.56.78 Proposal Decode:
+31233 06/01/2005 19:05:22.120 SEV=8 IKEDECODE/0 RPT=28393 12.34.56.78 Phase 1 SA Attribute Decode for Transform # 1:
+31238 06/01/2005 19:05:22.120 SEV=12 IKEDECODE/0 RPT=28394 IKE Decode of received SA attributes follows: 0000: 80010005 80020002 80030001 80040002 ................
+31241 06/01/2005 19:05:22.120 SEV=7 IKEDBG/0 RPT=41557 12.34.56.78 Oakley proposal is acceptable
+31244 06/01/2005 19:05:22.230 SEV=9 IKEDBG/46 RPT=12648 12.34.56.78 constructing Cisco Unity VID payload
+31245 06/01/2005 19:05:22.230 SEV=9 IKEDBG/46 RPT=12649 12.34.56.78 constructing xauth V6 VID payload
+31247 06/01/2005 19:05:22.230 SEV=9 IKEDBG/38 RPT=1153 12.34.56.78 Constructing VPN 3000 spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)
+31286 06/01/2005 19:05:22.460 SEV=8 AUTHDBG/1 RPT=1302 AUTH_Open() returns 277
+31287 06/01/2005 19:05:22.460 SEV=7 AUTH/12 RPT=1302 Authentication session opened: handle = 277
+31311 06/01/2005 19:05:22.560 SEV=6 AUTH/41 RPT=1240 12.34.56.78 Authentication successful: handle = 277, server = Internal, group = L2L: Smc
+31325 06/01/2005 19:05:22.560 SEV=4 AUTH/22 RPT=1084 User [L2L: Smc] Group [L2L: Smc] connected, Session Type: IPSec/LAN-to-LAN
+31326 06/01/2005 19:05:22.570 SEV=4 AUTH/84 RPT=1029 LAN-to-LAN tunnel to headend device 12.34.56.78 connected
+31351 06/01/2005 19:05:22.580 SEV=7 AUTH/13 RPT=1300 Authentication session closed: handle = 277
+31352 06/01/2005 19:05:25.540 SEV=4 EVENT/39 RPT=1915 Event Manager erased file(s) LOG34591.TXT when saving file: log35028.txt
+22929 04/06/2005 10:07:08.170 SEV=3 AUTH/5 RPT=10801 66.119.119.212 Authentication rejected: Reason = Unspecified handle = 732, server = 162.116.30.137, user = Romano_Bobby, domain = <not specified>
+Nov 23 19:10:03 test.net 24067 23/11/2006 19:10:03.123 SEV=4 IKE/52 RPT=764 112.10.1.1 Group [NONE] User [xyz] User (xyz) authenticated.
--- /dev/null
+Sep 14 07:21:42 iron vpopmail[939]: vchkpw-pop3: password fail keith1@xxxx.com:219.136.100.198
+Sep 14 07:21:42 iron vpopmail[937]: vchkpw-pop3: password fail keith2@xxxx.com:219.136.100.198
+Sep 14 07:21:42 iron vpopmail[935]: vchkpw-pop3: password fail keith3@xxxx.com:219.136.100.198
+Sep 14 07:21:42 iron vpopmail[931]: vchkpw-pop3: password fail keith4@xxxx.com:219.136.100.198
+Sep 14 07:21:41 iron vpopmail[923]: vchkpw-pop3: password fail keith5@xxxx.com:219.136.100.198
+Sep 14 07:21:40 iron vpopmail[910]: vchkpw-pop3: password fail keith6@xxxx.com:219.136.100.198
+Sep 14 07:21:40 iron vpopmail[903]: vchkpw-pop3: password fail keith7@xxxx.com:219.136.100.198
+Sep 14 07:21:40 iron vpopmail[901]: vchkpw-pop3: password fail keith9@xxxx.com:219.136.100.198
+Sep 14 07:21:39 iron vpopmail[899]: vchkpw-pop3: password fail keitha@xxxx.com:219.136.100.198
+Sep 14 07:21:39 iron vpopmail[896]: vchkpw-pop3: password fail keithb@xxxx.com:219.136.100.198
+Sep 14 07:21:39 iron vpopmail[893]: vchkpw-pop3: password fail keithc@xxxx.com:219.136.100.198
+Sep 14 07:21:39 iron vpopmail[890]: vchkpw-pop3: password fail keithd@xxxx.com:219.136.100.198
+Sep 14 07:21:38 iron vpopmail[883]: vchkpw-pop3: password fail keithe@xxxx.com:219.136.100.198
+Sep 14 07:21:38 iron vpopmail[888]: vchkpw-pop3: password fail keithf@xxxx.com:219.136.100.198
+Sep 14 07:21:38 iron vpopmail[881]: vchkpw-pop3: password fail keithg@xxxx.com:219.136.100.198
+Sep 14 07:21:38 iron vpopmail[884]: vchkpw-pop3: password fail keithh@xxxx.com:219.136.100.198
+Sep 14 07:21:38 iron vpopmail[878]: vchkpw-pop3: password fail keithi@xxxx.com:219.136.100.198
+Sep 14 07:21:38 iron vpopmail[872]: vchkpw-pop3: password fail keithj@xxxx.com:219.136.100.198
+Sep 14 07:21:38 iron vpopmail[873]: vchkpw-pop3: password fail keithk@xxxx.com:219.136.100.198
+Sep 14 07:21:38 iron vpopmail[876]: vchkpw-pop3: password fail keithl@xxxx.com:219.136.100.198
+Sep 14 07:21:38 iron vpopmail[870]: vchkpw-pop3: password fail keithm@xxxx.com:219.136.100.198
+Sep 14 07:21:38 iron vpopmail[868]: vchkpw-pop3: password fail keithn@xxxx.com:219.136.100.198
+Sep 14 07:21:38 iron vpopmail[866]: vchkpw-pop3: password fail keitho@xxxx.com:219.136.100.198
+Sep 14 07:21:38 iron vpopmail[863]: vchkpw-pop3: password fail keithp@xxxx.com:219.136.100.198
+Sep 14 07:21:37 iron vpopmail[858]: vchkpw-pop3: password fail keithq@xxxx.com:219.136.100.198
+Sep 14 07:21:37 iron vpopmail[860]: vchkpw-pop3: password fail keiths@xxxx.com:219.136.100.198
--- /dev/null
+86 200.255.5.155 TCP_MISS/404 1495 GET http://pawlacz.com/nul.php - DIRECT/193.84.182.19 text/html
+588 200.255.5.155 TCP_MISS/404 1495 GET http://pawlacz.com/nul.php - DIRECT/193.84.182.19 text/html
+9 200.255.5.155 TCP_NEGATIVE_HIT/404 726 GET http://arborfolia.com/nul.php - NONE/- text/html
+326 200.255.5.155 TCP_MISS/404 717 GET http://arborfolia.com/nul.php - DIRECT/66.49.208.142 text/html
+1001 200.255.5.155 TCP_MISS/404 4439 GET http://appaloosa.no/nul.php - DIRECT/85.19.133.103 text/html
+966 200.255.5.155 TCP_MISS/404 4439 GET http://appaloosa.no/nul.php - DIRECT/85.19.133.103 text/html
+543 200.255.5.155 TCP_MISS/404 518 GET http://1point2.iae.nl/nul.php - DIRECT/212.61.24.92 text/html
+545 200.255.5.155 TCP_MISS/404 518 GET http://1point2.iae.nl/nul.php - DIRECT/212.61.24.92 text/html
+504 200.255.5.155 TCP_MISS/404 443 GET http://ujscie.one.pl/nul.php - DIRECT/82.96.66.63 text/html
+
+
+OSSEC HIDS Notification.
+2006 Jun 20 08:09:32
+
+Received From: (wrouter) 200.255.5.3->/usr/local/squid/var/logs/access.log
+Rule: 5055 fired (level 10) -> "Multiple attempts to access a non-existent file.'"
+Portion of the log(s):
+
+576 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html
+543 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html
+955 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
+934 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
+328 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
+329 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
+546 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
+512 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
+2085 200.255.5.155 TCP_MISS/404 502 GET http://www.jonogueira.com/nul.php - DIRECT/69.0.160.233 text/html
+
+
+
+ --END OF NOTIFICATION
+
+
+
+ OSSEC HIDS Notification.
+ 2006 Jun 20 08:09:33
+
+ Received From: (wrouter) 200.255.5.3->/usr/local/squid/var/logs/access.log
+ Rule: 5055 fired (level 10) -> "Multiple attempts to access a non-existent file.'"
+ Portion of the log(s):
+
+ 1004 200.255.5.155 TCP_MISS/404 1812 GET http://avenue.ee/nul.php - DIRECT/195.5.116.3 text/html
+ 784 200.255.5.155 TCP_MISS/404 1812 GET http://avenue.ee/nul.php - DIRECT/195.5.116.3 text/html
+ 543 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html
+ 955 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
+ 934 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
+ 328 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
+ 329 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
+ 546 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
+ 512 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
+
+http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=223894
+
+http://www.trendmicro.co.jp/vinfo/virusencyclo/default5.asp?VName=TROJ_BAGLE.EY&VSect=T
--- /dev/null
+Fri Mar 31 10:22:44 2006 0 201.44.122.146 32003 /usr/pages/users/resende/htdocs/images/festas/bannerterror.jpg a _ d r canalresende ftp 0 * c
+
+ "Fri Mar 31 10:22:45 2006 0 201.44.122.146 88302
+ /usr/pages/users/resende/htdocs/images/festas/banterror.jpg a _ d r
+ canalresende ftp 0 * c"
+
+Mon Apr 17 18:27:14 2006 1 64.160.42.130 0 /pub/lyx/devel/log b _ o a mozilla@example.com ftp 0 * i
+Mon Apr 17 18:27:20 2006 2 64.160.42.130 42930 /pub/lyx/devel/log/qtbuild.log b _ o a mozilla@example.com ftp 0 * c
+Mon Apr 17 20:35:20 2006 1 66.249.66.74 0 /pub/noweb b _ o a googlebot@google.com ftp 0 * i
+Tue Apr 18 00:29:01 2006 176 193.219.28.2 6359760 /pub/lyx/devel/lyx-devel.tar.bz2 b _ o a mirror@icm.edu.pl ftp 0 * i
+Tue Apr 18 00:30:02 2006 60 193.219.28.2 0 /pub/lyx/devel/log/xformsbuild.log b _ o a mirror@icm.edu.pl ftp 0 * i
+Tue Apr 18 00:31:02 2006 60 193.219.28.2 0 /pub/lyx/devel/log/qtbuild.log b _ o a mirror@icm.edu.pl ftp 0 * i
+Tue Apr 18 10:47:30 2006 1 66.249.65.137 0 /pub/lyx/html b _ o a googlebot@google.com ftp 0 * i
+Tue Apr 18 15:48:41 2006 1 83.135.64.94 0 /pub/lyx b _ o a mozilla@example.com ftp 0 * i
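Review bot: The second record in this xferlog sample is wrapped across three physical lines and enclosed in double quotes (`"Fri Mar 31 10:22:45 2006 0 201.44.122.146 88302` / `/usr/pages/users/.../banterror.jpg a _ d r` / `canalresende ftp 0 * c"`), so a line-oriented reader sees three fragments rather than one xferlog entry, none of which has the field layout of the first line. This looks like text pasted from a mail or wiki rather than a log. I would collapse it into a single unquoted line in the same form as the first record, e.g. `Fri Mar 31 10:22:45 2006 0 201.44.122.146 88302 /usr/pages/users/resende/htdocs/images/festas/banterror.jpg a _ d r canalresende ftp 0 * c`, and drop the surrounding blank lines.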
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/mailscanner_rules.xml, 2011/09/08 dcid Exp $
+
- Example of MailScanner rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/mcafee_av_rules.xml, 2011/09/08 dcid Exp $
+
- McAfee AV rules for OSSEC.
-
- Copyright (C) 2008 Michael Starks
- Foundation.
-->
-<var name="MCAFEE_ERROR">^259|^100|^1000|^1001|^1002|^1003|^1004|^1005|^1006|^1007|^1008|^5003|^5005|^5008|^5010|^5011|^5019|^5020|^5021|^5022|^5030|^5031|^5032|^5033|^5034|^5035|^5046|^5047|^5048|^5049|^5051|^5054|^5057|^5059|^5060|^5063|^5063</var>
-<var name="MCAFEE_WARN">^258|^5001|^5028|^5036|^5037|^5038|^5039|^5040|^5041|^5053|^5056|^5061|^5062|^5065</var>
-<var name="MCAFEE_INFO">^257|^5000|^5026|^5052|^5055</var>
+<var name="MCAFEE_ERROR">^259$|^100$|^1000$|^1001$|^1002$|^1003$|^1004$|^1005$|^1006$|^1007$|^1008$|^5003$|^5005$|^5008$|^5010$|^5011$|^5019$|^5020$|^5021$|^5022$|^5030$|^5031$|^5032$|^5033$|^5034$|^5035$|^5046$|^5047$|^5048$|^5049$|^5051$|^5054$|^5057$|^5059$|^5060$|^5063$|^5063$</var>
+<var name="MCAFEE_WARN">^258$|^5001$|^5028$|^5036$|^5037$|^5038$|^5039$|^5040$|^5041$|^5053$|^5056$|^5061$|^5062$|^5065$</var>
+<var name="MCAFEE_INFO">^257$|^5000$|^5026$|^5052$|^5055$</var>
<var name="MCAFEE_VIRUS_OK">quarantined|moved to quarantine|file was deleted|deleted successfully|has been deleted|message deleted|deleted after|cleaned|successfully deleted</var>
<var name="MCAFEE_VIRUS">The file \.+ contain|infected with|User defined detection|scan found|error attempting to clean</var>
<var name="MCAFEE_FREQ">10</var>
<description>McAfee Windows AV - Scan completed with no viruses found.</description>
</rule>
- <rule id="7509" level="7">
+ <rule id="7509" level="5">
<if_sid>7500</if_sid>
<match>scan was cancelled |has taken too long</match>
<description>McAfee Windows AV - Virus scan cancelled.</description>
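Review bot: The new `MCAFEE_ERROR` value still ends in `^5063$|^5063$`, so the code is listed twice; the duplicate predates the anchoring change but the commit carries it over, and dropping one `|^5063$` leaves the variable equivalent while removing the hint that a different code was meant. The level change on `<rule id="7509">` from 7 to 5 is not explained anywhere in the hunk; a one-line XML comment above the rule recording why cancelled scans were downgraded would help the next maintainer.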
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/ms-exchange_rules.xml, 2011/09/08 dcid Exp $
+
- Example of MS Exchange rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/ms-se_rules.xml, 2011/09/08 dcid Exp $
+
- Official Microsoft Security Essentials rules for OSSEC.
-
- Copyright (C) 2010 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/ms_dhcp_rules.xml, 2011/09/08 dcid Exp $
+
- Microsoft Windows 2003 ipv4, Windows 2008 ipv4/ipv6 DHCP rules for OSSEC.
- Author: phishphreek@gmail.com
- License: http://www.ossec.net/en/licensing.html (http://gplv3.fsf.org)
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/ms_ftpd_rules.xml, 2011/09/08 dcid Exp $
+
- Example of Microsoft FTP rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/msauth_rules.xml, 2011/09/08 dcid Exp $
+
- Example of Microsoft Windows (2000, XP, 2003) rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<rule id="18106" level="5">
<if_sid>18105</if_sid>
- <id>^529|^530|^531|^532|^533|^534|^535|^536|^537|^539|^4625</id>
+ <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
<description>Windows Logon Failure.</description>
<group>win_authentication_failed,</group>
</rule>
<rule id="18107" level="3">
<if_sid>18104</if_sid>
- <id>^528|^540|^672|^673|^4624|^4769</id>
+ <id>^528$|^540$|^672$|^673$|^4624$|^4769$</id>
<description>Windows Logon Success.</description>
<group>authentication_success,</group>
</rule>
<rule id="18108" level="4">
<if_sid>18105</if_sid>
- <id>^577</id>
+ <id>^577$</id>
<description>Failed attempt to perform a privileged </description>
<description>operation.</description>
</rule>
<rule id="18109" level="3">
<if_sid>18104</if_sid>
- <id>^682|^683</id>
+ <id>^682$|^683$</id>
<description>Session reconnected/disconnected to winstation.</description>
</rule>
<rule id="18110" level="8">
<if_sid>18104</if_sid>
- <id>^624|^626|^645|^4720|^4722|^4741</id>
+ <id>^624$|^626$|^645$|^4720$|^4722$|^4741$</id>
<description>User account enabled or created.</description>
<group>adduser,account_changed,</group>
</rule>
<rule id="18111" level="8">
<if_sid>18104</if_sid>
- <id>^628|^642|^685|^4738|^4781</id>
+ <id>^628$|^642$|^685$|^4738$|^4781$</id>
<description>User account changed.</description>
<group>account_changed,</group>
</rule>
<rule id="18112" level="8">
<if_sid>18104</if_sid>
- <id>^630|^629|^4725|^4726</id>
+ <id>^630$|^629$|^4725$|^4726$</id>
<description>User account disabled or deleted.</description>
<group>adduser,account_changed,</group>
</rule>
<rule id="18113" level="8">
<if_sid>18104</if_sid>
- <id>^612|^643|^4719|^4907|^4912</id>
+ <id>^612$|^643$|^4719$|^4907$|^4912$</id>
<description>Windows Audit Policy changed.</description>
<group>policy_changed,</group>
</rule>
<rule id="18115" level="8">
<if_sid>18104</if_sid>
- <id>^640</id>
+ <id>^640$</id>
<description>General account database changed.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com259.html</info>
<group>adduser,account_changed,</group>
<rule id="18116" level="9">
<if_sid>18104</if_sid>
- <id>^644|^4740</id>
+ <id>^644$|^4740$</id>
<description>User account locked out (multiple login errors).</description>
<group>authentication_failures,</group>
</rule>
<rule id="18117" level="7">
<if_sid>18104</if_sid>
- <id>^513|^4609</id>
+ <id>^513$|^4609$</id>
<description>Windows is shutting down.</description>
<group>system_shutdown,</group>
</rule>
<rule id="18118" level="9">
<if_sid>18104</if_sid>
- <id>^517</id>
+ <id>^517$</id>
<description>Windows audit log was cleared.</description>
<group>logs_cleared,</group>
</rule>
<rule id="18120" level="0">
<if_sid>18105</if_sid>
- <id>^680</id>
+ <id>^680$</id>
<description>Windows login attempt (ignored). Duplicated.</description>
</rule>
<rule id="18125" level="5">
<if_sid>18102, 18103</if_sid>
- <id>^20187|^20014|^20078|^20050|^20049|^20189</id>
+ <id>^20187$|^20014$|^20078$|^20050$|^20049$|^20189$</id>
<description>Remote access login failure.</description>
<group>authentication_failed,</group>
</rule>
<rule id="18126" level="3">
<if_sid>18101</if_sid>
- <id>^20158</id>
+ <id>^20158$</id>
<description>Remote access login success.</description>
<group>authentication_success,</group>
</rule>
<rule id="18127" level="8">
<if_sid>18104</if_sid>
- <id>^646|^647</id>
+ <id>^646$|^647$</id>
<description>Computer account changed/deleted.</description>
<group>account_changed,</group>
</rule>
<rule id="18129" level="8">
<if_sid>18103</if_sid>
- <id>^13570</id>
+ <id>^13570$</id>
<description>Windows file system full.</description>
<group>low_diskspace,</group>
</rule>
<!-- Granular windows login rules -->
<rule id="18130" level="5">
<if_sid>18106</if_sid>
- <id>^529</id>
+ <id>^529$</id>
<description>Logon Failure - Unknown user or bad password.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com190.html</info>
<group>win_authentication_failed,</group>
<rule id="18131" level="5">
<if_sid>18106</if_sid>
- <id>^530</id>
+ <id>^530$</id>
<description>Logon Failure - Account logon time restriction </description>
<description>violation.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com191.html</info>
<rule id="18132" level="5">
<if_sid>18106</if_sid>
- <id>^531</id>
+ <id>^531$</id>
<description>Logon Failure - Account currently disabled.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com192.html</info>
<group>win_authentication_failed,login_denied,</group>
<rule id="18133" level="5">
<if_sid>18106</if_sid>
- <id>^532</id>
+ <id>^532$</id>
<description>Logon Failure - Specified account expired.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com193.html</info>
<group>win_authentication_failed,login_denied,</group>
<rule id="18134" level="7">
<if_sid>18106</if_sid>
- <id>^533</id>
+ <id>^533$</id>
<description>Logon Failure - User not allowed to login at </description>
<description>this computer.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com194.html</info>
<rule id="18135" level="5">
<if_sid>18106</if_sid>
- <id>^534</id>
+ <id>^534$</id>
<description>Logon Failure - User not granted logon type.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com195.html</info>
<group>win_authentication_failed,</group>
<rule id="18136" level="5">
<if_sid>18106</if_sid>
- <id>^535</id>
+ <id>^535$</id>
<description>Logon Failure - Account's password expired.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com196.html</info>
<group>win_authentication_failed,</group>
<rule id="18137" level="5">
<if_sid>18106</if_sid>
- <id>^536|^537</id>
+ <id>^536$|^537$</id>
<description>Logon Failure - Internal error.</description>
<group>win_authentication_failed,</group>
</rule>
<rule id="18138" level="7">
<if_sid>18106</if_sid>
- <id>^539</id>
+ <id>^539$</id>
<description>Logon Failure - Account locked out.</description>
<group>win_authentication_failed,</group>
</rule>
<rule id="18139" level="5">
<if_sid>18105</if_sid>
- <id>^672|^673|^675|^676|^681|^4769</id>
+ <id>^672$|^673$|^675$|^676$|^681$|^4769$</id>
<description>Windows DC Logon Failure.</description>
<group>win_authentication_failed,</group>
</rule>
- <rule id="18140" level="7">
+ <rule id="18140" level="5">
<if_sid>18104</if_sid>
- <id>^520</id>
+ <id>^520$</id>
<description>System time changed.</description>
<group>time_changed,</group>
</rule>
<rule id="18141" level="7">
<if_sid>18102</if_sid>
- <id>^1076</id>
+ <id>^1076$</id>
<match>unexpected shutdown</match>
<group>system_error, system_shutdown,</group>
<description>Unexpected Windows shutdown.</description>
<rule id="18142" level="5">
<if_sid>18104</if_sid>
- <id>^671|^4767</id>
+ <id>^671$|^4767$</id>
<description>User account unlocked.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com291.html</info>
<group>account_changed,</group>
<rule id="18143" level="8">
<if_sid>18114</if_sid>
- <id>^631|^635|^658</id>
+ <id>^631$|^635$|^658$</id>
<description>Security enabled group created.</description>
<group>adduser,account_changed,</group>
</rule>
<rule id="18144" level="8">
<if_sid>18114</if_sid>
- <id>^634|^638|^662</id>
+ <id>^634$|^638$|^662$</id>
<description>Security enabled group deleted.</description>
<group>adduser,account_changed,</group>
</rule>
<!-- Some services change their startup type automatically -->
<rule id="18145" level="3">
<if_sid>18101</if_sid>
- <id>^7040</id>
+ <id>^7040$</id>
<group>policy_changed,</group>
<description>Service startup type was changed.</description>
<info type="text">This does not appear to be logged on Windows 2000.</info>
<rule id="18146" level="5">
<if_sid>18101</if_sid>
- <id>^11724</id>
+ <id>^11724$</id>
<options>alert_by_email</options>
<description>Application Uninstalled.</description>
</rule>
<rule id="18147" level="5">
<if_sid>18101</if_sid>
- <id>^11707</id>
+ <id>^11707$</id>
<options>alert_by_email</options>
<description>Application Installed.</description>
</rule>
<rule id="18148" level="3">
<if_sid>18104</if_sid>
- <id>^4608</id>
+ <id>^4608$</id>
<description>Windows is starting up.</description>
</rule>
<rule id="18149" level="3">
<if_sid>18104</if_sid>
- <id>^538|^4634|^4647</id>
+ <id>^538$|^4634$|^4647$</id>
<description>Windows User Logoff.</description>
</rule>
<rule id="18217" level="12">
<if_sid>18207,18208</if_sid>
- <regex> ID:\s+\p*S-1-5-32-544\p*</regex>
+ <regex> ID:\s+\p*S-1-5-32-544</regex>
<description>Administrators Group Changed</description>
<group>group_changed,win_group_changed,</group>
<info>http://support.microsoft.com/kb/243330</info>
-->
<rule id="18121" level="0">
<if_sid>18107,18149</if_sid>
- <id>^528|^538|^540</id>
+ <id>^528$|^538$|^540$</id>
<user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>
<description>Windows Logon Success (ignored).</description>
</rule>
<!-- MS SQL rules -->
<rule id="18180" level="5">
<if_sid>18105</if_sid>
- <id>^18456</id>
+ <id>^18456$</id>
<group>win_authentication_failed,</group>
<description>MS SQL Server Logon Failure.</description>
</rule>
<rule id="18181" level="3">
<if_sid>18104</if_sid>
- <id>^18454|^18453</id>
+ <id>^18454$|^18453$</id>
<description>MS SQL Server Logon Success.</description>
<group>authentication_success,</group>
</rule>
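Review bot: The regex edit on rule 18217, `<regex> ID:\s+\p*S-1-5-32-544</regex>`, appears to sit inside a commented-out block — the `-->` three lines below closes a comment whose opening is outside the visible lines — so the change has no runtime effect until the rule is re-enabled. Either uncomment the rule or add a short comment inside the block stating why it stays disabled, so the edit is not mistaken for a live change.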
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/mysql_rules.xml, 2011/09/08 dcid Exp $
+
- Official MySQL rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/named_rules.xml, 2011/09/08 dcid Exp $
+
- Example of Named rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<group name="syslog,named,">
- <rule id="12100" level="0" noalert="1">
+ <rule id="12100" level="0">
<decoded_as>named</decoded_as>
<description>Grouping of the named rules</description>
</rule>
<if_sid>12100</if_sid>
<regex>update \S+ denied</regex>
<description>DNS update using RFC2136 Dynamic protocol.</description>
- <!-- <info>http://www.isc.org/index.pl?/sw/bind/FAQ.php</info> dead link, and don't know what the issue is with this -->
</rule>
- <rule id="12108" level="4">
+ <rule id="12108" level="0">
<if_sid>12100</if_sid>
- <match>query (cache) denied</match>
- <description>Query cache denied (maybe config error).</description>
+ <match>query (cache) denied|: query (cache)</match>
+ <description>Query cache denied (probably config error).</description>
<info type="link">http://www.reedmedia.net/misc/dns/errors.html</info>
</rule>
<regex>^zone \S+: expired</regex>
<description>Zone transfer error.</description>
</rule>
-
+
+ <rule id="12113" level="0">
+ <if_sid>12100</if_sid>
+ <match>zone transfer deferred due to quota</match>
+ <description>Zone transfer deferred.</description>
+ </rule>
+
+ <rule id="12114" level="1">
+ <if_sid>12100</if_sid>
+ <match>bad owner name (check-names)</match>
+ <description>Hostname contains characters that check-names does not like.</description>
+ </rule>
+
+ <rule id="12115" level="0">
+ <if_sid>12100</if_sid>
+ <match>loaded serial|transferred serial</match>
+ <description>Zone transfer.</description>
+ </rule>
+
+ <rule id="12116" level="1">
+ <if_sid>12100</if_sid>
+ <match>syntax error near|</match>
+ <match>reloading configuration failed: unexpected token</match>
+ <description>Syntax error in a named configuration file.</description>
+ </rule>
+
+
+ <rule id="12117" level="1">
+ <if_sid>12100</if_sid>
+ <regex>refresh: retry limit for master \S+ exceeded</regex>
+ <description>Zone transfer rety limit exceeded</description>
+ </rule>
+
+ <rule id="12118" level="1">
+ <if_sid>12100</if_sid>
+ <match>already exists previous definition</match>
+ <description>Zone has been duplicated.</description>
+ </rule>
+
+ <rule id="12119" level="3">
+ <if_sid>12100</if_sid>
+ <match>starting BIND</match>
+ <description>BIND has been started</description>
+ </rule>
+
+ <rule id="12120" level="1">
+ <if_sid>12100</if_sid>
+ <match>has no address records</match>
+ <description>Missing A or AAAA record</description>
+ </rule>
+
+ <rule id="12121" level="1">
+ <if_sid>12100</if_sid>
+ <regex>zone \S+: \(master\) removed</regex>
+ <description>Zone has been removed from a master server</description>
+ </rule>
+
+ <rule id="12122" level="1">
+ <if_sid>12100</if_sid>
+ <regex>loading from master file \S+ failed: not at top of zone$</regex>
+ <description>Origin of zone and owner name of SOA do not match.</description>
+ </rule>
+
+ <rule id="12123" level="0">
+ <if_sid>12100</if_sid>
+ <match>already exists previous definition</match>
+ <description>Zone has been duplicated</description>
+ </rule>
+
+ <rule id="12125" level="3">
+ <if_sid>12100</if_sid>
+ <match>reloading configuration failed: unexpected end of input</match>
+ <description>BIND Configuration error.</description>
+ </rule>
+
+ <rule id="12126" level="0">
+ <if_sid>12100</if_sid>
+ <regex>zone \S+: \(master\) removed</regex>
+ <description>Zone has been removed from a master server</description>
+ </rule>
+
+ <rule id="12127" level="1">
+ <if_sid>12100</if_sid>
+ <regex>loading from master file \S+ failed: not at top of zone$</regex>
+ <description>Origin of zone and owner name of SOA do not match.</description>
+ </rule>
+
+ <rule id="12128" level="1">
+ <if_sid>12100</if_sid>
+ <match>^transfer of|</match>
+ <match>AXFR started$</match>
+ <description>Zone transfer.</description>
+ </rule>
+
+ <rule id="12129" level="4">
+ <if_sid>12128</if_sid>
+ <match>failed to connect: connection refused</match>
+ <description>Zone transfer failed, unable to connect to master.</description>
+ </rule>
+
+ <rule id="12130" level="2">
+ <if_sid>12100</if_sid>
+ <match>IPv6 interfaces failed</match>
+ <description>Could not listen on IPv6 interface.</description>
+ </rule>
+
+ <rule id="12131" level="2">
+ <if_sid>12100</if_sid>
+ <match>failed; interface ignored</match>
+ <description>Could not bind to an interface.</description>
+ </rule>
+
+ <rule id="12132" level="0">
+ <if_sid>12128</if_sid>
+ <match>failed while receiving responses: not authoritative</match>
+ <description>Master is not authoritative for zone.</description>
+ </rule>
+
+ <rule id="12133" level="4">
+ <if_sid>12100</if_sid>
+ <regex>open: \S+: permission denied$</regex>
+ <description>Could not open configuration file, permission denied.</description>
+ </rule>
+
+ <rule id="12134" level="4">
+ <if_sid>12100</if_sid>
+ <match>loading configuration: permission denied</match>
+ <description>Could not open configuration file, permission denied.</description>
+ </rule>
+
+ <rule id="12135" level="0">
+ <if_sid>12100</if_sid>
+ <match>IN SOA -E</match>
+ <description>Domain in SOA -E.</description>
+ </rule>
+
+ <rule id="12136" level="4">
+ <if_sid>12128</if_sid>
+ <match>failed to connect: host unreachable</match>
+ <description>Master appears to be down.</description>
+ </rule>
+
+ <rule id="12137" level="0">
+ <if_sid>12100</if_sid>
+ <match>IN AXFR -</match>
+ <description>Domain is queried for a zone transferred.</description>
+ </rule>
+
+ <rule id="12138" level="0">
+ <if_sid>12100</if_sid>
+ <match> IN A +</match>
+ <description>Domain A record found.</description>
+ </rule>
+
+ <rule id="12139" level="3">
+ <if_sid>12100</if_sid>
+ <regex>client \S+: bad zone transfer request: \S+: non-authoritative zone \(NOTAUTH\)</regex>
+ <description>Bad zone transfer request.</description>
+ </rule>
+
+ <rule id="12140" level="2">
+ <if_sid>12100</if_sid>
+ <match>refresh: failure trying master</match>
+ <description>Cannot refresh a domain from the master server.</description>
+ </rule>
+
+ <rule id="12141" level="1">
+ <if_sid>12100</if_sid>
+ <match>SOA record not at top of zone</match>
+ <description>Origin of zone and owner name of SOA do not match.</description>
+ </rule>
+
+ <rule id="12142" level="0">
+ <if_sid>12100</if_sid>
+ <match>command channel listening on</match>
+ <description>named command channel is listening.</description>
+ </rule>
+
+ <rule id="12143" level="0">
+ <if_sid>12100</if_sid>
+ <match>automatic empty zone</match>
+ <description>named has created an automatic empty zone.</description>
+ </rule>
+
+ <rule id="12144" level="9">
+ <if_sid>12100</if_sid>
+ <match>reloading configuration failed: out of memory</match>
+ <description>Server does not have enough memory to reload the configuration.</description>
+ </rule>
+
+ <rule id="12145" level="1">
+ <if_sid>12100</if_sid>
+ <regex>zone transfer \S+ denied</regex>
+ <description>zone transfer denied</description>
+ </rule>
+
+ <rule id="12146" level="0">
+ <if_sid>12100</if_sid>
+ <match>error sending response: host unreachable$</match>
+ <description>Cannot send a DNS response.</description>
+ </rule>
+
+ <rule id="12147" level="0">
+ <if_sid>12100</if_sid>
+ <regex>update forwarding \.+ denied$</regex>
+ <description>Cannot update forwarding domain.</description>
+ </rule>
+
+ <rule id="12148" level="0">
+ <if_sid>12100</if_sid>
+ <match>: parsing failed$</match>
+ <description>Parsing of a configuration file has failed.</description>
+ </rule>
+
</group> <!-- SYSLOG,NAMED -->
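Review bot: Three of the new rule pairs are duplicates under the same parent `<if_sid>12100</if_sid>`: 12118 and 12123 both match `already exists previous definition` (at level 1 and level 0 respectively), 12121 and 12126 share `zone \S+: \(master\) removed`, and 12122 and 12127 share `loading from master file \S+ failed: not at top of zone$`; only one of each pair can ever fire, so 12123, 12126 and 12127 should be removed or given a distinct purpose. Rule 12117's description has a typo, `Zone transfer rety limit exceeded` → `Zone transfer retry limit exceeded`. Rules 12116 and 12128 split their pattern over two `<match>` elements ending in `|`; a comment such as `<!-- two <match> elements are concatenated into one alternation -->` would make that intent clear to readers unfamiliar with the rule syntax.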
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/netscreenfw_rules.xml, 2011/09/08 dcid Exp $
+
- Official Netscreen Firewall rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/nginx_rules.xml, 2011/09/08 dcid Exp $
+
- Official Nginx rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
--- /dev/null
+ <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+ -->
+
+
+
+ <!-- Modify it at your will. -->
+
+<group name="local,syslog,openbsd">
+
+ <rule id="51500" level="0" noalert="1">
+ <decoded_as>bsd_kernel</decoded_as>
+ <description>Grouping of bsd_kernel alerts</description>
+ </rule>
+
+ <rule id="51501" level="1">
+ <if_sid>51500</if_sid>
+ <match>ichiic0: abort failed, status 0x40</match>
+ <description>A timeout occurred waiting for a transfer.</description>
+ </rule>
+
+ <rule id="51502" level="0">
+ <if_sid>51500</if_sid>
+ <match>Check Condition (error 0x70) on opcode 0x0</match>
+ <description>Check media in optical drive.</description>
+ </rule>
+
+ <rule id="51503" level="1">
+ <if_sid>51500</if_sid>
+ <match>BBB bulk-in clear stall failed</match>
+ <description>A disk has timed out.</description>
+ </rule>
+
+ <rule id="51504" level="1">
+ <if_sid>51500</if_sid>
+ <match>arp info overwritten for</match>
+ <description>arp info has been overwritten for a host</description>
+ </rule>
+
+ <rule id="51505" level="5">
+ <if_sid>51500</if_sid>
+ <match>was not properly unmounted</match>
+ <description>A filesystem was not properly unmounted, likely system crash</description>
+ </rule>
+
+ <rule id="51506" level="1">
+ <if_sid>51500</if_sid>
+ <match>UKC> quit</match>
+ <description>UKC was used, possibly modifying a kernel at boot time.</description>
+ </rule>
+
+ <rule id="51507" level="1">
+ <if_sid>51500</if_sid>
+ <match>Michael MIC failure</match>
+ <description>Michael MIC failure: Checksum failure in the tkip protocol.</description>
+ </rule>
+
+ <rule id="51508" level="2">
+ <if_sid>51500</if_sid>
+ <match>soft error (corrected)</match>
+ <description>A soft error has been corrected on a hard drive, </description>
+ <description>this is a possible early sign of failure.</description>
+ </rule>
+
+ <rule id="51509" level="1">
+ <if_sid>51500</if_sid>
+ <regex>acpithinkpad\d:</regex>
+ <match>unknown event</match>
+ <description>Unknown acpithinkpad event</description>
+ </rule>
+
+ <rule id="51510" level="5">
+ <if_sid>51500</if_sid>
+ <match>Critical temperature, shutting down</match>
+ <description>System shutdown due to temperature</description>
+ </rule>
+
+ <rule id="51511" level="1">
+ <if_sid>51500</if_sid>
+ <match>_AL0[0] _PR0 failed</match>
+ <description>Unknown ACPI event (bug 6299 in OpenBSD bug tracking system).</description>
+ </rule>
+
+ <rule id="51512" level="1">
+ <if_sid>51500</if_sid>
+ <match>ehci_freex: xfer=0xffff8000003ef800 not busy, 0x4f4e5155</match>
+ <description>USB diagnostic message.</description>
+ </rule>
+
+ <rule id="51513" level="1">
+ <if_sid>51500</if_sid>
+ <match>ichiic0: abort failed, status 0x0</match>
+ <description>Possible APM or ACPI event.</description>
+ </rule>
+
+ <rule id="51514" level="3">
+ <if_sid>51500</if_sid>
+ <match>Filesystem is not clean - run fsck</match>
+ <description>Unclean filesystem, run fsck.</description>
+ </rule>
+
+ <rule id="51515" level="0">
+ <if_sid>51500</if_sid>
+ <match>atascsi_passthru_done, timeout</match>
+ <description>Timeout in atascsi_passthru_done.</description>
+ </rule>
+
+ <rule id="51516" level="0">
+ <if_sid>51500</if_sid>
+ <regex>RTC BIOS diagnostic error 80\pclock_battery\p</regex>
+ <description>Clock battery error 80</description>
+ </rule>
+
+ <rule id="51518" level="3">
+ <if_sid>51500</if_sid>
+ <match>i/o error on block</match>
+ <description>I/O error on a storage device</description>
+ </rule>
+
+ <rule id="51519" level="1">
+ <if_sid>51500</if_sid>
+ <match>kbc: cmd word write error</match>
+ <description>kbc error.</description>
+ </rule>
+
+ <rule id="51520" level="1">
+ <if_sid>51500</if_sid>
+ <match>BBB reset failed, IOERROR</match>
+ <description>USB reset failed, IOERROR.</description>
+ </rule>
+
+ <rule id="51521" level="0" noalert="1">
+ <decoded_as>groupdel</decoded_as>
+ <description>Grouping for groupdel rules.</description>
+ <group>groupdel,</group>
+ </rule>
+
+ <rule id="51522" level="2">
+ <if_sid>51521</if_sid>
+ <match>group deleted</match>
+ <description>Group deleted.</description>
+ <group>groupdel,</group>
+ </rule>
+
+ <rule id="51523" level="0">
+ <program_name>savecore</program_name>
+ <match>no core dump</match>
+ <description>No core dumps.</description>
+ </rule>
+
+ <rule id="51524" level="4">
+ <program_name>reboot</program_name>
+ <match>rebooted by</match>
+ <description>System was rebooted.</description>
+ </rule>
+
+ <rule id="51525" level="0">
+ <program_name>^ftp-proxy</program_name>
+ <match>proxy cannot connect to server</match>
+ <description>ftp-proxy cannot connect to a server.</description>
+ </rule>
+
+ <rule id="51526" level="0">
+ <decoded_as>bsd_kernel</decoded_as>
+ <match>uncorrectable data error reading fsbn</match>
+ <description>Hard drive is dying.</description>
+ </rule>
+
+ <rule id="51527" level="0">
+ <decoded_as>bsd_kernel</decoded_as>
+ <match>^carp</match>
+ <action>state transition</action>
+ <status>MASTER -> BACKUP</status>
+ <description>CARP master to backup.</description>
+ </rule>
+
+ <rule id="51528" level="0">
+ <decoded_as>bsd_kernel</decoded_as>
+ <match>duplicate IP6 address</match>
+ <description>Duplicate IPv6 address.</description>
+ </rule>
+
+ <rule id="51529" level="0">
+ <decoded_as>bsd_kernel</decoded_as>
+ <match>failed loadfirmware of file</match>
+ <description>Could not load a firmware.</description>
+ </rule>
+
+ <rule id="51530" level="0">
+ <program_name>^hotplugd</program_name>
+ <match>Permission denied$</match>
+ <description>hotplugd could not open a file.</description>
+ </rule>
+
+</group> <!-- SYSLOG,LOCAL -->
+
+
+ <!-- EOF -->
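Review bot: Rule 51512 matches a literal kernel pointer, `ehci_freex: xfer=0xffff8000003ef800 not busy, 0x4f4e5155`, so it only fires for the one address seen on the author's machine; `<regex>ehci_freex: xfer=\S+ not busy</regex>` covers the message class instead. Rules 51526-51529 attach with `<decoded_as>bsd_kernel</decoded_as>` while every other kernel rule in the file chains on `<if_sid>51500</if_sid>`; using the parent rule consistently keeps the grouping evident. Rules 51521-51525 and 51530 (groupdel, savecore, reboot, ftp-proxy, hotplugd) are not kernel messages, and the closing comment `<!-- SYSLOG,LOCAL -->` does not match the group declared as `local,syslog,openbsd`; either rename the comment or move those rules to a local-rules file.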
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/ossec_rules.xml, 2012/03/30 dcid Exp $
+
- Official ossec rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<group>rootcheck,</group>
</rule>
+ <rule id="519" level="7">
+ <if_sid>516</if_sid>
+ <match>^System Audit: Web vulnerability</match>
+ <description>System Audit: Vulnerable web application found.</description>
+ <group>rootcheck,</group>
+ </rule>
+
<!-- Process monitoring rules -->
<rule id="530" level="0">
<if_sid>500</if_sid>
<match>cdrom|/media|usb|/mount|floppy|dvd</match>
<description>Ignoring external medias.</description>
</rule>
-
+
+ <rule id="533" level="7">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'netstat -tan</match>
+ <check_diff />
+ <description>Listened ports status (netstat) changed (new port opened or closed).</description>
+ </rule>
+
+ <rule id="534" level="1">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'w'</match>
+ <check_diff />
+ <options>no_log</options>
+ <description>List of logged in users. It will not be alerted by default.</description>
+ </rule>
+
+ <rule id="535" level="1">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'last -n </match>
+ <check_diff />
+ <options>no_log</options>
+ <description>List of the last logged in users.</description>
+ </rule>
+
<rule id="550" level="7">
<category>ossec</category>
<decoded_as>syscheck_integrity_changed</decoded_as>
<description>Microsoft Event log cleared.</description>
<group>logs_cleared,</group>
</rule>
+
+ <rule id="594" level="5">
+ <category>ossec</category>
+ <if_sid>550</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Integrity Checksum Changed</description>
+ </rule>
+
+ <rule id="595" level="5">
+ <category>ossec</category>
+ <if_sid>551</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Integrity Checksum Changed Again (2nd time)</description>
+ </rule>
+
+ <rule id="596" level="5">
+ <category>ossec</category>
+ <if_sid>552</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Integrity Checksum Changed Again (3rd time)</description>
+ </rule>
+
+ <rule id="597" level="5">
+ <category>ossec</category>
+ <if_sid>553</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Entry Deleted. Unable to Retrieve Checksum</description>
+ </rule>
+
+ <rule id="598" level="5">
+ <category>ossec</category>
+ <if_sid>554</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Entry Added to the System</description>
+ </rule>
+
+<!-- active response rules
+Example:
+Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
+-->
+
+<rule id="600" level="0">
+ <decoded_as>ar_log</decoded_as>
+ <description>Active Response Messages Grouped</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="601" level="3">
+ <if_sid>600</if_sid>
+ <action>firewall-drop.sh</action>
+ <status>add</status>
+ <description>Host Blocked by firewall-drop.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="602" level="3">
+ <if_sid>600</if_sid>
+ <action>firewall-drop.sh</action>
+ <status>delete</status>
+ <description>Host Unblocked by firewall-drop.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="603" level="3">
+ <if_sid>600</if_sid>
+ <action>host-deny.sh</action>
+ <status>add</status>
+ <description>Host Blocked by host-deny.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="604" level="3">
+ <if_sid>600</if_sid>
+ <action>host-deny.sh</action>
+ <status>delete</status>
+ <description>Host Unblocked by host-deny.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="605" level="3">
+ <if_sid>600</if_sid>
+ <action>route-null.sh</action>
+ <status>add</status>
+ <description>Host Blocked by route-null.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="606" level="3">
+ <if_sid>600</if_sid>
+ <action>route-null.sh</action>
+ <status>delete</status>
+ <description>Host Unblocked by route-null.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
</group> <!-- OSSEC -->
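Review bot: `<rule id="600" level="0">` at the head of the active-response block is indented one level less than every other rule in the file, and it is a grouping rule without `noalert="1"` while the grouping rules this same commit adds elsewhere (51500, 51521) carry it and the commit drops it from 12100; the three should follow one convention. The `<check_diff />` rules 533-535 depend on the command-monitoring output format `ossec: output: '...` and 533 alerts at level 7 on any netstat change; a comment above 533 such as `<!-- requires <localfile> command monitoring of netstat -tan; diff of output is alerted -->` would document that prerequisite for operators enabling it.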
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/pam_rules.xml, 2012/07/23 dcid Exp $
+
- Official Unix Pam rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<description>Ignoring Annoying Ubuntu/debian cron login events.</description>
</rule>
+ <rule id="5523" level="0">
+ <if_sid>5504</if_sid>
+ <regex>^pam_unix\S+: check pass; user unknown$</regex>
+ <description>Ignoring events with a user or a password.</description>
+ </rule>
+
<rule id="5551" level="10" frequency="6" timeframe="180">
<if_matched_sid>5503</if_matched_sid>
<same_source_ip />
<group>authentication_failures,</group>
</rule>
+ <rule id="5552" level="0">
+ <if_sid>5500</if_sid>
+ <match>gdm:auth): conversation failed</match>
+ <description>PAM and gdm are not playing nicely.</description>
+ </rule>
+
+ <rule id="5553" level="4">
+ <program_name>login</program_name>
+ <match>cannot open shared object file: No such file or directory</match>
+ <description>PAM misconfiguration.</description>
+ </rule>
+
+ <rule id="5554" level="4">
+ <program_name>login</program_name>
+ <match>illegal module type: </match>
+ <description>PAM misconfiguration.</description>
+ </rule>
+
+ <rule id="5555" level="3">
+ <match>: password changed for</match>
+ <description>User changed password.</description>
+ </rule>
+
+
</group> <!-- SYSLOG,pam -->
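Review bot: Rule 5555 (`<match>: password changed for</match>`) has no `<if_sid>`, `<decoded_as>` or `<program_name>`, unlike every other rule in the hunk, so it appears to be a top-level rule evaluated against every event and will fire on any log line containing that text; adding `<if_sid>5500</if_sid>` scopes it to PAM events. Rule 5523's description, `Ignoring events with a user or a password.`, does not describe what its regex `check pass; user unknown` matches; `Ignoring pam_unix 'check pass' events for an unknown user.` would.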
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/php_rules.xml, 2012/05/09 dcid Exp $
+
- Official PHP rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<options>alert_by_email</options>
</rule>
+ <rule id="31413" level="5" ignore="1200">
+ <if_sid>31410</if_sid>
+ <match>bytes written, possibly out of free disk space in</match>
+ <description>PHP internal error (server out of space).</description>
+ <options>alert_by_email</options>
+ <group>low_diskspace,</group>
+ </rule>
<!-- PHP Fatal errors
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/pix_rules.xml, 2011/11/01 dcid Exp $
+
- Official PIX rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<rule id="4386" level="10" frequency="8" timeframe="240">
<if_matched_sid>4334</if_matched_sid>
- <description>Nultiple AAA (VPN) authentication failures.</description>
+ <description>Multiple AAA (VPN) authentication failures.</description>
<group>authentication_failures,</group>
</rule>
</group> <!-- SYSLOG,PIX -->
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/policy_rules.xml, 2011/09/08 dcid Exp $
+
- Official Policy rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/postfix_rules.xml, 2011/09/08 dcid Exp $
+
- Official postfix rules for OSSEC.
- Author: Ahmet Ozturk
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/postgresql_rules.xml, 2011/09/08 dcid Exp $
+
- Official PostgreSQL rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/proftpd_rules.xml, 2011/09/08 dcid Exp $
+
- Official Proftpd rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<if_sid>11200</if_sid>
<match>error setting IPV6_V6ONLY: Protocol not available|</match>
<match> - mod_delay/|PAM(setcred): System error|</match>
- <match>PAM(close_session): System error</match>
+ <match>PAM(close_session): System error|cap_set_proc failed|reverting to normal operation|error retrieving information about user</match>
<description>IPv6 error and mod-delay info (ignored).</description>
</rule>
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/pure-ftpd_rules.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/racoon_rules.xml, 2011/09/08 dcid Exp $
+
- Racoon VPN rules for OSSEC HIDS.
- Author: Daniel B. Cid
- License: http://www.ossec.net/en/licensing.html
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/roundcube_rules.xml, 2011/09/08 dcid Exp $
+
- Official Roundcube rules for OSSEC.
-
- Author: Michael Starks
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/rules_config.xml, 2011/09/08 dcid Exp $
+
- Rules config.
- Configuration options. This file must always be included, otherwise
- most of the rules will not work properly.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/sendmail_rules.xml, 2011/09/08 dcid Exp $
+
- Official sendmail rules for OSSEC.
- Author: Ahmet Ozturk
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/smbd_rules.xml, 2011/09/08 dcid Exp $
+
- Official SMB rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<match>Unable to connect to CUPS server</match>
<description>Samba network problems (unable to connect).</description>
</rule>
+
+ <rule id="13106" level="0" noalert="1">
+ <decoded_as>nmbd</decoded_as>
+ </rule>
+
+ <rule id="13108" level="1">
+ <if_sid>13100</if_sid>
+ <match>smbd is already running</match>
+ <description>An attempt has been made to start smbd but the process is already running.</description>
+ </rule>
+
+ <rule id="13109" level="1">
+ <if_sid>13106</if_sid>
+ <match>nmbd is already running</match>
+ <description>An attempt has been made to start nmbd but the process is already running.</description>
+ </rule>
+
+ <rule id="13110" level="2">
+ <if_sid>13100</if_sid>
+ <match>Connection denied from</match>
+ <description>Connection was denied.</description>
+ </rule>
+
+ <rule id="13111" level="3">
+ <if_sid>13100</if_sid>
+ <match>Socket is not connected</match>
+ <description>Socket is not connected, write failed.</description>
+ </rule>
+
+ <rule id="13112" level="3">
+ <decoded_as>iptables</decoded_as>
+ <match>gvfsd-smb</match>
+ <regex>segfault at \S+ ip \S+ sp \S+ error \d+ in</regex>
+ <description>Segfault in gvfs-smb.</description>
+ </rule>
+
+
+
</group> <!-- SYSLOG,SMBD, -->
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/solaris_bsm_rules.xml, 2011/09/08 dcid Exp $
+
- Official Solaris BSM Auditing rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/sonicwall_rules.xml, 2011/09/08 dcid Exp $
+
- Official SonicWall rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/spamd_rules.xml, 2011/09/08 dcid Exp $
+
- Spamd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/squid_rules.xml, 2011/09/08 dcid Exp $
+
- Official Squid rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: sshd_rules.xml,v 1.22 2010/12/19 14:50:14 ddp Exp $
- Official SSHD rules for OSSEC.
-
- - Copyright (C) 2009 Trend Micro Inc.
+ - Copyright (C) 2009-2011 Trend Micro Inc.
- All rights reserved.
-
- This program is a free software; you can redistribute it
<if_sid>5700</if_sid>
<match>error: Could not get shadow information for NOUSER|</match>
<match>fatal: Read from socket failed: |error: ssh_msg_send: write|</match>
- <match>^syslogin_perform_logout: </match>
+ <match>^syslogin_perform_logout: |^pam_succeed_if(sshd:auth): error retrieving information about user|can't verify hostname: getaddrinfo</match>
<description>Useless SSHD message without an user/ip and context.</description>
</rule>
<if_sid>5700</if_sid>
<match>authentication failure; logname= uid=0 euid=0 tty=ssh|</match>
<match>input_userauth_request: invalid user|</match>
- <match>PAM: User not known to the underlying authentication module for illegal user</match>
+ <match>PAM: User not known to the underlying authentication module for illegal user|</match>
+ <match>error retrieving information about user</match>
<description>Useless/Duplicated SSHD message without a user/ip.</description>
</rule>
<rule id="5719" level="10" frequency="6" timeframe="120" ignore="60">
<if_matched_sid>5718</if_matched_sid>
<description>Multiple access attempts using a denied user.</description>
+ <group>invalid_login,</group>
</rule>
<rule id="5720" level="10" frequency="6">
<description>Multiple SSHD authentication failures.</description>
<group>authentication_failures,</group>
</rule>
+
+ <rule id="5721" level="0">
+ <if_sid>5700</if_sid>
+ <match>Received disconnect from</match>
+ <description>System disconnected from sshd.</description>
+ </rule>
+
+ <rule id="5722" level="0">
+ <if_sid>5700</if_sid>
+ <match>Connection closed</match>
+ <description>ssh connection closed.</description>
+ </rule>
+
+ <rule id="5723" level="0">
+ <if_sid>5700</if_sid>
+ <match>error: buffer_get_bignum2_ret: negative numbers not supported</match>
+ <info>This maybe a bad key in authorized_keys.</info>
+ <description>SSHD key error.</description>
+ </rule>
+
+ <rule id="5724" level="0">
+ <if_sid>5700</if_sid>
+ <match>fatal: buffer_get_bignum2: buffer error</match>
+ <info>This error may relate to ssh key handling.</info>
+ <description>SSHD key error.</description>
+ </rule>
+
+ <rule id="5725" level="0">
+ <if_sid>5700</if_sid>
+ <match>fatal: Write failed: Host is down</match>
+ <description>Host ungracefully disconnected.</description>
+ </rule>
+
+ <rule id="5726" level="5">
+ <if_sid>5700</if_sid>
+ <match>error: PAM: Module is unknown for</match>
+ <description>Unknown PAM module, PAM misconfiguration.</description>
+ </rule>
+
+ <rule id="5727" level="0">
+ <if_sid>5700</if_sid>
+ <match>failed: Address already in use.</match>
+ <description>Attempt to start sshd when something already bound to the port.</description>
+ </rule>
+
+ <rule id="5728" level="4">
+ <if_sid>5700</if_sid>
+ <match>Authentication service cannot retrieve user credentials</match>
+ <info>May be related to PAM module errors.</info>
+ <description>Authentication services were not able to retrieve user credentials.</description>
+ <group>authentication_failed</group>
+ </rule>
+
+ <rule id="5729" level="0">
+ <if_sid>5700</if_sid>
+ <match>debug1: attempt</match>
+ <description>Debug message.</description>
+ </rule>
+
+ <rule id="5730" level="4">
+ <if_sid>5700</if_sid>
+ <regex>error: connect to \S+ port \d+ failed: Connection refused</regex>
+ <description>SSHD is not accepting connections.</description>
+ </rule>
+
+ <rule id="5731" level="6">
+ <if_sid>5700</if_sid>
+ <match>AKASSH_Version_Mapper1.</match>
+ <description>SSH Scanning.</description>
+ <group>recon,</group>
+ </rule>
+
+ <rule id="5732" level="0">
+ <if_sid>5700</if_sid>
+ <match>error: connect_to </match>
+ <description>Possible port forwarding failure.</description>
+ </rule>
+
+ <rule id="5733" level="0">
+ <if_sid>5700</if_sid>
+ <match>Invalid credentials</match>
+ <description>User entered incorrect password.</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <rule id="5734" level="0">
+ <if_sid>5700</if_sid>
+ <match>Could not load host key</match>
+ <description>sshd could not load one or more host keys.</description>
+ <info>This may be related to an upgrade to OpenSSH.</info>
+ </rule>
+
+ <rule id="5735" level="0">
+ <if_sid>5700</if_sid>
+ <match>Write failed: Broken pipe</match>
+ <description>Failed write due to one host disappearing.</description>
+ </rule>
+
+ <rule id="5736" level="0">
+ <if_sid>5700</if_sid>
+ <match>^error: setsockopt SO_KEEPALIVE: Connection reset by peer$|</match>
+ <match>^error: accept: Software caused connection abort$</match>
+ <description>Connection reset or aborted.</description>
+ </rule>
+
+ <rule id="5737" level="5">
+ <if_sid>5700</if_sid>
+ <match>^fatal: Cannot bind any address.$</match>
+ <description>sshd cannot bind to configured address.</description>
+ </rule>
+
+ <rule id="5738" level="5">
+ <if_sid>5700</if_sid>
+ <match>set_loginuid failed opening loginuid$</match>
+ <description>pam_loginuid could not open loginuid.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
</group> <!-- SYSLOG, SSHD -->
<!-- EOF -->
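Review bot: Rule 5728 tags `<group>authentication_failed</group>` without the trailing comma every other group element in this file carries, and together with 5738 it introduces the group name `authentication_failed` while 5720 and 5733 use `authentication_failures`; anything keyed on the existing name (`<if_group>`, composite rules, reports) will not see these events. Suggest `<group>authentication_failures,</group>` in both 5728 and 5738. Rule 5733 ("Invalid credentials") is level 0 yet carries `authentication_failures,`; at level 0 the event is ignored, so either the group tag is dead weight or a non-zero level was intended, and a short comment on the rule should say which. The enclosing `<group>` element starts outside this hunk.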
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/symantec-av_rules.xml, 2011/09/08 dcid Exp $
+
- Official Symantec AV rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/symantec-ws_rules.xml, 2011/09/08 dcid Exp $
+
- Official Symantec Web Security rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: syslog_rules.xml,v 1.22 2010/11/25 17:06:17 ddp Exp $
- Official Generic Syslog rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<description>Process exiting (killed).</description>
<group>service_availability,</group>
</rule>
+
+ <rule id="1009" level="0">
+ <if_sid>1002</if_sid>
+ <match>terminated without error|can't verify hostname: getaddrinfo|</match>
+ <match>PPM exceeds tolerance</match>
+ <description>Ignoring known false positives on rule 1002..</description>
+ </rule>
</group> <!-- SYSLOG,ERRORS -->
<match>^Authentication passed</match>
<description>Pop3 Authentication passed.</description>
</rule>
+
+ <rule id="2507" level="0">
+ <decoded_as>openldap</decoded_as>
+ <description>OpenLDAP group.</description>
+ </rule>
+
+ <rule id="2508" level="3">
+ <if_sid>2507</if_sid>
+ <match>ACCEPT from</match>
+ <description>OpenLDAP connection open.</description>
+ </rule>
+
+ <rule id="2509" level="5" timeframe="10" frequency="0">
+ <if_sid>2507</if_sid>
+ <if_matched_sid>2508</if_matched_sid>
+ <same_id />
+ <match>RESULT tag=97 err=49</match>
+ <description>OpenLDAP authentication failed.</description>
+ </rule>
+
</group> <!-- SYSLOG,ACESSCONTROL -->
<rule id="5111" level="0">
<if_sid>5100</if_sid>
- <match>ipw2200: Firmware error detected.</match>
+ <match>ipw2200: Firmware error detected.| ACPI Error</match>
<description>Kernel device error.</description>
</rule>
<options>alert_by_email</options>
<description>First time (su) is executed by user.</description>
</rule>
+
+ <rule id="5306" level="0">
+ <if_sid>5300</if_sid>
+ <match>unknown class</match>
+ <info>OpenBSD uses login classes, and an inappropriate login class was used.</info>
+ <description>A user has attempted to su to an unknown class.</description>
+ </rule>
+
</group> <!-- SYSLOG,SU -->
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/telnetd_rules.xml, 2011/09/08 dcid Exp $
+
- Telnetd rules for OSSEC.
- Author: Ahmet Ozturk
- License: http://www.ossec.net/en/licensing.html
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_da.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_de.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_en.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_es.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_fr.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_fr_funny.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_it.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_nl.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_no.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_pt_br.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_ro.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_sk.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_sv.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/translated/pure_ftpd/pure-ftpd_rules_tr.xml, 2011/09/08 dcid Exp $
+
- Official pure-ftpd rules for OSSEC.
- Author: Peter Ahlert <peter@ifup.de>
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/trend-osce_rules.xml, 2011/09/08 dcid Exp $
+
- Official Trend Micro OSCE (Office Scan) rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/vmpop3d_rules.xml, 2011/09/08 dcid Exp $
+
- Official rules for vm-pop3d.
-
- License: http://www.ossec.net/en/licensing.html
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/vmware_rules.xml, 2011/09/08 dcid Exp $
+
- Official VMWare ESX rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/vpn_concentrator_rules.xml, 2011/09/08 dcid Exp $
+
-
- Official Cisco VPN Concentrator rules for OSSEC.
-
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/vpopmail_rules.xml, 2011/09/08 dcid Exp $
+
- Official rules for vpopmail.
-
- Author: Ceg Ryan <cegryan ( at ) gmail.com>
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/vsftpd_rules.xml, 2011/09/08 dcid Exp $
+
- Official vsftpd rules for OSSEC.
- Author: Joachim Vorrath <joachim.vorrath@vorrath-net.de>
- Author: Jorge Augusto Senger <jorge@br10.com.br>
--- /dev/null
+<!-- @(#) $Id: ./etc/rules/web_appsec_rules.xml, 2012/08/11 dcid Exp $
+
+ -
+ - Web attacks/vulns specific rules for OSSEC.
+ -
+ - Copyright (C) 2012 Daniel B. Cid (dcid@dcid.me)
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -->
+
+
+<!-- Collection of rules for common web attacks that we are seeing in the wild.
+ - The real goal is to stop bots and automated attacks from doing further damage
+ - on sites that are not updated.
+ -->
+<group name="web,appsec,attack">
+
+
+
+ <!-- Checking POST / requests - WP comment spam coming from fake search engines.
+ -->
+ <rule id="31501" level="6">
+ <if_sid>31100</if_sid>
+ <match>POST /</match>
+ <url>/wp-comments-post.php</url>
+ <regex>Googlebot|MSNBot|BingBot</regex>
+ <description>WordPress Comment Spam (coming from a fake search engine UA).</description>
+ </rule>
+
+ <!-- Timthumb scans.
+ -->
+ <rule id="31502" level="6">
+ <if_sid>31100</if_sid>
+ <url>thumb.php|timthumb.php</url>
+ <regex> "GET \S+thumb.php?src=\S+.php</regex>
+ <description>TimThumb vulnerability exploit attempt.</description>
+ </rule>
+
+ <!-- osCommerce login.php bypass
+ -->
+ <rule id="31503" level="6">
+ <if_sid>31100</if_sid>
+ <url>login.php</url>
+ <regex> "POST /\S+.php/login.php?cPath=</regex>
+ <description>osCommerce login.php bypass attempt.</description>
+ </rule>
+
+ <!-- osCommerce file manager login.php bypass
+ -->
+ <rule id="31504" level="6">
+ <if_sid>31100</if_sid>
+ <url>login.php</url>
+ <regex> "GET /\S+/admin/file_manager.php/login.php</regex>
+ <description>osCommerce file manager login.php bypass attempt.</description>
+ </rule>
+
+ <!-- Timthumb backdoor access.
+ -->
+ <rule id="31505" level="6">
+ <if_sid>31100</if_sid>
+ <url>/cache/external</url>
+ <regex> "GET /\S+/cache/external\S+.php</regex>
+ <description>TimThumb backdoor access attempt.</description>
+ </rule>
+
+ <!-- Timthumb backdoor access.
+ -->
+ <rule id="31506" level="6">
+ <if_sid>31100</if_sid>
+ <url>cart.php</url>
+ <regex> "GET /\S+cart.php?\S+templatefile=../</regex>
+ <description>Cart.php directory transversal attempt.</description>
+ </rule>
+
+ <!-- MSSQL IIS inject rules -->
+ <rule id="31507" level="6">
+ <if_sid>31100</if_sid>
+ <url>DECLARE%20@S%20CHAR|%20AS%20CHAR</url>
+ <description>MSSQL Injection attempt (ur.php, urchin.js).</description>
+ </rule>
+
+ <!-- BAD/Annoying user agents -->
+ <rule id="31508" level="6">
+ <if_sid>31100</if_sid>
+ <match> "ZmEu"| "libwww-perl/</match>
+ <description>Blacklisted user agent (known malicious user agent).</description>
+ </rule>
+
+ <!-- WordPress wp-login.php brute force -->
+ <rule id="31509" level="3">
+ <if_sid>31108</if_sid>
+ <url>wp-login.php</url>
+ <regex>] "POST \S+wp-login.php</regex>
+ <description>WordPress login attempt.</description>
+ </rule>
+
+ <!-- If we see frequent wp-login POST's, it is likely a bot. -->
+ <rule id="31510" level="6" frequency="4" timeframe="120" ignore="30">
+ <if_matched_sid>31509</if_matched_sid>
+ <same_source_ip />
+ <description>WordPress wp-login.php brute force attempt.</description>
+ </rule>
+
+ <!-- Nothing wrong with wget per se, but it misses a lot of links
+ - that generates many 404s. Blocking it to avoid the noise.
+ -->
+ <rule id="31511" level="6">
+ <if_sid>31100</if_sid>
+ <match>" "Wget/</match>
+ <description>Blacklisted user agent (wget).</description>
+ </rule>
+
+ <!-- Uploadify scans.
+ -->
+ <rule id="31512" level="6">
+ <if_sid>31100</if_sid>
+ <url>uploadify.php</url>
+ <regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex>
+ <description>TimThumb vulnerability exploit attempt.</description>
+ </rule>
+
+ <!-- BBS delete.php skin_path.
+ -->
+ <rule id="31513" level="6">
+ <if_sid>31100</if_sid>
+ <url>delete.php</url>
+ <regex> "GET \S+/delete.php?board_skin_path=http://\S+.php</regex>
+ <description>BBS delete.php exploit attempt.</description>
+ </rule>
+
+ <!-- Anomaly rules - Used on common web attacks -->
+ <rule id="31550" level="6">
+ <if_sid>31100</if_sid>
+ <url>%00</url>
+ <regex> "GET /\S+.php?\S+%00</regex>
+ <description>Anomaly URL query (attempting to pass null termination).</description>
+ </rule>
+
+
+
+
+
+
+
+
+</group>
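Review bot: The comment above rule 31506 (`<!-- Timthumb backdoor access. -->`) is copied from 31505, but the rule matches `cart.php` with `templatefile=../`, and its description misspells "traversal" as "transversal"; suggest `<!-- cart.php directory traversal via templatefile. -->` and `<description>Cart.php directory traversal attempt.</description>`. Rule 31512 likewise reuses 31502's description "TimThumb vulnerability exploit attempt." while matching `uploadify.php`, so alerts from the two cannot be told apart in reports; `<description>Uploadify vulnerability exploit attempt.</description>` keeps them distinct. Separately, every rule in this file is level 6, and the installer strings in this same commit enable host-deny/firewall-drop "for levels >= 6", so 31511 (user agent Wget, which the comment itself says is not malicious) and the `libwww-perl/` branch of 31508 will block legitimate clients on a default install; if blocking is not the intent, document it in an `<info>` element or set those two below the response threshold.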
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/web_rules.xml, 2012/05/08 dcid Exp $
+
-
- Official Web access rules for OSSEC.
-
<group>attack,</group>
</rule>
+ <rule id="31110" level="6">
+ <if_sid>31100</if_sid>
+ <url>?-d|?-s|?-a|?-b|?-w</url>
+ <description>PHP CGI-bin vulnerability attempt.</description>
+ <group>attack,</group>
+ </rule>
+
+ <rule id="31109" level="6">
+ <if_sid>31100</if_sid>
+ <url>+as+varchar(8000)</url>
+ <regex>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</regex>
+ <description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
+ <group>attack,</group>
+ </rule>
+
+
<!-- If your site have a search engine, you may need to ignore
- it in here.
-->
<description>Ignored URLs for the web attacks</description>
</rule>
- <rule id="31115" level="13" maxsize="2900">
+ <rule id="31115" level="13" maxsize="5900">
<if_sid>31100</if_sid>
<description>URL too long. Higher than allowed on most </description>
<description>browsers. Possible attack.</description>
<rule id="31151" level="10" frequency="10" timeframe="120">
<if_matched_sid>31101</if_matched_sid>
<same_source_ip />
- <description>Mutiple web server 400 error codes </description>
+ <description>Multiple web server 400 error codes </description>
<description>from same source ip.</description>
<group>web_scan,recon,</group>
</rule>
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/wordpress_rules.xml, 2011/09/08 dcid Exp $
+
- Official Wordpress rules for OSSEC.
-
- Author: Daniel B. Cid
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/zeus_rules.xml, 2011/09/08 dcid Exp $
+
-
- Official Zeus rules for OSSEC.
-
# Parte 3.1/agente
serverip="Qual é o endereço de IP do servidor OSSEC HIDS?"
+serveraddr="Qual é o endereço de IP/hostname do servidor OSSEC HIDS?"
addingip="Adicionando IP do servidor"
+addingname="Adicionando hostname do servidor"
# Parte 3.2
# Part 3.1/agent
serverip="请输入 OSSEC HIDS 服务器的IP地址"
+serveraddr="请输入 OSSEC HIDS 服务器的IP地址或主机名"
addingip="添加服务器IP "
+addingname="添加服务器主机名 "
# Part 3.2
/var/www/logs/error_log
/var/log/httpd/error_log
/var/log/httpd/access_log
+/var/log/nginx/access.log
+/var/log/nginx/error.log
/var/log/apache2/error.log
/var/log/apache2/access.log
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
+ <include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
+ <include>openbsd_rules.xml</include>
+ <include>clam_av_rules.xml</include>
+ <include>bro-ids_rules.xml</include>
+ <include>dropbear_rules.xml</include>
<include>local_rules.xml</include>
</rules>
/var/log/asl.log
/var/log/dpkg.log
/var/log/vmware/hostd.log
+/var/log/proftpd/proftpd.log
# Part 3.1/agent
serverip="Wiw lautet die IP Addresse des OSSEC HIDS Servers?"
+serveraddr="Wiw lautet die IP Addresse/Host des OSSEC HIDS Servers?"
addingip="Server IP hinzugefügt"
+addingname="Server Host hinzugefügt"
# Part 3.2
# Part 3.1/agent
serverip="Ποιά είναι η διεύθυνση IP του διακομιστή OSSEC HIDS;"
+serveraddr="Ποιά είναι η διεύθυνση IP/Host του διακομιστή OSSEC HIDS;"
addingip="Προστέθηκε η διεύθυνση διακομιστή"
+addingname="Προστέθηκε η διεύθυνση διακομιστή"
# Part 3.2
user="User"
host="Host"
hitanyorabort="Press ENTER to continue or Ctrl-C to abort."
-whattoinstall="What kind of installation do you want (server, agent, local or help)?"
+whattoinstall="What kind of installation do you want (server, agent, local, hybrid or help)?"
serverchose="Server installation chosen"
clientchose="Agent(client) installation chosen"
localchose="Local installation chosen"
whatsmtp="What's your SMTP server ip/host?"
# Part 3.1/agent
-serverip="What's the IP Address of the OSSEC HIDS server?"
+serveraddr="What's the IP Address or hostname of the OSSEC HIDS server?"
addingip="Adding Server IP"
+addingname="Adding Hostname"
+configprofile="Enter the agent's config profile name (default: blank)"
+addingcfg="Setting agent's config profile name"
# Part 3.2
- - You have three installation options: server, agent or local.
+ - You have these installation options: server, agent, local, or hybrid.
- If you choose 'server', you will be able to analyze all
the logs, create e-mail notifications and responses,
the server does, except receiving remote messages from
the agents or external syslog devices.
+ - If you choose 'hybrid', you get the 'local' installation
+ plus the 'agent' installation.
+
- Choose 'server' if you are setting up a log/analysis server.
- Choose 'agent' if you have another machine to run as a log
- Choose 'local' if you only have one system to monitor.
+ - Choose 'hybrid' if you want this standalone system to analyze
+ local logs before forwarding alerts to another server.
+
- More information at:
http://www.ossec.net/en/manual.html#starting
# Part 3.1/agent
serverip="Cuál es la direccion del servidor OSSEC HIDS?"
+serveraddr="Cuál es la direccion ó nombre de vuestro del servidor OSSEC HIDS?"
addingip="Agregando el IP del servidor"
-
+addingname="Agregando el nombre del servidor"
# Part 3.2
runsyscheck="Desea Usted agregar el servidor de integridad del sistema?"
# Part 3.1/agent
serverip="Quelle est l'adresse IP de votre serveur OSSEC HIDS ?"
+serveraddr="Quelle est l'adresse IP ou le nom d'hôte de votre serveur OSSEC HIDS ?"
addingip="Ajout de l'IP du Serveur"
+addingname="Ajout de le nom d'hôte du Serveur"
# Part 3.2
--- /dev/null
+
+ Hiba 0x1.
+ Ez a script csak a saját könyvtárából futtatható.
+ Kérem lépjen be a kérdéses script könyvtárába mielőtt futtatná.
+ Úgy kell futtatnia, mint ./install.sh ."
+
--- /dev/null
+
+ Hiba 0x2.
+ Ezen script használatához root jogosultsággal kell remdelkeznie.
+
--- /dev/null
+
+ Hiba 0x3.
+ A telepítés folytatásához szüksége van egy fordító programra (pl. gcc vagy cc).
+
--- /dev/null
+
+ Hiba 0x4.
+ Rossz telepítési típus. Csak agent(kliens), szerver vagy lokális lehet.
+
--- /dev/null
+
+ Hiba 0x5.
+ Hiba merült fel a kompilálás közben. Nem tudtam befejezni a telepítést.
+
--- /dev/null
+ ** A Magyar nyelvű telepítéshez válassza [hu].
--- /dev/null
+# Configuration
+yes="i"
+no="n"
+yesmatch="i"
+nomatch="n"
+agent="agent"
+local="lokális"
+server="szerver"
+help="segítség"
+
+# Global
+moreinfo="További információk: "
+starting="OSSEC HIDS Indítása"
+systemis="A rendszer"
+modifiedinit="Init script módosítva, hogy bootoláskor automatikusan indítsa az OSSEC HIDS-et."
+noboot="Ismeretlen rendszer. Nincs init script hozzáadva."
+
+# Part 1
+installscript="Telepítő Script"
+system="Rendszer"
+user="Felhasználó"
+host="Hoszt"
+hitanyorabort="Nyomjon ENTER-t a folytatáshoz vagy Ctrl-C-t a megszakításhoz."
+whattoinstall="Milyen típusú telepítést szeretne? (szerver, agent, lokális vagy segítség)?"
+serverchose="Szerver telepítés kiválasztva"
+clientchose="Agent(kliens) telepítés kiválasztva"
+localchose="Lokális telepítés kiválasztva"
+
+# Part 2
+settingupenv="A telepítési környezet létrehozása"
+wheretoinstall="Válassza ki az OSSEC HIDS telepítési helyét"
+installat="A telepítés a következő helyre történik: "
+deletedir="A célkönyvtár már létezik. Törölhetem?"
+
+# Part 3
+configuring="A következő konfigurálása: "
+mailnotify="Szeretne e-mail értesítést?"
+nomail="E-mail értesítés kikapcsolva"
+whatsemail="Mi az ön e-mail címe?"
+yoursmtp="Az ön SMTP szerverének állapota: "
+usesmtp="Szeretné használni?"
+usingsmtp="SMTP szerver használata: "
+whatsmtp="Mi az ön SMTP szerverének ip címe/hoszt neve?"
+
+# Part 3.1/agent
+serverip="Mi az IP címe az OSSEC HIDS szervernek?"
+serveraddr="Mi az IP címe/hoszt neve az OSSEC HIDS szervernek?"
+addingip="Szerver IP hozzáadása"
+addingname="Szerver hoszt neve hozzáadása"
+
+
+# Part 3.2
+runsyscheck="Szeretné futtatni az integritás ellenőrző démont?"
+nosyscheck="Rendszerellenőrzés mellőzése (integritás ellenőrző démon)"
+yessyscheck="Rendszerellenőrzés futtatása (integritás ellenőrző démon)"
+
+# Part 3.3
+runrootcheck="Szeretné futtatni a rootkit detektáló motort?"
+norootcheck="Gyökérellenőrzés mellőzése (rootkit detektálás)"
+yesrootcheck="Gyökérellenőrzés futtatása (rootkit detektálás)"
+
+# Part 3.4/server/local
+enable_ar="Szeretné bekapcsolni az active response funkciót?"
+noactive="Active response kikapcsolva"
+nohosts="host-deny kikapcsolva"
+yeshosts="host-deny bekapcsolva (lokális) for levels >= 6"
+firewallar="Szeretné bekapcsolni a firewall-drop response funkciót?"
+nofirewall="firewall-drop kikapcsolva."
+yesfirewall="firewall-drop bekapcsolva (lokális) for levels >= 6"
+defaultwhitelist="Alapértelmezett fehér lista az active response számára:"
+addwhite="Szeretne további IP címeket hozzáadni a fehér listához?"
+ipswhite="IP-k (szóközzel elválasztva): "
+
+# Part 3.5/server/local
+syslog="Be szeretné kapcsolni a távoli rendszernaplózást (port 514 udp)?"
+nosyslog="Távoli rendszernaplózás kikapcsolva"
+yessyslog="Távoli rendszernaplózás bekapcsolva"
+
+# Part 3.4/3.5
+readlogs="A konfiguráció beállítása a következő naplók elemzéséhez:"
+
+# Part 5
+installing="A rendszer telepítése"
+runningmake="A Make fájl futtatása"
+
+# Final
+configurationdone="A konfiguráció sikeresen befejeződött"
+tostart="Az OSSEC HIDS indítása"
+tostop="Az OSSEC HIDS leállítása"
+configat="A konfigurációs fájl megtekinthető vagy módosítható itt: "
+addserveragent="A kliens és szerver összekapcsolásához, minden egyes klienst
+ hozzá kell adnia a szerverhez."
+runma="Futtassa a 'manage_agents' parancsot a kliensek hozzáadásához
+ vagy eltávolításához."
+presskey="A folytatáshoz nyomja meg az ENTER-t"
+
+# Update
+wanttoupdate="Az OSSEC már telepítve van. Szeretné frissíteni?"
+unabletoupdate="A frissítés nem lehetséges. Egy teljesen új installáció szükséges."
+updatecompleted="A frissítés sikeresen befejeződött."
+updatefailed="A frissítés meghiúsult."
+updaterules="Szeretné frissíteni a szabályokat?"
+updatingrules="A szabályok frissítése."
+notupdatingrules="Nincs szabály frissítés."
+
+# Pf support
+pfenable="Szeretné alkalmazni a PF tűzfalat az active response során?"
+nopf="PF response kikapcsolva."
+pftablename="Az alkalmazandó PF tábla neve?"
+pfmessage="Adja hozzá a következő sorokat a PF szabályainak kezdetéhez"
--- /dev/null
+ Ön elindította az OSSEC HIDS telepítési folyamatát.
+ Egy C fordító programnak, már előzőleg telepítve kell lennie a rendszerén.
+ Egyéb kérdések vagy észrevételek esetén, kérem küldjön egy e-mailt
+ a dcid@ossec.net vagy a (daniel.cid@gmail.com) címre.
+
--- /dev/null
+
+ - Három féle telepítési lehetősége van: szerver, agent(kliens) vagy helyi.
+
+ - Ha a 'szerver' opciót választja, akkor képes lesz kielemezni
+ minden naplót, létrehozni e-mail értesítéseket és válaszokat,
+ és ugyancsak lehetősége nyílik távoli syslog gépektől és
+ az 'agent'(kliens)-t futtató rendszerektől naplókat fogadni
+ (ahol a forgalom titkosított kapcsolaton keresztül zajlik a szerver felé).
+
+ - Ha az 'agent'(kliens) opciót választja, lehetősége lesz olvasni a
+ helyi fájlokat (a syslog-ból, snort-ból, apache-ból, stb.) és
+ továbbküldeni őket (titkosítva) a szerverre elemzés céljából.
+
+ - Ha a 'local'(helyi) opciót választja, akkor képes lesz mindazt megtenni,
+ amire a szerver képes, kivéve a távoli üzenetek(naplók) fogadását
+ a kliensektől vagy külső syslog eszközöktől.
+
+ - Válassza a 'szerver' telepítést, ha egy
+ naplózó/elemző szervert szeretne létrehozni.
+
+ - Válassza az 'agent' telepítést, ha van egy gépe, amit naplózó
+ szervernek használ és erre a szerverre szeretné továbbítani
+ a naplókat további elemzés céljából
+ (ideális megoldás webszervereknek, adatbázis szervereknek , stb).
+
+ - Válassza a 'lokális' telepítést, ha csak egy rendszere van,
+ amit monitoroznia kell.
+
+ - További információk: http://www.ossec.net/en/manual.html#starting
--- /dev/null
+
+ Köszönjük, hogy az OSSEC HIDS programot használja!
+ Ha egyéb kérdése, javaslata van, illetve valamilyen bugot talált
+ a programban, lépjen velünk kapcsolatba a contact@ossec.net,
+ vagy a nyilvános levelezőlistánkat használva az
+ ossec-list@ossec.net e-mail címeken.
+ ( http://www.ossec.net/main/support/ ).
+
+ További információkért látogasson el a http://www.ossec.net weboldalra.
+
+ --- A befejezéshez nyomjon ENTER-t (alább további információkat talál). ---
+
--- /dev/null
+
+ - Először hozzá kell adnia ezt a klienst a szerverhez,
+ így azok tudnak kommunikálni egymással. Amikor ezzel
+ végzett, már futtathatja a 'manage_agents' eszközt,
+ a hitelesítő kulcs szerverről történő importálásához.
--- /dev/null
+
+ - Nem történt intézkedés az OSSEC HIDS bootoláskor
+ történő automatikus indításának beállítása érdekében.
+ Adja hozzá a következő sort az ön init scriptjéhez.
--- /dev/null
+ - Ha egyéb fájlokat is szeretne monitorozni,
+ csak változtassa meg az ossec.conf-ot
+ és adjon hozzá egy új helyi fájl bejegyzést.
+ A konfigurálással kapcsolatos egyéb kérdéseire választ kaphat,
+ ha felkeresi weboldalunkat: http://www.ossec.net .
+
+ --- A folytatáshoz nyomja meg az ENTER billentyűt ---
+
--- /dev/null
+
+ 3.4- Az active response funkció lehetővé teszi
+ specifikus parancsok végrehajtását a beérkezett események alapján.
+ Például, önnek így lehetősége van blokkolni egy IP címet
+ vagy egy adott felhasználó hozzáférését.
+ További információk:
+ http://www.ossec.net/en/manual.html#active-response
--- /dev/null
+ - Active response bekapcsolva.
+
+ - Alapértelmezés szerint engedélyezheti a host-deny és a
+ firewall-drop responses funkciókat.
+ Az első hozzá fog adni egy hosztot az /etc/hosts.deny
+ fájlhoz, és a második pedig blokkolni fogja a hosztot
+ (linux esetében) az iptables vagy (Solaris, FreeBSD
+ vagy NetBSD esetében) az ipfilter tűzfalakban.
+ - Ezek a funkciók az SSHD brute force scan-ek,
+ a portscan-ek és néhány egyéb támadási forma
+ megakadályozására használhatók.
+ Példának okáért ezeket a blokkolási mechanizmusokat,
+ akár a snort riasztásokra is alapozhatja.
# Part 3.1/agent
serverip="Qual'è l'indirizzo IP del server OSSEC HIDS?"
+serveraddr="Qual'è l'indirizzo IP/host del server OSSEC HIDS?"
addingip="Aggiungo l'IP del Server"
-
+addingname="Aggiunta di host nome del Server"
# Part 3.2
runsyscheck="Vuoi attivare il demone di controllo dell'integrità?"
# Part 3.1/agent
serverip="OSSEC HIDS サーバの IP アドレスは何ですか?"
+serveraddr="OSSEC HIDS サーバの IP/hostname アドレスは何ですか?"
addingip="サーバの IP を加えています"
+addingname="サーバの hostname を加えています"
# Part 3.2
# Part 3.1/agent
serverip="Wat is het IP adres van uw OSSEC HIDS host?"
+serveraddr="Wat is het IP adres/host van uw OSSEC HIDS host?"
addingip="Toevoegen van server IP"
+addingname="Toevoegen van server host"
# Part 3.2
# Część 3.1/agent
serverip="Podaj adres IP serwera OSSEC HIDS."
+serveraddr="Podaj adres IP (hostname) serwera OSSEC HIDS."
addingip="Dodaje IP serwera"
+addingname="Dodaje hostname serwera"
# Część 3.2
# Part 3.1/agent
serverip="Какой IP адрес у Вашего OSSEC HIDS сервера?"
+serveraddr="Какой IP адрес (Hostname) у Вашего OSSEC HIDS сервера?"
addingip="Добавляется IP адрес сервера"
+addingname="Добавляется IP (host) адрес сервера"
# Part 3.2
# Part 3.1/agent
serverip="Koja je IP adresa OSSEC HIDS servera?"
+serveraddr="Koja je IP adresa/host OSSEC HIDS servera?"
addingip="Dodaje serverov IP"
+addingname="Dodaje serverov hostname"
# Part 3.2
# Part 3.1/agent
serverip="OSSEC HIDS sunucusunun IP adresi nedir?"
+serveraddr="OSSEC HIDS sunucusunun IP adresi veya ismi nedir?"
addingip="Sunucu IP adresi ekleniyor"
+addingname="Sunucu ismi ekleniyor"
# Part 3.2
#!/bin/sh
# Installation script for the OSSEC
# Author: Daniel B. Cid <daniel.cid@gmail.com>
-# Last modification: Mar 02, 2006
+# Last modification: Aug 30, 2012
# Changelog 19/03/2006 - Rafael M. Capovilla <under@underlinux.com.br>
# New function AddWhite to allow users to add more Ips in the white_list
# Changelog 15/07/2006 - Rafael M. Capovilla <under@underlinux.com.br>
# New function AddTable to add support for OpenBSD pf rules in firewall-drop active response
+# Changelog 29 March 2012 - Adding hybrid mode (standalone + agent)
+
### Looking up for the execution directory
echo "$0 debug"
echo "$0 binary-install"
exit 1;
- fi
+ fi
done
-
+
##########
{
echo ""
echo "5- ${installing}"
-
+
echo "DIR=\"${INSTALLDIR}\"" > ${LOCATION}
echo "CC=${CC}" >> ${LOCATION}
echo "GCC=${CC}" >> ${LOCATION}
echo "CLANG=clang" >> ${LOCATION}
-
+
# Changing Config.OS with the new C flags
# Checking if debug is enabled
if [ "X${SET_DEBUG}" = "Xdebug" ]; then
CEXTRA="${CEXTRA} -DDEBUGAD"
fi
-
+
echo "CEXTRA=${CEXTRA}" >> ./src/Config.OS
-
+
# Makefile
echo " - ${runningmake}"
cd ./src
cd ../
catError "0x5-build"
fi
-
- # Building everything
+
+ # Building everything
make build
if [ $? != 0 ]; then
cd ../
catError "0x5-build"
- fi
+ fi
fi
-
+
# If update, stop ossec
if [ "X${update_only}" = "Xyes" ]; then
UpdateStopOSSEC
- fi
+ fi
# Making the right installation type
if [ "X$INSTYPE" = "Xserver" ]; then
./InstallServer.sh
-
- elif [ "X$INSTYPE" = "Xagent" ]; then
+
+ elif [ "X$INSTYPE" = "Xagent" ]; then
./InstallAgent.sh
elif [ "X$INSTYPE" = "Xlocal" ]; then
fi
cd ../
-
-
+
+
# Generate the /etc/ossec-init.conf
VERSION_FILE="./src/VERSION"
VERSION=`cat ${VERSION_FILE}`
echo "TYPE=\"${INSTYPE}\"" >> ${OSSEC_INIT}
chmod 600 ${OSSEC_INIT}
cp -pr ${OSSEC_INIT} ${INSTALLDIR}${OSSEC_INIT}
- chmod 644 ${INSTALLDIR}${OSSEC_INIT}
-
+ chmod 640 ${INSTALLDIR}${OSSEC_INIT}
+
- # If update_rules is set, we need to tweak
+ # If update_rules is set, we need to tweak
# ossec.conf to read the new signatures.
if [ "X${update_rules}" = "Xyes" ]; then
UpdateOSSECRules
- fi
+ fi
# If update, start OSSEC
if [ "X${update_only}" = "Xyes" ]; then
- UpdateStartOSSEC
- fi
-
+ UpdateStartOSSEC
+ fi
+
# Calling the init script to start ossec hids during boot
if [ "X${update_only}" = "X" ]; then
runInit
if [ $? = 1 ]; then
notmodified="yes"
- fi
- fi
-
+ fi
+ fi
+
}
read AS
else
AS=${USER_ENABLE_SYSCHECK}
- fi
+ fi
echo ""
case $AS in
$nomatch)
SYSCHECK="yes"
echo " - ${yessyscheck}."
;;
- esac
+ esac
# Adding to the config file
if [ "X$SYSCHECK" = "Xyes" ]; then
UseRootcheck()
{
- # Rootkit detection configuration
+ # Rootkit detection configuration
echo ""
$ECHO " 3.3- ${runrootcheck} ($yes/$no) [$yes]: "
-
+
if [ "X${USER_ENABLE_ROOTCHECK}" = "X" ]; then
read ES
else
ES=${USER_ENABLE_ROOTCHECK}
- fi
-
+ fi
+
echo ""
case $ES in
$nomatch)
echo " <rootcheck>" >> $NEWCONFIG
echo " <disabled>yes</disabled>" >> $NEWCONFIG
echo " </rootcheck>" >> $NEWCONFIG
- fi
+ fi
}
##########
SetupLogs()
{
+ if [ "x${USER_CLEANINSTALL}" = "xy" ]; then
+ OPENDIR=`dirname $INSTALLDIR`
+ echo "" >> $NEWCONFIG
+ echo " <localfile>" >> $NEWCONFIG
+ echo " <log_format>ossecalert</log_format>" >> $NEWCONFIG
+ echo " <location>$OPENDIR/logs/alerts/alerts.log</location>" >>$NEWCONFIG
+ echo " </localfile>" >> $NEWCONFIG
+ echo "" >> $NEWCONFIG
+ return;
+ fi
NB=$1
echo ""
echo " <!-- Files to monitor (localfiles) -->" >> $NEWCONFIG
LOG_FILES=`cat ${SYSLOG_TEMPLATE}`
for i in ${LOG_FILES}; do
- # If log file present, add it
+ # If log file present, add it
ls $i > /dev/null 2>&1
if [ $? = 0 ]; then
echo " -- $i"
echo " <location>$i</location>" >>$NEWCONFIG
echo " </localfile>" >> $NEWCONFIG
fi
- done
+ done
+
# Getting snort files
SNORT_FILES=`cat ${SNORT_TEMPLATE}`
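Review bot: The early `USER_CLEANINSTALL` return in SetupLogs derives the alerts path from `dirname $INSTALLDIR`, which only points at the server's `logs/alerts/alerts.log` when the agent sits exactly one directory below the server, as the hybrid branch at the end of install.sh arranges with `USER_DIR="$INSTALLDIR/ossec-agent"`; nothing in this function states that assumption. Add `# Clean (hybrid) install: the agent lives in <server>/ossec-agent, so the server's alerts log is one level up` above the `OPENDIR=` line, and quote the expansion as `OPENDIR=\`dirname "$INSTALLDIR"\``. The `return;` also skips the `NB=$1` header and every other localfile entry, which is presumably intended for this mode but deserves a sentence in the same comment.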
if [ $? = 0 ]; then
echo "" >> $NEWCONFIG
echo " <localfile>" >> $NEWCONFIG
-
+
head -n 1 $i|grep "\[**\] "|grep -v "Classification:" > /dev/null
if [ $? = 0 ]; then
echo " <log_format>snort-full</log_format>" >> $NEWCONFIG
echo " -- $i (snort-fast file)"
fi
echo " <location>$i</location>" >>$NEWCONFIG
- echo " </localfile>" >> $NEWCONFIG
+ echo " </localfile>" >> $NEWCONFIG
fi
- done
-
+ done
+
# Getting apache logs
APACHE_FILES=`cat ${APACHE_TEMPLATE}`
for i in ${APACHE_FILES}; do
echo " <log_format>apache</log_format>" >> $NEWCONFIG
echo " <location>$i</location>" >>$NEWCONFIG
echo " </localfile>" >> $NEWCONFIG
-
+
echo " -- $i (apache log)"
fi
done
echo " <log_format>postgresql_log</log_format>" >> $NEWCONFIG
echo " <location>$i</location>" >>$NEWCONFIG
echo " </localfile>" >> $NEWCONFIG
-
+
echo " -- $i (postgresql log)"
fi
done
-
-
- echo ""
+
+ if [ "X$NUNAME" = "XLinux" ]; then
+ echo "" >> $NEWCONFIG
+ echo " <localfile>" >> $NEWCONFIG
+ echo " <log_format>command</log_format>" >> $NEWCONFIG
+ echo " <command>df -h</command>" >> $NEWCONFIG
+ echo " </localfile>" >> $NEWCONFIG
+ echo "" >> $NEWCONFIG
+ echo " <localfile>" >> $NEWCONFIG
+ echo " <log_format>full_command</log_format>" >> $NEWCONFIG
+ echo " <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>" >> $NEWCONFIG
+ echo " </localfile>" >> $NEWCONFIG
+ echo "" >> $NEWCONFIG
+ echo " <localfile>" >> $NEWCONFIG
+ echo " <log_format>full_command</log_format>" >> $NEWCONFIG
+ echo " <command>last -n 5</command>" >> $NEWCONFIG
+ echo " </localfile>" >> $NEWCONFIG
+ fi
+
+
+
+
+ echo ""
catMsg "0x106-logs"
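Review bot: The three `<command>` entries added for Linux are executed periodically by the log collector, and `netstat -tan` assumes net-tools is present; on a host without it the collector is likely to fail that command on every run. Guard the netstat block with a check such as `if command -v netstat > /dev/null 2>&1; then … fi`, mirroring the `ls … > /dev/null 2>&1` probes the function already uses for log files, or state in a comment that the entry is best-effort. A short comment above `if [ "X$NUNAME" = "XLinux" ]` explaining why these commands are monitored by default (disk usage, listening sockets, recent logins) would also help anyone reading the generated ossec.conf.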
+# install.sh
##########
# ConfigureClient()
##########
ConfigureClient()
{
- echo ""
- echo "3- ${configuring} $NAME."
- echo ""
-
- if [ "X${USER_AGENT_SERVER_IP}" = "X" ]; then
- # Looping and asking for server ip
+ echo ""
+ echo "3- ${configuring} $NAME."
+ echo ""
+
+ if [[ "X${USER_AGENT_SERVER_IP}" = "X" && "X${USER_AGENT_SERVER_NAME}" = "X" ]]; then
+ # Looping and asking for server ip or hostname
while [ 1 ]; do
- $ECHO " 3.1- ${serverip}: "
- read IPANSWER
- echo $IPANSWER | grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" > /dev/null 2>&1
+ $ECHO " 3.1- ${serveraddr}: "
+ read ADDRANSWER
+ # Is it an IP?
+ echo $ADDRANSWER | grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" > /dev/null 2>&1
if [ $? = 0 ]; then
- echo ""
- IP=$IPANSWER
- echo " - ${addingip} $IP"
+ echo ""
+ IP=$ADDRANSWER
+ echo " - ${addingip} $IP"
+ break;
+ # Must be a name
+ elif [ $? != 0 ]; then
+ echo ""
+ HNAME=$ADDRANSWER
+ echo " - ${addingname} $HNAME"
break;
fi
done
else
IP=${USER_AGENT_SERVER_IP}
- fi
+ HNAME=${USER_AGENT_SERVER_NAME}
+ fi
- echo "<ossec_config>" > $NEWCONFIG
+ echo "<ossec_config>" > $NEWCONFIG
echo " <client>" >> $NEWCONFIG
- echo " <server-ip>$IP</server-ip>" >> $NEWCONFIG
- echo " </client>" >> $NEWCONFIG
+ if [ "X${IP}" != "X" ]; then
+ echo " <server-ip>$IP</server-ip>" >> $NEWCONFIG
+ elif [ "X${HNAME}" != "X" ]; then
+ echo " <server-hostname>$HNAME</server-hostname>" >> $NEWCONFIG
+ fi
+ echo " </client>" >> $NEWCONFIG
echo "" >> $NEWCONFIG
# Syscheck?
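Review bot: The `[[ … && … ]]` test guarding the new server-address prompt is a bash construct, but this script runs under `#!/bin/sh`, so on a POSIX shell such as dash the condition errors out and the prompt is skipped; the rest of the file combines tests with `-a`, so write `if [ "X${USER_AGENT_SERVER_IP}" = "X" -a "X${USER_AGENT_SERVER_NAME}" = "X" ]; then`. The `elif [ $? != 0 ]` branch tests the status of the preceding `[ $? = 0 ]`, not the grep, so it is always true when reached and should simply be `else`. Nothing rejects an empty answer on the name path: an empty `ADDRANSWER` leaves both IP and HNAME unset and the generated `<client>` block contains neither `<server-ip>` nor `<server-hostname>`, so the name branch should `continue` the loop when `"X${ADDRANSWER}" = "X"`. The answer is also expanded unquoted in `echo $ADDRANSWER`; quote it, since it is user input fed to grep.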
read ANY
else
ANY=${USER_ENABLE_ACTIVE_RESPONSE}
- fi
-
+ fi
+
case $ANY in
$nomatch)
echo ""
{
echo ""
echo "3- ${configuring} $NAME."
-
-
+
+
# Configuring e-mail notification
echo ""
$ECHO " 3.1- ${mailnotify} ($yes/$no) [$yes]: "
-
+
if [ "X${USER_ENABLE_EMAIL}" = "X" ]; then
read ANSWER
else
ANSWER=${USER_ENABLE_EMAIL}
fi
-
+
case $ANSWER in
$nomatch)
echo ""
EMAILNOTIFY="yes"
$ECHO " - ${whatsemail} "
if [ "X${USER_EMAIL_ADDRESS}" = "X" ]; then
-
+
read EMAIL
echo "${EMAIL}" | grep -E "^[a-zA-Z0-9_.-]{1,36}@[a-zA-Z0-9_.-]{1,54}$" > /dev/null 2>&1 ;RVAL=$?;
# Ugly e-mail validation
else
EMAIL=${USER_EMAIL_ADDRESS}
fi
-
+
ls ${HOST_CMD} > /dev/null 2>&1
if [ $? = 0 ]; then
- HOSTTMP=`${HOST_CMD} -W 5 -t mx devmail.ossec.net 2>/dev/null`
+ HOSTTMP=`${HOST_CMD} -W 5 -t mx ossec.net 2>/dev/null`
if [ $? = 1 ]; then
- # Trying without the -W
- HOSTTMP=`${HOST_CMD} -t mx devmail.ossec.net 2>/dev/null`
- fi
- if [ "X$HOSTTMP" = "X${OSSECMX}" -o "X$HOSTTMP" = "X${OSSECMX2}" -o "X$HOSTTMP" = "X${OSSECMX3}" ];then
+ # Trying without the -W
+ HOSTTMP=`${HOST_CMD} -t mx ossec.net 2>/dev/null`
+ fi
+ echo "x$HOSTTMP" | grep "ossec.net mail is handled" > /dev/null 2>&1
+ if [ $? = 0 ]; then
# Breaking down the user e-mail
EMAILHOST=`echo ${EMAIL} | cut -d "@" -f 2`
if [ "X${EMAILHOST}" = "Xlocalhost" ]; then
SMTPHOST="127.0.0.1"
- else
+ else
HOSTTMP=`${HOST_CMD} -W 5 -t mx ${EMAILHOST}`
SMTPHOST=`echo ${HOSTTMP} | cut -d " " -f 7`
- fi
- fi
+ fi
+ fi
fi
if [ "X${USER_EMAIL_SMTP}" = "X" ]; then
*)
SMTP=${SMTPHOST}
echo ""
- echo " --- ${usingsmtp} ${SMTP}"
+ echo " --- ${usingsmtp} ${SMTP}"
;;
esac
fi
if [ "X${SMTP}" = "X" ]; then
$ECHO " - ${whatsmtp} "
read SMTP
- fi
+ fi
else
SMTP=${USER_EMAIL_SMTP}
- fi
+ fi
;;
esac
- # Writting global parameters
- echo "<ossec_config>" > $NEWCONFIG
+ # Writting global parameters
+ echo "<ossec_config>" > $NEWCONFIG
echo " <global>" >> $NEWCONFIG
if [ "$EMAILNOTIFY" = "yes" ]; then
echo " <email_notification>yes</email_notification>" >> $NEWCONFIG
else
echo " <email_notification>no</email_notification>" >> $NEWCONFIG
fi
-
- echo " </global>" >> $NEWCONFIG
+
+ echo " </global>" >> $NEWCONFIG
echo "" >> $NEWCONFIG
-
+
# Writting rules configuration
cat ${RULES_TEMPLATE} >> $NEWCONFIG
echo "" >> $NEWCONFIG
# Checking if syscheck should run
UseSyscheck
-
+
# Checking if rootcheck should run
UseRootcheck
# Active response
catMsg "0x107-ar"
$ECHO " - ${enable_ar} ($yes/$no) [$yes]: "
-
+
if [ "X${USER_ENABLE_ACTIVE_RESPONSE}" = "X" ]; then
read AR
else
AR=${USER_ENABLE_ACTIVE_RESPONSE}
fi
-
+
case $AR in
$nomatch)
echo ""
ACTIVERESPONSE="yes"
echo ""
catMsg "0x108-ar-enabled"
-
+
echo ""
$ECHO " - ${firewallar} ($yes/$no) [$yes]: "
-
+
if [ "X${USER_ENABLE_FIREWALL_RESPONSE}" = "X" ]; then
read HD2
else
HD2=${USER_ENABLE_FIREWALL_RESPONSE}
fi
-
+
echo ""
case $HD2 in
$nomatch)
echo " - ${yesfirewall}"
FIREWALLDROP="yes"
;;
- esac
+ esac
echo "" >> $NEWCONFIG
echo " <global>" >> $NEWCONFIG
echo " <white_list>127.0.0.1</white_list>" >> $NEWCONFIG
# if [ "X${USER_ENABLE_PF}" = "X" ]; then
# read PFENABLE
# else
- # PFENABLE=${USER_ENABLE_PF}
+ # PFENABLE=${USER_ENABLE_PF}
# fi
- #
+ #
# echo ""
# case $PFENABLE in
# $nomatch)
# AddPFTable
# ;;
# esac
- #fi
+ #fi
echo " </global>" >> $NEWCONFIG
;;
- esac
-
-
+ esac
+
+
if [ "X$INSTYPE" = "Xserver" ]; then
- # Configuring remote syslog
+ # Configuring remote syslog
echo ""
$ECHO " 3.5- ${syslog} ($yes/$no) [$yes]: "
-
+
if [ "X${USER_ENABLE_SYSLOG}" = "X" ]; then
read ANSWER
else
ANSWER=${USER_ENABLE_SYSLOG}
fi
-
+
echo ""
case $ANSWER in
$nomatch)
# Configuring remote connections
SLOG="yes"
fi
-
-
-
+
+
+
if [ "X$RLOG" = "Xyes" ]; then
echo "" >> $NEWCONFIG
echo " <remote>" >> $NEWCONFIG
echo "" >> $NEWCONFIG
cat ${ACTIVE_RESPONSE_TEMPLATE} >> $NEWCONFIG
echo "" >> $NEWCONFIG
- fi
+ fi
fi
-
+
# Setting up the logs
SetupLogs "3.6"
- echo "</ossec_config>" >> $NEWCONFIG
+ echo "</ossec_config>" >> $NEWCONFIG
}
if [ $? = 0 ]; then
INSTALLDIR=$ANSWER;
break;
- fi
+ fi
else
- break;
- fi
+ break;
+ fi
done
else
INSTALLDIR=${USER_DIR}
- fi
+ fi
+
-
CEXTRA="$CEXTRA -DDEFAULTDIR=\\\"${INSTALLDIR}\\\""
-
+
echo ""
echo " - ${installat} ${INSTALLDIR} ."
-
+
if [ "X$INSTYPE" = "Xagent" ]; then
CEXTRA="$CEXTRA -DCLIENT"
elif [ "X$INSTYPE" = "Xlocal" ]; then
- CEXTRA="$CEXTRA -DLOCAL"
- fi
+ CEXTRA="$CEXTRA -DLOCAL"
+ fi
ls $INSTALLDIR >/dev/null 2>&1
if [ $? = 0 ]; then
else
ANSWER=${USER_DELETE_DIR}
fi
-
+
case $ANSWER in
$yesmatch)
rm -rf $INSTALLDIR
if [ ! $? = 0 ]; then
exit 2;
- fi
+ fi
;;
esac
fi
else
ANSWER=$yes
fi
-
+
if [ "X${ANSWER}" = "X" ] ; then
ANSWER=$no
fi
-
+
case $ANSWER in
$no)
break;
else
IPS=${USER_WHITE_LIST}
fi
-
+
for ip in ${IPS};
do
if [ ! "X${ip}" = "X" ]; then
fi
fi
done
-
+
break;
;;
esac
echo " - ${pfmessage}:"
echo " ${moreinfo}"
echo " http://www.ossec.net/en/manual.html#active-response-tools"
-
+
echo ""
echo ""
echo " table <${TABLE}> persist #$TABLE "
if [ ! `isFile ${PREDEF_FILE}` = "${FALSE}" ]; then
. ${PREDEF_FILE}
fi
-
+
# If user language is not set
-
+
if [ "X${USER_LANGUAGE}" = "X" ]; then
-
+
# Choosing the language.
while [ 1 ]; do
echo ""
- for i in `ls ${TEMPLATE}`; do
+ for i in `ls ${TEMPLATE}`; do
# ignore CVS (should not be there anyways and config)
if [ "$i" = "CVS" -o "$i" = "config" ]; then continue; fi
cat "${TEMPLATE}/$i/language.txt"
if [ ! "$i" = "en" ]; then
LG="${LG}/$i"
- fi
+ fi
done
$ECHO " (${LG}) [en]: "
read USER_LG;
if [ "X${USER_LG}" = "X" ]; then
USER_LG="en"
- fi
-
+ fi
+
ls "${TEMPLATE}/${USER_LG}" > /dev/null 2>&1
if [ $? = 0 ]; then
break;
fi
- done;
+ done;
LANGUAGE=${USER_LG}
-
+
else
-
+
# If provided language is not valid, default to english
ls "${TEMPLATE}/${USER_LANGUAGE}" > /dev/null 2>&1
if [ $? = 0 ]; then
LANGUAGE=${USER_LANGUAGE}
else
LANGUAGE="en"
- fi
+ fi
fi # for USER_LANGUAGE
-
-
+
+
. ./src/init/shared.sh
. ./src/init/language.sh
. ./src/init/functions.sh
. ./src/init/init.sh
. ${TEMPLATE}/${LANGUAGE}/messages.txt
-
-
+
+
# Must be executed as ./install.sh
if [ `isFile ${VERSION_FILE}` = "${FALSE}" ]; then
catError "0x1-location";
# Must be root
if [ ! "X$ME" = "Xroot" ]; then
catError "0x2-beroot";
- fi
+ fi
# Checking dependencies
checkDependencies
clear
-
+
# Initial message
echo " $NAME $VERSION ${installscript} - http://www.ossec.net"
-
+
catMsg "0x101-initial"
echo " - $system: $UNAME"
. ./src/init/update.sh
# Is this an update?
- if [ "`isUpdate`" = "${TRUE}" ]; then
+ if [ "`isUpdate`" = "${TRUE}" -a "x${USER_CLEANINSTALL}" = "x" ]; then
echo ""
ct="1"
while [ $ct = "1" ]; do
read ANY
else
ANY=$yes
- fi
+ fi
case $ANY in
$yes)
;;
*)
ct="1"
- ;;
+ ;;
esac
done
-
+
# Do some of the update steps.
if [ "X${update_only}" = "Xyes" ]; then
USER_INSTALL_TYPE=`getPreinstalled`
USER_DIR=`getPreinstalledDir`
USER_DELETE_DIR="$nomatch"
- fi
+ fi
ct="1"
-
+
# We dont need to update the rules on agent installs
if [ "X${USER_INSTALL_TYPE}" = "Xagent" ]; then
ct="0"
fi
-
+
while [ $ct = "1" ]; do
- ct="0"
+ ct="0"
$ECHO " - ${updaterules} ($yes/$no): "
if [ "X${USER_UPDATE_RULES}" = "X" ]; then
read ANY
- else
+ else
ANY=$yes
fi
-
+
case $ANY in
$yes)
update_rules="yes"
break;
;;
- $no)
+ $no)
break;
;;
*)
ct="1"
;;
- esac
+ esac
done
- fi
+ fi
echo ""
- fi
-
+ fi
+
+ hybrid="hybrid"
+ HYBID=""
+ hybridm=`echo ${hybrid} | cut -b 1`
serverm=`echo ${server} | cut -b 1`
localm=`echo ${local} | cut -b 1`
agentm=`echo ${agent} | cut -b 1`
read ANSWER
case $ANSWER in
-
+
${helpm}|${help})
catMsg "0x102-installhelp"
;;
-
+
${server}|${serverm})
echo ""
echo " - ${serverchose}."
INSTYPE="server"
break;
;;
-
+
${agent}|${agentm})
echo ""
echo " - ${clientchose}."
INSTYPE="agent"
break;
;;
-
+
+ ${hybrid}|${hybridm})
+ echo ""
+ echo " - ${localchose} (hybrid)."
+ INSTYPE="local"
+ HYBID="go"
+ break;
+ ;;
${local}|${localm})
echo ""
- echo " - ${localchose}."
+ echo " - ${localchose}."
INSTYPE="local"
break;
;;
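Review bot: The new `${hybrid}|${hybridm})` case is placed after `${helpm}|${help})`, and `hybridm` is the first letter of "hybrid", so if `${helpm}` is the single letter `h` (which the naming suggests) typing `h` always shows help and the hybrid shortcut is unreachable. Either move the hybrid case ahead of the help case or pick a shortcut that cannot collide, and mention the shortcut in the prompt text. Unlike `server`, `agent` and `local`, `hybrid="hybrid"` is hard-coded in the script rather than taken from the language template, so non-English users see an untranslated option; add it to each `messages.txt` or record in a comment that it is intentionally English-only.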
# Setting up the environment
setEnv
-
+
# Configuring the system (based on the installation type)
- if [ "X${update_only}" = "X" ]; then
- if [ "X$INSTYPE" = "Xserver" ]; then
+ if [ "X${update_only}" = "X" ]; then
+ if [ "X$INSTYPE" = "Xserver" ]; then
ConfigureServer
elif [ "X$INSTYPE" = "Xagent" ]; then
ConfigureClient
elif [ "X$INSTYPE" = "Xlocal" ]; then
- ConfigureServer
+ ConfigureServer
else
catError "0x4-installtype"
fi
- fi
+ fi
- # Installing (calls the respective script
+ # Installing (calls the respective script
# -- InstallAgent.sh or InstallServer.sh
Install
catMsg "0x103-thanksforusing"
-
+
if [ "X${update_only}" = "Xyes" ]; then
# Message for the update
if [ "X`sh ./src/init/fw-check.sh`" = "XPF" -a "X${ACTIVERESPONSE}" = "Xyes" ]; then
if [ "X$USER_NO_STOP" = "X" ]; then
read ANY
- fi
+ fi
AddPFTable
- fi
+ fi
echo ""
echo " - ${updatecompleted}"
echo ""
exit 0;
- fi
+ fi
+
-
if [ "X$USER_NO_STOP" = "X" ]; then
read ANY
fi
# PF firewall message
if [ "X`sh ./src/init/fw-check.sh`" = "XPF" -a "X${ACTIVERESPONSE}" = "Xyes" ]; then
AddPFTable
- fi
+ fi
if [ "X$INSTYPE" = "Xserver" ]; then
- echo ""
+ echo ""
echo " - ${addserveragent}"
echo " ${runma}:"
echo ""
echo " ${moreinfo}"
echo " http://www.ossec.net/en/manual.html#ma"
echo ""
-
+
elif [ "X$INSTYPE" = "Xagent" ]; then
- catMsg "0x104-client"
+ catMsg "0x104-client"
echo " $INSTALLDIR/bin/manage_agents"
echo ""
echo " ${moreinfo}"
fi
}
+_f_cfg="./install.cfg.sh"
-
+if [ -f $_f_cfg ]; then
+ . $_f_cfg
+fi
### Calling main function where everything happens
main
-exit 0
+if [ "x$HYBID" = "xgo" ]; then
+ echo " --------------------------------------------"
+ echo " Finishing Hybrid setup (agent configuration)"
+ echo " --------------------------------------------"
+ echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+ echo "" >> ./etc/preloaded-vars.conf
+ echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+ echo "" >> ./etc/preloaded-vars.conf
+ echo 'USER_INSTALL_TYPE="agent"' >> ./etc/preloaded-vars.conf
+ echo "" >> ./etc/preloaded-vars.conf
+ echo "USER_DIR=\"$INSTALLDIR/ossec-agent\"" >> ./etc/preloaded-vars.conf
+ echo "" >> ./etc/preloaded-vars.conf
+ echo 'USER_ENABLE_ROOTCHECK="n"' >> ./etc/preloaded-vars.conf
+ echo "" >> ./etc/preloaded-vars.conf
+ echo 'USER_ENABLE_SYSCHECK="n"' >> ./etc/preloaded-vars.conf
+ echo "" >> ./etc/preloaded-vars.conf
+ echo 'USER_ENABLE_ACTIVE_RESPONSE="n"' >> ./etc/preloaded-vars.conf
+ echo "" >> ./etc/preloaded-vars.conf
+ echo 'USER_UPDATE="n"' >> ./etc/preloaded-vars.conf
+ echo "" >> ./etc/preloaded-vars.conf
+ echo 'USER_UPDATE_RULES="n"' >> ./etc/preloaded-vars.conf
+ echo "" >> ./etc/preloaded-vars.conf
+ echo 'USER_CLEANINSTALL="y"' >> ./etc/preloaded-vars.conf
+ echo "" >> ./etc/preloaded-vars.conf
+ ./install.sh
+fi
+exit 0
+
-## EOF ##
+#### exit ? ###
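Review bot: The hybrid branch ignores the exit status of the nested `./install.sh`, so a failed agent installation still ends in `exit 0`; use `./install.sh || exit 1` so the caller sees the failure. The branch also overwrites `./etc/preloaded-vars.conf` unconditionally, discarding any values the user preloaded there and leaving the generated file in the source tree for later runs; back the existing file up before writing and restore it once the nested run finishes. `$INSTALLDIR` is interpolated inside the generated `USER_DIR` assignment, so a path containing a double quote or `$` yields a malformed file. The new `if [ -f $_f_cfg ]` should quote the variable, and since `. $_f_cfg` executes whatever `./install.cfg.sh` contains as root, a one-line comment stating that the file is trusted as part of the checkout (like `install.sh` itself) would make the intent explicit.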
include ${PT}Config.OS
-CFLAGS = -g -Wall -I${PT} -I${PT}headers ${CPATH} ${CEXTRA} ${DEXTRA} ${EEXTRA} ${FEXTRA} ${GEXTRA} ${HEXTRA} -DARGV0=\"${NAME}\" -DXML_VAR=\"var\" -DOSSECHIDS
+CFLAGS = -g -Wall -I${PT} -I${PT}headers ${CPATH} ${CEXTRA} ${DEXTRA} ${EEXTRA} ${FEXTRA} ${GEXTRA} ${HEXTRA} ${CGEOIP} -DARGV0=\"${NAME}\" -DXML_VAR=\"var\" -DOSSECHIDS
SOURCES = *.c
OBJECTS = *.o
# Moving the binary files
cp -pr ../bin/ossec-agentd ${DIR}/bin/
+cp -pr ../bin/agent-auth ${DIR}/bin/
cp -pr ../bin/ossec-logcollector ${DIR}/bin/
cp -pr ../bin/ossec-syscheckd ${DIR}/bin/
cp -pr ../bin/ossec-execd ${DIR}/bin/
cp -pr ./init/ossec-client.sh ${DIR}/bin/ossec-control
cp -pr ../bin/manage_agents ${DIR}/bin/
+cp -pr ../contrib/util.sh ${DIR}/bin/
+chown root:${GROUP} ${DIR}/bin/util.sh
+chmod +x ${DIR}/bin/util.sh
# Copying active response modules
sh ./init/fw-check.sh execute > /dev/null
done
# Default for all directories
-chmod -R 550 ${DIR}
-chown -R root:${GROUP} ${DIR}
+chmod 550 ${DIR}
+chmod 550 ${DIR}/*
+chown root:${GROUP} ${DIR}
+chown root:${GROUP} ${DIR}/*
# AnalysisD needs to write to alerts: log, mail and cmds
chown -R ${USER}:${GROUP} ${DIR}/queue/alerts
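Review bot: Replacing `chmod -R 550 ${DIR}` with the non-recursive `chmod 550 ${DIR}` and `chmod 550 ${DIR}/*` changes the baseline: anything two or more levels deep now keeps the mode preserved by `cp -pr` from the build tree unless one of the explicit chmod lines later in the script covers it, and `chmod 550 ${DIR}/*` also sets the execute bit on any regular file at the top level. If the motivation is to leave a nested hybrid agent directory under `${DIR}` untouched, say so in the comment, e.g. `# Default for all directories (not recursive: a hybrid agent may live under ${DIR})`. Consider ending the script with a pass that strips world permissions from everything not handled explicitly, such as `chmod -R o-rwx ${DIR}`, or re-check that every subtree has its own chmod below.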
# To the ossec fts queue
chown -R ${USER}:${GROUP} ${DIR}/queue/fts
chmod -R 750 ${DIR}/queue/fts
-chmod 740 ${DIR}/queue/fts/* > /dev/null 2>&1
+chmod 750 ${DIR}/queue/fts/* > /dev/null 2>&1
# To the ossec syscheck/rootcheck queue
chown -R ${USER}:${GROUP} ${DIR}/queue/syscheck
chmod -R 750 ${DIR}/queue/rootcheck
chmod 740 ${DIR}/queue/rootcheck/* > /dev/null 2>&1
-chown -R ${USER}:${GROUP} ${DIR}/queue/diff
-chmod -R 750 ${DIR}/queue/diff
+chown ${USER}:${GROUP} ${DIR}/queue/diff
+chown ${USER}:${GROUP} ${DIR}/queue/diff/* > /dev/null 2>&1
+chmod 750 ${DIR}/queue/diff
chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1
chown -R ${USER_REM}:${GROUP} ${DIR}/queue/agent-info
-chmod -R 755 ${DIR}/queue/agent-info
-chmod 744 ${DIR}/queue/agent-info/* > /dev/null 2>&1
+chmod -R 750 ${DIR}/queue/agent-info
+chmod 740 ${DIR}/queue/agent-info/* > /dev/null 2>&1
chown -R ${USER_REM}:${GROUP} ${DIR}/queue/rids
-chmod -R 755 ${DIR}/queue/rids
-chmod 744 ${DIR}/queue/rids/* > /dev/null 2>&1
+chmod -R 750 ${DIR}/queue/rids
+chmod 740 ${DIR}/queue/rids/* > /dev/null 2>&1
chown -R ${USER}:${GROUP} ${DIR}/queue/agentless
-chmod -R 755 ${DIR}/queue/agentless
-chmod 744 ${DIR}/queue/agentless/* > /dev/null 2>&1
+chmod -R 750 ${DIR}/queue/agentless
+chmod 740 ${DIR}/queue/agentless/* > /dev/null 2>&1
# For the stats directory
chmod -R 750 ${DIR}/logs
touch ${DIR}/logs/ossec.log
chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
-chmod 664 ${DIR}/logs/ossec.log
+chmod 660 ${DIR}/logs/ossec.log
+
+touch ${DIR}/logs/active-responses.log
+chown ${USER}:${GROUP} ${DIR}/logs/active-responses.log
+chmod 660 ${DIR}/logs/active-responses.log
# For the rules directory
ls ${DIR}/rules/*.xml > /dev/null 2>&1
fi
cp -pr ../etc/rules/* ${DIR}/rules/
+find ${DIR}/rules/ -type f -exec chmod 440 {} \;
# If the local_rules is saved, moved it back
ls ${DIR}/rules/saved_local_rules.xml.$$ > /dev/null 2>&1
ls /etc/localtime > /dev/null 2>&1
if [ $? = 0 ]; then
cp -pL /etc/localtime ${DIR}/etc/;
- chmod 555 ${DIR}/etc/localtime
+ chmod 440 ${DIR}/etc/localtime
chown root:${GROUP} ${DIR}/etc/localtime
fi
# Solaris Needs some extra files
if [ "$UNAME" = "SunOS" ]; then
mkdir -p ${DIR}/usr/share/lib/zoneinfo/
- chmod -R 555 ${DIR}/usr/
+ chmod -R 550 ${DIR}/usr/
cp -pr /usr/share/lib/zoneinfo/* ${DIR}/usr/share/lib/zoneinfo/
fi
ls /etc/TIMEZONE > /dev/null 2>&1
if [ $? = 0 ]; then
cp -p /etc/TIMEZONE ${DIR}/etc/;
- chmod 555 ${DIR}/etc/TIMEZONE
+ chmod 550 ${DIR}/etc/TIMEZONE
fi
cp -pr ../bin/agent_control ${DIR}/bin/
cp -pr ../bin/syscheck_control ${DIR}/bin/
cp -pr ../bin/rootcheck_control ${DIR}/bin/
+cp -pr ../contrib/util.sh ${DIR}/bin/
+chown root:${GROUP} ${DIR}/bin/util.sh
+chmod +x ${DIR}/bin/util.sh
# Local install chosen
if [ "X$LOCAL" = "Xlocal" ]; then
cp -p ../active-response/*.sh ${DIR}/active-response/bin/
cp -p ../active-response/firewalls/*.sh ${DIR}/active-response/bin/
-chmod 755 ${DIR}/active-response/bin/*
+chmod 550 ${DIR}/active-response/bin/*
chown root:${GROUP} ${DIR}/active-response/bin/*
chown root:${GROUP} ${DIR}/bin/*
# Shares sources
SOURCES="shared config"
# Binaries
-BINARIES="os_maild os_dbd os_csyslogd agentlessd os_execd analysisd logcollector remoted client-agent addagent util rootcheck syscheckd monitord"
+BINARIES="os_maild os_dbd os_csyslogd agentlessd os_execd analysisd logcollector remoted client-agent addagent util rootcheck syscheckd monitord os_auth"
ROOTCHECKBIN="rootcheck"
DIRECTORIES="" # Directories to make
ls /usr/include/openssl/opensslconf.h > /dev/null 2>&1
if [ $? = 0 ]; then
echo "DEXTRA=-DUSE_OPENSSL" >> Config.OS
+ echo "OPENSSLCMD=-lssl -lcrypto" >> Config.OS
fi
# Checking for inotify
if [ "X$OS" = "XLinux" ]; then
- ls /usr/include/sys/inotify.h > /dev/null 2>&1
- if [ $? = 0 ]; then
+ #ls /usr/include/sys/inotify.h > /dev/null 2>&1
+ #if [ $? = 0 ]; then
+ # echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
+ #fi
+
+ if [ -e /usr/include/sys/inotify.h ]; then
echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
- fi
+ elif [ -e /usr/include/x86_64-linux-gnu/sys/inotify.h ]; then
+ echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
+ fi
fi
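Review bot: The added fallback path `/usr/include/x86_64-linux-gnu/sys/inotify.h` only covers the amd64 multiarch triplet; Debian/Ubuntu systems on i386, armhf, arm64 and others keep the header under their own triplet directories, so inotify support is silently left out there. Instead of probing paths, test whether the compiler can see the header, e.g. `echo '#include <sys/inotify.h>' | ${CC:-cc} -E - > /dev/null 2>&1`, and emit `EEXTRA=-DUSEINOTIFY` on success. The commented-out `#ls`/`#if` lines above the new test should be removed rather than kept as dead code.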
@echo "\"make setdb\" to enable database support."
@echo "\"make unsetdb\" to disable database support."
@echo "\"make setoneway\" to enable one-way connection to the manager."
+ @echo "\"make setgeoip\" to enable source IP geolocalization."
clean:
@/bin/sh ./Makeall clean
setprelude:
@echo "CPRELUDE=-DPRELUDE -lprelude `libprelude-config --pthread-cflags` `libprelude-config --libs`" >> ./Config.OS
+setgeoip:
+ @echo "CGEOIP=-DGEOIP -I/usr/local/include -L/usr/local/lib -lGeoIP" >> ./Config.OS
+
setdb:
@cd ./os_dbd; echo "CDB=`./dbmake.sh`" >> ../Config.OS;
setmaxagents:
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/addagent/b64.c, 2011/09/08 dcid Exp $
+ */
/*
* Copyright (C), 2000-2004 by the monit project group.
* All Rights Reserved.
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software Foundation,
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
/**
- * Implementation of base64 encoding/decoding.
+ * Implementation of base64 encoding/decoding.
*
* @author Jan-Henrik Haukeland, <hauk@tildeslash.com>
*
out = (char *)calloc(sizeof(char), size*4/3+4);
if(!out)
return NULL;
-
+
p = out;
for(i = 0; i < size; i+=3) {
* 'dest'. The dest buffer is NUL terminated.
* Return NULL in case of error
*/
-char *decode_base64(const char *src)
+char *decode_base64(const char *src)
{
- if(src && *src)
+ if(src && *src)
{
char *dest;
unsigned char *p;
int k, l = strlen(src)+1;
unsigned char *buf;
-
+
/* The size of the dest will always be less than
* the source
*/
dest = (char *)calloc(sizeof(char), l + 13);
if(!dest)
return(NULL);
-
+
p = (unsigned char *)dest;
-
+
buf = malloc(l);
if(!buf)
return(NULL);
/* Ignore non base64 chars as per the POSIX standard */
- for(k=0, l=0; src[k]; k++)
+ for(k=0, l=0; src[k]; k++)
{
- if(is_base64(src[k]))
+ if(is_base64(src[k]))
{
buf[l++]= src[k];
}
- }
+ }
- for(k=0; k<l; k+=4)
+ for(k=0; k<l; k+=4)
{
char c1='A', c2='A', c3='A', c4='A';
unsigned char b1=0, b2=0, b3=0, b4=0;
c1= buf[k];
- if(k+1<l)
+ if(k+1<l)
{
c2= buf[k+1];
}
{
char *s;
char *d;
-
+
if(argc < 2)
{
printf("%s string\n",argv[0]);
d = decode_base64(s);
printf("decode:%s\n",d);
-
+
exit(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/addagent/main.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
#include "manage_agents.h"
-
+#include <stdlib.h>
/** help **/
void helpmsg()
printf("\t-V Display OSSEC version.\n");
printf("\t-l List available agents.\n");
printf("\t-e <id> Extracts key for an agent (Manager only).\n");
- printf("\t-i <id> Import authentication key (Agent only).\n\n");
+ printf("\t-i <id> Import authentication key (Agent only).\n");
+ printf("\t-f <file> Bulk generate client keys from file. (Manager only).\n\n");
exit(1);
}
int c = 0, cmdlist = 0;
char *cmdexport = NULL;
char *cmdimport = NULL;
-
+ char *cmdbulk = NULL;
+
#ifndef WIN32
char *dir = DEFAULTDIR;
char *group = GROUPGLOBAL;
int gid;
#endif
-
+
/* Setting the name */
OS_SetName(ARGV0);
-
- while((c = getopt(argc, argv, "Vhle:i:")) != -1){
+
+ while((c = getopt(argc, argv, "Vhle:i:f:")) != -1){
switch(c){
case 'V':
print_version();
ErrorExit("%s: -i needs an argument",ARGV0);
cmdimport = optarg;
break;
+ case 'f':
+ #ifdef CLIENT
+ ErrorExit("%s: You can't bulk generate keys on an agent.", ARGV0);
+ #endif
+ if(!optarg)
+ ErrorExit("%s: -f needs an argument",ARGV0);
+ cmdbulk = optarg;
+ printf("Bulk load file: %s\n", cmdbulk);
+ break;
case 'l':
cmdlist = 1;
break;
}
}
-
-
+
+
/* Getting currently time */
time1 = time(0);
restart_necessary = 0;
-
-
- #ifndef WIN32
+
+
+ #ifndef WIN32
/* Getting the group name */
gid = Privsep_GetGroup(group);
if(gid < 0)
{
ErrorExit(USER_ERROR, ARGV0, "", group);
}
-
-
+
+
/* Setting the group */
if(Privsep_SetGroup(gid) < 0)
{
ErrorExit(SETGID_ERROR, ARGV0, group);
}
-
-
+
+
/* Chrooting to the default directory */
if(Privsep_Chroot(dir) < 0)
{
k_extract(cmdexport);
exit(0);
}
+ else if(cmdbulk)
+ {
+ k_bulkload(cmdbulk);
+ exit(0);
+ }
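Review bot: On non-Windows builds `k_bulkload(cmdbulk)` runs after `Privsep_Chroot(dir)` earlier in main, so if `k_bulkload` opens the path as given, the `-f <file>` argument is resolved inside the OSSEC directory rather than from the caller's working directory; neither the `-f` help text nor the `Bulk load file:` message says so. Once that is confirmed, extend the help line to `printf("\t-f <file> Bulk generate client keys from file, relative to the OSSEC directory (Manager only).\n\n");` and add a comment at this call site noting the chroot. The `#ifdef CLIENT` `ErrorExit` inside `case 'f'` makes the following `if(!optarg)` unreachable on agent builds, which is fine but worth a `/* agent builds never get past the ErrorExit above */` comment.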
{
int leave_s = 0;
print_banner();
-
- user_msg = read_from_user();
-
+
+ /* Get ACTION from the environment. If ACTION is specified,
+ * we must set leave_s = 1 to ensure that the loop will end */
+ user_msg = getenv("OSSEC_ACTION");
+ if (user_msg == NULL) {
+ user_msg = read_from_user();
+ }
+ else{
+ leave_s = 1;
+ }
+
/* All the allowed actions */
switch(user_msg[0])
{
case 'i':
case 'I':
k_import(NULL);
- break;
+ break;
case 'l':
case 'L':
list_agents(0);
- break;
+ break;
case 'r':
case 'R':
remove_agent();
leave_s = 1;
break;
case 'V':
- print_version();
+ print_version();
break;
- default:
+ default:
printf("\n ** Invalid Action ** \n\n");
- break;
+ break;
}
if(leave_s)
{
- break;
+ break;
}
-
+
continue;
-
+
}
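Review bot: The new `OSSEC_ACTION` environment variable is undocumented: `helpmsg()` lists the command-line options but does not mention that setting `OSSEC_ACTION` (and, in manage_agents.c, `OSSEC_AGENT_NAME` and `OSSEC_AGENT_IP`) drives the tool non-interactively and exits after a single action. Add a line such as `printf("\tEnvironment: OSSEC_ACTION, OSSEC_AGENT_NAME, OSSEC_AGENT_IP preload the interactive answers.\n");` to the help output. Because only `user_msg[0]` is inspected, an empty `OSSEC_ACTION` prints `Invalid Action` and exits, which is reasonable but should be stated in the comment above the `getenv` call. Minor style: `else{` should be spaced like the `if (user_msg == NULL) {` it pairs with.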
/* Checking if restart message is necessary */
printf("\n");
}
printf(EXIT);
-
+
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/addagent/manage_agents.c, 2012/02/07 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#include "manage_agents.h"
#include "os_crypto/md5/md5_op.h"
-
+#include <stdlib.h>
/* Global internal variables */
/* Removing spaces from the beginning */
while(*str == ' ' || *str == '\t')
str++;
-
-
+
+
/* Removing any trailing new lines or \r */
do
{
}
}while(tmp_str != NULL);
-
+
/* Removing spaces at the end of the string */
tmp_str = str;
size = strlen(str)-1;
-
+
while((size >= 0) && (tmp_str[size] == ' ' || tmp_str[size] == '\t'))
{
tmp_str[size] = '\0';
size--;
}
-
+
return(str);
}
FILE *fp;
char str1[STR_SIZE +1];
char str2[STR_SIZE +1];
-
+
os_md5 md1;
os_md5 md2;
-
+
char *user_input;
char *_name;
char *_id;
/* Allocating for c_ip */
os_calloc(1, sizeof(os_ip), c_ip);
-
-
+
+
#ifndef WIN32
chmod(AUTH_FILE, 0440);
#endif
-
+
/* Setting time 2 */
time2 = time(0);
-
+
/* Source is time1+ time2 +pid + ppid */
#ifndef WIN32
#ifdef __OpenBSD__
rand1 = random();
-
+
/* Zeroing strings */
memset(str1,'\0', STR_SIZE +1);
memset(str2,'\0', STR_SIZE +1);
printf(ADD_NEW);
-
+
/* Getting the name */
memset(name, '\0', FILE_SIZE +1);
{
printf(ADD_NAME);
fflush(stdout);
- _name = read_from_user();
+ /* Read the agent's name from user environment. If it is invalid
+ * we should force user to provide a name from input device. */
+ _name = getenv("OSSEC_AGENT_NAME");
+ if (_name == NULL || NameExist(_name) || !OS_IsValidName(_name))
+ _name = read_from_user();
if(strcmp(_name, QUIT) == 0)
return(0);
{
printf(ADD_IP);
fflush(stdout);
-
- _ip = read_from_user();
-
+
+ /* Read IP address from user's environment. If that IP is invalid,
+ * force user to provide IP from input device */
+ _ip = getenv("OSSEC_AGENT_IP");
+ if (_ip == NULL || !OS_IsValidIP(_ip, c_ip))
+ _ip = read_from_user();
+
/* quit */
if(strcmp(_ip, QUIT) == 0)
return(0);
-
+
strncpy(ip, _ip, FILE_SIZE -1);
-
+
if(!OS_IsValidIP(ip, c_ip))
{
printf(IP_ERROR, ip);
}
} while(!_ip);
-
-
+
+
do
{
/* Default ID */
- i = 1024;
+ i = MAX_AGENTS + 768;
snprintf(id, 8, "%03d", i);
while(!IDExist(id))
{
printf(ADD_ID, id);
fflush(stdout);
- _id = read_from_user();
-
+ /* Get Agent id from environment. If 0, use default ID. If null,
+ * get from user input. If value from environment is invalid,
+ * we force user to specify an ID from the terminal. Otherwise,
+ * our program goes to infinite loop. */
+ _id = getenv("OSSEC_AGENT_ID");
+ if (_id == NULL || IDExist(_id) || !OS_IsValidID(_id)) {
+ _id = read_from_user();
+ }
+ /* If user specified 0 as Agent ID, he meant use default value.
+ * NOTE: a bad condistion can cause infinite loop. */
+ if (strcmp(_id,"0") == 0) {
+ strncpy(_id, id, FILE_SIZE -1);
+ }
/* quit */
if(strcmp(_id, QUIT) == 0)
printf(ADD_ERROR_ID, id);
} while(IDExist(id) || !OS_IsValidID(id));
-
-
+
+
printf(AGENT_INFO, id, name, ip);
fflush(stdout);
do
{
printf(ADD_CONFIRM);
- user_input = read_from_user();
-
- /* If user accepts to add */
+ /* Confirmation by an environment variable. The valid value is y/Y.
+ * If the user provide anything other string, it is considered as
+ * n/N; please note that the old code only accepts y/Y/n/N. So if
+ * the variable OSSEC_ACTION_CONFIRMED is 'foobar', the program will
+ * go into an infinite loop. */
+ user_input = getenv("OSSEC_ACTION_CONFIRMED");
+ if (user_input == NULL) user_input = read_from_user();
+
+ /* If user accepts to add */
if(user_input[0] == 'y' || user_input[0] == 'Y')
{
time3 = time(0);
#ifndef WIN32
chmod(AUTH_FILE, 0440);
#endif
-
-
+
+
/* Random 1: Time took to write the agent information.
* Random 2: Time took to choose the action.
* Random 3: All of this + time + pid
* Random 4: Md5 all of this + the name, key and ip
* Random 5: Final key
*/
-
+
snprintf(str1, STR_SIZE, "%d%s%d",time3-time2, name, rand1);
snprintf(str2, STR_SIZE, "%d%s%s%d", time2-time1, ip, id, rand2);
OS_MD5_Str(str1, md1);
OS_MD5_Str(str2, md2);
- snprintf(str1, STR_SIZE, "%s%d%d%d",md1,(int)getpid(), (int)random(),
+ snprintf(str1, STR_SIZE, "%s%d%d%d",md1,(int)getpid(), (int)random(),
time3);
OS_MD5_Str(str1, md1);
restart_necessary = 1;
break;
}
- else if(user_input[0] == 'n' || user_input[0] == 'N')
+ else /* if(user_input[0] == 'n' || user_input[0] == 'N') */
{
printf(ADD_NOT);
break;
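Review bot: `strncpy(_id, id, FILE_SIZE -1)` in the `"0"` branch writes through `_id`, which at that point is either the pointer returned by `getenv("OSSEC_AGENT_ID")` or read_from_user's static buffer; when the variable is literally `0` that is a two-byte string inside the process environment, and strncpy pads FILE_SIZE-1 bytes into it, overrunning the environment block (writing to getenv's result is undefined behaviour in standard C regardless of length). Point at the local buffer instead, `if (strcmp(_id,"0") == 0) { _id = id; }`, which carries the default ID without copying. The lines between the quit check and the `ADD_ERROR_ID` message are outside the hunk, so confirm they tolerate `_id` aliasing `id` (a later copy of `_id` into `id` would need to be skipped when they are the same buffer). The comment's `condistion` is a typo for `condition`.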
FILE *fp;
char *user_input;
char u_id[FILE_SIZE +1];
-
+
u_id[FILE_SIZE] = '\0';
if(!print_agents(0, 0, 0))
printf(REMOVE_ID);
fflush(stdout);
- user_input = read_from_user();
+ user_input = getenv("OSSEC_AGENT_ID");
+ if (user_input == NULL || !IDExist(user_input)) {
+ user_input = read_from_user();
+ }
if(strcmp(user_input, QUIT) == 0)
return(0);
printf(NO_ID, user_input);
}
} while(!IDExist(user_input));
-
+
do
{
printf(REMOVE_CONFIRM);
fflush(stdout);
- user_input = read_from_user();
-
+ user_input = getenv("OSSEC_ACTION_CONFIRMED");
+ if (user_input == NULL) {
+ user_input = read_from_user();
+ }
/* If user confirm */
if(user_input[0] == 'y' || user_input[0] == 'Y')
{
{
ErrorExit(MEM_ERROR, ARGV0);
}
-
+
fp = fopen(AUTH_FILE, "r+");
if(!fp)
{
/* Remove counter for id */
- delete_agentinfo(full_name);
+ delete_agentinfo(full_name);
OS_RemoveCounter(u_id);
free(full_name);
full_name = NULL;
restart_necessary = 1;
break;
}
- else if(user_input[0] == 'n' || user_input[0] == 'N')
+ else /* if(user_input[0] == 'n' || user_input[0] == 'N') */
{
printf(REMOVE_NOT);
break;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/addagent/manage_agents.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* Extract or import a key */
int k_extract(char *cmdextract);
int k_import(char *cmdimport);
+int k_bulkload(char *cmdbulk);
/* Validation functions */
int OS_IsValidName(char *u_name);
int IDExist(char *id);
int NameExist(char *u_name);
char *getFullnameById(char *id);
+char *OS_AddNewAgent(char *name, char *ip, char *id, char *key);
+
/* Print available agents */
int print_agents(int print_status, int active_only, int csv_output);
int list_agents(int cmdlist);
-
+
/* clear a line */
char *chomp(char *str);
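Review bot: The two new prototypes carry no contract, and the one that matters is ownership: `OS_AddNewAgent` returns a heap buffer (os_calloc'd in validate.c) holding the key line, which the caller must free, or NULL when no free ID is found or the keys file cannot be opened; passing `id == NULL` auto-allocates an ID and `ip == NULL` records `any`. A comment above it such as `/* Appends a new agent line to the keys file; returns a malloc'd copy of that line (caller frees) or NULL on failure. id and ip may be NULL. */` captures that. For `k_bulkload` the input format should be stated, e.g. `/* Reads "ip,name" lines from cmdbulk and adds one agent per line */`, since nothing else documents it.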
#define ADDED "Added.\n"
#define ADD_NOT "Not Adding ..\n"
#define PRESS_ENTER "** Press ENTER to return to the main menu.\n"
-#define MUST_RESTART "\n** You must restart the server for your changes" \
- " to have effect.\n\n"
+#define MUST_RESTART "\n** You must restart OSSEC for your changes" \
+ " to take effect.\n\n"
/* Add errors */
#define ADD_ERROR_ID "\n** ID '%s' already present. They must be unique.\n\n"
#define NO_AGENT "\n** No agent available. You need to add one first.\n"
#define NO_ID "\n** Invalid ID '%s' given. ID is not present.\n"
#define NO_KEY "\n** Invalid authentication key. Starting over again.\n"
-#define INVALID_ID "\n** Invalid ID '%s' given. ID must be numeric (max 5 digits).\n\n"
+#define INVALID_ID "\n** Invalid ID '%s' given. ID must be numeric (max 8 digits).\n\n"
#define INVALID_NAME "\n** Invalid name '%s' given. Name must contain only alphanumeric characters (min=2, max=32).\n\n"
/* Remove agent */
#define REMOVE_DONE "Agent '%s' removed.\n"
#define REMOVE_NOT "Not removing ..\n"
-/* Import agent */
+/* Import agent */
#define IMPORT_KEY "\n* Provide the Key generated by the server.\n" \
"* The best approach is to cut and paste it.\n" \
"*** OBS: Do not include spaces or new lines.\n\n" \
"Paste it here (or '\\q' to quit): "
-
-/* extract key */
+
+/* extract key */
#define EXTRACT_KEY "Provide the ID of the agent to extract " \
"the key (or '\\q' to quit): "
#define EXTRACT_MSG "\nAgent key information for '%s' is: \n%s\n"
"\n* %s %s Agent manager. *" \
"\n* The following options are available: *" \
"\n****************************************\n"
-
+
#define BANNER_OPT " (A)dd an agent (A).\n" \
" (E)xtract key for an agent (E).\n" \
" (L)ist already added agents (L).\n" \
#define BANNER_CLIENT " (I)mport key from the server (I).\n" \
" (Q)uit.\n" \
"Choose your action: I or Q: "
-
+
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/addagent/manage_keys.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#include "manage_agents.h"
-
+#include "os_crypto/md5/md5_op.h"
+#include <stdlib.h>
/* b64 function prototypes */
char *decode_base64(const char *src);
char *encode_base64(int size, char *src);
+char *trimwhitespace(char *str)
+{
+ char *end;
+
+ // Trim leading space
+ while(isspace(*str)) str++;
+
+ if(*str == 0) // All spaces?
+ return str;
+
+ // Trim trailing space
+ end = str + strlen(str) - 1;
+ while(end > str && isspace(*end)) end--;
+
+ // Write new null terminator
+ *(end+1) = 0;
+
+ return str;
+}
/* Import a key */
int k_import(char *cmdimport)
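Review bot: `isspace(*str)` and `isspace(*end)` pass a plain `char` to a ctype function; on platforms where char is signed, a byte above 0x7F becomes a negative argument, which is undefined behaviour, so the calls should read `isspace((unsigned char)*str)` and `isspace((unsigned char)*end)`. The function also dereferences `str` unconditionally, and its caller in k_bulkload hands it `strtok` results, which can be NULL; guard it with `if (str == NULL) return NULL;` or check at the call sites. It is not declared in manage_agents.h and appears to be used only in this file, so `static` would keep it out of the global namespace. `isspace` needs `<ctype.h>`; if that only arrives through manage_agents.h, an explicit include alongside the new `<stdlib.h>` line would make the dependency visible.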
FILE *fp;
char *user_input;
char *b64_dec;
-
+
char *name; char *ip; char *tmp_key;
-
+
char line_read[FILE_SIZE +1];
-
+
/* Parsing user argument. */
if(cmdimport)
{
printf(IMPORT_KEY);
- user_input = read_from_user();
+ user_input = getenv("OSSEC_AGENT_KEY");
+ if (user_input == NULL) {
+ user_input = read_from_user();
+ }
}
/* quit */
if(strcmp(user_input, QUIT) == 0)
return(0);
-
+
b64_dec = decode_base64(user_input);
if(b64_dec == NULL)
{
return(0);
}
-
+
memset(line_read, '\0', FILE_SIZE +1);
strncpy(line_read, b64_dec, FILE_SIZE);
return(0);
}
*tmp_key = '\0';
-
- printf("\n");
+
+ printf("\n");
printf(AGENT_INFO, b64_dec, name, ip);
-
+
while(1)
{
printf(ADD_CONFIRM);
fflush(stdout);
- user_input = read_from_user();
+ user_input = getenv("OSSEC_ACTION_CONFIRMED");
+ if (user_input == NULL) {
+ user_input = read_from_user();
+ }
if(user_input[0] == 'y' || user_input[0] == 'Y')
{
/* Removing sender counter. */
OS_RemoveCounter("sender");
-
+
printf(ADDED);
printf(PRESS_ENTER);
read_from_user();
restart_necessary = 1;
return(1);
}
- else if(user_input[0] == 'n' || user_input[0] == 'N')
+ else /* if(user_input[0] == 'n' || user_input[0] == 'N') */
{
printf("%s", ADD_NOT);
return(0);
}
}
}
-
+
printf(NO_KEY);
printf(PRESS_ENTER);
read_from_user();
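Review bot: The environment-driven path is not fully non-interactive: after `OSSEC_ACTION_CONFIRMED` accepts the key, `printf(PRESS_ENTER); read_from_user();` still blocks on stdin, and the same pair follows `printf(NO_KEY)` just above this line. When the tool is scripted with stdin closed, read_from_user's fgets returns NULL and it prints INPUT_LARGE (visible in read_from_user.c further down); what it does after that is outside this view. Guard both prompts with the same test used for the answer, `if (getenv("OSSEC_ACTION_CONFIRMED") == NULL) { printf(PRESS_ENTER); read_from_user(); }`. The `OSSEC_AGENT_KEY` getenv in the preceding hunk deserves a comment as well: the agent key is a shared secret, and environment variables can be visible to other processes of the same user and linger in shell history, so the documentation for that variable should recommend the interactive prompt or a file where the deployment allows it.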
} while(!IDExist(user_input));
}
-
+
/* Trying to open the auth file */
fp = fopen(AUTH_FILE, "r");
if(!fp)
{
ErrorExit(FOPEN_ERROR, ARGV0, AUTH_FILE);
}
-
+
fsetpos(fp, &fp_pos);
memset(n_id, '\0', USER_SIZE +1);
strncpy(n_id, user_input, USER_SIZE -1);
-
-
+
+
if(fgets(line_read, FILE_SIZE, fp) == NULL)
{
printf(ERROR_KEYS);
}
chomp(line_read);
-
+
b64_enc = encode_base64(strlen(line_read),line_read);
if(b64_enc == NULL)
{
return(0);
}
+/* Bulk generate client keys from file */
+int k_bulkload(char *cmdbulk)
+{
+ int i = 1;
+ FILE *fp, *infp;
+ char str1[STR_SIZE +1];
+ char str2[STR_SIZE +1];
+
+ os_md5 md1;
+ os_md5 md2;
+ char line[FILE_SIZE+1];
+ char name[FILE_SIZE +1];
+ char id[FILE_SIZE +1];
+ char ip[FILE_SIZE+1];
+ os_ip *c_ip;
+ char delims[] = ",";
+ char * token = NULL;
+
+ /* Checking if we can open the input file */
+ printf("Opening: [%s]\n", cmdbulk);
+ infp = fopen(cmdbulk,"r");
+ if(!infp)
+ {
+ perror("Failed.");
+ ErrorExit(FOPEN_ERROR, ARGV0, cmdbulk);
+ }
+
+
+ /* Checking if we can open the auth_file */
+ fp = fopen(AUTH_FILE,"a");
+ if(!fp)
+ {
+ ErrorExit(FOPEN_ERROR, ARGV0, AUTH_FILE);
+ }
+ fclose(fp);
+
+ /* Allocating for c_ip */
+ os_calloc(1, sizeof(os_ip), c_ip);
+
+ while(fgets(line, FILE_SIZE - 1, infp) != NULL)
+ {
+ if (1 >= strlen(trimwhitespace(line)))
+ continue;
+
+ memset(ip, '\0', FILE_SIZE +1);
+ token = strtok(line, delims);
+ strncpy(ip, trimwhitespace(token),FILE_SIZE -1);
+
+ memset(name, '\0', FILE_SIZE +1);
+ token = strtok(NULL, delims);
+ strncpy(name, trimwhitespace(token),FILE_SIZE -1);
+
+ #ifndef WIN32
+ chmod(AUTH_FILE, 0440);
+ #endif
+
+ /* Setting time 2 */
+ time2 = time(0);
+
+
+ /* Source is time1+ time2 +pid + ppid */
+ #ifndef WIN32
+ #ifdef __OpenBSD__
+ srandomdev();
+ #else
+ srandom(time2 + time1 + getpid() + getppid());
+ #endif
+ #else
+ srandom(time2 + time1 + getpid());
+ #endif
+
+ rand1 = random();
+
+
+ /* Zeroing strings */
+ memset(str1,'\0', STR_SIZE +1);
+ memset(str2,'\0', STR_SIZE +1);
+
+
+ /* check the name */
+ if(!OS_IsValidName(name))
+ {
+ printf(INVALID_NAME,name);
+ continue;
+ }
+
+ /* Search for name -- no duplicates */
+ if(NameExist(name))
+ {
+ printf(ADD_ERROR_NAME, name);
+ continue;
+ }
+
+
+ if(!OS_IsValidIP(ip, c_ip))
+ {
+ printf(IP_ERROR, ip);
+ continue;
+ }
+
+ do
+ {
+ /* Default ID */
+ i = 1024;
+ snprintf(id, 8, "%03d", i);
+ while(!IDExist(id))
+ {
+ i--;
+ snprintf(id, 8, "%03d", i);
+
+ /* No key present, use id 0 */
+ if(i <= 0)
+ {
+ i = 0;
+ break;
+ }
+ }
+ snprintf(id, 8, "%03d", i+1);
+
+ if(!OS_IsValidID(id))
+ printf(INVALID_ID, id);
+
+ /* Search for ID KEY -- no duplicates */
+ if(IDExist(id))
+ printf(ADD_ERROR_ID, id);
+
+ } while(IDExist(id) || !OS_IsValidID(id));
+
+ printf(AGENT_INFO, id, name, ip);
+ fflush(stdout);
+
+
+ time3 = time(0);
+ rand2 = random();
+
+ fp = fopen(AUTH_FILE,"a");
+ if(!fp)
+ {
+ ErrorExit(FOPEN_ERROR, ARGV0, KEYS_FILE);
+ }
+ #ifndef WIN32
+ chmod(AUTH_FILE, 0440);
+ #endif
+
+
+ /* Random 1: Time took to write the agent information.
+ * Random 2: Time took to choose the action.
+ * Random 3: All of this + time + pid
+ * Random 4: Md5 all of this + the name, key and ip
+ * Random 5: Final key
+ */
+
+ snprintf(str1, STR_SIZE, "%d%s%d",time3-time2, name, rand1);
+ snprintf(str2, STR_SIZE, "%d%s%s%d", time2-time1, ip, id, rand2);
+
+ OS_MD5_Str(str1, md1);
+ OS_MD5_Str(str2, md2);
+
+ snprintf(str1, STR_SIZE, "%s%d%d%d",md1,(int)getpid(), (int)random(),
+ time3);
+ OS_MD5_Str(str1, md1);
+
+ //fprintf(fp,"%s %s %s %s%s\n",id, name, ip, md1,md2);
+ fprintf(fp,"%s %s %s %s%s\n",id, name, c_ip->ip, md1,md2);
+
+ fclose(fp);
+
+ printf(AGENT_ADD);
+ restart_necessary = 1;
+ };
+
+ fclose(infp);
+ return(0);
+}
+
/* EOF */
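Review bot: `token = strtok(NULL, delims)` returns NULL for a line with no comma, and the next statement hands that NULL to `trimwhitespace`, which dereferences it, so one malformed line in the bulk file crashes the run; add `if (token == NULL) continue;` after each of the two strtok calls (the first can only be NULL for an all-delimiter line, but the check is cheap). The default ID seed here is still `i = 1024` while the interactive path in add_agent now starts from `MAX_AGENTS + 768`, and the failure message on the second `fopen(AUTH_FILE,"a")` names KEYS_FILE rather than AUTH_FILE; both look like copy-over drift. The key material is an MD5 of timestamps, pids and `random()` output, re-seeded per line from the same time-based seed, so two lines processed in the same second start from identical generator state; this mirrors add_agent, but a comment acknowledging it, and a follow-up to draw key bytes from the OS random device, would be appropriate for a function that mints many keys in one pass. `c_ip` is allocated with os_calloc and never freed before the return.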
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/addagent/read_from_user.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
{
memset(__user_buffer, '\0', USER_SIZE +1);
- if((fgets(__user_buffer, USER_SIZE -1, stdin) == NULL) ||
+ if((fgets(__user_buffer, USER_SIZE -1, stdin) == NULL) ||
(strlen(__user_buffer) >= (USER_SIZE -2)))
{
printf(INPUT_LARGE);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/addagent/validate.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
#include "manage_agents.h"
+#include "os_crypto/md5/md5_op.h"
+
+char *OS_AddNewAgent(char *name, char *ip, char *id, char *key)
+{
+ int i = 0;
+ FILE *fp;
+ int rand1;
+ os_md5 md1;
+ os_md5 md2;
+ char str1[STR_SIZE +1];
+ char str2[STR_SIZE +1];
+ char *muname = NULL;
+ char *finals = NULL;
+
+ char nid[9];
+
+
+ #ifndef WIN32
+ #ifdef __OpenBSD__
+ srandomdev();
+ #else
+ srandom(time(0) + getpid() + getppid());
+ #endif
+ #else
+ srandom(time(0) + getpid());
+ #endif
+
+ rand1 = random();
+ muname = getuname();
+
+ snprintf(str1, STR_SIZE, "%d%s%d%s",(int)time(0), name, rand1, muname);
+ snprintf(str2, STR_SIZE, "%s%s%ld", ip, id, (long int)random());
+ OS_MD5_Str(str1, md1);
+ OS_MD5_Str(str2, md2);
+
+
+ nid[8] = '\0';
+ if(id == NULL)
+ {
+ i = 1024;
+ snprintf(nid, 6, "%d", i);
+ while(IDExist(nid))
+ {
+ i++;
+ snprintf(nid, 6, "%d", i);
+ if(i >= 4000)
+ {
+ return(NULL);
+ }
+ }
+ id = nid;
+ }
+
+ fp = fopen(KEYSFILE_PATH,"a");
+ if(!fp)
+ {
+ return(NULL);
+ }
+
+ os_calloc(2048, sizeof(char), finals);
+ if (ip == NULL){
+ snprintf(finals, 2048, "%s %s any %s%s",id, name, md1,md2);
+ } else {
+ snprintf(finals, 2048, "%s %s %s %s%s",id, name, ip, md1,md2);
+ }
+ fprintf(fp, "%s\n",finals);
+
+ fclose(fp);
+ return(finals);
+}
int OS_IsValidID(char *id)
{
int id_len = 0;
int i = 0;
-
- /* ID must not be null */
+
+ /* ID must not be null */
if(!id)
return(0);
id_len = strlen(id);
- /* Check ID length, it should contain max. 5 characters */
+ /* Check ID length, it should contain max. 8 characters */
if (id_len > 8)
return(0);
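Review bot: `OS_AddNewAgent` writes `name`, `ip` and `id` into the keys file as space-separated fields without calling OS_IsValidName, OS_IsValidIP or OS_IsValidID, so a caller-supplied name containing a space or newline would produce a line that the readers in this file (IDExist and NameExist split on `' '`) mis-parse; either validate here or state the precondition in a header comment, e.g. `/* Caller must have validated name/ip/id; fields are written verbatim */`. The returned `finals` is an os_calloc'd 2048-byte buffer the caller must free, and `muname` from `getuname()` is never released, which is a leak if getuname allocates (not visible here). The ID search and the later `fopen(KEYSFILE_PATH,"a")` are not serialised, so two concurrent callers could be handed the same ID; if this is reachable from a daemon, a lock around the check-and-append is needed, and the file is opened for append without the `chmod(..., 0440)` applied to AUTH_FILE elsewhere in this commit, so a freshly created keys file keeps umask permissions. The hard-coded `4000` cap on the ID search is also worth tying to MAX_AGENTS, which add_agent now uses.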
if(!(isdigit((int)id[i])))
return(0);
}
-
+
return(1);
}
{
continue;
}
-
+
ip = strchr(name, ' ');
if(ip)
{
snprintf(final_str, FILE_SIZE -1, "%s-%s", name, ip);
fclose(fp);
- return(final_str);
+ return(final_str);
}
}
}
FILE *fp;
char line_read[FILE_SIZE +1];
line_read[FILE_SIZE] = '\0';
-
- /* ID must not be null */
+
+ /* ID must not be null */
if(!id)
return(0);
- fp = fopen(AUTH_FILE, "r");
+ if(isChroot())
+ fp = fopen(AUTH_FILE, "r");
+ else
+ fp = fopen(KEYSFILE_PATH, "r");
+
if(!fp)
return(0);
-
+
fseek(fp, 0, SEEK_SET);
fgetpos(fp, &fp_pos);
-
+
while(fgets(line_read,FILE_SIZE -1, fp) != NULL)
{
char *name;
fgetpos(fp, &fp_pos);
continue;
}
-
+
name = strchr(line_read, ' ');
if(name)
{
/* check if it contains any non-alphanumeric characters */
for(i = 0; i < strlen(u_name); i++)
{
- if(!isalnum((int)u_name[i]) && (u_name[i] != '-') &&
+ if(!isalnum((int)u_name[i]) && (u_name[i] != '-') &&
(u_name[i] != '_') && (u_name[i] != '.'))
return(0);
}
(*u_name == '\n'))
return(0);
- fp = fopen(AUTH_FILE, "r");
+ if(isChroot())
+ fp = fopen(AUTH_FILE, "r");
+ else
+ fp = fopen(KEYSFILE_PATH, "r");
+
if(!fp)
return(0);
{
continue;
}
-
+
ip = strchr(name, ' ');
if(ip)
{
return(0);
fseek(fp, 0, SEEK_SET);
-
+
memset(line_read,'\0',FILE_SIZE);
-
+
while(fgets(line_read, FILE_SIZE -1, fp) != NULL)
{
char *name;
if(line_read[0] == '#')
continue;
-
+
name = strchr(line_read, ' ');
if(name)
{
{
continue;
}
-
+
ip = strchr(name, ' ');
if(ip)
{
printf(PRINT_AVAILABLE);
total++;
-
+
if(print_status)
{
int agt_status = get_agent_status(name, ip);
{
continue;
}
-
+
if(csv_output)
{
- printf("%s,%s,%s,%s,\n", line_read, name, ip,
- print_agent_status(agt_status));
+ printf("%s,%s,%s,%s,\n", line_read, name, ip,
+ print_agent_status(agt_status));
}
else
{
- printf(PRINT_AGENT_STATUS, line_read, name, ip,
+ printf(PRINT_AGENT_STATUS, line_read, name, ip,
print_agent_status(agt_status));
}
}
printf(PRINT_AGENT, line_read, name, ip);
}
}
-
+
}
}
}
char *aip = NULL;
DIR *dirp;
struct dirent *dp;
-
+
if(!csv_output)
{
printf("\nList of agentless devices:\n");
fclose(fp);
if(total)
return(1);
-
- return(0);
+
+ return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/agentlessd/agentlessd.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
char sys_location[1024 +1];
sys_location[1024] = '\0';
- snprintf(sys_location, 1024, "%s/(%s) %s",
+ snprintf(sys_location, 1024, "%s/(%s) %s",
AGENTLESS_ENTRYDIRPATH, script, host);
fp = fopen(sys_location, "w");
sys_location[1024] = '\0';
snprintf(sys_location, 1024, "(%s) %s->%s", script, host, SYSCHECK);
-
+
if(SendMSG(lessdc.queue, msg, sys_location, SYSCHECK_MQ) < 0)
{
merror(QUEUE_SEND, ARGV0);
sys_location[1024] = '\0';
snprintf(sys_location, 1024, "(%s) %s->%s", script, host, SYSCHECK);
-
+
if(SendMSG(lessdc.queue, msg, sys_location, LOCALFILE_MQ) < 0)
{
merror(QUEUE_SEND, ARGV0);
snprintf(buf, 2048, "%s/%s->%s/diff.%d",
DIFF_DIR_PATH, host, script, alert_diff_time);
-
+
fp = fopen(buf, "r");
if(!fp)
{
else
{
/* Weird diff with only one large line. */
- buf[256] = '\0';
+ buf[256] = '\0';
}
}
else
/* Getting up to 8 line changes. */
tmp_str = buf;
-
+
while(tmp_str && (*tmp_str != '\0'))
{
tmp_str = strchr(tmp_str, '\n');
if(!tmp_str)
- break;
+ break;
else if(n >= 7)
{
- *tmp_str = '\0';
+ *tmp_str = '\0';
break;
}
n++;
- tmp_str++;
+ tmp_str++;
}
buf, n>=7?
"\nMore changes..":
"");
-
-
+
+
snprintf(buf, 1024, "(%s) %s->agentless", script, host);
-
+
if(SendMSG(lessdc.queue, diff_alert, buf, LOCALFILE_MQ) < 0)
{
merror(QUEUE_SEND, ARGV0);
os_md5 md5sum_old;
os_md5 md5sum_new;
-
+
old_location[1024] = '\0';
new_location[1024] = '\0';
tmp_location[1024] = '\0';
if(OS_MD5_File(new_location, md5sum_new) != 0)
{
merror("%s: ERROR: Invalid internal state (missing '%s').",
- ARGV0, new_location);
+ ARGV0, new_location);
return(0);
}
/* Run diff. */
date_of_change = File_DateofChange(old_location);
- snprintf(diff_cmd, 2048, "diff \"%s\" \"%s\" > \"%s/%s->%s/diff.%d\" "
+ snprintf(diff_cmd, 2048, "diff \"%s\" \"%s\" > \"%s/%s->%s/diff.%d\" "
"2>/dev/null",
- tmp_location, old_location,
+ tmp_location, old_location,
DIFF_DIR_PATH, host, script, date_of_change);
if(system(diff_cmd) != 256)
{
merror("%s: ERROR: Unable to run diff for %s->%s",
ARGV0, host, script);
- return(0);
+ return(0);
}
{
FILE *fp = NULL;
char sys_location[1024 +1];
-
+
sys_location[1024] = '\0';
snprintf(sys_location, 1024, "%s/%s->%s/%s", DIFF_DIR_PATH, host, script,
DIFF_NEW_FILE);
}
}
- snprintf(sys_location, 1024, "%s/%s->%s/%s", DIFF_DIR_PATH, host,
+ snprintf(sys_location, 1024, "%s/%s->%s/%s", DIFF_DIR_PATH, host,
script, DIFF_NEW_FILE);
fp = fopen(sys_location, "w");
if(!fp)
char command[OS_SIZE_1024 +1];
FILE *fp;
FILE *fp_store = NULL;
-
-
+
+
buf[0] = '\0';
command[0] = '\0';
- command[OS_SIZE_1024] = '\0';
-
-
+ command[OS_SIZE_1024] = '\0';
+
+
while(entry->server[i])
{
/* Ignored entry. */
i++;
continue;
}
-
-
- /* We only test for the first server entry. */
+
+
+ /* We only test for the first server entry. */
else if(test_it)
{
int ret_code = 0;
- snprintf(command, OS_SIZE_1024,
- "%s/%s test test >/dev/null 2>&1",
+ snprintf(command, OS_SIZE_1024,
+ "%s/%s test test >/dev/null 2>&1",
AGENTLESSDIRPATH, entry->type);
ret_code = system(command);
{
merror("%s: ERROR: Expect command not found (or bad "
"arguments) for '%s'.",
- ARGV0, entry->type);
+ ARGV0, entry->type);
}
merror("%s: ERROR: Test failed for '%s' (%d). Ignoring.",
ARGV0, entry->type, ret_code/256);
verbose("%s: INFO: Test passed for '%s'.", ARGV0, entry->type);
return(0);
}
-
+
if(entry->server[i][0] == 's')
{
- snprintf(command, OS_SIZE_1024, "%s/%s \"use_su\" \"%s\" %s 2>&1",
- AGENTLESSDIRPATH, entry->type, entry->server[i] +1,
+ snprintf(command, OS_SIZE_1024, "%s/%s \"use_su\" \"%s\" %s 2>&1",
+ AGENTLESSDIRPATH, entry->type, entry->server[i] +1,
entry->options);
}
else if(entry->server[i][0] == 'o')
{
- snprintf(command, OS_SIZE_1024, "%s/%s \"use_sudo\" \"%s\" %s 2>&1",
- AGENTLESSDIRPATH, entry->type, entry->server[i] +1,
+ snprintf(command, OS_SIZE_1024, "%s/%s \"use_sudo\" \"%s\" %s 2>&1",
+ AGENTLESSDIRPATH, entry->type, entry->server[i] +1,
entry->options);
}
else
{
- snprintf(command, OS_SIZE_1024, "%s/%s \"%s\" %s 2>&1",
- AGENTLESSDIRPATH, entry->type, entry->server[i] +1,
+ snprintf(command, OS_SIZE_1024, "%s/%s \"%s\" %s 2>&1",
+ AGENTLESSDIRPATH, entry->type, entry->server[i] +1,
entry->options);
}
tmp_str = strchr(buf, '\n');
if(tmp_str)
*tmp_str = '\0';
-
+
if(strncmp(buf, "ERROR: ", 7) == 0)
{
- merror("%s: ERROR: %s: %s: %s", ARGV0,
+ merror("%s: ERROR: %s: %s: %s", ARGV0,
entry->type, entry->server[i] +1, buf +7);
entry->error_flag++;
break;
}
else if(strncmp(buf, "INFO: ", 6) == 0)
{
- verbose("%s: INFO: %s: %s: %s", ARGV0,
+ verbose("%s: INFO: %s: %s: %s", ARGV0,
entry->type, entry->server[i] +1, buf +6);
}
else if(strncmp(buf, "FWD: ", 4) == 0)
{
tmp_str = buf + 5;
- send_intcheck_msg(entry->type, entry->server[i]+1,
+ send_intcheck_msg(entry->type, entry->server[i]+1,
tmp_str);
}
else if(strncmp(buf, "LOG: ", 4) == 0)
else if((entry->state & LESSD_STATE_DIFF) &&
(strncmp(buf, "STORE: ", 7) == 0))
{
- fp_store = open_diff_file(entry->server[i]+1,
+ fp_store = open_diff_file(entry->server[i]+1,
entry->type);
}
else if(fp_store)
}
else
{
- save_agentless_entry(entry->server[i] +1,
+ save_agentless_entry(entry->server[i] +1,
entry->type, "syscheck");
}
pclose(fp);
}
else
{
- merror("%s: ERROR: popen failed on '%s' for '%s'.", ARGV0,
+ merror("%s: ERROR: popen failed on '%s' for '%s'.", ARGV0,
entry->type, entry->server[i] +1);
entry->error_flag++;
}
{
fclose(fp_store);
}
-
+
return(0);
}
/* Main agentlessd */
void Agentlessd()
{
- time_t tm;
- struct tm *p;
+ time_t tm;
+ struct tm *p;
- int today = 0;
+ int today = 0;
int thismonth = 0;
int thisyear = 0;
int test_it = 1;
/* Waiting a few seconds to settle */
sleep(2);
memset(str, '\0', OS_SIZE_1024 +1);
-
-
+
+
/* Getting currently time before starting */
tm = time(NULL);
p = localtime(&tm);
-
+
today = p->tm_mday;
thismonth = p->tm_mon;
thisyear = p->tm_year+1900;
-
+
/* Connecting to the message queue
* Exit if it fails.
if(lessdc.entries[i]->error_flag != 99)
{
merror("%s: ERROR: Too many failures for '%s'. Ignoring it.",
- ARGV0, lessdc.entries[i]->type);
+ ARGV0, lessdc.entries[i]->type);
lessdc.entries[i]->error_flag = 99;
}
continue;
}
-
+
/* Run the check again if the frequency has elapsed. */
if((lessdc.entries[i]->state & LESSD_STATE_PERIODIC) &&
- ((lessdc.entries[i]->current_state +
+ ((lessdc.entries[i]->current_state +
lessdc.entries[i]->frequency) < tm))
{
run_periodic_cmd(lessdc.entries[i], test_it);
if(!test_it)
lessdc.entries[i]->current_state = tm;
}
-
+
i++;
sleep(i);
}
-
+
/* We only check every minute */
test_it = 0;
sleep(60);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/agentlessd/agentlessd.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/agentlessd/main.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/* Setting the name */
OS_SetName(ARGV0);
-
+
while((c = getopt(argc, argv, "Vdhtfu:g:D:c:")) != -1){
switch(c){
if(!optarg)
ErrorExit("%s: -D needs an argument",ARGV0);
dir=optarg;
+ break;
case 'c':
if(!optarg)
ErrorExit("%s: -c needs an argument",ARGV0);
cfg = optarg;
break;
case 't':
- test_config = 1;
+ test_config = 1;
break;
default:
help(ARGV0);
if(test_config)
exit(0);
-
+
/* Going on daemon mode */
- if(!run_foreground)
+ if(!run_foreground)
{
nowDaemon();
goDaemonLight();
}
chdir(dir);
-
+
/* Exiting if not configured. */
if(!lessdc.entries)
{
verbose("%s: INFO: Not configured. Exiting.", ARGV0);
exit(0);
}
-
-
+
+
/* Privilege separation */
if(Privsep_SetGroup(gid) < 0)
ErrorExit(SETGID_ERROR,ARGV0,group);
-
- /* Changing user */
+
+ /* Changing user */
if(Privsep_SetUser(uid) < 0)
ErrorExit(SETUID_ERROR,ARGV0,user);
/* Signal manipulation */
StartSIG(ARGV0);
-
+
/* Creating PID files */
if(CreatePID(ARGV0, getpid()) < 0)
ErrorExit(PID_ERROR,ARGV0);
-
+
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
-
+
/* the real daemon now */
Agentlessd();
#!/usr/bin/env expect
-# @(#) $Id$
+# @(#) $Id: ./src/agentlessd/scripts/main.exp, 2011/09/08 dcid Exp $
+
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
#!/bin/sh
-# @(#) $Id$
+# @(#) $Id: ./src/agentlessd/scripts/register_host.sh, 2012/07/23 dcid Exp $
+
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
echo "ERROR: Unable to creating entry (echo failed)."
exit 1;
fi
+ chmod 744 $MYPASS
echo "*Host $2 added."
else
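Review bot: `chmod 744 $MYPASS` makes the file world-readable and executable; if $MYPASS is the agentless credential store its name suggests, every local account can read the stored passwords, and the execute bit is never needed for a data file. Restrict it to the owner and the service group, `chmod 640 "$MYPASS"` (or 440 to match the AUTH_FILE handling elsewhere in this commit), and quote the variable so a path with spaces does not split. If the preceding `echo` creates the file on first use, set the mode before writing the first entry rather than after it.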
#!/usr/bin/env expect
-# @(#) $Id$
+# @(#) $Id: ./src/agentlessd/scripts/ssh.exp, 2011/09/08 dcid Exp $
+
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
#!/usr/bin/env expect
-# @(#) $Id$
+# @(#) $Id: ./src/agentlessd/scripts/ssh_asa-fwsmconfig_diff, 2011/09/08 dcid Exp $
+
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
if {$argc < 1} {
- send_user "ERROR: ssh_pixconfig_diff <hostname> <commands>\n";
+ send_user "ERROR: ssh_asa-fwsmconfig_diff <hostname> <commands>\n";
+ send_user "ERROR: Must be run from /var/ossec\n";
exit 1;
}
#!/usr/bin/env expect
-# @(#) $Id$
+# @(#) $Id: ./src/agentlessd/scripts/ssh_foundry_diff, 2011/09/08 dcid Exp $
+
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
#!/usr/bin/env expect
-# @(#) $Id$
+# @(#) $Id: ./src/agentlessd/scripts/ssh_generic_diff, 2011/09/08 dcid Exp $
+
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
#!/usr/bin/env expect
-# @(#) $Id$
+# @(#) $Id: ./src/agentlessd/scripts/ssh_integrity_check_bsd, 2011/09/08 dcid Exp $
+
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
#!/usr/bin/env expect
-# @(#) $Id$
+# @(#) $Id: ./src/agentlessd/scripts/ssh_integrity_check_linux, 2011/09/08 dcid Exp $
+
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
#!/usr/bin/env expect
-# @(#) $Id$
+# @(#) $Id: ./src/agentlessd/scripts/ssh_nopass.exp, 2011/09/08 dcid Exp $
+
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
#!/usr/bin/env expect
-# @(#) $Id$
+# @(#) $Id: ./src/agentlessd/scripts/ssh_pixconfig_diff, 2011/09/08 dcid Exp $
+
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
send_user "ERROR: Unable to connect to remote host: $hostname .\n"
exit 1;
}
- "* password:*" {
+ "*Password:*" {
send "$pass\r"
expect {
#!/usr/bin/env expect
-# @(#) $Id$
+# @(#) $Id: ./src/agentlessd/scripts/sshlogin.exp, 2011/09/08 dcid Exp $
+
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
#!/usr/bin/env expect
-# @(#) $Id$
+# @(#) $Id: ./src/agentlessd/scripts/su.exp, 2011/09/08 dcid Exp $
+
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/active-response.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#include "shared.h"
#include "active-response.h"
/* Setting right permission */
- chmod(DEFAULTARPATH, 0444);
+ chmod(DEFAULTARPATH, 0440);
/* Reading configuration */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/active-response.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#ifndef _AR__H
#define _AR__H
* to the appropriate lists.
*/
int AR_ReadConfig(int test_config, char *cfgfile);
-
+
/* Active response commands */
OSList *ar_commands;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/alerts/alerts.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/alerts/exec.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
#include "eventinfo.h"
-/* OS_Exec v0.1
+/* OS_Exec v0.1
*/
void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
{
/* Cleaning the IP */
if(lf->srcip && (ar->ar_cmd->expect & SRCIP))
{
- ip = strrchr(lf->srcip, ':');
- if(ip)
+ if(strncmp(lf->srcip, "::ffff:", 7) == 0)
{
- ip++;
+ ip = lf->srcip + 7;
}
else
{
ip = lf->srcip;
}
-
/* Checking if IP is to ignored */
if(Config.white_list)
{
OSMatch **wl;
srcip_size = strlen(ip);
-
+
wl = Config.hostname_white_list;
while(*wl)
{
{
ip = "-";
}
-
-
+
+
/* Getting username */
if(lf->dstuser && (ar->ar_cmd->expect & USERNAME))
{
}
- /* active response on the server.
+ /* active response on the server.
* The response must be here if the ar->location is set to AS
* or the ar->location is set to local (REMOTE_AGENT) and the
* event location is from here.
- */
+ */
if((ar->location & AS_ONLY) ||
((ar->location & REMOTE_AGENT) && (lf->location[0] != '(')) )
{
if(!(Config.ar & LOCAL_AR))
return;
-
+
snprintf(exec_msg, OS_SIZE_1024,
"%s %s %s %d.%ld %d %s",
ar->name,
merror("%s: Error communicating with execd.", ARGV0);
}
}
-
- /* Active response to the forwarder */
- else if((Config.ar & REMOTE_AR) && (lf->location[0] == '('))
+
+ /* Active response to the forwarder */
+ else if((Config.ar & REMOTE_AR))
{
- int rc;
- snprintf(exec_msg, OS_SIZE_1024,
- "%s %c%c%c %s %s %s %s %d.%ld %d %s",
- lf->location,
- (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
- (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
- (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
- ar->agent_id != NULL? ar->agent_id: "(null)",
- ar->name,
- user,
- ip,
- lf->time,
- __crt_ftell,
- lf->generated_rule->sigid,
- lf->location);
-
+ int rc;
+ /*If lf->location start with a ( was generated by remote agent and its ID is included in lf->location
+ if missing then it must of been generated by the local analysisd so prepend a false id tag */
+ if(lf->location[0] == '(') {
+ snprintf(exec_msg, OS_SIZE_1024,
+ "%s %c%c%c %s %s %s %s %d.%ld %d",
+ lf->location,
+ (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
+ (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
+ (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
+ ar->agent_id != NULL? ar->agent_id: "(null)",
+ ar->name,
+ user,
+ ip,
+ lf->time,
+ __crt_ftell,
+ lf->generated_rule->sigid);
+ } else {
+ snprintf(exec_msg, OS_SIZE_1024,
+ "(local_source) %s %c%c%c %s %s %s %s %d.%ld %d",
+ lf->location,
+ (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
+ (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
+ (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
+ ar->agent_id != NULL? ar->agent_id: "(null)",
+ ar->name,
+ user,
+ ip,
+ lf->time,
+ __crt_ftell,
+ lf->generated_rule->sigid);
+ }
+
if((rc = OS_SendUnix(*arq, exec_msg, 0)) < 0)
{
if(rc == OS_SOCKBUSY)
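Review bot: The two `snprintf` calls in the new `(local_source)` branch differ only in the format prefix, so the eleven trailing arguments are duplicated and will drift; one call with `const char *src_tag = (lf->location[0] == '(') ? "" : "(local_source) ";` and a format of `"%s%s %c%c%c %s %s %s %s %d.%ld %d"` taking `src_tag, lf->location, ...` keeps a single argument list. The remote path now also fires for local events and the message no longer ends with the second `lf->location` the removed format carried; presumably the consumer of ARQUEUE was updated to match, but that is not visible in this hunk. The `snprintf` return is unchecked, so a long `lf->location` (copied straight from the received message) silently truncates the AR message instead of being rejected. The branch comment reads `must of been`; suggest `/* A location starting with '(' came from a remote agent and carries its id; otherwise the event is local, so tag it for the forwarder. */`. OS_Exec continues outside the hunk.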
}
else
{
- merror("%s: AR socket error (shutdown?).", ARGV0);
+ merror("%s: AR socket error (shutdown?).", ARGV0);
}
merror("%s: Error communicating with ar queue (%d).", ARGV0, rc);
}
}
-
+
return;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/alerts/exec.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/alerts/getloglocation.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
char __alogfile[OS_FLSIZE+1];
char __flogfile[OS_FLSIZE+1];
-/* OS_InitLog */
+/* OS_InitLog */
void OS_InitLog()
{
OS_InitFwLog();
__crt_day = 0;
-
- /* alerts and events log file */
- memset(__alogfile,'\0',OS_FLSIZE +1);
- memset(__elogfile,'\0',OS_FLSIZE +1);
- memset(__flogfile,'\0',OS_FLSIZE +1);
+
+ /* alerts and events log file */
+ memset(__alogfile,'\0',OS_FLSIZE +1);
+ memset(__elogfile,'\0',OS_FLSIZE +1);
+ memset(__flogfile,'\0',OS_FLSIZE +1);
_eflog = NULL;
_aflog = NULL;
_fflog = NULL;
-
+
/* Setting the umask */
umask(0027);
}
-/* gzips a log file
+/* gzips a log file
int OS_CompressLog(int yesterday, char *prev_month, int prev_year)
- -- moved to monitord.
-*/
+ -- moved to monitord.
+*/
/* OS_GetLogLocation: v0.1, 2005/04/25 */
int OS_GetLogLocation(Eventinfo *lf)
{
- /* Checking what directories to create
+ /* Checking what directories to create
* Checking if the year directory is there.
* If not, create it. Same for the month directory.
*/
-
+
/* For the events */
if(_eflog)
{
fclose(_eflog);
_eflog = NULL;
}
-
+
snprintf(__elogfile,OS_FLSIZE,"%s/%d/", EVENTS, lf->year);
if(IsDir(__elogfile) == -1)
if(mkdir(__elogfile,0770) == -1)
_eflog = fopen(__elogfile,"a");
if(!_eflog)
ErrorExit("%s: Error opening logfile: '%s'",ARGV0,__elogfile);
-
+
/* Creating a symlink */
unlink(EVENTS_DAILY);
link(__elogfile, EVENTS_DAILY);
-
+
/* for the alerts logs */
if(_aflog)
fclose(_aflog);
_aflog = NULL;
}
-
+
snprintf(__alogfile,OS_FLSIZE,"%s/%d/", ALERTS, lf->year);
if(IsDir(__alogfile) == -1)
if(mkdir(__alogfile,0770) == -1)
lf->day);
_aflog = fopen(__alogfile,"a");
-
+
if(!_aflog)
ErrorExit("%s: Error opening logfile: '%s'",ARGV0,__alogfile);
-
+
/* Creating a symlink */
unlink(ALERTS_DAILY);
link(__alogfile, ALERTS_DAILY);
-
+
/* For the firewall events */
if(_fflog)
fclose(_fflog);
_fflog = NULL;
}
-
+
snprintf(__flogfile,OS_FLSIZE,"%s/%d/", FWLOGS, lf->year);
if(IsDir(__flogfile) == -1)
if(mkdir(__flogfile,0770) == -1)
/* Creating a symlink */
unlink(FWLOGS_DAILY);
link(__flogfile, FWLOGS_DAILY);
-
- /* Setting the new day */
+
+ /* Setting the new day */
__crt_day = lf->day;
return(0);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/alerts/getloglocation.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* @param lf Event structure
*
* @retval 0 success
- * -1 error
+ * -1 error
*/
int OS_GetLogLocation(Eventinfo *lf);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/alerts/log.c, 2012/03/30 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
#include "eventinfo.h"
#include "config.h"
+#ifdef GEOIP
+/* GeoIP Stuff */
+#include "GeoIP.h"
+#include "GeoIPCity.h"
+
+#define RFC1918_10 (167772160 & 4278190080) /* 10/8 */
+#define RFC1918_172 (2886729728 & 4293918720) /* 172.17/12 */
+#define RFC1918_192 (3232235520 & 4294901760) /* 192.168/16 */
+#define NETMASK_8 4278190080 /* 255.0.0.0 */
+#define NETMASK_12 4293918720 /* 255.240.0.0 */
+#define NETMASK_16 4294901760 /* 255.255.0.0 */
+
+static const char * _mk_NA( const char * p ){
+ return p ? p : "N/A";
+}
+
+/* StrIP2Long */
+/* Convert an dot-quad IP address into long format
+ */
+unsigned long StrIP2Int(char *ip) {
+ unsigned int c1,c2,c3,c4;
+ /* IP address is not coming from user input -> We can trust it */
+ /* only minimal checking is performed */
+ int len = strlen(ip);
+ if ((len < 7) || (len > 15)) return 0;
+
+ sscanf(ip, "%d.%d.%d.%d", &c1, &c2, &c3, &c4);
+ return((unsigned long)c4+c3*256+c2*256*256+c1*256*256*256);
+}
+
+
+/* GeoIPLookup */
+/* Use the GeoIP API to locate an IP address
+ */
+char *GeoIPLookup(char *ip)
+{
+ GeoIP *gi;
+ GeoIPRecord *gir;
+ char buffer[OS_SIZE_1024 +1];
+ unsigned long longip;
+
+ /* Dumb way to detect an IPv6 address */
+ if (strchr(ip, ':')) {
+ /* Use the IPv6 DB */
+ gi = GeoIP_open(Config.geoip_db_path, GEOIP_INDEX_CACHE);
+ if (gi == NULL) {
+ merror(INVALID_GEOIP_DB, ARGV0, Config.geoip6_db_path);
+ return("Unknown");
+ }
+ gir = GeoIP_record_by_name_v6(gi, (const char *)ip);
+ }
+ else {
+ /* Use the IPv4 DB */
+ /* If we have a RFC1918 IP, do not perform a DB lookup (performance) */
+ longip = StrIP2Int(ip);
+ if (longip == 0 ) return("Unknown");
+ if ((longip & NETMASK_8) == RFC1918_10 ||
+ (longip & NETMASK_12) == RFC1918_172 ||
+ (longip & NETMASK_16) == RFC1918_192) return("");
+
+ gi = GeoIP_open(Config.geoip_db_path, GEOIP_INDEX_CACHE);
+ if (gi == NULL) {
+ merror(INVALID_GEOIP_DB, ARGV0, Config.geoip_db_path);
+ return("Unknown");
+ }
+ gir = GeoIP_record_by_name(gi, (const char *)ip);
+ }
+ if (gir != NULL) {
+ sprintf(buffer,"%s,%s,%s",
+ _mk_NA(gir->country_code),
+ _mk_NA(GeoIP_region_name_by_code(gir->country_code, gir->region)),
+ _mk_NA(gir->city)
+ );
+ GeoIP_delete(gi);
+ return(buffer);
+ }
+ GeoIP_delete(gi);
+ return("Unknown");
+}
+#endif /* GEOIP */
/* Drop/allow patterns */
OSMatch FWDROPpm;
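Review bot: `GeoIPLookup` returns `buffer`, an automatic array, so callers receive a dangling pointer (undefined behaviour, even though the callers' `strncpy` happens to copy before the stack is reused); make it `static char buffer[OS_SIZE_1024 +1];` and build it with `snprintf(buffer, sizeof buffer, "%s,%s,%s", ...)` instead of `sprintf`. `StrIP2Int` passes `unsigned int` pointers to `%d`, ignores the `sscanf` return so fewer than four octets leaves `c1..c4` uninitialized, and never rejects octets above 255 — and the comment claiming the address is not user input is wrong, since `srcip`/`dstip` are decoded from the log line — so use `if (sscanf(ip, "%u.%u.%u.%u", &c1, &c2, &c3, &c4) != 4 || c1 > 255 || c2 > 255 || c3 > 255 || c4 > 255) return 0;`. The IPv6 branch opens `Config.geoip_db_path` but reports `Config.geoip6_db_path` on failure; presumably the open should use the v6 path as well. The `GeoIPRecord` returned by both lookups is never released (`GeoIPRecord_delete(gir)`), which leaks on every alert, and opening the database on each lookup is costly once `loggeoip` is enabled. The `RFC1918_172` comment says `172.17/12` while the constant is 172.16.0.0/12.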
/* OS_Store: v0.2, 2005/02/10 */
-/* Will store the events in a file
+/* Will store the events in a file
* The string must be null terminated and contain
* any necessary new lines, tabs, etc.
*
*/
void OS_Store(Eventinfo *lf)
{
+ if(strcmp(lf->location, "ossec-keepalive") == 0)
+ {
+ return;
+ }
+ if(strstr(lf->location, "->ossec-keepalive") != NULL)
+ {
+ return;
+ }
+
fprintf(_eflog,
"%d %s %02d %s %s%s%s %s\n",
lf->year,
lf->location,
lf->full_log);
- fflush(_eflog);
+ fflush(_eflog);
return;
}
void OS_LogOutput(Eventinfo *lf)
{
+#ifdef GEOIP
+ char geoip_msg_src[OS_SIZE_1024 +1];
+ char geoip_msg_dst[OS_SIZE_1024 +1];
+ geoip_msg_src[0] = '\0';
+ geoip_msg_dst[0] = '\0';
+ if (Config.loggeoip) {
+ if (lf->srcip) { strncpy(geoip_msg_src, GeoIPLookup(lf->srcip), OS_SIZE_1024); }
+ if (lf->dstip) { strncpy(geoip_msg_dst, GeoIPLookup(lf->dstip), OS_SIZE_1024); }
+ }
+#endif
printf(
"** Alert %d.%ld:%s - %s\n"
- "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'\n"
- "Src IP: %s\nUser: %s\n%.1256s\n",
+ "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
+ "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",
lf->time,
__crt_ftell,
lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
lf->generated_rule->sigid,
lf->generated_rule->level,
lf->generated_rule->comment,
- lf->srcip == NULL?"(none)":lf->srcip,
- lf->dstuser == NULL?"(none)":lf->dstuser,
+
+ lf->srcip == NULL?"":"\nSrc IP: ",
+ lf->srcip == NULL?"":lf->srcip,
+
+#ifdef GEOIP
+ (strlen(geoip_msg_src) == 0)?"":"\nSrc Location: ",
+ (strlen(geoip_msg_src) == 0)?"":geoip_msg_src,
+#else
+ "",
+ "",
+#endif
+
+ lf->srcport == NULL?"":"\nSrc Port: ",
+ lf->srcport == NULL?"":lf->srcport,
+
+ lf->dstip == NULL?"":"\nDst IP: ",
+ lf->dstip == NULL?"":lf->dstip,
+
+#ifdef GEOIP
+ (strlen(geoip_msg_dst) == 0)?"":"\nDst Location: ",
+ (strlen(geoip_msg_dst) == 0)?"":geoip_msg_dst,
+#else
+ "",
+ "",
+#endif
+
+ lf->dstport == NULL?"":"\nDst Port: ",
+ lf->dstport == NULL?"":lf->dstport,
+
+ lf->dstuser == NULL?"":"\nUser: ",
+ lf->dstuser == NULL?"":lf->dstuser,
+
lf->full_log);
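Review bot: The alert format changes silently: the `Src IP:` and `User:` lines are now omitted when the field is absent instead of printing `(none)`, and new `Src Port:`, `Dst IP:`, `Dst Port:` and location lines appear, so any downstream parser of alerts.log or of the stdout alerts (SIEM connectors, log shippers) keyed on the old fixed lines will break; this deserves a release-notes entry and a comment above the format string such as `/* Optional fields: each label/value pair is printed only when the field is set */`. The `strncpy(geoip_msg_src, GeoIPLookup(lf->srcip), OS_SIZE_1024)` copies into a 1025-byte array whose last byte is never initialised, so a 1024-character lookup result leaves it unterminated; `snprintf(geoip_msg_src, sizeof geoip_msg_src, "%s", GeoIPLookup(lf->srcip))` always terminates. The same GeoIP block is duplicated verbatim in `OS_Log` further down; a small helper filling both buffers would keep them in step. OS_LogOutput continues outside the hunk.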
/* _writefile: v0.2, 2005/02/09 */
void OS_Log(Eventinfo *lf)
{
+#ifdef GEOIP
+ char geoip_msg_src[OS_SIZE_1024 +1];
+ char geoip_msg_dst[OS_SIZE_1024 +1];
+ geoip_msg_src[0] = '\0';
+ geoip_msg_dst[0] = '\0';
+ if (Config.loggeoip) {
+ if (lf->srcip) { strncpy(geoip_msg_src, GeoIPLookup(lf->srcip), OS_SIZE_1024 ); }
+ if (lf->dstip) { strncpy(geoip_msg_dst, GeoIPLookup(lf->dstip), OS_SIZE_1024 ); }
+ }
+#endif
/* Writting to the alert log file */
fprintf(_aflog,
"** Alert %d.%ld:%s - %s\n"
- "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'\n"
- "Src IP: %s\nUser: %s\n%.1256s\n",
+ "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
+ "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",
lf->time,
__crt_ftell,
lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
lf->generated_rule->sigid,
lf->generated_rule->level,
lf->generated_rule->comment,
- lf->srcip == NULL?"(none)":lf->srcip,
- lf->dstuser == NULL?"(none)":lf->dstuser,
+
+ lf->srcip == NULL?"":"\nSrc IP: ",
+ lf->srcip == NULL?"":lf->srcip,
+
+#ifdef GEOIP
+ (strlen(geoip_msg_src) == 0)?"":"\nSrc Location: ",
+ (strlen(geoip_msg_src) == 0)?"":geoip_msg_src,
+#else
+ "",
+ "",
+#endif
+
+ lf->srcport == NULL?"":"\nSrc Port: ",
+ lf->srcport == NULL?"":lf->srcport,
+
+ lf->dstip == NULL?"":"\nDst IP: ",
+ lf->dstip == NULL?"":lf->dstip,
+
+#ifdef GEOIP
+ (strlen(geoip_msg_dst) == 0)?"":"\nDst Location: ",
+ (strlen(geoip_msg_dst) == 0)?"":geoip_msg_dst,
+#else
+ "",
+ "",
+#endif
+
+ lf->dstport == NULL?"":"\nDst Port: ",
+ lf->dstport == NULL?"":lf->dstport,
+
+ lf->dstuser == NULL?"":"\nUser: ",
+ lf->dstuser == NULL?"":lf->dstuser,
+
lf->full_log);
ErrorExit(REGEX_COMPILE, ARGV0, FWALLOW,
FWALLOWpm.error);
}
-
+
}
* action, there is no point in going
* forward over here
*/
- if(!lf->action || !lf->srcip)
+ if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
+ !lf->dstport || !lf->protocol)
{
return(0);
}
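Review bot: Returning 0 when `dstip`, `srcport`, `dstport` or `protocol` is missing means such firewall events are no longer written to the firewall log at all, while the caller still counts them in `hourly_firewall` (visible further down in analysisd.c); if dropping port-less events is intended, say so in the function header, e.g. `/* Events lacking dstip, ports or protocol are not logged to fwlog. */`. FW_Log starts outside the hunk.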
os_free(lf->action);
os_strdup("CLOSED", lf->action);
break;
- /* allow, accept, */
+ /* allow, accept, */
case 'a':
case 'A':
/* pass/permitted */
case 'P':
/* open */
case 'o':
- case 'O':
+ case 'O':
os_free(lf->action);
- os_strdup("ALLOW", lf->action);
+ os_strdup("ALLOW", lf->action);
break;
default:
if(OSMatch_Execute(lf->action,strlen(lf->action),&FWDROPpm))
os_free(lf->action);
os_strdup("UNKNOWN", lf->action);
}
- break;
+ break;
}
lf->srcport,
lf->dstip,
lf->dstport);
-
+
fflush(_fflog);
return(1);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/alerts/log.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/analysisd.c, 2012/07/26 dcid Exp $
+ */
-/* Copyright (C) 2010 Trend Micro Inc.
+/* Copyright (C) 2010-2012 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* Part of the OSSEC
* Available at http://www.ossec.net
*/
-
+
/* ossec-analysisd.
* Responsible for correlation and log decoding.
int DecodeSyscheck(Eventinfo *lf);
int DecodeRootcheck(Eventinfo *lf);
int DecodeHostinfo(Eventinfo *lf);
-
+
/* For Decoders */
int ReadDecodeXML(char *file);
/** int main(int argc, char **argv)
*/
-#ifndef TESTRULE
+#ifndef TESTRULE
int main(int argc, char **argv)
#else
int main_analysisd(int argc, char **argv)
if(!optarg)
ErrorExit("%s: -D needs an argument",ARGV0);
dir = optarg;
+ break;
case 'c':
if(!optarg)
ErrorExit("%s: -c needs an argument",ARGV0);
cfg = optarg;
break;
case 't':
- test_config = 1;
+ test_config = 1;
break;
default:
help(ARGV0);
debug1(STARTED_MSG,ARGV0);
DEBUG_MSG("%s: DEBUG: Starting on debug mode - %d ", ARGV0, (int)time(0));
-
+
/*Check if the user/group given are valid */
uid = Privsep_GetUser(user);
gid = Privsep_GetGroup(group);
/* Found user */
debug1(FOUND_USER, ARGV0);
-
+
/* Initializing Active response */
AR_Init();
if(AR_ReadConfig(test_config, cfg) < 0)
ErrorExit(CONFIG_ERROR,ARGV0, cfg);
}
debug1(ASINIT, ARGV0);
-
-
+
+
/* Reading configuration file */
if(GlobalConf(cfg) < 0)
{
}
debug1(READ_CONFIG, ARGV0);
-
+
/* Fixing Config.ar */
Config.ar = ar_flag;
if(Config.ar == -1)
Config.ar = 0;
-
-
+
+
/* Getting servers hostname */
memset(__shost, '\0', 512);
if(gethostname(__shost, 512 -1) != 0)
{
- strncpy(__shost, OSSEC_SERVER, 512 -1);
+ strncpy(__shost, OSSEC_SERVER, 512 -1);
}
else
{
if(_ltmp)
*_ltmp = '\0';
}
-
+
/* going on Daemon mode */
- if(!test_config || !run_foreground)
+ if(!test_config && !run_foreground)
{
nowDaemon();
goDaemon();
}
-
+
/* Starting prelude */
#ifdef PRELUDE
nowChroot();
-
-
+
+
/*
- * Anonymous Section: Load rules, decoders, and lists
+ * Anonymous Section: Load rules, decoders, and lists
*
* As lists require two pass loading of rules that make use of list lookups
- * are created with blank database structs, and need to be filled in after
- * completion of all rules and lists.
+ * are created with blank database structs, and need to be filled in after
+ * completion of all rules and lists.
*/
{
{
/* Initializing the decoders list */
OS_CreateOSDecoderList();
- if(!Config.decoders)
+ if(!Config.decoders)
{ /* Legacy loading */
/* Reading decoders */
if(!ReadDecodeXML(XML_DECODER))
verbose("%s: INFO: Reading decoder file %s.", ARGV0, *decodersfiles);
if(!ReadDecodeXML(*decodersfiles))
ErrorExit(CONFIG_ERROR, ARGV0, *decodersfiles);
-
- free(*decodersfiles);
- decodersfiles++;
+
+ free(*decodersfiles);
+ decodersfiles++;
}
}
}
{ /* Load Lists */
/* Initializing the lists of list struct */
- Lists_OP_CreateLists();
+ Lists_OP_CreateLists();
/* Load each list into list struct */
{
char **listfiles;
verbose("%s: INFO: Reading rules file: '%s'", ARGV0, *rulesfiles);
if(Rules_OP_ReadRules(*rulesfiles) < 0)
ErrorExit(RULES_ERROR, ARGV0, *rulesfiles);
-
- free(*rulesfiles);
- rulesfiles++;
+
+ free(*rulesfiles);
+ rulesfiles++;
}
free(Config.includes);
Config.includes = NULL;
}
-
+
/* Find all rules with that require list lookups and attache the
- * the correct list struct to the rule. This keeps rules from having to
+ * the correct list struct to the rule. This keeps rules from having to
* search thought the list of lists for the correct file during rule evaluation.
*/
OS_ListLoadRules();
}
}
-
+
/* Fixing the levels/accuracy */
{
int total_rules;
total_rules = _setlevels(tmp_node, 0);
if(!test_config)
- verbose("%s: INFO: Total rules enabled: '%d'", ARGV0, total_rules);
+ verbose("%s: INFO: Total rules enabled: '%d'", ARGV0, total_rules);
}
AddHash_Rule(tmp_node);
}
-
-
+
+
/* Ignored files on syscheck */
{
char **files;
{
if(!test_config)
verbose("%s: INFO: Ignoring file: '%s'", ARGV0, *files);
- files++;
+ files++;
}
}
"log_fw",
0, 1);
-
+
/* Success on the configuration test */
if(test_config)
exit(0);
-
+
/* Verbose message */
debug1(PRIVSEP_MSG, ARGV0, dir, user);
StartSIG(ARGV0);
- /* Setting the user */
+ /* Setting the user */
if(Privsep_SetUser(uid) < 0)
ErrorExit(SETUID_ERROR,ARGV0,user);
-
-
+
+
/* Creating the PID file */
if(CreatePID(ARGV0, getpid()) < 0)
ErrorExit(PID_ERROR,ARGV0);
if(Config.hostname_white_list == NULL)
{
if(Config.ar)
- verbose("%s: INFO: No Hostname in the white list for active reponse.",
+ verbose("%s: INFO: No Hostname in the white list for active reponse.",
ARGV0);
}
else
{
int wlc = 0;
OSMatch **wl;
-
+
wl = Config.hostname_white_list;
while(*wl)
{
/* Going to main loop */
OS_ReadMSG(m_queue);
- if (Config.picviz)
+ if (Config.picviz)
{
OS_PicvizClose();
}
exit(0);
-
+
}
* Main function. Receives the messages(events)
* and analyze them all.
*/
-#ifndef TESTRULE
+#ifndef TESTRULE
void OS_ReadMSG(int m_queue)
#else
void OS_ReadMSG_analysisd(int m_queue)
Eventinfo *lf;
RuleInfo *stats_rule;
-
+
/* Null to global currently pointers */
currently_rule = NULL;
/* Initializing Rootcheck */
RootcheckInit();
-
-
+
+
/* Initializing host info */
HostinfoInit();
-
-
+
+
/* Creating the event list */
OS_CreateEventList(Config.memorysize);
{
ErrorExit(FTS_LIST_ERROR, ARGV0);
}
-
+
/* Starting the active response queues */
if(Config.ar)
/* Waiting the ARQ to settle .. */
sleep(3);
-
+
#ifndef LOCAL
if(Config.ar & REMOTE_AR)
{
if((arq = StartMQ(ARQUEUE, WRITE)) < 0)
{
merror(ARQ_ERROR, ARGV0);
-
+
/* If LOCAL_AR is set, keep it there */
if(Config.ar & LOCAL_AR)
{
verbose(CONN_TO, ARGV0, ARQUEUE, "active-response");
}
}
-
+
#else
/* Only for LOCAL_ONLY installs */
if(Config.ar & REMOTE_AR)
}
}
#endif
-
+
if(Config.ar & LOCAL_AR)
{
if((execdq = StartMQ(EXECQUEUE, WRITE)) < 0)
{
merror(ARQ_ERROR, ARGV0);
-
+
/* If REMOTE_AR is set, keep it there */
if(Config.ar & REMOTE_AR)
{
/* Doing some cleanup */
memset(msg, '\0', OS_MAXSTR +1);
-
-
+
+
/* Initializing the logs */
{
lf = (Eventinfo *)calloc(1,sizeof(Eventinfo));
Free_Eventinfo(lf);
}
-
-
+
+
debug1("%s: DEBUG: Startup completed. Waiting for new messages..",ARGV0);
-
+
/* Daemon loop */
while(1)
{
lf = (Eventinfo *)calloc(1,sizeof(Eventinfo));
-
+
/* This shouldn't happen .. */
if(lf == NULL)
{
ErrorExit(MEM_ERROR,ARGV0);
}
-
+
DEBUG_MSG("%s: DEBUG: Waiting for msgs - %d ", ARGV0, (int)time(0));
-
+
/* Receive message from queue */
if((i = OS_RecvUnix(m_queue, OS_MAXSTR, msg)))
{
Free_Eventinfo(lf);
continue;
}
-
+
/* Message before extracting header */
DEBUG_MSG("%s: DEBUG: Received msg: %s ", ARGV0, msg);
-
+
/* Clean the msg appropriately */
if(OS_CleanMSG(msg, lf) < 0)
{
/* Msg cleaned */
DEBUG_MSG("%s: DEBUG: Msg cleanup: %s ", ARGV0, lf->log);
-
+
/* Currently rule must be null in here */
currently_rule = NULL;
prev_year = lf->year;
}
}
-
-
+
+
/* Incrementing number of events received */
hourly_events++;
if(msg[0] == SYSCHECK_MQ)
{
hourly_syscheck++;
-
+
if(!DecodeSyscheck(lf))
{
/* We don't process syscheck events further */
DecodeEvent(lf);
}
-
+
/* Firewall event */
if(lf->decoder_info->type == FIREWALL)
/* If we could not get any information from
* the log, just ignore it
*/
- hourly_firewall++;
+ hourly_firewall++;
if(Config.logfw)
{
if(!FW_Log(lf))
{
void *saved_rule = lf->generated_rule;
char *saved_log;
-
+
/* Saving previous log */
saved_log = lf->full_log;
-
+
lf->generated_rule = stats_rule;
lf->full_log = __stats_comment;
/* Checking the rules */
- DEBUG_MSG("%s: DEBUG: Checking the rules - %d ",
+ DEBUG_MSG("%s: DEBUG: Checking the rules - %d ",
ARGV0, lf->decoder_info->type);
-
+
/* Looping all the rules */
rulenode_pt = OS_GetFirstRule();
- if(!rulenode_pt)
+ if(!rulenode_pt)
{
ErrorExit("%s: Rules in an inconsistent state. Exiting.",
ARGV0);
{
if(!lf->generated_rule)
{
- goto CLMEM;
+ goto CLMEM;
}
-
+
/* We go ahead in here and process the alert. */
currently_rule = lf->generated_rule;
}
-
+
/* The categories must match */
- else if(rulenode_pt->ruleinfo->category !=
+ else if(rulenode_pt->ruleinfo->category !=
lf->decoder_info->type)
{
continue;
}
/* Checking each rule. */
- else if((currently_rule = OS_CheckIfRuleMatch(lf, rulenode_pt))
+ else if((currently_rule = OS_CheckIfRuleMatch(lf, rulenode_pt))
== NULL)
{
continue;
}
- /* Checking ignore time */
+ /* Checking ignore time */
if(currently_rule->ignore_time)
{
if(currently_rule->time_ignored == 0)
* is less than the time it should be ignored,
* leave (do not alert again).
*/
- else if((lf->time - currently_rule->time_ignored)
+ else if((lf->time - currently_rule->time_ignored)
< currently_rule->ignore_time)
{
break;
/* Pointer to the rule that generated it */
lf->generated_rule = currently_rule;
-
+
/* Checking if we should ignore it */
if(currently_rule->ckignore && IGnore(lf))
{
lf->generated_rule = NULL;
break;
}
-
-
+
+
/* Checking if we need to add to ignore list */
if(currently_rule->ignore)
{
{
OS_PicvizLog(lf);
}
-
+
/* Execute an active response */
if(currently_rule->ar)
do_ar = 1;
if((*rule_ar)->ar_cmd->expect & USERNAME)
{
- if(!lf->dstuser ||
+ if(!lf->dstuser ||
!OS_PRegex(lf->dstuser,"^[a-zA-Z._0-9@?-]*$"))
{
if(lf->dstuser)
}
else
{
- lf->sid_node_to_delete =
+ lf->sid_node_to_delete =
currently_rule->sid_prev_matched->last_node;
}
}
/* Group list */
else if(currently_rule->group_prev_matched)
{
- i = 0;
-
+ i = 0;
+
while(i < currently_rule->group_prev_matched_sz)
{
if(!OSList_AddData(
- currently_rule->group_prev_matched[i],
+ currently_rule->group_prev_matched[i],
lf))
{
merror("%s: Unable to add data to grp list.",ARGV0);
i++;
}
}
-
+
OS_AddEvent(lf);
break;
/* Cleaning the memory */
CLMEM:
-
+
/* Only clear the memory if the eventinfo was not
- * added to the stateful memory
+ * added to the stateful memory
* -- message is free inside clean event --
*/
if(lf->generated_rule == NULL)
* status,
*/
RuleInfo *currently_rule = curr_node->ruleinfo;
-
-
+
+
/* Can't be null */
if(!currently_rule)
{
merror("%s: Inconsistent state. currently rule NULL", ARGV0);
return(NULL);
}
-
+
#ifdef TESTRULE
if(full_output && !alert_only)
print_out(" Trying rule: %d - %s", currently_rule->sigid,
currently_rule->comment);
#endif
-
-
+
+
/* Checking if any decoder pre-matched here */
- if(currently_rule->decoded_as &&
+ if(currently_rule->decoded_as &&
currently_rule->decoded_as != lf->decoder_info->id)
{
return(NULL);
}
-
-
+
+
/* Checking program name */
if(currently_rule->program_name)
{
if(!lf->program_name)
return(NULL);
- if(!OSMatch_Execute(lf->program_name,
- lf->p_name_size,
+ if(!OSMatch_Execute(lf->program_name,
+ lf->p_name_size,
currently_rule->program_name))
return(NULL);
}
{
return(NULL);
}
-
+
if(!OSMatch_Execute(lf->id,
strlen(lf->id),
currently_rule->id))
#endif
}
-
+
/* Checking if any word to match exists */
if(currently_rule->match)
{
if(!OSMatch_Execute(lf->log, lf->size, currently_rule->match))
return(NULL);
- }
+ }
+
-
/* Checking if exist any regex for this rule */
if(currently_rule->regex)
{
if(!OSRegex_Execute(lf->log, currently_rule->regex))
return(NULL);
}
-
-
+
+
/* Checking for actions */
if(currently_rule->action)
{
return(NULL);
}
-
+
/* Checking for the url */
if(currently_rule->url)
{
{
return(NULL);
}
-
+
if(!OSMatch_Execute(lf->url, strlen(lf->url), currently_rule->url))
{
return(NULL);
{
return(NULL);
}
-
+
if(!OSMatch_Execute(lf->srcport,
strlen(lf->srcport),
currently_rule->srcport))
{
return(NULL);
}
-
+
if(!OSMatch_Execute(lf->dstport,
strlen(lf->dstport),
currently_rule->dstport))
#endif
}
} /* END PACKET_INFO */
-
+
/* Extra information from event */
if(currently_rule->alert_opts & DO_EXTRAINFO)
}
}
-
+
/* If it is a context rule, search for it */
if(currently_rule->context == 1)
{
if(full_output && !alert_only)
print_out(" *Rule %d matched.", currently_rule->sigid);
#endif
-
-
+
+
/* Search for dependent rules */
if(curr_node->child)
{
RuleNode *child_node = curr_node->child;
RuleInfo *child_rule = NULL;
-
+
#ifdef TESTRULE
if(full_output && !alert_only)
print_out(" *Trying child rules.");
#endif
-
+
while(child_node)
{
child_rule = OS_CheckIfRuleMatch(lf, child_node);
{
return(child_rule);
}
-
+
child_node = child_node->next;
}
}
-
+
/* If we are set to no alert, keep going */
if(currently_rule->alert_opts & NO_ALERT)
{
return(NULL);
}
-
+
hourly_alerts++;
currently_rule->firedtimes++;
{
if(curr_node->ruleinfo->firedtimes)
{
- fprintf(flog, "%d-%d-%d-%d\n",
- thishour,
+ fprintf(flog, "%d-%d-%d-%d\n",
+ thishour,
curr_node->ruleinfo->sigid,
curr_node->ruleinfo->level,
curr_node->ruleinfo->firedtimes);
curr_node->ruleinfo->firedtimes = 0;
}
-
+
if(curr_node->child)
{
RuleNode *child_node = curr_node->child;
/* Looping on all the rules and printing the stats from them */
do
{
- LoopRule(rulenode_pt, flog);
+ LoopRule(rulenode_pt, flog);
}while((rulenode_pt = rulenode_pt->next) != NULL);
hourly_events = 0;
hourly_syscheck = 0;
hourly_firewall = 0;
-
+
fclose(flog);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/analysisd.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/cleanevent.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-
+
/* OS_CleanMSG v0.3: 2006/03/04
- * Format a received message in the
+ * Format a received message in the
* Eventinfo structure.
*/
int OS_CleanMSG(char *msg, Eventinfo *lf)
merror(FORMAT_ERROR, ARGV0);
return(-1);
}
-
+
*pieces = '\0';
- pieces++;
-
-
+ pieces++;
+
+
os_strdup(msg, lf->location);
-
-
+
+
/* Getting the log length */
loglen = strlen(pieces) + 1;
-
-
+
+
/* Assigning the values in the strucuture (lf->full_log) */
os_malloc((2*loglen) +1, lf->full_log);
-
-
- /* Setting the whole message at full_log */
+
+
+ /* Setting the whole message at full_log */
strncpy(lf->full_log, pieces, loglen);
lf->log = lf->full_log+loglen;
strncpy(lf->log, pieces, loglen);
-
-
- /* Checking for the syslog date format.
- * ( ex: Dec 29 10:00:01
+
+
+ /* Checking for the syslog date format.
+ * ( ex: Dec 29 10:00:01
* or 2007-06-14T15:48:55-04:00 for syslog-ng isodate
* or 2009-05-22T09:36:46.214994-07:00 for rsyslog )
*/
if(
(
- (loglen > 17) &&
- (pieces[3] == ' ') &&
- (pieces[6] == ' ') &&
- (pieces[9] == ':') &&
- (pieces[12] == ':') &&
+ (loglen > 17) &&
+ (pieces[3] == ' ') &&
+ (pieces[6] == ' ') &&
+ (pieces[9] == ':') &&
+ (pieces[12] == ':') &&
(pieces[15] == ' ') && (lf->log+=16)
- )
+ )
||
(
(loglen > 33) &&
(pieces[10] == 'T') &&
(pieces[13] == ':') &&
(pieces[16] == ':') &&
-
+
(
((pieces[22] == ':') &&
(pieces[25] == ' ') && (lf->log+=26)) ||
((pieces[19] == '.') &&
(pieces[29] == ':') && (lf->log+=32))
)
-
+
)
- )
+ )
{
/* Checking for an extra space in here */
if(*lf->log == ' ')
/* Hostname */
pieces = lf->hostname = lf->log;
-
-
+
+
/* Checking for a valid hostname */
while(isValidChar(*pieces) == 1)
{
pieces++;
}
-
-
+
+
/* Checking if it is a syslog without hostname (common on Solaris. */
if(*pieces == ':' && pieces[1] == ' ')
{
lf->log = pieces;
}
-
- /* Extracting the hostname */
+
+ /* Extracting the hostname */
else if(*pieces != ' ')
{
/* Invalid hostname */
/* Extracting program_name */
- /* Valid names:
- * p_name:
+ /* Valid names:
+ * p_name:
* p_name[pid]:
* p_name[pid]: [ID xx facility.severity]
* auth|security:info p_name:
- *
- */
+ *
+ */
while(isValidChar(*pieces) == 1)
{
pieces++;
*pieces = '\0';
pieces+=2;
}
-
+
/* Checking for the second format: p_name[pid]: */
else if((*pieces == '[') && (isdigit((int)pieces[1])))
{
pieces++;
while(isalnum((int)*pieces))
pieces++;
-
+
if(*pieces == ' ')
{
pieces++;
lf->program_name = NULL;
}
}
-
-
+
+
/* Removing [ID xx facility.severity] */
if(pieces)
{
/* Setting log after program name */
lf->log = pieces;
- if((pieces[0] == '[') &&
+ if((pieces[0] == '[') &&
(pieces[1] == 'I') &&
(pieces[2] == 'D') &&
(pieces[3] == ' '))
lf->p_name_size = strlen(lf->program_name);
}
}
-
- /* xferlog date format
+
+ /* xferlog date format
* Mon Apr 17 18:27:14 2006 1 64.160.42.130
*/
else if((loglen > 28) &&
/* Moving log to the beginning of the message */
lf->log+=24;
}
-
+
/* Checking for snort date format
- * ex: 01/28-09:13:16.240702 [**]
- */
- else if( (loglen > 24) &&
- (pieces[2] == '/') &&
+ * ex: 01/28-09:13:16.240702 [**]
+ */
+ else if( (loglen > 24) &&
+ (pieces[2] == '/') &&
(pieces[5] == '-') &&
- (pieces[8] == ':') &&
+ (pieces[8] == ':') &&
(pieces[11]== ':') &&
- (pieces[14]== '.') &&
+ (pieces[14]== '.') &&
(pieces[21] == ' ') )
{
lf->log+=23;
/* Checking for apache log format */
/* [Fri Feb 11 18:06:35 2004] [warn] */
- else if( (loglen > 27) &&
- (pieces[0] == '[') &&
+ else if( (loglen > 27) &&
+ (pieces[0] == '[') &&
(pieces[4] == ' ') &&
- (pieces[8] == ' ') &&
+ (pieces[8] == ' ') &&
(pieces[11]== ' ') &&
- (pieces[14]== ':') &&
+ (pieces[14]== ':') &&
(pieces[17]== ':') &&
- (pieces[20]== ' ') &&
+ (pieces[20]== ' ') &&
(pieces[25]== ']') )
{
lf->log+=27;
}
-
+
/* Checking for the osx asl log format.
* Examples:
* [Time 2006.12.28 15:53:55 UTC] [Facility auth] [Sender sshd] [PID 483] [Message error: PAM: Authentication failure for username from 192.168.0.2] [Level 3] [UID -2] [GID -2] [Host Hostname]
{
/* Do not read more than 1 message entry -> log tampering */
short unsigned int done_message = 0;
-
-
+
+
/* Removing the date */
lf->log+=25;
if(pieces)
{
*pieces = '\0';
-
+
/* Setting program_name size */
lf->p_name_size = strlen(lf->program_name);
-
+
pieces++;
}
/* Invalid program name */
break;
}
}
-
+
/* Getting message */
else if((strncmp(pieces, "Message ", 8) == 0) &&
(done_message == 0))
{
pieces+=8;
done_message = 1;
-
+
lf->log = pieces;
/* Getting the closing brackets */
*pieces = '\0';
pieces++;
}
-
+
/* Invalid hostname */
else
{
pieces = strchr(pieces, '[');
}
}
-
+
/* Checking for squid date format
* 1140804070.368 11623
* seconds from 00:00:00 1970-01-01 UTC
*/
- else if((loglen > 32) &&
+ else if((loglen > 32) &&
(pieces[0] == '1') &&
(pieces[10] == '.') &&
(pieces[14] == ' ') &&
}
- /* Every message must be in the format
+ /* Every message must be in the format
* hostname->location or
* (agent) ip->location.
*/
lf->hostname = __shost;
}
-
+
/* Setting up the event data */
lf->time = c_time;
p = localtime(&c_time);
-
+
/* Assign hour, day, year and month values */
lf->day = p->tm_mday;
lf->year = p->tm_year+1900;
p->tm_hour,
p->tm_min,
p->tm_sec);
-
+
/* Setting the global hour/weekday */
__crt_hour = p->tm_hour;
- __crt_wday = p->tm_wday;
-
-
+ __crt_wday = p->tm_wday;
+
+
#ifdef TESTRULE
if(!alert_only)
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/compiled_rules/generic_samples.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-/** Note: If the rule fails to match it should return NULL.
+/** Note: If the rule fails to match it should return NULL.
* If you want processing to continue, return lf (the eventinfo structure).
*/
-
+
/* Example 1:
if(*target_user != *caller_user)
return(lf);
- if(*target_user == '\t' ||
+ if(*target_user == '\t' ||
(*target_user == ' ' && target_user[1] == ' '))
- break;
+ break;
- target_user++;caller_user++;
+ target_user++;caller_user++;
}
/* If we got in here, the accounts are the same.
* So, we return NULL since we only want to alert if they are different.
- */
+ */
return(NULL);
}
return(lf);
}
-
+
/* Simple request, no query. */
if(!strchr(lf->url,'?'))
{
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
Config.syscheck_ignore = NULL;
Config.white_list = NULL;
Config.hostname_white_list = NULL;
-
+
/* Default actions -- only log above level 1 */
Config.mailbylevel = 7;
Config.logbylevel = 1;
/* Minimum memory size */
if(Config.memorysize < 64)
Config.memorysize = 64;
-
+
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/config.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#ifndef _CONFIG__H
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/decode-xml.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
{
return(OSStore_GetPosition(os_decoder_store, name));
}
-
+
return(0);
}
{
int p_id = 0;
char *p_name;
-
+
nnode = node->osdecoder;
- nnode->id = getDecoderfromlist(nnode->name);
-
+ nnode->id = getDecoderfromlist(nnode->name);
+
/* Id can noit be 0 */
if(nnode->id == 0)
{
/* Setting parent name */
nnode->name = p_name;
}
-
-
+
+
/* Id can noit be 0 */
if(nnode->id == 0)
{
{
return(0);
}
-
+
if(strcmp(names[0], "offset") == 0)
{
int offset = 0;
-
+
/* Offsets can be: after_parent, after_prematch
* or after_regex.
*/
merror(INV_OFFSET, ARGV0, values[0]);
offset |= AFTER_ERROR;
}
-
+
return(offset);
}
/* ReaddecodeXML */
int ReadDecodeXML(char *file)
{
-
- debug1("ReadDecoderXML File = %s", file);
OS_XML xml;
XML_NODE node = NULL;
- /* XML variables */
+ /* XML variables */
/* These are the available options for the rule configuration */
-
+
char *xml_plugindecoder = "plugin_decoder";
char *xml_decoder = "decoder";
char *xml_decoder_name = "name";
int i = 0;
OSDecoderInfo *NULL_Decoder_tmp = NULL;
-
-
- /* Reading the XML */
+
+
+ /* Reading the XML */
if((i = OS_ReadXML(file,&xml)) < 0)
{
if((i == -2) && (strcmp(file, XML_LDECODER) == 0))
{
return(-2);
}
-
+
merror(XML_ERROR, ARGV0, file, xml.err, xml.err_line);
return(0);
}
-
+
/* Applying any variable found */
if(OS_ApplyVariables(&xml) != 0)
{
NULL_Decoder = (void *)NULL_Decoder_tmp;
-
+
i = 0;
while(node[i])
{
char *prematch;
char *p_name;
-
- if(!node[i]->element ||
+
+ if(!node[i]->element ||
strcasecmp(node[i]->element, xml_decoder) != 0)
{
merror(XML_INVELEM, ARGV0, node[i]->element);
return(0);
}
-
+
/* Getting name */
if((!node[i]->attributes) || (!node[i]->values)||
return(0);
}
-
+
/* Checking for additional entries */
if(node[i]->attributes[1] && node[i]->values[1])
{
merror(XML_INVELEM, ARGV0, node[i]->element);
return(0);
}
-
+
if(node[i]->attributes[2])
{
merror(XML_INVELEM, ARGV0, node[i]->element);
}
}
-
+
/* Getting decoder options */
elements = OS_GetElementsbyNode(&xml,node[i]);
if(elements == NULL)
merror(MEM_ERROR,ARGV0);
return(0);
}
-
-
+
+
/* Default values to the list */
pi->parent = NULL;
pi->id = 0;
pi->get_next = 0;
pi->regex_offset = 0;
pi->prematch_offset = 0;
-
+
regex = NULL;
prematch = NULL;
p_name = NULL;
-
-
+
+
/* Checking if strdup worked */
if(!pi->name)
{
merror(MEM_ERROR, ARGV0);
return(0);
}
-
+
/* Add decoder */
if(!addDecoder2list(pi->name))
{
merror(XML_VALUENULL, ARGV0, elements[j]->element);
return(0);
}
-
+
/* Checking if it is a child of a rule */
else if(strcasecmp(elements[j]->element, xml_parent) == 0)
{
pi->parent = _loadmemory(pi->parent, elements[j]->content);
}
-
+
/* Getting the regex */
else if(strcasecmp(elements[j]->element,xml_regex) == 0)
{
int r_offset;
r_offset = ReadDecodeAttrs(elements[j]->attributes,
elements[j]->values);
-
+
if(r_offset & AFTER_ERROR)
{
merror(DEC_REGEX_ERROR, ARGV0, pi->name);
return(0);
}
-
- /* Only the first regex entry may have an offset */
+
+ /* Only the first regex entry may have an offset */
if(regex && r_offset)
{
merror(DUP_REGEX, ARGV0, pi->name);
merror(DEC_REGEX_ERROR, ARGV0, pi->name);
return(0);
}
-
+
/* regex offset */
if(r_offset)
{
pi->regex_offset = r_offset;
}
-
+
/* Assign regex */
regex =
_loadmemory(regex,
elements[j]->content);
}
-
+
/* Getting the pre match */
else if(strcasecmp(elements[j]->element,xml_prematch)==0)
{
int r_offset;
-
+
r_offset = ReadDecodeAttrs(
elements[j]->attributes,
elements[j]->values);
ErrorExit(DEC_REGEX_ERROR, ARGV0, pi->name);
}
-
+
/* Only the first prematch entry may have an offset */
if(prematch && r_offset)
{
{
pi->prematch_offset = r_offset;
}
-
+
prematch =
_loadmemory(prematch,
elements[j]->content);
int ed_c = 0;
for(ed_c = 0; plugin_decoders[ed_c] != NULL; ed_c++)
{
- if(strcmp(plugin_decoders[ed_c],
+ if(strcmp(plugin_decoders[ed_c],
elements[j]->content) == 0)
{
/* Initializing plugin */
return(0);
}
}
-
-
+
+
/* Getting the type */
else if(strcmp(elements[j]->element, xml_type) == 0)
{
else if(strcmp(elements[j]->content, "ids") == 0)
pi->type = IDS;
else if(strcmp(elements[j]->content, "web-log") == 0)
- pi->type = WEBLOG;
+ pi->type = WEBLOG;
else if(strcmp(elements[j]->content, "syslog") == 0)
pi->type = SYSLOG;
else if(strcmp(elements[j]->content, "squid") == 0)
pi->type = SQUID;
else if(strcmp(elements[j]->content, "windows") == 0)
- pi->type = WINDOWS;
+ pi->type = WINDOWS;
else if(strcmp(elements[j]->content, "host-information") == 0)
pi->type = HOST_INFO;
else if(strcmp(elements[j]->content, "ossec") == 0)
- pi->type = OSSEC_RL;
+ pi->type = OSSEC_RL;
else
{
merror("%s: Invalid decoder type '%s'.",
return(0);
}
}
-
+
/* Getting the order */
else if(strcasecmp(elements[j]->element,xml_order)==0)
{
char **norder, **s_norder;
int order_int = 0;
-
+
/* Maximum number is 8 for the order */
norder = OS_StrBreak(',',elements[j]->content, 8);
s_norder = norder;
order_int++;
}
order_int = 0;
-
+
/* Checking the values from the order */
while(*norder)
free(s_norder);
}
-
+
/* Getting the fts order */
else if(strcasecmp(elements[j]->element,xml_fts)==0)
{
char **norder;
char **s_norder;
-
+
/* Maximum number is 8 for the fts */
norder = OS_StrBreak(',',elements[j]->content, 8);
if(norder == NULL)
ErrorExit(MEM_ERROR,ARGV0);
-
-
+
+
/* Saving the initial point to free later */
s_norder = norder;
-
-
+
+
/* Checking the values from the fts */
while(*norder)
{
/* NEXT */
j++;
-
+
} /* while(elements[j]) */
-
+
OS_ClearNode(elements);
-
+
/* Prematch must be set */
if(!prematch && !pi->parent && !p_name)
merror(DEC_REGEX_ERROR, ARGV0, pi->name);
return(0);
}
-
+
/* For the offsets */
if(pi->regex_offset & AFTER_PARENT && !pi->parent)
merror(DEC_REGEX_ERROR, ARGV0, pi->name);
return(0);
}
-
+
if(pi->regex_offset & AFTER_PREMATCH)
{
/* If after_prematch is set, but rule have
return(0);
}
}
-
+
/* For the after_regex offset */
if(pi->regex_offset & AFTER_PREVREGEX)
{
return(0);
}
}
-
+
/* Checking the prematch offset */
if(pi->prematch_offset)
}
}
-
+
/* Compiling the regex/prematch */
if(prematch)
{
free(prematch);
}
-
+
/* Compiling the p_name */
if(p_name)
{
free(p_name);
}
-
+
/* We may not have the pi->regex */
if(regex)
{
merror(DECODE_ADD, ARGV0, pi->name);
return(0);
}
-
+
/* Adding osdecoder to the list */
if(!OS_AddOSDecoder(pi))
{
- merror(DECODER_ERROR, ARGV0);
+ merror(DECODER_ERROR, ARGV0);
return(0);
}
/* Cleaning node and XML structures */
OS_ClearNode(node);
-
+
OS_ClearXML(&xml);
int SetDecodeXML()
-{
+{
/* Adding rootcheck decoder to list */
addDecoder2list(ROOTCHECK_MOD);
addDecoder2list(SYSCHECK_MOD);
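Review bot: The `debug1("ReadDecoderXML File = %s", file);` line at the top of ReadDecodeXML is dropped outright rather than moved, so the trace naming which decoder file is being loaded disappears from the function. If the motivation was that the call preceded the `OS_XML xml;` declaration, the same fix keeps the trace by placing `debug1("ReadDecoderXML File = %s", file);` after `OSDecoderInfo *NULL_Decoder_tmp = NULL;`, just before the `/* Reading the XML */` comment. The function body is cut in several places within this hunk and its remaining parts lie outside it.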
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/decoder.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-
+
#include "shared.h"
#include "os_regex/os_regex.h"
#include "os_xml/os_xml.h"
{
print_out("\n**Phase 2: Completed decoding.");
}
- #endif
+ #endif
- do
+ do
{
nnode = node->osdecoder;
/* First checking program name */
if(lf->program_name)
{
- if(!OSMatch_Execute(lf->program_name, lf->p_name_size,
+ if(!OSMatch_Execute(lf->program_name, lf->p_name_size,
nnode->program_name))
{
continue;
#ifdef TESTRULE
if(!alert_only)print_out(" decoder: '%s'", nnode->name);
- #endif
-
+ #endif
+
lf->decoder_info = nnode;
-
+
child_node = node->child;
{
char *llog;
- /* If we have an offset set, use it */
+ /* If we have an offset set, use it */
if(nnode->prematch_offset & AFTER_PARENT)
{
llog = pmatch;
return;
child_node = child_node->next;
- nnode = NULL;
+ nnode = NULL;
}
else
{
nnode->plugindecoder(lf);
return;
}
-
-
+
+
/* Getting the regex */
while(child_node)
{
}
/* ok to return */
- return;
+ return;
}while((node=node->next) != NULL);
#ifdef TESTRULE
print_out(" No decoder matched.");
}
#endif
-
+
}
#ifdef TESTRULE
if(!alert_only)print_out(" dstuser: '%s'", field);
#endif
-
+
lf->dstuser = field;
return(NULL);
}
#ifdef TESTRULE
if(!alert_only)print_out(" srcuser: '%s'", field);
#endif
-
+
lf->srcuser = field;
return(NULL);
}
#ifdef TESTRULE
if(!alert_only)print_out(" srcip: '%s'", field);
#endif
-
+
lf->srcip = field;
return(NULL);
}
#ifdef TESTRULE
if(!alert_only)print_out(" dstip: '%s'", field);
#endif
-
+
lf->dstip = field;
return(NULL);
}
#ifdef TESTRULE
if(!alert_only)print_out(" srcport: '%s'", field);
#endif
-
+
lf->srcport = field;
return(NULL);
}
#ifdef TESTRULE
if(!alert_only)print_out(" dstport: '%s'", field);
#endif
-
+
lf->dstport = field;
return(NULL);
}
#ifdef TESTRULE
if(!alert_only)print_out(" proto: '%s'", field);
#endif
-
+
lf->protocol = field;
return(NULL);
}
#ifdef TESTRULE
if(!alert_only)print_out(" action: '%s'", field);
#endif
-
+
lf->action = field;
return(NULL);
}
#ifdef TESTRULE
if(!alert_only)print_out(" id: '%s'", field);
#endif
-
+
lf->id = field;
return(NULL);
}
#ifdef TESTRULE
if(!alert_only)print_out(" url: '%s'", field);
#endif
-
+
lf->url = field;
return(NULL);
}
#ifdef TESTRULE
if(!alert_only)print_out(" extra_data: '%s'", field);
#endif
-
+
lf->data = field;
return(NULL);
}
#ifdef TESTRULE
if(!alert_only)print_out(" status: '%s'", field);
#endif
-
+
lf->status = field;
return(NULL);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/decoder.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#define AFTER_PARENT 0x001 /* 1 */
#define AFTER_PREMATCH 0x002 /* 2 */
-#define AFTER_PREVREGEX 0x004 /* 4 */
-#define AFTER_ERROR 0x010
+#define AFTER_PREVREGEX 0x004 /* 4 */
+#define AFTER_ERROR 0x010
u_int16_t id;
u_int16_t regex_offset;
u_int16_t prematch_offset;
-
+
int fts;
char *parent;
char *name;
char *ftscomment;
-
+
OSRegex *regex;
OSRegex *prematch;
OSMatch *program_name;
-
+
void (*plugindecoder)(void *lf);
void (**order)(void *lf, char *field);
}OSDecoderInfo;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/decoders_list.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
{
return(osdecodernode_forpname);
}
-
+
return(osdecodernode_nopname);
}
{
OSDecoderNode *tmp_node = s_node;
int rm_f = 0;
-
+
if(tmp_node)
{
OSDecoderNode *new_node;
-
+
new_node = (OSDecoderNode *)calloc(1,sizeof(OSDecoderNode));
if(new_node == NULL)
{
if((tmp_node->osdecoder->prematch ||
tmp_node->osdecoder->regex) && pi->regex_offset)
{
- rm_f = 1;
+ rm_f = 1;
}
-
+
/* Multi-regexes patterns cannot have prematch */
if(pi->prematch)
{
return(NULL);
}
}
-
+
}while(tmp_node->next && (tmp_node = tmp_node->next));
-
-
+
+
/* Must have a prematch set */
if(!rm_f && (pi->regex_offset & AFTER_PREVREGEX))
{
merror(INV_OFFSET, ARGV0, pi->name);
return(NULL);
}
-
+
tmp_node->next = new_node;
-
+
new_node->next = NULL;
- new_node->osdecoder = pi;
+ new_node->osdecoder = pi;
new_node->child = NULL;
}
-
+
else
{
/* Must not have a previous regex set */
/* We can actually have two lists. One with program
* name and the other without.
*/
- if(pi->program_name)
+ if(pi->program_name)
{
osdecodernode = osdecodernode_forpname;
}
osdecodernode = osdecodernode_nopname;
}
-
+
/* Search for parent on both lists */
if(pi->parent)
{
}
tmp_node = tmp_node->next;
}
-
+
/* List without p name */
tmp_node = osdecodernode_nopname;
{
return(1);
}
-
+
merror(PPLUGIN_INV, ARGV0, pi->parent);
- return(0);
+ return(0);
}
else
{
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/hostinfo.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/* Opening HOSTINFO_FILE */
snprintf(_hi_buf,OS_SIZE_1024, "%s", HOSTINFO_FILE);
-
+
/* r+ to read and write. Do not truncate */
_hi_fp = fopen(_hi_buf,"r+");
return;
}
-
+
/* clearing the buffer */
memset(_hi_buf, '\0', OS_MAXSTR +1);
{
int changed = 0;
int bf_size;
-
+
char *ip;
char *portss;
char *tmpstr;
char opened[OS_MAXSTR + 1];
FILE *fp;
-
+
/* Checking maximum number of errors */
if(hi_err > 30)
{
"Ignoring it.", ARGV0);
return(0);
}
-
+
/* Zeroing buffers */
buffer[OS_MAXSTR] = '\0';
/* Copying log to buffer */
strncpy(buffer,lf->log, OS_MAXSTR);
-
-
+
+
/* Getting ip */
tmpstr = __go_after(buffer, HOST_HOST);
if(!tmpstr)
return(0);
}
-
+
/* Setting ip */
ip = tmpstr;
tmpstr = strchr(tmpstr, ',');
*tmpstr = '\0';
}
bf_size = strlen(ip);
-
-
+
+
/* Reads the file and search for a possible
* entry
*/
/* Removing new line */
tmpstr = strchr(_hi_buf, '\n');
if(tmpstr)
- *tmpstr = '\0';
+ *tmpstr = '\0';
/* Checking for ip */
if(strncmp(ip, _hi_buf, bf_size) == 0)
{
- /* Cannot use strncmp to avoid errors with crafted files */
+ /* Cannot use strncmp to avoid errors with crafted files */
if(strcmp(portss, _hi_buf + bf_size) == 0)
{
return(0);
changed = 1;
}
}
- }
+ }
+
-
/* Adding the new entry at the end of the file */
fseek(fp, 0, SEEK_END);
fprintf(fp,"%s%s\n", ip, portss);
/* Setting decoder */
lf->decoder_info = hostinfo_dec;
-
+
/* Setting comment */
if(changed == 1)
{
{
hostinfo_dec->id = id_new;
}
-
+
return(1);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/plugin_decoders.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* List of plugins. All three lists must be in the same order */
char *(plugin_decoders[])={"PF_Decoder",
- "SymantecWS_Decoder",
+ "SymantecWS_Decoder",
"SonicWall_Decoder",
"OSSECAlert_Decoder",
NULL};
-void *(plugin_decoders_init[]) = {PF_Decoder_Init,
+void *(plugin_decoders_init[]) = {PF_Decoder_Init,
SymantecWS_Decoder_Init,
- SonicWall_Decoder_Init,
+ SonicWall_Decoder_Init,
OSSECAlert_Decoder_Init,
NULL};
-void *(plugin_decoders_exec[]) = {PF_Decoder_Exec,
+void *(plugin_decoders_exec[]) = {PF_Decoder_Exec,
SymantecWS_Decoder_Exec,
SonicWall_Decoder_Exec,
OSSECAlert_Decoder_Exec,
NULL};
-
+
#endif
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/plugins/ossecalert_decoder.c, 2012/03/28 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#define oa_strchr(x,y,z) z = strchr(x,y); if(!z){ return(NULL); }
-/* OSSECAlert decoder
+/* OSSECAlert decoder
* Will extract the rule_id and point back to the original rule.
* Will also extract srcip and username if available.
* Examples:
- *
- */
+ *
+ */
void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
{
char *oa_id = 0;
/* Checking the alert level. */
- if(strncmp("Alert Level: ", lf->log, 12) != 0)
+ if(strncmp("Alert Level: ", lf->log, 12) != 0 &&
+ strncmp("ossec: Alert Level:", lf->log, 18) != 0)
{
return(NULL);
}
-
+
/* Going past the level. */
oa_strchr(lf->log, ';', tmp_str);
tmp_str++;
if(*tmp_str != ' ')
{
return(NULL);
- }
+ }
tmp_str++;
-
+
/* Getting id. */
oa_id = tmp_str;
oa_strchr(tmp_str, ' ', tmp_str);
/* Setting location; */
oa_location = tmp_str;
-
+
oa_strchr(tmp_str, ';', tmp_str);
*tmp_str = '\0';
}
else
{
- snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
+ snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
lf->location, oa_location);
free(lf->location);
os_strdup(oa_newlocation, lf->location);
*tmp_str = ';';
tmp_str++;
-
+
/* Getting additional fields. */
while((*tmp_str == ' ') && (tmp_str[1] != ' '))
{
*tmp_str = ';';
tmp_str++;
}
-
+
/* Removing space. */
while(*tmp_str == ' ')
tmp_str++;
-
-
+
+
/* Creating new full log. */
free(lf->full_log);
os_strdup(tmp_str, lf->full_log);
lf->log = lf->full_log;
-
+
/* Rule that generated. */
lf->generated_rule = rule_pointer;
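Review bot: The new guard `strncmp("ossec: Alert Level:", lf->log, 18)` compares one byte fewer than the 19-character literal, so it accepts `ossec: Alert Level` without the trailing colon, while the existing `strncmp("Alert Level: ", lf->log, 12)` does include the colon; the two prefix checks are inconsistent and the hand-counted lengths are easy to get wrong. Derive the length from the literal instead, e.g. `strncmp("ossec: Alert Level:", lf->log, sizeof("ossec: Alert Level:") - 1) != 0`, and do the same for the first check. Everything after the guard relies on the `;` located by `oa_strchr`, so a looser prefix match only widens what reaches that parsing; the body of OSSECAlert_Decoder_Exec continues beyond this hunk.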
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/plugins/pf_decoder.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
}
-/* OpenBSD PF decoder
+/* OpenBSD PF decoder
* Will extract the action,srcip,dstip,protocol,srcport,dstport
*
* Examples:
* Mar 30 15:54:22.174412 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030: udp 89
* Mar 30 17:47:40.390143 rule 2/(match) pass in on lo0: 127.0.0.1 > 127.0.0.1: icmp: echo reply
* Mar 30 17:47:41.400075 rule 3/(match) pass out on lo0: 127.0.0.1 > 127.0.0.1: icmp: echo request
- */
+ */
void *PF_Decoder_Exec(Eventinfo *lf)
{
int port_count = 0;
/* tmp_str should be: Mar 30 15:54:22.171929 rule 3/(match) pass out .. */
tmp_str = strchr(lf->log, ')');
-
+
/* Didn't match */
if(!tmp_str)
{
return(NULL);
}
-
+
/* Going to the action entry */
tmp_str++;
if(*tmp_str != ' ')
return(NULL);
}
-
+
/* Jumping to the src ip */
tmp_str = strchr(tmp_str, ':');
if(!tmp_str)
tmp_str++;
-
+
/* tmp_str should be: 192.168.2.10.1514 > .. */
aux_str = strchr(tmp_str, ' ');
if(!aux_str)
return(NULL);
-
-
+
+
/* Setting aux_str to 0 for strdup */
*aux_str = '\0';
-
+
os_strdup(tmp_str, lf->srcip);
-
+
/* Aux str has a valid pointer to lf->log now */
*aux_str = ' ';
aux_str++;
-
-
-
+
+
+
/* Setting the source port if present */
tmp_str = lf->srcip;
while(*tmp_str != '\0')
{
if(*tmp_str == '.')
port_count++;
-
-
+
+
/* Found port */
if(port_count == 4)
{
os_strdup(tmp_str, lf->srcport);
break;
}
-
+
tmp_str++;
}
tmp_str = strchr(aux_str, ':');
if(!tmp_str)
return(NULL);
-
-
+
+
/* Setting aux_str to 0 for strdup */
*tmp_str = '\0';
-
+
os_strdup(aux_str, lf->dstip);
-
-
+
+
/* tmp str has a valid pointer to lf->log now */
*tmp_str = ':';
tmp_str++;
{
if(*aux_str == '.')
port_count++;
-
-
+
+
/* Found port */
if(port_count == 4)
{
os_strdup(aux_str, lf->dstport);
break;
}
-
+
aux_str++;
}
{
os_strdup("TCP", lf->protocol);
}
-
+
break;
}
-
+
return(NULL);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/plugins/sonicwall_decoder.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/** Global variables -- not thread safe. If we ever multi thread
* analysisd, these will need to be changed.
- */
+ */
OSRegex *__sonic_regex_prid = NULL;
OSRegex *__sonic_regex_sdip = NULL;
OSRegex *__sonic_regex_prox = NULL;
-/* SonicWall decoder
+/* SonicWall decoder
* Will extract the id, severity, action, srcip, dstip, protocol,srcport,dstport
* severity will be extracted as status.
* Examples:
* Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
* Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN
- */
+ */
void *SonicWall_Decoder_Exec(Eventinfo *lf)
{
int i = 0;
/* Zeroing category */
category[0] = '\0';
lf->decoder_info->type = SYSLOG;
-
-
-
+
+
+
/** We first run our regex to extract the severity, cat and id. **/
if(!(tmp_str = OSRegex_Execute(lf->log, __sonic_regex_prid)))
{
/* Clearing all substrings */
__sonic_regex_prid->sub_strings[0] = NULL;
__sonic_regex_prid->sub_strings[2] = NULL;
-
+
free(__sonic_regex_prid->sub_strings[1]);
__sonic_regex_prid->sub_strings[1] = NULL;
}
{
return(NULL);
}
- if(__sonic_regex_sdip->sub_strings[0] &&
- __sonic_regex_sdip->sub_strings[1] &&
- __sonic_regex_sdip->sub_strings[2] &&
+ if(__sonic_regex_sdip->sub_strings[0] &&
+ __sonic_regex_sdip->sub_strings[1] &&
+ __sonic_regex_sdip->sub_strings[2] &&
__sonic_regex_sdip->sub_strings[3])
{
/* Setting all the values */
i = 0;
tmp_str += 6;
-
+
/* Allocating memory for the protocol */
os_calloc(8, sizeof(char), proto);
-
+
/** Setting the category/action based on the id. **/
/* IDS event */
{
lf->decoder_info->type = IDS;
}
-
+
/* Firewall connection opened */
else if((strcmp(lf->id, "98") == 0) ||
- (strcmp(lf->id, "597") == 0) ||
- (strcmp(lf->id, "598") == 0))
+ (strcmp(lf->id, "597") == 0) ||
+ (strcmp(lf->id, "598") == 0))
{
lf->decoder_info->type = FIREWALL;
- os_strdup("pass", lf->action);
+ os_strdup("pass", lf->action);
}
-
+
/* Firewall connection dropped */
else if((strcmp(lf->id, "38") == 0) ||
(strcmp(lf->id, "36") == 0) ||
(strcmp(lf->id, "37") == 0))
{
lf->decoder_info->type = FIREWALL;
- os_strdup("drop", lf->action);
+ os_strdup("drop", lf->action);
}
-
+
/* Firewall connection closed */
else if(strcmp(lf->id, "537") == 0)
{
lf->decoder_info->type = FIREWALL;
os_strdup("close", lf->action);
}
-
+
/* Proxy msg */
else if(strcmp(lf->id, "97") == 0)
{
{
return(NULL);
}
-
+
/* We first run our regex to extract the severity and id. */
if(!OSRegex_Execute(tmp_str, __sonic_regex_prox))
{
return(NULL);
}
-
+
/* Getting HTTP page */
- if(__sonic_regex_prox->sub_strings[1] &&
+ if(__sonic_regex_prox->sub_strings[1] &&
__sonic_regex_prox->sub_strings[2])
{
char *final_url;
int url_size = strlen(__sonic_regex_prox->sub_strings[1]) +
strlen(__sonic_regex_prox->sub_strings[2]) + 2;
-
+
os_calloc(url_size +1, sizeof(char), final_url);
- snprintf(final_url, url_size, "%s%s",
+ snprintf(final_url, url_size, "%s%s",
__sonic_regex_prox->sub_strings[1],
__sonic_regex_prox->sub_strings[2]);
return(NULL);
}
-
+
return(NULL);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/plugins/symantecws_decoder.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
}
-/* Symantec Web Security decoder
+/* Symantec Web Security decoder
* Will extract the action, srcip, id, url and username.
*
- * Examples (also online at
+ * Examples (also online at
* http://www.ossec.net/wiki/index.php/Symantec_WebSecurity ).
* 20070717,73613,1=5,11=10.1.1.3,10=userc,3=1,2=1
* 20070717,73614,1=5,11=1.2.3.4,1106=News,60=http://news.bbc.co.uk/,10=userX,1000=212.58.240.42,2=27
- */
+ */
void *SymantecWS_Decoder_Exec(Eventinfo *lf)
{
int count = 0;
char buf_str[OS_SIZE_1024 +1];
char *tmp_str = NULL;
-
+
/* Initializing buffer */
buf_str[0] = '\0';
buf_str[OS_SIZE_1024] = '\0';
-
-
+
+
/* Removing date and time */
if(!(tmp_str = strchr(lf->log, ',')))
{
return(NULL);
}
tmp_str++;
-
-
+
+
/* Getting all the values */
while(tmp_str != NULL)
{
{
count = 0;
tmp_str+=3;
- while(*tmp_str != '\0' && count < 128 && *tmp_str != ',')
+ while(*tmp_str != '\0' && count < 128 && *tmp_str != ',')
{
- buf_str[count] = *tmp_str;
+ buf_str[count] = *tmp_str;
count++; tmp_str++;
}
buf_str[count] = '\0';
os_strdup(buf_str, lf->dstuser);
}
}
-
+
/* Checking the ip address */
else if(strncmp(tmp_str, "11=", 3) == 0)
{
count = 0;
tmp_str+=3;
- while(*tmp_str != '\0' && count < 128 && *tmp_str != ',')
+ while(*tmp_str != '\0' && count < 128 && *tmp_str != ',')
{
- buf_str[count] = *tmp_str;
+ buf_str[count] = *tmp_str;
count++; tmp_str++;
}
buf_str[count] = '\0';
{
count = 0;
tmp_str+=3;
- while(*tmp_str != '\0' && count < OS_SIZE_1024 && *tmp_str != ',')
+ while(*tmp_str != '\0' && count < OS_SIZE_1024 && *tmp_str != ',')
{
- buf_str[count] = *tmp_str;
+ buf_str[count] = *tmp_str;
count++; tmp_str++;
}
buf_str[count] = '\0';
tmp_str++;
}
}
-
+
return(NULL);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/rootcheck.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int i = 0;
rk_err = 0;
-
+
for(;i<MAX_AGENTS;i++)
{
rk_agent_ips[i] = NULL;
rootcheck_dec->fts = 0;
debug1("%s: RootcheckInit completed.", ARGV0);
-
+
return;
}
*agent_id = i;
return(rk_agent_fps[i]);
}
-
- i++;
+
+ i++;
}
/* If here, our agent wasn't found */
if(rk_agent_ips[i] != NULL)
{
snprintf(rk_buf,OS_SIZE_1024, "%s/%s", ROOTCHECK_DIR,agent);
-
+
/* r+ to read and write. Do not truncate */
rk_agent_fps[i] = fopen(rk_buf,"r+");
if(!rk_agent_fps[i])
if(!rk_agent_fps[i])
{
merror(FOPEN_ERROR, ARGV0, rk_buf);
-
+
free(rk_agent_ips[i]);
rk_agent_ips[i] = NULL;
merror("%s: Error handling rootcheck database (fgetpos).",ARGV0);
return(0);
}
-
+
/* Reads the file and search for a possible
* entry
tmpstr = strchr(rk_buf, '\n');
if(tmpstr)
{
- *tmpstr = '\0';
+ *tmpstr = '\0';
}
-
+
/* Old format without the time stampts */
if(rk_buf[0] != '!')
{
- /* Cannot use strncmp to avoid errors with crafted files */
+ /* Cannot use strncmp to avoid errors with crafted files */
if(strcmp(lf->log, rk_buf) == 0)
{
rootcheck_dec->fts = 0;
{
/* Going past time: !1183431603!1183431603 (last, first saw) */
tmpstr = rk_buf + 23;
-
+
/* Matches, we need to upgrade last time saw */
if(strcmp(lf->log, tmpstr) == 0)
{
fsetpos(fp, &fp_pos);
fprintf(fp, "!%d", lf->time);
rootcheck_dec->fts = 0;
- lf->decoder_info = rootcheck_dec;
+ lf->decoder_info = rootcheck_dec;
return(1);
}
}
merror("%s: Error handling rootcheck database (fgetpos3).",ARGV0);
return(0);
}
- }
+ }
+
-
/* Adding the new entry at the end of the file */
fseek(fp, 0, SEEK_END);
fprintf(fp,"!%d!%d %s\n",lf->time, lf->time, lf->log);
rootcheck_dec->fts = 0;
rootcheck_dec->fts |= FTS_DONE;
lf->decoder_info = rootcheck_dec;
- return(1);
+ return(1);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/syscheck.c, 2012/02/07 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int id3;
int idn;
int idd;
-
+
/* Syscheck rule */
OSDecoderInfo *syscheck_dec;
/* File search variables */
fpos_t init_pos;
-
+
}_sdb; /* syscheck db information */
int i = 0;
sdb.db_err = 0;
-
+
for(;i <= MAX_AGENTS;i++)
{
sdb.agent_ips[i] = NULL;
/* Clearing db memory */
memset(sdb.buf, '\0', OS_MAXSTR +1);
memset(sdb.comment, '\0', OS_MAXSTR +1);
-
+
memset(sdb.size, '\0', OS_FLSIZE +1);
memset(sdb.perm, '\0', OS_FLSIZE +1);
memset(sdb.owner, '\0', OS_FLSIZE +1);
sdb.syscheck_dec->name = SYSCHECK_MOD;
sdb.syscheck_dec->type = OSSEC_RL;
sdb.syscheck_dec->fts = 0;
-
+
sdb.id1 = getDecoderfromlist(SYSCHECK_MOD);
sdb.id2 = getDecoderfromlist(SYSCHECK_MOD2);
sdb.id3 = getDecoderfromlist(SYSCHECK_MOD3);
sdb.idn = getDecoderfromlist(SYSCHECK_NEW);
sdb.idd = getDecoderfromlist(SYSCHECK_DEL);
-
+
debug1("%s: SyscheckInit completed.", ARGV0);
return;
}
void __setcompleted(char *agent)
{
FILE *fp;
-
+
/* Getting agent file */
snprintf(sdb.buf, OS_FLSIZE , "%s/.%s.cpt", SYSCHECK_DIR, agent);
int i = 0;
/* Finding file pointer */
- while(sdb.agent_ips[i] != NULL)
+ while(sdb.agent_ips[i] != NULL && i < MAX_AGENTS)
{
if(strcmp(sdb.agent_ips[i], lf->location) == 0)
{
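Review bot: The new loop condition `sdb.agent_ips[i] != NULL && i < MAX_AGENTS` reads the array element before testing the bound, so when i reaches MAX_AGENTS the element at that index is read before the comparison stops the loop; the operands should be swapped, `while(i < MAX_AGENTS && sdb.agent_ips[i] != NULL)`. SyscheckInit clears indices 0..MAX_AGENTS inclusive, which suggests the array holds MAX_AGENTS + 1 entries and the read is in bounds today, but the check as written only guards the body, not the read in the condition, and breaks if the array is ever sized to MAX_AGENTS. The same ordering appears in the second loop later in this file (`while(sdb.agent_ips[i] != NULL && i < MAX_AGENTS)` ahead of the added `i == MAX_AGENTS` check); both enclosing functions start outside their hunks.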
{
return;
}
-
+
__setcompleted(lf->location);
int i = 0;
/* Finding file pointer */
- while(sdb.agent_ips[i] != NULL)
+ while(sdb.agent_ips[i] != NULL && i < MAX_AGENTS)
{
if(strcmp(sdb.agent_ips[i], agent) == 0)
{
*agent_id = i;
return(sdb.agent_fps[i]);
}
-
- i++;
+
+ i++;
}
/* If here, our agent wasn't found */
+ if (i == MAX_AGENTS)
+ {
+ merror("%s: Unable to open integrity file. Increase MAX_AGENTS.",ARGV0);
+ return(NULL);
+ }
+
os_strdup(agent, sdb.agent_ips[i]);
/* Getting agent file */
snprintf(sdb.buf, OS_FLSIZE , "%s/%s", SYSCHECK_DIR,agent);
-
-
+
+
/* r+ to read and write. Do not truncate */
sdb.agent_fps[i] = fopen(sdb.buf,"r+");
if(!sdb.agent_fps[i])
sdb.agent_fps[i] = fopen(sdb.buf, "r+");
}
}
-
- /* Checking again */
+
+ /* Checking again */
if(!sdb.agent_fps[i])
{
merror("%s: Unable to open '%s'",ARGV0, sdb.buf);
/* Returning the opened pointer (the beginning of it) */
fseek(sdb.agent_fps[i],0, SEEK_SET);
*agent_id = i;
-
-
+
+
/* Getting if the agent was completed */
if(__iscompleted(agent))
{
- sdb.agent_cp[i][0] = '1';
+ sdb.agent_cp[i][0] = '1';
}
return(sdb.agent_fps[i]);
int p = 0;
int sn_size;
int agent_id;
-
+
char *saved_sum;
char *saved_name;
-
+
FILE *fp;
merror("%s: Error handling integrity database (fgetpos).",ARGV0);
return(0);
}
-
-
+
+
/* Looping the file */
while(fgets(sdb.buf, OS_MAXSTR, fp) != NULL)
{
}
- /* Getting name */
+ /* Getting name */
saved_name = strchr(sdb.buf, ' ');
if(saved_name == NULL)
{
}
*saved_name = '\0';
saved_name++;
-
-
+
+
/* New format - with a timestamp */
if(*saved_name == '!')
{
fgetpos(fp, &sdb.init_pos);
continue;
}
-
+
saved_sum = sdb.buf;
if(saved_sum[-2] == '!')
{
p++;
- if(saved_sum[-1] == '!')
+ if(saved_sum[-1] == '!')
p++;
else if(saved_sum[-1] == '?')
- p+=2;
+ p+=2;
}
}
"File '%.756s' was deleted. Unable to retrieve "
"checksum.", f_name);
}
-
+
/* If file was re-added, do not compare changes */
else if(saved_sum[0] == '-' && saved_sum[1] == '1')
{
"File '%.756s' was re-added.", f_name);
}
- else
+ else
{
int oldperm = 0, newperm = 0;
-
+
/* Providing more info about the file change */
char *oldsize = NULL, *newsize = NULL;
char *olduid = NULL, *newuid = NULL;
"to '%c%c%c%c%c%c%c%c%c'\n",
(oldperm & S_IRUSR)? 'r' : '-',
(oldperm & S_IWUSR)? 'w' : '-',
-
+
(oldperm & S_ISUID)? 's' :
(oldperm & S_IXUSR)? 'x' : '-',
-
+
(oldperm & S_IRGRP)? 'r' : '-',
(oldperm & S_IWGRP)? 'w' : '-',
(oldperm & S_ISGID)? 's' :
(oldperm & S_IXGRP)? 'x' : '-',
-
+
(oldperm & S_IROTH)? 'r' : '-',
(oldperm & S_IWOTH)? 'w' : '-',
(newperm & S_ISUID)? 's' :
(newperm & S_IXUSR)? 'x' : '-',
-
+
(newperm & S_IRGRP)? 'r' : '-',
(newperm & S_IWGRP)? 'w' : '-',
-
+
(newperm & S_ISGID)? 's' :
(newperm & S_IXGRP)? 'x' : '-',
os_strdup(olduid, lf->owner_before);
os_strdup(newuid, lf->owner_after);
#endif
- }
+ }
/* group ownership message */
if(!newgid || !oldgid || strcmp(newgid, oldgid) == 0)
#endif
- /* Provide information about the file */
+ /* Provide information about the file */
snprintf(sdb.comment, OS_MAXSTR, "Integrity checksum changed for: "
"'%.756s'\n"
"%s"
"%s"
"%s"
"%s%s",
- f_name,
+ f_name,
sdb.size,
sdb.perm,
sdb.owner,
lf->log = lf->full_log;
lf->data = NULL;
-
+
/* Setting decoder */
lf->decoder_info = sdb.syscheck_dec;
-
- return(1);
+
+ return(1);
} /* continuiing... */
/* If we reach here, this file is not present on our database */
fseek(fp, 0, SEEK_END);
-
+
fprintf(fp,"+++%s !%d %s\n", c_sum, lf->time, f_name);
+ fflush(fp);
/* Alert if configured to notify on new files */
if((Config.syscheck_alert_new == 1) && (DB_IsCompleted(agent_id)))
snprintf(sdb.comment, OS_MAXSTR,
"New file '%.756s' "
"added to the file system.", f_name);
-
+
/* Creating a new log message */
free(lf->full_log);
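Review bot: The new `fflush(fp)` after the `+++` record discards its return value, as the preceding `fprintf` already did, so a failed write of the new-file entry to the integrity database (disk full, read-only filesystem) is never logged and the next run simply treats the file as unknown again. Checking the flush is enough to surface both errors: `if(fflush(fp) != 0) merror("%s: Unable to write integrity entry for '%.756s'", ARGV0, f_name);`. The enclosing function starts and ends outside the hunk.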
{
char *c_sum;
char *f_name;
-
-
+
+
/* Every syscheck message must be in the following format:
- * checksum filename
+ * checksum filename
*/
f_name = strchr(lf->log, ' ');
if(f_name == NULL)
DB_SetCompleted(lf);
return(0);
}
-
+
merror(SK_INV_MSG, ARGV0);
return(0);
}
{
lf->data = NULL;
}
-
-
+
+
/* Checking if file is supposed to be ignored */
if(Config.syscheck_ignore)
{
char **ff_ig = Config.syscheck_ignore;
-
+
while(*ff_ig)
{
if(strncasecmp(*ff_ig, f_name, strlen(*ff_ig)) == 0)
lf->data = NULL;
return(0);
}
-
+
ff_ig++;
}
}
-
-
+
+
/* Checksum is at the beginning of the log */
c_sum = lf->log;
-
-
+
+
/* Searching for file changes */
return(DB_Search(f_name, c_sum, lf));
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/dodiff.c, 2012/07/23 dcid Exp $
+ */
/* Copyright (C) 2010 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
dirrule = strrchr(file, '/');
if(!dirrule)
{
- merror("%s: ERROR: Invalid file name to diff: %s",
+ merror("%s: ERROR: Invalid file name to diff: %s",
ARGV0, file);
return(0);
}
currently_rule->last_events[0] = NULL;
+
if(lf->hostname[0] == '(')
{
htpt = strchr(lf->hostname, ')');
{
*htpt = '\0';
}
- snprintf(flastfile, OS_SIZE_2048, "%s/%s/%d/%s", DIFF_DIR, lf->hostname+1,
- currently_rule->sigid, DIFF_LAST_FILE);
+ snprintf(flastfile, OS_SIZE_2048, "%s/%s/%d/%s", DIFF_DIR, lf->hostname+1,
+ currently_rule->sigid, DIFF_LAST_FILE);
if(htpt)
{
}
else
{
- snprintf(flastfile, OS_SIZE_2048, "%s/%s/%d/%s", DIFF_DIR, lf->hostname,
+ snprintf(flastfile, OS_SIZE_2048, "%s/%s/%d/%s", DIFF_DIR, lf->hostname,
currently_rule->sigid, DIFF_LAST_FILE);
}
date_of_change = File_DateofChange(flastfile);
if(date_of_change <= 0)
{
- merror("last file: %s",flastfile);
if(!_add2last(lf->log, lf->size, flastfile))
{
merror("%s: ERROR: unable to create last file: %s", ARGV0, flastfile);
{
*htpt = '\0';
}
- snprintf(fdifffile, OS_SIZE_2048, "%s/%s/%d/state.%d", DIFF_DIR, lf->hostname+1,
- currently_rule->sigid, date_of_change);
+ snprintf(fdifffile, OS_SIZE_2048, "%s/%s/%d/state.%d", DIFF_DIR, lf->hostname+1,
+ currently_rule->sigid, date_of_change);
if(htpt)
{
}
else
{
- snprintf(fdifffile, OS_SIZE_2048, "%s/%s/%d/state.%d", DIFF_DIR, lf->hostname,
+ snprintf(fdifffile, OS_SIZE_2048, "%s/%s/%d/state.%d", DIFF_DIR, lf->hostname,
currently_rule->sigid, date_of_change);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/eventinfo.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* Part of the OSSEC.
* Available at http://www.ossec.net
*/
-
+
#include "config.h"
Eventinfo *lf;
Eventinfo *first_lf;
OSListNode *lf_node;
-
-
+
+
/* Setting frequency to 0 */
currently_rule->__frequency = 0;
return(NULL);
}
first_lf = (Eventinfo *)lf_node->data;
-
+
do
{
lf = (Eventinfo *)lf_node->data;
-
+
/* If time is outside the timeframe, return */
if((c_time - lf->time) > currently_rule->timeframe)
{
/* Checking if the number of matches worked */
- if(currently_rule->__frequency < currently_rule->frequency)
+ if(currently_rule->__frequency <= 10)
{
- if(currently_rule->__frequency <= 10)
- {
- currently_rule->last_events[currently_rule->__frequency]
- = lf->full_log;
- currently_rule->last_events[currently_rule->__frequency+1]
- = NULL;
- }
+ currently_rule->last_events[currently_rule->__frequency]
+ = lf->full_log;
+ currently_rule->last_events[currently_rule->__frequency+1]
+ = NULL;
+ }
+ if(currently_rule->__frequency < currently_rule->frequency)
+ {
currently_rule->__frequency++;
continue;
}
+ currently_rule->__frequency++;
/* If reached here, we matched */
}
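Review bot: The reordered block now records the event that completes the match in `last_events[__frequency]` and writes the NULL terminator at `__frequency+1` on that iteration too, while the bound stays the literal `<= 10`; that is only safe if `last_events` has at least 12 slots (its declaration is not in the hunk), and a named constant such as `enum { MAX_LAST_EVENTS = 10 };` used in the guard would make that dependence visible. The sibling loop later in this diff (the second `Checking if the number of matches worked` block, in Search_LastEvents) keeps the old shape where the store only happens while `__frequency < currently_rule->frequency`, so the two lookups now disagree on whether the triggering event lands in `last_events`; if that is intended a one-line comment saying so would help, otherwise the same change belongs there. The enclosing function starts and ends outside the hunk.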
-/* Search LastEvents.
+/* Search LastEvents.
* Will look if any of the last events (inside the timeframe)
- * match the specified rule.
+ * match the specified rule.
*/
Eventinfo *Search_LastEvents(Eventinfo *my_lf, RuleInfo *currently_rule)
{
EventNode *eventnode_pt;
Eventinfo *lf;
Eventinfo *first_lf;
-
+
merror("XXXX : remove me!");
/* Nothing found */
return(NULL);
}
-
+
/* Setting frequency to 0 */
currently_rule->__frequency = 0;
first_lf = (Eventinfo *)eventnode_pt->event;
-
-
+
+
/* Searching all previous events */
do
{
lf = eventnode_pt->event;
-
+
/* If time is outside the timeframe, return */
if((c_time - lf->time) > currently_rule->timeframe)
{
}
- /* We avoid multiple triggers for the same rule
+ /* We avoid multiple triggers for the same rule
* or rules with a lower level.
*/
else if(lf->matched >= currently_rule->level)
{
return(NULL);
}
-
-
+
+
/* The category must be the same */
else if(lf->decoder_info->type != my_lf->decoder_info->type)
{
- continue;
+ continue;
}
-
-
+
+
/* If regex does not match, go to next */
if(currently_rule->if_matched_regex)
{
{
if((!lf->dstuser)||(!my_lf->dstuser))
continue;
-
+
if(strcmp(lf->dstuser,my_lf->dstuser) != 0)
continue;
}
-
+
/* Checking for same id */
if(currently_rule->context_opts & SAME_ID)
{
if((!lf->id) || (!my_lf->id))
continue;
-
+
if(strcmp(lf->id,my_lf->id) != 0)
- continue;
+ continue;
}
-
+
/* Checking for repetitions from same src_ip */
if(currently_rule->context_opts & SAME_SRCIP)
{
if((!lf->srcip)||(!my_lf->srcip))
continue;
-
+
if(strcmp(lf->srcip,my_lf->srcip) != 0)
continue;
}
}
}
-
- /* Checking if the number of matches worked */
+
+ /* Checking if the number of matches worked */
if(currently_rule->__frequency < currently_rule->frequency)
{
if(currently_rule->__frequency <= 10)
{
- currently_rule->last_events[currently_rule->__frequency]
+ currently_rule->last_events[currently_rule->__frequency]
= lf->full_log;
- currently_rule->last_events[currently_rule->__frequency+1]
+ currently_rule->last_events[currently_rule->__frequency+1]
= NULL;
}
-
+
currently_rule->__frequency++;
continue;
}
-
-
+
+
/* If reached here, we matched */
my_lf->matched = currently_rule->level;
lf->matched = currently_rule->level;
first_lf->matched = currently_rule->level;
-
- return(lf);
-
+
+ return(lf);
+
}while((eventnode_pt = eventnode_pt->next) != NULL);
-
+
return(NULL);
}
lf->time = 0;
lf->matched = 0;
-
+
lf->year = 0;
lf->mon[3] = '\0';
lf->hour[9] = '\0';
#ifdef PRELUDE
lf->filename = NULL;
- lf->perm_before = 0;
- lf->perm_after = 0;
- lf->md5_before = NULL;
- lf->md5_after = NULL;
- lf->sha1_before = NULL;
- lf->sha1_after = NULL;
- lf->size_before = NULL;
- lf->size_after = NULL;
- lf->owner_before = NULL;
- lf->owner_after = NULL;
- lf->gowner_before = NULL;
- lf->gowner_after = NULL;
+ lf->perm_before = 0;
+ lf->perm_after = 0;
+ lf->md5_before = NULL;
+ lf->md5_after = NULL;
+ lf->sha1_before = NULL;
+ lf->sha1_after = NULL;
+ lf->size_before = NULL;
+ lf->size_after = NULL;
+ lf->owner_before = NULL;
+ lf->owner_after = NULL;
+ lf->gowner_before = NULL;
+ lf->gowner_after = NULL;
#endif
return;
merror("%s: Trying to free NULL event. Inconsistent..",ARGV0);
return;
}
-
+
if(lf->full_log)
- free(lf->full_log);
+ free(lf->full_log);
if(lf->location)
- free(lf->location);
+ free(lf->location);
if(lf->srcip)
free(lf->srcip);
if(lf->protocol)
free(lf->protocol);
if(lf->action)
- free(lf->action);
+ free(lf->action);
if(lf->status)
free(lf->status);
if(lf->srcuser)
free(lf->srcuser);
if(lf->dstuser)
- free(lf->dstuser);
+ free(lf->dstuser);
if(lf->id)
free(lf->id);
if(lf->command)
free(lf->url);
if(lf->data)
- free(lf->data);
+ free(lf->data);
if(lf->systemname)
- free(lf->systemname);
+ free(lf->systemname);
#ifdef PRELUDE
if(lf->filename)
free(lf->filename);
if (lf->md5_before)
- free(lf->md5_before);
+ free(lf->md5_before);
if (lf->md5_after)
- free(lf->md5_after);
+ free(lf->md5_after);
if (lf->sha1_before)
- free(lf->sha1_before);
+ free(lf->sha1_before);
if (lf->sha1_after)
- free(lf->sha1_after);
+ free(lf->sha1_after);
if (lf->size_before)
- free(lf->size_before);
+ free(lf->size_before);
if (lf->size_after)
- free(lf->size_after);
+ free(lf->size_after);
if (lf->owner_before)
- free(lf->owner_before);
+ free(lf->owner_before);
if (lf->owner_after)
- free(lf->owner_after);
+ free(lf->owner_after);
if (lf->gowner_before)
- free(lf->gowner_before);
+ free(lf->gowner_before);
if (lf->gowner_after)
- free(lf->gowner_after);
+ free(lf->gowner_after);
#endif
/* Freeing node to delete */
if(lf->sid_node_to_delete)
{
- OSList_DeleteThisNode(lf->generated_rule->sid_prev_matched,
+ OSList_DeleteThisNode(lf->generated_rule->sid_prev_matched,
lf->sid_node_to_delete);
}
else if(lf->generated_rule && lf->generated_rule->group_prev_matched)
{
OSList_DeleteOldestNode(lf->generated_rule->group_prev_matched[i]);
i++;
- }
+ }
}
-
+
/* We dont need to free:
* fts
* comment
*/
free(lf);
- lf = NULL;
-
+ lf = NULL;
+
return;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/eventinfo.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/* Other internal variables */
short int matched;
-
+
int time;
int day;
int year;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/eventinfo_list.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-#include "shared.h"
+#include "shared.h"
#include "eventinfo.h"
{
EventNode *eventnode_pt = eventnode;
- return(eventnode_pt);
+ return(eventnode_pt);
}
/* Add an event to the list -- always to the begining */
void OS_AddEvent(Eventinfo *lf)
{
EventNode *tmp_node = eventnode;
-
+
if(tmp_node)
{
EventNode *new_node;
new_node = (EventNode *)calloc(1,sizeof(EventNode));
-
+
if(new_node == NULL)
{
ErrorExit(MEM_ERROR,ARGV0);
}
- /* Always adding to the beginning of the list
+ /* Always adding to the beginning of the list
* The new node will become the first node and
* new_node->next will be the previous first node
*/
new_node->next = tmp_node;
new_node->prev = NULL;
tmp_node->prev = new_node;
-
+
eventnode = new_node;
/* Adding the event to the node */
new_node->event = lf;
_memoryused++;
-
+
/* Need to remove the last nodes */
if(_memoryused > _memorymaxsize)
{
int i = 0;
EventNode *oldlast;
-
- /* Remove at least the last 10 events
+
+ /* Remove at least the last 10 events
* or the events that will not match anymore
* (higher than max frequency)
*/
}
}
}
-
+
else
{
/* Adding first node */
eventnode->prev = NULL;
eventnode->next = NULL;
eventnode->event = lf;
-
- lastnode = eventnode;
+
+ lastnode = eventnode;
}
return;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/fts.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-/* First time seen functions
+/* First time seen functions
*/
char _line[OS_FLSIZE + 1];
_line[OS_FLSIZE] = '\0';
-
-
+
+
fts_list = OSList_Create();
if(!fts_list)
{
merror(LIST_ERROR, ARGV0);
return(0);
}
-
+
/* Getting default list size */
fts_list_size = getDefine_Int("analysisd",
fts_minsize_for_str = getDefine_Int("analysisd",
"fts_min_size_for_str",
6, 128);
-
+
if(!OSList_SetMaxSize(fts_list, fts_list_size))
{
merror(LIST_SIZE_ERROR, ARGV0);
fp_list = fopen(FTS_QUEUE, "w+");
if(fp_list)
fclose(fp_list);
-
+
+ chmod(FTS_QUEUE, 0640);
+
+ int uid = Privsep_GetUser(USER);
+ int gid = Privsep_GetGroup(GROUPGLOBAL);
+ if(uid>=0 && gid>=0)
+ chown(FTS_QUEUE, uid, gid);
+
fp_list = fopen(FTS_QUEUE, "r+");
if(!fp_list)
{
}
}
-
+
/* Creating ignore list */
fp_ignore = fopen(IG_QUEUE, "r+");
if(!fp_ignore)
fp_ignore = fopen(IG_QUEUE, "w+");
if(fp_ignore)
fclose(fp_ignore);
-
+
+ chmod(IG_QUEUE, 0640);
+
+ int uid = Privsep_GetUser(USER);
+ int gid = Privsep_GetGroup(GROUPGLOBAL);
+ if(uid>=0 && gid>=0)
+ chown(IG_QUEUE, uid, gid);
+
fp_ignore = fopen(IG_QUEUE, "r+");
if(!fp_ignore)
{
}
debug1("%s: DEBUG: FTSInit completed.", ARGV0);
-
+
return(1);
}
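Review bot: The `chmod` and `chown` calls added after `FTS_QUEUE` is created ignore their return values, so if either fails the freshly created queue keeps whatever mode `fopen("w+")` and the umask produced and nothing is logged; the identical block added for `IG_QUEUE` later in this hunk has the same gap. Because the file is created by `fopen` first and tightened afterwards there is also a short window with the default mode; creating it with a restrictive umask, or via `open(path, O_WRONLY|O_CREAT, 0640)`, would close that. The two copies would read better as one static helper that reports failures, which also keeps the `Privsep_GetUser`/`Privsep_GetGroup` lookups in one place. FTSInit's body starts outside the hunk.
```c
/* Restrict a newly created queue file to the ossec user/group.
 * Failures are logged but not fatal: FTSInit still opens the file. */
static void fts_restrict_queue(const char *path)
{
    int uid = Privsep_GetUser(USER);
    int gid = Privsep_GetGroup(GROUPGLOBAL);

    if(chmod(path, 0640) < 0)
        merror("%s: Unable to chmod '%s'.", ARGV0, path);
    if(uid >= 0 && gid >= 0 && chown(path, uid, gid) < 0)
        merror("%s: Unable to chown '%s'.", ARGV0, path);
}

/* … unchanged: FTSInit up to the creation of FTS_QUEUE … */
    if(fp_list)
        fclose(fp_list);
    fts_restrict_queue(FTS_QUEUE);
/* … unchanged: reopen of FTS_QUEUE, creation of IG_QUEUE … */
    fts_restrict_queue(IG_QUEUE);
```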
*/
void AddtoIGnore(Eventinfo *lf)
{
- fseek(fp_ignore, 0, SEEK_END);
+ fseek(fp_ignore, 0, SEEK_END);
#ifdef TESTRULE
return;
#endif
-
+
/* Assigning the values to the FTS */
fprintf(fp_ignore, "%s %s %s %s %s %s %s %s\n",
(lf->decoder_info->name && (lf->generated_rule->ignore & FTS_NAME))?
(lf->dstip && (lf->generated_rule->ignore & FTS_DSTIP))?
lf->dstip:"",
(lf->data && (lf->generated_rule->ignore & FTS_DATA))?
- lf->data:"",
+ lf->data:"",
(lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
- lf->systemname:"",
+ lf->systemname:"",
(lf->generated_rule->ignore & FTS_LOCATION)?lf->location:"");
fflush(fp_ignore);
(lf->data && (lf->generated_rule->ignore & FTS_DATA))?
lf->data:"",
(lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
- lf->systemname:"",
+ lf->systemname:"",
(lf->generated_rule->ckignore & FTS_LOCATION)?lf->location:"");
_fline[OS_FLSIZE] = '\0';
/* FTS v0.1
* Check if the word "msg" is present on the "queue".
* If it is not, write it there.
- */
+ */
int FTS(Eventinfo *lf)
{
int number_of_matches = 0;
char _line[OS_FLSIZE + 1];
-
+
char *line_for_list = NULL;
OSListNode *fts_node;
if(OSHash_Get(fts_store, _line))
{
return(0);
- }
+ }
+
-
/* Checking if from the last FTS events, we had
* at least 3 "similars" before. If yes, we just
* ignore it.
fts_node = OSList_GetLastNode(fts_list);
while(fts_node)
{
- if(OS_StrHowClosedMatch((char *)fts_node->data, _line) >
+ if(OS_StrHowClosedMatch((char *)fts_node->data, _line) >
fts_minsize_for_str)
{
number_of_matches++;
os_strdup(_line, line_for_list);
OSList_AddData(fts_list, line_for_list);
}
-
-
+
+
/* Storing new entry */
if(line_for_list == NULL)
{
return(0);
}
-
+
#ifdef TESTRULE
return(1);
#endif
-
-
+
+
/* Saving to fts fp */
fseek(fp_list, 0, SEEK_END);
fprintf(fp_list,"%s\n", _line);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/fts.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/lists.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 3) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
void Lists_OP_CreateLists()
{
OS_CreateListsList();
- return;
+ return;
}
int Lists_OP_LoadList(char * listfile)
/* XXX Jeremy: I hate this. I think I'm missing something dumb here */
char *holder;
char a_filename[OS_MAXSTR];
- a_filename[OS_MAXSTR - 2] = '\0';
char b_filename[OS_MAXSTR];
+ ListNode *tmp_listnode_pt = NULL;
+
+ a_filename[OS_MAXSTR - 2] = '\0';
b_filename[OS_MAXSTR - 2] = '\0';
- ListNode *tmp_listnode_pt = NULL;
tmp_listnode_pt = (ListNode *)calloc(1,sizeof(ListNode));
- debug1("crated new listnode for %s\n", listfile);
if (tmp_listnode_pt == NULL)
ErrorExit(MEM_ERROR,ARGV0);
snprintf(a_filename, OS_MAXSTR-1, "%s", listfile);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/lists.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/lists_list.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#include "shared.h"
#include "rules.h"
#include "cdb/cdb.h"
ListNode *global_listnode;
ListRule *global_listrule;
-/*
+/*
*/
ListNode *_OS_AddList(ListNode *new_listnode);
ListNode *OS_GetFirstList()
{
ListNode *listnode_pt = global_listnode;
-
- return(listnode_pt);
+
+ return(listnode_pt);
}
ListRule *OS_GetFirstListRule()
{
- ListRule *listrule_pt = global_listrule;
- return listrule_pt;
+ ListRule *listrule_pt = global_listrule;
+ return listrule_pt;
}
void OS_ListLoadRules()
ListRule *_OS_AddListRule(ListRule *new_listrule)
{
-
+
if(global_listrule == NULL)
{
global_listrule = new_listrule;
- }
- else
+ }
+ else
{
ListRule *last_list_rule = global_listrule;
while(last_list_rule->next != NULL)
{
- last_list_rule = last_list_rule->next;
+ last_list_rule = last_list_rule->next;
}
- last_list_rule->next = new_listrule;
+ last_list_rule->next = new_listrule;
}
return(global_listrule);
}
last_list_node = last_list_node->next;
}
last_list_node->next = new_listnode;
-
+
}
return(global_listnode);
}
do
{
if (strcmp(last_list_node->txt_filename, listname) == 0 ||
- strcmp(last_list_node->cdb_filename, listname) == 0)
+ strcmp(last_list_node->cdb_filename, listname) == 0)
{
/* Found first match returning */
return(last_list_node);
}
return(NULL);
}
-
+
ListNode *OS_FindList(char *listname)
{
ListNode *matched = NULL;
return matched;
}
-ListRule *OS_AddListRule(ListRule *first_rule_list,
- int lookup_type,
- int field,
+ListRule *OS_AddListRule(ListRule *first_rule_list,
+ int lookup_type,
+ int field,
char *listname,
OSMatch *matcher)
{
new_rulelist_pt->field = field;
new_rulelist_pt->next = NULL;
new_rulelist_pt->matcher = matcher;
- new_rulelist_pt->lookup_type = lookup_type;
+ new_rulelist_pt->lookup_type = lookup_type;
new_rulelist_pt->filename = listname;
if((new_rulelist_pt->db = OS_FindList(listname)) == NULL)
new_rulelist_pt->loaded = 0;
cdb_read(&lrule->db->cdb, val, vlen, vpos);
result = OSMatch_Execute(val, vlen, lrule->matcher);
free(val);
- return result;
+ return result;
} else {
return 0;
}
- }
+ }
return 0;
}
{
if(_OS_CDBOpen(lrule->db) == -1) return -1;
if( cdb_find(&lrule->db->cdb, key, strlen(key)) > 0 ) return 1;
- }
+ }
return 0;
}
{
if(_OS_CDBOpen(lrule->db) == -1) return -1;
//snprintf(_ip,128,"%s",key);
- //XXX Breka apart string on the . boundtrys a loop over to longest match.
+ //XXX Breka apart string on the . boundtrys a loop over to longest match.
if( cdb_find(&lrule->db->cdb, key, strlen(key)) > 0 ) {
return 1;
}
- else
+ else
{
char *tmpkey;
os_strdup(key, tmpkey);
if( cdb_find(&lrule->db->cdb, tmpkey, strlen(tmpkey)) > 0 ) {
free(tmpkey);
return 1;
- }
+ }
}
tmpkey[strlen(tmpkey) - 1] = '\0';
}
free(tmpkey);
}
- }
+ }
return 0;
}
int OS_DBSearch(ListRule *lrule, char *key)
{
- //XXX - god damn hack!!! Jeremy Rossi
+ //XXX - god damn hack!!! Jeremy Rossi
if (lrule->loaded == 0)
{
lrule->db = OS_FindList(lrule->filename);
//debug1("LR_STRING_MATCH");
if(OS_DBSeachKey(lrule, key) == 1)
return 1;
- else
+ else
return 0;
break;
case LR_STRING_NOT_MATCH:
else
return 0;
break;
- case LR_ADDRESS_MATCH_VALUE:
+ case LR_ADDRESS_MATCH_VALUE:
//debug1("LR_ADDRESS_MATCH_VALUE");
- // XXX TODO
- return 0;
+ // XXX TODO
+ return 0;
break;
default:
debug1("lists_list.c::OS_DBSearch should never hit default");
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/lists_make.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
str[OS_MAXSTR]= '\0';
char tmp_filename[OS_MAXSTR];
- tmp_filename[OS_MAXSTR - 2] = '\0';
+ tmp_filename[OS_MAXSTR - 2] = '\0';
snprintf(tmp_filename, OS_MAXSTR - 2, "%s.tmp", txt_filename);
/*
}
while((fgets(str, OS_MAXSTR-1,txt_fd)) != NULL)
{
- /* Removing new lines or carriage returns. */
- tmp_str = strchr(str, '\r');
- if(tmp_str)
- *tmp_str = '\0';
- tmp_str = strchr(str, '\n');
- if(tmp_str)
- *tmp_str = '\0';
+ /* Removing new lines or carriage returns. */
+ tmp_str = strchr(str, '\r');
+ if(tmp_str)
+ *tmp_str = '\0';
+ tmp_str = strchr(str, '\n');
+ if(tmp_str)
+ *tmp_str = '\0';
if((val = strchr(str, ':')))
{
*val = '\0';
val++;
}
else
- {
+ {
continue;
}
key = str;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/lists_make.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/makelists.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2010 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* Part of the OSSEC
* Available at http://www.ossec.net
*/
-
+
/* ossec-analysisd.
* Responsible for correlation and log decoding.
*/
-#ifdef ARGV0
- #undef ARGV0
+#ifdef ARGV0
+ #undef ARGV0
#define ARGV0 "ossec-testrule"
#endif
/* Found user */
debug1(FOUND_USER, ARGV0);
-
+
/* Reading configuration file */
if(GlobalConf(cfg) < 0)
{
}
debug1(READ_CONFIG, ARGV0);
-
+
/* Setting the group */
if(Privsep_SetGroup(gid) < 0)
ErrorExit(SETGID_ERROR,ARGV0,group);
ErrorExit(CHROOT_ERROR,ARGV0,dir);
nowChroot();
-
-
+
+
/* Createing the lists for use in rules */
Lists_OP_CreateLists();
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/picviz.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Sebastien Tricaud
* Copyright (C) 2009 Trend Micro Inc.
if(!picviz_fp)
{
merror("%s: Unable to open picviz socket file '%s'.",
- ARGV0, socket);
+ ARGV0, socket);
}
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/picviz.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Sebastien Tricaud
* Copyright (C) 2009 Trend Micro Inc.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/prelude.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
"low","low","low","low",
"medium", "medium", "medium", "medium",
"high", "high", "high", "high", "high"};
-
+
/* Prelude client */
static prelude_client_t *prelude_client;
-static int
+static int
add_idmef_object(idmef_message_t *msg, const char *object, const char *value)
{
int ret = 0;
}
ret = idmef_value_new_from_path(&val, path, value);
- if(ret < 0)
+ if(ret < 0)
{
idmef_path_destroy(path);
return(-1);
}
ret = idmef_path_set(path, msg, val);
- if(ret < 0)
+ if(ret < 0)
{
- merror("%s: OSSEC2Prelude: IDMEF: Cannot add object '%s': %s.",
+ merror("%s: OSSEC2Prelude: IDMEF: Cannot add object '%s': %s.",
ARGV0, object, prelude_strerror(ret));
}
ret = prelude_init(&argc, argv);
- if (ret < 0)
+ if (ret < 0)
{
merror("%s: %s: Unable to initialize the Prelude library: %s.",
ARGV0, prelude_strsource(ret), prelude_strerror(ret));
return;
}
- ret = prelude_client_new(&prelude_client,
+ ret = prelude_client_new(&prelude_client,
profile!=NULL?profile:DEFAULT_ANALYZER_NAME);
- if (!prelude_client)
+ if (!prelude_client)
{
merror("%s: %s: Unable to create a prelude client object: %s.",
ARGV0, prelude_strsource(ret), prelude_strerror(ret));
ret = setup_analyzer(prelude_client_get_analyzer(prelude_client));
- if(ret < 0)
+ if(ret < 0)
{
merror("%s: %s: Unable to setup analyzer: %s",
ARGV0, prelude_strsource(ret), prelude_strerror(ret));
- prelude_client_destroy(prelude_client,
+ prelude_client_destroy(prelude_client,
PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
return;
}
- ret = prelude_client_set_flags(prelude_client,
- prelude_client_get_flags(prelude_client)
+ ret = prelude_client_set_flags(prelude_client,
+ prelude_client_get_flags(prelude_client)
| PRELUDE_CLIENT_FLAGS_ASYNC_TIMER);
if(ret < 0)
{
merror("%s: %s: Unable to set prelude client flags: %s.",
- ARGV0, prelude_strsource(ret), prelude_strerror(ret));
+ ARGV0, prelude_strsource(ret), prelude_strerror(ret));
}
ret = prelude_client_start(prelude_client);
- if (ret < 0)
+ if (ret < 0)
{
merror("%s: %s: Unable to initialize prelude client: %s.",
ARGV0, prelude_strsource(ret), prelude_strerror(ret));
- prelude_client_destroy(prelude_client,
+ prelude_client_destroy(prelude_client,
PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
return;
}
-void FileAccess_PreludeLog(idmef_message_t *idmef,
- int filenum,
- char *filename,
- char *md5,
- char *sha1,
- char *owner,
- char *gowner,
+void FileAccess_PreludeLog(idmef_message_t *idmef,
+ int filenum,
+ char *filename,
+ char *md5,
+ char *sha1,
+ char *owner,
+ char *gowner,
int perm) {
int _checksum_counter = 0;
return;
}
-
+
/* Add the hashs */
if (md5) {
snprintf(_prelude_section,128,"alert.target(0).file(%d).checksum(%d).algorithm",filenum, _checksum_counter);
add_idmef_object(idmef, _prelude_section,owner);
snprintf(_prelude_section,128,"alert.target(0).file(%d).File_Access(%d).user_id.type",filenum,FILE_USER);
add_idmef_object(idmef, _prelude_section, "user-privs");
- }
+ }
/*add the group owner */
if (gowner) {
debug1("%s: DEBUG: gowner = %s.", ARGV0, gowner);
idmef_message_t *idmef;
RuleInfoDetail *last_info_detail;
-
+
/* Generate prelude alert */
ret = idmef_message_new(&idmef);
if ( ret < 0 ) {
return;
}
-
- add_idmef_object(idmef, "alert.assessment.impact.description",
+
+ add_idmef_object(idmef, "alert.assessment.impact.description",
lf->generated_rule->comment);
- add_idmef_object(idmef, "alert.assessment.impact.severity",
- (lf->generated_rule->level > 15) ? "high":
+ add_idmef_object(idmef, "alert.assessment.impact.severity",
+ (lf->generated_rule->level > 15) ? "high":
ossec2prelude_sev[lf->generated_rule->level]);
-
+
add_idmef_object(idmef, "alert.assessment.impact.completion", "succeeded");
if (lf->action)
case 'T':
snprintf(_prelude_data,256,"CLOSED: %s", lf->action);
break;
- /* allow, accept, */
+ /* allow, accept, */
case 'a':
case 'A':
/* pass/permitted */
case 'P':
/* open */
case 'o':
- case 'O':
+ case 'O':
snprintf(_prelude_data,256,"ALLOW: %s", lf->action);
break;
default:
/* Begin Classification Infomations */
{
- add_idmef_object(idmef, "alert.classification.text",
+ add_idmef_object(idmef, "alert.classification.text",
lf->generated_rule->comment);
}
/* Rule sid is used to create a link to the rule on the OSSEC wiki */
- if(lf->generated_rule->sigid)
+ if(lf->generated_rule->sigid)
{
snprintf(_prelude_section,128,"alert.classification.reference(%d).origin",
classification_counter);
classification_counter);
snprintf(_prelude_data, 256,"http://www.ossec.net/wiki/Rule:%d",
lf->generated_rule->sigid);
- add_idmef_object(idmef, _prelude_section, _prelude_data);
+ add_idmef_object(idmef, _prelude_section, _prelude_data);
classification_counter++;
}
/* Extended Info Details */
- for (last_info_detail = lf->generated_rule->info_details;
- last_info_detail != NULL;
+ for (last_info_detail = lf->generated_rule->info_details;
+ last_info_detail != NULL;
last_info_detail = last_info_detail->next)
{
- if (last_info_detail->type == RULEINFODETAIL_LINK)
+ if (last_info_detail->type == RULEINFODETAIL_LINK)
{
snprintf(_prelude_section,128,"alert.classification.reference(%d).origin",
classification_counter);
add_idmef_object(idmef, _prelude_section, _prelude_data);
snprintf(_prelude_section,128,"alert.classification.reference(%d).url",
classification_counter);
- add_idmef_object(idmef, _prelude_section, last_info_detail->data);
+ add_idmef_object(idmef, _prelude_section, last_info_detail->data);
classification_counter++;
- }
+ }
else if(last_info_detail->type == RULEINFODETAIL_TEXT)
{
snprintf(_prelude_section,128,"alert.classification.reference(%d).origin",
classification_counter);
add_idmef_object(idmef, _prelude_section, "vendor-specific");
-
+
snprintf(_prelude_section,128,"alert.classification.reference(%d).name",
classification_counter);
snprintf(_prelude_data,256,"Rule:%d info",lf->generated_rule->sigid);
{
snprintf(_prelude_section,128,"alert.classification.reference(%d).origin",
classification_counter);
- switch(last_info_detail->type)
+ switch(last_info_detail->type)
{
case RULEINFODETAIL_CVE:
add_idmef_object(idmef, _prelude_section, "cve");
}
- /* Break ok the list of groups on the "," boundry
+ /* Break ok the list of groups on the "," boundry
* For each section create a prelude reference classification
- * that points back to the the OSSEC wiki for more infomation.
+ * that points back to the the OSSEC wiki for more infomation.
*/
- if(lf->generated_rule->group)
+ if(lf->generated_rule->group)
{
char *copy_group;
char new_generated_rule_group[256];
classification_counter);
snprintf(_prelude_data,256,"http://www.ossec.net/wiki/Group:%s",
copy_group);
- add_idmef_object(idmef, _prelude_section, _prelude_data);
+ add_idmef_object(idmef, _prelude_section, _prelude_data);
classification_counter++;
copy_group = strtok(NULL, ",");
/* Begin Node infomation block */
- {
+ {
/* Setting source info. */
add_idmef_object(idmef, "alert.source(0).Spoofed", "no");
- add_idmef_object(idmef, "alert.source(0).Node.Address(0).address",
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address",
lf->srcip);
add_idmef_object(idmef, "alert.source(0).Service.port", lf->srcport);
{
add_idmef_object(idmef, "alert.source(0).User.UserId(0).name", lf->srcuser);
}
-
+
/* Setting target */
add_idmef_object(idmef, "alert.target(0).Service.name", lf->program_name);
add_idmef_object(idmef, "alert.target(0).Spoofed", "no");
- if(lf->dstip)
+ if(lf->dstip)
{
- add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",
lf->dstip);
}
else
{
*tmp_str = '\0';
}
- add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",
new_prelude_target);
}
add_idmef_object(idmef, "alert.target(0).Service.name", lf->hostname);
add_idmef_object(idmef, "alert.target(0).User.UserId(0).name", lf->dstuser);
}
} /* end Node infomation block */
-
+
/* Setting source file. */
add_idmef_object(idmef, "alert.additional_data(0).type", "string");
add_idmef_object(idmef, "alert.additional_data(0).meaning", "Source file");
add_idmef_object(idmef, "alert.additional_data(0).data", lf->location);
additional_data_counter++;
-
+
/* Setting full log. */
add_idmef_object(idmef, "alert.additional_data(1).type", "string");
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/rules.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* Internal functions */
-int getattributes(char **attributes,
+int getattributes(char **attributes,
char **values,
- int *id, int *level,
+ int *id, int *level,
int *maxsize, int *timeframe,
- int *frequency, int *accuracy,
+ int *frequency, int *accuracy,
int *noalert, int *ignore_time, int *overwrite);
/* Rules_OP_ReadRules, v0.3, 2005/03/21
* Read the log rules.
* v0.3: Fixed many memory problems.
- */
+ */
int Rules_OP_ReadRules(char * rulefile)
{
OS_XML xml;
XML_NODE node = NULL;
- /* XML variables */
+ /* XML variables */
/* These are the available options for the rule configuration */
-
+
char *xml_group = "group";
char *xml_rule = "rule";
char *xml_comment = "description";
char *xml_ignore = "ignore";
char *xml_check_if_ignored = "check_if_ignored";
-
+
char *xml_srcip = "srcip";
char *xml_srcport = "srcport";
char *xml_dstip = "dstip";
char *xml_match_key_value = "match_key_value";
char *xml_address_key = "address_match_key";
char *xml_not_address_key = "not_address_match_key";
- char *xml_address_key_value = "address_match_key_value";
+ char *xml_address_key_value = "address_match_key_value";
char *xml_if_sid = "if_sid";
char *xml_if_group = "if_group";
char *xml_if_level = "if_level";
char *xml_fts = "if_fts";
-
+
char *xml_if_matched_regex = "if_matched_regex";
char *xml_if_matched_group = "if_matched_group";
char *xml_if_matched_sid = "if_matched_sid";
-
+
char *xml_same_source_ip = "same_source_ip";
char *xml_same_src_port = "same_src_port";
char *xml_same_dst_port = "same_dst_port";
char *xml_dodiff = "check_diff";
char *xml_different_url = "different_url";
-
+
char *xml_notsame_source_ip = "not_same_source_ip";
char *xml_notsame_user = "not_same_user";
char *xml_notsame_agent = "not_same_agent";
char *xml_notsame_id = "not_same_id";
char *xml_options = "options";
-
+
char *rulepath;
-
+
int i;
int default_timeframe = 360;
debug1("%s is the rulefile", rulefile);
debug1("Not modifing the rule path");
}
-
-
- i = 0;
-
- /* Reading the XML */
+
+
+ i = 0;
+
+ /* Reading the XML */
if(OS_ReadXML(rulepath,&xml) < 0)
{
merror(XML_ERROR, ARGV0, rulepath, xml.err, xml.err_line);
/* Debug wrapper */
debug2("%s: DEBUG: read xml for rule.", ARGV0);
-
-
+
+
/* Applying any variable found */
if(OS_ApplyVariables(&xml) != 0)
{
/* Debug wrapper */
debug2("%s: DEBUG: XML Variables applied.", ARGV0);
-
+
/* Getting the root elements */
node = OS_GetElementsbyNode(&xml,NULL);
{
merror(CONFIG_ERROR, ARGV0, rulepath);
OS_ClearXML(&xml);
- return(-1);
+ return(-1);
}
}
- /* Getting the rules now */
+ /* Getting the rules now */
i=0;
while(node[i])
{
int j = 0;
- /* Getting all rules for a global group */
+ /* Getting all rules for a global group */
rule = OS_GetElementsbyNode(&xml,node[i]);
if(rule == NULL)
{
while(rule[j])
{
RuleInfo *config_ruleinfo = NULL;
-
+
/* Checking if the rule element is correct */
if((!rule[j]->element)||
return(-1);
}
-
+
/* Attribute block */
{
int id = -1,level = -1,maxsize = 0,timeframe = 0;
int frequency = 0, accuracy = 1, noalert = 0, ignore_time = 0;
int overwrite = 0;
-
+
/* Getting default time frame */
timeframe = default_timeframe;
-
+
if(getattributes(rule[j]->attributes,rule[j]->values,
&id,&level,&maxsize,&timeframe,
&frequency,&accuracy,&noalert,
OS_ClearXML(&xml);
return(-1);
}
-
+
if((id == -1) || (level == -1))
{
merror("%s: No rule id or level specified for "
/* Allocating memory and initializing structure */
config_ruleinfo = zerorulemember(id, level, maxsize,
- frequency,timeframe,
+ frequency,timeframe,
noalert, ignore_time, overwrite);
-
+
/* If rule is 0, set it to level 99 to have high priority.
- * set it to 0 again later
+ * set it to 0 again later
*/
if(config_ruleinfo->level == 0)
config_ruleinfo->level = 99;
-
+
/* Each level now is going to be multiplied by 100.
* If the accuracy is set to 0 we don't multiply,
* so it will be at the end of the list. We will
config_ruleinfo->alert_opts |= DO_EXTRAINFO;
}
}
-
+
} /* end attributes/memory allocation block */
* be fine
*/
os_strdup(node[i]->values[0], config_ruleinfo->group);
-
+
/* Rule elements block */
{
char *hostname = NULL;
char *extra_data = NULL;
char *program_name = NULL;
-
+
XML_NODE rule_opt = NULL;
rule_opt = OS_GetElementsbyNode(&xml,rule[j]);
if(rule_opt == NULL)
"other problems for the system. Exiting.",
ARGV0, config_ruleinfo->sigid);
OS_ClearXML(&xml);
- return(-1);
+ return(-1);
}
-
+
while(rule_opt[k])
{
if((!rule_opt[k]->element)||(!rule_opt[k]->content))
}
else if(strcasecmp(rule_opt[k]->element, xml_decoded)==0)
{
- config_ruleinfo->decoded_as =
+ config_ruleinfo->decoded_as =
getDecoderfromlist(rule_opt[k]->content);
-
+
if(config_ruleinfo->decoded_as == 0)
{
merror("%s: Invalid decoder name: '%s'.",
ARGV0, rule_opt[k]->content);
OS_ClearXML(&xml);
- return(-1);
+ return(-1);
}
}
else if(strcasecmp(rule_opt[k]->element,xml_cve)==0)
else
{
for (last_info_detail = config_ruleinfo->info_details;
- last_info_detail->next != NULL;
+ last_info_detail->next != NULL;
last_info_detail = last_info_detail->next)
{
count_info_detail++;
if(config_ruleinfo->info_details == NULL)
{
- config_ruleinfo->info_details = zeroinfodetails(info_type,
+ config_ruleinfo->info_details = zeroinfodetails(info_type,
rule_opt[k]->content);
}
else
{
for (last_info_detail = config_ruleinfo->info_details;
- last_info_detail->next != NULL;
+ last_info_detail->next != NULL;
last_info_detail = last_info_detail->next) {
count_info_detail++;
}
}
else if(strcasecmp(rule_opt[k]->element,xml_day_time)==0)
{
- config_ruleinfo->day_time =
+ config_ruleinfo->day_time =
OS_IsValidTime(rule_opt[k]->content);
if(!config_ruleinfo->day_time)
{
}
else if(strcasecmp(rule_opt[k]->element,xml_week_day)==0)
{
- config_ruleinfo->week_day =
+ config_ruleinfo->week_day =
OS_IsValidDay(rule_opt[k]->content);
-
+
if(!config_ruleinfo->week_day)
{
merror(INVALID_CONFIG, ARGV0,
{
*newline = ' ';
}
-
+
config_ruleinfo->comment=
loadmemory(config_ruleinfo->comment,
rule_opt[k]->content);
else if(strcasecmp(rule_opt[k]->element,xml_srcip)==0)
{
int ip_s = 0;
-
+
/* Getting size of source ip list */
- while(config_ruleinfo->srcip &&
+ while(config_ruleinfo->srcip &&
config_ruleinfo->srcip[ip_s])
{
ip_s++;
}
-
- config_ruleinfo->srcip =
+
+ config_ruleinfo->srcip =
realloc(config_ruleinfo->srcip,
(ip_s + 2) * sizeof(os_ip *));
-
-
+
+
/* Allocating memory for the individual entries */
- os_calloc(1, sizeof(os_ip),
+ os_calloc(1, sizeof(os_ip),
config_ruleinfo->srcip[ip_s]);
config_ruleinfo->srcip[ip_s +1] = NULL;
-
-
+
+
/* Checking if the ip is valid */
- if(!OS_IsValidIP(rule_opt[k]->content,
+ if(!OS_IsValidIP(rule_opt[k]->content,
config_ruleinfo->srcip[ip_s]))
{
merror(INVALID_IP, ARGV0, rule_opt[k]->content);
status =
loadmemory(status,
rule_opt[k]->content);
-
+
if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
config_ruleinfo->alert_opts |= DO_EXTRAINFO;
}
hostname =
loadmemory(hostname,
rule_opt[k]->content);
-
+
if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
config_ruleinfo->alert_opts |= DO_EXTRAINFO;
}
}
else if(strcasecmp(rule_opt[k]->element,xml_action)==0)
{
- config_ruleinfo->action =
+ config_ruleinfo->action =
loadmemory(config_ruleinfo->action,
rule_opt[k]->content);
}
lookup_type = LR_ADDRESS_NOT_MATCH;
else if(strcasecmp(rule_opt[k]->values[list_att_num],xml_address_key_value)==0)
lookup_type = LR_ADDRESS_MATCH_VALUE;
- else
+ else
{
- merror(INVALID_CONFIG, ARGV0,
- rule_opt[k]->element,
+ merror(INVALID_CONFIG, ARGV0,
+ rule_opt[k]->element,
rule_opt[k]->content);
- merror("%s: List match lookup=\"%s\" is not valid.",
+ merror("%s: List match lookup=\"%s\" is not valid.",
ARGV0,rule_opt[k]->values[list_att_num]);
return(-1);
}
rule_type = RULE_STATUS;
else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_action)==0)
rule_type = RULE_ACTION;
- else
+ else
{
- merror(INVALID_CONFIG, ARGV0,
- rule_opt[k]->element,
+ merror(INVALID_CONFIG, ARGV0,
+ rule_opt[k]->element,
rule_opt[k]->content);
- merror("%s: List match field=\"%s\" is not valid.",
+ merror("%s: List match field=\"%s\" is not valid.",
ARGV0,rule_opt[k]->values[list_att_num]);
return(-1);
}
os_calloc(1, sizeof(OSMatch), matcher);
if(!OSMatch_Compile(rule_opt[k]->values[list_att_num], matcher, 0))
{
- merror(INVALID_CONFIG, ARGV0,
- rule_opt[k]->element,
+ merror(INVALID_CONFIG, ARGV0,
+ rule_opt[k]->element,
rule_opt[k]->content);
- merror(REGEX_COMPILE,
- ARGV0,
- rule_opt[k]->values[list_att_num],
+ merror(REGEX_COMPILE,
+ ARGV0,
+ rule_opt[k]->values[list_att_num],
matcher->error);
return(-1);
}
{
merror("%s:List feild=\"%s\" is not valid",ARGV0,
rule_opt[k]->values[list_att_num]);
- merror(INVALID_CONFIG, ARGV0,
+ merror(INVALID_CONFIG, ARGV0,
rule_opt[k]->element, rule_opt[k]->content);
return(-1);
}
if(rule_type == 0)
{
merror("%s:List requires the field=\"\" Attrubute",ARGV0);
- merror(INVALID_CONFIG, ARGV0,
+ merror(INVALID_CONFIG, ARGV0,
rule_opt[k]->element, rule_opt[k]->content);
return(-1);
}
/* Wow it's all ready - this seams too complex to get to this point */
config_ruleinfo->lists = OS_AddListRule(config_ruleinfo->lists,
- lookup_type,
- rule_type,
+ lookup_type,
+ rule_type,
rule_opt[k]->content,
matcher);
if (config_ruleinfo->lists == NULL)
{
merror("%s:List must have a correctly formatted feild attribute",
ARGV0);
- merror(INVALID_CONFIG,
- ARGV0,
- rule_opt[k]->element,
+ merror(INVALID_CONFIG,
+ ARGV0,
+ rule_opt[k]->element,
rule_opt[k]->content);
return(-1);
- }
+ }
/* xml_list eval is done */
}
else if(strcasecmp(rule_opt[k]->element,xml_url)==0)
while(compiled_rules_name[it_id])
{
- if(strcmp(compiled_rules_name[it_id],
+ if(strcmp(compiled_rules_name[it_id],
rule_opt[k]->content) == 0)
break;
it_id++;
/* checking if the name is valid. */
if(!compiled_rules_name[it_id])
{
- merror("%s: ERROR: Compiled rule not found: '%s'",
- ARGV0, rule_opt[k]->content);
- merror(INVALID_CONFIG, ARGV0,
+ merror("%s: ERROR: Compiled rule not found: '%s'",
+ ARGV0, rule_opt[k]->content);
+ merror(INVALID_CONFIG, ARGV0,
rule_opt[k]->element, rule_opt[k]->content);
return(-1);
{
if(!OS_StrIsNum(rule_opt[k]->content))
{
- merror(INVALID_CONFIG, ARGV0,
+ merror(INVALID_CONFIG, ARGV0,
"if_level",
- rule_opt[k]->content);
+ rule_opt[k]->content);
return(-1);
}
rule_opt[k]->content);
return(-1);
}
- config_ruleinfo->if_matched_sid =
+ config_ruleinfo->if_matched_sid =
atoi(rule_opt[k]->content);
}
xml_same_src_port)==0)
{
config_ruleinfo->context_opts|= SAME_SRCPORT;
-
+
if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
}
else if(strcasecmp(rule_opt[k]->element,
xml_dodiff)==0)
{
- config_ruleinfo->context++;
+ config_ruleinfo->context = 1;
config_ruleinfo->context_opts|= SAME_DODIFF;
if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
config_ruleinfo->alert_opts |= DO_EXTRAINFO;
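Review bot: `config_ruleinfo->context = 1;` overwrites whatever `context` already holds, and the later check `(config_ruleinfo->context == 1) && (config_ruleinfo->context_opts & SAME_DODIFF)` zeroes `context` only when check_diff looks like the sole contributor. If any other option handled elsewhere in this loop increments `context` (those branches are outside this hunk), a rule that lists `check_diff` after such an option has its count reset to 1 and that later check then disables the event search for the rule, while listing it before does not reset anything, so the outcome depends on element order. `if(config_ruleinfo->context == 0) config_ruleinfo->context = 1;` keeps the intent that check_diff alone counts once without discarding earlier contributions. The enclosing Rules_OP_ReadRules loop starts and ends outside this hunk.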
xml_same_dst_port) == 0)
{
config_ruleinfo->context_opts|= SAME_DSTPORT;
-
+
if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
}
xml_different_url) == 0)
{
config_ruleinfo->context_opts|= DIFFERENT_URL;
-
+
if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
}
xml_same_user)==0)
{
config_ruleinfo->context_opts|= SAME_USER;
-
+
if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
}
else if(strcasecmp(rule_opt[k]->element,
xml_options) == 0)
{
- if(strcmp("alert_by_email",
+ if(strcmp("alert_by_email",
rule_opt[k]->content) == 0)
{
if(!(config_ruleinfo->alert_opts & DO_MAILALERT))
config_ruleinfo->alert_opts&=0xfff-DO_MAILALERT;
}
}
- else if(strcmp("log_alert",
+ else if(strcmp("log_alert",
rule_opt[k]->content) == 0)
{
if(!(config_ruleinfo->alert_opts & DO_LOGALERT))
}
}
else
- {
+ {
merror(XML_VALUEERR, ARGV0, xml_options,
rule_opt[k]->content);
config_ruleinfo->sigid);
OS_ClearXML(&xml);
return(-1);
- }
+ }
}
else if(strcasecmp(rule_opt[k]->element,
xml_ignore) == 0)
}
if(!config_ruleinfo->ignore)
{
- merror("%s: Wrong ignore option: '%s'",
+ merror("%s: Wrong ignore option: '%s'",
ARGV0,
rule_opt[k]->content);
return(-1);
}
if(!config_ruleinfo->ckignore)
{
- merror("%s: Wrong check_if_ignored option: '%s'",
+ merror("%s: Wrong check_if_ignored option: '%s'",
ARGV0,
rule_opt[k]->content);
return(-1);
/* Checking for a valid use of frequency */
- if((config_ruleinfo->context_opts ||
+ if((config_ruleinfo->context_opts ||
config_ruleinfo->frequency) &&
!config_ruleinfo->context)
{
OS_ClearXML(&xml);
return(-1);
}
-
+
/* If if_matched_group we must have a if_sid or if_group */
if(if_matched_group)
{
if(!config_ruleinfo->if_sid && !config_ruleinfo->if_group)
{
- os_strdup(if_matched_group,
- config_ruleinfo->if_group);
+ os_strdup(if_matched_group,
+ config_ruleinfo->if_group);
}
}
/* If_matched_sid, we need to get the if_sid */
- if(config_ruleinfo->if_matched_sid &&
+ if(config_ruleinfo->if_matched_sid &&
!config_ruleinfo->if_sid &&
!config_ruleinfo->if_group)
{
os_calloc(16, sizeof(char), config_ruleinfo->if_sid);
- snprintf(config_ruleinfo->if_sid, 15, "%d",
+ snprintf(config_ruleinfo->if_sid, 15, "%d",
config_ruleinfo->if_matched_sid);
}
-
+
/* Checking the regexes */
if(regex)
{
os_calloc(1, sizeof(OSRegex), config_ruleinfo->regex);
if(!OSRegex_Compile(regex, config_ruleinfo->regex, 0))
{
- merror(REGEX_COMPILE, ARGV0, regex,
+ merror(REGEX_COMPILE, ARGV0, regex,
config_ruleinfo->regex->error);
return(-1);
}
free(regex);
regex = NULL;
}
-
+
/* Adding in match */
if(match)
{
free(match);
match = NULL;
}
-
+
/* Adding in id */
if(id)
{
os_calloc(1, sizeof(OSMatch), config_ruleinfo->id);
if(!OSMatch_Compile(id, config_ruleinfo->id, 0))
{
- merror(REGEX_COMPILE, ARGV0, id,
+ merror(REGEX_COMPILE, ARGV0, id,
config_ruleinfo->id->error);
return(-1);
}
os_calloc(1, sizeof(OSMatch), config_ruleinfo->srcport);
if(!OSMatch_Compile(srcport, config_ruleinfo->srcport, 0))
{
- merror(REGEX_COMPILE, ARGV0, srcport,
+ merror(REGEX_COMPILE, ARGV0, srcport,
config_ruleinfo->id->error);
return(-1);
}
os_calloc(1, sizeof(OSMatch), config_ruleinfo->dstport);
if(!OSMatch_Compile(dstport, config_ruleinfo->dstport, 0))
{
- merror(REGEX_COMPILE, ARGV0, dstport,
+ merror(REGEX_COMPILE, ARGV0, dstport,
config_ruleinfo->id->error);
return(-1);
}
if(extra_data)
{
os_calloc(1, sizeof(OSMatch), config_ruleinfo->extra_data);
- if(!OSMatch_Compile(extra_data,
+ if(!OSMatch_Compile(extra_data,
config_ruleinfo->extra_data, 0))
{
merror(REGEX_COMPILE, ARGV0, extra_data,
free(program_name);
program_name = NULL;
}
-
+
/* Adding in user */
if(user)
{
free(user);
user = NULL;
}
-
+
/* Adding in url */
if(url)
{
os_calloc(1, sizeof(OSMatch), config_ruleinfo->url);
if(!OSMatch_Compile(url, config_ruleinfo->url, 0))
{
- merror(REGEX_COMPILE, ARGV0, url,
+ merror(REGEX_COMPILE, ARGV0, url,
config_ruleinfo->url->error);
return(-1);
}
free(url);
url = NULL;
}
-
+
/* Adding matched_group */
if(if_matched_group)
{
- os_calloc(1, sizeof(OSMatch),
+ os_calloc(1, sizeof(OSMatch),
config_ruleinfo->if_matched_group);
-
- if(!OSMatch_Compile(if_matched_group,
+
+ if(!OSMatch_Compile(if_matched_group,
config_ruleinfo->if_matched_group,
0))
{
free(if_matched_group);
if_matched_group = NULL;
}
-
+
/* Adding matched_regex */
if(if_matched_regex)
{
- os_calloc(1, sizeof(OSRegex),
+ os_calloc(1, sizeof(OSRegex),
config_ruleinfo->if_matched_regex);
- if(!OSRegex_Compile(if_matched_regex,
+ if(!OSRegex_Compile(if_matched_regex,
config_ruleinfo->if_matched_regex, 0))
{
- merror(REGEX_COMPILE, ARGV0, if_matched_regex,
+ merror(REGEX_COMPILE, ARGV0, if_matched_regex,
config_ruleinfo->if_matched_regex->error);
return(-1);
}
if(config_ruleinfo->context)
{
int ii = 0;
- os_calloc(MAX_LAST_EVENTS + 1, sizeof(char *),
+ os_calloc(MAX_LAST_EVENTS + 1, sizeof(char *),
config_ruleinfo->last_events);
-
+
/* Zeroing each entry */
for(;ii<=MAX_LAST_EVENTS;ii++)
{
}
}
-
+
/* Adding the rule to the rules list.
* Only the template rules are supposed
* to be at the top level. All others
* will be a "child" of someone.
*/
if(config_ruleinfo->sigid < 10)
- {
+ {
OS_AddRule(config_ruleinfo);
}
else if(config_ruleinfo->alert_opts & DO_OVERWRITE)
{
- if(!OS_AddRuleInfo(NULL, config_ruleinfo,
+ if(!OS_AddRuleInfo(NULL, config_ruleinfo,
config_ruleinfo->sigid))
{
merror("%s: Overwrite rule '%d' not found.",
/* Setting the event_search pointer */
if(config_ruleinfo->if_matched_sid)
{
- config_ruleinfo->event_search =
+ config_ruleinfo->event_search =
(void *)Search_LastSids;
-
+
/* Marking rules that match this id */
- OS_MarkID(NULL, config_ruleinfo);
+ OS_MarkID(NULL, config_ruleinfo);
}
-
+
/* Marking the rules that match if_matched_group */
else if(config_ruleinfo->if_matched_group)
{
OS_MarkGroup(NULL, config_ruleinfo);
/* Setting function pointer */
- config_ruleinfo->event_search =
+ config_ruleinfo->event_search =
(void *)Search_LastGroups;
}
else if(config_ruleinfo->context)
{
- if((config_ruleinfo->context == 1) &&
+ if((config_ruleinfo->context == 1) &&
(config_ruleinfo->context_opts & SAME_DODIFF))
{
config_ruleinfo->context = 0;
}
else
{
- config_ruleinfo->event_search =
+ config_ruleinfo->event_search =
(void *)Search_LastEvents;
}
}
} /* while(rule[j]) */
OS_ClearNode(rule);
i++;
-
+
} /* while (node[i]) */
/* Cleaning global node */
int strsize = strlen(str);
int atsize = strlen(at);
int finalsize = atsize+strsize+1;
-
+
if((atsize > OS_SIZE_2048) || (strsize > OS_SIZE_2048))
{
merror(SIZE_ERROR,ARGV0,str);
return(NULL);
}
-
+
at = realloc(at, (finalsize)*sizeof(char));
-
+
if(at == NULL)
{
merror(MEM_ERROR,ARGV0);
return(NULL);
}
-
+
strncat(at,str,strsize);
-
+
at[finalsize-1]='\0';
-
+
return(at);
}
return(NULL);
os_strdup(data, info_details_pt->data);
info_details_pt->next = NULL;
-
+
return(info_details_pt);
}
-RuleInfo *zerorulemember(int id, int level,
+RuleInfo *zerorulemember(int id, int level,
int maxsize, int frequency,
- int timeframe, int noalert,
+ int timeframe, int noalert,
int ignore_time, int overwrite)
{
RuleInfo *ruleinfo_pt = NULL;
-
+
/* Allocation memory for structure */
ruleinfo_pt = (RuleInfo *)calloc(1,sizeof(RuleInfo));
{
ErrorExit(MEM_ERROR,ARGV0);
}
-
+
/* Default values */
ruleinfo_pt->level = level;
/* Default category is syslog */
ruleinfo_pt->category = SYSLOG;
- ruleinfo_pt->ar = NULL;
-
+ ruleinfo_pt->ar = NULL;
+
ruleinfo_pt->context = 0;
-
+
ruleinfo_pt->sigid = id;
ruleinfo_pt->firedtimes = 0;
ruleinfo_pt->maxsize = maxsize;
ruleinfo_pt->ignore_time = ignore_time;
ruleinfo_pt->timeframe = timeframe;
ruleinfo_pt->time_ignored = 0;
-
- ruleinfo_pt->context_opts = 0;
- ruleinfo_pt->alert_opts = 0;
- ruleinfo_pt->ignore = 0;
- ruleinfo_pt->ckignore = 0;
+
+ ruleinfo_pt->context_opts = 0;
+ ruleinfo_pt->alert_opts = 0;
+ ruleinfo_pt->ignore = 0;
+ ruleinfo_pt->ckignore = 0;
if(noalert)
{
}
if(Config.mailbylevel <= level)
ruleinfo_pt->alert_opts |= DO_MAILALERT;
- if(Config.logbylevel <= level)
+ if(Config.logbylevel <= level)
ruleinfo_pt->alert_opts |= DO_LOGALERT;
/* Overwriting a rule */
ruleinfo_pt->info = NULL;
ruleinfo_pt->cve = NULL;
ruleinfo_pt->info_details = NULL;
-
+
ruleinfo_pt->if_sid = NULL;
ruleinfo_pt->if_group = NULL;
ruleinfo_pt->if_level = NULL;
-
+
ruleinfo_pt->if_matched_regex = NULL;
ruleinfo_pt->if_matched_group = NULL;
ruleinfo_pt->if_matched_sid = 0;
-
- ruleinfo_pt->user = NULL;
+
+ ruleinfo_pt->user = NULL;
ruleinfo_pt->srcip = NULL;
ruleinfo_pt->srcport = NULL;
ruleinfo_pt->dstip = NULL;
ruleinfo_pt->hostname = NULL;
ruleinfo_pt->program_name = NULL;
ruleinfo_pt->action = NULL;
-
+
/* Zeroing last matched events */
ruleinfo_pt->__frequency = 0;
ruleinfo_pt->last_events = NULL;
/* zeroing the list of previous matches */
ruleinfo_pt->sid_prev_matched = NULL;
ruleinfo_pt->group_prev_matched = NULL;
-
+
ruleinfo_pt->sid_search = NULL;
ruleinfo_pt->group_search = NULL;
-
+
ruleinfo_pt->event_search = NULL;
ruleinfo_pt->compiled_rule = NULL;
ruleinfo_pt->lists = NULL;
{
if (!values[k])
{
- merror("rules_op: Entry info type \"%s\" does not have a value",
+ merror("rules_op: Entry info type \"%s\" does not have a value",
attributes[k]);
return (-1);
}
if(strcmp(values[k], "text") == 0)
{
return(RULEINFODETAIL_TEXT);
- }
+ }
else if(strcmp(values[k], "link") == 0)
{
return(RULEINFODETAIL_LINK);
/* Get the attributes */
int getattributes(char **attributes, char **values,
- int *id, int *level,
+ int *id, int *level,
int *maxsize, int *timeframe,
- int *frequency, int *accuracy,
+ int *frequency, int *accuracy,
int *noalert, int *ignore_time, int *overwrite)
{
int k=0;
-
+
char *xml_id = "id";
char *xml_level = "level";
char *xml_maxsize = "maxsize";
char *xml_noalert = "noalert";
char *xml_ignore_time = "ignore";
char *xml_overwrite = "overwrite";
-
-
+
+
/* Getting attributes */
while(attributes[k])
{
merror("rules_op: Invalid accuracy: %s. "
"Must be integer" ,
values[k]);
- return(-1);
+ return(-1);
}
}
/* Rule ignore_time */
merror("rules_op: Invalid ignore_time: %s. "
"Must be integer" ,
values[k]);
- return(-1);
+ return(-1);
}
}
/* Rule noalert */
int rule_ar_size = 0;
int mark_to_ar = 0;
int rule_real_level = 0;
-
+
OSListNode *my_ars_node;
-
-
- /* Setting the correctly levels
+
+
+ /* Setting the correctly levels
* We play internally with the rules, to set
* the priorities... Rules with 0 of accuracy,
* receive a low level and go down in the list
*/
if(rule_config->level == 9900)
rule_real_level = 0;
-
+
else if(rule_config->level >= 100)
rule_real_level = rule_config->level/100;
-
-
+
+
/* No AR for ignored rules */
if(rule_real_level == 0)
{
{
return;
}
-
+
/* Looping on all AR */
my_ars_node = OSList_GetFirstNode(active_responses);
while(my_ars_node)
mark_to_ar = 1;
}
}
-
+
/* Checking if group matches */
if(my_ar->rules_group)
{
mark_to_ar = 1;
}
}
-
+
/* Checking if rule id matches */
if(my_ar->rules_id)
{
else if(isdigit((int)*str_pt))
{
r_id = atoi(str_pt);
-
+
/* mark to ar if id matches */
if(r_id == rule_config->sigid)
{
mark_to_ar = 1;
}
-
+
str_pt = strchr(str_pt, ',');
if(str_pt)
{
}
}
} /* eof of rules_id */
-
-
- /* Bind AR to the rule */
+
+
+ /* Bind AR to the rule */
if(mark_to_ar == 1)
{
rule_ar_size++;
rule_config->ar = realloc(rule_config->ar,
(rule_ar_size + 1)
*sizeof(active_response *));
-
+
/* Always set the last node to NULL */
rule_config->ar[rule_ar_size - 1] = my_ar;
- rule_config->ar[rule_ar_size] = NULL;
+ rule_config->ar[rule_ar_size] = NULL;
}
-
+
my_ars_node = OSList_GetNextNode(active_responses);
}
/* print rule */
void printRuleinfo(RuleInfo *rule, int node)
{
- debug1("%d : rule:%d, level %d, timeout: %d",
+ debug1("%d : rule:%d, level %d, timeout: %d",
node,
- rule->sigid,
+ rule->sigid,
rule->level,
rule->ignore_time);
}
snprintf(_id_key, 14, "%d", node->ruleinfo->sigid);
os_strdup(_id_key, id_key);
-
-
+
+
/* Adding key to hash. */
OSHash_Add(Config.g_rules_hash, id_key, node->ruleinfo);
if(node->child)
node->ruleinfo->level/=100;
l_size++;
-
+
/* Rule information */
printRuleinfo(node->ruleinfo, nnode);
-
+
if(node->child)
{
int chl_size = 0;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/rules.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int __frequency;
char **last_events;
-
+
/* Not an option in the rule */
u_int16_t alert_opts;
/* category */
u_int8_t category;
-
+
/* Decoded as */
u_int16_t decoded_as;
/* Function pointer to the event_search. */
void *(*event_search)(void *lf, void *rule);
-
+
char *group;
OSMatch *match;
OSMatch *program_name;
OSMatch *extra_data;
char *action;
-
+
char *comment; /* description in the xml */
char *info;
char *cve;
RuleInfoDetail *info_details;
ListRule *lists;
-
+
char *if_sid;
char *if_level;
char *if_group;
OSRegex *if_matched_regex;
OSMatch *if_matched_group;
int if_matched_sid;
-
+
void *(*compiled_rule)(void *lf);
active_response **ar;
int get_info_attributes(char **attributes, char **values);
/* RuleInfo functions */
-RuleInfo *zerorulemember(int id,
+RuleInfo *zerorulemember(int id,
int level,
- int maxsize,
+ int maxsize,
int frequency,
- int timeframe,
+ int timeframe,
int noalert,
int ignore_time,
int overwrite);
/** Defition of the internal rule IDS **
** These SIGIDs cannot be used **
** **/
-
+
#define STATS_MODULE 11
#define FTS_MODULE 12
-#define SYSCHECK_MODULE 13
+#define SYSCHECK_MODULE 13
#define HOSTINFO_MODULE 15
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/rules_list.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#include "shared.h"
#include "rules.h"
RuleNode *OS_GetFirstRule()
{
RuleNode *rulenode_pt = rulenode;
-
- return(rulenode_pt);
+
+ return(rulenode_pt);
}
/* Search all rules, including childs */
-int _AddtoRule(int sid, int level, int none, char *group,
+int _AddtoRule(int sid, int level, int none, char *group,
RuleNode *r_node, RuleInfo *read_rule)
{
int r_code = 0;
-
+
/* If we don't have the first node, start from
* the beginning of the list
*/
{
/* Checking if the sigid matches */
if(sid)
- {
+ {
if(r_node->ruleinfo->sigid == sid)
{
- /* Assign the category of this rule to the child
+ /* Assign the category of this rule to the child
* as they must match
*/
read_rule->category = r_node->ruleinfo->category;
-
+
/* If no context for rule, check if the parent has
* and use it.
{
read_rule->last_events = r_node->ruleinfo->last_events;
}
-
+
r_node->child=
_OS_AddRule(r_node->child, read_rule);
return(1);
}
}
-
+
/* Checking if the group matches */
else if(group)
{
- if(OS_WordMatch(group, r_node->ruleinfo->group) &&
+ if(OS_WordMatch(group, r_node->ruleinfo->group) &&
(r_node->ruleinfo->sigid != read_rule->sigid))
{
/* If no context for rule, check if the parent has
/* Checking if the level matches */
else if(level)
{
- if((r_node->ruleinfo->level >= level) &&
+ if((r_node->ruleinfo->level >= level) &&
(r_node->ruleinfo->sigid != read_rule->sigid))
{
r_node->child=
r_code = 1;
}
}
-
-
+
+
/* If we are not searching for the sid/group, the category must
- * be the same.
+ * be the same.
*/
else if(read_rule->category != r_node->ruleinfo->category)
{
continue;
}
-
+
/* If none of them is set, add for the category */
else
{
r_node = r_node->next;
}
-
- return(r_code);
+
+ return(r_code);
}
return(1);
}
- /* Adding for if_sid */
+ /* Adding for if_sid */
if(read_rule->if_sid)
{
int val = 0;
char *sid;
-
+
sid = read_rule->if_sid;
-
+
/* Loop to read all the rules (comma or space separated */
do
{
}
}
- /* Adding for if_group */
+ /* Adding for if_group */
else if(read_rule->if_group)
{
if(!_AddtoRule(0, 0, 0, read_rule->if_group, NULL, read_rule))
"found. Invalid 'if_group'.", read_rule->if_group);
}
}
-
+
/* Just add based on the category */
else
{
RuleNode *_OS_AddRule(RuleNode *_rulenode, RuleInfo *read_rule)
{
RuleNode *tmp_rulenode = _rulenode;
-
+
if(tmp_rulenode != NULL)
{
int middle_insertion = 0;
RuleNode *prev_rulenode = NULL;
RuleNode *new_rulenode = NULL;
-
+
while(tmp_rulenode != NULL)
{
if(read_rule->level > tmp_rulenode->ruleinfo->level)
prev_rulenode = tmp_rulenode;
tmp_rulenode = tmp_rulenode->next;
}
-
+
new_rulenode = (RuleNode *)calloc(1,sizeof(RuleNode));
if(!new_rulenode)
{
prev_rulenode->next = new_rulenode;
}
-
+
new_rulenode->next = tmp_rulenode;
new_rulenode->ruleinfo = read_rule;
new_rulenode->child = NULL;
}
-
+
else
{
prev_rulenode->next = new_rulenode;
prev_rulenode->next->ruleinfo = read_rule;
- prev_rulenode->next->next = NULL;
- prev_rulenode->next->child = NULL;
+ prev_rulenode->next->next = NULL;
+ prev_rulenode->next->child = NULL;
}
}
-
+
else
{
_rulenode = (RuleNode *)calloc(1,sizeof(RuleNode));
r_node->ruleinfo->decoded_as = newrule->decoded_as;
r_node->ruleinfo->ar = newrule->ar;
r_node->ruleinfo->compiled_rule = newrule->compiled_rule;
+ if((newrule->context_opts & SAME_DODIFF) && r_node->ruleinfo->last_events == NULL)
+ {
+ r_node->ruleinfo->last_events = newrule->last_events;
+ }
return(1);
}
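Review bot: The added block propagates `last_events` to the overwritten rule only when the new rule has `SAME_DODIFF`, and it assigns the pointer rather than copying the array, so both RuleInfo objects now alias one buffer; nothing in the hunk says which of them owns and frees it. If the overwriting rule enables another context option that also allocates `last_events` (that allocation is outside this hunk), the overwritten rule is left with `NULL` here, so it is worth confirming the `SAME_DODIFF` restriction is intentional rather than writing `if(newrule->last_events && r_node->ruleinfo->last_events == NULL)`. A comment above the block such as `/* check_diff needs the last_events store; the overwritten rule shares the new rule's array instead of allocating its own */` would record the intent. The enclosing function starts before this hunk.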
while(r_node)
{
- if(OSMatch_Execute(r_node->ruleinfo->group,
+ if(OSMatch_Execute(r_node->ruleinfo->group,
strlen(r_node->ruleinfo->group),
orig_rule->if_matched_group))
{
rule_g++;
}
}
-
- os_realloc(r_node->ruleinfo->group_prev_matched,
+
+ os_realloc(r_node->ruleinfo->group_prev_matched,
(rule_g + 2)*sizeof(OSList *),
- r_node->ruleinfo->group_prev_matched);
-
+ r_node->ruleinfo->group_prev_matched);
+
r_node->ruleinfo->group_prev_matched[rule_g] = NULL;
r_node->ruleinfo->group_prev_matched[rule_g +1] = NULL;
-
+
/* Setting the size */
r_node->ruleinfo->group_prev_matched_sz = rule_g +1;
-
- r_node->ruleinfo->group_prev_matched[rule_g] =
+
+ r_node->ruleinfo->group_prev_matched[rule_g] =
orig_rule->group_search;
}
-/* @(#) $Id$ */
-
+/* @(#) $Id: ./src/analysisd/stats.c, 2011/09/08 dcid Exp $
+ */
+
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
"Friday","Saturday"};
char *(l_month[])={"Jan","Feb","Mar","Apr","May","Jun","Jul","Aug",
"Sep","Oct","Nov","Dec"};
-
+
/* Global vars */
char logfile[OS_FLSIZE +1];
FILE *flog;
-
+
/* Creating the path for the logs */
snprintf(logfile, OS_FLSIZE,"%s/%d/", STATSAVED, prev_year);
if(IsDir(logfile) == -1)
merror(FOPEN_ERROR, ARGV0, logfile);
return;
}
-
+
/* Printing the hourly stats */
for(i=0;i<=23;i++)
{
totals+=_CHour[i];
}
fprintf(flog,"Total events for day:%d\n", totals);
-
+
fclose(flog);
}
/* gethour: v0.2
* Return the parameter (event_number + 20 % of it)
* If event_number < mindiff, return mindiff
- * If event_number > maxdiff, return maxdiff
+ * If event_number > maxdiff, return maxdiff
*/
int gethour(int event_number)
{
event_diff = (event_number * percent_diff)/100;
event_diff++;
-
+
if(event_diff < mindiff)
return(event_number + mindiff);
else if(event_diff > maxdiff)
return(event_number + maxdiff);
-
+
return(event_number + event_diff);
}
{
int i,j;
int inter;
-
-
+
+
/* Print total number of logs received per hour */
print_totals();
-
-
+
+
/* Hourly update */
_RHour[24]++;
inter = _RHour[24];
if(inter > 7)
inter = 7;
-
+
for(i=0;i<=24;i++)
{
char _hourly[128]; /* _hourly file */
-
+
FILE *fp;
-
+
if(i != 24)
{
/* If saved hourly = 0, just copy the current hourly rate */
{
_RHour[i]=(((3*_CHour[i])+(inter*_RHour[i]))/(inter+3))+25;
}
-
+
else
{
/* The average is going to be the number of interactions +
}
}
}
-
+
snprintf(_hourly,128,"%s/%d",STATQUEUE,i);
fp = fopen(_hourly, "w");
if(fp)
{
merror(FOPEN_ERROR, "logstats", _hourly);
}
-
+
_CHour[i] = 0; /* Zeroing the currently hour */
}
inter = _CWHour[i][24];
if(inter > 7)
inter = 7;
-
+
for(j=0;j<=24;j++)
{
if(j != 24)
}
}
}
-
+
snprintf(_weekly,128,"%s/%d/%d",STATWQUEUE,i,j);
fp = fopen(_weekly, "w");
if(fp)
{
merror(FOPEN_ERROR, "logstats", _weekly);
}
-
+
_CWHour[i][j] = 0;
- }
+ }
}
_daily_errors = 0;
" between %d:00 and %d:00 is %d. We "
"reached %d.",__crt_hour,__crt_hour+1,
_RHour[__crt_hour],_CHour[__crt_hour]);
-
-
+
+
_fired = 1;
_daily_errors++;
return(1);
/* We need to have at least 3 days of stats */
if(_RWHour[__crt_wday][24] <= 2)
return(0);
-
+
/* checking for the hour during a specific day of the week */
if(_RWHour[__crt_wday][__crt_hour] != 0)
{
if(_CWHour[__crt_wday][__crt_hour] > _RWHour[__crt_wday][__crt_hour])
{
- if(_CWHour[__crt_wday][__crt_hour] >
+ if(_CWHour[__crt_wday][__crt_hour] >
gethour(_RWHour[__crt_wday][__crt_hour]))
{
snprintf(__stats_comment, 191,
weekdays[__crt_wday],
_RWHour[__crt_wday][__crt_hour],
_CWHour[__crt_wday][__crt_hour]);
-
-
+
+
_fired = 1;
_daily_errors++;
return(1);
maxdiff = getDefine_Int("analysisd",
"stats_maxdiff",
10, 99999);
-
+
mindiff = getDefine_Int("analysisd",
"stats_mindiff",
10, 99999);
_lastmsg = NULL;
_prevlast = NULL;
_pprevlast = NULL;
-
-
+
+
/* They should not be null */
os_strdup(" ", _lastmsg);
os_strdup(" ", _prevlast);
os_strdup(" ", _pprevlast);
-
-
- /* Creating the stat queue directories */
+
+
+ /* Creating the stat queue directories */
if(IsDir(STATWQUEUE) == -1)
if(mkdir(STATWQUEUE,0770) == -1)
{
merror("%s: logstat: Unable to create stat queue: %s",
ARGV0, STATWQUEUE);
return(-1);
- }
+ }
if(IsDir(STATQUEUE) == -1)
if(mkdir(STATQUEUE,0770) == -1)
merror("%s: logstat: Unable to create stat queue: %s",
ARGV0, STATQUEUE);
return(-1);
- }
+ }
/* Creating store dir */
if(IsDir(STATSAVED) == -1)
_CHour[i]=0;
if(File_DateofChange(_hourly) < 0)
_RHour[i] = 0;
-
+
else
{
FILE *fp;
_RHour[i] = 0;
if(_RHour[i] < 0)
- _RHour[i] = 0;
+ _RHour[i] = 0;
fclose(fp);
}
}
_RWHour[i][j] = 0;
if(_RWHour[i][j] < 0)
- _RWHour[i][j] = 0;
+ _RWHour[i][j] = 0;
fclose(fp);
}
}
/* LastMsg_Change: v0.3: 2006/03/21
* v0.3: 2006/03/21: Some performance fixes.
- * v0.2: 2005/03/17
+ * v0.2: 2005/03/17
* If the message is not repeated, rearrange the last
* received messages
*/
{
/* Removing the last one */
free(_pprevlast);
-
+
/* Moving the second to third and the last to second */
_pprevlast = _prevlast;
-
+
_prevlast = _lastmsg;
-
+
os_strdup(log, _lastmsg);
return;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/testrule.c, 2012/07/23 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* Part of the OSSEC
* Available at http://www.ossec.net
*/
-
+
/* ossec-analysisd.
* Responsible for correlation and log decoding.
int SetDecodeXML();
+void logtest_help(const char *prog)
+{
+ print_out(" ");
+ print_out("%s %s - %s (%s)", __name, __version, __author, __contact);
+ print_out("%s", __site);
+ print_out(" ");
+ print_out(" %s: -[Vatfdh] [-U ut_str] [-u user] [-g group] [-c config] [-D dir]", prog);
+ print_out(" -V Version and license message");
+ print_out(" -a Alerts output");
+ print_out(" -t Test configuration");
+ print_out(" -v Verbose (full) output/rule debugging");
+ print_out(" -d Execute in debug mode");
+ print_out(" -h This help message");
+ print_out(" -U <rule:alert:decoder> Unit test. Refer to contrib/ossec-testing/runtests.py");
+ print_out(" -u <user> Run as 'user'");
+ print_out(" -g <group> Run as 'group'");
+ print_out(" -c <config> Read the 'config' file");
+ print_out(" -D <dir> Chroot to 'dir'");
+ print_out(" ");
+ exit(1);
+}
+
/** int main(int argc, char **argv)
{
int t_config = 0;
int c = 0, m_queue = 0;
- char *ut_str = NULL;
+ char *ut_str = NULL;
char *dir = DEFAULTDIR;
char *user = USER;
active_responses = NULL;
memset(prev_month, '\0', 4);
- while((c = getopt(argc, argv, "VatfdhU:u:g:D:c:")) != -1){
+ while((c = getopt(argc, argv, "VatvdhU:u:g:D:c:")) != -1){
switch(c){
case 'V':
print_version();
t_config = 1;
break;
case 'h':
- help(ARGV0);
+ logtest_help(ARGV0);
break;
case 'd':
nowDebug();
if(!optarg)
ErrorExit("%s: -D needs an argument",ARGV0);
dir = optarg;
+ break;
case 'c':
if(!optarg)
ErrorExit("%s: -c needs an argument",ARGV0);
break;
case 'a':
alert_only = 1;
- break;
- case 'f':
- full_output = 1;
+ break;
+ case 'v':
+ full_output = 1;
break;
default:
- help(ARGV0);
+ logtest_help(ARGV0);
break;
}
}
debug1(READ_CONFIG, ARGV0);
-
-
+
+
/* Getting servers hostname */
memset(__shost, '\0', 512);
if(gethostname(__shost, 512 -1) != 0)
{
- strncpy(__shost, OSSEC_SERVER, 512 -1);
+ strncpy(__shost, OSSEC_SERVER, 512 -1);
}
else
{
if(_ltmp)
*_ltmp = '\0';
}
-
+
if(chdir(dir) != 0)
/*
- * Anonymous Section: Load rules, decoders, and lists
+ * Anonymous Section: Load rules, decoders, and lists
*
* As lists require two pass loading of rules that make use of list lookups
- * are created with blank database structs, and need to be filled in after
- * completion of all rules and lists.
+ * are created with blank database structs, and need to be filled in after
+ * completion of all rules and lists.
*/
{
{ /* Lad decders */
/* Initializing the decoders list */
OS_CreateOSDecoderList();
- if(!Config.decoders)
+ if(!Config.decoders)
{ /* Legacy loading */
/* Reading decoders */
if(!ReadDecodeXML("etc/decoder.xml"))
verbose("%s: INFO: Reading decoder file %s.", ARGV0, *decodersfiles);
if(!ReadDecodeXML(*decodersfiles))
ErrorExit(CONFIG_ERROR, ARGV0, *decodersfiles);
-
- free(*decodersfiles);
- decodersfiles++;
+
+ free(*decodersfiles);
+ decodersfiles++;
}
}
}
{ /* Load Lists */
/* Initializing the lists of list struct */
- Lists_OP_CreateLists();
+ Lists_OP_CreateLists();
/* Load each list into list struct */
{
char **listfiles;
listfiles = Config.lists;
while(listfiles && *listfiles)
{
- verbose("%s: INFO: Reading loading the lists file: '%s'", ARGV0, *listfiles);
+ verbose("%s: INFO: Reading the lists file: '%s'", ARGV0, *listfiles);
if(Lists_OP_LoadList(*listfiles) < 0)
ErrorExit(LISTS_ERROR, ARGV0, *listfiles);
free(*listfiles);
debug1("%s: INFO: Reading rules file: '%s'", ARGV0, *rulesfiles);
if(Rules_OP_ReadRules(*rulesfiles) < 0)
ErrorExit(RULES_ERROR, ARGV0, *rulesfiles);
-
- free(*rulesfiles);
- rulesfiles++;
+
+ free(*rulesfiles);
+ rulesfiles++;
}
free(Config.includes);
Config.includes = NULL;
}
-
+
/* Find all rules with that require list lookups and attache the
- * the correct list struct to the rule. This keeps rules from having to
+ * the correct list struct to the rule. This keeps rules from having to
* search thought the list of lists for the correct file during rule evaluation.
*/
OS_ListLoadRules();
}
}
-
+
/* Fixing the levels/accuracy */
{
int total_rules;
RuleNode *tmp_node = OS_GetFirstRule();
total_rules = _setlevels(tmp_node, 0);
- debug1("%s: INFO: Total rules enabled: '%d'", ARGV0, total_rules);
+ debug1("%s: INFO: Total rules enabled: '%d'", ARGV0, total_rules);
}
exit(0);
}
-
+
/* Start up message */
verbose(STARTUP_MSG, ARGV0, getpid());
exit(0);
-
+
}
int exit_code = 0;
char *ut_alertlevel = NULL;
char *ut_rulelevel = NULL;
- char *ut_decoder_name = NULL;
+ char *ut_decoder_name = NULL;
if(ut_str)
{
/* XXX Break apart string */
- ut_rulelevel = ut_str;
+ ut_rulelevel = ut_str;
ut_alertlevel = strchr(ut_rulelevel, ':');
if(!ut_alertlevel)
{
else
{
*ut_alertlevel = '\0';
- ut_alertlevel++;
+ ut_alertlevel++;
}
ut_decoder_name = strchr(ut_alertlevel, ':');
if(!ut_decoder_name)
{
ErrorExit(FTS_LIST_ERROR, ARGV0);
}
-
+
__crt_ftell = 1;
/* Doing some cleanup */
memset(msg, '\0', OS_MAXSTR +1);
-
+
if(!alert_only)
print_out("%s: Type one log per line.\n", ARGV0);
-
-
+
+
/* Daemon loop */
while(1)
{
lf = (Eventinfo *)calloc(1,sizeof(Eventinfo));
-
+
/* This shouldn't happen .. */
if(lf == NULL)
{
/* Fixing the msg. */
snprintf(msg, 15, "1:stdin:");
-
-
-
+
+
+
/* Receive message from queue */
if(fgets(msg +8, OS_MAXSTR, stdin))
{
{
continue;
}
-
-
+
+
if(!alert_only)print_out("\n");
-
+
/* Default values for the log info */
Zero_Eventinfo(lf);
/* Decoding event. */
DecodeEvent(lf);
-
+
/* Looping all the rules */
rulenode_pt = OS_GetFirstRule();
- if(!rulenode_pt)
+ if(!rulenode_pt)
{
ErrorExit("%s: Rules in an inconsistent state. Exiting.",
ARGV0);
}
-
+
#ifdef TESTRULE
if(full_output && !alert_only)
print_out("\n**Rule debugging:");
/* We go ahead in here and process the alert. */
currently_rule = lf->generated_rule;
}
-
+
/* The categories must match */
- else if(rulenode_pt->ruleinfo->category !=
+ else if(rulenode_pt->ruleinfo->category !=
lf->decoder_info->type)
{
continue;
/* Checking each rule. */
- else if((currently_rule = OS_CheckIfRuleMatch(lf, rulenode_pt))
+ else if((currently_rule = OS_CheckIfRuleMatch(lf, rulenode_pt))
== NULL)
{
continue;
print_out(" Rule id: '%d'", currently_rule->sigid);
print_out(" Level: '%d'", currently_rule->level);
print_out(" Description: '%s'",currently_rule->comment);
- for (last_info_detail = currently_rule->info_details; last_info_detail != NULL; last_info_detail = last_info_detail->next)
+ for (last_info_detail = currently_rule->info_details; last_info_detail != NULL; last_info_detail = last_info_detail->next)
{
print_out(" Info - %s: '%s'", ruleinfodetail_text[last_info_detail->type], last_info_detail->data);
}
}
#endif
-
+
/* Ignore level 0 */
}
- /* Checking ignore time */
+ /* Checking ignore time */
if(currently_rule->ignore_time)
{
if(currently_rule->time_ignored == 0)
* is less than the time it should be ignored,
* leave (do not alert again).
*/
- else if((lf->time - currently_rule->time_ignored)
+ else if((lf->time - currently_rule->time_ignored)
< currently_rule->ignore_time)
{
break;
/* Pointer to the rule that generated it */
lf->generated_rule = currently_rule;
-
+
/* Checking if we should ignore it */
if(currently_rule->ckignore && IGnore(lf))
{
lf->generated_rule = NULL;
break;
}
-
+
/* Checking if we need to add to ignore list */
if(currently_rule->ignore)
{
}
else
{
- lf->sid_node_to_delete =
+ lf->sid_node_to_delete =
currently_rule->sid_prev_matched->last_node;
}
}
/* Group list */
else if(currently_rule->group_prev_matched)
{
- i = 0;
-
+ i = 0;
+
while(i < currently_rule->group_prev_matched_sz)
{
if(!OSList_AddData(
- currently_rule->group_prev_matched[i],
+ currently_rule->group_prev_matched[i],
lf))
{
merror("%s: Unable to add data to grp list.",ARGV0);
i++;
}
}
-
+
OS_AddEvent(lf);
break;
char holder[1024];
holder[1] = '\0';
exit_code = 3;
- if(strcasecmp(ut_decoder_name, lf->decoder_info->name) == 0)
+ if(lf->decoder_info->name != NULL && strcasecmp(ut_decoder_name, lf->decoder_info->name) == 0)
{
exit_code--;
snprintf(holder, 1023, "%d", currently_rule->sigid);
/* Only clear the memory if the eventinfo was not
- * added to the stateful memory
+ * added to the stateful memory
* -- message is free inside clean event --
*/
if(lf->generated_rule == NULL)
}
else
{
- exit(exit_code);
+ exit(exit_code);
}
}
exit(exit_code);
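Review bot: The full-output switch is renamed from `-f` to `-v` in both the getopt string and its `case` label, so an existing `ossec-logtest -f` invocation now lands in `default:` and prints the help instead of enabling rule debugging. If that break is not intended, keep the old letter as an alias: `"VatfvdhU:u:g:D:c:"` with `case 'f': /* legacy alias for -v */` falling through into `case 'v':`, and mention the alias in `logtest_help()`. `logtest_help()` also ends in `exit(1)` even for an explicit `-h`, which conventionally is a successful exit; consider passing the status in or using 0 on that path. main() starts and ends outside the changed lines.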
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/client-agent/agentd.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
{
int rc = 0;
int pid = 0;
- int maxfd = 0;
+ int maxfd = 0;
fd_set fdset;
-
+
struct timeval fdtimeout;
-
+
/* Going daemon */
pid = getpid();
available_server = 0;
nowDaemon();
goDaemon();
-
+
/* Setting group ID */
if(Privsep_SetGroup(gid) < 0)
ErrorExit(SETGID_ERROR, ARGV0, group);
-
+
/* chrooting */
if(Privsep_Chroot(dir) < 0)
ErrorExit(CHROOT_ERROR, ARGV0, dir);
-
+
nowChroot();
maxfd = logr->m_queue;
logr->sock = -1;
-
+
/* Creating PID file */
/* Reading the private keys */
verbose(ENC_READ, ARGV0);
-
+
OS_ReadKeys(&keys);
OS_StartCounter(&keys);
+
+ /* cmoraes : changed the following call to
os_write_agent_info(keys.keyentries[0]->name, NULL, keys.keyentries[0]->id);
+ */
+ os_write_agent_info(keys.keyentries[0]->name, NULL, keys.keyentries[0]->id,
+ logr->profile);
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
-
+
/* Initial random numbers */
#ifdef __OpenBSD__
srandomdev();
#else
srandom( time(0) + getpid()+ pid + getppid());
#endif
-
+
random();
{
ErrorExit(UNABLE_CONN, ARGV0);
}
-
+
/* Setting max fd for select */
if(logr->sock > maxfd)
os_setwait();
start_agent(1);
-
+
os_delwait();
intcheck_file(OSSECCONF, dir);
intcheck_file(OSSEC_DEFINES, dir);
-
+
/* Sending first notification */
run_notify();
-
-
+
+
/* Maxfd must be higher socket +1 */
maxfd++;
-
-
+
+
/* monitor loop */
while(1)
{
fdtimeout.tv_sec = 120;
fdtimeout.tv_usec = 0;
-
+
/* Wait for 120 seconds at a maximum for any descriptor */
rc = select(maxfd, &fdset, NULL, NULL, &fdtimeout);
if(rc == -1)
{
ErrorExit(SELECT_ERROR, ARGV0);
}
-
-
+
+
else if(rc == 0)
{
continue;
- }
+ }
+
-
/* For the receiver */
if(FD_ISSET(logr->sock, &fdset))
{
receive_msg();
}
-
+
/* For the forwarder */
if(FD_ISSET(logr->m_queue, &fdset))
{
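Review bot: The old three-argument `os_write_agent_info(...)` call is left behind as a comment above the new four-argument call, together with an author tag; commented-out code should be deleted rather than kept as history. Replace it with a why-comment on the new call, e.g. `/* persist the config-profile so profile-specific <agent_config> sections can be selected later */` (assuming that is what os_write_agent_info stores for os_read_agent_profile(), which is defined outside this file). The enclosing function starts and ends outside the hunk.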
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/client-agent/agentd.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/* Receiver messages for Windows */
void *receiver_thread(void *none);
-/* intcheck_file:
+/* intcheck_file:
* Sends integrity checking information about a file to the server.
*/
int intcheck_file(char *file_name, char *dir);
/*** Global variables ***/
/* Global variables. Only modified
- * during startup.
+ * during startup.
*/
#include "shared.h"
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/client-agent/config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/* ClientConf v0.2, 2005/03/03
* Read the config file (for the remote client)
* v0.2: New OS_XML
- */
+ */
int ClientConf(char *cfgfile)
{
int modules = 0;
logr->lip = NULL;
logr->rip_id = 0;
logr->execdq = 0;
+ logr->profile = NULL; /*cmoraes*/
modules|= CCLIENT;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/client-agent/event-forward.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/client-agent/intcheck_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
if(lstat(file_name, &statbuf) < 0)
#endif
{
- snprintf(newsum, 911,"%c:%s:-1 %s%s", SYSCHECK_MQ, SYSCHECK,
+ snprintf(newsum, 911,"%c:%s:-1 %s%s", SYSCHECK_MQ, SYSCHECK,
dir, file_name);
send_msg(0, newsum);
}
}
-
+
snprintf(newsum,911,"%c:%s:%d:%d:%d:%d:%s:%s %s%s",
SYSCHECK_MQ, SYSCHECK,
(int)statbuf.st_size,
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/client-agent/main.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
{
int c = 0;
int test_config = 0;
-
+
char *dir = DEFAULTDIR;
char *user = USER;
char *group = GROUPGLOBAL;
-
+
int uid = 0;
int gid = 0;
-
+
/* Setting the name */
OS_SetName(ARGV0);
group = optarg;
break;
case 't':
- test_config = 1;
+ test_config = 1;
break;
case 'D':
if(!optarg)
ErrorExit(MEM_ERROR, ARGV0);
}
-
+
/* Reading config */
if(ClientConf(DEFAULTCPATH) < 0)
{
if(!logr->rip)
{
merror(AG_INV_IP, ARGV0);
- ErrorExit(CLIENT_ERROR,ARGV0);
+ ErrorExit(CLIENT_ERROR,ARGV0);
}
ErrorExit(AG_NOKEYS_EXIT, ARGV0);
}
-
+
/* Check if the user/group given are valid */
uid = Privsep_GetUser(user);
gid = Privsep_GetGroup(group);
/* Agentd Start */
AgentdStart(dir, uid, gid, user, group);
-
+
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/client-agent/notify.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
time_t g_saved_time = 0;
+char *rand_keepalive_str2(char *dst, int size)
+{
+ static const char text[] = "abcdefghijklmnopqrstuvwxyz"
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "0123456789"
+ "!@#$%^&*()_+-=;'[],./?";
+ int i, len = rand() % (size - 1);
+ for ( i = 0; i < len; ++i )
+ {
+ dst[i] = text[rand() % (sizeof text - 1)];
+ }
+ dst[i] = '\0';
+ return dst;
+}
/* getfiles: Return the name of the files in a directory
*/
int m_size = 512;
char *ret;
-
+
os_md5 md5sum;
-
+
if(OS_MD5_File(SHAREDCFG_FILE, md5sum) != 0)
{
snprintf(ret, m_size, "%s merged.mg\n", md5sum);
-
+
return(ret);
}
/* run_notify: Send periodically notification to server */
void run_notify()
{
+ char keep_alive_random[1024];
char tmp_msg[OS_SIZE_1024 +1];
char *uname;
char *shared_files;
+ os_md5 md5sum;
+
+
+ keep_alive_random[0] = '\0';
time_t curr_time;
return;
}
g_saved_time = curr_time;
-
+
debug1("%s: DEBUG: Sending agent notification.", ARGV0);
/* Send the message.
- * Message is going to be the
- * uname\n checksum file\n checksum file\n
- */
+ * Message is going to be the
+ * uname\n checksum file\n checksum file\n
+ */
/* Getting uname */
uname = getuname();
}
}
+ rand_keepalive_str2(keep_alive_random, 700);
+
/* creating message */
- if(File_DateofChange(AGENTCONFIGINT) > 0)
+ if((File_DateofChange(AGENTCONFIGINT) > 0 ) &&
+ (OS_MD5_File(AGENTCONFIGINT, md5sum) == 0))
{
- os_md5 md5sum;
- if(OS_MD5_File(AGENTCONFIGINT, md5sum) != 0)
- {
- snprintf(tmp_msg, OS_SIZE_1024, "#!-%s\n%s",uname, shared_files);
- }
- else
- {
- snprintf(tmp_msg, OS_SIZE_1024, "#!-%s / %s\n%s",uname, md5sum, shared_files);
- }
+ snprintf(tmp_msg, OS_SIZE_1024, "#!-%s / %s\n%s\n%s",
+ uname, md5sum, shared_files, keep_alive_random);
}
else
{
- snprintf(tmp_msg, OS_SIZE_1024, "#!-%s\n%s",uname, shared_files);
+ snprintf(tmp_msg, OS_SIZE_1024, "#!-%s\n%s\n%s",
+ uname, shared_files, keep_alive_random);
}
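Review bot: `rand_keepalive_str2()` draws from `rand()`, but the only seeding visible in this commit is the `srandom()` call in agentd.c, which seeds `random()`; on libcs where the two generators keep separate state, `rand()` starts from its default seed and the "random" keep-alive suffix is the same sequence on every agent start. If the suffix is meant to make otherwise identical keep-alives differ on the wire, that defeats it, so either seed `rand()` next to `srandom()` or draw from the generator that is actually seeded. The function also computes `rand() % (size - 1)` with no guard, so a `size` of 0 or 1 is a modulo by zero or a negative modulus, and it is not `static` although nothing shown declares it elsewhere. A bounded version is below; in run_notify() the new `keep_alive_random[0] = '\0';` is a statement placed before the `time_t curr_time;` declaration, which is worth moving below the declarations to match the rest of the file.
```c
static char *rand_keepalive_str2(char *dst, int size)
{
    static const char text[] = "abcdefghijklmnopqrstuvwxyz"
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                               "0123456789"
                               "!@#$%^&*()_+-=;'[],./?";
    int i = 0, len = 0;

    /* size includes the terminator: with fewer than 2 bytes only '\0' fits */
    if(dst == NULL || size < 1)
        return dst;
    if(size >= 2)
        len = rand() % (size - 1);
    for(i = 0; i < len; ++i)
    {
        dst[i] = text[rand() % (sizeof text - 1)];
    }
    dst[i] = '\0';
    return dst;
}
```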
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/client-agent/receiver-win.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* receiver_thread:
+/* receiver_thread:
* Receive events from the server.
*/
void *receiver_thread(void *none)
{
int recv_b;
-
+
char file[OS_SIZE_1024 +1];
char buffer[OS_MAXSTR +1];
-
+
char cleartext[OS_MAXSTR + 1];
char *tmp_msg;
-
+
char file_sum[34];
fd_set fdset;
struct timeval selecttime;
-
+
FILE *fp;
/* Setting FP to null, before starting */
fp = NULL;
-
+
memset(cleartext, '\0', OS_MAXSTR +1);
memset(buffer, '\0', OS_MAXSTR +1);
memset(file, '\0', OS_SIZE_1024 +1);
memset(file_sum, '\0', 34);
-
-
+
+
while(1)
{
/* sock must be set. */
FD_ZERO(&fdset);
FD_SET(logr->sock, &fdset);
-
+
/* Wait for 30 seconds. */
selecttime.tv_sec = 30;
selecttime.tv_usec = 0;
-
+
/* Wait for 120 seconds at a maximum for any descriptor */
recv_b = select(0, &fdset, NULL, NULL, &selecttime);
if(recv_b == -1)
continue;
}
- /* Read until no more messages are available */
+ /* Read until no more messages are available */
while((recv_b = recv(logr->sock,buffer,OS_SIZE_1024, 0))>0)
{
/* Id of zero -- only one key allowed */
{
/* This is the only thread that modifies it */
available_server = (int)time(NULL);
-
+
/* Run timeout commands. */
if(logr->execdq >= 0)
WinTimeoutRun(available_server);
-
+
/* If it is an active response message */
if(strncmp(tmp_msg, EXECD_HEADER, strlen(EXECD_HEADER)) == 0)
{
tmp_msg+=strlen(EXECD_HEADER);
-
+
/* Run on windows. */
if(logr->execdq >= 0)
{
WinExecdRun(tmp_msg);
}
-
-
+
+
continue;
- }
+ }
/* Restart syscheck. */
continue;
}
-
+
/* Ack from server */
else if(strcmp(tmp_msg, HC_ACK) == 0)
{
}
/* File update message */
- if(strncmp(tmp_msg, FILE_UPDATE_HEADER,
+ if(strncmp(tmp_msg, FILE_UPDATE_HEADER,
strlen(FILE_UPDATE_HEADER)) == 0)
{
char *validate_file;
/* copying the file sum */
strncpy(file_sum, tmp_msg, 33);
-
+
/* Setting tmp_msg to the beginning of the file name */
validate_file++;
tmp_msg = validate_file;
}
if(tmp_msg[0] == '.')
- tmp_msg[0] = '-';
+ tmp_msg[0] = '-';
-
- snprintf(file, OS_SIZE_1024, "%s/%s",
+
+ snprintf(file, OS_SIZE_1024, "%s/%s",
SHAREDCFG_DIR,
tmp_msg);
}
}
- else if(strncmp(tmp_msg, FILE_CLOSE_HEADER,
+ else if(strncmp(tmp_msg, FILE_CLOSE_HEADER,
strlen(FILE_CLOSE_HEADER)) == 0)
{
/* no error */
fclose(fp);
fp = NULL;
}
-
+
if(file[0] == '\0')
{
/* nada */
if(strcmp(currently_md5, file_sum) != 0)
{
debug1("%s: Failed md5 for: %s -- deleting.",
- ARGV0, file);
+ ARGV0, file);
unlink(file);
}
else
merror("%s: WARN: Unknown message received. No action defined.",
ARGV0);
}
- }
+ }
}
-
+
/* Cleaning up */
if(fp)
{
if(file[0] != '\0')
unlink(file);
}
-
+
return(NULL);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/client-agent/receiver.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
char file[OS_SIZE_1024 +1] = "";
-/* receive_msg:
+/* receive_msg:
* Receive events from the server.
*/
void *receive_msg()
- /* Read until no more messages are available */
+ /* Read until no more messages are available */
while((recv_b = recv(logr->sock, buffer, OS_SIZE_1024, MSG_DONTWAIT)) > 0)
{
buffer[recv_b] = '\0';
{
if(OS_SendUnix(logr->execdq, tmp_msg, 0) < 0)
{
- merror("%s: Error communicating with execd",
+ merror("%s: Error communicating with execd",
ARGV0);
}
}
continue;
- }
+ }
/* Restart syscheck. */
/* File update message */
- if(strncmp(tmp_msg, FILE_UPDATE_HEADER,
+ if(strncmp(tmp_msg, FILE_UPDATE_HEADER,
strlen(FILE_UPDATE_HEADER)) == 0)
{
char *validate_file;
}
if(tmp_msg[0] == '.')
- tmp_msg[0] = '-';
+ tmp_msg[0] = '-';
- snprintf(file, OS_SIZE_1024, "%s/%s",
+ snprintf(file, OS_SIZE_1024, "%s/%s",
SHAREDCFG_DIR,
tmp_msg);
}
}
- else if(strncmp(tmp_msg, FILE_CLOSE_HEADER,
+ else if(strncmp(tmp_msg, FILE_CLOSE_HEADER,
strlen(FILE_CLOSE_HEADER)) == 0)
{
/* no error */
if(strcmp(currently_md5, file_sum) != 0)
{
debug1("%s: ERROR: Failed md5 for: %s -- deleting.",
- ARGV0, file);
+ ARGV0, file);
unlink(file);
}
else
merror("%s: WARN: Unknown message received. No action defined.",
ARGV0);
}
- }
+ }
return(NULL);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/client-agent/sendmsg.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
#include "agentd.h"
#include "os_net/os_net.h"
-
+
/* Sends a message to the server */
int send_msg(int agentid, char *msg)
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/client-agent/start_agent.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
if(logr->rip[1])
{
- verbose("%s: INFO: Closing connection to server (%s:%d).",
+ verbose("%s: INFO: Closing connection to server (%s:%d).",
ARGV0,
logr->rip[rc],
logr->port);
}
-
+
}
-
-
+
+
while(logr->rip[rc])
{
char *tmp_str;
{
char *f_ip;
*tmp_str = '\0';
-
+
f_ip = OS_GetHost(logr->rip[rc], 5);
if(f_ip)
{
ip_str[127] = '\0';
snprintf(ip_str, 127, "%s/%s", logr->rip[rc], f_ip);
-
+
free(f_ip);
free(logr->rip[rc]);
}
else
{
- merror("%s: WARN: Unable to get hostname for '%s'.",
+ merror("%s: WARN: Unable to get hostname for '%s'.",
ARGV0, logr->rip[rc]);
*tmp_str = '/';
tmp_str++;
{
tmp_str = logr->rip[rc];
}
-
-
+
+
verbose("%s: INFO: Trying to connect to server (%s:%d).", ARGV0,
logr->rip[rc],
logr->port);
- logr->sock = OS_ConnectUDP(logr->port, tmp_str);
+ /* IPv6 address: */
+ if(strchr(tmp_str,':') != NULL)
+ {
+ verbose("%s: INFO: Using IPv6 for: %s .", ARGV0, tmp_str);
+ logr->sock = OS_ConnectUDP(logr->port, tmp_str, 1);
+ }
+ else
+ {
+ verbose("%s: INFO: Using IPv4 for: %s .", ARGV0, tmp_str);
+ logr->sock = OS_ConnectUDP(logr->port, tmp_str, 0);
+ }
+
if(logr->sock < 0)
{
logr->sock = -1;
if(logr->rip[rc] == NULL)
{
attempts += 10;
-
+
/* Only log that if we have more than 1 server configured. */
if(logr->rip[1])
merror("%s: ERROR: Unable to connect to any server.",ARGV0);
-
+
sleep(attempts);
rc = 0;
}
{
/* Setting socket non-blocking on HPUX */
#ifdef HPUX
- fcntl(logr->sock, O_NONBLOCK);
+ //fcntl(logr->sock, O_NONBLOCK);
#endif
#ifdef WIN32
int bmode = 1;
-
+
/* Setting socket to non-blocking */
ioctlsocket(logr->sock, FIONBIO, (u_long FAR*) &bmode);
#endif
char buffer[OS_MAXSTR +1];
char cleartext[OS_MAXSTR +1];
char fmsg[OS_MAXSTR +1];
-
+
memset(msg, '\0', OS_MAXSTR +2);
memset(buffer, '\0', OS_MAXSTR +1);
#ifdef ONEWAY
return;
#endif
-
-
+
+
/* Sending start message and waiting for the ack */
while(1)
{
/* Sending start up message */
send_msg(0, msg);
attempts = 0;
-
+
/* Read until our reply comes back */
while(((recv_b = recv(logr->sock, buffer, OS_MAXSTR,
{
send_msg(0, msg);
}
-
+
continue;
}
-
+
/* Id of zero -- only one key allowed */
tmp_msg = ReadSecMSG(&keys, buffer, cleartext, 0, recv_b -1);
if(tmp_msg == NULL)
{
available_server = time(0);
- verbose(AG_CONNECTED, ARGV0, logr->rip[logr->rip_id],
+ verbose(AG_CONNECTED, ARGV0, logr->rip[logr->rip_id],
logr->port);
-
+
if(is_startup)
{
/* Send log message about start up */
- snprintf(msg, OS_MAXSTR, OS_AG_STARTED,
+ snprintf(msg, OS_MAXSTR, OS_AG_STARTED,
keys.keyentries[0]->name,
keys.keyentries[0]->ip->ip);
- snprintf(fmsg, OS_MAXSTR, "%c:%s:%s", LOCALFILE_MQ,
+ snprintf(fmsg, OS_MAXSTR, "%c:%s:%s", LOCALFILE_MQ,
"ossec", msg);
send_msg(0, fmsg);
}
{
sleep(g_attempts);
g_attempts+=(attempts * 3);
-
+
connect_server(0);
}
}
-
+
return;
}
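Review bot: The HPUX `fcntl(logr->sock, O_NONBLOCK);` is disabled with a `//` comment and no explanation, leaving dead code behind an `#ifdef`. The call was never a valid non-blocking setup in any case, since fcntl's second argument is a command rather than a flag, so either delete the line or replace it with the real sequence, `fcntl(logr->sock, F_SETFL, fcntl(logr->sock, F_GETFL) | O_NONBLOCK);`, and say in a comment why HPUX is special-cased. In the connect hunk the IPv4 and IPv6 branches differ only in the last `OS_ConnectUDP` argument and the log text; a single `int ipv6 = (strchr(tmp_str, ':') != NULL);` followed by one call would keep them from drifting. Both enclosing functions start outside their hunks.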
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/active-response.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#include "shared.h"
#include "os_xml/os_xml.h"
#include "os_regex/os_regex.h"
int i = 0;
int r_ar = 0;
int l_ar = 0;
+ int rpt = 0;
/* Xml options */
char *xml_ar_level = "level";
char *xml_ar_timeout = "timeout";
char *xml_ar_disabled = "disabled";
+ char *xml_ar_repeated = "repeated_offenders";
char *tmp_location;
merror(FOPEN_ERROR, ARGV0, DEFAULTARPATH);
return(-1);
}
- chmod(DEFAULTARPATH, 0444);
+ chmod(DEFAULTARPATH, 0440);
/* Allocating for the active-response */
- /* Searching for the commands */
+ /* Searching for the commands */
while(node[i])
{
if(!node[i]->element)
}
/* Command */
- if(strcmp(node[i]->element, xml_ar_command) == 0)
+ if(strcmp(node[i]->element, xml_ar_command) == 0)
{
tmp_ar->command = strdup(node[i]->content);
}
/* Target */
- else if(strcmp(node[i]->element, xml_ar_location) == 0)
+ else if(strcmp(node[i]->element, xml_ar_location) == 0)
{
tmp_location = strdup(node[i]->content);
}
merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
return(OS_INVALID);
}
-
+
tmp_ar->level = atoi(node[i]->content);
/* Making sure the level is valid */
return(OS_INVALID);
}
}
+ else if(strcmp(node[i]->element, xml_ar_repeated) == 0)
+ {
+ /* Nothing - we deal with it on execd. */
+ rpt = 1;
+ }
else
{
merror(XML_INVELEM, ARGV0, node[i]->element);
return(OS_INVALID);
}
i++;
- }
+ }
/* Checking if ar is disabled */
if(ar_flag == -1)
/* Command and location must be there */
if(!tmp_ar->command || !tmp_location)
{
+ if(rpt == 1)
+ {
+ fclose(fp);
+ return(0);
+ }
merror(AR_MISS, ARGV0);
return(-1);
}
}
/* If we didn't set any value for the location */
- if(tmp_ar->location == 0)
+ if(tmp_ar->location == 0)
{
merror(AR_INV_LOC, ARGV0, tmp_location);
return(-1);
}
- /* cleaning tmp_location */
+ /* cleaning tmp_location */
free(tmp_location);
tmp_location = NULL;
{
ErrorExit(MEM_ERROR, ARGV0);
}
- snprintf(tmp_ar->name, OS_FLSIZE, "%s%d",
+ snprintf(tmp_ar->name, OS_FLSIZE, "%s%d",
tmp_ar->ar_cmd->name,
- tmp_ar->timeout);
+ tmp_ar->timeout);
/* Adding to shared file */
- fprintf(fp, "%s - %s - %d\n",
+ fprintf(fp, "%s - %s - %d\n",
tmp_ar->name,
tmp_ar->ar_cmd->executable,
tmp_ar->timeout);
{
ar_flag|= LOCAL_AR;
}
-
+
/* Closing shared file for active response */
fclose(fp);
tmp_command->timeout_allowed = 0;
- /* Searching for the commands */
+ /* Searching for the commands */
while(node[i])
{
if(!node[i]->element)
merror(XML_VALUENULL, ARGV0, node[i]->element);
return(OS_INVALID);
}
- if(strcmp(node[i]->element, command_name) == 0)
+ if(strcmp(node[i]->element, command_name) == 0)
{
tmp_command->name = strdup(node[i]->content);
}
- else if(strcmp(node[i]->element, command_expect) == 0)
+ else if(strcmp(node[i]->element, command_expect) == 0)
{
tmp_str = strdup(node[i]->content);
}
/* Getting the expect */
- if(OS_Regex("user", tmp_str))
- tmp_command->expect |= USERNAME;
- if(OS_Regex("srcip", tmp_str))
- tmp_command->expect |= SRCIP;
+ if(strlen(tmp_str) >= 4)
+ {
+ if(OS_Regex("user", tmp_str))
+ tmp_command->expect |= USERNAME;
+ if(OS_Regex("srcip", tmp_str))
+ tmp_command->expect |= SRCIP;
+ }
free(tmp_str);
tmp_str = NULL;
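Review bot: The new guard `if(strlen(tmp_str) >= 4)` still dereferences `tmp_str` unconditionally, and within this hunk `tmp_str` is only assigned when an `<expect>` element was seen, so a `<command>` block without `<expect>` reaches `strlen(NULL)` unless a check outside the hunk rules that out; `if(tmp_str && strlen(tmp_str) >= 4)` closes it. In the `repeated_offenders` path, `if(rpt == 1) { fclose(fp); return(0); }` is the only early return that closes `fp` (the adjacent `return(-1)` paths still leak the open file), and it drops `tmp_ar`, allocated earlier in the function, plus whichever of `tmp_ar->command` / `tmp_location` was already strdup'd. The `chmod(DEFAULTARPATH, 0440)` tightening is good, but its return value is ignored; a failed chmod on that shared file should at least be logged with merror. The enclosing functions start and end outside the hunks.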
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/active-response.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#ifndef _CAR__H
#define _CAR__H
{
int expect;
int timeout_allowed;
-
+
char *name;
char *executable;
}ar_command;
char *agent_id;
char *rules_id;
char *rules_group;
-
+
ar_command *ar_cmd;
}active_response;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/agentlessd-config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
agentlessd_config *lessd_config = (agentlessd_config *)config;
-
+
/* Getting any configured entry. */
if(lessd_config->entries)
{
s++;
}
-
+
/* Allocating the memory for the config. */
- os_realloc(lessd_config->entries, (s + 2) * sizeof(agentlessd_entries *),
+ os_realloc(lessd_config->entries, (s + 2) * sizeof(agentlessd_entries *),
lessd_config->entries);
os_calloc(1, sizeof(agentlessd_entries), lessd_config->entries[s]);
lessd_config->entries[s + 1] = NULL;
lessd_config->entries[s]->port = 0;
lessd_config->entries[s]->error_flag = 0;
-
+
/* Reading the XML. */
while(node[i])
{
{
char s_content[1024 +1];
s_content[1024] = '\0';
-
+
/* Getting any configured entry. */
j = 0;
if(lessd_config->entries[s]->server)
j++;
}
- os_realloc(lessd_config->entries[s]->server, (j + 2) *
- sizeof(char *),
+ os_realloc(lessd_config->entries[s]->server, (j + 2) *
+ sizeof(char *),
lessd_config->entries[s]->server);
if(strncmp(node[i]->content, "use_su ", 7) == 0)
{
{
snprintf(s_content, 1024, " %s", node[i]->content);
}
-
- os_strdup(s_content,
+
+ os_strdup(s_content,
lessd_config->entries[s]->server[j]);
lessd_config->entries[s]->server[j + 1] = NULL;
}
script_path[1024] = '\0';
snprintf(script_path, 1024, "%s/%s", AGENTLESSDIRPATH,
node[i]->content);
-
+
if(File_DateofChange(script_path) <= 0)
{
merror("%s: ERROR: Unable to find '%s' at '%s'.",
- ARGV0, node[i]->content, AGENTLESSDIRPATH);
+ ARGV0, node[i]->content, AGENTLESSDIRPATH);
merror(XML_VALUEERR,ARGV0, node[i]->element, node[i]->content);
return(OS_INVALID);
}
merror(XML_INV_MISSOPTS, ARGV0);
return(OS_INVALID);
}
-
-
+
+
if((lessd_config->entries[s]->state == LESSD_STATE_PERIODIC) &&
!lessd_config->entries[s]->frequency)
{
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/agentlessd-config.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
int current_state;
int port;
int error_flag;
-
+
char *type;
char **server;
char *options;
char *command;
-
+
}agentlessd_entries;
-/* Configuration structure. */
+/* Configuration structure. */
typedef struct _agentlessd_config
{
int queue;
char *xml_email_level = "email_alert_level";
char *xml_log_level = "log_alert_level";
+#ifdef GEOIP
+ /* GeoIP */
+ char *xml_log_geoip = "use_geoip";
+#endif
+
_Config *Config;
-
+
Config = (_Config *)configp;
-
+
while(node[i])
{
}
Config->logbylevel = atoi(node[i]->content);
}
+#ifdef GEOIP
+ /* Enable GeoIP */
+ else if(strcmp(node[i]->element, xml_log_geoip) == 0)
+ {
+ if(strcmp(node[i]->content, "yes") == 0)
+ { if(Config) Config->loggeoip = 1;}
+ else if(strcmp(node[i]->content, "no") == 0)
+ {if(Config) Config->loggeoip = 0;}
+ else
+ {
+ merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
+ return(OS_INVALID);
+ }
+
+ }
+#endif
else
{
merror(XML_INVELEM, ARGV0, node[i]->element);
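Review bot: The new `use_geoip` branch guards both assignments with `if(Config)`, while the sibling branch just above dereferences `Config` unconditionally (`Config->logbylevel = atoi(node[i]->content);`), so the guard either hides a real NULL case that the other branches would already crash on or is dead; make the branches agree, most likely plain `Config->loggeoip = 1;` / `Config->loggeoip = 0;`. The one-line `{ if(Config) Config->loggeoip = 1;}` bodies also break the file's brace-on-its-own-line layout. The enclosing function starts and ends outside the hunk.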
#include "os_net/os_net.h"
-int Read_Client(XML_NODE node, void *d1, void *d2)
+int Read_Client(XML_NODE node, void *d1, void *d2)
{
int i = 0;
-
+
/* XML definitions */
char *xml_client_ip = "server-ip";
char *xml_client_hostname = "server-hostname";
char *xml_local_ip = "local_ip";
char *xml_client_port = "port";
char *xml_ar_disabled = "disable-active-response";
+ /* cmoraes */
+ char *xml_profile_name = "config-profile";
agent *logr;
os_realloc(logr->rip, (ip_id + 2) * sizeof(char*), logr->rip);
logr->rip[ip_id] = NULL;
logr->rip[ip_id +1] = NULL;
-
+
os_strdup(node[i]->content, logr->rip[ip_id]);
if(OS_IsValidIP(logr->rip[ip_id], NULL) != 1)
{
os_realloc(logr->rip, (ip_id + 2) * sizeof(char*),
logr->rip);
-
+
s_ip = OS_GetHost(node[i]->content, 5);
if(!s_ip)
{
os_strdup("invalid_ip", s_ip);
}
-
+
f_ip[127] = '\0';
snprintf(f_ip, 127, "%s/%s", node[i]->content, s_ip);
return(OS_INVALID);
}
}
+ /* cmoraes */
+ else if(strcmp(node[i]->element,xml_profile_name) == 0)
+ {
+ /* profile name can be anything hence no validation */
+ os_strdup(node[i]->content, logr->profile);
+ }
else
{
merror(XML_INVELEM, ARGV0, node[i]->element);
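Review bot: `os_strdup(node[i]->content, logr->profile)` overwrites the pointer without freeing it, so a second `<config-profile>` element leaks the first value; since ClientConf initialises `logr->profile = NULL`, a `free(logr->profile);` before the `os_strdup` is enough. The comment "profile name can be anything hence no validation" understates how the value is used: it is apparently persisted through os_write_agent_info() and later fed to `OS_Match2()` against the `profile=` attribute of agent.conf sections, so an empty-content check consistent with the other elements in this loop would be reasonable. The `/* cmoraes */` author tags should become a comment naming the element, e.g. `/* config-profile: name(s) used to select <agent_config profile=...> sections */`. Read_Client continues outside the hunk.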
int execdq;
int rip_id;
char *lip;
- char **rip; /* remote (server) ip */
+ char **rip; /* remote (server) ip */
+ char *profile;
}agent;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/config.c, 2011/11/01 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/* Read the main elements of the configuration.
*/
-int read_main_elements(OS_XML xml, int modules,
- XML_NODE node,
- void *d1,
+int read_main_elements(OS_XML xml, int modules,
+ XML_NODE node,
+ void *d1,
void *d2)
{
int i = 0;
- char *osglobal = "global";
- char *osrules = "rules";
- char *ossyscheck = "syscheck";
- char *osrootcheck = "rootcheck";
- char *osalerts = "alerts";
- char *osemailalerts = "email_alerts";
- char *osdbd = "database_output";
- char *oscsyslogd = "syslog_output";
- char *oscagentless = "agentless";
- char *oslocalfile = "localfile";
- char *osremote = "remote";
- char *osclient = "client";
- char *oscommand = "command";
- char *osreports = "reports";
- char *osactive_response = "active-response";
-
-
+ char *osglobal = "global"; /*Server Config*/
+ char *osrules = "rules"; /*Server Config*/
+ char *ossyscheck = "syscheck"; /*Agent Config*/
+ char *osrootcheck = "rootcheck"; /*Agent Config*/
+ char *osalerts = "alerts"; /*Server Config*/
+ char *osemailalerts = "email_alerts"; /*Server Config*/
+ char *osdbd = "database_output"; /*Server Config*/
+ char *oscsyslogd = "syslog_output"; /*Server Config*/
+ char *oscagentless = "agentless"; /*Server Config*/
+ char *oslocalfile = "localfile"; /*Agent Config*/
+ char *osremote = "remote"; /*Agent Config*/
+ char *osclient = "client"; /*Agent Config*/
+ char *oscommand = "command"; /*? Config*/
+ char *osreports = "reports"; /*Server Config*/
+ char *osactive_response = "active-response"; /*Agent Config*/
+
+
while(node[i])
{
XML_NODE chld_node = NULL;
-
+
chld_node = OS_GetElementsbyNode(&xml,node[i]);
if(!node[i]->element)
}
else if(strcmp(node[i]->element, osglobal) == 0)
{
- if(((modules & CGLOBAL) || (modules & CMAIL))
+ if(((modules & CGLOBAL) || (modules & CMAIL))
&& (Read_Global(chld_node, d1, d2) < 0))
return(OS_INVALID);
}
if((modules & CSYSCHECK) && (Read_Syscheck(chld_node, d1,d2) < 0))
return(OS_INVALID);
if((modules & CGLOBAL) && (Read_GlobalSK(chld_node, d1, d2) < 0))
- return(OS_INVALID);
+ return(OS_INVALID);
}
else if(strcmp(node[i]->element, osrootcheck) == 0)
{
merror(XML_INVELEM, ARGV0, node[i]->element);
return(OS_INVALID);
}
-
+
//printf("before\n");
OS_ClearNode(chld_node);
//printf("after\n");
/* ReadConfig(int modules, char *cfgfile)
* Read the config files
*/
-int ReadConfig(int modules, char *cfgfile, void *d1, void *d2)
+int ReadConfig(int modules, char *cfgfile, void *d1, void *d2)
{
int i;
OS_XML xml;
char *xml_start_ossec = "ossec_config";
char *xml_start_agent = "agent_config";
+ /* Attributes of the <agent_config> tag */
char *xml_agent_name = "name";
char *xml_agent_os = "os";
char *xml_agent_overwrite = "overwrite";
-
+ /* cmoraes */
+ char *xml_agent_profile = "profile";
+
if(OS_ReadXML(cfgfile,&xml) < 0)
{
}
return(OS_INVALID);
}
-
+
node = OS_GetElementsbyNode(&xml, NULL);
if(!node)
return(OS_INVALID);
}
- OS_ClearNode(chld_node);
+ OS_ClearNode(chld_node);
}
}
else if((modules & CAGENT_CONFIG) &&
/* Checking if this is specific to any agent. */
if(node[i]->attributes && node[i]->values)
- {
+ {
while(node[i]->attributes[attrs] && node[i]->values[attrs])
{
+ /* Checking if there is an "name=" attribute */
if(strcmp(xml_agent_name, node[i]->attributes[attrs]) == 0)
{
#ifdef CLIENT
}
#endif
}
+ else if(strcmp(xml_agent_profile, node[i]->attributes[attrs]) == 0)
+ {
+ #ifdef CLIENT
+ char *agentprofile = os_read_agent_profile();
+ debug2("Read agent config profile name [%s]", agentprofile);
+
+ if(!agentprofile)
+ {
+ passed_agent_test = 0;
+ }
+ else
+ {
+ /* match the profile name of this <agent_config> section
+ * with a comma separated list of values in agent's
+ * <config-profile> tag.
+ */
+ if(!OS_Match2(node[i]->values[attrs], agentprofile))
+ {
+ passed_agent_test = 0;
+ debug2("[%s] did not match agent config profile name [%s]",
+ node[i]->values[attrs], agentprofile);
+ }
+ else
+ {
+ debug2("Matched agent config profile name [%s]", agentprofile);
+ }
+ free(agentprofile);
+ }
+ #endif
+ }
+ /* cmoraes: end add */
else if(strcmp(xml_agent_overwrite, node[i]->attributes[attrs]) == 0)
{
}
attrs++;
}
}
+ #ifdef CLIENT
+ else
+ {
+ debug2("agent_config element does not have any attributes.");
+
+ /* if node does not have any attributes, it is a generic config block.
+ * check if agent has a profile name
+ * if agent does not have profile name, then only read this generic
+ * agent_config block
+ */
+
+ if (!os_read_agent_profile())
+ {
+ debug2("but agent has a profile name.");
+ passed_agent_test = 0;
+ }
+ }
+ #endif
-
/* Main element does not need to have any child */
if(chld_node)
{
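Review bot: The debug2 call that follows os_read_agent_profile() in the profile branch formats agentprofile with %s before the NULL check below it, so an agent with no profile hands a NULL pointer to a printf-style formatter (undefined behaviour in C; glibc merely happens to print "(null)") — guard it, e.g. `debug2("Read agent config profile name [%s]", agentprofile ? agentprofile : "(none)");`. In the attribute-less branch the result of the second os_read_agent_profile() call is never freed, although the first branch frees the same return value, so every generic <agent_config> block leaks one allocation; capture it in a local and free it after the test. That branch also reads as inverted relative to its own comment: it clears passed_agent_test when the call returns NULL, i.e. when the agent has no profile, while the comment says the generic block is exactly what a profile-less agent should read — please confirm which is intended. The enclosing ReadConfig loop continues outside this hunk.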
return(OS_INVALID);
}
- OS_ClearNode(chld_node);
+ OS_ClearNode(chld_node);
}
}
else
}
i++;
}
-
+
/* Clearing node and xml */
OS_ClearNode(node);
OS_ClearXML(&xml);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/config.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* online at: http://www.ossec.net/en/licensing.html
*/
-
+
#ifndef _HCONFIG__H
#define _HCONFIG__H
#define CDBD 0002000
#define CSYSLOGD 0004000
#define CAGENTLESS 0020000
-#define CREPORTS 0040000
+#define CREPORTS 0040000
#define CAGENT_CONFIG 0010000
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/csyslogd-config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
GeneralConfig *gen_config = (GeneralConfig *)config;
SyslogConfig **syslog_config = (SyslogConfig **)gen_config->data;
-
+
/* Getting Granular mail_to size */
if(syslog_config)
{
s++;
}
-
+
/* Allocating the memory for the config. */
os_realloc(syslog_config, (s + 2) * sizeof(SyslogConfig *), syslog_config);
os_calloc(1, sizeof(SyslogConfig), syslog_config[s]);
syslog_config[s]->location = NULL;
syslog_config[s]->level = 0;
syslog_config[s]->port = 514;
+ syslog_config[s]->format = DEFAULT_CSYSLOG;
/* local 0 facility (16) + severity 4 - warning. --default */
syslog_config[s]->priority = (16 * 8) + 4;
else if(isdigit((int)*str_pt))
{
int id_i = 0;
-
+
r_id = atoi(str_pt);
debug1("%s: DEBUG: Adding '%d' to syslog alerting",
ARGV0, r_id);
-
+
if(syslog_config[s]->rule_id)
{
while(syslog_config[s]->rule_id[id_i])
id_i++;
}
-
+
os_realloc(syslog_config[s]->rule_id,
(id_i +2) * sizeof(int),
syslog_config[s]->rule_id);
-
+
syslog_config[s]->rule_id[id_i + i] = 0;
syslog_config[s]->rule_id[id_i] = r_id;
-
+
str_pt = strchr(str_pt, ',');
if(str_pt)
{
{
/* Default is full format */
}
+ else if (strcmp(node[i]->content, "cef") == 0)
+ {
+ /* Enable the CEF format */
+ syslog_config[s]->format = CEF_CSYSLOG;
+ }
+ else if (strcmp(node[i]->content, "json") == 0)
+ {
+ /* Enable the JSON format */
+ syslog_config[s]->format = JSON_CSYSLOG;
+ }
+ else if (strcmp(node[i]->content, "splunk") == 0)
+ {
+ /* Enable the Splunk Key/Value format */
+ syslog_config[s]->format = SPLUNK_CSYSLOG;
+ }
else
{
merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
else if(strcmp(node[i]->element, xml_syslog_location) == 0)
{
os_calloc(1, sizeof(OSMatch),syslog_config[s]->location);
- if(!OSMatch_Compile(node[i]->content,
+ if(!OSMatch_Compile(node[i]->content,
syslog_config[s]->location, 0))
{
merror(REGEX_COMPILE, ARGV0, node[i]->content,
else if(strcmp(node[i]->element, xml_syslog_group) == 0)
{
os_calloc(1, sizeof(OSMatch),syslog_config[s]->group);
- if(!OSMatch_Compile(node[i]->content,
+ if(!OSMatch_Compile(node[i]->content,
syslog_config[s]->group, 0))
{
merror(REGEX_COMPILE, ARGV0, node[i]->content,
merror(XML_INV_CSYSLOG, ARGV0);
return(OS_INVALID);
}
-
+
gen_config->data = syslog_config;
return(0);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/csyslogd-config.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#include "shared.h"
-
+
#ifndef _CSYSLOGCONFIG__H
#define _CSYSLOGCONFIG__H
/* Syslog formats. */
#define DEFAULT_CSYSLOG 0
+#define CEF_CSYSLOG 1
+#define JSON_CSYSLOG 2
+#define SPLUNK_CSYSLOG 3
/* Syslog severities */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/dbd-config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
char *xml_dbsock = "socket";
char *xml_dbtype = "type";
-
+
db_config = (DBConfig *)config2;
if(!db_config)
{
}
- /* Reading the xml */
+ /* Reading the xml */
while(node[i])
{
if(!node[i]->element)
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/dbd-config.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#ifndef _DBDCONFIG__H
#define _DBDONFIG__H
char *pass;
char *db;
char *sock;
-
+
void *conn;
void *location_hash;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/email-alerts-config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
char *xml_email_donotgroup = "do_not_group";
MailConfig *Mail;
-
+
Mail = (MailConfig *)mailp;
if(!Mail)
{
if(Mail)
{
- os_realloc(Mail->gran_to,
+ os_realloc(Mail->gran_to,
sizeof(char *)*(granto_size +1), Mail->gran_to);
- os_realloc(Mail->gran_id,
+ os_realloc(Mail->gran_id,
sizeof(int *)*(granto_size +1), Mail->gran_id);
- os_realloc(Mail->gran_level,
+ os_realloc(Mail->gran_level,
sizeof(int)*(granto_size +1), Mail->gran_level);
- os_realloc(Mail->gran_set,
+ os_realloc(Mail->gran_set,
sizeof(int)*(granto_size +1), Mail->gran_set);
- os_realloc(Mail->gran_format,
+ os_realloc(Mail->gran_format,
sizeof(int)*(granto_size +1), Mail->gran_format);
- os_realloc(Mail->gran_location,
+ os_realloc(Mail->gran_location,
sizeof(OSMatch)*(granto_size +1), Mail->gran_location);
- os_realloc(Mail->gran_group,
+ os_realloc(Mail->gran_group,
sizeof(OSMatch)*(granto_size +1), Mail->gran_group);
-
+
Mail->gran_to[granto_size -1] = NULL;
Mail->gran_to[granto_size] = NULL;
-
+
Mail->gran_id[granto_size -1] = NULL;
Mail->gran_id[granto_size] = NULL;
-
+
Mail->gran_location[granto_size -1] = NULL;
Mail->gran_location[granto_size] = NULL;
Mail->gran_group[granto_size -1] = NULL;
Mail->gran_group[granto_size] = NULL;
-
+
Mail->gran_level[granto_size -1] = 0;
Mail->gran_level[granto_size] = 0;
-
- Mail->gran_format[granto_size -1] = FULL_FORMAT;
- Mail->gran_format[granto_size] = FULL_FORMAT;
-
+
+ Mail->gran_format[granto_size -1] = FULL_FORMAT;
+ Mail->gran_format[granto_size] = FULL_FORMAT;
+
Mail->gran_set[granto_size -1] = 0;
Mail->gran_set[granto_size] = 0;
}
-
-
+
+
while(node[i])
{
if(!node[i]->element)
else if(isdigit((int)*str_pt))
{
int id_i = 0;
-
+
r_id = atoi(str_pt);
debug1("%s: DEBUG: Adding '%d' to granular e-mail",
ARGV0, r_id);
-
+
if(!Mail->gran_id[granto_size -1])
{
os_calloc(2,sizeof(int),Mail->gran_id[granto_size -1]);
{
id_i++;
}
-
+
os_realloc(Mail->gran_id[granto_size -1],
(id_i +2) * sizeof(int),
- Mail->gran_id[granto_size -1]);
+ Mail->gran_id[granto_size -1]);
Mail->gran_id[granto_size -1][id_i +1] = 0;
}
Mail->gran_id[granto_size -1][id_i] = r_id;
-
+
str_pt = strchr(str_pt, ',');
if(str_pt)
else if(strcmp(node[i]->element, xml_email_location) == 0)
{
os_calloc(1, sizeof(OSMatch),Mail->gran_location[granto_size -1]);
- if(!OSMatch_Compile(node[i]->content,
+ if(!OSMatch_Compile(node[i]->content,
Mail->gran_location[granto_size -1], 0))
{
merror(REGEX_COMPILE, ARGV0, node[i]->content,
else if(strcmp(node[i]->element, xml_email_group) == 0)
{
os_calloc(1, sizeof(OSMatch),Mail->gran_group[granto_size -1]);
- if(!OSMatch_Compile(node[i]->content,
+ if(!OSMatch_Compile(node[i]->content,
Mail->gran_group[granto_size -1], 0))
{
merror(REGEX_COMPILE, ARGV0, node[i]->content,
merror(XML_INV_GRAN_MAIL, ARGV0);
return(OS_INVALID);
}
-
+
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/global-config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
_Config *Config;
Config = (_Config *)configp;
-
-
+
+
/* Shouldn't be here if !Config */
if(!Config)
return(0);
char *xml_smtpserver = "smtp_server";
char *xml_mailmaxperhour = "email_maxperhour";
+#ifdef GEOIP
+ /* GeoIP */
+ char *xml_geoip_db_path = "geoip_db_path";
+ char *xml_geoip6_db_path = "geoip6_db_path";
+#endif
+
_Config *Config;
MailConfig *Mail;
-
+
Config = (_Config *)configp;
Mail = (MailConfig *)mailp;
-
+
/* Getting right white_size */
if(Config && Config->white_list)
{
ww++;
}
}
-
+
/* Getting right white_size */
if(Config && Config->hostname_white_list)
{
ww++;
}
}
-
+
/* Getting mail_to size */
if(Mail && Mail->to)
{
else if(strcmp(node[i]->element, xml_mailnotify) == 0)
{
if(strcmp(node[i]->content, "yes") == 0)
- {
- if(Config) Config->mailnotify = 1;
+ {
+ if(Config) Config->mailnotify = 1;
if(Mail) Mail->mn = 1;
}
else if(strcmp(node[i]->content, "no") == 0)
- {
- if(Config) Config->mailnotify = 0;
+ {
+ if(Config) Config->mailnotify = 0;
if(Mail) Mail->mn = 0;
}
else
else if(strcmp(node[i]->element, xml_prelude) == 0)
{
if(strcmp(node[i]->content, "yes") == 0)
- {
- if(Config) Config->prelude = 1;
+ {
+ if(Config) Config->prelude = 1;
}
else if(strcmp(node[i]->content, "no") == 0)
- {
- if(Config) Config->prelude = 0;
+ {
+ if(Config) Config->prelude = 0;
}
else
{
char *ip_address_regex =
"^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/?"
"([0-9]{0,2}|[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})$";
-
+
if(Config && OS_PRegex(node[i]->content, ip_address_regex))
{
white_size++;
- Config->white_list =
+ Config->white_list =
realloc(Config->white_list, sizeof(os_ip *)*white_size);
if(!Config->white_list)
{
os_calloc(1, sizeof(os_ip), Config->white_list[white_size -2]);
Config->white_list[white_size -1] = NULL;
-
+
if(!OS_IsValidIP(node[i]->content,
Config->white_list[white_size -2]))
{
- merror(INVALID_IP, ARGV0,
+ merror(INVALID_IP, ARGV0,
node[i]->content);
return(OS_INVALID);
}
Config->hostname_white_list =
realloc(Config->hostname_white_list,
sizeof(OSMatch *)*hostname_white_size);
-
+
if(!Config->hostname_white_list)
{
merror(MEM_ERROR, ARGV0);
return(OS_INVALID);
}
- os_calloc(1,
- sizeof(OSMatch),
+ os_calloc(1,
+ sizeof(OSMatch),
Config->hostname_white_list[hostname_white_size -2]);
Config->hostname_white_list[hostname_white_size -1] = NULL;
if(!OSMatch_Compile(
- node[i]->content,
- Config->hostname_white_list[hostname_white_size -2],
+ node[i]->content,
+ Config->hostname_white_list[hostname_white_size -2],
0))
{
merror(REGEX_COMPILE, ARGV0, node[i]->content,
return(-1);
}
}
-
+
#endif
-
+
}
- /* For the email now
+ /* For the email now
* email_to, email_from, smtp_Server and maxperhour.
* We will use a separate structure for that.
*/
return(OS_INVALID);
}
#endif
-
+
if(Mail)
{
mailto_size++;
return(OS_INVALID);
}
}
- #endif
+ #endif
}
else if(strcmp(node[i]->element, xml_mailmaxperhour) == 0)
{
}
}
}
+#ifdef GEOIP
+ /* GeoIP v4 DB location */
+ else if(strcmp(node[i]->element, xml_geoip_db_path) == 0)
+ {
+ if(Config)
+ {
+ os_strdup(node[i]->content, Config->geoip_db_path);
+ }
+ }
+ /* GeoIP v6 DB location */
+ else if(strcmp(node[i]->element, xml_geoip6_db_path) == 0)
+ {
+ if(Config)
+ {
+ os_strdup(node[i]->content, Config->geoip6_db_path);
+ }
+ }
+#endif
else
{
merror(XML_INVELEM, ARGV0, node[i]->element);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/global-config.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#ifndef _CCONFIG__H
#define _CCONFIG__H
u_int8_t mailbylevel;
u_int8_t logbylevel;
u_int8_t logfw;
-
+
/* Prelude support */
u_int8_t prelude;
/* which min. level the alert must be sent to prelude */
/* Mail alerting */
short int mailnotify;
-
- /* For the active response */
+
+ /* For the active response */
int ar;
-
+
/* For the correlation */
int memorysize;
-
- /* List of files to ignore (syscheck) */
+
+ /* List of files to ignore (syscheck) */
char **syscheck_ignore;
/* List of ips to never block */
/* Global rule hash. */
void *g_rules_hash;
+#ifdef GEOIP
+ /* GeoIP support */
+ u_int8_t loggeoip;
+ char *geoip_db_path;
+ char *geoip6_db_path;
+#endif
+
}_Config;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/localfile-config.c, 2012/03/28 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
-#include "shared.h"
+
+#include "shared.h"
#include "localfile-config.h"
{
int pl = 0;
int i = 0;
-
- int glob_set = 0;
-
+
+ int glob_set = 0;
+
#ifndef WIN32
int glob_offset = 0;
#endif
log_config = (logreader_config *)d1;
- /* If config is not set, we need to create it */
+ /* If config is not set, we need to create it */
if(!log_config->config)
{
os_calloc(2, sizeof(logreader), log_config->config);
{
pl++;
}
-
+
/* Allocating more memory */
os_realloc(logf, (pl +2)*sizeof(logreader), log_config->config);
logf = log_config->config;
logf[pl +1].alias = NULL;
logf[pl +1].logformat = NULL;
}
-
+
logf[pl].file = NULL;
logf[pl].command = NULL;
logf[pl].alias = NULL;
logf[pl].djb_program_name = NULL;
logf[pl].ign = 360;
-
+
/* Searching for entries related to files */
i = 0;
while(node[i])
}
else if(strcmp(node[i]->element,xml_localfile_command) == 0)
{
+ /* We don't accept remote commands from the manager - just in case. */
+ if(log_config->agent_cfg == 1 && log_config->accept_remote == 0)
+ {
+ merror("%s: Remote commands are not accepted from the manager. "
+ "Ignoring it on the agent.conf", ARGV0);
+
+ logf[pl].file = NULL;
+ logf[pl].ffile = NULL;
+ logf[pl].command = NULL;
+ logf[pl].alias = NULL;
+ logf[pl].logformat = NULL;
+ logf[pl].fp = NULL;
+ return(OS_INVALID);
+ }
+
os_strdup(node[i]->content, logf[pl].file);
logf[pl].command = logf[pl].file;
}
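Review bot: The new guard rejects a `<command>` element from a manager-pushed agent.conf with a message saying the entry is being ignored, but it then returns OS_INVALID, which as far as this hunk shows fails the whole Read_Localfile call rather than skipping one entry; either reword the merror to say the configuration is rejected, or skip past the element (`i++; continue;`) if ignoring is the intent. Nulling logf[pl].file/alias/logformat here also drops any strings an earlier sibling element of the same <localfile> already os_strdup'd, without freeing them. The direction is right — a compromised or spoofed manager must not be able to hand the agent an arbitrary command line — but the default of accept_remote is not visible here, so please confirm the agent initialises it to 0 and that it cannot itself be toggled from the remotely delivered agent.conf. The enclosing loop continues beyond this hunk.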
/* Expand variables on Windows. */
if(strchr(node[i]->content, '%'))
{
- int expandreturn = 0;
+ int expandreturn = 0;
char newfile[OS_MAXSTR +1];
newfile[OS_MAXSTR] = '\0';
- expandreturn = ExpandEnvironmentStrings(node[i]->content,
+ expandreturn = ExpandEnvironmentStrings(node[i]->content,
newfile, OS_MAXSTR);
if((expandreturn > 0) && (expandreturn < OS_MAXSTR))
os_strdup(newfile, node[i]->content);
}
- }
+ }
#endif
* We will call this file multiple times until
* there is no one else available.
*/
- #ifndef WIN32 /* No windows support for glob */
+ #ifndef WIN32 /* No windows support for glob */
if(strchr(node[i]->content, '*') ||
strchr(node[i]->content, '?') ||
strchr(node[i]->content, '['))
{
glob_t g;
-
+
/* Setting ot the first entry of the glob */
if(glob_set == 0)
glob_set = pl +1;
-
+
if(glob(node[i]->content, 0, NULL, &g) != 0)
{
merror(GLOB_ERROR, ARGV0, node[i]->content);
i++;
continue;
}
-
+
/* Checking for the last entry */
if((g.gl_pathv[glob_offset]) == NULL)
{
os_strdup(g.gl_pathv[glob_offset], logf[pl].file);
}
-
+
glob_offset++;
globfree(&g);
pl++;
os_realloc(logf, (pl +2)*sizeof(logreader), log_config->config);
logf = log_config->config;
-
+
logf[pl].file = NULL;
logf[pl].alias = NULL;
logf[pl].logformat = NULL;
logf[pl].fp = NULL;
logf[pl].ffile = NULL;
-
+
logf[pl +1].file = NULL;
logf[pl +1].alias = NULL;
logf[pl +1].logformat = NULL;
}
else if(strchr(node[i]->content, '%'))
#else
- if(strchr(node[i]->content, '%'))
+ if(strchr(node[i]->content, '%'))
#endif /* WIN32 */
/* We need the format file (based on date) */
os_strdup(node[i]->content, logf[pl].ffile);
os_strdup(node[i]->content, logf[pl].file);
}
-
-
+
+
/* Normal file */
else
{
else if(strcmp(logf[pl].logformat, "mysql_log") == 0)
{
}
+ else if(strcmp(logf[pl].logformat, "ossecalert") == 0)
+ {
+ }
else if(strcmp(logf[pl].logformat, "mssql_log") == 0)
{
}
while(logf[pl].logformat[0] == ' ')
logf[pl].logformat++;
-
+
if(logf[pl].logformat[0] != ':')
{
merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
while(*logf[pl].logformat == ' ')
logf[pl].logformat++;
-
- while(logf[pl].logformat[x] >= '0' && logf[pl].logformat[x] <= '9')
+
+ while(logf[pl].logformat[x] >= '0' && logf[pl].logformat[x] <= '9')
x++;
while(logf[pl].logformat[x] == ' ')
if(glob_set)
{
char *format;
-
+
/* Getting log format */
if(logf[pl].logformat)
{
merror(MISS_FILE, ARGV0);
return(OS_INVALID);
}
-
+
if(logf[i].logformat == NULL)
{
logf[i].logformat = format;
merror(MISS_FILE, ARGV0);
return(OS_INVALID);
}
-
+
/* Verifying a valid event log config */
if(strcmp(logf[pl].logformat, EVENTLOG) == 0)
{
}
if((strcmp(logf[pl].logformat, "command") == 0)||
- (strcmp(logf[pl].logformat, "full_command") == 0))
+ (strcmp(logf[pl].logformat, "full_command") == 0))
{
if(!logf[pl].command)
{
#define __CLOGREADER_H
#define EVENTLOG "eventlog"
-#define VCHECK_FILES 64
+#define VCHECK_FILES 64
#define DATE_MODIFIED 1
{
unsigned int size;
int ign;
-
+
#ifdef WIN32
HANDLE h;
int fd;
#else
ino_t fd;
#endif
-
-
- /* ffile - format file is only used when
+
+
+ /* ffile - format file is only used when
* the file has format string to retrieve
* the date,
- */
- char *ffile;
+ */
+ char *ffile;
char *file;
char *logformat;
char *djb_program_name;
char *command;
- char *alias;
+ char *alias;
void (*read)(int i, int *rc, int drop_it);
typedef struct _logreader_config
{
+ int agent_cfg;
+ int accept_remote;
logreader *config;
}logreader_config;
* Foundation
*/
-
+
#ifndef _MCCONFIG__H
#define _MCCONFIG__H
int *gran_set;
int *gran_format;
char **gran_to;
+
+#ifdef GEOIP
+ /* Use GeoIP */
+ int geoip;
+#endif
+
OSMatch **gran_location;
OSMatch **gran_group;
}MailConfig;
/* Remote options */
char *xml_remote_port = "port";
char *xml_remote_proto = "protocol";
+ char *xml_remote_ipv6 = "ipv6";
char *xml_remote_connection = "connection";
char *xml_remote_lip = "local_ip";
while(logr->denyips[deny_size -1])
deny_size++;
}
-
-
+
+
/* conn and port must not be null */
if(!logr->conn)
{
os_calloc(1, sizeof(int), logr->proto);
logr->proto[0] = 0;
}
+ if(!logr->ipv6)
+ {
+ os_calloc(1, sizeof(int), logr->ipv6);
+ logr->ipv6[0] = 0;
+ }
if(!logr->lip)
{
os_calloc(1, sizeof(char *), logr->lip);
logr->lip[0] = NULL;
}
-
-
+
+
/* Cleaning */
while(logr->conn[pl] != 0)
pl++;
logr->port = realloc(logr->port, sizeof(int)*(pl +2));
logr->conn = realloc(logr->conn, sizeof(int)*(pl +2));
logr->proto = realloc(logr->proto, sizeof(int)*(pl +2));
+ logr->ipv6 = realloc(logr->ipv6, sizeof(int)*(pl +2));
logr->lip = realloc(logr->lip, sizeof(char *)*(pl +2));
if(!logr->port || !logr->conn || !logr->proto || !logr->lip)
{
merror(MEM_ERROR, ARGV0);
}
-
+
logr->port[pl] = 0;
logr->conn[pl] = 0;
logr->proto[pl] = 0;
+ logr->ipv6[pl] = 0;
logr->lip[pl] = NULL;
-
+
logr->port[pl +1] = 0;
logr->conn[pl +1] = 0;
logr->proto[pl +1] = 0;
+ logr->ipv6[pl +1] = 0;
logr->lip[pl +1] = NULL;
-
+
while(node[i])
{
if(!node[i]->element)
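Review bot: logr->ipv6 is reallocated next to port/conn/proto/lip but is missing from the NULL check that follows, so an allocation failure for it goes unnoticed and `logr->ipv6[pl] = 0;` a few lines later writes through a NULL pointer; extend the check to `if(!logr->port || !logr->conn || !logr->proto || !logr->ipv6 || !logr->lip)`. The `p = realloc(p, ...)` form also loses the old block on failure for all five arrays, and as shown here the failure path only logs MEM_ERROR and carries on, so consider returning OS_INVALID there. Read_Remote continues outside this hunk.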
return(OS_INVALID);
}
}
+ else if(strcasecmp(node[i]->element,xml_remote_ipv6) == 0)
+ {
+ if(strcasecmp(node[i]->content, "yes") == 0)
+ {
+ logr->ipv6[pl] = 1;
+ }
+ }
else if(strcasecmp(node[i]->element,xml_remote_lip) == 0)
{
os_strdup(node[i]->content,logr->lip[pl]);
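Review bot: The new `ipv6` element only recognises "yes"; any other content, including a typo such as "true", silently leaves the option off, whereas the other yes/no options in this config tree reject unknown values with XML_VALUEERR and return OS_INVALID (see the rootcheck parser in this same change). Add an explicit `no` branch and an error branch: `else if(strcasecmp(node[i]->content, "no") == 0) logr->ipv6[pl] = 0; else { merror(XML_VALUEERR, ARGV0, node[i]->element, node[i]->content); return(OS_INVALID); }`. The enclosing while loop starts and ends outside this hunk.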
os_calloc(1, sizeof(os_ip), logr->allowips[allow_size -2]);
logr->allowips[allow_size -1] = NULL;
-
+
if(!OS_IsValidIP(node[i]->content,logr->allowips[allow_size -2]))
{
merror(INVALID_IP, ARGV0, node[i]->content);
{
deny_size++;
logr->denyips = realloc(logr->denyips,sizeof(os_ip *)*deny_size);
- if(!logr->denyips)
+ if(!logr->denyips)
{
merror(MEM_ERROR, ARGV0);
return(OS_INVALID);
merror(CONN_ERROR, ARGV0);
return(OS_INVALID);
}
-
+
/* Set port in here */
if(logr->port[pl] == 0)
{
if(logr->conn[pl] == SECURE_CONN)
logr->port[pl] = DEFAULT_SECURE;
else
- logr->port[pl] = DEFAULT_SYSLOG;
+ logr->port[pl] = DEFAULT_SYSLOG;
}
/* set default protocol */
{
logr->proto[pl] = UDP_PROTO;
}
-
+
return(0);
}
#define __CLOGREMOTE_H
-#define SYSLOG_CONN 1
+#define SYSLOG_CONN 1
#define SECURE_CONN 2
#define UDP_PROTO 6
#define TCP_PROTO 17
int *proto;
int *port;
int *conn;
+ int *ipv6;
char **lip;
os_ip **allowips;
int m_queue;
int sock;
- socklen_t peer_size;
+ socklen_t peer_size;
}remoted;
#endif
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/reports-config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
monitor_config *mon_config = (monitor_config *)config;
-
+
/* Getting any configured entry. */
if(mon_config->reports)
{
s++;
}
-
+
/* Allocating the memory for the config. */
- os_realloc(mon_config->reports, (s + 2) * sizeof(report_config *),
+ os_realloc(mon_config->reports, (s + 2) * sizeof(report_config *),
mon_config->reports);
os_calloc(1, sizeof(report_config), mon_config->reports[s]);
mon_config->reports[s + 1] = NULL;
mon_config->reports[s]->r_filter.show_alerts = 0;
-
+
/* Reading the XML. */
while(node[i])
{
os_strdup(node[i]->content, ncat);
- if(os_report_configfilter(node[i]->element, ncat,
+ if(os_report_configfilter(node[i]->element, ncat,
&mon_config->reports[s]->r_filter, reportf) < 0)
{
merror("%s: Invalid filter: %s:%s (ignored).", __local_name, node[i]->element, node[i]->content);
if(mon_config->reports[s]->title)
merror("%s: No \"email to\" configured for the report '%s'. Ignoring it.", __local_name, mon_config->reports[s]->title);
else
- merror("%s: No \"email to\" and title configured for report. Ignoring it.", __local_name);
+ merror("%s: No \"email to\" and title configured for report. Ignoring it.", __local_name);
}
if(!mon_config->reports[s]->title)
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/reports-config.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
char **emailto;
report_filter r_filter;
}report_config;
-
+
typedef struct _monitor_config
{
short int day_wait;
#include "rootcheck-config.h"
+short eval_bool(char *str)
+{
+ if (str == NULL)
+ return(OS_INVALID);
+ else if (strcmp(str, "yes") == 0)
+ return(1);
+ else if (strcmp(str, "no") == 0)
+ return(0);
+ else
+ return(OS_INVALID);
+}
+
/* Read_Rootcheck: Reads the rootcheck config
*/
-int Read_Rootcheck(XML_NODE node, void *configp, void *mailp)
+int Read_Rootcheck(XML_NODE node, void *configp, void *mailp)
{
int i = 0;
-
+
rkconfig *rootcheck;
-
+
/* XML Definitions */
char *xml_rootkit_files = "rootkit_files";
char *xml_rootkit_trojans = "rootkit_trojans";
char *xml_base_dir = "base_directory";
char *xml_ignore = "ignore";
+ char *xml_check_dev = "check_dev";
+ char *xml_check_files = "check_files";
+ char *xml_check_if = "check_if";
+ char *xml_check_pids = "check_pids";
+ char *xml_check_ports = "check_ports";
+ char *xml_check_sys = "check_sys";
+ char *xml_check_trojans = "check_trojans";
+ char *xml_check_unixaudit = "check_unixaudit";
+ char *xml_check_winapps = "check_winapps";
+ char *xml_check_winaudit = "check_winaudit";
+ char *xml_check_winmalware = "check_winmalware";
rootcheck = (rkconfig *)configp;
-
+
while(node[i])
{
if(!node[i]->element)
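Review bot: eval_bool is defined with external linkage in a config source file; make it `static short eval_bool(const char *str)` so it cannot collide with another eval_bool linked into the same binary and so callers may pass const strings. Its OS_INVALID sentinel only works if every field it is assigned to is signed and wide enough to hold that value — the new checks.* fields are short, which is fine, but scanall/disabled/readall are declared outside this hunk, so please confirm none of them is an unsigned type, otherwise the `== OS_INVALID` comparisons can never be true and a bad value is accepted silently. Read_Rootcheck continues beyond this hunk.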
/* getting scan all */
else if(strcmp(node[i]->element,xml_scanall) == 0)
{
- if(strcmp(node[i]->content, "yes") == 0)
- rootcheck->scanall = 1;
- else if(strcmp(node[i]->content, "no") == 0)
- rootcheck->scanall = 0;
- else
+ rootcheck->scanall = eval_bool(node[i]->content);
+ if (rootcheck->scanall == OS_INVALID)
{
merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
return(OS_INVALID);
}
else if(strcmp(node[i]->element, xml_disabled) == 0)
{
- if(strcmp(node[i]->content, "yes") == 0)
- rootcheck->disabled = 1;
- else if(strcmp(node[i]->content, "no") == 0)
- rootcheck->disabled = 0;
- else
+ rootcheck->disabled = eval_bool(node[i]->content);
+ if (rootcheck->disabled == OS_INVALID)
{
merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
return(OS_INVALID);
}
else if(strcmp(node[i]->element,xml_readall) == 0)
{
- if(strcmp(node[i]->content, "yes") == 0)
- rootcheck->readall = 1;
- else if(strcmp(node[i]->content, "no") == 0)
- rootcheck->readall = 0;
- else
+ rootcheck->readall = eval_bool(node[i]->content);
+ if (rootcheck->readall == OS_INVALID)
{
merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
return(OS_INVALID);
int j = 0;
while(rootcheck->unixaudit && rootcheck->unixaudit[j])
j++;
-
- os_realloc(rootcheck->unixaudit, sizeof(char *)*(j+2),
+
+ os_realloc(rootcheck->unixaudit, sizeof(char *)*(j+2),
rootcheck->unixaudit);
rootcheck->unixaudit[j] = NULL;
rootcheck->unixaudit[j + 1] = NULL;
-
+
os_strdup(node[i]->content, rootcheck->unixaudit[j]);
}
else if(strcmp(node[i]->element, xml_ignore) == 0)
int j = 0;
while(rootcheck->ignore && rootcheck->ignore[j])
j++;
-
- os_realloc(rootcheck->ignore, sizeof(char *)*(j+2),
+
+ os_realloc(rootcheck->ignore, sizeof(char *)*(j+2),
rootcheck->ignore);
rootcheck->ignore[j] = NULL;
rootcheck->ignore[j + 1] = NULL;
-
+
os_strdup(node[i]->content, rootcheck->ignore[j]);
}
else if(strcmp(node[i]->element, xml_winmalware) == 0)
{
os_strdup(node[i]->content, rootcheck->basedir);
}
+ else if (strcmp(node[i]->element, xml_check_dev) == 0)
+ {
+ rootcheck->checks.rc_dev = eval_bool(node[i]->content);
+ if (rootcheck->checks.rc_dev == OS_INVALID)
+ {
+ merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
+ return(OS_INVALID);
+ }
+ }
+ else if (strcmp(node[i]->element, xml_check_files) == 0)
+ {
+ rootcheck->checks.rc_files = eval_bool(node[i]->content);
+ if (rootcheck->checks.rc_files == OS_INVALID)
+ {
+ merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
+ return(OS_INVALID);
+ }
+ }
+ else if (strcmp(node[i]->element, xml_check_if) == 0)
+ {
+ rootcheck->checks.rc_if = eval_bool(node[i]->content);
+ if (rootcheck->checks.rc_if == OS_INVALID)
+ {
+ merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
+ return(OS_INVALID);
+ }
+ }
+ else if (strcmp(node[i]->element, xml_check_pids) == 0)
+ {
+ rootcheck->checks.rc_pids = eval_bool(node[i]->content);
+ if (rootcheck->checks.rc_pids == OS_INVALID)
+ {
+ merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
+ return(OS_INVALID);
+ }
+ }
+ else if (strcmp(node[i]->element, xml_check_ports) == 0)
+ {
+ rootcheck->checks.rc_ports = eval_bool(node[i]->content);
+ if (rootcheck->checks.rc_ports == OS_INVALID)
+ {
+ merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
+ return(OS_INVALID);
+ }
+ }
+ else if (strcmp(node[i]->element, xml_check_sys) == 0)
+ {
+ rootcheck->checks.rc_sys = eval_bool(node[i]->content);
+ if (rootcheck->checks.rc_sys == OS_INVALID)
+ {
+ merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
+ return(OS_INVALID);
+ }
+ }
+ else if (strcmp(node[i]->element, xml_check_trojans) == 0)
+ {
+ rootcheck->checks.rc_trojans = eval_bool(node[i]->content);
+ if (rootcheck->checks.rc_trojans == OS_INVALID)
+ {
+ merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
+ return(OS_INVALID);
+ }
+ }
+ else if (strcmp(node[i]->element, xml_check_unixaudit) == 0)
+ {
+ #ifndef WIN32
+ rootcheck->checks.rc_unixaudit = eval_bool(node[i]->content);
+ if (rootcheck->checks.rc_unixaudit == OS_INVALID)
+ {
+ merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
+ return(OS_INVALID);
+ }
+ #endif
+ }
+ else if (strcmp(node[i]->element, xml_check_winapps) == 0)
+ {
+ #ifdef WIN32
+ rootcheck->checks.rc_winapps = eval_bool(node[i]->content);
+ if (rootcheck->checks.rc_winapps == OS_INVALID)
+ {
+ merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
+ return(OS_INVALID);
+ }
+ #endif
+ }
+ else if (strcmp(node[i]->element, xml_check_winaudit) == 0)
+ {
+ #ifdef WIN32
+ rootcheck->checks.rc_winaudit = eval_bool(node[i]->content);
+ if (rootcheck->checks.rc_winaudit == OS_INVALID)
+ {
+ merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
+ return(OS_INVALID);
+ }
+ #endif
+ }
+ else if (strcmp(node[i]->element, xml_check_winmalware) == 0)
+ {
+ #ifdef WIN32
+ rootcheck->checks.rc_winmalware = eval_bool(node[i]->content);
+ if (rootcheck->checks.rc_winmalware == OS_INVALID)
+ {
+ merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
+ return(OS_INVALID);
+ }
+ #endif
+ }
else
{
merror(XML_INVELEM, ARGV0, node[i]->element);
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#ifndef __CROOTCHECK_H
int time;
int queue;
+
+ struct _checks
+ {
+ short rc_dev;
+ short rc_files;
+ short rc_if;
+ short rc_pids;
+ short rc_ports;
+ short rc_sys;
+ short rc_trojans;
+
+ #ifdef WIN32
+
+ short rc_winaudit;
+ short rc_winmalware;
+ short rc_winapps;
+
+ #else
+
+ short rc_unixaudit;
+
+ #endif
+
+
+ } checks;
+
}rkconfig;
#endif
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/rules-config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/* Functions to handle the configuration files
*/
-
+#include "config.h"
#include "shared.h"
#include "global-config.h"
-static int cmpr(const void *a, const void *b) {
+static int cmpr(const void *a, const void *b) {
/*printf("%s - %s\n", *(char **)a, *(char **)b);*/
return strcmp(*(char **)a, *(char **)b);
}
static int file_in_list(int list_size, char *f_name, char *d_name, char **alist)
{
- int i = 0;
+ int i = 0;
for(i=0; i<(list_size-1); i++)
{
if((strcmp(alist[i], f_name) == 0 || strcmp(alist[i], d_name) == 0))
return(1);
}
}
- return(0);
+ return(0);
}
int Read_Rules(XML_NODE node, void *configp, void *mailp)
{
int i = 0;
+ int ii = 0;
int rules_size = 1;
int lists_size = 1;
int decoders_size = 1;
-
+
char path[PATH_MAX +2];
char f_name[PATH_MAX +2];
- int start_point = 0;
+ int start_point = 0;
int att_count = 0;
struct dirent *entry;
- DIR *dfd;
- OSRegex regex;
+ DIR *dfd;
+ OSRegex regex;
/* XML definitions */
char *xml_rules_rule = "rule";
char *xml_rules_rules_dir = "rule_dir";
char *xml_rules_lists = "list";
- char *xml_rules_lists_dir = "list_dir";
char *xml_rules_decoders = "decoder";
char *xml_rules_decoders_dir = "decoder_dir";
_Config *Config;
-
+
Config = (_Config *)configp;
-
+
+ /* initialise OSRegex */
+ regex.patterns = NULL;
+ regex.prts_closure = NULL;
+ regex.prts_str = NULL;
+ regex.sub_strings = NULL;
+
while(node[i])
{
if(!node[i]->element)
return(OS_INVALID);
}
/* Mail notification */
- else if((strcmp(node[i]->element, xml_rules_include) == 0) ||
+ else if((strcmp(node[i]->element, xml_rules_include) == 0) ||
(strcmp(node[i]->element, xml_rules_rule) == 0))
{
rules_size++;
- Config->includes = realloc(Config->includes,
+ Config->includes = realloc(Config->includes,
sizeof(char *)*rules_size);
if(!Config->includes)
{
snprintf(f_name, PATH_MAX +1, "%s/%s", node[i]->content, entry->d_name);
/* Just ignore . and .. */
- if((strcmp(entry->d_name,".") == 0) || (strcmp(entry->d_name,"..") == 0))
+ if((strcmp(entry->d_name,".") == 0) || (strcmp(entry->d_name,"..") == 0))
continue;
/* no dups allowed */
if(!Config->decoders)
{
merror(MEM_ERROR, ARGV0);
+ OSRegex_FreePattern(®ex);
return(-1);
}
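Review bot: The new `OSRegex_FreePattern(&regex)` calls (this page renders the argument as `®ex`, an HTML-entity mangling of `&regex`) cover the MEM_ERROR and XML_INVELEM exits, but the `return(OS_INVALID)` at the top of the loop body, taken when `node[i]->element` is NULL, still returns without freeing, and if a pattern compiled in an earlier `rule_dir`/`decoder_dir` iteration is still live at that point it leaks. That path should get the same treatment, `OSRegex_FreePattern(&regex); return(OS_INVALID);`. Whether the normal completion of Read_Rules frees the pattern is outside this view. The NULL-initialisation of the four OSRegex fields near the top is what makes an early free safe before any compile; a one-line comment saying so there would stop someone "simplifying" it away.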
debug1("Regex does not match \"%s\"", f_name);
}
}
-
+
closedir(dfd);
/* Sort just then newly added items */
qsort(Config->decoders + start_point , decoders_size- start_point -1, sizeof(char *), cmpr);
}
- int ii=0;
debug1("decoders_size %d", decoders_size);
for(ii=0;ii<decoders_size-1;ii++)
debug1("- %s", Config->decoders[ii]);
snprintf(f_name, PATH_MAX +1, "%s/%s", node[i]->content, entry->d_name);
/* Just ignore . and .. */
- if((strcmp(entry->d_name,".") == 0) || (strcmp(entry->d_name,"..") == 0))
+ if((strcmp(entry->d_name,".") == 0) || (strcmp(entry->d_name,"..") == 0))
continue;
/* no dups allowed */
if(!Config->includes)
{
merror(MEM_ERROR, ARGV0);
+ OSRegex_FreePattern(®ex);
return(-1);
}
debug1("Regex does not match \"%s\"", f_name);
}
}
-
+
closedir(dfd);
/* Sort just then newly added items */
qsort(Config->includes + start_point , rules_size - start_point -1, sizeof(char *), cmpr);
else
{
merror(XML_INVELEM, ARGV0, node[i]->element);
+ OSRegex_FreePattern(®ex);
return(OS_INVALID);
}
i++;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/syscheck-config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int dump_syscheck_entry(config *syscheck, char *entry, int vals, int reg, char *restrictfile)
{
int pl = 0;
-
+
if(reg == 1)
{
#ifdef WIN32
{
os_calloc(2, sizeof(char *), syscheck->registry);
syscheck->registry[pl + 1] = NULL;
- os_strdup(entry, syscheck->registry[pl]);
+ os_strdup(entry, syscheck->registry[pl]);
}
else
{
{
pl++;
}
- os_realloc(syscheck->registry, (pl +2) * sizeof(char *),
+ os_realloc(syscheck->registry, (pl +2) * sizeof(char *),
syscheck->registry);
syscheck->registry[pl + 1] = NULL;
os_strdup(entry, syscheck->registry[pl]);
}
#endif
-
+
}
-
+
else
{
if(syscheck->dir == NULL)
os_calloc(2, sizeof(int), syscheck->opts);
syscheck->opts[pl + 1] = 0;
syscheck->opts[pl] = vals;
-
+
os_calloc(2, sizeof(OSMatch *), syscheck->filerestrict);
syscheck->filerestrict[pl] = NULL;
syscheck->filerestrict[pl + 1] = NULL;
{
pl++;
}
- os_realloc(syscheck->dir, (pl +2) * sizeof(char *),
+ os_realloc(syscheck->dir, (pl +2) * sizeof(char *),
syscheck->dir);
syscheck->dir[pl + 1] = NULL;
os_strdup(entry, syscheck->dir[pl]);
- os_realloc(syscheck->opts, (pl +2) * sizeof(int),
+ os_realloc(syscheck->opts, (pl +2) * sizeof(int),
syscheck->opts);
syscheck->opts[pl + 1] = 0;
- syscheck->opts[pl] = vals;
+ syscheck->opts[pl] = vals;
- os_realloc(syscheck->filerestrict, (pl +2) * sizeof(char *),
+ os_realloc(syscheck->filerestrict, (pl +2) * sizeof(char *),
syscheck->filerestrict);
syscheck->filerestrict[pl] = NULL;
syscheck->filerestrict[pl + 1] = NULL;
char **entry;
char *tmp_str;
-
+
/* Getting each entry separately */
entry = OS_StrBreak(',', entries, MAX_DIR_SIZE); /* Max number */
{
int str_len_i;
int str_len_dir;
-
+
str_len_dir = strlen(tmp_entry);
str_len_i = strlen(syscheck->registry[i]);
-
+
if(str_len_dir > str_len_i)
{
str_len_dir = str_len_i;
}
i++;
}
-
+
/* Adding new entry */
dump_syscheck_entry(syscheck, tmp_entry, 0, 1, NULL);
-
-
+
+
/* Next entry */
- entry++;
+ entry++;
}
-
+
return(1);
}
#endif /* For read_reg */
-/* Read directories attributes */
+/* Read directories attributes */
int read_attr(config *syscheck, char *dirs, char **g_attrs, char **g_values)
{
char *xml_check_all = "check_all";
char **dir;
char *tmp_str;
dir = OS_StrBreak(',', dirs, MAX_DIR_SIZE); /* Max number */
+ char **dir_org = dir;
+
+ int ret = 0, i;
/* Dir can not be null */
if(dir == NULL)
char **attrs = NULL;
char **values = NULL;
-
+
tmp_dir = *dir;
restrictfile = NULL;
if(!g_attrs || !g_values)
{
merror(SYSCHECK_NO_OPT, ARGV0, dirs);
- return(0);
+ ret = 0;
+ goto out_free;
}
attrs = g_attrs;
else
{
merror(SK_INV_OPT, ARGV0, *values, *attrs);
- return(0);
+ ret = 0;
+ goto out_free;
}
}
/* Checking sum */
else
{
merror(SK_INV_OPT, ARGV0, *values, *attrs);
- return(0);
+ ret = 0;
+ goto out_free;
}
}
/* Checking md5sum */
else
{
merror(SK_INV_OPT, ARGV0, *values, *attrs);
- return(0);
+ ret = 0;
+ goto out_free;
}
}
/* Checking sha1sum */
else
{
merror(SK_INV_OPT, ARGV0, *values, *attrs);
- return(0);
+ ret = 0;
+ goto out_free;
}
}
/* Checking permission */
else
{
merror(SK_INV_OPT, ARGV0, *values, *attrs);
- return(0);
+ ret = 0;
+ goto out_free;
}
}
/* Checking size */
else
{
merror(SK_INV_OPT, ARGV0, *values, *attrs);
- return(0);
+ ret = 0;
+ goto out_free;
}
}
/* Checking owner */
else
{
merror(SK_INV_OPT, ARGV0, *values, *attrs);
- return(0);
+ ret = 0;
+ goto out_free;
}
}
/* Checking group */
else
{
merror(SK_INV_OPT, ARGV0, *values, *attrs);
- return(0);
+ ret = 0;
+ goto out_free;
}
}
else if(strcmp(*attrs, xml_real_time) == 0)
else
{
merror(SK_INV_OPT, ARGV0, *values, *attrs);
- return(0);
+ ret = 0;
+ goto out_free;
}
}
else if(strcmp(*attrs, xml_report_changes) == 0)
else
{
merror(SK_INV_OPT, ARGV0, *values, *attrs);
- return(0);
+ ret = 0;
+ goto out_free;
}
}
else if(strcmp(*attrs, xml_restrict) == 0)
else
{
merror(SK_INV_ATTR, ARGV0, *attrs);
- return(0);
+ ret = 0;
+ goto out_free;
}
attrs++; values++;
}
{
merror(SYSCHECK_NO_OPT, ARGV0, dirs);
if(restrictfile) free(restrictfile);
- return(0);
+ ret = 0;
+ goto out_free;
}
-
-
+
+
/* Adding directory - looking for the last available */
i = 0;
while(syscheck->dir && syscheck->dir[i])
{
int str_len_i;
int str_len_dir;
-
+
str_len_dir = strlen(tmp_dir);
str_len_i = strlen(syscheck->dir[i]);
-
+
if(str_len_dir > str_len_i)
{
str_len_dir = str_len_i;
if(strcmp(syscheck->dir[i], tmp_dir) == 0)
{
merror(SK_DUP, ARGV0, tmp_dir);
- return(1);
+ ret = 1;
+ goto out_free;
}
i++;
if(glob(tmp_dir, 0, NULL, &g) != 0)
{
merror(GLOB_ERROR, ARGV0, tmp_dir);
- return(1);
+ ret = 1;
+ goto out_free;
}
if(g.gl_pathv[0] == NULL)
{
merror(GLOB_NFOUND, ARGV0, tmp_dir);
- return(1);
+ ret = 1;
+ goto out_free;
}
-
+
while(g.gl_pathv[gindex])
{
dump_syscheck_entry(syscheck, g.gl_pathv[gindex], opts, 0, restrictfile);
gindex++;
}
-
+
globfree(&g);
}
free(restrictfile);
restrictfile = NULL;
}
-
-
+
+
/* Next entry */
- dir++;
+ dir++;
}
-
- return(1);
+
+ ret = 1;
+
+out_free:
+
+ i = 0;
+ while(dir_org[i])
+ free(dir_org[i++]);
+
+ free(dir_org);
+
+ return ret;
}
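Review bot: The `out_free` exit releases the `OS_StrBreak` array but not `restrictfile`, which the success path frees only at the bottom of the per-directory loop, so every `SK_INV_OPT`/`SK_INV_ATTR` goto inside the attribute loop and the `SK_DUP`, `GLOB_ERROR` and `GLOB_NFOUND` gotos after it leak it whenever a `restrict` attribute has already been parsed (the `xml_restrict` branch body is not visible; I am inferring the allocation from the `free(restrictfile)` on the success path and the explicit free before the `SYSCHECK_NO_OPT` goto). If `restrictfile` is declared at function scope, a single `free(restrictfile);` in `out_free` fixes all of these and makes the pre-goto free redundant. Also check what the `if(dir == NULL)` branch near the top of read_attr does: if it jumps to `out_free`, `dir_org[0]` dereferences NULL. read_attr spans several hunks on this page; this note is on the last one.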
char *xml_alert_new_files = "alert_new_files";
char *xml_disabled = "disabled";
char *xml_scan_on_start = "scan_on_start";
+ char *xml_prefilter_cmd = "prefilter_cmd";
- /* Configuration example
+ /* Configuration example
<directories check_all="yes">/etc,/usr/bin</directories>
- <directories check_owner="yes" check_group="yes" check_perm="yes"
+ <directories check_owner="yes" check_group="yes" check_perm="yes"
check_sum="yes">/var/log</directories>
*/
config *syscheck;
syscheck = (config *)configp;
-
-
+
+
while(node[i])
{
if(!node[i]->element)
else if(strcmp(node[i]->element,xml_directories) == 0)
{
char dirs[OS_MAXSTR];
-
+
#ifdef WIN32
ExpandEnvironmentStrings(node[i]->content, dirs, sizeof(dirs) -1);
#else
strncpy(dirs, node[i]->content, sizeof(dirs) -1);
#endif
-
+
if(!read_attr(syscheck,
- dirs,
- node[i]->attributes,
+ dirs,
+ node[i]->attributes,
node[i]->values))
{
return(OS_INVALID);
}
/* Getting frequency */
else if(strcmp(node[i]->element,xml_time) == 0)
- {
+ {
if(!OS_StrIsNum(node[i]->content))
{
merror(XML_VALUEERR,ARGV0,node[i]->element,node[i]->content);
return(OS_INVALID);
}
}
-
+
/* Getting if xml_scan_on_start. */
else if(strcmp(node[i]->element, xml_scan_on_start) == 0)
{
return(OS_INVALID);
}
}
-
+
/* Getting if disabled. */
else if(strcmp(node[i]->element,xml_disabled) == 0)
{
return(OS_INVALID);
}
}
-
+
/* Getting file/dir ignore */
else if(strcmp(node[i]->element,xml_ignore) == 0)
{
#ifdef WIN32
char *new_ig = NULL;
os_calloc(2048, sizeof(char), new_ig);
-
- ExpandEnvironmentStrings(node[i]->content, new_ig, 2047);
+
+ ExpandEnvironmentStrings(node[i]->content, new_ig, 2047);
free(node[i]->content);
node[i]->content = new_ig;
#endif
-
+
/* Adding if regex */
if(node[i]->attributes && node[i]->values)
{
if(node[i]->attributes[0] && node[i]->values[0] &&
- (strcmp(node[i]->attributes[0], "type") == 0) &&
+ (strcmp(node[i]->attributes[0], "type") == 0) &&
(strcmp(node[i]->values[0], "sregex") == 0))
{
OSMatch *mt_pt;
-
+
if(!syscheck->ignore_regex)
{
os_calloc(2, sizeof(OSMatch *),syscheck->ignore_regex);
syscheck->ignore_regex);
syscheck->ignore_regex[ign_size +1] = NULL;
}
- os_calloc(1, sizeof(OSMatch),
+ os_calloc(1, sizeof(OSMatch),
syscheck->ignore_regex[ign_size]);
if(!OSMatch_Compile(node[i]->content,
while(syscheck->ignore[ign_size] != NULL)
ign_size++;
- os_realloc(syscheck->ignore,
+ os_realloc(syscheck->ignore,
sizeof(char *)*(ign_size +2),
syscheck->ignore);
syscheck->ignore[ign_size +1] = NULL;
syscheck->registry_ignore_regex);
syscheck->registry_ignore_regex[ign_size +1] = NULL;
}
-
+
os_calloc(1, sizeof(OSMatch),
syscheck->registry_ignore_regex[ign_size]);
}
}
/* We do not add duplicated entries */
- else if(!os_IsStrOnArray(node[i]->content,
+ else if(!os_IsStrOnArray(node[i]->content,
syscheck->registry_ignore))
{
if(!syscheck->registry_ignore)
{
/* alert_new_files option is not read here. */
}
+ else if(strcmp(node[i]->element,xml_prefilter_cmd) == 0)
+ {
+ char cmd[OS_MAXSTR];
+ struct stat statbuf;
+
+ #ifdef WIN32
+ ExpandEnvironmentStrings(node[i]->content, cmd, sizeof(cmd) -1);
+ #else
+ strncpy(cmd, node[i]->content, sizeof(cmd)-1);
+ #endif
+
+ if (strlen(cmd) > 0) {
+ char statcmd[OS_MAXSTR];
+ char *ix;
+ strncpy(statcmd, cmd, sizeof(statcmd)-1);
+ if (NULL != (ix = strchr(statcmd, ' '))) { *ix = '\0'; }
+ if (stat(statcmd, &statbuf) == 0) {
+ // More checks needed (perms, owner, etc.)
+ os_calloc(1, strlen(cmd)+1, syscheck->prefilter_cmd);
+ strncpy(syscheck->prefilter_cmd, cmd, strlen(cmd));
+ }
+ else
+ {
+ merror(XML_VALUEERR,ARGV0, node[i]->element, node[i]->content);
+ return(OS_INVALID);
+ }
+ }
+ }
else
{
merror(XML_INVELEM, ARGV0, node[i]->element);
return(OS_INVALID);
}
i++;
- }
-
+ }
+
return(0);
}
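Review bot: The only validation of the new `<prefilter_cmd>` value is that `stat()` succeeds on the part before the first space, which the `// More checks needed` comment itself concedes; that accepts a relative name, a directory or a world-writable file, and since this string is presumably executed later by syscheck (the consumer is outside this view) a PATH-relative or writable command is a privilege-escalation vector on the agent. Separately, `strncpy(cmd, ..., sizeof(cmd)-1)` into an uninitialised `char cmd[OS_MAXSTR]` leaves no terminator when the content fills the buffer and the following `strlen(cmd)` then reads past it, and `statcmd` has the same problem. I would copy with `snprintf`, require an existing regular file (on the non-Windows build: an absolute path that is not world-writable), and store the value with `os_strdup` instead of calloc+strncpy, as sketched below. The `strchr(..., ' ')` split also means a command path containing a space cannot be configured; that deserves a comment next to the element.
```c
else if(strcmp(node[i]->element,xml_prefilter_cmd) == 0)
{
    char cmd[OS_MAXSTR];
    struct stat statbuf;

    #ifdef WIN32
    ExpandEnvironmentStrings(node[i]->content, cmd, sizeof(cmd) -1);
    #else
    snprintf(cmd, sizeof(cmd), "%s", node[i]->content); /* always NUL-terminated */
    #endif

    if (strlen(cmd) > 0) {
        char statcmd[OS_MAXSTR];
        char *ix;
        /* Only the first word is checked: a path containing a space
         * cannot be configured here. */
        snprintf(statcmd, sizeof(statcmd), "%s", cmd);
        if (NULL != (ix = strchr(statcmd, ' '))) { *ix = '\0'; }

        /* The command is run later on; accept only an existing regular
         * file, and on POSIX only an absolute, non-world-writable one, so
         * neither a PATH lookup nor a writable binary can be substituted. */
        if (stat(statcmd, &statbuf) != 0 || !S_ISREG(statbuf.st_mode)
        #ifndef WIN32
            || statcmd[0] != '/' || (statbuf.st_mode & S_IWOTH)
        #endif
           )
        {
            merror(XML_VALUEERR,ARGV0, node[i]->element, node[i]->content);
            return(OS_INVALID);
        }
        os_strdup(cmd, syscheck->prefilter_cmd);
    }
}
```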
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/config/syscheck-config.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#ifndef __SYSCHECKC_H
#define __SYSCHECKC_H
typedef struct _config
{
- int tsleep;
+ int tsleep; /* sleep for sometime for daemon to settle */
int sleep_after;
- int rootcheck;
- int disabled;
+ int rootcheck; /* set to 0 when rootcheck is disabled */
+ int disabled; /* is syscheck disabled? */
int scan_on_start;
int realtime_count;
-
- int time;
- int queue;
-
- int *opts;
- char *workdir;
+ int time; /* frequency (secs) for syscheck to run */
+ int queue; /* file descriptor of socket to write to queue */
+
+ int *opts; /* attributes set in the <directories> tag element */
+
+ char *workdir; /* set to the DEFAULTDIR (/var/ossec) */
char *remote_db;
char *db;
- char *scan_day;
- char *scan_time;
-
- char **ignore;
- void **ignore_regex;
-
- char **dir;
+ char *scan_day; /* run syscheck on this day */
+ char *scan_time; /* run syscheck at this time */
+
+ char **ignore; /* list of files/dirs to ignore */
+ void **ignore_regex; /* regex of files/dirs to ignore */
+
+ char **dir; /* array of directories to be scanned */
void **filerestrict;
/* Windows only registry checking */
#ifdef WIN32
- char **registry_ignore;
- void **registry_ignore_regex;
- char **registry;
+ char **registry_ignore; /* list of registry entries to ignore */
+ void **registry_ignore_regex; /* regex of registry entries to ignore */
+ char **registry; /* array of registry entries to be scanned */
FILE *reg_fp;
#endif
-
+
void *fp;
rtfim *realtime;
+ char *prefilter_cmd;
+
}config;
#endif
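Review bot: `prefilter_cmd` is the one member of this struct that did not get the trailing comment every other field just received, and nothing here records who owns the string. I would write `char *prefilter_cmd; /* <prefilter_cmd> from ossec.conf, heap-allocated by Read_Syscheck_Config; NULL when not configured */` — the allocation is visible in syscheck-config.c, the "NULL when not configured" half assumes the struct is zeroed at init, which is not visible here and worth confirming.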
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/error_messages/error_messages.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#define FOPEN_ERROR "%s(1103): ERROR: Unable to open file '%s'."
#define SIZE_ERROR "%s(1104): ERROR: Maximum string size reached for: %s."
#define NULL_ERROR "%s(1105): ERROR: Attempted to use null string. "
-#define FORMAT_ERROR "%s(1106): ERROR: String not correctly formated."
+#define FORMAT_ERROR "%s(1106): ERROR: String not correctly formated."
#define MKDIR_ERROR "%s(1107): ERROR: Unable to create directory: '%s'"
#define PERM_ERROR "%s(1108): ERROR: Permission error. Operation not completed."
#define THREAD_ERROR "%s(1109): ERROR: Unable to create new pthread."
#define IMSG_ERROR "%s(1222): ERROR: Invalid msg: %s"
#define SNDMAIL_ERROR "%s(1223): ERROR: Error Sending email to %s (smtp server)"
#define XML_INV_GRAN_MAIL "%s(1224): ERROR: Invalid 'email_alerts' config (missing parameters)."
+#define CHLDWAIT_ERROR "%s(1261): ERROR: Waiting for child process. (status: %d)."
+#define TOOMANY_WAIT_ERROR "%s(1262): ERROR: Too many errors waiting for child process(es)."
/* rootcheck */
#define INVALID_RKCL_NAME "%s(1251): ERROR: Invalid rk configuration name: '%s'."
#define INVALID_RKCL_VALUE "%s(1252): ERROR: Invalid rk configuration value: '%s'."
#define INVALID_ROOTDIR "%s(1253): ERROR: Invalid rootdir (unable to retrieve)."
-#define INVALID_RKCL_VAR "%s(1254): ERROR: Invalid rk variable: '%s'."
+#define INVALID_RKCL_VAR "%s(1254): ERROR: Invalid rk variable: '%s'."
/* syscheck */
#define INVALID_CAT "%s(1273): ERROR: Invalid category '%s' chosen."
#define INVALID_CONFIG "%s(1274): ERROR: Invalid configuration. Element '%s': %s."
#define INVALID_HOSTNAME "%s(1275): ERROR: Invalid hostname in syslog message: '%s'."
+#ifdef GEOIP
+#define INVALID_GEOIP_DB "%s(1276): ERROR: Cannot open GeoIP database: '%s'."
+#endif
/* Log collector */
#define AR_CMD_MISS "%s(1280): ERROR: Missing command options. " \
"You must specify a 'name', 'executable' and 'expect'."
#define AR_MISS "%s(1281): ERROR: Missing options in the active response " \
- "configuration. "
+ "configuration. "
#define ARQ_ERROR "%s(1301): ERROR: Unable to connect to active response queue."
#define AR_INV_LOC "%s(1302): ERROR: Invalid active response location: '%s'."
#define AR_INV_CMD "%s(1303): ERROR: Invalid command '%s' in the active response."
#define ENCFILE_CHANGED "%s(1409): INFO: Authentication file changed. Updating."
#define ENC_READ "%s(1410): INFO: Reading authentication keys file."
-
+
/* Regex errors */
#define REGEX_COMPILE "%s(1450): ERROR: Syntax error on regex: '%s': %d."
#define REGEX_SUBS "%s(1451): ERROR: Missing sub_strings on regex: '%s'."
#define DUP_REGEX "%s(2109): ERROR: Duplicated offsets for same regex: '%s'."
#define INV_DECOPTION "%s(2110): ERROR: Invalid decoder argument for %s: '%s'."
#define DECODE_ADD "%s(2111): ERROR: Additional data to plugin decoder: '%s'."
-
+
#define INV_OFFSET "%s(2120): ERROR: Invalid offset value: '%s'"
#define INV_ATTR "%s(2121): ERROR: Invalid decoder attribute: '%s'"
/* Rules reading errors */
-#define RL_INV_ROOT "%s(5101): ERROR: Invalid root element: '%s'."
+#define RL_INV_ROOT "%s(5101): ERROR: Invalid root element: '%s'."
#define RL_INV_RULE "%s(5102): ERROR: Invalid rule element: '%s'."
#define RL_INV_ENTRY "%s(5103): ERROR: Invalid rule on '%s'. Missing id/level."
#define RL_EMPTY_ATTR "%s(5104): ERROR: Rule attribute '%s' empty."
#define DB_MISS_CONFIG "%s(5205): ERROR: Missing database configuration. "\
"It requires host, user, pass and database."
#define DB_CONFIGERR "%s(5206): ERROR: Database configuration error."
-#define DB_COMPILED "%s(5207): ERROR: OSSEC not compiled with support for '%s'."
+#define DB_COMPILED "%s(5207): ERROR: OSSEC not compiled with support for '%s'."
#define DB_MAINERROR "%s(5208): ERROR: Multiple database errors. Exiting."
#define DB_CLOSING "%s(5209): INFO: Closing connection to database."
#define DB_ATTEMPT "%s(5210): INFO: Attempting to reconnect to database."
#define CONN_TO "%s: INFO: Connected to '%s' (%s queue)"
#define MAIL_DIS "%s: INFO: E-Mail notification disabled. Clean Exit."
-
+
/* Debug Messages */
#define STARTED_MSG "%s: DEBUG: Starting ..."
#define FOUND_USER "%s: DEBUG: Found user/group ..."
* For conditions of distribution and use, see copyright notice in zlib.h
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/external/zlib-1.2.3/adler32.c, 2011/09/08 dcid Exp $
+ */
#define ZLIB_INTERNAL
#include "zlib.h"
* For conditions of distribution and use, see copyright notice in zlib.h
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/external/zlib-1.2.3/compress.c, 2011/09/08 dcid Exp $
+ */
#define ZLIB_INTERNAL
#include "zlib.h"
* factor of two increase in speed on a Power PC G4 (PPC7455) using gcc -O3.
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/external/zlib-1.2.3/crc32.c, 2011/09/08 dcid Exp $
+ */
/*
Note on the use of DYNAMIC_CRC_TABLE: there is no mutex or semaphore
*
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/external/zlib-1.2.3/deflate.c, 2011/09/08 dcid Exp $
+ */
#include "deflate.h"
subject to change. Applications should only use zlib.h.
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/external/zlib-1.2.3/deflate.h, 2011/09/08 dcid Exp $
+ */
#ifndef DEFLATE_H
#define DEFLATE_H
* Compile this file with -DNO_GZCOMPRESS to avoid the compression code.
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/external/zlib-1.2.3/gzio.c, 2011/09/08 dcid Exp $
+ */
#include <stdio.h>
s->transparent = 0;
path_size = strlen(path) +1;
-
+
s->path = (char*)ALLOC(path_size +1);
if (s->path == NULL) {
return destroy(s), (gzFile)Z_NULL;
TRYFREE(s->msg);
msg_size = strlen(s->path) + strlen(m) + 4;
-
+
s->msg = (char*)ALLOC(msg_size +1);
if (s->msg == Z_NULL) return (const char*)ERR_MSG(Z_MEM_ERROR);
* Addison-Wesley, 1983. ISBN 0-201-06672-6.
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/external/zlib-1.2.3/trees.c, 2011/09/08 dcid Exp $
+ */
/* #define GEN_TREES_H */
* For conditions of distribution and use, see copyright notice in zlib.h
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/external/zlib-1.2.3/uncompr.c, 2011/09/08 dcid Exp $
+ */
#define ZLIB_INTERNAL
#include "zlib.h"
* For conditions of distribution and use, see copyright notice in zlib.h
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/external/zlib-1.2.3/zconf.h, 2011/09/08 dcid Exp $
+ */
#ifndef ZCONF_H
#define ZCONF_H
* For conditions of distribution and use, see copyright notice in zlib.h
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/external/zlib-1.2.3/zconf.in.h, 2011/09/08 dcid Exp $
+ */
#ifndef ZCONF_H
#define ZCONF_H
* For conditions of distribution and use, see copyright notice in zlib.h
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/external/zlib-1.2.3/zutil.c, 2011/09/08 dcid Exp $
+ */
#include "zutil.h"
subject to change. Applications should only use zlib.h.
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/external/zlib-1.2.3/zutil.h, 2011/09/08 dcid Exp $
+ */
#ifndef ZUTIL_H
#define ZUTIL_H
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/agent_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
#ifndef __AGENT_OP_H
-#define __AGENT_OP_H
+#define __AGENT_OP_H
*/
char *os_read_agent_id();
+/* cmoraes: added */
+
+/** char *os_read_agent_profile()
+ * Reads the agent profile name for the current agent.
+ * Returns NULL on error.
+ */
+char *os_read_agent_profile();
+
/** int os_write_agent_info(char *agent_name, char *agent_ip, char *agent_id)
* Writes the agent info inside the queue, for the other processes to read.
* Returns 1 on success or <= 0 on failure.
*/
-int os_write_agent_info(char *agent_name, char *agent_ip, char *agent_id);
+int os_write_agent_info(char *agent_name, char *agent_ip, char *agent_id,
+ char *cfg_profile_name); /*cmoraes*/
int os_agent_config_changed();
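Review bot: The documentation block above `os_write_agent_info` still shows the three-argument prototype (`/** int os_write_agent_info(char *agent_name, char *agent_ip, char *agent_id)`) while the declaration below it gained `cfg_profile_name`; update that header line to the new signature and add a sentence saying what `cfg_profile_name` is and whether NULL is accepted (the implementation is outside this view, so take that from it). The `/*cmoraes*/` and `/* cmoraes: added */` author tags belong in the VCS log rather than the header. `os_read_agent_profile()` with empty parentheses is an old-style declaration, but it matches `os_read_agent_id()` just above it, so that is at most a file-wide cleanup.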
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/ar.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/debug_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int isChroot();
/* Debug analysisd */
-#ifdef DEBUGAD
+#ifdef DEBUGAD
#define DEBUG_MSG(x,y,z) verbose(x,y,z)
#else
#define DEBUG_MSG(x,y,z)
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/defs.h, 2012/08/11 dcid Exp $
+ */
-/* Copyright (C) 2009 Trend Micro Inc.
+/* Copyright (C) 2009-2012 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#define __OS_HEADERS
+/* TRUE / FALSE definitions
+ */
+#define TRUE 1
+#define FALSE 0
+
/* Read / Write definitions
*/
#define READ 1
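Review bot: `TRUE`/`FALSE` are added to defs.h without an `#ifndef` guard; on the Windows build shared.h pulls in `<windows.h>`, which defines both, and any other header that spells the replacement list differently (e.g. `(1)`) turns that into a redefinition error in a header included almost everywhere. Guard them, `#ifndef TRUE` / `#define TRUE 1` / `#endif` and likewise for FALSE. Where the new names are used is outside this view.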
/* Some Global names */
#define __name "OSSEC HIDS"
-#define __version "v2.5.1"
+#define __version "v2.7"
#define __author "Trend Micro Inc."
#define __contact "contact@ossec.net"
#define __site "http://www.ossec.net"
#define MAX_PID 32768
#endif
-
+
/* Max limit of 256 agents */
#ifndef MAX_AGENTS
#define MAX_AGENTS 256
-#endif
+#endif
/* manager notification */
#define NOTIFY_TIME 600 /* every 10 minutes */
-
+
/* User Configuration */
#ifndef MAILUSER
#define MAILUSER "ossecm"
#ifndef USER
#define USER "ossec"
#endif
-
+
#ifndef REMUSER
#define REMUSER "ossecr"
#endif
-
+
#ifndef GROUPGLOBAL
#define GROUPGLOBAL "ossec"
-#endif
-
+#endif
+
#ifndef DEFAULTDIR
#define DEFAULTDIR "/var/ossec"
#endif
#define AR_BINDIR "active-response/bin"
#define AGENTCONFIG "shared/agent.conf"
#define AGENTCONFIGINT "shared/agent.conf"
-#endif
+#endif
/* Exec queue */
#define XML_DECODER "/etc/decoder.xml"
#define XML_LDECODER "/etc/local_decoder.xml"
-
+
/* Agent information location */
#define AGENTINFO_DIR "/queue/agent-info"
#else
#define SYSCHECK_RESTART "syscheck/.syscheck_run"
#define SYSCHECK_RESTART_PATH "syscheck/.syscheck_run"
-#endif
+#endif
+
-
-/* Agentless directories. */
+/* Agentless directories. */
#define AGENTLESSDIR "/agentless"
#define AGENTLESSPASS "/agentless/.passlist"
#define AGENTLESS_ENTRYDIR "/queue/agentless"
-
+
/* Internal definitions files */
#ifndef WIN32
#ifndef WIN32
#define SHAREDCFG_DIR "/etc/shared"
#else
- #define SHAREDCFG_DIR "shared"
-#endif
+ #define SHAREDCFG_DIR "shared"
+#endif
/* Built in defines */
#define DEFAULTQPATH DEFAULTDIR DEFAULTQUEUE
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/dirtree_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-
+
/* Common API for dealing with directory trees */
-
+
#ifndef _OS_DIRTREE
#define _OS_DIRTREE
{
struct _OSTreeNode *next;
void *child;
-
+
char *value;
void *data;
}OSTreeNode;
OSDirTree *OSDirTree_Create();
void OSDirTree_AddToTree(OSDirTree *tree, char *str, void *data, char sep);
void *OSDirTree_SearchTree(OSDirTree *tree, char *str, char sep);
-
+
#endif
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/file-queue.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int year;
int day;
int flags;
-
+
char mon[4];
char file_name[MAX_FQUEUE +1];
-
+
FILE *fp;
struct stat f_status;
}file_queue;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/file_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/hash_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-
+
/* Common API for dealing with directory trees */
-
+
#ifndef _OS_HASHOP
#define _OS_HASHOP
typedef struct _OSHashNode
{
struct _OSHashNode *next;
-
+
void *key;
- void *data;
+ void *data;
}OSHashNode;
unsigned int rows;
unsigned int initial_seed;
unsigned int constant;
-
+
OSHashNode **table;
}OSHash;
* Frees the memory used by the hash.
*/
void *OSHash_Free(OSHash *self);
-
+
/** void OSHash_Add(OSHash *hash, char *key, void *data)
* Key must not be NULL.
*/
int OSHash_Add(OSHash *hash, char *key, void *data);
+int OSHash_Update(OSHash *hash, char *key, void *data);
/** void *OSHash_Get(OSHash *self, char *key)
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/help.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/list_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
OSListNode *first_node;
OSListNode *last_node;
OSListNode *cur_node;
-
+
int currently_size;
int max_size;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/math_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* Get the first available prime after the provided value.
* Returns 0 on error.
*/
-int os_getprime(int val);
+int os_getprime(int val);
#endif
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/mem_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/mq_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/os_err.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/privsep_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/pthreads_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/rc.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#define IsValidHeader(str) ((str[0] == '#') && \
(str[1] == '!') && \
(str[2] == '-') && \
- (str+=3) )
+ (str+=3) )
/* Exec message */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/read-agents.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/* Print syscheck db (of modified files). */
-int print_syscheck(char *sk_name, char *sk_ip, char *fname, int print_registry,
+int print_syscheck(char *sk_name, char *sk_ip, char *fname, int print_registry,
int all_files, int csv_output, int update_counter);
/* Print rootcheck db. */
/* Free the agent list */
void free_agents(char **agent_list);
-/** char *print_agent_status(int status)
+/** char *print_agent_status(int status)
* Prints the text representation of the agent status.
*/
char *print_agent_status(int status);
* Get information from an agent.
*/
agent_info *get_agent_info(char *agent_name, char *agent_ip);
-
+
/** int connect_to_remoted()
* Connects to remoted to be able to send messages to the agents.
/** int send_msg_to_agent(int socket, char *msg)
* Sends a message to an agent.
* returns -1 on error.
- */
+ */
int send_msg_to_agent(int msocket, char *msg, char *agt_id, char *exec);
-
+
#define GA_NOTACTIVE 2
#define GA_ACTIVE 3
-#define GA_ALL 5
+#define GA_ALL 5
#define GA_ALL_WSTATUS 7
/* Status */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/read-alert.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#ifndef __CRALERT_H
#define __CRALERT_H
-#define CRALERT_MAIL_SET 0x001
+#define CRALERT_MAIL_SET 0x001
#define CRALERT_EXEC_SET 0x002
#define CRALERT_READ_ALL 0x004
#define CRALERT_FP_SET 0x010
{
int rule;
int level;
+ char *alertid;
char *date;
char *location;
char *comment;
char *group;
char *srcip;
+ int srcport;
+ char *dstip;
+ int dstport;
char *user;
+ char *filename;
+ char *old_md5;
+ char *new_md5;
+ char *old_sha1;
+ char *new_sha1;
char **log;
+#ifdef GEOIP
+ char *geoipdatasrc;
+ char *geoipdatadst;
+#endif
}alert_data;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/regex_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/report_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
#define __REPORT_OP_H
-#define REPORT_RELATED 1
+#define REPORT_RELATED 1
#define REPORT_FILTER 2
-
+
#define REPORT_REL_USER 0x001
#define REPORT_REL_SRCIP 0x002
#define REPORT_REL_LEVEL 0x004
#define REPORT_REL_GROUP 0x020
#define REPORT_REL_LOCATION 0x040
#define REPORT_TYPE_DAILY 0x100
-
+#define REPORT_REL_FILE 0x200
+
typedef struct _report_filter
char *location;
char *user;
char *srcip;
+ char *files;
char *filename;
void *top_user;
void *top_rule;
void *top_group;
void *top_location;
+ void *top_files;
int related_user;
+ int related_file;
int related_srcip;
int related_level;
int related_rule;
int report_type;
int show_alerts;
void *fp;
-
+
}report_filter;
-int os_report_configfilter(char *filter_by, char *filter_value,
+int os_report_configfilter(char *filter_by, char *filter_value,
report_filter *r_filter, int arg_type);
void os_report_printtop(void *topstore, char *hname, int print_related);
void os_ReportdStart(report_filter *r_filter);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/rules_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-
+
/* Common API for dealing with directory trees */
-
+
#ifndef _OS_RULESOP_H
#define _OS_RULESOP_H
int __frequency;
char **last_events;
-
+
/* Not an option in the rule */
u_int16_t alert_opts;
/* category */
u_int8_t category;
-
+
/* Decoded as */
u_int16_t decoded_as;
/* Function pointer to the event_search. */
void *(*event_search)(void *lf, void *rule);
-
+
char *group;
OSMatch *match;
OSMatch *program_name;
OSMatch *extra_data;
char *action;
-
+
char *comment; /* description in the xml */
char *info;
char *cve;
-
+
char *if_sid;
char *if_level;
char *if_group;
OSRegex *if_matched_regex;
OSMatch *if_matched_group;
int if_matched_sid;
-
+
void **ar;
}RuleInfo;
/** Prototypes **/
-int OS_ReadXMLRules(char *rulefile,
+int OS_ReadXMLRules(char *rulefile,
void *(*ruleact_function)(RuleInfo *rule, void *data),
void *data);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/sec.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
unsigned int local;
unsigned int keyid;
unsigned int global;
-
+
char *id;
char *key;
char *name;
{
/* Array with all the keys */
keyentry **keyentries;
-
-
+
+
/* Hashes, based on the id/ip to lookup the keys. */
void *keyhash_id;
void *keyhash_ip;
/* Checks if key changed. */
int OS_CheckUpdateKeys(keystore *keys);
-
+
/* Update the keys if they changed on the system. */
int OS_UpdateKeys(keystore *keys);
/** Function prototypes -- send/recv messages **/
/* Decrypt and decompress a remote message. */
-char *ReadSecMSG(keystore *keys, char *buffer, char *cleartext,
+char *ReadSecMSG(keystore *keys, char *buffer, char *cleartext,
int id, int buffer_size);
/* Creates an ossec message (encrypts and compress) */
#endif
#define SENDER_COUNTER "sender_counter"
-#define KEYSIZE 128
+#define KEYSIZE 128
#endif
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/shared.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* The stack smashing protector defeats some BoF via: gcc -fstack-protector
* Reference: http://gcc.gnu.org/onlinedocs/gcc-4.1.2/cpp.pdf
*/
-
+
#if defined(__GNUC__) && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 1) && (__GNUC_PATCHLEVEL__ >= 2)) || \
((__GNUC__ == 4) && (__GNUC_MINOR__ >= 2)) || \
(__GNUC__ >= 5))
#include <windows.h>
#include <winsock.h>
#include <io.h>
+#include <winsock2.h>
+#include <ws2tcpip.h>
#endif
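Review bot: `<winsock2.h>` is added after `<windows.h>` and `<winsock.h>` on the preceding lines, and the two Winsock generations conflict when the old header is seen first (the Microsoft SDK hits redefinitions of the overlapping socket declarations; MinGW's winsock2.h errors out in that order). The conventional order is `#include <winsock2.h>` and `#include <ws2tcpip.h>` before `#include <windows.h>`, with the `<winsock.h>` line dropped since winsock2.h supersedes it. Whether the current order actually breaks the build depends on the toolchain, which is not visible here.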
#include <time.h>
/*** These functions will exit on error. No need to check return code ***/
/* for calloc: x = calloc(4,sizeof(char)) -> os_calloc(4,sizeof(char),x) */
-#define os_calloc(x,y,z) (z = calloc(x,y))?(void)1:ErrorExit(MEM_ERROR, ARGV0)
+#define os_calloc(x,y,z) (z = calloc(x,y))?(void)1:ErrorExit(MEM_ERROR, ARGV0)
#define os_strdup(x,y) (y = strdup(x))?(void)1:ErrorExit(MEM_ERROR, ARGV0)
#ifdef CLIENT
#define isAgent 1
#else
- #define isAgent 0
+ #define isAgent 0
#endif
-
+
#include "debug_op.h"
#include "file-queue.h"
#include "read-agents.h"
#include "report_op.h"
+#include "string_op.h"
#include "os_xml/os_xml.h"
#include "os_regex/os_regex.h"
#endif /* __SHARED_H */
-
+
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/sig_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/store_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
OSStore *OSStore_Create();
OSStore *OSStore_Free(OSStore *list);
-
+
int OSStore_Put(OSStore *list, char *key, void *data);
int OSStore_Check(OSStore *list, char *key);
int OSStore_NCheck(OSStore *list, char *key);
void *OSStore_Get(OSStore *list, char *key);
OSStoreNode *OSStore_GetFirstNode(OSStore *list);
int OSStore_Sort(OSStore *list, void*(sort_data_function)(void *d1, void *d2));
-
+
#endif
--- /dev/null
+/* @(#) $Id: ./src/headers/string_op.h, 2011/09/08 dcid Exp $
+ */
+
+/* Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ *
+ * License details at the LICENSE file included with OSSEC or
+ * online at: http://www.ossec.net/en/licensing.html
+ */
+
+
+#ifndef H_STRINGOP_OS
+#define H_STRINGOP_OS
+
+
+/** os_trimcrlf
+ * Trims the cr and/or LF from the last positions of a string
+ */
+void os_trimcrlf(char *str);
+
+/* Similiar to Perl's substr() function */
+int os_substr(char *dest, const char *src, int position, int length);
+
+/* Remove a character from a string */
+char *os_strip_char(char *source, char remove);
+
+#endif
+
+/* EOF */
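Review bot: The three prototypes in this new header leave the callers' contract undocumented, which matters most for `os_substr`, whose `dest` has no size parameter. The comment should state how large `dest` must be relative to `length` and what the `int` return means, e.g. `/* Copy length bytes of src starting at position into dest; dest must hold length+1 bytes. Returns 0 on success. */` with the numbers confirmed against string_op.c, which is outside this hunk. `os_strip_char` returns a `char *` whose ownership (new allocation vs. in-place) should likewise be stated. The "Similiar" typo in the `os_substr` comment could be fixed at the same time.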
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/validate_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*/
int OS_IPFound(char *ip_address, os_ip *that_ip);
-
+
/** int OS_IPFoundList(char *ip_address, char **list_of_ips)
* Checks if ip_address is present on the "list_of_ips".
* ** On success this function may modify the value of ip_address
*/
int OS_IsValidIP(char *ip_address, os_ip *final_ip);
-
-
+
+
/** Time range validations **/
/** char *OS_IsValidTime(char *time_str)
* hh:mm am - hh:mm pm (12 hour format)
* hh am - hh pm (12 hour format)
*/
-char *OS_IsValidTime(char *time_str);
+char *OS_IsValidTime(char *time_str);
-/* Same as above, but only accepts a unique time, not a range. */
+/* Same as above, but only accepts a unique time, not a range. */
char *OS_IsValidUniqueTime(char *time_str);
* range.
*/
int OS_IsonDay(int week_day, char *ossec_day);
-
+
/** char *OS_IsValidDay(char *day_str)
* Validates if an day is in an acceptable format
/* Checks if the ip is a single host, not a network with a netmask */
#define isSingleHost(x) (x->netmask == 0xFFFFFFFF)
-
+
#endif
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/headers/wait_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*/
#ifndef __WAIT_OP_H
-#define __WAIT_OP_H
+#define __WAIT_OP_H
void os_setwait();
elif [ -d "/etc/init.d" -a -f "/usr/sbin/update-rc.d" ]; then
echo " - ${systemis} Debian (Ubuntu or derivative)."
echo " - ${modifiedinit}"
- cp -pr ./src/init/ossec-hids.init /etc/init.d/ossec
+ cp -pr ./src/init/ossec-hids-debian.init /etc/init.d/ossec
chmod +x /etc/init.d/ossec
chmod go-w /etc/init.d/ossec
chown root:ossec /etc/init.d/ossec
### Do not modify bellow here ###
NAME="OSSEC HIDS"
-VERSION="v2.5.1"
+VERSION="v2.7"
AUTHOR="Trend Micro Inc."
DAEMONS="ossec-logcollector ossec-syscheckd ossec-agentd ossec-execd"
restart)
testconfig
stopa
+ sleep 1;
+ start
+ ;;
+ reload)
+ DAEMONS="ossec-logcollector ossec-syscheckd ossec-agentd"
+ stopa
start
;;
status)
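Review bot: The new `reload)` case stops and restarts the daemons without running `testconfig`, whereas the `restart)` case directly above it validates the configuration before `stopa`, so a reload with a broken config takes the collector down instead of refusing. Adding `testconfig` as the first line of the `reload)` branch keeps the two paths consistent. The same omission is in the server-side `reload)` case further down in this diff (the hunk with `DAEMONS="ossec-monitord ossec-logcollector ossec-remoted ..."`).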
*)
help
esac
+
--- /dev/null
+#!/bin/sh
+# OSSEC Controls OSSEC HIDS
+# Author: Daniel B. Cid <dcid@ossec.net>
+# Modified for Debian by Michael Starks (patch by Costas Drogos)
+
+### BEGIN INIT INFO
+# Provides: ossec
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Should-Start: $network
+# Should-Stop: $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start and stop OSSEC HIDS
+# Description: Controls OSSEC HIDS daemons
+#
+### END INIT INFO
+
+. /etc/ossec-init.conf
+if [ "X${DIRECTORY}" = "X" ]; then
+ DIRECTORY="/var/ossec"
+fi
+
+
+start() {
+ ${DIRECTORY}/bin/ossec-control start
+}
+
+stop() {
+ ${DIRECTORY}/bin/ossec-control stop
+}
+
+status() {
+ ${DIRECTORY}/bin/ossec-control status
+}
+
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ status)
+ status
+ ;;
+ *)
+ echo "*** Usage: $0 {start|stop|restart|status}"
+ exit 1
+esac
+
+exit 0
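Review bot: The `status)` branch discards the result of `ossec-control status`, because the unconditional `exit 0` at the end of the script runs after the `case`, so init tooling always sees "running". Since `status()` returns the exit status of its last command, the branch only needs `status` followed by `exit $?` before its `;;`. The LSB convention for status is a non-zero code (3) when the service is stopped, which the delegated script should already supply once it is propagated.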
status() {
${DIRECTORY}/bin/ossec-control status
+ RETVAL=$?
+ return $RETVAL
}
NAME="OSSEC HIDS"
-VERSION="v2.5.1"
+VERSION="v2.7"
AUTHOR="Trend Micro Inc."
DAEMONS="ossec-monitord ossec-logcollector ossec-syscheckd ossec-analysisd ossec-maild ossec-execd ${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON}"
# Status function
status()
{
+ RETVAL=0
for i in ${DAEMONS}; do
pstatus ${i};
if [ $? = 0 ]; then
+ RETVAL=1
echo "${i} not running..."
else
echo "${i} is running..."
fi
- done
+ done
+ exit $RETVAL
}
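Review bot: `exit $RETVAL` inside `status()` turns the function into a process terminator, so any future caller within the script (a `restart` that checks state, or a sourcing wrapper) cannot use it. A `return $RETVAL` here plus `exit $?` at the `status)` case gives the same external result without that trap. The same pattern is used in the server-side `status()` hunk below (the one with `ossec-remoted` in `DAEMONS`), where `RETVAL=1` is also set after the `echo` rather than before it; picking one order for both keeps the scripts aligned. LSB scripts usually report 3 rather than 1 for "not running", if that convention is wanted.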
testconfig()
SDAEMONS="${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON} ossec-maild ossec-execd ossec-analysisd ossec-logcollector ossec-syscheckd ossec-monitord"
echo "Starting $NAME $VERSION (by $AUTHOR)..."
- ${DIR}/bin/ossec-logtest -t
+ echo | ${DIR}/bin/ossec-logtest > /dev/null 2>&1;
if [ ! $? = 0 ]; then
echo "ossec-analysisd: Configuration error. Exiting."
+ exit 1;
fi
lock;
# to internally create their PID files.
sleep 2;
unlock;
+
+ ls -la "${DIR}/ossec-agent/" >/dev/null 2>&1
+ if [ $? = 0 ]; then
+ echo ""
+ echo "Starting sub agent directory (for hybrid mode)"
+ ${DIR}/ossec-agent/bin/ossec-control start
+ fi
+
echo "Completed."
}
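Review bot: `ls -la "${DIR}/ossec-agent/" >/dev/null 2>&1` is an expensive and indirect way to test for a directory; `if [ -x "${DIR}/ossec-agent/bin/ossec-control" ]; then` says what is actually required and also covers a half-installed sub-agent tree where the directory exists but the control script does not. The same construction appears in the matching stop hunk below (`Stopping sub agent directory (for hybrid mode)`). The failure status of the sub-agent start is not reflected in the enclosing function's result, which may be intentional for a best-effort hybrid start.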
done
unlock;
+
+ ls -la "${DIR}/ossec-agent/" >/dev/null 2>&1
+ if [ $? = 0 ]; then
+ echo ""
+ echo "Stopping sub agent directory (for hybrid mode)"
+ ${DIR}/ossec-agent/bin/ossec-control stop
+ fi
echo "$NAME $VERSION Stopped"
}
restart)
testconfig
stopa
+ sleep 1;
start
;;
status)
NAME="OSSEC HIDS"
-VERSION="v2.5.1"
+VERSION="v2.7"
AUTHOR="Trend Micro Inc."
DAEMONS="ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd ossec-analysisd ossec-maild ossec-execd ${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON}"
# Status function
status()
{
+ RETVAL=0
for i in ${DAEMONS}; do
pstatus ${i};
if [ $? = 0 ]; then
echo "${i} not running..."
+ RETVAL=1
else
echo "${i} is running..."
fi
- done
+ done
+ exit $RETVAL
}
testconfig()
SDAEMONS="${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON} ossec-maild ossec-execd ossec-analysisd ossec-logcollector ossec-remoted ossec-syscheckd ossec-monitord"
echo "Starting $NAME $VERSION (by $AUTHOR)..."
- ${DIR}/bin/ossec-logtest -t
+ echo | ${DIR}/bin/ossec-logtest > /dev/null 2>&1;
if [ ! $? = 0 ]; then
- echo "ossec-analysisd: Configuration error. Exiting."
+ echo "OSSEC analysisd: Testing rules failed. Configuration error. Exiting."
+ exit 1;
fi
lock;
checkpid;
restart)
testconfig
stopa
+ sleep 1;
start
;;
+ reload)
+ DAEMONS="ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd ossec-analysisd ossec-maild ${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON}"
+ stopa
+ start
+ ;;
status)
status
;;
if [ $? = 0 ]; then
. ${OSSEC_INIT}
if [ "X$DIRECTORY" = "X" ]; then
+ echo "# ($FUNCNAME) ERROR: The variable DIRECTORY wasn't set" 1>&2
echo "${FALSE}"
return 1;
fi
if [ $? = 0 ]; then
echo "${TRUE}"
return 0;
- fi
+ fi
fi
-
echo "${FALSE}"
- return 1;
+ return 1;
}
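Review bot: `$FUNCNAME` in the new error message is a bash-only variable; under dash or another POSIX sh it expands to nothing and the operator sees `# () ERROR: ...`, losing the very context the message was added for. The same expansion is used in the two messages added in the `doUpdatecleanup` hunk below. If the script is guaranteed to run under bash (the shebang is not in view), this is fine; otherwise hard-code the function name in each message.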
##########
-# doUpdatecleanup
+# doUpdatecleanup
##########
doUpdatecleanup()
{
. ${OSSEC_INIT}
if [ "X$DIRECTORY" = "X" ]; then
- # Invalid ossec init file. Unable to update
+ echo "# ($FUNCNAME) ERROR: The variable DIRECTORY wasn't set." 1>&2
echo "${FALSE}"
return 1;
fi
-
+
# Checking if the directory is valid.
- echo $DIRECTORY | grep -E "^/[a-zA-Z0-9/-]{3,128}$" > /dev/null 2>&1
+ local _dir_pattern="^/[-a-zA-Z0-9/\.-]{3,128}$"
+ echo $DIRECTORY | grep -E "$_dir_pattern" > /dev/null 2>&1
if [ ! $? = 0 ]; then
+ echo "# ($FUNCNAME) ERROR: directory name ($DIRECTORY) doesn't match the pattern $_dir_pattern" 1>&2
echo "${FALSE}"
return 1;
fi
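Review bot: Inside a POSIX ERE bracket expression a backslash is a literal character, so the new `_dir_pattern` `[-a-zA-Z0-9/\.-]` accepts a backslash in `DIRECTORY` (and lists `-` twice), which is wider than the old pattern rather than just adding the dot. `local _dir_pattern="^/[-a-zA-Z0-9/.]{3,128}$"` expresses the intended set. `local` itself is not in POSIX sh, although every common shell supports it. `doUpdatecleanup` continues past the end of this hunk, so whatever the validated path is later used for is not visible here.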
##########
-# getPreinstalled
+# getPreinstalled
##########
getPreinstalled()
{
echo "agent"
return 0;
fi
-
+
cat $DIRECTORY/etc/ossec.conf | grep "<remote>" > /dev/null 2>&1
if [ $? = 0 ]; then
echo "server"
return 0;
fi
-
+
echo "local"
- return 0;
+ return 0;
}
UpdateStartOSSEC()
{
. ${OSSEC_INIT}
-
- $DIRECTORY/bin/ossec-control start
+
+ $DIRECTORY/bin/ossec-control start
}
UpdateStopOSSEC()
{
. ${OSSEC_INIT}
-
- $DIRECTORY/bin/ossec-control stop
+
+ $DIRECTORY/bin/ossec-control stop
# We also need to remove all syscheck queue file (format changed)
if [ "X$VERSION" = "X0.9-3" ]; then
rm -f $DIRECTORY/queue/syscheck/.* > /dev/null 2>&1
}
-
##########
-# UpdateOSSECRules
+# UpdateOSSECRules
##########
UpdateOSSECRules()
{
# Backing up the old config
cp -pr ${OSSEC_CONF_FILE} "${OSSEC_CONF_FILE}.$$.bak"
-
- cat ${OSSEC_CONF_FILE}|grep -v "<rules>" |grep -v "</rules>" |grep -v "<include>" > "${OSSEC_CONF_FILE}.$$.tmp"
+ # Getting rid of old rules entries
+ grep -Ev "</*rules>|<include>|<list>|<decoder>|<decoder_dir|<rule_dir>|rules global entry" ${OSSEC_CONF_FILE} > "${OSSEC_CONF_FILE}.$$.tmp"
+
+ # Customer decoder, decoder_dir, rule_dir are carried over during upgrade
+ grep -E '<decoder>|<decoder_dir|<rule_dir>' ${OSSEC_CONF_FILE} | grep -v '<!--' >> "${OSSEC_CONF_FILE}.$$.tmp2"
+
+ # Check for custom files that may have been added in <rules> element
+ for i in $(grep -E '<include>|<list>' ${OSSEC_CONF_FILE} | grep -v '<!--')
+ do
+ grep "$i" ${RULES_TEMPLATE}>/dev/null || echo " $i" >> "${OSSEC_CONF_FILE}.$$.tmp2"
+ done
+
+ # Putting everything back together
cat "${OSSEC_CONF_FILE}.$$.tmp" > ${OSSEC_CONF_FILE}
rm "${OSSEC_CONF_FILE}.$$.tmp"
echo "" >> ${OSSEC_CONF_FILE}
echo "<ossec_config> <!-- rules global entry -->" >> ${OSSEC_CONF_FILE}
- cat ${RULES_TEMPLATE} >> ${OSSEC_CONF_FILE}
+ grep -v '</rules>' ${RULES_TEMPLATE} >> ${OSSEC_CONF_FILE}
+ cat "${OSSEC_CONF_FILE}.$$.tmp2" >> ${OSSEC_CONF_FILE}
+ echo "</rules>" >> ${OSSEC_CONF_FILE}
echo "</ossec_config> <!-- rules global entry -->" >> ${OSSEC_CONF_FILE}
-}
+ rm "${OSSEC_CONF_FILE}.$$.tmp2"
+}
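Review bot: `${OSSEC_CONF_FILE}.$$.tmp2` is only ever opened with `>>`, so when neither the decoder/rule_dir `grep` nor the include/list loop emits a line the file is never created and the later `cat` and `rm` both fail with an error, while a stale file of that name would be appended to. Truncating it up front, `: > "${OSSEC_CONF_FILE}.$$.tmp2"` right after the backup `cp`, fixes both. Separately, `for i in $(grep -E '<include>|<list>' ...)` word-splits matched lines, so an `<include>` line containing a space is checked as several fragments, and `grep "$i" ${RULES_TEMPLATE}` treats the fragment as a regex (a `.` in a filename matches any character), which `grep -F -- "$i"` would avoid.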
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/config.c, 2011/10/07 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-/* v0.3 (2005/08/23): Using the new OS_XML syntax and changing some usage
+/* v0.3 (2005/08/23): Using the new OS_XML syntax and changing some usage
* v0.2 (2005/01/17)
*/
-
-#include "shared.h"
+
+#include "shared.h"
#include "logcollector.h"
* Read the config file (the localfiles)
* v0.3: Changed for the new OS_XML
*/
-int LogCollectorConfig(char * cfgfile)
+int LogCollectorConfig(char * cfgfile, int accept_remote)
{
int modules = 0;
modules|= CLOCALFILE;
log_config.config = NULL;
+ log_config.agent_cfg = 0;
+ log_config.accept_remote = accept_remote;
if(ReadConfig(modules, cfgfile, &log_config, NULL) < 0)
return(OS_INVALID);
-
+
#ifdef CLIENT
modules|= CAGENT_CONFIG;
+ log_config.agent_cfg = 1;
ReadConfig(modules, AGENTCONFIG, &log_config, NULL);
+ log_config.agent_cfg = 0;
#endif
- logff = log_config.config;
+ logff = log_config.config;
return(1);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/logcollector.c, 2012/03/28 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
char keepalive[1024];
-
+
/* To check for inode changes */
struct stat tmp_stat;
-
-
+
+
#ifndef WIN32
-
+
int int_error = 0;
struct timeval fp_timeout;
-
+
#else
-
+
/* Checking if we are on vista. */
checkVista();
{
win_read_vista_sec();
}
-
+
#endif
debug1("%s: DEBUG: Entering LogCollectorStart().", ARGV0);
-
-
+
+
/* Initializing each file and structure */
for(i = 0;;i++)
{
{
if(logff[r].file && strcmp(logff[i].file, logff[r].file) == 0)
{
- merror("%s: WARN: Duplicated log file given: '%s'.",
+ merror("%s: WARN: Duplicated log file given: '%s'.",
ARGV0, logff[i].file);
logff[i].file = NULL;
logff[i].command = NULL;
{
/* do nothing, duplicated entry. */
}
-
+
else if(strcmp(logff[i].logformat,"eventlog") == 0)
{
#ifdef WIN32
-
+
verbose(READING_EVTLOG, ARGV0, logff[i].file);
win_startel(logff[i].file);
-
+
#endif
logff[i].file = NULL;
logff[i].command = NULL;
}
else
{
- merror("%s: ERROR: Missing command argument. Ignoring it.",
+ merror("%s: ERROR: Missing command argument. Ignoring it.",
ARGV0);
}
}
else
{
merror("%s: ERROR: Missing command argument. Ignoring it.",
- ARGV0);
+ ARGV0);
}
}
-
+
else
{
logff[i].command = NULL;
- /* Initializing the files */
+ /* Initializing the files */
if(logff[i].ffile)
{
/* Day must be zero for all files to be initialized */
{
ErrorExit(PARSE_ERROR, ARGV0, logff[i].ffile);
}
-
+
}
else
{
handle_file(i, 1, 1);
}
-
+
verbose(READING_FILE, ARGV0, logff[i].file);
-
+
/* Getting the log type */
if(strcmp("snort-full", logff[i].logformat) == 0)
{
logff[i].read = (void *)read_snortfull;
}
+ #ifndef WIN32
+ if(strcmp("ossecalert", logff[i].logformat) == 0)
+ {
+ logff[i].read = (void *)read_ossecalert;
+ }
+ #endif
else if(strcmp("nmapg", logff[i].logformat) == 0)
{
logff[i].read = (void *)read_nmapg;
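Review bot: The new `ossecalert` test is a plain `if`, not `else if`, so on non-Windows builds it splits the format-dispatch chain: the `snort-full` branch above no longer has an else, and a `snort-full` entry continues into the `ossecalert`/`nmapg`/... tests and, if the chain ends with a default `else` (its tail is outside this hunk), has its `read` pointer overwritten. Writing it as `else if(strcmp("ossecalert", logff[i].logformat) == 0)` restores the chain; under WIN32 the preprocessor removes the block and the existing `else if` rejoins the `snort-full` `if` as before. `LogCollectorStart` begins and ends outside this hunk.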
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
-
+
max_file = i -1;
{
max_file = 0;
}
-
-
+
+
/* Daemon loop */
while(1)
{
fp_timeout.tv_sec = loop_timeout;
fp_timeout.tv_usec = 0;
- /* Waiting for the select timeout */
+ /* Waiting for the select timeout */
if ((r = select(0, NULL, NULL, NULL, &fp_timeout)) < 0)
{
merror(SELECT_ERROR, ARGV0);
continue;
}
#else
-
+
/* Windows don't like select that way */
sleep(loop_timeout + 2);
-
+
/* Check for messages in the event viewer */
win_readel();
#endif
-
+
f_check++;
-
+
/* Checking which file is available */
for(i = 0; i <= max_file; i++)
{
logff[i].ign++;
continue;
}
-
+
#ifdef WIN32
logff[i].read(i, &r, 1);
#endif
}
}
-
+
/* Only check bellow if check > VCHECK_FILES */
if(f_check <= VCHECK_FILES)
continue;
-
+
/* Send keep alive message */
rand_keepalive_str(keepalive, 700);
SendMSG(logr_queue, keepalive, "ossec-keepalive", LOCALFILE_MQ);
- /* Zeroing f_check */
+ /* Zeroing f_check */
f_check = 0;
/* These are the windows logs or ignored files */
if(!logff[i].file)
continue;
-
-
+
+
/* Files with date -- check for day change */
if(logff[i].ffile)
{
continue;
}
}
-
-
+
+
/* Check for file change -- if the file is open already */
if(logff[i].fp)
{
{
fclose(logff[i].fp);
logff[i].fp = NULL;
-
+
merror(FILE_ERROR, ARGV0, logff[i].file);
}
snprintf(msg_alert, 512, "ossec: File rotated (inode "
"changed): '%s'.",
logff[i].file);
-
+
/* Send message about log rotated */
- SendMSG(logr_queue, msg_alert,
+ SendMSG(logr_queue, msg_alert,
"ossec-logcollector", LOCALFILE_MQ);
-
+
debug1("%s: DEBUG: File inode changed. %s",
ARGV0, logff[i].file);
-
+
fclose(logff[i].fp);
#ifdef WIN32
CloseHandle(logff[i].h);
CloseHandle(h1);
#endif
-
+
logff[i].fp = NULL;
handle_file(i, 0, 1);
continue;
snprintf(msg_alert, 512, "ossec: File size reduced "
"(inode remained): '%s'.",
logff[i].file);
-
+
/* Send message about log rotated */
- SendMSG(logr_queue, msg_alert,
+ SendMSG(logr_queue, msg_alert,
"ossec-logcollector", LOCALFILE_MQ);
-
+
debug1("%s: DEBUG: File size reduced. %s",
ARGV0, logff[i].file);
CloseHandle(logff[i].h);
CloseHandle(h1);
#endif
-
+
logff[i].fp = NULL;
handle_file(i, 1, 1);
}
}
#endif
}
-
-
- /* Too many errors for the file */
+
+
+ /* Too many errors for the file */
if(logff[i].ign > open_file_attempts)
{
/* 999 Maximum ignore */
{
continue;
}
-
+
merror(LOGC_FILE_ERROR, ARGV0, logff[i].file);
if(logff[i].fp)
{
CloseHandle(logff[i].h);
#endif
}
-
+
logff[i].fp = NULL;
logff[i].ign = 999;
continue;
}
-
-
- /* File not opened */
+
+
+ /* File not opened */
if(!logff[i].fp)
{
if(logff[i].ign >= 999)
{
struct tm *p;
time_t __ctime = time(0);
-
+
char lfile[OS_FLSIZE + 1];
size_t ret;
p = localtime(&__ctime);
-
+
/* Handle file */
if(p->tm_mday == _cday)
{
ErrorExit(PARSE_ERROR, ARGV0, logff[i].ffile);
}
-
-
+
+
/* Update the file name */
if(strcmp(lfile, logff[i].file) != 0)
{
os_free(logff[i].file);
- os_strdup(lfile, logff[i].file);
+ os_strdup(lfile, logff[i].file);
verbose(VAR_LOG_MON, ARGV0, logff[i].file);
-
+
/* Setting cday to zero because other files may need
* to be changed.
*/
{
int fd;
struct stat stat_fd;
-
+
/* We must be able to open the file, fseek and get the
* time of change from it.
*/
logff[i].fp = NULL;
return(-1);
}
-
+
logff[i].fd = stat_fd.st_ino;
logff[i].size = stat_fd.st_size;
-
+
#else
BY_HANDLE_FILE_INFORMATION lpFileInformation;
}
#endif
}
-
+
/* Setting ignore to zero */
logff[i].ign = 0;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/logcollector.h, 2012/03/28 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/* Read logcollector config */
-int LogCollectorConfig(char * cfgfile);
+int LogCollectorConfig(char * cfgfile, int accept_remote);
/* Stary log collector daemon */
void LogCollectorStart();
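Review bot: The new `accept_remote` parameter is undocumented in the prototype's comment, and its effect is decided inside `ReadConfig`, which callers of this header cannot see. Since main.c in this diff fills it from the `logcollector.remote_commands` internal option (0 or 1) and config.c hands it straight to `log_config.accept_remote`, the comment could read `/* Read logcollector config. accept_remote is the logcollector.remote_commands internal option (0/1) and is passed through to ReadConfig as log_config.accept_remote. */`. What the localfile parser does with it should be confirmed there before stating it here.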
/* Read snort full file */
void *read_snortfull(int pos, int *rc, int drop_it);
+/* Read ossec alert file */
+void *read_ossecalert(int pos, int *rc, int drop_it);
+
/* Read nmap grepable format */
void *read_nmapg(int pos, int *rc, int drop_it);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/main.c, 2012/03/28 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/* v0.4 (2005/11/11): Some cleanup and bug fixes
- * v0.3 (2005/08/26): Reading all files in just one process
+ * v0.3 (2005/08/26): Reading all files in just one process
* v0.2 (2005/04/04):
- */
+ */
/* Logcollector daemon.
int c;
int debug_flag = 0;
int test_config = 0,run_foreground = 0;
+ int accept_manager_commands = 0;
char *cfg = DEFAULTCPATH;
char *dir = DEFAULTDIR;
/* Setting the name */
OS_SetName(ARGV0);
-
+
while((c = getopt(argc, argv, "VtdhfD:c:")) != -1)
{
break;
case 't':
test_config = 1;
- break;
+ break;
default:
help(ARGV0);
- break;
+ break;
}
}
debug1(STARTED_MSG,ARGV0);
+ accept_manager_commands = getDefine_Int("logcollector", "remote_commands",
+ 0, 1);
+
+
/* Reading config file */
- if(LogCollectorConfig(cfg) < 0)
+ if(LogCollectorConfig(cfg, accept_manager_commands) < 0)
ErrorExit(CONFIG_ERROR, ARGV0, cfg);
-
-
+
+
/* Getting loop timeout */
loop_timeout = getDefine_Int("logcollector",
"loop_timeout",
1, 120);
-
+
open_file_attempts = getDefine_Int("logcollector", "open_attempts",
2, 998);
-
+
debug_flag = getDefine_Int("logcollector",
"debug",
0,2);
-
+ accept_manager_commands = getDefine_Int("logcollector", "remote_commands",
+ 0, 1);
+
/* Getting debug values */
while(debug_flag != 0)
{
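Review bot: `accept_manager_commands` is read from `getDefine_Int("logcollector", "remote_commands", 0, 1)` twice in this hunk: once before `LogCollectorConfig(cfg, accept_manager_commands)`, where it is consumed, and again after the debug-level lookup, where nothing visible in this diff reads it afterwards. The second call is redundant and should be dropped so that a reader does not look for a second consumer. `main` continues outside this hunk.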
/* Exit if test config */
if(test_config)
exit(0);
-
+
/* No file available to monitor -- continue */
if(logff == NULL)
merror(NO_FILE, ARGV0);
}
-
+
/* Starting signal handler */
StartSIG(ARGV0);
- if (!run_foreground)
+ if (!run_foreground)
{
/* Going on daemon mode */
nowDaemon();
if(CreatePID(ARGV0, getpid()) < 0)
merror(PID_ERROR, ARGV0);
-
-
+
+
/* Waiting 6 seconds for the analysisd/agentd to settle */
debug1("%s: DEBUG: Waiting main daemons to settle.", ARGV0);
sleep(6);
-
-
+
+
/* Starting the queue. */
if((logr_queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
- /* Main loop */
+ /* Main loop */
LogCollectorStart();
-
+
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/read_command.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
}
- snprintf(str, 256, "ossec: output: '%s': ",
- (NULL != logff[pos].alias)
- ? logff[pos].alias
+ snprintf(str, 256, "ossec: output: '%s': ",
+ (NULL != logff[pos].alias)
+ ? logff[pos].alias
: logff[pos].command);
cmd_size = strlen(str);
while(fgets(str + cmd_size, OS_MAXSTR - OS_LOG_HEADER - 256, cmd_output) != NULL)
{
/* Getting the last occurence of \n */
- if ((p = strrchr(str, '\n')) != NULL)
+ if ((p = strrchr(str, '\n')) != NULL)
{
*p = '\0';
}
{
continue;
}
-
-
+
+
debug2("%s: DEBUG: Reading command message: '%s'", ARGV0, str);
-
+
/* Sending message to queue */
if(drop_it == 0)
{
pclose(cmd_output);
- return(NULL);
+ return(NULL);
}
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/read_djb_multilog.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
char *(djb_month[])={"Jan","Feb","Mar","Apr","May","Jun","Jul","Aug",
"Sep","Oct","Nov","Dec"};
-char djb_host[512 +1];
-
+char djb_host[512 +1];
+
/* Initializes multilog. */
#else
strncpy(djb_host, "win32", 512 -1);
#endif
-
+
/* Multilog must be in the following format: /path/program_name/current */
if(!tmp_str)
return(0);
-
+
/* Must end with /current and must not be in the beginning of the string. */
if((strcmp(tmp_str, "/current") != 0) || (tmp_str == logff[pos].file))
{
return(0);
}
-
+
os_strdup(djbp_name+1, logff[pos].djb_program_name);
tmp_str[0] = '/';
{
return(NULL);
}
-
+
/* Getting new entry */
while(fgets(str, OS_MAXSTR - OS_LOG_HEADER, logff[pos].fp) != NULL)
{
-
+
/* Getting buffer size */
str_len = strlen(str);
-
+
/* Getting the last occurence of \n */
- if ((p = strrchr(str, '\n')) != NULL)
+ if ((p = strrchr(str, '\n')) != NULL)
{
*p = '\0';
{
need_clear = 1;
}
-
-
+
+
/* Multilog messages have the following format:
* @40000000463246020c2ca16c xx...
*/
if((str_len > 26) &&
- (str[0] == '@') &&
+ (str[0] == '@') &&
isalnum((int)str[1]) &&
isalnum((int)str[2]) &&
isalnum((int)str[3]) &&
{
p++;
}
-
-
+
+
/* If message has a valid syslog header, send as is. */
if((str_len > 44) &&
- (p[3] == ' ') &&
+ (p[3] == ' ') &&
(p[6] == ' ') &&
(p[9] == ':') &&
(p[12] == ':') &&
p);
}
}
-
-
+
+
else
{
debug2("%s: DEBUG: Invalid DJB log: '%s'", ARGV0, str);
continue;
}
-
-
+
+
debug2("%s: DEBUG: Reading DJB multilog message: '%s'", ARGV0, buffer);
-
+
/* Sending message to queue */
if(drop_it == 0)
{
}
}
}
-
+
continue;
}
- return(NULL);
+ return(NULL);
}
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/read_fullcommand.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2010 Trend Micro Inc.
* All right reserved.
snprintf(str, 256, "ossec: output: '%s':\n",
- (NULL != logff[pos].alias)
- ? logff[pos].alias
+ (NULL != logff[pos].alias)
+ ? logff[pos].alias
: logff[pos].command);
cmd_size = strlen(str);
str[cmd_size +n] = '\0';
/* Getting the last occurence of \n */
- if ((p = strrchr(str, '\n')) != NULL)
+ if ((p = strrchr(str, '\n')) != NULL)
{
*p = '\0';
}
-
+
debug2("%s: DEBUG: Reading command message: '%s'", ARGV0, str);
/* Removing empty lines. */
}
strfinal[n] = '\0';
-
+
/* Sending message to queue */
if(drop_it == 0)
{
pclose(cmd_output);
- return(NULL);
+ return(NULL);
}
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/read_mssql_log.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
-/* Send mssql message and check the return code.
+/* Send mssql message and check the return code.
*/
void __send_mssql_msg(int pos, int drop_it, char *buffer)
{
/* Zeroing buffer and str */
buffer[0] = '\0';
- buffer[OS_MAXSTR] = '\0';
+ buffer[OS_MAXSTR] = '\0';
str[OS_MAXSTR]= '\0';
*rc = 0;
/* Getting new entry */
while(fgets(str, OS_MAXSTR - OS_LOG_HEADER, logff[pos].fp) != NULL)
{
-
+
/* Getting buffer size */
str_len = strlen(str);
-
+
/* Checking str_len size. Very useless, but just to make sure.. */
if(str_len >= sizeof(buffer) -2)
{
str_len = sizeof(buffer) -10;
}
-
+
/* Getting the last occurence of \n */
- if ((p = strrchr(str, '\n')) != NULL)
+ if ((p = strrchr(str, '\n')) != NULL)
{
*p = '\0';
{
need_clear = 1;
}
-
-
+
+
#ifdef WIN32
if ((p = strrchr(str, '\r')) != NULL)
{
}
#endif
-
+
/* MSSQL messages have the following formats:
* 2009-03-25 04:47:30.01 Server
* 2009-02-06 11:48:59 Server
*/
if((str_len > 19) &&
- (str[4] == '-') &&
- (str[7] == '-') &&
- (str[10] == ' ') &&
- (str[13] == ':') &&
- (str[16] == ':') &&
+ (str[4] == '-') &&
+ (str[7] == '-') &&
+ (str[10] == ' ') &&
+ (str[13] == ':') &&
+ (str[16] == ':') &&
isdigit((int)str[0]) &&
isdigit((int)str[1]) &&
isdigit((int)str[2]) &&
isdigit((int)str[3]))
{
-
+
/* If the saved message is empty, set it and continue. */
if(buffer[0] == '\0')
{
strncpy(buffer, str, str_len + 2);
}
}
-
-
+
+
/* Query logs can be in multiple lines.
* They always start with a tab in the additional ones.
*/
{
/* Size of the buffer */
int buffer_len = strlen(buffer);
-
+
p = str;
-
+
/* Removing extra spaces and tabs */
while(*p == ' ' || *p == '\t')
{
p++;
}
-
-
+
+
/* Adding additional message to the saved buffer. */
if(sizeof(buffer) - buffer_len > str_len +256)
{
strncat(buffer, str, str_len +3);
}
}
-
+
continue;
}
{
__send_mssql_msg(pos, drop_it, buffer);
}
-
- return(NULL);
+
+ return(NULL);
}
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/read_multiline.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2010 Trend Micro Inc.
* All right reserved.
linesgot++;
/* Getting the last occurence of \n */
- if ((p = strrchr(str, '\n')) != NULL)
+ if ((p = strrchr(str, '\n')) != NULL)
{
*p = '\0';
}
-
+
/* If we didn't get the new line, because the
* size is large, send what we got so far.
*/
debug1("%s: Message not complete. Trying again: '%s'", ARGV0,str);
fsetpos(logff[pos].fp, &fp_pos);
break;
- }
-
+ }
+
#ifdef WIN32
if ((p = strrchr(str, '\r')) != NULL)
{
*p = '\0';
}
#endif
-
+
debug2("%s: DEBUG: Reading message: '%s'", ARGV0, str);
-
+
/* Adding to buffer. */
buffer_size = strlen(buffer);
strncpy(buffer + buffer_size, str, OS_MAXSTR - buffer_size -2);
-
+
if(linesgot < linecount)
{
continue;
}
-
+
/* Sending message to queue */
if(drop_it == 0)
}
__ms = 0;
}
-
+
fgetpos(logff[pos].fp, &fp_pos);
continue;
}
- return(NULL);
+ return(NULL);
}
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/read_mysql_log.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/* Getting new entry */
while(fgets(str, OS_MAXSTR - OS_LOG_HEADER, logff[pos].fp) != NULL)
{
-
+
/* Getting buffer size */
str_len = strlen(str);
-
+
/* Getting the last occurence of \n */
- if ((p = strrchr(str, '\n')) != NULL)
+ if ((p = strrchr(str, '\n')) != NULL)
{
*p = '\0';
{
need_clear = 1;
}
-
-
+
+
#ifdef WIN32
if ((p = strrchr(str, '\r')) != NULL)
{
}
#endif
-
+
/* Mysql messages have the following format:
* 070823 21:01:30 xx
*/
if((str_len > 18) &&
- (str[6] == ' ') &&
- (str[9] == ':') &&
- (str[12] == ':') &&
+ (str[6] == ' ') &&
+ (str[9] == ':') &&
+ (str[12] == ':') &&
isdigit((int)str[0]) &&
isdigit((int)str[1]) &&
isdigit((int)str[2]) &&
strncpy(__mysql_last_time, str, 16);
__mysql_last_time[15] = '\0';
-
+
/* Removing spaces and tabs */
p = str + 15;
while(*p == ' ' || *p == '\t')
{
p++;
}
-
-
+
+
/* Valid MySQL message */
- snprintf(buffer, OS_MAXSTR, "MySQL log: %s %s",
+ snprintf(buffer, OS_MAXSTR, "MySQL log: %s %s",
__mysql_last_time, p);
}
-
-
+
+
/* Multiple events at the same second share the same
* time stamp.
* 0909 2020 2020 2020 20
{
p++;
}
-
- /* Valid MySQL message */
- snprintf(buffer, OS_MAXSTR, "MySQL log: %s %s",
- __mysql_last_time, p);
+
+ /* Valid MySQL message */
+ snprintf(buffer, OS_MAXSTR, "MySQL log: %s %s",
+ __mysql_last_time, p);
}
else
{
continue;
}
-
-
+
+
debug2("%s: DEBUG: Reading mysql messages: '%s'", ARGV0, buffer);
-
+
/* Sending message to queue */
if(drop_it == 0)
{
}
}
}
-
+
continue;
}
- return(NULL);
+ return(NULL);
}
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/read_nmapg.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* Get port and protocol.
+/* Get port and protocol.
*/
static char *__get_port(char *str, char *proto, char *port, int msize)
{
str++;
}
-
+
/* Getting port */
p = strchr(str, '/');
if(!p)
*p = '\0';
p++;
-
+
/* Getting port */
strncpy(port, str, msize);
port[msize -1] = '\0';
-
-
+
+
/* Checking if the port is open */
q = __go_after(p, NMAPG_OPEN);
if(!q)
p = strchr(q, '/');
if(!p)
return(NULL);
- p++;
+ p++;
}
else
{
p = q;
}
-
-
+
+
/* Getting protocol */
str = p;
*p = '\0';
p++;
-
+
strncpy(proto, str, msize);
proto[msize -1] = '\0';
-
-
+
+
/* Setting proto to null if port is not open */
if(filtered)
- proto[0] = '\0';
-
-
+ proto[0] = '\0';
+
+
/* Removing slashes */
if(*p == '/')
{
return(q);
}
-
+
return(NULL);
}
/* X and Y must be not null */
if(!x || !y)
return(NULL);
-
+
x_s = strlen(x);
y_s = strlen(y);
{
int final_msg_s;
int need_clear = 0;
-
+
char str[OS_MAXSTR + 1];
char final_msg[OS_MAXSTR + 1];
char buffer[OS_MAXSTR + 1];
char *ip = NULL;
char *p;
char *q;
-
+
*rc = 0;
str[OS_MAXSTR] = '\0';
final_msg[OS_MAXSTR] = '\0';
}
continue;
}
-
+
/* Removing \n at the end of the string */
if ((q = strchr(str, '\n')) != NULL)
{
need_clear = 1;
}
-
+
/* Do not get commented lines */
if((str[0] == '#') || (str[0] == '\0'))
{
continue;
}
-
+
/* Getting host */
q = __go_after(str, NMAPG_HOST);
if(!q)
{
goto file_error;
}
-
-
+
+
/* Getting ip/hostname */
p = strchr(q, ')');
if(!p)
goto file_error;
}
-
+
/* Setting the valid ip */
ip = q;
-
+
/* Getting the ports */
/* Now fixing p, to have the closing parenthesis */
p++;
*p = '\0';
-
-
+
+
/* q now should point to the ports */
p = __go_after(q, NMAPG_PORT);
if(!p)
snprintf(final_msg, OS_MAXSTR, "Host: %s, open ports:",
ip);
final_msg_s = OS_MAXSTR - ((strlen(final_msg) +3));
-
+
/* Getting port and protocol */
do
{
break;
}
-
+
p = __get_port(p, proto, port, 9);
if(!p)
{
break;
}
-
+
/* Port not open */
if(proto[0] == '\0')
{
continue;
}
-
+
/* Adding ports */
snprintf(buffer, OS_MAXSTR, " %s(%s)", port, proto);
strncat(final_msg, buffer, final_msg_s);
final_msg_s-=(strlen(buffer) +2);
-
+
}while(*p == ',' && (p++));
-
+
if(drop_it == 0)
- {
+ {
/* Sending message to queue */
- if(SendMSG(logr_queue, final_msg, logff[pos].file,
+ if(SendMSG(logr_queue, final_msg, logff[pos].file,
HOSTINFO_MQ) < 0)
{
merror(QUEUE_SEND, ARGV0);
}
}
-
+
/* Getting next */
continue;
-
+
/* Handling errors */
file_error:
-
+
merror("%s: Bad formated nmap grepable file.", ARGV0);
*rc = -1;
return(NULL);
-
+
}
-
+
return(NULL);
}
--- /dev/null
+/* @(#) $Id: ./src/logcollector/read_ossecalert.c, 2012/03/30 dcid Exp $
+ */
+
+/* Copyright (C) 2012 Daniel B. Cid (http://dcid.me)
+ * All right reserved.
+ *
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Read the syslog */
+
+
+#include "shared.h"
+#include "headers/read-alert.h"
+#include "logcollector.h"
+
+
+
+/* Read syslog files/snort fast/apache files */
+void *read_ossecalert(int pos, int *rc, int drop_it)
+{
+ alert_data *al_data;
+ char user_msg[256];
+ char srcip_msg[256];
+
+ char syslog_msg[OS_SIZE_2048 +1];
+
+ al_data = GetAlertData(0, logff[pos].fp);
+ if(!al_data)
+ {
+ return(NULL);
+ }
+
+
+ memset(syslog_msg, '\0', OS_SIZE_2048 +1);
+
+
+
+ /* Adding source ip. */
+ if(!al_data->srcip ||
+ ((al_data->srcip[0] == '(') &&
+ (al_data->srcip[1] == 'n') &&
+ (al_data->srcip[2] == 'o')))
+ {
+ srcip_msg[0] = '\0';
+ }
+ else
+ {
+ snprintf(srcip_msg, 255, " srcip: %s;", al_data->srcip);
+ }
+
+
+ /* Adding username. */
+ if(!al_data->user ||
+ ((al_data->user[0] == '(') &&
+ (al_data->user[1] == 'n') &&
+ (al_data->user[2] == 'o')))
+ {
+ user_msg[0] = '\0';
+ }
+ else
+ {
+ snprintf(user_msg, 255, " user: %s;", al_data->user);
+ }
+
+
+ if(al_data->log[1] == NULL)
+ {
+ /* Building syslog message. */
+ snprintf(syslog_msg, OS_SIZE_2048,
+ "ossec: Alert Level: %d; Rule: %d - %s; "
+ "Location: %s;%s%s %s",
+ al_data->level, al_data->rule, al_data->comment,
+ al_data->location,
+ srcip_msg,
+ user_msg,
+ al_data->log[0]);
+ }
+ else
+ {
+ char *tmp_msg = NULL;
+ short int j = 0;
+
+ while(al_data->log[j] != NULL)
+ {
+ tmp_msg = os_LoadString(tmp_msg, al_data->log[j]);
+ tmp_msg = os_LoadString(tmp_msg, "\n");
+ if(tmp_msg == NULL)
+ {
+ FreeAlertData(al_data);
+ return(NULL);
+ }
+ j++;
+ }
+ if(strlen(tmp_msg) > 1596)
+ {
+ tmp_msg[1594] = '.';
+ tmp_msg[1595] = '.';
+ tmp_msg[1596] = '.';
+ tmp_msg[1597] = '\0';
+ }
+ snprintf(syslog_msg, OS_SIZE_2048,
+ "ossec: Alert Level: %d; Rule: %d - %s; "
+ "Location: %s;%s%s %s",
+ al_data->level, al_data->rule, al_data->comment,
+ al_data->location,
+ srcip_msg,
+ user_msg,
+ tmp_msg);
+ }
+
+
+ /* Clearing the memory */
+ FreeAlertData(al_data);
+
+
+
+ /* Sending message to queue */
+ if(drop_it == 0)
+ {
+ if(SendMSG(logr_queue,syslog_msg,logff[pos].file, LOCALFILE_MQ) < 0)
+ {
+ merror(QUEUE_SEND, ARGV0);
+ if((logr_queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
+ {
+ ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
+ }
+ }
+ }
+
+ return(NULL);
+}
+
+
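Review bot: In the multi-line branch of `read_ossecalert`, `tmp_msg` is built with `os_LoadString` and then used only by the `snprintf`, but never released, so every multi-line alert leaks its concatenated copy if `os_LoadString` heap-allocates, as the `== NULL` check suggests; adding `free(tmp_msg);` after that `snprintf` closes it (the early-return path already frees `al_data`). The file-level comments `/* Read the syslog */` and `/* Read syslog files/snort fast/apache files */` are copied from another reader and should describe this one, e.g. `/* Read OSSEC alerts.log entries and forward them as single-line syslog-style messages */`. Unlike the sibling readers in this diff, `*rc` is never assigned, so the caller sees whatever it held before; set `*rc = 0;` at entry or document that `rc` is untouched.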
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/read_postgresql_log.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
-/* Send pgsql message and check the return code.
+/* Send pgsql message and check the return code.
*/
void __send_pgsql_msg(int pos, int drop_it, char *buffer)
{
/* Zeroing buffer and str */
buffer[0] = '\0';
- buffer[OS_MAXSTR] = '\0';
+ buffer[OS_MAXSTR] = '\0';
str[OS_MAXSTR]= '\0';
*rc = 0;
/* Getting new entry */
while(fgets(str, OS_MAXSTR - OS_LOG_HEADER, logff[pos].fp) != NULL)
{
-
+
/* Getting buffer size */
str_len = strlen(str);
-
+
/* Checking str_len size. Very useless, but just to make sure.. */
if(str_len >= sizeof(buffer) -2)
{
str_len = sizeof(buffer) -10;
}
-
+
/* Getting the last occurence of \n */
- if ((p = strrchr(str, '\n')) != NULL)
+ if ((p = strrchr(str, '\n')) != NULL)
{
*p = '\0';
{
need_clear = 1;
}
-
-
+
+
#ifdef WIN32
if ((p = strrchr(str, '\r')) != NULL)
{
}
#endif
-
+
/* PostgreSQL messages have the following format:
* [2007-08-31 19:17:32.186 ADT] 192.168.2.99:db_name
*/
if((str_len > 32) &&
- (str[0] == '[') &&
- (str[5] == '-') &&
- (str[8] == '-') &&
- (str[11] == ' ') &&
- (str[14] == ':') &&
- (str[17] == ':') &&
+ (str[0] == '[') &&
+ (str[5] == '-') &&
+ (str[8] == '-') &&
+ (str[11] == ' ') &&
+ (str[14] == ':') &&
+ (str[17] == ':') &&
isdigit((int)str[1]) &&
isdigit((int)str[12]))
{
-
+
/* If the saved message is empty, set it and continue. */
if(buffer[0] == '\0')
{
strncpy(buffer, str, str_len + 2);
}
}
-
-
+
+
/* Query logs can be in multiple lines.
* They always start with a tab in the additional ones.
*/
{
/* Size of the buffer */
int buffer_len = strlen(buffer);
-
+
p = str +1;
-
+
/* Removing extra spaces and tabs */
while(*p == ' ' || *p == '\t')
{
p++;
}
-
-
+
+
/* Adding additional message to the saved buffer. */
if(sizeof(buffer) - buffer_len > str_len +256)
{
strncat(buffer, str, str_len +3);
}
}
-
+
continue;
}
{
__send_pgsql_msg(pos, drop_it, buffer);
}
-
- return(NULL);
+
+ return(NULL);
}
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/read_snortfull.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
void *read_snortfull(int pos, int *rc, int drop_it)
{
int f_msg_size = OS_MAXSTR;
-
+
char *one = "one";
char *two = "two";
-
+
char *p = NULL;
char *q;
char str[OS_MAXSTR + 1];
char f_msg[OS_MAXSTR +1];
-
+
*rc = 0;
str[OS_MAXSTR]='\0';
f_msg[OS_MAXSTR] = '\0';
f_msg_size -= strlen(str)+1;
p = two;
}
-
+
/* If it is a preprocessor message, it will not have
* the classification.
*/
strncat(f_msg, "[Classification: Preprocessor] "
"[Priority: 3] ", f_msg_size);
strncat(f_msg, ++q, f_msg_size -40);
-
+
/* Cleaning for next event */
p = NULL;
-
+
/* Sending the message */
if(drop_it == 0)
{
}
}
}
-
+
f_msg[0] = '\0';
f_msg_size = OS_MAXSTR;
str[0] = '\0';
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/read_syslog.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
while(fgets(str, OS_MAXSTR - OS_LOG_HEADER, logff[pos].fp) != NULL)
{
/* Getting the last occurence of \n */
- if ((p = strrchr(str, '\n')) != NULL)
+ if ((p = strrchr(str, '\n')) != NULL)
{
*p = '\0';
}
-
+
/* If we didn't get the new line, because the
* size is large, send what we got so far.
*/
debug1("%s: Message not complete. Trying again: '%s'", ARGV0,str);
fsetpos(logff[pos].fp, &fp_pos);
break;
- }
-
+ }
+
#ifdef WIN32
if ((p = strrchr(str, '\r')) != NULL)
{
continue;
}
#endif
-
+
debug2("%s: DEBUG: Reading syslog message: '%s'", ARGV0, str);
-
+
/* Sending message to queue */
if(drop_it == 0)
{
/* Incorrectly message size */
if(__ms)
{
- merror("%s: Large message size: '%s'", ARGV0, str);
+ // strlen(str) >= (OS_MAXSTR - OS_LOG_HEADER - 2)
+ // truncate str before logging to ossec.log
+#define OUTSIZE 4096
+ char buf[OUTSIZE + 1];
+ buf[OUTSIZE] = '\0';
+ snprintf(buf, OUTSIZE, "%s", str);
+ merror("%s: Large message size(length=%d): '%s...'", ARGV0, (int)strlen(str), buf);
while(fgets(str, OS_MAXSTR - 2, logff[pos].fp) != NULL)
{
/* Getting the last occurence of \n */
}
__ms = 0;
}
-
+
fgetpos(logff[pos].fp, &fp_pos);
continue;
}
- return(NULL);
+ return(NULL);
}
/* EOF */
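Review bot: `#define OUTSIZE 4096` sits inside the `if(__ms)` block, but a preprocessor definition is not block-scoped, so the macro stays defined for the rest of the translation unit; move it to file scope under a descriptive name (e.g. `#define SYSLOG_TRUNC_SIZE 4096`) or `#undef OUTSIZE` at the end of the block. The error line always appends `...` after the truncated copy; since `__ms` is set only when the line overran the fgets limit this is presumably always accurate, but it silently assumes `OS_MAXSTR - OS_LOG_HEADER - 2` is larger than OUTSIZE, which is worth stating in the comment above the define. Using `snprintf(buf, sizeof(buf), "%s", str)` rather than the bare constant would also keep the copy bound tied to the declaration, and it makes the preceding `buf[OUTSIZE] = '\0'` unnecessary since snprintf terminates. read_syslog's body begins outside this hunk.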
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/logcollector/read_win_el.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#include "shared.h"
-#include "logcollector.h"
+#include "logcollector.h"
/* This is only for windows */
/** int startEL(char *app, os_el *el)
- * Starts the event logging for each el
+ * Starts the event logging for each el
*/
int startEL(char *app, os_el *el)
{
DWORD NumberOfRecords = 0;
-
+
/* Opening the event log */
el->h = OpenEventLog(NULL, app);
if(!el->h)
{
merror(EVTLOG_OPEN, ARGV0, app);
- return(-1);
+ return(-1);
}
el->name = app;
el->h = NULL;
return(-1);
}
-
+
if(NumberOfRecords <= 0)
{
return(0);
}
-
+
return((int)NumberOfRecords);
}
-/** char *el_getCategory(int category_id)
+/** char *el_getCategory(int category_id)
* Returns a string related to the category id of the log.
*/
char *el_getCategory(int category_id)
/** char *el_getEventDLL(char *evt_name, char *source, char *event)
* Returns the event.
*/
-char *el_getEventDLL(char *evt_name, char *source, char *event)
+char *el_getEventDLL(char *evt_name, char *source, char *event)
{
char *ret_str;
HKEY key;
keyname[511] = '\0';
- snprintf(keyname, 510,
- "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s",
- evt_name,
+ snprintf(keyname, 510,
+ "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s",
+ evt_name,
source);
}
- /* Opening registry */
- if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, keyname, 0,
+ /* Opening registry */
+ if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, keyname, 0,
KEY_ALL_ACCESS, &key) != ERROR_SUCCESS)
{
- return(NULL);
+ return(NULL);
}
ret = MAX_PATH -1;
- if (RegQueryValueEx(key, "EventMessageFile", NULL,
+ if (RegQueryValueEx(key, "EventMessageFile", NULL,
NULL, (LPBYTE)event, &ret) != ERROR_SUCCESS)
{
event[0] = '\0';
skey = strdup(keyname + 42);
sval = strdup(event);
-
+
if(skey && sval)
{
- OSHash_Add(dll_hash, skey, sval);
+ OSHash_Add(dll_hash, skey, sval);
}
else
{
merror(MEM_ERROR, ARGV0);
}
}
-
+
RegCloseKey(key);
return(event);
}
-/** char *el_vista_getmessage()
+/** char *el_vista_getmessage()
* Returns a descriptive message of the event - Vista only.
*/
char *el_vista_getMessage(int evt_id_int, LPTSTR *el_sstring)
/* Getting descriptive message. */
evt_id[15] = '\0';
snprintf(evt_id, 15, "%d", evt_id_int);
-
+
desc_string = OSHash_Get(vista_sec_id_hash, evt_id);
if(!desc_string)
{
return(NULL);
}
-
- if(!FormatMessage(fm_flags, desc_string, 0, 0,
+
+ if(!FormatMessage(fm_flags, desc_string, 0, 0,
(LPTSTR) &message, 0, el_sstring))
{
return(NULL);
-/** char *el_getmessage()
+/** char *el_getmessage()
* Returns a descriptive message of the event.
*/
-char *el_getMessage(EVENTLOGRECORD *er, char *name,
- char * source, LPTSTR *el_sstring)
+char *el_getMessage(EVENTLOGRECORD *er, char *name,
+ char * source, LPTSTR *el_sstring)
{
DWORD fm_flags = 0;
char tmp_str[257];
/* Get the file name from the registry (stored on event) */
if(!(curr_str = el_getEventDLL(name, source, event)))
{
- return(NULL);
- }
+ return(NULL);
+ }
- /* If our event has multiple libraries, try each one of them */
+ /* If our event has multiple libraries, try each one of them */
while((next_str = strchr(curr_str, ';')))
{
*next_str = '\0';
/* Reverting back old value. */
*next_str = ';';
-
+
/* Loading library. */
- hevt = LoadLibraryEx(tmp_str, NULL,
+ hevt = LoadLibraryEx(tmp_str, NULL,
DONT_RESOLVE_DLL_REFERENCES |
LOAD_LIBRARY_AS_DATAFILE);
if(hevt)
if(!FormatMessage(fm_flags, hevt, er->EventID, 0,
(LPTSTR) &message, 0, el_sstring))
{
- message = NULL;
+ message = NULL;
}
FreeLibrary(hevt);
curr_str = next_str +1;
}
-
+
/* Getting last value. */
ExpandEnvironmentStrings(curr_str, tmp_str, 255);
- hevt = LoadLibraryEx(tmp_str, NULL,
+ hevt = LoadLibraryEx(tmp_str, NULL,
DONT_RESOLVE_DLL_REFERENCES |
LOAD_LIBRARY_AS_DATAFILE);
if(hevt)
{
- int hr;
- if(!(hr = FormatMessage(fm_flags, hevt, er->EventID,
+ int hr;
+ if(!(hr = FormatMessage(fm_flags, hevt, er->EventID,
0,
(LPTSTR) &message, 0, el_sstring)))
{
- message = NULL;
+ message = NULL;
}
FreeLibrary(hevt);
/** void readel(os_el *el)
* Reads the event log.
- */
+ */
void readel(os_el *el, int printit)
{
DWORD _evtid = 65535;
LPSTR el_sstring[OS_FLSIZE +1];
/* Er must point to the mbuffer */
- el->er = (EVENTLOGRECORD *) &mbuffer;
+ el->er = (EVENTLOGRECORD *) &mbuffer;
/* Zeroing the values */
el_string[OS_MAXSTR] = '\0';
return;
}
- /* Reading the event log */
- while(ReadEventLog(el->h,
+ /* Reading the event log */
+ while(ReadEventLog(el->h,
EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
0,
el->er, BUFFER_SIZE -1, &read, &needed))
continue;
}
-
+
while(read > 0)
{
/* Getting event id. */
id = (int)el->er->EventID & _evtid;
-
+
/* Initialing domain/user size */
else
{
merror("%s: Invalid application string (size+)",
- ARGV0);
+ ARGV0);
}
size_left-=str_size + 2;
if(sstr)
sstr++;
else
- break;
+ break;
}
/* Get a more descriptive message (if available) */
else
{
- descriptive_msg = el_getMessage(el->er,
- el->name,
- source,
+ descriptive_msg = el_getMessage(el->er,
+ el->name,
+ source,
el_sstring);
}
-
+
if(descriptive_msg != NULL)
{
/* Remove any \n or \r */
* So whenever we have option:\tvalue\t, it will
* become option: value\t
*/
- tmp_str = descriptive_msg;
+ tmp_str = descriptive_msg;
while(*tmp_str != '\0')
{
if(*tmp_str == '\n')
tmp_str[1] = ' ';
tmp_str++;
}
-
+
tmp_str++;
}
}
if(el->er->UserSidLength)
{
SID_NAME_USE account_type;
- if(!LookupAccountSid(NULL,
- (SID *)((LPSTR)el->er +
+ if(!LookupAccountSid(NULL,
+ (SID *)((LPSTR)el->er +
el->er->UserSidOffset),
- el_user,
- &user_size,
- el_domain,
- &domain_size,
+ el_user,
+ &user_size,
+ el_domain,
+ &domain_size,
&account_type))
{
strncpy(el_user, "(no user)", 255);
break;
case 4634:
uid_array_id = 1;
- break;
+ break;
case 4647:
uid_array_id = 1;
- break;
+ break;
case 4769:
uid_array_id = 0;
break;
}
- if((uid_array_id >= 0) &&
+ if((uid_array_id >= 0) &&
el_sstring[uid_array_id] &&
el_sstring[uid_array_id +1])
{
strncpy(el_domain, "no domain", 255);
}
}
-
+
else
{
strncpy(el_user, "(no user)", 255);
if(printit)
{
DWORD _evtid = 65535;
- int id = (int)el->er->EventID & _evtid;
-
- final_msg[OS_MAXSTR - OS_LOG_HEADER] = '\0';
- final_msg[OS_MAXSTR - OS_LOG_HEADER -1] = '\0';
-
- snprintf(final_msg, OS_MAXSTR - OS_LOG_HEADER -1,
- "WinEvtLog: %s: %s(%d): %s: %s: %s: %s: %s",
+ int id = (int)el->er->EventID & _evtid;
+
+ final_msg[OS_MAXSTR - OS_LOG_HEADER] = '\0';
+ final_msg[OS_MAXSTR - OS_LOG_HEADER -1] = '\0';
+
+ snprintf(final_msg, OS_MAXSTR - OS_LOG_HEADER -1,
+ "WinEvtLog: %s: %s(%d): %s: %s: %s: %s: %s",
el->name,
- category,
+ category,
id,
source,
el_user,
el_domain,
computer_name,
descriptive_msg != NULL?descriptive_msg:el_string);
-
+
if(SendMSG(logr_queue, final_msg, "WinEvtLog",
LOCALFILE_MQ) < 0)
{
char msg_alert[512 +1];
msg_alert[512] = '\0';
merror("%s: WARN: Event log cleared: '%s'", ARGV0, el->name);
-
+
/* Send message about cleared */
snprintf(msg_alert, 512, "ossec: Event log cleared: '%s'", el->name);
/* Reopening. */
if(startEL(el->name, el) < 0)
{
- merror("%s: ERROR: Unable to reopen event log '%s'",
+ merror("%s: ERROR: Unable to reopen event log '%s'",
ARGV0, el->name);
}
}
exit(1);
}
-
+
/* Reading the whole file and adding to memory. */
while(fgets(buf, OS_MAXSTR, fp) != NULL)
{
char *key;
char *desc;
-
+
/* Getting the last occurence of \n */
if ((p = strrchr(buf, '\n')) != NULL)
{
while(*p == ' ')
p++;
-
+
/* Allocating memory. */
desc = strdup(p);
key = strdup(buf);
"description.", ARGV0);
continue;
}
-
-
- /* Inserting on hash. */
+
+
+ /* Inserting on hash. */
OSHash_Add(vista_sec_id_hash, key, desc);
}
void win_startel(char *evt_log)
{
int entries_count = 0;
-
+
/* Maximum size */
if(el_last == 9)
{
}
}
-
+
/* Starting event log -- going to last available record */
if((entries_count = startEL(evt_log, &el[el_last])) < 0)
{
}
-/** void win_readel()
+/** void win_readel()
* Reads the event logging for windows
*/
void win_readel()
{
int i = 0;
-
+
/* Sleep plus 2 seconds before reading again */
Sleep(2000);
-
+
for(;i<el_last;i++)
readel(&el[i],1);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/monitord/compress_log.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
{
FILE *log;
gzFile *zlog;
-
+
char logfileGZ[OS_FLSIZE + 1];
int len, err;
-
+
char buf[OS_MAXSTR + 1];
-
+
/* Do not compress */
if(mond.compress == 0)
return;
-
-
+
+
/* Clearing the memory */
memset(logfileGZ,'\0',OS_FLSIZE +1);
memset(buf, '\0', OS_MAXSTR + 1);
/* Do not warn in here, since the alert file may not exist. */
return;
}
-
+
/* Opening compressed file */
zlog = gzopen(logfileGZ, "w");
if(!zlog)
merror(FOPEN_ERROR, ARGV0, logfileGZ);
return;
}
-
+
for(;;)
{
len = fread(buf, 1, OS_MAXSTR, log);
return;
}
-
+
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/monitord/generate_reports.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2010 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
{
merror("%s: INFO: Report '%s' empty.", ARGV0, mond.reports[s]->title);
}
- else if(OS_SendCustomEmail(mond.reports[s]->emailto, mond.reports[s]->title,
+ else if(OS_SendCustomEmail(mond.reports[s]->emailto, mond.reports[s]->title,
mond.smtpserver, mond.emailfrom, mond.reports[s]->r_filter.fp, p) != 0)
{
merror("%s: WARN: Unable to send report email.", ARGV0);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/monitord/main.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/* Setting the name */
OS_SetName(ARGV0);
-
+
while((c = getopt(argc, argv, "Vdhtfu:g:D:c:")) != -1){
switch(c){
if(!optarg)
ErrorExit("%s: -D needs an argument",ARGV0);
dir=optarg;
+ break;
case 'c':
if(!optarg)
ErrorExit("%s: -c needs an argument",ARGV0);
cfg = optarg;
break;
case 't':
- test_config = 1;
+ test_config = 1;
break;
default:
help(ARGV0);
if(test_config)
exit(0);
-
- if (!run_foreground)
+
+ if (!run_foreground)
{
/* Going on daemon mode */
nowDaemon();
goDaemon();
}
-
+
/* Privilege separation */
if(Privsep_SetGroup(gid) < 0)
ErrorExit(SETGID_ERROR,ARGV0,group);
-
+
/* chrooting */
if(Privsep_Chroot(dir) < 0)
ErrorExit(CHROOT_ERROR,ARGV0,dir);
nowChroot();
-
- /* Changing user */
+
+ /* Changing user */
if(Privsep_SetUser(uid) < 0)
ErrorExit(SETUID_ERROR,ARGV0,user);
/* Signal manipulation */
StartSIG(ARGV0);
-
+
/* Creating PID files */
if(CreatePID(ARGV0, getpid()) < 0)
ErrorExit(PID_ERROR,ARGV0);
-
+
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
-
+
/* the real daemon now */
Monitord();
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/monitord/manage_files.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
#ifndef SOLARIS
struct tm p_old;
#endif
-
+
char elogfile[OS_FLSIZE +1];
char elogfile_old[OS_FLSIZE +1];
-
+
char alogfile[OS_FLSIZE +1];
char alogfile_old[OS_FLSIZE +1];
-
+
char flogfile[OS_FLSIZE +1];
char flogfile_old[OS_FLSIZE +1];
#else
pp_old = localtime(&tm_old);
#endif
-
+
memset(elogfile, '\0', OS_FLSIZE +1);
memset(elogfile_old, '\0', OS_FLSIZE +1);
* before compressing the file.
*/
sleep(mond.day_wait);
-
+
/* Event logfile */
snprintf(elogfile, OS_FLSIZE, "%s/%d/%s/ossec-%s-%02d.log",
months[cmon],
"alerts",
cday);
- /* alert logfile old */
+ /* alert logfile old */
snprintf(alogfile_old, OS_FLSIZE, "%s/%d/%s/ossec-%s-%02d.log",
ALERTS,
pp_old->tm_year+1900,
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/monitord/monitor_agents.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
{
int available = 0;
char **tmp_av;
-
+
tmp_av = av_agents;
while(tmp_av && *tmp_av)
{
if(available == 0)
{
char str[OS_SIZE_1024 +1];
-
+
/* Sending disconnected message */
snprintf(str, OS_SIZE_1024 -1, OS_AG_DISCON, *cr_agents);
if(SendMSG(mond.a_queue, str, ARGV0,
merror(QUEUE_SEND, ARGV0);
}
}
-
+
cr_agents++;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/monitord/monitord.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/* Real monitord global */
void Monitord()
{
- time_t tm;
- struct tm *p;
+ time_t tm;
+ struct tm *p;
- int today = 0;
+ int today = 0;
int thismonth = 0;
int thisyear = 0;
sleep(10);
memset(str, '\0', OS_SIZE_1024 +1);
-
-
+
+
/* Getting currently time before starting */
tm = time(NULL);
p = localtime(&tm);
-
+
today = p->tm_mday;
thismonth = p->tm_mon;
thisyear = p->tm_year+1900;
-
-
+
+
/* Connecting to the message queue
* Exit if it fails.
*/
merror(QUEUE_SEND, ARGV0);
}
-
+
/* Main monitor loop */
while(1)
{
{
monitor_agents();
}
-
+
/* Day changed, deal with log files */
if(today != p->tm_mday)
{
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/monitord/monitord.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/monitord/report.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2010 Trend Micro Inc.
* All rights reserved.
printf("\t-f <filter> <value> Filter the results.\n");
printf("\t-r <filter> <value> Show related entries.\n");
printf("\t-n Creates a description for the report.\n");
+ printf("\t-s Show the alert dump.\n");
+ printf("\n");
+ printf("\tFilters allowed: group, rule, level, location,\n");
+ printf("\t user, srcip, filename\n");
+ printf("\n");
printf("Examples:\n");
- printf("\t-f group authentication success (to filter on login success).\n");
+ printf("\t-f group authentication_success (to filter on login success).\n");
printf("\t-f level 10 (to filter on level >= 10).\n");
printf("\t-f group authentication -r user srcip (to show the srcip for all users).\n");
exit(1);
/* Setting the name */
OS_SetName(ARGV0);
-
+
r_filter.group = NULL;
r_filter.rule = NULL;
r_filter.level = NULL;
r_filter.location = NULL;
r_filter.srcip = NULL;
r_filter.user = NULL;
+ r_filter.files = NULL;
+ r_filter.show_alerts = 0;
r_filter.related_group = 0;
r_filter.related_rule = 0;
r_filter.related_location = 0;
r_filter.related_srcip = 0;
r_filter.related_user = 0;
-
+ r_filter.related_file = 0;
+
r_filter.report_name = NULL;
- while((c = getopt(argc, argv, "Vdhtu:g:D:c:f:v:n:r:")) != -1)
+ while((c = getopt(argc, argv, "Vdhstu:g:D:c:f:v:n:r:")) != -1)
{
switch(c){
case 'V':
break;
case 'r':
if(!optarg || !argv[optind])
- ErrorExit("%s: -r needs two argument",ARGV0);
- related_of = optarg;
+ ErrorExit("%s: -r needs two argument",ARGV0);
+ related_of = optarg;
related_values = argv[optind];
if(os_report_configfilter(related_of, related_values,
filter_by = optarg;
filter_value = argv[optind];
- if(os_report_configfilter(filter_by, filter_value,
+ if(os_report_configfilter(filter_by, filter_value,
&r_filter, REPORT_FILTER) < 0)
{
ErrorExit(CONFIG_ERROR, ARGV0, "user argument");
if(!optarg)
ErrorExit("%s: -D needs an argument",ARGV0);
dir=optarg;
+ break;
case 'c':
if(!optarg)
ErrorExit("%s: -c needs an argument",ARGV0);
cfg = optarg;
break;
case 't':
- test_config = 1;
+ test_config = 1;
+ break;
+ case 's':
+ r_filter.show_alerts = 1;
break;
default:
report_help();
if((uid < 0)||(gid < 0))
ErrorExit(USER_ERROR,ARGV0,user,group);
-
+
/* Exit here if test config is set */
if(test_config)
exit(0);
-
+
/* Privilege separation */
if(Privsep_SetGroup(gid) < 0)
ErrorExit(SETGID_ERROR,ARGV0,group);
-
+
/* chrooting */
if(Privsep_Chroot(dir) < 0)
ErrorExit(CHROOT_ERROR,ARGV0,dir);
nowChroot();
-
- /* Changing user */
+
+ /* Changing user */
if(Privsep_SetUser(uid) < 0)
ErrorExit(SETUID_ERROR,ARGV0,user);
/* Signal manipulation */
StartSIG(ARGV0);
-
+
/* Creating PID files */
if(CreatePID(ARGV0, getpid()) < 0)
ErrorExit(PID_ERROR,ARGV0);
-
+
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
-
/* the real stuff now */
os_ReportdStart(&r_filter);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/monitord/sign_log.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
/* generating sha1 of the old file. */
if(OS_SHA1_File(logfilesum_old, sf_sum_old) < 0)
{
- merror("%s: No previous sha1 checksum found: '%s'. "
+ merror("%s: No previous sha1 checksum found: '%s'. "
"Starting over.", ARGV0, logfilesum_old);
strncpy(sf_sum_old, "none", 6);
}
if(OS_MD5_File(logfile, mf_sum) < 0)
{
if(log_missing)
- merror("%s: File '%s' not found. MD5 checksum skipped.",
+ merror("%s: File '%s' not found. MD5 checksum skipped.",
ARGV0, logfile);
strncpy(mf_sum, "none", 6);
}
strncpy(sf_sum, "none", 6);
}
-
+
fp = fopen(logfilesum, "w");
if(!fp)
{
fprintf(fp, "Current checksum:\n");
fprintf(fp, "MD5 (%s) = %s\n", logfile, mf_sum);
fprintf(fp, "SHA1 (%s) = %s\n\n", logfile, sf_sum);
-
+
fprintf(fp, "Chained checksum:\n");
fprintf(fp, "MD5 (%s) = %s\n", logfilesum_old, mf_sum_old);
fprintf(fp, "SHA1 (%s) = %s\n\n", logfilesum_old, sf_sum_old);
return;
}
-
+
/* EOF */
--- /dev/null
+# Makefile for authd
+# Daniel B. Cid <dcid@ossec.net>
+
+PT=../
+NAME=ossec-authd
+
+include ../Config.Make
+
+LOCAL = ssl.c
+
+OBJS = ${OS_CONFIG} ${OS_SHARED} ${OS_NET} ${OS_REGEX} ${OS_CRYPTO} ${OS_ZLIB} ${OPENSSLCMD}
+
+auth1:
+ ${CC} ${CFLAGS} ${OS_LINK} main-server.c ${LOCAL} ../addagent/validate.c ${OBJS} -o ${NAME}
+ ${CC} ${CFLAGS} ${OS_LINK} main-client.c ${LOCAL} ../addagent/validate.c ${OBJS} -o agent-auth
+clean:
+ ${CLEAN}
+ rm -f ossec-authd
+ rm -f agent-auth
+build:
+ ${BUILD}
+ cp -pr agent-auth ossec-authd ${PT}../bin
--- /dev/null
+/* @(#) $Id: ./src/os_auth/auth.h, 2011/09/08 dcid Exp $
+ */
+
+/* Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ *
+ */
+
+
+#ifndef _AUTHD_H
+#define _AUTHD_H
+
+#ifndef ARGV0
+ #define ARGV0 "ossec-authd"
+#endif
+
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#ifdef USE_OPENSSL
+
+void *os_ssl_keys(int isclient, char *dir);
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/bio.h>
+#include "os_net/os_net.h"
+#include "addagent/manage_agents.h"
+
+BIO *bio_err;
+#define KEYFILE "/etc/sslmanager.key"
+#define CERTFILE "/etc/sslmanager.cert"
+
+#endif
+
+#endif
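Review bot: `BIO *bio_err;` is a tentative definition, not a declaration, so every translation unit that includes auth.h (main-client.c and main-server.c both do, and presumably ssl.c) emits its own `bio_err`; toolchains that default to `-fno-common` reject that at link time with a duplicate-symbol error. Declare it here as `extern BIO *bio_err;` and define `BIO *bio_err = NULL;` exactly once in one of the .c files. Minor: the guard `_AUTHD_H` starts with an underscore followed by an uppercase letter, a name reserved for the implementation; `AUTHD_H` avoids that. KEYFILE and CERTFILE are absolute paths, and a one-line comment saying whether they resolve inside the chroot given by the `dir` argument of `os_ssl_keys` or against the host filesystem would tell a deployer which file is actually loaded.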
--- /dev/null
+/* @(#) $Id: ./src/os_auth/main-client.c, 2012/02/07 dcid Exp $
+ */
+
+/* Copyright (C) 2010 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ *
+ */
+
+#include "shared.h"
+
+#ifndef USE_OPENSSL
+
+int main()
+{
+ printf("ERROR: Not compiled. Missing OpenSSL support.\n");
+ exit(0);
+}
+
+
+#else
+
+#include <openssl/ssl.h>
+#include "auth.h"
+
+
+
+void report_help()
+{
+ printf("\nOSSEC HIDS %s: Connects to the manager to extract the agent key.\n", ARGV0);
+ printf("Available options:\n");
+ printf("\t-h This help message.\n");
+ printf("\t-m <manager ip> Manager IP Address.\n");
+ printf("\t-p <port> Manager port (default 1515).\n");
+ printf("\t-A <agent name> Agent name (default is the hostname).\n");
+ printf("\t-D <OSSEC Dir> Location where OSSEC is installed.\n");
+ exit(1);
+}
+
+
+
+int main(int argc, char **argv)
+{
+ int c, test_config = 0;
+ #ifndef WIN32
+ int gid = 0;
+ #endif
+
+ int sock = 0, port = 1515, ret = 0;
+ char *dir = DEFAULTDIR;
+ char *user = USER;
+ char *group = GROUPGLOBAL;
+ char *cfg = DEFAULTCPATH;
+ char *manager = NULL;
+ char *agentname = NULL;
+ char lhostname[512 + 1];
+ char buf[2048 +1];
+ SSL_CTX *ctx;
+ SSL *ssl;
+ BIO *sbio;
+
+
+ bio_err = 0;
+ buf[2048] = '\0';
+
+
+ /* Setting the name */
+ OS_SetName(ARGV0);
+
+ while((c = getopt(argc, argv, "Vdhu:g:D:c:m:p:A:")) != -1)
+ {
+ switch(c){
+ case 'V':
+ print_version();
+ break;
+ case 'h':
+ report_help();
+ break;
+ case 'd':
+ nowDebug();
+ break;
+ case 'u':
+ if(!optarg)
+ ErrorExit("%s: -u needs an argument",ARGV0);
+ user=optarg;
+ break;
+ case 'g':
+ if(!optarg)
+ ErrorExit("%s: -g needs an argument",ARGV0);
+ group=optarg;
+ break;
+ case 'D':
+ if(!optarg)
+ ErrorExit("%s: -D needs an argument",ARGV0);
+ dir=optarg;
+ break;
+ case 'c':
+ if(!optarg)
+ ErrorExit("%s: -c needs an argument",ARGV0);
+ cfg = optarg;
+ break;
+ case 't':
+ test_config = 1;
+ break;
+ case 'm':
+ if(!optarg)
+ ErrorExit("%s: -%c needs an argument",ARGV0, c);
+ manager = optarg;
+ break;
+ case 'A':
+ if(!optarg)
+ ErrorExit("%s: -%c needs an argument",ARGV0, c);
+ agentname = optarg;
+ break;
+ case 'p':
+ if(!optarg)
+ ErrorExit("%s: -%c needs an argument",ARGV0, c);
+ port = atoi(optarg);
+ if(port <= 0 || port >= 65536)
+ {
+ ErrorExit("%s: Invalid port: %s", ARGV0, optarg);
+ }
+ break;
+ default:
+ report_help();
+ break;
+ }
+ }
+
+ /* Starting daemon */
+ debug1(STARTED_MSG,ARGV0);
+
+
+ #ifndef WIN32
+ /* Check if the user/group given are valid */
+ gid = Privsep_GetGroup(group);
+ if(gid < 0)
+ ErrorExit(USER_ERROR,ARGV0,user,group);
+
+
+
+ /* Privilege separation */
+ if(Privsep_SetGroup(gid) < 0)
+ ErrorExit(SETGID_ERROR,ARGV0,group);
+
+
+
+ /* Signal manipulation */
+ StartSIG(ARGV0);
+
+
+
+ /* Creating PID files */
+ if(CreatePID(ARGV0, getpid()) < 0)
+ ErrorExit(PID_ERROR,ARGV0);
+ #endif
+
+
+ /* Start up message */
+ verbose(STARTUP_MSG, ARGV0, (int)getpid());
+
+
+ if(agentname == NULL)
+ {
+ lhostname[512] = '\0';
+ if(gethostname(lhostname, 512 -1) != 0)
+ {
+ merror("%s: ERROR: Unable to extract hostname. Custom agent name not set.", ARGV0);
+ exit(1);
+ }
+ agentname = lhostname;
+ }
+
+
+
+ /* Starting SSL */
+ ctx = os_ssl_keys(1, NULL);
+ if(!ctx)
+ {
+ merror("%s: ERROR: SSL error. Exiting.", ARGV0);
+ exit(1);
+ }
+
+ if(!manager)
+ {
+ merror("%s: ERROR: Manager IP not set.", ARGV0);
+ exit(1);
+ }
+
+
+ /* Connecting via TCP */
+ sock = OS_ConnectTCP(port, manager, 0);
+ if(sock <= 0)
+ {
+ merror("%s: Unable to connect to %s:%d", ARGV0, manager, port);
+ exit(1);
+ }
+
+
+ /* Connecting the SSL socket */
+ ssl = SSL_new(ctx);
+ sbio = BIO_new_socket(sock, BIO_NOCLOSE);
+ SSL_set_bio(ssl, sbio, sbio);
+
+
+ ret = SSL_connect(ssl);
+ if(ret <= 0)
+ {
+ ERR_print_errors_fp(stderr);
+ merror("%s: ERROR: SSL error (%d). Exiting.", ARGV0, ret);
+ exit(1);
+ }
+
+
+ printf("INFO: Connected to %s:%d\n", manager, port);
+ printf("INFO: Using agent name as: %s\n", agentname);
+
+
+ snprintf(buf, 2048, "OSSEC A:'%s'\n", agentname);
+ ret = SSL_write(ssl, buf, strlen(buf));
+ if(ret < 0)
+ {
+ printf("SSL write error (unable to send message.)\n");
+ ERR_print_errors_fp(stderr);
+ exit(1);
+ }
+
+ printf("INFO: Send request to manager. Waiting for reply.\n");
+
+ while(1)
+ {
+ ret = SSL_read(ssl,buf,sizeof(buf) -1);
+ switch(SSL_get_error(ssl,ret))
+ {
+ case SSL_ERROR_NONE:
+ buf[ret] = '\0';
+ if(strncmp(buf, "ERROR", 5) == 0)
+ {
+ char *tmpstr;
+ tmpstr = strchr(buf, '\n');
+ if(tmpstr) *tmpstr = '\0';
+ printf("%s (from manager)\n", buf);
+ }
+ else if(strncmp(buf, "OSSEC K:'",9) == 0)
+ {
+ char *key;
+ char *tmpstr;
+ char **entry;
+ printf("INFO: Received response with agent key\n");
+
+ key = buf;
+ key += 9;
+ tmpstr = strchr(key, '\'');
+ if(!tmpstr)
+ {
+ printf("ERROR: Invalid key received. Closing connection.\n");
+ exit(1);
+ }
+ *tmpstr = '\0';
+ entry = OS_StrBreak(' ', key, 4);
+ if(!OS_IsValidID(entry[0]) || !OS_IsValidName(entry[1]) ||
+ !OS_IsValidName(entry[2]) || !OS_IsValidName(entry[3]))
+ {
+ printf("ERROR: Invalid key received (2). Closing connection.\n");
+ exit(1);
+ }
+
+ {
+ FILE *fp;
+ fp = fopen(KEYSFILE_PATH,"w");
+ if(!fp)
+ {
+ printf("ERROR: Unable to open key file: %s", KEYSFILE_PATH);
+ exit(1);
+ }
+ fprintf(fp, "%s\n", key);
+ fclose(fp);
+ }
+ printf("INFO: Valid key created. Finished.\n");
+ }
+ break;
+ case SSL_ERROR_ZERO_RETURN:
+ case SSL_ERROR_SYSCALL:
+ printf("INFO: Connection closed.\n");
+ exit(0);
+ break;
+ default:
+ printf("ERROR: SSL read (unable to receive message)\n");
+ exit(1);
+ break;
+ }
+
+ }
+
+
+
+ /* Shutdown the socket */
+ SSL_CTX_free(ctx);
+ close(sock);
+
+ exit(0);
+}
+
+#endif
+/* EOF */
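Review bot: The key in the `OSSEC K:'...'` reply is written to KEYSFILE_PATH on the strength of the TLS session alone, and nothing in this file enables peer verification (no `SSL_CTX_set_verify`, no `SSL_get_verify_result` after `SSL_connect`; if `os_ssl_keys()` in ssl.c does this it is not visible here), so anyone who can intercept the connection to the manager can hand the agent an arbitrary shared key. The file is also created by `fopen(KEYSFILE_PATH,"w")` under the inherited umask, so the secret can end up world-readable; add `umask(027);` before the fopen (or `fchmod(fileno(fp), 0640)` right after it) so it matches the restrictive mode the rest of OSSEC expects for its key file. `OS_StrBreak(' ', key, 4)` may yield fewer than four entries and its result is not checked for NULL before `entry[0]`..`entry[3]` go to the validators, so a short reply could dereference NULL unless OS_IsValidName tolerates it. Minor: `case 't'` sets test_config but `t` is absent from the getopt string, so it is dead, and the `SSL_CTX_free`/`close` after the `while(1)` loop are unreachable because every path leaves through exit().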
--- /dev/null
+/* @(#) $Id$ */
+
+/* Copyright (C) 2010 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ *
+ */
+
+
+#include "shared.h"
+#include "auth.h"
+
+/* TODO: Pulled this value out of the sky, may or may not be sane */
+int POOL_SIZE = 512;
+
+/* ossec-reportd - Runs manual reports. */
+void report_help()
+{
+}
+
+#ifndef USE_OPENSSL
+int main()
+{
+ printf("ERROR: Not compiled. Missing OpenSSL support.\n");
+ exit(0);
+}
+#else
+
+
+int main(int argc, char **argv)
+{
+ FILE *fp;
+ // Bucket to keep pids in.
+ int process_pool[POOL_SIZE];
+ // Count of pids we are wait()ing on.
+ int c = 0, test_config = 0, use_ip_address = 0, pid = 0, status, i = 0, active_processes = 0;
+ int gid = 0, client_sock = 0, sock = 0, port = 1515, ret = 0;
+ char *dir = DEFAULTDIR;
+ char *user = USER;
+ char *group = GROUPGLOBAL;
+ char *cfg = DEFAULTCPATH;
+ char buf[4096 +1];
+ SSL_CTX *ctx;
+ SSL *ssl;
+ char srcip[IPSIZE +1];
+ struct sockaddr_in _nc;
+ socklen_t _ncl;
+
+
+ /* Initializing some variables */
+ memset(srcip, '\0', IPSIZE + 1);
+ memset(process_pool, 0x0, POOL_SIZE);
+
+ bio_err = 0;
+
+
+ /* Setting the name */
+ OS_SetName(ARGV0);
+ /* add an option to use the ip on the socket to tie the name to a
+ specific address */
+ while((c = getopt(argc, argv, "Vdhiu:g:D:c:m:p:")) != -1)
+ {
+ switch(c){
+ case 'V':
+ print_version();
+ break;
+ case 'h':
+ report_help();
+ break;
+ case 'd':
+ nowDebug();
+ break;
+ case 'i':
+ use_ip_address = 1;
+ break;
+ case 'u':
+ if(!optarg)
+ ErrorExit("%s: -u needs an argument",ARGV0);
+ user = optarg;
+ break;
+ case 'g':
+ if(!optarg)
+ ErrorExit("%s: -g needs an argument",ARGV0);
+ group = optarg;
+ break;
+ case 'D':
+ if(!optarg)
+ ErrorExit("%s: -D needs an argument",ARGV0);
+ dir = optarg;
+ break;
+ case 'c':
+ if(!optarg)
+ ErrorExit("%s: -c needs an argument",ARGV0);
+ cfg = optarg;
+ break;
+ case 't':
+ test_config = 1;
+ break;
+ case 'p':
+ if(!optarg)
+ ErrorExit("%s: -%c needs an argument",ARGV0, c);
+ port = atoi(optarg);
+ if(port <= 0 || port >= 65536)
+ {
+ ErrorExit("%s: Invalid port: %s", ARGV0, optarg);
+ }
+ break;
+ default:
+ report_help();
+ break;
+ }
+
+ }
+
+ /* Starting daemon -- NB: need to double fork and setsid */
+ debug1(STARTED_MSG,ARGV0);
+
+ /* Check if the user/group given are valid */
+ gid = Privsep_GetGroup(group);
+ if(gid < 0)
+ ErrorExit(USER_ERROR,ARGV0,user,group);
+
+
+
+ /* Exit here if test config is set */
+ if(test_config)
+ exit(0);
+
+
+ /* Privilege separation */
+ if(Privsep_SetGroup(gid) < 0)
+ ErrorExit(SETGID_ERROR,ARGV0,group);
+
+
+ /* chrooting -- TODO: this isn't a chroot. Should also close
+ unneeded open file descriptors (like stdin/stdout)*/
+ chdir(dir);
+
+
+
+ /* Signal manipulation */
+ StartSIG(ARGV0);
+
+
+ /* Creating PID files */
+ if(CreatePID(ARGV0, getpid()) < 0)
+ ErrorExit(PID_ERROR,ARGV0);
+
+ /* Start up message */
+ verbose(STARTUP_MSG, ARGV0, (int)getpid());
+
+
+ fp = fopen(KEYSFILE_PATH,"a");
+ if(!fp)
+ {
+ merror("%s: ERROR: Unable to open %s (key file)", ARGV0, KEYSFILE_PATH);
+ exit(1);
+ }
+
+
+ /* Starting SSL */
+ ctx = os_ssl_keys(0, dir);
+ if(!ctx)
+ {
+ merror("%s: ERROR: SSL error. Exiting.", ARGV0);
+ exit(1);
+ }
+
+
+ /* Connecting via TCP */
+ sock = OS_Bindporttcp(port, NULL, 0);
+ if(sock <= 0)
+ {
+ merror("%s: Unable to bind to port %d", ARGV0, port);
+ exit(1);
+ }
+ fcntl(sock, F_SETFL, O_NONBLOCK);
+
+ debug1("%s: DEBUG: Going into listening mode.", ARGV0);
+ while(1)
+ {
+
+ // no need to completely pin the cpu
+ usleep(0);
+ for (i = 0; i < POOL_SIZE; i++)
+ {
+ int rv = 0;
+ status = 0;
+ if (process_pool[i])
+ {
+ rv = waitpid(process_pool[i], &status, WNOHANG);
+ if (rv != 0){
+ debug1("%s: DEBUG: Process %d exited", ARGV0, process_pool[i]);
+ process_pool[i] = 0;
+ active_processes = active_processes - 1;
+ }
+ }
+ }
+ memset(&_nc, 0, sizeof(_nc));
+ _ncl = sizeof(_nc);
+
+ if((client_sock = accept(sock, (struct sockaddr *) &_nc, &_ncl)) > 0){
+ if (active_processes >= POOL_SIZE)
+ {
+ merror("%s: Error: Max concurrency reached. Unable to fork", ARGV0);
+ break;
+ }
+ pid = fork();
+ if(pid)
+ {
+ active_processes = active_processes + 1;
+ close(client_sock);
+ for (i = 0; i < POOL_SIZE; i++)
+ {
+ if (! process_pool[i])
+ {
+ process_pool[i] = pid;
+ break;
+ }
+ }
+ }
+ else
+ {
+ strncpy(srcip, inet_ntoa(_nc.sin_addr),IPSIZE -1);
+ char *agentname = NULL;
+ ssl = SSL_new(ctx);
+ SSL_set_fd(ssl, client_sock);
+ ret = SSL_accept(ssl);
+ if(ret <= 0)
+ {
+ merror("%s: ERROR: SSL Accept error (%d)", ARGV0, ret);
+ ERR_print_errors_fp(stderr);
+ }
+
+ verbose("%s: INFO: New connection from %s", ARGV0, srcip);
+
+ ret = SSL_read(ssl, buf, sizeof(buf));
+ sleep(1);
+ if(ret > 0)
+ {
+ int parseok = 0;
+ if(strncmp(buf, "OSSEC A:'", 9) == 0)
+ {
+ char *tmpstr = buf;
+ agentname = tmpstr + 9;
+ tmpstr += 9;
+ while(*tmpstr != '\0')
+ {
+ if(*tmpstr == '\'')
+ {
+ *tmpstr = '\0';
+ verbose("%s: INFO: Received request for a new agent (%s) from: %s", ARGV0, agentname, srcip);
+ parseok = 1;
+ break;
+ }
+ tmpstr++;
+ }
+ }
+ if(parseok == 0)
+ {
+ merror("%s: ERROR: Invalid request for new agent from: %s", ARGV0, srcip);
+ }
+ else
+ {
+ int acount = 2;
+ char fname[2048 +1];
+ char response[2048 +1];
+ char *finalkey = NULL;
+ response[2048] = '\0';
+ fname[2048] = '\0';
+ if(!OS_IsValidName(agentname))
+ {
+ merror("%s: ERROR: Invalid agent name: %s from %s", ARGV0, agentname, srcip);
+ snprintf(response, 2048, "ERROR: Invalid agent name: %s\n\n", agentname);
+ ret = SSL_write(ssl, response, strlen(response));
+ snprintf(response, 2048, "ERROR: Unable to add agent.\n\n");
+ ret = SSL_write(ssl, response, strlen(response));
+ sleep(1);
+ exit(0);
+ }
+
+
+ /* Checking for a duplicated names. */
+ strncpy(fname, agentname, 2048);
+ while(NameExist(fname))
+ {
+ snprintf(fname, 2048, "%s%d", agentname, acount);
+ acount++;
+ if(acount > 256)
+ {
+ merror("%s: ERROR: Invalid agent name %s (duplicated)", ARGV0, agentname);
+ snprintf(response, 2048, "ERROR: Invalid agent name: %s\n\n", agentname);
+ ret = SSL_write(ssl, response, strlen(response));
+ snprintf(response, 2048, "ERROR: Unable to add agent.\n\n");
+ ret = SSL_write(ssl, response, strlen(response));
+ sleep(1);
+ exit(0);
+ }
+ }
+ agentname = fname;
+
+
+ /* Adding the new agent. */
+ if (use_ip_address)
+ {
+ finalkey = OS_AddNewAgent(agentname, srcip, NULL, NULL);
+ }
+ else
+ {
+ finalkey = OS_AddNewAgent(agentname, NULL, NULL, NULL);
+ }
+ if(!finalkey)
+ {
+ merror("%s: ERROR: Unable to add agent: %s (internal error)", ARGV0, agentname);
+ snprintf(response, 2048, "ERROR: Internal manager error adding agent: %s\n\n", agentname);
+ ret = SSL_write(ssl, response, strlen(response));
+ snprintf(response, 2048, "ERROR: Unable to add agent.\n\n");
+ ret = SSL_write(ssl, response, strlen(response));
+ sleep(1);
+ exit(0);
+ }
+
+
+ snprintf(response, 2048,"OSSEC K:'%s'\n\n", finalkey);
+ verbose("%s: INFO: Agent key generated for %s (requested by %s)", ARGV0, agentname, srcip);
+ ret = SSL_write(ssl, response, strlen(response));
+ if(ret < 0)
+ {
+ merror("%s: ERROR: SSL write error (%d)", ARGV0, ret);
+ merror("%s: ERROR: Agen key not saved for %s", ARGV0, agentname);
+ ERR_print_errors_fp(stderr);
+ }
+ else
+ {
+ verbose("%s: INFO: Agent key created for %s (requested by %s)", ARGV0, agentname, srcip);
+ }
+ }
+ }
+ else
+ {
+ merror("%s: ERROR: SSL read error (%d)", ARGV0, ret);
+ ERR_print_errors_fp(stderr);
+ }
+ SSL_CTX_free(ctx);
+ close(client_sock);
+ exit(0);
+ }
+ }
+ }
+
+
+ /* Shutdown the socket */
+ SSL_CTX_free(ctx);
+ close(sock);
+
+ exit(0);
+}
+
+
+#endif
+/* EOF */
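Review bot: The child's request buffer is never NUL-terminated: `ret = SSL_read(ssl, buf, sizeof(buf));` can fill all 4097 bytes of `buf`, yet the parser below it uses `strncmp(buf, "OSSEC A:'", 9)` and a `while(*tmpstr != '\0')` scan, so a peer that sends a full buffer without a `'\0'` drives the loop past the end of `buf`; read one byte less and terminate, `ret = SSL_read(ssl, buf, sizeof(buf) - 1); if(ret > 0) buf[ret] = '\0';`. The same child keeps going after a failed handshake — the `if(ret <= 0)` after `SSL_accept` only logs and prints errors, then falls through to `SSL_read` — and should `exit(1)` there instead. `memset(process_pool, 0x0, POOL_SIZE);` clears only POOL_SIZE bytes of an array of POOL_SIZE ints (a VLA, since `POOL_SIZE` is a non-const global), leaving most slots uninitialized before they are tested with `if (process_pool[i])`; use `memset(process_pool, 0, sizeof(int) * POOL_SIZE);`. The `break` under `if (active_processes >= POOL_SIZE)` leaves the `while(1)` accept loop rather than the `if`, so reaching the concurrency limit shuts the daemon down instead of refusing that one client; `close(client_sock); continue;` keeps it serving. A failed `fork()` returning -1 is also taken by `if(pid)` as the parent branch and stored in the pool, so the result should be checked for `< 0` before that test.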
--- /dev/null
+/*
+ *
+ * Copyright (C) 2011 Trend Micro Inc. All rights reserved.
+ *
+ * OSSEC HIDS is a free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License (version 2) as
+ * published by the FSF - Free Software Foundation.
+ *
+ * Note that this license applies to the source code, as well as
+ * decoders, rules and any other data file included with OSSEC (unless
+ * otherwise specified).
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * is provided AS IS, WITHOUT ANY WARRANTY; without even the implied
+ * warranty of MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, and
+ * NON-INFRINGEMENT. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ *
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/param.h>
+
+
+#include <sys/wait.h>
+#include <sys/select.h>
+#include <sys/utsname.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <fcntl.h>
+#include <dirent.h>
+#include <ctype.h>
+#include <signal.h>
+
+#include <netdb.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/bio.h>
+
+
+#define TEST "GET / HTTP/1.0\r\n\r\n\r\n"
+
+int main(int argc, char **argv)
+{
+ int c;
+ int sock = 0, port = 443, ret = 0;
+ char *host = NULL;
+ SSL_CTX *ctx;
+ SSL *ssl;
+ SSL_METHOD *sslmeth;
+ BIO *sbio;
+ BIO *bio_err = 0;
+ struct sockaddr_in addr;
+
+
+ while((c = getopt(argc, argv, "h:p:")) != -1)
+ {
+ switch(c){
+ case 'h':
+ host = optarg;
+ break;
+ case 'p':
+ port = atoi(optarg);
+ if(port <= 0 || port >= 65536)
+ {
+ exit(1);
+ }
+ break;
+ default:
+ exit(1);
+ break;
+ }
+ }
+
+ if(!bio_err)
+ {
+ SSL_library_init();
+ SSL_load_error_strings();
+ OpenSSL_add_all_algorithms();
+ bio_err = BIO_new_fp(stderr,BIO_NOCLOSE);
+ }
+
+ sslmeth = SSLv23_method();
+ ctx = SSL_CTX_new(sslmeth);
+ if(!ctx)
+ {
+ printf("CTX ERROR\n");
+ exit(1);
+ }
+
+ if(!host)
+ {
+ printf("ERROR - host not set.\n");
+ exit(1);
+ }
+
+ /* Connecting via TCP */
+ sock = socket(AF_INET,SOCK_STREAM, IPPROTO_TCP);
+ if(sock < 0)
+ {
+ printf("sock error\n");
+ exit(1);
+ }
+
+ memset(&addr,0,sizeof(addr));
+ addr.sin_addr.s_addr = inet_addr(host);
+ addr.sin_family=AF_INET;
+ addr.sin_port=htons(port);
+ if(connect(sock,(struct sockaddr *)&addr, sizeof(addr)) < 0)
+ {
+ printf("connect error\n");
+ exit(1);
+ }
+
+
+
+ /* Connecting the SSL socket */
+ ssl = SSL_new(ctx);
+ sbio = BIO_new_socket(sock, BIO_NOCLOSE);
+ SSL_set_bio(ssl, sbio, sbio);
+ ret = SSL_connect(ssl);
+ if(ret <= 0)
+ {
+ printf("SSL connect error\n");
+ ERR_print_errors_fp(stderr);
+ exit(1);
+ }
+
+ printf("Connected!\n");
+
+
+ ret=SSL_write(ssl,TEST, sizeof(TEST));
+ if(ret < 0)
+ {
+ printf("SSL write error\n");
+ ERR_print_errors_fp(stderr);
+ exit(1);
+ }
+
+ while(1)
+ {
+ char buf[2048];
+ ret = SSL_read(ssl,buf,sizeof(buf) -1);
+ printf("ret: %d\n", ret);
+ switch(SSL_get_error(ssl,ret))
+ {
+ case SSL_ERROR_NONE:
+ buf[ret] = '\0';
+ printf("no error: %s\n", buf);
+ break;
+ case SSL_ERROR_ZERO_RETURN:
+ printf("no returen\n");
+ exit(1);
+ break;
+ case SSL_ERROR_SYSCALL:
+ fprintf(stderr,
+ "SSL Error: Premature close\n");
+ exit(1);
+ break;
+ default:
+ printf("default error\n");
+ exit(1);
+ break;
+ }
+
+ }
+
+ exit(0);
+}
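Review bot: `ret=SSL_write(ssl,TEST, sizeof(TEST));` sends the string literal's terminating NUL as part of the request, because `sizeof` counts it; use `strlen(TEST)` or `sizeof(TEST) - 1`. `addr.sin_addr.s_addr = inet_addr(host);` is not checked for `INADDR_NONE`, so a malformed `-h` value is never reported as such and only surfaces as a connect failure. The context is created with `SSLv23_method()` and no verify mode, so this client does not validate the server certificate; if this is meant as a throwaway test tool, a one-line comment at the top saying so (and that it must not be used as a template for the agent side) would prevent that from being copied. The `"no returen\n"` message is misspelled.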
--- /dev/null
+/* @(#) $Id: ./src/os_auth/ssl.c, 2011/09/08 dcid Exp $
+ */
+
+/* Copyright (C) 2010 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ *
+ */
+
+
+#ifdef USE_OPENSSL
+
+#include "shared.h"
+#include "auth.h"
+
+
+void *os_ssl_keys(int isclient, char *dir)
+{
+ SSL_METHOD *sslmeth;
+ SSL_CTX *ctx;
+ char certf[1024 +1];
+ char keyf[1024 +1];
+
+ SSL_library_init();
+ SSL_load_error_strings();
+ OpenSSL_add_all_algorithms();
+ bio_err = BIO_new_fp(stderr,BIO_NOCLOSE);
+
+
+ /* Create our context */
+ sslmeth = (SSL_METHOD *)SSLv23_method();
+ ctx = SSL_CTX_new(sslmeth);
+
+ if(isclient)
+ {
+ debug1("%s: DEBUG: Returning CTX for client.", ARGV0);
+ return(ctx);
+ }
+
+ if(!dir)
+ {
+ return(NULL);
+ }
+
+
+ /* Setting final cert/key files */
+ certf[1024] = '\0';
+ keyf[1024] = '\0';
+ snprintf(certf, 1023, "%s%s", dir, CERTFILE);
+ snprintf(keyf, 1023, "%s%s", dir, KEYFILE);
+
+
+ if(File_DateofChange(certf) <= 0)
+ {
+ merror("%s: ERROR: Unable to read certificate file (not found): %s", ARGV0, certf);
+ return(NULL);
+ }
+
+ /* Load our keys and certificates*/
+ if(!(SSL_CTX_use_certificate_chain_file(ctx, certf)))
+ {
+ merror("%s: ERROR: Unable to read certificate file: %s", ARGV0, certf);
+ ERR_print_errors_fp(stderr);
+ return(NULL);
+ }
+
+ if(!(SSL_CTX_use_PrivateKey_file(ctx, keyf, SSL_FILETYPE_PEM)))
+ {
+ merror("%s: ERROR: Unable to read private key file: %s", ARGV0, keyf);
+ return(NULL);
+ }
+
+ if (!SSL_CTX_check_private_key(ctx))
+ {
+ merror("%s: ERROR: Unable to verify private key file", ARGV0);
+ return(NULL);
+ }
+
+
+ #if(OPENSSL_VERSION_NUMBER < 0x00905100L)
+ SSL_CTX_set_verify_depth(ctx,1);
+ #endif
+
+ return ctx;
+}
+
+
+#endif
+
+/* EOF */
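Review bot: `ctx = SSL_CTX_new(sslmeth);` is not checked for NULL before it is handed to `SSL_CTX_use_certificate_chain_file` and the other setup calls, and the `isclient` branch returns it unchecked; add `if(!ctx) { merror("%s: ERROR: Unable to create SSL context", ARGV0); ERR_print_errors_fp(stderr); return(NULL); }` directly after the call. Neither branch configures peer verification — there is no `SSL_CTX_set_verify` or `SSL_CTX_load_verify_locations` in this file — so, as far as this file shows, the server accepts any client and the client accepts any server; if that is the intended trust model for key distribution, a header comment on `os_ssl_keys` stating that the exchange protects only against passive observation would help the next maintainer, and otherwise the client context should verify the manager's certificate. `SSLv23_method()` without `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2)` still permits SSLv2 negotiation. The error returns after the context is created leak `ctx`; an `SSL_CTX_free(ctx)` before each `return(NULL)` keeps the function self-contained even though callers currently exit.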
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
typedef unsigned char uchar;
-int OS_BF_Str(char *input, char *output, char *charkey,
+int OS_BF_Str(char *input, char *output, char *charkey,
long size, short int action)
{
BF_KEY key;
#define OS_DECRYPT 0
-int OS_BF_Str(char * input, char *output, char *charkey,
+int OS_BF_Str(char * input, char *output, char *charkey,
long size, short int action);
#endif
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
0xc0ac29b7L, 0xc97c50ddL, 0x3f84d5b5L, 0xb5470917L,
0x9216d5d9L, 0x8979fb1b
},{
- 0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L,
- 0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L,
- 0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L,
- 0x636920d8L, 0x71574e69L, 0xa458fea3L, 0xf4933d7eL,
- 0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL,
- 0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L,
- 0xc5d1b023L, 0x286085f0L, 0xca417918L, 0xb8db38efL,
- 0x8e79dcb0L, 0x603a180eL, 0x6c9e0e8bL, 0xb01e8a3eL,
- 0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, 0x55605c60L,
- 0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L,
- 0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL,
- 0xa15486afL, 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL,
- 0x2ba9c55dL, 0x741831f6L, 0xce5c3e16L, 0x9b87931eL,
- 0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, 0x28958677L,
- 0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L,
- 0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L,
- 0xef845d5dL, 0xe98575b1L, 0xdc262302L, 0xeb651b88L,
- 0x23893e81L, 0xd396acc5L, 0x0f6d6ff3L, 0x83f44239L,
- 0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, 0x9e1f9b5eL,
- 0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L,
- 0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L,
- 0x6eef0b6cL, 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L,
- 0xa1f1651dL, 0x39af0176L, 0x66ca593eL, 0x82430e88L,
- 0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, 0x3b8b5ebeL,
- 0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L,
- 0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL,
- 0x37d0d724L, 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL,
- 0x075372c9L, 0x80991b7bL, 0x25d479d8L, 0xf6e8def7L,
- 0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, 0x04c006baL,
- 0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L,
- 0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL,
- 0x6dfc511fL, 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L,
- 0xbee3d004L, 0xde334afdL, 0x660f2807L, 0x192e4bb3L,
- 0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, 0xb9d3fbdbL,
- 0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L,
- 0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L,
- 0x3c7516dfL, 0xfd616b15L, 0x2f501ec8L, 0xad0552abL,
- 0x323db5faL, 0xfd238760L, 0x53317b48L, 0x3e00df82L,
- 0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, 0xdf1769dbL,
- 0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L,
- 0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L,
- 0x10fa3d98L, 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL,
- 0x9a53e479L, 0xb6f84565L, 0xd28e49bcL, 0x4bfb9790L,
- 0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, 0xcee4c6e8L,
- 0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L,
- 0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L,
- 0xd08ed1d0L, 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L,
- 0x8ff6e2fbL, 0xf2122b64L, 0x8888b812L, 0x900df01cL,
- 0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, 0xb3a8c1adL,
- 0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L,
- 0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L,
- 0xb4a84fe0L, 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L,
- 0x165fa266L, 0x80957705L, 0x93cc7314L, 0x211a1477L,
- 0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, 0xfb9d35cfL,
- 0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L,
- 0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL,
- 0x2464369bL, 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL,
- 0x78c14389L, 0xd95a537fL, 0x207d5ba2L, 0x02e5b9c5L,
- 0x83260376L, 0x6295cfa9L, 0x11c81968L, 0x4e734a41L,
- 0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L,
- 0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L,
- 0x08ba6fb5L, 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L,
- 0xb6636521L, 0xe7b9f9b6L, 0xff34052eL, 0xc5855664L,
- 0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, 0x6e85076aL,
- 0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L,
- 0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L,
- 0xecaa8c71L, 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L,
- 0x193602a5L, 0x75094c29L, 0xa0591340L, 0xe4183a3eL,
- 0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, 0x99f73fd6L,
- 0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L,
- 0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL,
- 0x09686b3fL, 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L,
- 0x687f3584L, 0x52a0e286L, 0xb79c5305L, 0xaa500737L,
- 0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, 0x5716f2b8L,
- 0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL,
- 0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL,
- 0xd19113f9L, 0x7ca92ff6L, 0x94324773L, 0x22f54701L,
- 0x3ae5e581L, 0x37c2dadcL, 0xc8b57634L, 0x9af3dda7L,
- 0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, 0xa4751e41L,
- 0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L,
- 0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL,
- 0x2cb81290L, 0x24977c79L, 0x5679b072L, 0xbcaf89afL,
- 0xde9a771fL, 0xd9930810L, 0xb38bae12L, 0xdccf3f2eL,
- 0x5512721fL, 0x2e6b7124L, 0x501adde6L, 0x9f84cd87L,
- 0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL,
- 0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L,
- 0xef1c1847L, 0x3215d908L, 0xdd433b37L, 0x24c2ba16L,
- 0x12a14d43L, 0x2a65c451L, 0x50940002L, 0x133ae4ddL,
- 0x71dff89eL, 0x10314e55L, 0x81ac77d6L, 0x5f11199bL,
- 0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L,
- 0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL,
- 0x86e34570L, 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L,
- 0x771fe71cL, 0x4e3d06faL, 0x2965dcb9L, 0x99e71d0fL,
- 0x803e89d6L, 0x5266c825L, 0x2e4cc978L, 0x9c10b36aL,
- 0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L,
- 0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L,
- 0x5223a708L, 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L,
- 0xe3bc4595L, 0xa67bc883L, 0xb17f37d1L, 0x018cff28L,
- 0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, 0x68ab9802L,
- 0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L,
- 0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L,
- 0x13cca830L, 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL,
- 0xb5735c90L, 0x4c70a239L, 0xd59e9e0bL, 0xcbaade14L,
- 0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, 0xb2f3846eL,
- 0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L,
- 0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L,
- 0x9b540b19L, 0x875fa099L, 0x95f7997eL, 0x623d7da8L,
- 0xf837889aL, 0x97e32d77L, 0x11ed935fL, 0x16681281L,
- 0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, 0x7858ba99L,
- 0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L,
- 0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L,
- 0x58ebf2efL, 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L,
- 0x5d4a14d9L, 0xe864b7e3L, 0x42105d14L, 0x203e13e0L,
- 0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, 0xfacb4fd0L,
- 0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L,
- 0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L,
- 0xcf62a1f2L, 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L,
- 0x7f1524c3L, 0x69cb7492L, 0x47848a0bL, 0x5692b285L,
- 0x095bbf00L, 0xad19489dL, 0x1462b174L, 0x23820e00L,
- 0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L,
- 0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL,
- 0x7cde3759L, 0xcbee7460L, 0x4085f2a7L, 0xce77326eL,
- 0xa6078084L, 0x19f8509eL, 0xe8efd855L, 0x61d99735L,
- 0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, 0x800bcadcL,
- 0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L,
- 0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L,
- 0xc5c43465L, 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L,
- 0x153e21e7L, 0x8fb03d4aL, 0xe6e39f2bL, 0xdb83adf7L,
- 0xe93d5a68L, 0x948140f7L, 0xf64c261cL, 0x94692934L,
- 0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L,
- 0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL,
- 0x1e39f62eL, 0x97244546L, 0x14214f74L, 0xbf8b8840L,
- 0x4d95fc1dL, 0x96b591afL, 0x70f4ddd3L, 0x66a02f45L,
- 0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, 0x31cb8504L,
- 0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL,
- 0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL,
- 0x68dc1462L, 0xd7486900L, 0x680ec0a4L, 0x27a18deeL,
- 0x4f3ffea2L, 0xe887ad8cL, 0xb58ce006L, 0x7af4d6b6L,
- 0xaace1e7cL, 0xd3375fecL, 0xce78a399L, 0x406b2a42L,
- 0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL,
- 0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L,
- 0x3a6efa74L, 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL,
- 0xfb0af54eL, 0xd8feb397L, 0x454056acL, 0xba489527L,
- 0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, 0xd096954bL,
- 0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L,
- 0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL,
- 0xfdf8e802L, 0x04272f70L, 0x80bb155cL, 0x05282ce3L,
- 0x95c11548L, 0xe4c66d22L, 0x48c1133fL, 0xc70f86dcL,
- 0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, 0x5d886e17L,
- 0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L,
- 0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL,
- 0x0e12b4c2L, 0x02e1329eL, 0xaf664fd1L, 0xcad18115L,
- 0x6b2395e0L, 0x333e92e1L, 0x3b240b62L, 0xeebeb922L,
- 0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, 0x2da2f728L,
- 0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L,
- 0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL,
- 0x0a476341L, 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L,
- 0xa812dc60L, 0xa1ebddf8L, 0x991be14cL, 0xdb6e6b0dL,
- 0xc67b5510L, 0x6d672c37L, 0x2765d43bL, 0xdcd0e804L,
- 0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL,
- 0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L,
- 0xbb132f88L, 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL,
- 0x37392eb3L, 0xcc115979L, 0x8026e297L, 0xf42e312dL,
- 0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, 0x782ef11cL,
- 0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L,
- 0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L,
- 0x44421659L, 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL,
- 0x64af674eL, 0xda86a85fL, 0xbebfe988L, 0x64e4c3feL,
- 0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, 0x6003604dL,
- 0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL,
- 0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL,
- 0x77a057beL, 0xbde8ae24L, 0x55464299L, 0xbf582e61L,
- 0x4e58f48fL, 0xf2ddfda2L, 0xf474ef38L, 0x8789bdc2L,
- 0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, 0x46fcd9b9L,
- 0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L,
- 0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL,
- 0xb90bace1L, 0xbb8205d0L, 0x11a86248L, 0x7574a99eL,
- 0xb77f19b6L, 0xe0a9dc09L, 0x662d09a1L, 0xc4324633L,
- 0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, 0x1d6efe10L,
- 0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L,
- 0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L,
- 0x50115e01L, 0xa70683faL, 0xa002b5c4L, 0x0de6d027L,
- 0x9af88c27L, 0x773f8641L, 0xc3604c06L, 0x61a806b5L,
- 0xf0177a28L, 0xc0f586e0L, 0x006058aaL, 0x30dc7d62L,
- 0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L,
- 0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L,
- 0x6f05e409L, 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L,
- 0x86e3725fL, 0x724d9db9L, 0x1ac15bb4L, 0xd39eb8fcL,
- 0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, 0x4dad0fc4L,
- 0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL,
- 0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L,
- 0xd79a3234L, 0x92638212L, 0x670efa8eL, 0x406000e0L,
- 0x3a39ce37L, 0xd3faf5cfL, 0xabc27737L, 0x5ac52d1bL,
- 0x5cb0679eL, 0x4fa33742L, 0xd3822740L, 0x99bc9bbeL,
- 0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL,
- 0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L,
- 0x5748ab2fL, 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L,
- 0x530ff8eeL, 0x468dde7dL, 0xd5730a1dL, 0x4cd04dc6L,
- 0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, 0xbe5ee304L,
- 0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L,
- 0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L,
- 0x83c061baL, 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L,
- 0x2826a2f9L, 0xa73a3ae1L, 0x4ba99586L, 0xef5562e9L,
- 0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, 0x77fa0a59L,
- 0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L,
- 0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L,
- 0x96d5ac3aL, 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L,
- 0x1f9f25cfL, 0xadf2b89bL, 0x5ad6b472L, 0x5a88f54cL,
- 0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, 0xed93fa9bL,
- 0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L,
- 0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL,
- 0x15056dd4L, 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL,
- 0xc3eb9e15L, 0x3c9057a2L, 0x97271aecL, 0xa93a072aL,
- 0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, 0x26dcf319L,
- 0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL,
- 0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL,
- 0x4de81751L, 0x3830dc8eL, 0x379d5862L, 0x9320f991L,
- 0xea7a90c2L, 0xfb3e7bceL, 0x5121ce64L, 0x774fbe32L,
- 0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, 0x6413e680L,
- 0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L,
- 0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL,
- 0x5bbef7ddL, 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL,
- 0xdda26a7eL, 0x3a59ff45L, 0x3e350a44L, 0xbcb4cdd5L,
- 0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, 0xbf3c6f47L,
- 0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L,
- 0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL,
- 0x4040cb08L, 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L,
- 0xe1b00428L, 0x95983a1dL, 0x06b89fb4L, 0xce6ea048L,
- 0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, 0x277227f8L,
- 0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL,
- 0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L,
- 0xe01cc87eL, 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L,
- 0x1a908749L, 0xd44fbd9aL, 0xd0dadecbL, 0xd50ada38L,
- 0x0339c32aL, 0xc6913667L, 0x8df9317cL, 0xe0b12b4fL,
- 0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL,
- 0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L,
- 0xfae59361L, 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L,
- 0xb6c1075eL, 0xe3056a0cL, 0x10d25065L, 0xcb03a442L,
- 0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, 0x3278e964L,
- 0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL,
- 0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L,
- 0xdf359f8dL, 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL,
- 0xe54cda54L, 0x1edad891L, 0xce6279cfL, 0xcd3e7e6fL,
- 0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, 0xf6fb2299L,
- 0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L,
- 0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL,
- 0xde966292L, 0x81b949d0L, 0x4c50901bL, 0x71c65614L,
- 0xe6c6c7bdL, 0x327a140aL, 0x45e1d006L, 0xc3f27b9aL,
- 0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, 0x35bdd2f6L,
- 0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL,
- 0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L,
- 0xba38209cL, 0xf746ce76L, 0x77afa1c5L, 0x20756060L,
- 0x85cbfe4eL, 0x8ae88dd8L, 0x7aaaf9b0L, 0x4cf9aa7eL,
- 0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, 0xd6ebe1f9L,
- 0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL,
- 0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L,
+ 0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L,
+ 0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L,
+ 0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L,
+ 0x636920d8L, 0x71574e69L, 0xa458fea3L, 0xf4933d7eL,
+ 0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL,
+ 0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L,
+ 0xc5d1b023L, 0x286085f0L, 0xca417918L, 0xb8db38efL,
+ 0x8e79dcb0L, 0x603a180eL, 0x6c9e0e8bL, 0xb01e8a3eL,
+ 0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, 0x55605c60L,
+ 0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L,
+ 0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL,
+ 0xa15486afL, 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL,
+ 0x2ba9c55dL, 0x741831f6L, 0xce5c3e16L, 0x9b87931eL,
+ 0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, 0x28958677L,
+ 0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L,
+ 0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L,
+ 0xef845d5dL, 0xe98575b1L, 0xdc262302L, 0xeb651b88L,
+ 0x23893e81L, 0xd396acc5L, 0x0f6d6ff3L, 0x83f44239L,
+ 0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, 0x9e1f9b5eL,
+ 0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L,
+ 0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L,
+ 0x6eef0b6cL, 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L,
+ 0xa1f1651dL, 0x39af0176L, 0x66ca593eL, 0x82430e88L,
+ 0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, 0x3b8b5ebeL,
+ 0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L,
+ 0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL,
+ 0x37d0d724L, 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL,
+ 0x075372c9L, 0x80991b7bL, 0x25d479d8L, 0xf6e8def7L,
+ 0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, 0x04c006baL,
+ 0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L,
+ 0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL,
+ 0x6dfc511fL, 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L,
+ 0xbee3d004L, 0xde334afdL, 0x660f2807L, 0x192e4bb3L,
+ 0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, 0xb9d3fbdbL,
+ 0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L,
+ 0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L,
+ 0x3c7516dfL, 0xfd616b15L, 0x2f501ec8L, 0xad0552abL,
+ 0x323db5faL, 0xfd238760L, 0x53317b48L, 0x3e00df82L,
+ 0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, 0xdf1769dbL,
+ 0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L,
+ 0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L,
+ 0x10fa3d98L, 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL,
+ 0x9a53e479L, 0xb6f84565L, 0xd28e49bcL, 0x4bfb9790L,
+ 0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, 0xcee4c6e8L,
+ 0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L,
+ 0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L,
+ 0xd08ed1d0L, 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L,
+ 0x8ff6e2fbL, 0xf2122b64L, 0x8888b812L, 0x900df01cL,
+ 0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, 0xb3a8c1adL,
+ 0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L,
+ 0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L,
+ 0xb4a84fe0L, 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L,
+ 0x165fa266L, 0x80957705L, 0x93cc7314L, 0x211a1477L,
+ 0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, 0xfb9d35cfL,
+ 0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L,
+ 0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL,
+ 0x2464369bL, 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL,
+ 0x78c14389L, 0xd95a537fL, 0x207d5ba2L, 0x02e5b9c5L,
+ 0x83260376L, 0x6295cfa9L, 0x11c81968L, 0x4e734a41L,
+ 0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L,
+ 0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L,
+ 0x08ba6fb5L, 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L,
+ 0xb6636521L, 0xe7b9f9b6L, 0xff34052eL, 0xc5855664L,
+ 0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, 0x6e85076aL,
+ 0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L,
+ 0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L,
+ 0xecaa8c71L, 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L,
+ 0x193602a5L, 0x75094c29L, 0xa0591340L, 0xe4183a3eL,
+ 0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, 0x99f73fd6L,
+ 0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L,
+ 0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL,
+ 0x09686b3fL, 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L,
+ 0x687f3584L, 0x52a0e286L, 0xb79c5305L, 0xaa500737L,
+ 0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, 0x5716f2b8L,
+ 0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL,
+ 0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL,
+ 0xd19113f9L, 0x7ca92ff6L, 0x94324773L, 0x22f54701L,
+ 0x3ae5e581L, 0x37c2dadcL, 0xc8b57634L, 0x9af3dda7L,
+ 0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, 0xa4751e41L,
+ 0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L,
+ 0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL,
+ 0x2cb81290L, 0x24977c79L, 0x5679b072L, 0xbcaf89afL,
+ 0xde9a771fL, 0xd9930810L, 0xb38bae12L, 0xdccf3f2eL,
+ 0x5512721fL, 0x2e6b7124L, 0x501adde6L, 0x9f84cd87L,
+ 0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL,
+ 0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L,
+ 0xef1c1847L, 0x3215d908L, 0xdd433b37L, 0x24c2ba16L,
+ 0x12a14d43L, 0x2a65c451L, 0x50940002L, 0x133ae4ddL,
+ 0x71dff89eL, 0x10314e55L, 0x81ac77d6L, 0x5f11199bL,
+ 0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L,
+ 0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL,
+ 0x86e34570L, 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L,
+ 0x771fe71cL, 0x4e3d06faL, 0x2965dcb9L, 0x99e71d0fL,
+ 0x803e89d6L, 0x5266c825L, 0x2e4cc978L, 0x9c10b36aL,
+ 0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L,
+ 0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L,
+ 0x5223a708L, 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L,
+ 0xe3bc4595L, 0xa67bc883L, 0xb17f37d1L, 0x018cff28L,
+ 0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, 0x68ab9802L,
+ 0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L,
+ 0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L,
+ 0x13cca830L, 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL,
+ 0xb5735c90L, 0x4c70a239L, 0xd59e9e0bL, 0xcbaade14L,
+ 0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, 0xb2f3846eL,
+ 0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L,
+ 0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L,
+ 0x9b540b19L, 0x875fa099L, 0x95f7997eL, 0x623d7da8L,
+ 0xf837889aL, 0x97e32d77L, 0x11ed935fL, 0x16681281L,
+ 0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, 0x7858ba99L,
+ 0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L,
+ 0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L,
+ 0x58ebf2efL, 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L,
+ 0x5d4a14d9L, 0xe864b7e3L, 0x42105d14L, 0x203e13e0L,
+ 0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, 0xfacb4fd0L,
+ 0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L,
+ 0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L,
+ 0xcf62a1f2L, 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L,
+ 0x7f1524c3L, 0x69cb7492L, 0x47848a0bL, 0x5692b285L,
+ 0x095bbf00L, 0xad19489dL, 0x1462b174L, 0x23820e00L,
+ 0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L,
+ 0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL,
+ 0x7cde3759L, 0xcbee7460L, 0x4085f2a7L, 0xce77326eL,
+ 0xa6078084L, 0x19f8509eL, 0xe8efd855L, 0x61d99735L,
+ 0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, 0x800bcadcL,
+ 0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L,
+ 0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L,
+ 0xc5c43465L, 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L,
+ 0x153e21e7L, 0x8fb03d4aL, 0xe6e39f2bL, 0xdb83adf7L,
+ 0xe93d5a68L, 0x948140f7L, 0xf64c261cL, 0x94692934L,
+ 0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L,
+ 0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL,
+ 0x1e39f62eL, 0x97244546L, 0x14214f74L, 0xbf8b8840L,
+ 0x4d95fc1dL, 0x96b591afL, 0x70f4ddd3L, 0x66a02f45L,
+ 0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, 0x31cb8504L,
+ 0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL,
+ 0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL,
+ 0x68dc1462L, 0xd7486900L, 0x680ec0a4L, 0x27a18deeL,
+ 0x4f3ffea2L, 0xe887ad8cL, 0xb58ce006L, 0x7af4d6b6L,
+ 0xaace1e7cL, 0xd3375fecL, 0xce78a399L, 0x406b2a42L,
+ 0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL,
+ 0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L,
+ 0x3a6efa74L, 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL,
+ 0xfb0af54eL, 0xd8feb397L, 0x454056acL, 0xba489527L,
+ 0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, 0xd096954bL,
+ 0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L,
+ 0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL,
+ 0xfdf8e802L, 0x04272f70L, 0x80bb155cL, 0x05282ce3L,
+ 0x95c11548L, 0xe4c66d22L, 0x48c1133fL, 0xc70f86dcL,
+ 0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, 0x5d886e17L,
+ 0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L,
+ 0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL,
+ 0x0e12b4c2L, 0x02e1329eL, 0xaf664fd1L, 0xcad18115L,
+ 0x6b2395e0L, 0x333e92e1L, 0x3b240b62L, 0xeebeb922L,
+ 0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, 0x2da2f728L,
+ 0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L,
+ 0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL,
+ 0x0a476341L, 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L,
+ 0xa812dc60L, 0xa1ebddf8L, 0x991be14cL, 0xdb6e6b0dL,
+ 0xc67b5510L, 0x6d672c37L, 0x2765d43bL, 0xdcd0e804L,
+ 0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL,
+ 0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L,
+ 0xbb132f88L, 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL,
+ 0x37392eb3L, 0xcc115979L, 0x8026e297L, 0xf42e312dL,
+ 0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, 0x782ef11cL,
+ 0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L,
+ 0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L,
+ 0x44421659L, 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL,
+ 0x64af674eL, 0xda86a85fL, 0xbebfe988L, 0x64e4c3feL,
+ 0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, 0x6003604dL,
+ 0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL,
+ 0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL,
+ 0x77a057beL, 0xbde8ae24L, 0x55464299L, 0xbf582e61L,
+ 0x4e58f48fL, 0xf2ddfda2L, 0xf474ef38L, 0x8789bdc2L,
+ 0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, 0x46fcd9b9L,
+ 0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L,
+ 0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL,
+ 0xb90bace1L, 0xbb8205d0L, 0x11a86248L, 0x7574a99eL,
+ 0xb77f19b6L, 0xe0a9dc09L, 0x662d09a1L, 0xc4324633L,
+ 0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, 0x1d6efe10L,
+ 0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L,
+ 0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L,
+ 0x50115e01L, 0xa70683faL, 0xa002b5c4L, 0x0de6d027L,
+ 0x9af88c27L, 0x773f8641L, 0xc3604c06L, 0x61a806b5L,
+ 0xf0177a28L, 0xc0f586e0L, 0x006058aaL, 0x30dc7d62L,
+ 0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L,
+ 0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L,
+ 0x6f05e409L, 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L,
+ 0x86e3725fL, 0x724d9db9L, 0x1ac15bb4L, 0xd39eb8fcL,
+ 0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, 0x4dad0fc4L,
+ 0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL,
+ 0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L,
+ 0xd79a3234L, 0x92638212L, 0x670efa8eL, 0x406000e0L,
+ 0x3a39ce37L, 0xd3faf5cfL, 0xabc27737L, 0x5ac52d1bL,
+ 0x5cb0679eL, 0x4fa33742L, 0xd3822740L, 0x99bc9bbeL,
+ 0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL,
+ 0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L,
+ 0x5748ab2fL, 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L,
+ 0x530ff8eeL, 0x468dde7dL, 0xd5730a1dL, 0x4cd04dc6L,
+ 0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, 0xbe5ee304L,
+ 0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L,
+ 0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L,
+ 0x83c061baL, 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L,
+ 0x2826a2f9L, 0xa73a3ae1L, 0x4ba99586L, 0xef5562e9L,
+ 0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, 0x77fa0a59L,
+ 0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L,
+ 0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L,
+ 0x96d5ac3aL, 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L,
+ 0x1f9f25cfL, 0xadf2b89bL, 0x5ad6b472L, 0x5a88f54cL,
+ 0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, 0xed93fa9bL,
+ 0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L,
+ 0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL,
+ 0x15056dd4L, 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL,
+ 0xc3eb9e15L, 0x3c9057a2L, 0x97271aecL, 0xa93a072aL,
+ 0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, 0x26dcf319L,
+ 0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL,
+ 0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL,
+ 0x4de81751L, 0x3830dc8eL, 0x379d5862L, 0x9320f991L,
+ 0xea7a90c2L, 0xfb3e7bceL, 0x5121ce64L, 0x774fbe32L,
+ 0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, 0x6413e680L,
+ 0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L,
+ 0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL,
+ 0x5bbef7ddL, 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL,
+ 0xdda26a7eL, 0x3a59ff45L, 0x3e350a44L, 0xbcb4cdd5L,
+ 0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, 0xbf3c6f47L,
+ 0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L,
+ 0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL,
+ 0x4040cb08L, 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L,
+ 0xe1b00428L, 0x95983a1dL, 0x06b89fb4L, 0xce6ea048L,
+ 0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, 0x277227f8L,
+ 0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL,
+ 0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L,
+ 0xe01cc87eL, 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L,
+ 0x1a908749L, 0xd44fbd9aL, 0xd0dadecbL, 0xd50ada38L,
+ 0x0339c32aL, 0xc6913667L, 0x8df9317cL, 0xe0b12b4fL,
+ 0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL,
+ 0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L,
+ 0xfae59361L, 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L,
+ 0xb6c1075eL, 0xe3056a0cL, 0x10d25065L, 0xcb03a442L,
+ 0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, 0x3278e964L,
+ 0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL,
+ 0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L,
+ 0xdf359f8dL, 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL,
+ 0xe54cda54L, 0x1edad891L, 0xce6279cfL, 0xcd3e7e6fL,
+ 0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, 0xf6fb2299L,
+ 0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L,
+ 0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL,
+ 0xde966292L, 0x81b949d0L, 0x4c50901bL, 0x71c65614L,
+ 0xe6c6c7bdL, 0x327a140aL, 0x45e1d006L, 0xc3f27b9aL,
+ 0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, 0x35bdd2f6L,
+ 0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL,
+ 0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L,
+ 0xba38209cL, 0xf746ce76L, 0x77afa1c5L, 0x20756060L,
+ 0x85cbfe4eL, 0x8ae88dd8L, 0x7aaaf9b0L, 0x4cf9aa7eL,
+ 0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, 0xd6ebe1f9L,
+ 0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL,
+ 0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L,
}
};
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
BF_LONG S[4*256];
} BF_KEY;
-
+
void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
void BF_encrypt(BF_LONG *data,const BF_KEY *key);
printf("%s: string key\n", argv[0]);
exit(1);
}
-
+
if((strlen(argv[1]) > 1020) || (strlen(argv[2]) > 512))
{
printf("%s: size err\n", argv[0]);
exit(1);
}
-
+
/* Encrypt */
OS_BF_Str(argv[1], output, argv[2], strlen(argv[1]), OS_ENCRYPT);
if(argc < 3)
usage(argv);
-
-
+
+
if(strcmp(argv[1],"file") == 0)
{
OS_MD5_File(argv[2], filesum);
}
-
+
else if(strcmp(argv[1],"str") == 0)
{
OS_MD5_Str(argv[2], filesum);
}
-
+
else
usage(argv);
-
+
printf("MD5Sum for \"%s\" is: %s\n",argv[2],filesum);
return(0);
}
#ifdef __BYTE_ORDER
#if __BYTE_ORDER == __BIG_ENDIAN
#define HIGHFIRST
-#endif /* BIG ENDIAN */
+#endif /* BIG ENDIAN */
#endif /* byte order */
}
/*
- * Final wrapup - pad to 64-byte boundary with the bit pattern
+ * Final wrapup - pad to 64-byte boundary with the bit pattern
* 1 0* (64-bit count of bits processed, MSB-first)
*/
void MD5Final(unsigned char digest[16], struct MD5Context *ctx)
unsigned char buf[1024 +1];
unsigned char digest[16];
int n;
-
+
memset(output,0, 33);
buf[1024] = '\0';
-
+
fp = fopen(fname,"r");
if(!fp)
{
return(-1);
}
-
+
MD5Init(&ctx);
while((n = fread(buf, 1, sizeof(buf) -1, fp)) > 0)
{
buf[n] = '\0';
MD5Update(&ctx,buf,n);
}
-
+
MD5Final(digest, &ctx);
-
+
for(n = 0;n < 16; n++)
{
snprintf(output, 3, "%02x", digest[n]);
/* Closing it */
fclose(fp);
-
+
return(0);
}
int OS_MD5_Str(char * str, char * output)
{
unsigned char digest[16];
-
+
int n;
-
+
MD5_CTX ctx;
MD5Init(&ctx);
-
+
MD5Update(&ctx,(unsigned char *)str,strlen(str));
-
+
MD5Final(digest, &ctx);
-
+
output[32] = '\0';
for(n = 0;n < 16;n++)
{
void usage(char **argv)
{
- printf("%s file str\n%s str string\n",argv[0],argv[0]);
+ printf("%s prefilter_cmd file str\n%s str string\n",argv[0],argv[0]);
exit(1);
}
os_md5 filesum1;
os_sha1 filesum2;
- if(argc < 3)
+ if(argc < 4)
usage(argv);
-
-
- if(strcmp(argv[1],"file") == 0)
+
+
+ if(strcmp(argv[2],"file") == 0)
{
- OS_MD5_SHA1_File(argv[2], filesum1, filesum2);
+ OS_MD5_SHA1_File(argv[3], argv[1], filesum1, filesum2);
}
-
+
else
usage(argv);
-
+
printf("MD5Sha1Sum for \"%s\" is: %s - %s\n",argv[2], filesum1, filesum2);
return(0);
}
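Review bot: The final printf still prints `argv[2]`, which after this change is the literal mode word `file`, so the summary line names the mode instead of the hashed file; it should read `printf("MD5Sha1Sum for \"%s\" is: %s - %s\n",argv[3], filesum1, filesum2);`. The return value of `OS_MD5_SHA1_File(argv[3], argv[1], filesum1, filesum2)` is also not checked, so when the file or the prefilter command cannot be opened the tool prints the cleared, empty digests and exits 0; testing for `!= 0` and exiting non-zero would make the failure visible to callers. The updated usage text in the preceding hunk additionally advertises a `str string` mode that this main rejects through `else usage(argv);`. main's opening lines are outside the hunk.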
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_crypto/md5_sha1/md5_sha1_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#include "../md5/md5.h"
#include "../sha1/sha.h"
+#include "headers/defs.h"
+
-
-int OS_MD5_SHA1_File(char * fname, char *md5output, char *sha1output)
+int OS_MD5_SHA1_File(char *fname, char *prefilter_cmd, char *md5output, char *sha1output)
{
int n;
FILE *fp;
unsigned char sha1_digest[SHA_DIGEST_LENGTH];
unsigned char md5_digest[16];
+ char cmd[OS_MAXSTR];
+
SHA_CTX sha1_ctx;
MD5_CTX md5_ctx;
-
+
/* Clearing the memory. */
md5output[0] = '\0';
sha1output[0] = '\0';
buf[2048 +1] = '\0';
- fp = fopen(fname,"r");
- if(!fp)
- return(-1);
-
+ /* Use prefilter_cmd if set */
+ if (prefilter_cmd == NULL) {
+ fp = fopen(fname,"r");
+ if(!fp)
+ return(-1);
+ } else {
+ strncpy(cmd, prefilter_cmd, sizeof(cmd) - 1);
+ strcat(cmd, " ");
+ strncat(cmd, fname, sizeof(cmd) - strlen(cmd) - 1);
+ fp = popen(cmd, "r");
+ if(!fp)
+ return(-1);
+ }
/* Initializing both hashes */
MD5Init(&md5_ctx);
/* Closing it */
- fclose(fp);
+ if (prefilter_cmd == NULL) {
+ fclose(fp);
+ } else {
+ pclose(fp);
+ }
return(0);
}
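Review bot: In the `else` branch, `strncpy(cmd, prefilter_cmd, sizeof(cmd) - 1)` does not NUL-terminate the uninitialised `cmd` when `prefilter_cmd` is `sizeof(cmd) - 1` bytes or longer, and the following `strcat`, `strlen` and `strncat` then read past the end of the array; `snprintf(cmd, sizeof(cmd), "%s %s", prefilter_cmd, fname)` with a check that the returned length is below `sizeof(cmd)` builds the command safely in one step. More importantly, `popen(cmd, "r")` hands `fname` to the shell unquoted, so a file name containing shell metacharacters is interpreted as part of the command rather than as a path; since these names come from the monitored filesystem, the prefilter path should avoid the shell (fork/exec the prefilter with `fname` as a separate argv element) or at least refuse names with characters outside a safe set. The return value of `pclose(fp)`, which carries the prefilter's exit status, is also discarded, so a failing prefilter yields a silently wrong digest pair instead of the `-1` the fopen failure path returns.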
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_crypto/md5_sha1/md5_sha1_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#define __MD5SHA1_OP_H
-int OS_MD5_SHA1_File(char *fname, char *md5output, char *sha1output);
+int OS_MD5_SHA1_File(char *fname, char *prefilter_cmd, char *md5output, char *sha1output);
#endif
if(argc < 2)
usage(argv);
-
-
+
+
if(OS_SHA1_File(argv[1], filesum) == 0)
{
printf("SHA1Sum for \"%s\" is: %s\n",argv[1],filesum);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_crypto/sha1/md32_common.h, 2011/09/08 dcid Exp $
+ */
/* Included on ossec */
/* crypto/md32_common.h */
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* *either* case. Now declaring 'em long excuses the compiler
* from keeping 32 MSBs zeroed resulting in 13% performance
* improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
- * Well, to be honest it should say that this *prevents*
+ * Well, to be honest it should say that this *prevents*
* performance degradation.
* <appro@fy.chalmers.se>
* Apparently there're LP64 compilers that generate better
#endif
-#endif /* _MD32_COMMON__H */
+#endif /* _MD32_COMMON__H */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_crypto/sha1/sha.h, 2011/09/08 dcid Exp $
+ */
/* Included on ossec */
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_crypto/sha1/sha1_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#include <string.h>
#include "sha1_op.h"
-/* Openssl sha1
+/* Openssl sha1
* Only use if open ssl is not available.
#ifndef USE_OPENSSL
#include "sha.h"
#include "sha_locl.h"
#else
-#include <openssl/sha.h>
+#include <openssl/sha.h>
#endif
*/
#include "sha_locl.h"
-
+
int OS_SHA1_File(char * fname, char * output)
{
SHA_CTX c;
unsigned char buf[2048 +2];
unsigned char md[SHA_DIGEST_LENGTH];
int n;
-
+
memset(output,0, 65);
buf[2049] = '\0';
-
+
fp = fopen(fname,"r");
if(!fp)
return(-1);
-
+
SHA1_Init(&c);
while((n = fread(buf, 1, 2048, fp)) > 0)
{
buf[n] = '\0';
SHA1_Update(&c,buf,(unsigned long)n);
}
-
+
SHA1_Final(&(md[0]),&c);
-
+
for (n=0; n<SHA_DIGEST_LENGTH; n++)
{
snprintf(output, 3, "%02x", md[n]);
output+=2;
}
-
+
/* Closing it */
fclose(fp);
-
+
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_crypto/sha1/sha1_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_crypto/sha1/sha_locl.h, 2011/09/08 dcid Exp $
+ */
/* Included on ossec */
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* I've just become aware of another tweak to be made, again from Wei Dai,
* in F_40_59, (x&a)|(y&a) -> (x|y)&a
*/
-#define F_00_19(b,c,d) ((((c) ^ (d)) & (b)) ^ (d))
+#define F_00_19(b,c,d) ((((c) ^ (d)) & (b)) ^ (d))
#define F_20_39(b,c,d) ((b) ^ (c) ^ (d))
-#define F_40_59(b,c,d) (((b) & (c)) | (((b)|(c)) & (d)))
+#define F_40_59(b,c,d) (((b) & (c)) | (((b)|(c)) & (d)))
#define F_60_79(b,c,d) F_20_39(b,c,d)
#ifndef OPENSSL_SMALL_FOOTPRINT
BODY_60_79(78,A,B,C,D,E,T,X(14),X( 0),X( 6),X(11));
BODY_60_79(79,T,A,B,C,D,E,X(15),X( 1),X( 7),X(12));
- c->h0=(c->h0+E)&0xffffffffL;
+ c->h0=(c->h0+E)&0xffffffffL;
c->h1=(c->h1+T)&0xffffffffL;
c->h2=(c->h2+A)&0xffffffffL;
c->h3=(c->h3+B)&0xffffffffL;
BODY_60_79(78,A,B,C,D,E,T,X(14),X( 0),X( 6),X(11));
BODY_60_79(79,T,A,B,C,D,E,X(15),X( 1),X( 7),X(12));
- c->h0=(c->h0+E)&0xffffffffL;
+ c->h0=(c->h0+E)&0xffffffffL;
c->h1=(c->h1+T)&0xffffffffL;
c->h2=(c->h2+A)&0xffffffffL;
c->h3=(c->h3+B)&0xffffffffL;
for (i=4;i<24;i++)
{ BODY_60_79(X[(i+8)&15],X[(i+10)&15],X[i&15], X[(i+5)&15]); }
- c->h0=(c->h0+A)&0xffffffffL;
+ c->h0=(c->h0+A)&0xffffffffL;
c->h1=(c->h1+B)&0xffffffffL;
c->h2=(c->h2+C)&0xffffffffL;
c->h3=(c->h3+D)&0xffffffffL;
for (i=4;i<24;i++)
{ BODY_60_79(X[(i+8)&15],X[(i+10)&15],X[i&15], X[(i+5)&15]); }
- c->h0=(c->h0+A)&0xffffffffL;
+ c->h0=(c->h0+A)&0xffffffffL;
c->h1=(c->h1+B)&0xffffffffL;
c->h2=(c->h2+C)&0xffffffffL;
c->h3=(c->h3+D)&0xffffffffL;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_crypto/shared/keys.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-/* __memclear: Clears keys entries.
+/* __memclear: Clears keys entries.
*/
void __memclear(char *id, char *name, char *ip, char *key, int size)
{
{
os_md5 filesum1;
os_md5 filesum2;
-
- char *tmp_str;
+
+ char *tmp_str;
char _finalstr[KEYSIZE];
-
+
/* Allocating for the whole structure */
keys->keyentries =(keyentry **)realloc(keys->keyentries,
ErrorExit(MEM_ERROR, __local_name);
}
os_calloc(1, sizeof(keyentry), keys->keyentries[keys->keysize]);
-
-
+
+
/* Setting configured values for id */
os_strdup(id, keys->keyentries[keys->keysize]->id);
- OSHash_Add(keys->keyhash_id,
- keys->keyentries[keys->keysize]->id,
+ OSHash_Add(keys->keyhash_id,
+ keys->keyentries[keys->keysize]->id,
keys->keyentries[keys->keysize]);
-
-
+
+
/* agent ip */
os_calloc(1, sizeof(os_ip), keys->keyentries[keys->keysize]->ip);
if(OS_IsValidIP(ip, keys->keyentries[keys->keysize]->ip) == 0)
{
ErrorExit(INVALID_IP, __local_name, ip);
}
-
+
/* We need to remove the "/" from the cidr */
if((tmp_str = strchr(keys->keyentries[keys->keysize]->ip->ip, '/')) != NULL)
{
*tmp_str = '\0';
}
- OSHash_Add(keys->keyhash_ip,
- keys->keyentries[keys->keysize]->ip->ip,
+ OSHash_Add(keys->keyhash_ip,
+ keys->keyentries[keys->keysize]->ip->ip,
keys->keyentries[keys->keysize]);
-
+
/* agent name */
os_strdup(name, keys->keyentries[keys->keysize]->name);
keys->keyentries[keys->keysize]->fp = NULL;
-
+
/** Generating final symmetric key **/
-
+
/* MD5 from name, id and key */
OS_MD5_Str(name, filesum1);
OS_MD5_Str(id, filesum2);
- /* Generating new filesum1 */
+ /* Generating new filesum1 */
snprintf(_finalstr, sizeof(_finalstr)-1, "%s%s", filesum1, filesum2);
/* Second md is just the key */
OS_MD5_Str(key, filesum2);
-
+
/* Generating final key */
memset(_finalstr,'\0', sizeof(_finalstr));
snprintf(_finalstr, 49, "%s%s", filesum2, filesum1);
/* ready for next */
keys->keysize++;
-
-
+
+
return;
}
-/* int OS_CheckKeys():
- * Checks if the authentication key file is present
+/* int OS_CheckKeys():
+ * Checks if the authentication key file is present
*/
int OS_CheckKeys()
{
void OS_ReadKeys(keystore *keys)
{
FILE *fp;
-
+
char buffer[OS_BUFFER_SIZE +1];
-
+
char name[KEYSIZE +1];
char ip[KEYSIZE +1];
char id[KEYSIZE +1];
char key[KEYSIZE +1];
-
-
+
+
/* Checking if the keys file is present and we can read it. */
if((keys->file_change = File_DateofChange(KEYS_FILE)) < 0)
{
{
char *tmp_str;
char *valid_str;
-
+
if((buffer[0] == '#') || (buffer[0] == ' '))
continue;
{
continue;
}
-
+
/* Getting name */
valid_str = tmp_str;
tmp_str = strchr(tmp_str, ' ');
tmp_str++;
strncpy(name, valid_str, KEYSIZE -1);
-
+
/* Getting ip address */
valid_str = tmp_str;
tmp_str = strchr(tmp_str, ' ');
tmp_str++;
strncpy(ip, valid_str, KEYSIZE -1);
-
+
/* Getting key */
valid_str = tmp_str;
tmp_str = strchr(tmp_str, '\n');
/* Clearing the memory */
- __memclear(id, name, ip, key, KEYSIZE +1);
-
+ __memclear(id, name, ip, key, KEYSIZE +1);
+
/* Checking for maximum agent size */
if(keys->keysize >= (MAX_AGENTS -2))
merror(AG_MAX_ERROR, __local_name, MAX_AGENTS -2);
ErrorExit(CONFIG_ERROR, __local_name, KEYS_FILE);
}
-
+
continue;
}
-
-
+
+
/* Closing key file. */
fclose(fp);
keys->keysize = 0;
keys->keyhash_id =NULL;
keys->keyhash_ip = NULL;
-
-
+
+
/* Sleeping to give time to other threads to stop using them. */
sleep(1);
-
-
+
+
/* Freeing the hashes */
OSHash_Free(hashid);
OSHash_Free(haship);
free(keys->keyentries[i]->ip->ip);
free(keys->keyentries[i]->ip);
}
-
- if(keys->keyentries[i]->id)
+
+ if(keys->keyentries[i]->id)
free(keys->keyentries[i]->id);
-
+
if(keys->keyentries[i]->key)
free(keys->keyentries[i]->key);
if(keys->keyentries[i]->name)
free(keys->keyentries[i]->name);
-
+
/* Closing counter */
if(keys->keyentries[i]->fp)
fclose(keys->keyentries[i]->fp);
keys->keyentries[i] = NULL;
}
}
-
+
/* Freeing structure */
free(keys->keyentries);
keys->keyentries = NULL;
{
merror(ENCFILE_CHANGED, __local_name);
debug1("%s: DEBUG: Freekeys", __local_name);
-
+
OS_FreeKeys(keys);
debug1("%s: DEBUG: OS_ReadKeys", __local_name);
-
+
/* Reading keys */
verbose(ENC_READ, __local_name);
-
+
OS_ReadKeys(keys);
debug1("%s: DEBUG: OS_StartCounter", __local_name);
-
+
OS_StartCounter(keys);
debug1("%s: DEBUG: OS_UpdateKeys completed", __local_name);
-
+
return(1);
}
return(0);
/* OS_IsAllowedIP()
- * Checks if an IP address is allowed to connect.
+ * Checks if an IP address is allowed to connect.
*/
int OS_IsAllowedIP(keystore *keys, char *srcip)
{
if(srcip == NULL)
return(-1);
-
+
entry = OSHash_Get(keys->keyhash_ip, srcip);
if(entry)
{
if(id == NULL)
return(-1);
-
+
entry = OSHash_Get(keys->keyhash_id, id);
if(entry)
{
int OS_IsAllowedDynamicID(keystore *keys, char *id, char *srcip)
{
keyentry *entry;
-
+
if(id == NULL)
return(-1);
-
+
entry = OSHash_Get(keys->keyhash_id, id);
if(entry)
{
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_crypto/shared/msgs.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
char rids_file[OS_FLSIZE +1];
rids_file[OS_FLSIZE] = '\0';
-
+
debug1("%s: OS_StartCounter: keysize: %d", __local_name, keys->keysize);
-
-
+
+
/* Starting receiving counter */
for(i = 0; i<=keys->keysize; i++)
{
if(!keys->keyentries[i]->fp)
{
int my_error = errno;
-
+
/* Just in case we run out of file descriptiors */
if((keys->keyentries[i -1]->fp) && (i > 10))
{
}
}
- merror("%s: Unable to open agent file. errno: %d",
+ merror("%s: Unable to open agent file. errno: %d",
__local_name, my_error);
ErrorExit(FOPEN_ERROR, __local_name, rids_file);
}
else
{
verbose("%s: INFO: No previous counter available for '%s'.",
- __local_name,
+ __local_name,
keys->keyentries[i]->name);
}
-
+
g_c = 0;
l_c = 0;
}
{
verbose("%s: INFO: Assigning counter for agent %s: '%d:%d'.",
__local_name, keys->keyentries[i]->name, g_c, l_c);
-
+
keys->keyentries[i]->global = g_c;
keys->keyentries[i]->local = l_c;
}
}
-/* CheckSum v0.1: 2005/02/15
+/* CheckSum v0.1: 2005/02/15
* Verify the checksum of the message.
* Returns NULL on error or the message on success.
*/
{
return(NULL);
}
-
+
return(msg);
}
/* ReadSecMSG v0.2: 2005/02/10 */
-char *ReadSecMSG(keystore *keys, char *buffer, char *cleartext,
+char *ReadSecMSG(keystore *keys, char *buffer, char *cleartext,
int id, int buffer_size)
{
int cmp_size;
- unsigned int msg_global;
- unsigned int msg_local;
+ unsigned int msg_global = 0;
+ unsigned int msg_local = 0;
char *f_msg;
-
-
+
+
if(*buffer == ':')
{
buffer++;
merror(ENCFORMAT_ERROR, __local_name, keys->keyentries[id]->ip->ip);
return(NULL);
}
-
+
/* Decrypting message */
- if(!OS_BF_Str(buffer, cleartext, keys->keyentries[id]->key,
- buffer_size, OS_DECRYPT))
+ if(!OS_BF_Str(buffer, cleartext, keys->keyentries[id]->key,
+ buffer_size, OS_DECRYPT))
{
merror(ENCKEY_ERROR, __local_name, keys->keyentries[id]->ip->ip);
return(NULL);
cleartext++;
buffer_size--;
}
-
+
/* Uncompressing */
cmp_size = os_uncompress(cleartext, buffer, buffer_size, OS_MAXSTR);
if(!cmp_size)
msg_local = atoi(f_msg);
f_msg+=5;
-
+
/* Returning the message if we don't need to verify the counbter. */
if(!_s_verify_counter)
{
if(rcv_count >= _s_recv_flush)
{
StoreCounter(keys, id, msg_global, msg_local);
- rcv_count = 0;
+ rcv_count = 0;
}
rcv_count++;
return(f_msg);
if((msg_global > keys->keyentries[id]->global)||
- ((msg_global == keys->keyentries[id]->global) &&
+ ((msg_global == keys->keyentries[id]->global) &&
(msg_local > keys->keyentries[id]->local)))
{
/* Updating currently counts */
}
/* Checking if it is a duplicated message */
- if((msg_count == keys->keyentries[id]->local) &&
+ if((msg_count == keys->keyentries[id]->local) &&
(msg_time == keys->keyentries[id]->global))
{
return(NULL);
merror(ENCTIME_ERROR, __local_name, keys->keyentries[id]->name);
return(NULL);
}
-
+
merror(ENCFORMAT_ERROR, __local_name, keys->keyentries[id]->ip->ip);
return(NULL);
}
int bfsize;
int msg_size;
int cmp_size;
-
+
u_int16_t rand1;
-
+
char _tmpmsg[OS_MAXSTR + 2];
char _finmsg[OS_MAXSTR + 2];
-
+
os_md5 md5sum;
-
+
msg_size = strlen(msg);
-
-
+
+
/* Checking for invalid msg sizes */
if((msg_size > (OS_MAXSTR - OS_HEADER_SIZE))||(msg_size < 1))
{
merror(ENCSIZE_ERROR, __local_name, msg);
return(0);
}
-
+
/* Random number */
rand1 = (u_int16_t)random();
_tmpmsg[OS_MAXSTR +1] = '\0';
_finmsg[OS_MAXSTR +1] = '\0';
msg_encrypted[OS_MAXSTR] = '\0';
-
+
/* Increasing local and global counters */
if(local_count >= 9997)
global_count++;
}
local_count++;
-
-
+
+
snprintf(_tmpmsg, OS_MAXSTR,"%05hu%010u:%04hu:%s",
rand1, global_count, local_count,
msg);
-
+
/* Generating md5sum of the unencrypted string */
OS_MD5_Str(_tmpmsg, md5sum);
-
+
/* Generating final msg to be compressed */
snprintf(_finmsg, OS_MAXSTR,"%s%s",md5sum,_tmpmsg);
msg_size = strlen(_finmsg);
/* Compressing message.
- * We assing the first 8 bytes for padding.
+ * We assing the first 8 bytes for padding.
*/
cmp_size = os_compress(_finmsg, _tmpmsg + 8, msg_size, OS_MAXSTR - 12);
if(!cmp_size)
return(0);
}
cmp_size++;
-
+
/* Padding the message (needs to be div by 8) */
bfsize = 8 - (cmp_size % 8);
if(bfsize == 8)
{
verbose("%s: INFO: Event count after '%u': %u->%u (%d%%)", __local_name,
evt_count,
- c_orig_size,
+ c_orig_size,
c_comp_size,
(c_comp_size * 100)/c_orig_size);
evt_count = 0;
c_comp_size = 0;
}
evt_count++;
-
+
/* If the ip is dynamic (not single host, append agent id
* to the message.
- */
+ */
if(!isSingleHost(keys->keyentries[id]->ip) && isAgent)
{
snprintf(msg_encrypted, 16, "!%s!:", keys->keyentries[id]->id);
* appended to the buffer. On dynamic ips, it will
* include the agent id.
*/
-
+
/* Encrypting everything */
- OS_BF_Str(_tmpmsg + (7 - bfsize), msg_encrypted + msg_size,
- keys->keyentries[id]->key,
- cmp_size,
+ OS_BF_Str(_tmpmsg + (7 - bfsize), msg_encrypted + msg_size,
+ keys->keyentries[id]->key,
+ cmp_size,
OS_ENCRYPT);
-
+
/* Storing before leaving */
StoreSenderCounter(keys, global_count, local_count);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_csyslogd/alert.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
#include "config/config.h"
#include "os_net/os_net.h"
-
-
-
-
/** int OS_Alert_SendSyslog
* Sends an alert via syslog.
* Returns 1 on success or 0 on error.
int OS_Alert_SendSyslog(alert_data *al_data, SyslogConfig *syslog_config)
{
char *tstamp;
- char user_msg[256];
- char srcip_msg[256];
-
- char syslog_msg[OS_SIZE_2048 +1];
+ char syslog_msg[OS_SIZE_2048];
+
+ /* These will be Malloc'd, so no need to predeclare size, just remember to free! */
+ char *json_safe_comment;
+ char *json_safe_message;
+ /* padding value */
+ int padding = 0;
/* Invalid socket. */
if(syslog_config->socket < 0)
{
return(0);
}
-
+
/* Clearing the memory before insert */
- memset(syslog_msg, '\0', OS_SIZE_2048 +1);
+ memset(syslog_msg, '\0', OS_SIZE_2048);
/* Looking if location is set */
}
- /* Fixing the timestamp to be syslog compatible.
+ /* Fixing the timestamp to be syslog compatible.
* We have 2008 Jul 10 10:11:23
* Should be: Jul 10 10:11:23
*/
{
tstamp+=5;
- /* Fixing first digit if the day is < 10 */
+ /* Fixing first digit if the day is < 10 */
if(tstamp[4] == '0')
tstamp[4] = ' ';
}
-
- /* Adding source ip. */
- if(!al_data->srcip ||
- ((al_data->srcip[0] == '(') &&
- (al_data->srcip[1] == 'n') &&
- (al_data->srcip[2] == 'o')))
- {
- srcip_msg[0] = '\0';
+
+ /* Remove the double quotes from "dangerous" fields */
+ if( (json_safe_comment = os_strip_char(al_data->comment, '"')) == NULL ) {
+ return(0);
}
- else
- {
- snprintf(srcip_msg, 255, " srcip: %s;", al_data->srcip);
+ if( (json_safe_message = os_strip_char(al_data->log[0], '"')) == NULL ) {
+ return(0);
}
-
- /* Adding username. */
- if(!al_data->user ||
- ((al_data->user[0] == '(') &&
- (al_data->user[1] == 'n') &&
- (al_data->user[2] == 'o')))
+ /* Inserting data */
+ if(syslog_config->format == DEFAULT_CSYSLOG)
{
- user_msg[0] = '\0';
+ /* Building syslog message. */
+ snprintf(syslog_msg, OS_SIZE_2048,
+ "<%d>%s %s ossec: Alert Level: %d; Rule: %d - %s; Location: %s;",
+ syslog_config->priority, tstamp, __shost,
+ al_data->level,
+ al_data->rule, al_data->comment,
+ al_data->location
+ );
+ field_add_string(syslog_msg, OS_SIZE_2048, " srcip: %s;", al_data->srcip );
+#ifdef GEOIP
+ field_add_string(syslog_msg, OS_SIZE_2048, " srccity: %s;", al_data->geoipdatasrc );
+ field_add_string(syslog_msg, OS_SIZE_2048, " dstcity: %s;", al_data->geoipdatadst );
+#endif
+ field_add_string(syslog_msg, OS_SIZE_2048, " dstip: %s;", al_data->dstip );
+ field_add_string(syslog_msg, OS_SIZE_2048, " user: %s;", al_data->user );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Previous MD5: %s;", al_data->old_md5 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Current MD5: %s;", al_data->new_md5 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Previous SHA1: %s;", al_data->old_sha1 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Current SHA1: %s;", al_data->new_sha1 );
+ field_add_truncated(syslog_msg, OS_SIZE_2048, " %s", al_data->log[0], 2 );
}
- else
+ else if(syslog_config->format == CEF_CSYSLOG)
{
- snprintf(user_msg, 255, " user: %s;", al_data->user);
+ snprintf(syslog_msg, OS_SIZE_2048,
+
+ "<%d>%s CEF:0|%s|%s|%s|%d|%s|%d|dvc=%s cs2=%s cs2Label=Location",
+ syslog_config->priority,
+ tstamp,
+ __author,
+ __name,
+ __version,
+ al_data->rule,
+ al_data->comment,
+ (al_data->level > 10) ? 10 : al_data->level,
+ __shost, al_data->location);
+
+ field_add_string(syslog_msg, OS_SIZE_2048, " src=%s", al_data->srcip );
+#ifdef GEOIP
+ field_add_string(syslog_msg, OS_SIZE_2048, " cs3Label=SrcCity cs3=%s", al_data->geoipdatasrc );
+ field_add_string(syslog_msg, OS_SIZE_2048, " cs4Label=DstCity cs4=%s", al_data->geoipdatadst );
+#endif
+ field_add_string(syslog_msg, OS_SIZE_2048, " suser=%s", al_data->user );
+ field_add_string(syslog_msg, OS_SIZE_2048, " dst=%s", al_data->dstip );
+ field_add_truncated(syslog_msg, OS_SIZE_2048, " msg=%s", al_data->log[0], 2 );
+ if (al_data->new_md5 && al_data->new_sha1) {
+ field_add_string(syslog_msg, OS_SIZE_2048, " Previous MD5: %s", al_data->old_md5 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Current MD5: %s", al_data->new_md5 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Previous SHA1: %s", al_data->old_sha1 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Current SHA1: %s", al_data->new_sha1 );
+ }
}
+ else if(syslog_config->format == JSON_CSYSLOG)
+ {
+ // Padding is two to make sure we can fit closign bracket
+ padding = 2;
+ /* Build a JSON Object for logging */
+ snprintf(syslog_msg, OS_SIZE_2048 - padding,
+ "<%d>%s %s ossec: { \"crit\": %d, \"id\": %d, \"description\": \"%s\", \"component\": \"%s\",",
+ /* syslog header */
+ syslog_config->priority, tstamp, __shost,
- /* Inserting data */
- if(syslog_config->format == DEFAULT_CSYSLOG)
+ /* OSSEC metadata */
+ al_data->level, al_data->rule, json_safe_comment,
+ al_data->location
+ );
+ /* Event specifics */
+ field_add_string(syslog_msg, OS_SIZE_2048 - padding, " \"classification\": \"%s\",", al_data->group );
+
+ if( field_add_string(syslog_msg, OS_SIZE_2048 - padding, " \"src_ip\": \"%s\",", al_data->srcip ) > 0 )
+ field_add_int(syslog_msg, OS_SIZE_2048 - padding, " \"src_port\": %d,", al_data->srcport );
+
+#ifdef GEOIP
+ field_add_string(syslog_msg, OS_SIZE_2048 - padding, " \"src_city\": \"%s\",", al_data->geoipdatasrc );
+ field_add_string(syslog_msg, OS_SIZE_2048 - padding, " \"dst_city\": \"%s\",", al_data->geoipdatadst );
+#endif
+
+ if ( field_add_string(syslog_msg, OS_SIZE_2048 - padding, " \"dst_ip\": \"%s\",", al_data->dstip ) > 0 )
+ field_add_int(syslog_msg, OS_SIZE_2048 - padding, " \"dst_port\": %d,", al_data->dstport );
+
+ field_add_string(syslog_msg, OS_SIZE_2048 - padding, " \"file\": \"%s\",", al_data->filename );
+ field_add_string(syslog_msg, OS_SIZE_2048 - padding, " \"acct\": \"%s\",", al_data->user );
+ field_add_string(syslog_msg, OS_SIZE_2048 - padding, " \"md5_old\": \"%s\",", al_data->old_md5 );
+ field_add_string(syslog_msg, OS_SIZE_2048 - padding, " \"md5_new\": \"%s\",", al_data->new_md5 );
+ field_add_string(syslog_msg, OS_SIZE_2048 - padding, " \"sha1_old\": \"%s\",", al_data->old_sha1 );
+ field_add_string(syslog_msg, OS_SIZE_2048 - padding, " \"sha1_new\": \"%s\",", al_data->new_sha1 );
+ /* Message */
+ field_add_truncated(syslog_msg, OS_SIZE_2048 - padding, " \"message\": \"%s\"", json_safe_message, 2 );
+ /* Closing brace */
+ field_add_string(syslog_msg, OS_SIZE_2048, " }", "" );
+ }
+ else if(syslog_config->format == SPLUNK_CSYSLOG)
{
- /* Building syslog message. */
+ /* Build a Splunk Style Key/Value string for logging */
snprintf(syslog_msg, OS_SIZE_2048,
- "<%d>%s %s ossec: Alert Level: %d; Rule: %d - %s; "
- "Location: %s;%s%s %s",
+ "<%d>%s %s ossec: crit=%d id=%d description=\"%s\" component=\"%s\",",
+
+ /* syslog header */
syslog_config->priority, tstamp, __shost,
- al_data->level, al_data->rule, al_data->comment,
- al_data->location,
- /* Source ip. */
- srcip_msg,
- user_msg,
- al_data->log[0]);
+ /* OSSEC metadata */
+ al_data->level, al_data->rule, json_safe_comment,
+ al_data->location
+ );
+ /* Event specifics */
+ field_add_string(syslog_msg, OS_SIZE_2048, " classification=\"%s\",", al_data->group );
+
+ if( field_add_string(syslog_msg, OS_SIZE_2048, " src_ip=\"%s\",", al_data->srcip ) > 0 )
+ field_add_int(syslog_msg, OS_SIZE_2048, " src_port=%d,", al_data->srcport );
+
+#ifdef GEOIP
+ field_add_string(syslog_msg, OS_SIZE_2048, " src_city=\"%s\",", al_data->geoipdatasrc );
+ field_add_string(syslog_msg, OS_SIZE_2048, " dst_city=\"%s\",", al_data->geoipdatadst );
+#endif
+
+ if( field_add_string(syslog_msg, OS_SIZE_2048, " dst_ip=\"%s\",", al_data->dstip ) > 0 )
+ field_add_int(syslog_msg, OS_SIZE_2048, " dst_port=%d,", al_data->dstport );
+
+ field_add_string(syslog_msg, OS_SIZE_2048, " file=\"%s\",", al_data->filename );
+ field_add_string(syslog_msg, OS_SIZE_2048, " acct=\"%s\",", al_data->user );
+ field_add_string(syslog_msg, OS_SIZE_2048, " md5_old=\"%s\",", al_data->old_md5 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " md5_new=\"%s\",", al_data->new_md5 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " sha1_old=\"%s\",", al_data->old_sha1 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " sha1_new=\"%s\",", al_data->new_sha1 );
+ /* Message */
+ field_add_truncated(syslog_msg, OS_SIZE_2048, " message=\"%s\"", json_safe_message, 2 );
}
OS_SendUDPbySize(syslog_config->socket, strlen(syslog_msg), syslog_msg);
-
+ /* Free the malloc'd variables */
+ free(json_safe_comment);
+ free(json_safe_message);
+
return(1);
}
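Review bot: The second early return, `if( (json_safe_message = os_strip_char(al_data->log[0], '"')) == NULL ) { return(0); }`, leaks `json_safe_comment`, which the preceding os_strip_char call has just allocated; add `free(json_safe_comment);` before that `return(0);`. The JSON and Splunk branches also only strip double quotes from comment and message, while backslashes and control characters in them, and every other quoted field (`al_data->group`, `al_data->location`, `al_data->filename`, `al_data->user`, `al_data->srcip`), are emitted unescaped; because these values are derived from collected log content, a downstream JSON or key/value parser can receive a malformed or mis-structured record. An escaping helper applied to every string value (backslash, double quote and bytes below 0x20) would make the output reliably parseable and would make os_strip_char unnecessary. Whether the closing brace always fits after `field_add_truncated(..., OS_SIZE_2048 - padding, ...)` depends on field_add_truncated, which is outside this hunk, so I cannot confirm the `padding = 2` reservation is honoured there.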
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_csyslogd/config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
#include "config/config.h"
-/** void *OS_SyslogConf(int test_config, char *cfgfile,
+/** void *OS_SyslogConf(int test_config, char *cfgfile,
SyslogConfig **syslog_config)
* Reads configuration.
*/
-void *OS_ReadSyslogConf(int test_config, char *cfgfile,
+void *OS_ReadSyslogConf(int test_config, char *cfgfile,
SyslogConfig **syslog_config)
{
int modules = 0;
modules|= CSYSLOGD;
gen_config.data = syslog_config;
-
+
/* Reading configuration */
if(ReadConfig(modules, cfgfile, &gen_config, NULL) < 0)
{
ErrorExit(CONFIG_ERROR, ARGV0, cfgfile);
return(NULL);
- }
+ }
+
-
syslog_config = gen_config.data;
return(syslog_config);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_csyslogd/csyslogd.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
+/* strnlen is a GNU extension */
+#ifdef __linux__
+ #define _GNU_SOURCE
+ #include <string.h>
+#endif
#include "csyslogd.h"
#include "os_net/os_net.h"
void OS_CSyslogD(SyslogConfig **syslog_config)
{
int s = 0;
- time_t tm;
- struct tm *p;
+ time_t tm;
+ struct tm *p;
+ int tries = 0;
file_queue *fileq;
alert_data *al_data;
/* Getting currently time before starting */
tm = time(NULL);
- p = localtime(&tm);
+ p = localtime(&tm);
/* Initating file queue - to read the alerts */
os_calloc(1, sizeof(file_queue), fileq);
- Init_FileQueue(fileq, p, 0);
+ while( (Init_FileQueue(fileq, p, 0) ) < 0 ) {
+ tries++;
+ if( tries > OS_CSYSLOGD_MAX_TRIES ) {
+ merror("%s: ERROR: Could not open queue after %d tries, exiting!",
+ ARGV0, tries
+ );
+ exit(1);
+ }
+ sleep(1);
+ }
+ merror("%s: INFO: File queue connected.", ARGV0 );
/* Connecting to syslog. */
while(syslog_config[s])
{
syslog_config[s]->socket = OS_ConnectUDP(syslog_config[s]->port,
- syslog_config[s]->server);
+ syslog_config[s]->server, 0);
if(syslog_config[s]->socket < 0)
{
merror(CONNS_ERROR, ARGV0, syslog_config[s]->server);
}
else
{
- merror("%s: INFO: Forwarding alerts via syslog to: '%s:%d'.",
- ARGV0, syslog_config[s]->server, syslog_config[s]->port);
+ merror("%s: INFO: Forwarding alerts via syslog to: '%s:%d'.",
+ ARGV0, syslog_config[s]->server, syslog_config[s]->port);
}
s++;
}
-
+
/* Infinite loop reading the alerts and inserting them. */
while(1)
{
}
}
+/* Format Field for output */
+int field_add_string(char *dest, int size, const char *format, const char *value ) {
+ char buffer[OS_SIZE_2048];
+ int len = 0;
+ int dest_sz = size - strnlen(dest, OS_SIZE_2048);
+
+ if(dest_sz <= 0 ) {
+ // Not enough room in the buffer
+ return -1;
+ }
+
+ if(value != NULL &&
+ (
+ ((value[0] != '(') && (value[1] != 'n') && (value[2] != 'o')) ||
+ ((value[0] != '(') && (value[1] != 'u') && (value[2] != 'n')) ||
+ ((value[0] != 'u') && (value[1] != 'n') && (value[4] != 'k'))
+ )
+ ) {
+ len = snprintf(buffer, sizeof(buffer) - dest_sz - 1, format, value);
+ strncat(dest, buffer, dest_sz);
+ }
+
+ return len;
+}
+
+/* Add a field, but truncate if too long */
+int field_add_truncated(char *dest, int size, const char *format, const char *value, int fmt_size ) {
+ char buffer[OS_SIZE_2048];
+
+ int available_sz = size - strnlen(dest, OS_SIZE_2048);
+ int total_sz = strlen(value) + strlen(format) - fmt_size;
+ int field_sz = available_sz - strlen(format) + fmt_size;
+
+ int len = 0;
+ char trailer[] = "...";
+ char *truncated;
+
+ if(available_sz <= 0 ) {
+ // Not enough room in the buffer
+ return -1;
+ }
+
+ if(value != NULL &&
+ (
+ ((value[0] != '(') && (value[1] != 'n') && (value[2] != 'o')) ||
+ ((value[0] != '(') && (value[1] != 'u') && (value[2] != 'n')) ||
+ ((value[0] != 'u') && (value[1] != 'n') && (value[4] != 'k'))
+ )
+ ) {
+
+ if( (truncated=malloc(field_sz + 1)) != NULL ) {
+ if( total_sz > available_sz ) {
+ // Truncate and add a trailer
+ os_substr(truncated, value, 0, field_sz - strlen(trailer));
+ strcat(truncated, trailer);
+ }
+ else {
+ strncpy(truncated,value,field_sz);
+ }
+
+ len = snprintf(buffer, available_sz, format, truncated);
+ strncat(dest, buffer, available_sz);
+ }
+ else {
+ // Memory Error
+ len = -3;
+ }
+ }
+ // Free the temporary pointer
+ free(truncated);
+
+ return len;
+}
+
+/* Handle integers in the second position */
+int field_add_int(char *dest, int size, const char *format, const int value ) {
+ char buffer[255];
+ int len = 0;
+ int dest_sz = size - strnlen(dest, OS_SIZE_2048);
+
+ if(dest_sz <= 0 ) {
+ // Not enough room in the buffer
+ return -1;
+ }
+
+ if( value > 0 ) {
+ len = snprintf(buffer, sizeof(buffer), format, value);
+ strncat(dest, buffer, dest_sz);
+ }
+
+ return len;
+}
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_csyslogd/csyslogd.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#include "config/csyslogd-config.h"
+#define OS_CSYSLOGD_MAX_TRIES 10
/** Prototypes **/
/* Database inserting main function */
void OS_CSyslogD(SyslogConfig **syslog_config);
+/* Conditional Field Formatting */
+int field_add_int(char *dest, int size, const char *format, const int value );
+int field_add_string(char *dest, int size, const char *format, const char *value );
+int field_add_truncated(char *dest, int size, const char *format, const char *value, int fmt_size );
/** Global vars **/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_csyslogd/main.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* Setting the name */
OS_SetName(ARGV0);
-
+
while((c = getopt(argc, argv, "vVdhtfu:g:D:c:")) != -1){
switch(c){
break;
case 'v':
print_version();
- break;
+ break;
case 'h':
help(ARGV0);
break;
if(!optarg)
ErrorExit("%s: -D needs an argument",ARGV0);
dir=optarg;
+ break;
case 'c':
if(!optarg)
ErrorExit("%s: -c needs an argument",ARGV0);
cfg = optarg;
break;
case 't':
- test_config = 1;
+ test_config = 1;
break;
default:
help(ARGV0);
if(ltmp)
*ltmp = '\0';
}
-
+
/* Exit here if test config is set */
if(test_config)
exit(0);
-
-
- if (!run_foreground)
+
+
+ if (!run_foreground)
{
/* Going on daemon mode */
nowDaemon();
}
-
+
/* Not configured */
if(!syslog_config || !syslog_config[0])
{
exit(0);
}
-
+
/* Privilege separation */
if(Privsep_SetGroup(gid) < 0)
ErrorExit(SETGID_ERROR,ARGV0,group);
-
+
/* chrooting */
if(Privsep_Chroot(dir) < 0)
ErrorExit(CHROOT_ERROR,ARGV0,dir);
nowChroot();
-
- /* Changing user */
+
+ /* Changing user */
if(Privsep_SetUser(uid) < 0)
ErrorExit(SETUID_ERROR,ARGV0,user);
/* Signal manipulation */
StartSIG(ARGV0);
-
+
/* Creating PID files */
if(CreatePID(ARGV0, getpid()) < 0)
ErrorExit(PID_ERROR, ARGV0);
-
+
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
-
+
/* the real daemon now */
OS_CSyslogD(syslog_config);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_dbd/alert.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
int __DBInsertLocation(char *location, DBConfig *db_config)
{
char sql_query[OS_SIZE_1024];
-
+
memset(sql_query, '\0', OS_SIZE_1024);
/* Generating SQL */
{
int i;
unsigned int s_ip = 0, d_ip = 0, location_id = 0;
+ unsigned short s_port = 0, d_port = 0;
int *loc_id;
char sql_query[OS_SIZE_8192 +1];
char *fulllog = NULL;
/* Clearing the memory before insert */
sql_query[0] = '\0';
sql_query[OS_SIZE_8192] = '\0';
-
+
/* Converting srcip to int */
if(al_data->srcip)
s_ip = net.s_addr;
}
}
- d_ip = 0;
+
+ /* Converting dstip to int */
+ if(al_data->dstip)
+ {
+ struct in_addr net;
+
+ /* Extracting ip address */
+ if(inet_aton(al_data->dstip, &net))
+ {
+ d_ip = net.s_addr;
+ }
+ }
+
+ /* Source Port */
+ s_port = al_data->srcport;
+
+ /* Destination Port */
+ d_port = al_data->dstport;
/* Escaping strings */
/* We first need to insert the location */
loc_id = OSHash_Get(db_config->location_hash, al_data->location);
-
-
+
+
/* If we dont have location id, we must select and/or insert in the db */
if(!loc_id)
{
if(!location_id)
{
- merror("%s: Unable to insert location: '%s'.",
+ merror("%s: Unable to insert location: '%s'.",
ARGV0, al_data->location);
return(0);
}
*loc_id = location_id;
OSHash_Add(db_config->location_hash, al_data->location, loc_id);
}
-
+
i = 0;
while(al_data->log[i])
{
- fulllog = os_LoadString(fulllog, al_data->log[i]);
+ long len = strlen(al_data->log[i]);
+ char templog[len+2];
+ if (al_data->log[i+1]) {
+ snprintf(templog, len, "%s\n", al_data->log[i]);
+ }
+ else {
+ snprintf(templog, len, "%s", al_data->log[i]);
+ }
+ fulllog = os_LoadString(fulllog, templog);
+// fulllog = os_LoadString(fulllog, al_data->log[i]);
i++;
}
osdb_escapestr(fulllog);
+ if(strlen(fulllog) > 7456)
+ {
+ fulllog[7454] = '.';
+ fulllog[7455] = '.';
+ fulllog[7456] = '\0';
+ }
/* Inserting data */
"INSERT INTO "
"data(id, server_id, \"user\", full_log) "
"VALUES ('%u', '%u', '%s', '%s') ",
- db_config->alert_id, db_config->server_id,
+ db_config->alert_id, db_config->server_id,
al_data->user, fulllog);
}
else
"INSERT INTO "
"data(id, server_id, user, full_log) "
"VALUES ('%u', '%u', '%s', '%s') ",
- db_config->alert_id, db_config->server_id,
+ db_config->alert_id, db_config->server_id,
al_data->user, fulllog);
}
free(fulllog);
fulllog = NULL;
-
-
+
+
/* Inserting into the db */
if(!osdb_query_insert(db_config->conn, sql_query))
{
merror(DB_GENERROR, ARGV0);
}
-
+
/* Generating final SQL */
snprintf(sql_query, OS_SIZE_8192,
"INSERT INTO "
- "alert(id,server_id,rule_id,timestamp,location_id,src_ip) "
- "VALUES ('%u', '%u', '%u','%u', '%u', '%lu')",
+ "alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) "
+ "VALUES ('%u', '%u', '%u','%u', '%u', '%lu', '%u', '%lu', '%u', '%s')",
db_config->alert_id, db_config->server_id, al_data->rule,
- (unsigned int)time(0), *loc_id, (unsigned long)ntohl(s_ip));
+ (unsigned int)time(0), *loc_id,
+ (unsigned long)ntohl(s_ip), (unsigned short)s_port,
+ (unsigned long)ntohl(d_ip), (unsigned short)d_port,
+ al_data->alertid);
/* Inserting into the db */
merror(DB_GENERROR, ARGV0);
}
-
+
db_config->alert_id++;
return(1);
}
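Review bot: The `snprintf(templog, len, ...)` calls at L27124 and L27127 pass `len` (the line's strlen) as the size of a buffer declared `len+2`, so every line loses its last character and the `\n` the first branch exists to add is never written; use `sizeof(templog)` (or `len + 2`) in both calls. `templog` is a VLA sized by the log line, which is acceptable only if the alert reader bounds line length — if it does not, a heap buffer is safer. The dead line `// fulllog = os_LoadString(fulllog, al_data->log[i]);` at L27130 should go, and the bare `7456`/`7454` at L27134–L27138 deserve a named constant tied to OS_SIZE_8192 with a comment on why the cut happens after escaping. `al_data->alertid` is interpolated into the INSERT at L27175/L27181 with `%s`; I do not see it pass through osdb_escapestr in this hunk (the "Escaping strings" block at L27095 is cut), so confirm it is escaped or format-constrained like the other string columns. The enclosing function's signature lies outside the hunk.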
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_dbd/config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
modules|= CDBD;
modules|= CRULES;
-
+
/* Allocating config just to get the rules. */
os_calloc(1, sizeof(_Config), tmp_config);
if(ReadConfig(modules, cfgfile, tmp_config, db_config) < 0)
return(OS_INVALID);
-
+
/* Here, we assign the rules to db_config and free the rest
* of the Config.
*/
{
return(0);
}
-
+
/* Checking for a valid config. */
if(!db_config->host ||
osdb_close = mysql_osdb_close;
}
#endif
-
+
#ifdef UPOSTGRES
if(db_config->db_type == POSTGDB)
{
{
#ifndef UMYSQL
merror(DB_COMPILED, ARGV0, "mysql");
- return(OS_INVALID);
+ return(OS_INVALID);
#endif
}
else if(db_config->db_type == POSTGDB)
{
#ifndef UPOSTGRES
merror(DB_COMPILED, ARGV0, "postgresql");
- return(OS_INVALID);
+ return(OS_INVALID);
#endif
}
-
+
if(osdb_connect == NULL)
{
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_dbd/db_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-
+
/* Common lib for dealing with databases */
{
return;
}
-
+
while(*str)
{
if(*str == '\'')
ErrorExit(DB_MAINERROR, ARGV0);
}
-
+
/* If error count is too large, we try to reconnect. */
if(db_config_pt->error_count > 0)
{
int i = 0;
if(db_config_pt->conn)
{
- osdb_close(db_config_pt->conn);
+ osdb_close(db_config_pt->conn);
db_config_pt->conn = NULL;
}
while(i <= db_config_pt->maxreconnect)
{
merror(DB_ATTEMPT, ARGV0);
- db_config_pt->conn = osdb_connect(db_config_pt->host,
+ db_config_pt->conn = osdb_connect(db_config_pt->host,
db_config_pt->user,
- db_config_pt->pass,
+ db_config_pt->pass,
db_config_pt->db,
db_config_pt->port,
db_config_pt->sock);
-
+
/* If we were able to reconnect, keep going. */
if(db_config_pt->conn)
{
{
ErrorExit(DB_MAINERROR, ARGV0);
}
-
-
+
+
verbose("%s: Connected to database '%s' at '%s'.",
ARGV0, db_config_pt->db, db_config_pt->host);
-
+
}
}
unsigned int p_type = MYSQL_PROTOCOL_TCP;
mysql_options(conn, MYSQL_OPT_PROTOCOL, (char *)&p_type);
}
- }
- if(mysql_real_connect(conn, host, user, pass, db,
+ }
+ if(mysql_real_connect(conn, host, user, pass, db,
port, sock, 0) == NULL)
{
merror(DBCONN_ERROR, ARGV0, host, db, mysql_error(conn));
/** int mysql_osdb_query_insert(void *db_conn, char *query)
- * Sends insert query to database.
+ * Sends insert query to database.
*/
int mysql_osdb_query_insert(void *db_conn, char *query)
{
int result_int = 0;
MYSQL_RES *result_data;
MYSQL_ROW result_row;
-
+
/* Sending the query. It can not fail. */
if(mysql_query(db_conn, query) != 0)
return(0);
}
-
+
/* Getting result */
result_data = mysql_use_result(db_conn);
if(result_data == NULL)
osdb_seterror();
return(0);
}
-
+
/* Getting row. We only care about the first result. */
result_row = mysql_fetch_row(result_data);
{
result_int = atoi(result_row[0]);
}
-
+
mysql_free_result(result_data);
#if defined UPOSTGRES
-/** void *postgresql_osdb_connect(char *host, char *user, char *pass, char *db)
- * Create the PostgreSQL database connection.
+/** void *postgresql_osdb_connect(char *host, char *user, char *pass, char *db)
+ * Create the PostgreSQL database connection.
* Return NULL on error
*/
-void *postgresql_osdb_connect(char *host, char *user, char *pass, char *db,
+void *postgresql_osdb_connect(char *host, char *user, char *pass, char *db,
int port, char *sock)
{
PGconn *conn;
/** int postgresql_osdb_query_insert(void *db_conn, char *query)
- * Sends insert query to database.
+ * Sends insert query to database.
*/
int postgresql_osdb_query_insert(void *db_conn, char *query)
{
PGresult *result;
-
-
+
+
result = PQexec(db_conn,query);
if(!result)
{
osdb_seterror();
return(0);
}
-
-
+
+
if(PQresultStatus(result) != PGRES_COMMAND_OK)
{
merror(DBQUERY_ERROR, ARGV0, query, PQerrorMessage(db_conn));
return(0);
}
-
+
PQclear(result);
return(1);
}
osdb_seterror();
return(0);
}
-
+
if((PQresultStatus(result) == PGRES_TUPLES_OK))
{
if(PQntuples(result) == 1)
-void *none_osdb_connect(char *host, char *user, char *pass, char *db,
+void *none_osdb_connect(char *host, char *user, char *pass, char *db,
int port, char *sock)
{
char *tmp;
/* Just to avoid warnings. */
tmp = host; tmp = user; tmp = pass; tmp = db;
-
-
+
+
merror("%s: ERROR: Database support not enabled. Exiting.", ARGV0);
return(NULL);
}
void *tmp;
tmp = db_conn; tmp = query;
-
+
merror("%s: ERROR: Database support not enabled. Exiting.", ARGV0);
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_dbd/db_op.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-
+
/* Common API for dealing with databases */
* Available chars: a-z, A-Z, 0-9, -, _, ., %, $, @, (, ), +, *, <space> /
* Basically: 040-046 (oct)
* 050-176 (oct)
+ * 8/27/2012: Modified to allow new lines - \012
*/
static const unsigned char insert_map[] =
{
'\000', '\000', '\002', '\003', '\004', '\005', '\006', '\007',
- '\010', '\011', '\012', '\013', '\014', '\015', '\016', '\017',
+ '\010', '\011', '\001', '\013', '\014', '\015', '\016', '\017',
'\020', '\021', '\022', '\023', '\024', '\025', '\026', '\027',
'\030', '\031', '\032', '\033', '\034', '\035', '\036', '\037',
'\001', '\001', '\001', '\001', '\001', '\001', '\001', '\047',
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_dbd/dbd.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
*/
void OS_DBD(DBConfig *db_config)
{
- time_t tm;
- struct tm *p;
+ time_t tm;
+ struct tm *p;
file_queue *fileq;
alert_data *al_data;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_dbd/dbd.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* Inserts server info to the db. */
int OS_Server_ReadInsertDB(void *db_config);
-
+
/* Insert rules in to the database */
int OS_InsertRulesDB(DBConfig *db_config);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_dbd/main.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
{
print_out(" ");
print_out("%s %s - %s", __name, __version, __author);
-
+
#ifdef UMYSQL
print_out("Compiled with MySQL support.");
#endif
#if !defined(UMYSQL) && !defined(UPOSTGRES)
print_out("Compiled without any Database support.");
#endif
-
+
print_out(" ");
print_out("%s",__license);
/* Setting the name */
OS_SetName(ARGV0);
-
+
while((c = getopt(argc, argv, "vVdhtfu:g:D:c:")) != -1){
switch(c){
break;
case 'v':
db_info();
- break;
+ break;
case 'h':
help(ARGV0);
break;
if(!optarg)
ErrorExit("%s: -D needs an argument",ARGV0);
dir=optarg;
+ break;
case 'c':
if(!optarg)
ErrorExit("%s: -c needs an argument",ARGV0);
cfg = optarg;
break;
case 't':
- test_config = 1;
+ test_config = 1;
break;
default:
help(ARGV0);
/* Exit here if test config is set */
if(test_config)
exit(0);
-
-
- if(!run_foreground)
+
+
+ if(!run_foreground)
{
/* Going on daemon mode */
nowDaemon();
}
-
+
/* Not configured */
if(c == 0)
{
exit(0);
}
-
+
/* Maybe disable this debug? */
debug1("%s: DEBUG: Connecting to '%s', using '%s', '%s', '%s', %d,'%s'.",
- ARGV0, db_config.host, db_config.user,
+ ARGV0, db_config.host, db_config.user,
db_config.pass, db_config.db,db_config.port,db_config.sock);
/* Getting maximum reconned attempts */
db_config.maxreconnect = getDefine_Int("dbd",
"reconnect_attempts", 1, 9999);
-
-
+
+
/* Connecting to the database */
c = 0;
while(c <= (db_config.maxreconnect * 10))
{
- db_config.conn = osdb_connect(db_config.host, db_config.user,
+ db_config.conn = osdb_connect(db_config.host, db_config.user,
db_config.pass, db_config.db,
db_config.port,db_config.sock);
c++;
sleep(c * 60);
-
+
}
merror(DB_CONFIGERR, ARGV0);
ErrorExit(CONFIG_ERROR, ARGV0, cfg);
}
-
+
/* We must notify that we connected -- easy debugging */
- verbose("%s: Connected to database '%s' at '%s'.",
+ verbose("%s: Connected to database '%s' at '%s'.",
ARGV0, db_config.db, db_config.host);
-
+
/* Privilege separation */
if(Privsep_SetGroup(gid) < 0)
ErrorExit(SETGID_ERROR,ARGV0,group);
-
+
/* chrooting */
if(Privsep_Chroot(dir) < 0)
ErrorExit(CHROOT_ERROR,ARGV0,dir);
ErrorExit(CONFIG_ERROR, ARGV0, cfg);
}
-
- /* Changing user */
+
+ /* Changing user */
if(Privsep_SetUser(uid) < 0)
ErrorExit(SETUID_ERROR,ARGV0,user);
/* Signal manipulation */
StartSIG(ARGV0);
-
+
/* Creating PID files */
if(CreatePID(ARGV0, getpid()) < 0)
ErrorExit(PID_ERROR,ARGV0);
-
+
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
-
+
/* the real daemon now */
OS_DBD(&db_config);
-# @(#) $Id$ */
+# @(#) $Id: ./src/os_dbd/mysql.schema, 2011/09/08 dcid Exp $
#
# Copyright (C) 2009 Trend Micro Inc.
# All rights reserved.
dst_ip INT UNSIGNED,
src_port SMALLINT UNSIGNED,
dst_port SMALLINT UNSIGNED,
+ alertid TINYTEXT DEFAULT NULL,
PRIMARY KEY (id, server_id),
INDEX time (timestamp),
INDEX (rule_id),
--- @(#) $Id$ */
+-- @(#) $Id: ./src/os_dbd/postgresql.schema, 2011/09/08 dcid Exp $
--
-- Copyright (C) 2009 Trend Micro Inc.
-- All rights reserved.
dst_ip INT8,
src_port INT4,
dst_port INT4,
+ alertid TEXT DEFAULT NULL,
PRIMARY KEY (id, server_id)
);
CREATE INDEX time on alert(timestamp);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_dbd/rules.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
int __Groups_InsertGroup(char *group, DBConfig *db_config)
{
char sql_query[OS_SIZE_1024];
-
+
memset(sql_query, '\0', OS_SIZE_1024);
/* Generating SQL */
char *tmp_group;
char *tmp_str;
-
+
debug1("%s: DEBUG: entering _Groups_ReadInsertDB", ARGV0);
{
return;
}
-
+
tmp_str = strchr(rule->group, ',');
tmp_group = rule->group;
while(*tmp_group == ' ')
tmp_group++;
-
+
/* Checking for empty group */
if(*tmp_group == '\0')
{
}
}
-
+
/* Getting next category */
tmp_group = tmp_str;
if(tmp_group)
tmp_str = strchr(tmp_group, ',');
}
}
-
+
return;
}
char sql_query[OS_SIZE_1024];
memset(sql_query, '\0', OS_SIZE_1024);
-
+
/* Escaping strings */
osdb_escapestr(rule->group);
osdb_escapestr(rule->comment);
rule->level = 20;
if(rule->level < 0)
rule->level = 0;
-
-
+
+
debug1("%s: DEBUG: entering _Rules_ReadInsertDB()", ARGV0);
-
-
+
+
/* Checking rule limit */
if(rule->sigid < 0 || rule->sigid > 9999999)
{
/* Inserting group into the signature mapping */
_Groups_ReadInsertDB(rule, db_config);
-
-
-
+
+
+
debug2("%s: DEBUG: Inserting: %d", ARGV0, rule->sigid);
-
+
/* Generating SQL */
snprintf(sql_query, OS_SIZE_1024 -1,
"SELECT id FROM signature "
"where rule_id = %u",
rule->sigid);
-
+
if(osdb_query_select(dbc->conn, sql_query) == 0)
{
snprintf(sql_query, OS_SIZE_1024 -1,
rule->level, rule->comment,rule->sigid);
}
-
+
/* Checking return code. */
if(!osdb_query_insert(dbc->conn, sql_query))
{
int OS_InsertRulesDB(DBConfig *db_config)
{
char **rulesfiles;
-
+
rulesfiles = db_config->includes;
while(rulesfiles && *rulesfiles)
{
debug1("%s: Reading rules file: '%s'", ARGV0, *rulesfiles);
-
+
if(OS_ReadXMLRules(*rulesfiles, _Rules_ReadInsertDB, db_config) < 0)
{
merror(RULES_ERROR, ARGV0, *rulesfiles);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_dbd/server.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
int __DBInsertServer(char *server, char *info, DBConfig *db_config)
{
char sql_query[OS_SIZE_1024];
-
+
memset(sql_query, '\0', OS_SIZE_1024);
/* Checking if the server is present */
snprintf(sql_query, OS_SIZE_1024 -1,
"SELECT id from server where hostname = '%s'",
server);
-
+
/* If not present, we insert */
if(osdb_query_select(db_config->conn, sql_query) == 0)
{
int server_id = 0;
char *info;
-
+
debug1("%s: DEBUG: entering OS_Server_ReadInsertDB()", ARGV0);
-
+
/* Getting servers hostname */
memset(__shost, '\0', 512);
if(gethostname(__shost, 512 -1) != 0)
/* Getting server id */
server_id = __DBSelectServer(__shost, (DBConfig *)db_config);
-
-
+
+
return(server_id);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_execd/config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*/
-#include "shared.h"
+#include "shared.h"
+#include "execd.h"
/* ExecdConfig v0.1, 2006/03/24
*/
int ExecdConfig(char * cfgfile)
{
+ extern int repeated_offenders_timeout[];
#ifdef WIN32
int is_disabled = 1;
#else
int is_disabled = 0;
#endif
char *(xmlf[]) = {"ossec_config", "active-response", "disabled", NULL};
+ char *(blocks[]) = {"ossec_config", "active-response", "repeated_offenders", NULL};
char *disable_entry;
+ char *repeated_t;
+ char **repeated_a;
OS_XML xml;
else
{
merror(XML_VALUEERR, ARGV0,
- "disabled",
- disable_entry);
+ "disabled",
+ disable_entry);
return(-1);
}
}
-
+
+ repeated_t = OS_GetOneContentforElement(&xml, blocks);
+ if(repeated_t)
+ {
+ int i = 0;
+ int j = 0;
+ repeated_a = OS_StrBreak(',', repeated_t, 5);
+ if(!repeated_a)
+ {
+ merror(XML_VALUEERR, ARGV0,
+ "repeated_offenders",
+ disable_entry);
+ return(-1);
+ }
+
+ while(repeated_a[i] != NULL)
+ {
+ char *tmpt = repeated_a[i];
+ while(*tmpt != '\0')
+ {
+ if(*tmpt == ' ' || *tmpt == '\t')
+ tmpt++;
+ else
+ break;
+ }
+
+ if(*tmpt == '\0')
+ {
+ i++;
+ continue;
+ }
+
+ repeated_offenders_timeout[j] = atoi(tmpt);
+ verbose("%s: INFO: Adding offenders timeout: %d (for #%d)",
+ ARGV0, repeated_offenders_timeout[j], j+1);
+ j++;
+ repeated_offenders_timeout[j] = 0;
+ if(j >= 6) break;
+ i++;
+ }
+ }
+
+
OS_ClearXML(&xml);
return(is_disabled);
}
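Review bot: The error path at L27843–L27845 reports `disable_entry` for the `repeated_offenders` element; it should print the value that failed, `merror(XML_VALUEERR, ARGV0, "repeated_offenders", repeated_t);`. `atoi(tmpt)` at L27866 accepts any text silently, and a non-numeric or `0` entry becomes a 0 that the readers in execd.c treat as end-of-list, so every later entry is dropped without a message — `strtol` with an end-pointer check and rejection of non-positive values would surface the misconfiguration. The write to `repeated_offenders_timeout[j]` stops at `j >= 6` while the array in execd.c is declared with seven elements; the bound and the definition should share one macro in execd.h (which this file now includes), presumably with the in-function `extern` at L27811 moving there as well. Neither `repeated_t` nor `repeated_a` is released before return; whether OS_StrBreak's result must be freed element by element is not visible here, but `repeated_t` from OS_GetOneContentforElement looks caller-owned — confirm.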
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_execd/exec.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
int f_time_reading = 1;
-/** int ReadExecConfig() v0.1:
+/** int ReadExecConfig() v0.1:
* Reads the shared exec config.
- * Returns 1 on success or 0 on failure.
+ * Returns 1 on success or 0 on failure.
* Format of the file is 'name - command - timeout'
*/
int ReadExecConfig()
exec_timeout[i] = 0;
}
exec_size = 0;
-
-
+
+
/* Opening file */
fp = fopen(DEFAULTARPATH, "r");
if(!fp)
*tmp_str = '\0';
tmp_str++;
-
+
/* Searching for ' ' and - */
if(*tmp_str == '-')
{
}
-
+
/* Setting the name */
strncpy(exec_names[exec_size], str_pt, OS_FLSIZE);
exec_names[exec_size][OS_FLSIZE] = '\0';
-
+
str_pt = tmp_str;
tmp_str = strchr(tmp_str, ' ');
}
*tmp_str = '\0';
-
+
/* Writting the full command path */
- snprintf(exec_cmd[exec_size], OS_FLSIZE,
- "%s/%s",
- AR_BINDIRPATH,
+ snprintf(exec_cmd[exec_size], OS_FLSIZE,
+ "%s/%s",
+ AR_BINDIRPATH,
str_pt);
process_file = fopen(exec_cmd[exec_size], "r");
if(!process_file)
ARGV0, exec_cmd[exec_size]);
}
- exec_cmd[exec_size][0] = '\0';
+ exec_cmd[exec_size][0] = '\0';
}
else
{
fclose(process_file);
}
-
+
/* Searching for ' ' and - */
tmp_str++;
if(*tmp_str == '-')
merror(EXEC_INV_CONF, ARGV0, DEFAULTARPATH);
continue;
}
-
-
- str_pt = tmp_str;
+
+
+ str_pt = tmp_str;
tmp_str = strchr(tmp_str, '\n');
if(tmp_str)
*tmp_str = '\0';
-
+
/* Getting the exec timeout */
exec_timeout[exec_size] = atoi(str_pt);
}
}
}
-
+
if(dup_entry)
{
exec_cmd[exec_size][0] = '\0';
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_execd/execd.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/* Timeout list */
OSList *timeout_list;
OSListNode *timeout_node;
-
+OSHash *repeated_hash;
+int repeated_offenders_timeout[] = {0,0,0,0,0,0,0};
+
-/**
+/**
* Shudowns execd properly.
*/
void execd_shutdown()
{
/* Removing pending active responses. */
merror(EXEC_SHUTDOWN, ARGV0);
-
+
timeout_node = OSList_GetFirstNode(timeout_list);
while(timeout_node)
{
/* Setting the name */
OS_SetName(ARGV0);
-
+
while((c = getopt(argc, argv, "Vtdhfu:g:D:c:")) != -1){
switch(c){
if(!optarg)
ErrorExit("%s: -D needs an argument.",ARGV0);
dir = optarg;
+ break;
case 'c':
if(!optarg)
ErrorExit("%s: -c needs an argument.",ARGV0);
break;
case 't':
test_config = 1;
- break;
+ break;
default:
help(ARGV0);
break;
ErrorExit(USER_ERROR,ARGV0,"",group);
- /* Privilege separation */
+ /* Privilege separation */
if(Privsep_SetGroup(gid) < 0)
ErrorExit(SETGID_ERROR,ARGV0,group);
/* Exit if test_config */
if(test_config)
exit(0);
-
-
+
+
/* Signal manipulation */
StartSIG2(ARGV0, execd_shutdown);
-
- if (!run_foreground)
+
+ if (!run_foreground)
{
/* Going daemon */
nowDaemon();
goDaemon();
- }
+ }
/* Active response disabled */
verbose(EXEC_DISABLED, ARGV0);
exit(0);
}
-
+
/* Creating the PID file */
if(CreatePID(ARGV0, getpid()) < 0)
merror(PID_ERROR, ARGV0);
-
+
/* Starting queue (exec queue) */
if((m_queue = StartMQ(EXECQUEUEPATH,READ)) < 0)
ErrorExit(QUEUE_ERROR, ARGV0, EXECQUEUEPATH, strerror(errno));
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
-
- /* The real daemon Now */
+
+ /* The real daemon Now */
ExecdStart(m_queue);
-
+
exit(0);
}
{
return;
}
-
+
tmp_str = timeout_entry->command;
/* Clearing the command arguments */
{
int i, childcount = 0;
time_t curr_time;
-
+
char buffer[OS_MAXSTR + 1];
char *tmp_msg = NULL;
char *name;
fd_set fdset;
struct timeval socket_timeout;
-
+
/* Clearing the buffer */
memset(buffer, '\0', OS_MAXSTR +1);
-
-
+
+
/* Initializing the cmd arguments */
for(i = 0; i<= MAX_ARGS +1; i++)
{
cmd_args[i] = NULL;
}
-
-
+
+
/* Creating list for timeout */
- timeout_list = OSList_Create();
+ timeout_list = OSList_Create();
if(!timeout_list)
{
ErrorExit(LIST_ERROR, ARGV0);
}
-
-
+
+
+ if(repeated_offenders_timeout[0] != 0)
+ {
+ repeated_hash = OSHash_Create();
+ }
+ else
+ {
+ repeated_hash = NULL;
+ }
+
+
+
/* Main loop. */
while(1)
{
int timeout_value;
int added_before = 0;
-
+
char **timeout_args;
timeout_data *timeout_entry;
if (wp < 0)
{
merror(WAITPID_ERROR, ARGV0);
+ break;
}
/* if = 0, we still need to wait for the child process */
timeout_data *list_entry;
list_entry = (timeout_data *)timeout_node->data;
-
+
/* Timeouted */
- if((curr_time - list_entry->time_of_addition) >
+ if((curr_time - list_entry->time_of_addition) >
list_entry->time_to_block)
{
ExecCmd(list_entry->command);
-
+
/* Deletecurrently node already sets the pointer to next */
OSList_DeleteCurrentlyNode(timeout_list);
timeout_node = OSList_GetCurrentlyNode(timeout_list);
}
}
-
+
/* Setting timeout to EXECD_TIMEOUT */
socket_timeout.tv_sec = EXECD_TIMEOUT;
socket_timeout.tv_usec= 0;
/* Getting application name */
name = buffer;
-
-
+
+
/* Zeroing the name */
tmp_msg = strchr(buffer, ' ');
if(!tmp_msg)
/* Allocating memory for the timeout argument */
os_calloc(MAX_ARGS+2, sizeof(char *), timeout_args);
-
+
/* Adding initial variables to the cmd_arg and to the timeout cmd */
- cmd_args[0] = command;
+ cmd_args[0] = command;
cmd_args[1] = ADD_ENTRY;
os_strdup(command, timeout_args[0]);
os_strdup(DELETE_ENTRY, timeout_args[1]);
i++;
}
-
+
/* Check this command was already executed. */
timeout_node = OSList_GetFirstNode(timeout_list);
added_before = 1;
merror("%s: Invalid number of arguments.", ARGV0);
}
-
+
+
+
while(timeout_node)
{
timeout_data *list_entry;
list_entry = (timeout_data *)timeout_node->data;
if((strcmp(list_entry->command[3], timeout_args[3]) == 0) &&
- (strcmp(list_entry->command[0], timeout_args[0]) == 0))
+ (strcmp(list_entry->command[0], timeout_args[0]) == 0))
{
/* Means we executed this command before
* and we don't need to add it again.
/* updating the timeout */
list_entry->time_of_addition = curr_time;
+
+ if(repeated_offenders_timeout[0] != 0 &&
+ repeated_hash != NULL &&
+ strncmp(timeout_args[3],"-", 1) != 0)
+ {
+ char *ntimes = NULL;
+ char rkey[256];
+ rkey[255] = '\0';
+ snprintf(rkey, 255, "%s%s", list_entry->command[0],
+ timeout_args[3]);
+
+ if((ntimes = OSHash_Get(repeated_hash, rkey)))
+ {
+ int ntimes_int = 0;
+ int i2 = 0;
+ int new_timeout = 0;
+ ntimes_int = atoi(ntimes);
+ while(repeated_offenders_timeout[i2] != 0)
+ {
+ i2++;
+ }
+ if(ntimes_int >= i2)
+ {
+ new_timeout = repeated_offenders_timeout[i2 - 1]*60;
+ }
+ else
+ {
+ os_calloc(10, sizeof(char), ntimes);
+ new_timeout = repeated_offenders_timeout[ntimes_int]*60;
+ ntimes_int++;
+ snprintf(ntimes, 9, "%d", ntimes_int);
+ OSHash_Update(repeated_hash,rkey,ntimes);
+ }
+ list_entry->time_to_block = new_timeout;
+ }
+ }
break;
}
/* We don't need to add to the list if the timeout_value == 0 */
if(timeout_value)
{
+ char *ntimes;
+ char rkey[256];
+ rkey[255] = '\0';
+ snprintf(rkey, 255, "%s%s", timeout_args[0],
+ timeout_args[3]);
+
+ if(repeated_hash != NULL)
+ {
+ if((ntimes = OSHash_Get(repeated_hash, rkey)))
+ {
+ int ntimes_int = 0;
+ int i2 = 0;
+ int new_timeout = 0;
+
+ ntimes_int = atoi(ntimes);
+ while(repeated_offenders_timeout[i2] != 0)
+ {
+ i2++;
+ }
+ if(ntimes_int >= i2)
+ {
+ new_timeout = repeated_offenders_timeout[i2 - 1]*60;
+ }
+ else
+ {
+ os_calloc(10, sizeof(char), ntimes);
+ new_timeout = repeated_offenders_timeout[ntimes_int]*60;
+ ntimes_int++;
+ snprintf(ntimes, 9, "%d", ntimes_int);
+ OSHash_Update(repeated_hash, rkey, ntimes);
+ }
+ timeout_value = new_timeout;
+ }
+ else
+ {
+ /* Adding to the repeated offenders list. */
+ OSHash_Add(repeated_hash,
+ strdup(rkey),strdup("0"));
+ }
+ }
+
+
/* Creating the timeout entry */
os_calloc(1, sizeof(timeout_data), timeout_entry);
timeout_entry->command = timeout_args;
{
merror(LIST_ADD_ERROR, ARGV0);
FreeTimeoutEntry(timeout_entry);
- }
+ }
}
-
+
/* If no timeout, we still need to free it in here */
else
{
childcount++;
}
-
+
/* We didn't add it to the timeout list */
else
{
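Review bot: The repeated-offender escalation at L28213–L28247 and L28259–L28285 is the same block twice, differing only in which variable receives the new timeout and in the guard; a static helper keyed on rkey would keep the two paths in step. The first copy skips escalation when `timeout_args[3]` starts with `-` while the second does not — confirm which is intended, since this decides whether such entries ever get a longer block. Each escalation `os_calloc`s a fresh counter string and hands it to `OSHash_Update`, dropping the previous pointer; unless OSHash_Update frees the old value (not visible here) that is a small leak per repeat, and the `strdup(rkey)`/`strdup("0")` passed to `OSHash_Add` at L28290 are unchecked. ExecdStart's signature is outside the hunk.
```c
/* Escalation for a repeated offender: returns the block time in seconds
 * for rkey and advances its hit counter, or 0 when rkey is not in
 * repeated_hash yet. Callers must check repeated_hash != NULL. */
static int repeated_offender_timeout(const char *rkey)
{
    char *ntimes = OSHash_Get(repeated_hash, rkey);
    int ntimes_int, levels = 0, new_timeout;

    if(!ntimes)
    {
        return 0;
    }

    ntimes_int = atoi(ntimes);
    while(repeated_offenders_timeout[levels] != 0)
    {
        levels++;
    }

    if(ntimes_int >= levels)
    {
        /* past the last configured step: stay at the longest timeout */
        new_timeout = repeated_offenders_timeout[levels - 1]*60;
    }
    else
    {
        new_timeout = repeated_offenders_timeout[ntimes_int]*60;
        os_calloc(10, sizeof(char), ntimes);
        snprintf(ntimes, 9, "%d", ntimes_int + 1);
        /* NOTE(review): the previous counter string is dropped here; confirm
         * OSHash_Update frees it, otherwise it leaks once per repeat */
        OSHash_Update(repeated_hash, rkey, ntimes);
    }

    return new_timeout;
}

/* … unchanged: ExecdStart up to the "already executed" loop … */
                    if(repeated_hash != NULL && strncmp(timeout_args[3], "-", 1) != 0)
                    {
                        int new_timeout;
                        char rkey[256];
                        snprintf(rkey, sizeof(rkey), "%s%s", list_entry->command[0], timeout_args[3]);
                        if((new_timeout = repeated_offender_timeout(rkey)) != 0)
                        {
                            list_entry->time_to_block = new_timeout;
                        }
                    }
/* … unchanged: break, end of loop, timeout_value check … */
                    if(repeated_hash != NULL)
                    {
                        int new_timeout;
                        char rkey[256];
                        snprintf(rkey, sizeof(rkey), "%s%s", timeout_args[0], timeout_args[3]);
                        if((new_timeout = repeated_offender_timeout(rkey)) != 0)
                        {
                            timeout_value = new_timeout;
                        }
                        else
                        {
                            /* first sighting: start the counter */
                            OSHash_Add(repeated_hash, strdup(rkey), strdup("0"));
                        }
                    }
```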
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_execd/execd.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
#ifndef _EXECD_H
+#define _EXECD_H
#ifndef ARGV0
#define ARGV0 "ossec-execd"
/* Maximum number of command arguments */
-#define MAX_ARGS 32
+#define MAX_ARGS 32
/* Execd select timeout -- in seconds */
+
#define _EXECD_H
#endif
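Review bot: The include guard is now defined twice: the new `#define _EXECD_H` directly under `#ifndef _EXECD_H`, and the pre-existing one just before `#endif`. Drop the trailing `#define _EXECD_H` so the header follows the usual ifndef/define/endif shape. Names beginning with an underscore and an uppercase letter are reserved for the implementation, so `EXECD_H` would be the safer guard name the next time this header is touched.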
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_execd/win_execd.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#ifdef ARGV0
#undef ARGV0
#endif
-
+
#define ARGV0 "ossec-execd"
-
+
/* Timeout list */
OSList *timeout_list;
OSListNode *timeout_node;
-
+
/* Exit if test_config */
if(test_config)
return(0);
-
-
+
+
/* Active response disabled */
if(c == 1)
{
verbose(EXEC_DISABLED, ARGV0);
return(0);
}
-
+
/* Creating list for timeout */
timeout_list = OSList_Create();
{
ErrorExit(LIST_ERROR, ARGV0);
}
-
-
+
+
/* Start up message */
verbose(STARTUP_MSG, ARGV0, getpid());
-
+
return(1);
}
list_entry = (timeout_data *)timeout_node->data;
/* Timeouted */
- if((curr_time - list_entry->time_of_addition) >
+ if((curr_time - list_entry->time_of_addition) >
list_entry->time_to_block)
{
ExecCmd_Win32(list_entry->command[0]);
char *cmd_user;
char *cmd_ip;
char buffer[OS_MAXSTR + 1];
-
+
timeout_data *timeout_entry;
}
*tmp_msg = '\0';
tmp_msg++;
-
+
/* Getting the command to execute (valid name) */
command = GetCommandbyName(name, &timeout_value);
/* Adding initial variables to the timeout cmd */
- snprintf(buffer, OS_MAXSTR, "\"%s\" %s \"%s\" \"%s\" \"%s\"",
- command, DELETE_ENTRY, cmd_user, cmd_ip, tmp_msg);
+ snprintf(buffer, OS_MAXSTR, "\"%s\" %s \"%s\" \"%s\" \"%s\"",
+ command, DELETE_ENTRY, cmd_user, cmd_ip, tmp_msg);
os_strdup(buffer, timeout_args[0]);
timeout_args[1] = NULL;
-
+
/* Getting size for the strncmp */
{
if(buffer[i] == ' ')
j++;
-
+
i++;
if(j == 4)
break;
}
-
+
/* Check this command was already executed. */
timeout_node = OSList_GetFirstNode(timeout_list);
/* If it wasn't added before, do it now */
if(!added_before)
{
- snprintf(buffer, OS_MAXSTR, "\"%s\" %s \"%s\" \"%s\" \"%s\"", command,
+ snprintf(buffer, OS_MAXSTR, "\"%s\" %s \"%s\" \"%s\" \"%s\"", command,
ADD_ENTRY, cmd_user, cmd_ip, tmp_msg);
/* executing command */
{
merror(LIST_ADD_ERROR, ARGV0);
FreeTimeoutEntry(timeout_entry);
- }
+ }
}
/* If no timeout, we still need to free it in here */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_maild/config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
Mail->gran_format = NULL;
Mail->groupping = 1;
Mail->strict_checking = 0;
+#ifdef GEOIP
+ Mail->geoip = 0;
+#endif
if(ReadConfig(modules, cfgfile, NULL, Mail) < 0)
return(OS_INVALID);
{
verbose(MAIL_DIS, ARGV0);
}
- exit(0);
+ exit(0);
}
return(0);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_maild/mail_list.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* Foundation
*/
-
+
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
_memorymaxsize = maxsize;
_memoryused = 0;
-
+
return;
}
n_node = NULL;
return(NULL);
}
-
+
_memoryused--;
-
+
lastnode = lastnode->prev;
/* Remove the last */
- return(oldlast);
+ return(oldlast);
}
{
if(ml == NULL)
return;
-
+
if(ml->subject)
free(ml->subject);
-
+
if(ml->body)
free(ml->body);
-
- free(ml);
+
+ free(ml);
}
return;
if(ml->mail->subject)
free(ml->mail->subject);
-
+
if(ml->mail->body)
free(ml->mail->body);
- free(ml->mail);
+ free(ml->mail);
free(ml);
}
void OS_AddMailtoList(MailMsg *ml)
{
MailNode *tmp_node = n_node;
-
+
if(tmp_node)
{
MailNode *new_node;
new_node = (MailNode *)calloc(1,sizeof(MailNode));
-
+
if(new_node == NULL)
{
ErrorExit(MEM_ERROR,ARGV0);
}
- /* Always adding to the beginning of the list
+ /* Always adding to the beginning of the list
* The new node will become the first node and
* new_node->next will be the previous first node
*/
new_node->next = tmp_node;
new_node->prev = NULL;
tmp_node->prev = new_node;
-
+
n_node = new_node;
/* Adding the event to the node */
new_node->mail = ml;
_memoryused++;
-
+
/* Need to remove the last node */
if(_memoryused > _memorymaxsize)
{
oldlast = lastnode;
lastnode = lastnode->prev;
-
+
/* free last node */
FreeMail(oldlast);
-
+
_memoryused--;
}
}
-
+
else
{
/* Adding first node */
n_node->prev = NULL;
n_node->next = NULL;
n_node->mail = ml;
-
- lastnode = n_node;
+
+ lastnode = n_node;
}
return;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_maild/mail_list.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
-
+
+
#ifndef _MAILIST__H
#define _MAILIST__H
/* Add an email to the list */
void OS_AddMailtoList(MailMsg *ml);
-/* Return the last event from the Event list
+/* Return the last event from the Event list
* removing it from there
*/
MailNode *OS_PopLastMail();
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_maild/maild.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#include "maild.h"
#include "mail_list.h"
-
void OS_Run(MailConfig *mail);
int main(int argc, char **argv)
/* Setting the name */
OS_SetName(ARGV0);
-
+
while((c = getopt(argc, argv, "Vdhtfu:g:D:c:")) != -1){
switch(c){
if(!optarg)
ErrorExit("%s: -D needs an argument",ARGV0);
dir=optarg;
+ break;
case 'c':
if(!optarg)
ErrorExit("%s: -c needs an argument",ARGV0);
cfg = optarg;
break;
case 't':
- test_config = 1;
+ test_config = 1;
break;
default:
help(ARGV0);
if((uid < 0)||(gid < 0))
ErrorExit(USER_ERROR,ARGV0,user,group);
-
/* Reading configuration */
if(MailConf(test_config, cfg, &mail) < 0)
ErrorExit(CONFIG_ERROR, ARGV0, cfg);
mail.strict_checking = getDefine_Int("maild",
"strict_checking",
0, 1);
-
+
/* Get groupping */
mail.groupping = getDefine_Int("maild",
"groupping",
0, 1);
-
+
/* Getting subject type */
mail.subject_full = getDefine_Int("maild",
"full_subject",
0, 1);
-
-
+
+#ifdef GEOIP
+ /* Get GeoIP */
+ mail.geoip = getDefine_Int("maild",
+ "geoip",
+ 0, 1);
+#endif
+
+
/* Exit here if test config is set */
if(test_config)
exit(0);
-
- if(!run_foreground)
+
+ if(!run_foreground)
{
nowDaemon();
goDaemon();
}
-
+
/* Privilege separation */
if(Privsep_SetGroup(gid) < 0)
ErrorExit(SETGID_ERROR,ARGV0,group);
-
+
/* chrooting */
if(Privsep_Chroot(dir) < 0)
ErrorExit(CHROOT_ERROR,ARGV0,dir);
nowChroot();
-
- /* Changing user */
+
+ /* Changing user */
if(Privsep_SetUser(uid) < 0)
ErrorExit(SETUID_ERROR,ARGV0,user);
/* Signal manipulation */
StartSIG(ARGV0);
-
+
/* Creating PID files */
if(CreatePID(ARGV0, getpid()) < 0)
ErrorExit(PID_ERROR, ARGV0);
-
+
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
-
+
/* the real daemon now */
OS_Run(&mail);
MailMsg *s_msg = NULL;
MailMsg *msg_sms = NULL;
- time_t tm;
- struct tm *p;
+ time_t tm;
+ struct tm *p;
int i = 0;
int mailtosend = 0;
int childcount = 0;
- int today = 0;
+ int today = 0;
int thishour = 0;
int n_errs = 0;
/* Creating the list */
- OS_CreateMailList(MAIL_LIST_SIZE);
-
-
+ OS_CreateMailList(MAIL_LIST_SIZE);
+
+
/* Setting default timeout */
mail_timeout = DEFAULT_TIMEOUT;
-
+
/* Clearing global vars */
_g_subject_level = 0;
memset(_g_subject, '\0', SUBJECT_SIZE +2);
tm = time(NULL);
p = localtime(&tm);
-
+
/* SMS messages are sent without delay */
if(msg_sms)
{
pid_t pid;
-
+
pid = fork();
-
+
if(pid < 0)
{
merror("%s: Fork failed. cause: %d - %s", ARGV0, errno, strerror(errno));
/* Increasing child count */
childcount++;
}
-
+
/* If mail_timeout == NEXTMAIL_TIMEOUT, we will try to get
* more messages, before sending anything
{
/* getting more messages */
}
-
-
- /* Hour changed. Send all supressed mails */
+
+
+ /* Hour changed. Send all supressed mails */
else if(((mailtosend < mail->maxperhour) && (mailtosend != 0))||
((p->tm_hour != thishour) && (childcount < MAXCHILDPROCESS)))
{
{
if(OS_Sendmail(mail, p) < 0)
merror(SNDMAIL_ERROR,ARGV0,mail->smtpserver);
-
- exit(0);
+
+ exit(0);
}
-
+
/* Cleaning the memory */
- mailmsg = OS_PopLastMail();
+ mailmsg = OS_PopLastMail();
do
{
- FreeMail(mailmsg);
+ FreeMail(mailmsg);
mailmsg = OS_PopLastMail();
}while(mailmsg);
-
-
- /* Increasing child count */
- childcount++;
+
+
+ /* Increasing child count */
+ childcount++;
/* Clearing global vars */
_g_subject[0] = '\0';
_g_subject[SUBJECT_SIZE -1] = '\0';
_g_subject_level = 0;
-
-
+
+
/* Cleaning up set values */
if(mail->gran_to)
{
/* If we sent everything */
if(p->tm_hour != thishour)
{
- thishour = p->tm_hour;
+ thishour = p->tm_hour;
mailtosend = 0;
}
}
-
+
/* Saved message for the do_not_group option.
*/
if(s_msg)
i++;
}
}
-
+
OS_AddMailtoList(s_msg);
s_msg = NULL;
mailtosend++;
continue;
}
-
-
+
+
/* Receive message from queue */
if((msg = OS_RecvMailQ(fileq, p, mail, &msg_sms)) != NULL)
{
{
OS_AddMailtoList(msg);
}
-
+
/* Change timeout to see if any new message is coming shortly */
if(mail->groupping)
/* Waiting for the childs .. */
- while (childcount)
+ while (childcount)
{
int wp;
int p_status;
wp = waitpid((pid_t) -1, &p_status, WNOHANG);
if (wp < 0)
{
- merror(WAITPID_ERROR, ARGV0);
+ merror(WAITPID_ERROR, ARGV0);
n_errs++;
}
- /* if = 0, we still need to wait for the child process */
- else if (wp == 0)
+ /* if = 0, we still need to wait for the child process */
+ else if (wp == 0)
break;
else
{
if(p_status != 0)
{
+ merror(CHLDWAIT_ERROR,ARGV0,p_status);
merror(SNDMAIL_ERROR,ARGV0,mail->smtpserver);
n_errs++;
}
/* Too many errors */
if(n_errs > 6)
{
+ merror(TOOMANY_WAIT_ERROR,ARGV0);
merror(SNDMAIL_ERROR,ARGV0,mail->smtpserver);
exit(1);
}
}
-
+
}
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_maild/maild.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* Each timeout is x * 5 */
#define NEXTMAIL_TIMEOUT 2 /* Time to check for next msg - 5 */
-#define DEFAULT_TIMEOUT 18 /* socket read timeout - 18 (*5)*/
+#define DEFAULT_TIMEOUT 18 /* socket read timeout - 18 (*5)*/
#define SUBJECT_SIZE 128 /* Maximum subject size */
/* Maximum body size */
#define MAIL_SUBJECT_FULL2 "%d - %s - %s"
#endif
+#ifdef GEOIP
#define MAIL_BODY "\r\nOSSEC HIDS Notification.\r\n" \
"%s\r\n\r\n" \
"Received From: %s\r\n" \
"Rule: %d fired (level %d) -> \"%s\"\r\n" \
+ "%s" \
+ "%s" \
"Portion of the log(s):\r\n\r\n%s\r\n" \
"\r\n\r\n --END OF NOTIFICATION\r\n\r\n\r\n"
-
+#else
+#define MAIL_BODY "\r\nOSSEC HIDS Notification.\r\n" \
+ "%s\r\n\r\n" \
+ "Received From: %s\r\n" \
+ "Rule: %d fired (level %d) -> \"%s\"\r\n" \
+ "Portion of the log(s):\r\n\r\n%s\r\n" \
+ "\r\n\r\n --END OF NOTIFICATION\r\n\r\n\r\n"
+#endif
/* Mail msg structure */
typedef struct _MailMsg
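Review bot: The two `MAIL_BODY` definitions differ only by the two added `"%s"` lines, and os_maild_client.c mirrors the split with a second `#ifdef GEOIP` around the `snprintf(mail->body, ...)` call. Keeping a single definition with both placeholders and passing `""` for `geoip_msg_src`/`geoip_msg_dst` in the non-GEOIP build would remove both duplicates. The format string and its argument list must stay in step, so every future edit to one variant has to be repeated on the other; a comment on the macro, `/* Two %s slots carry the optional Src/Dst Location lines; callers pass "" when unused */`, would make the contract explicit.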
#include "config/mail-config.h"
-/* Config function */
+/* Config function */
int MailConf(int test_config, char *cfgfile, MailConfig *Mail);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_maild/os_maild_client.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
#include "shared.h"
#include "maild.h"
+/* GeoIP Stuff */
+#ifdef GEOIP
+#include "config/config.h"
+#endif
-/* OS_RecvMailQ,
+/* OS_RecvMailQ,
* v0.1, 2005/03/15
* Receive a Message on the Mail queue
* v0,2: Using the new file-queue.
*/
-MailMsg *OS_RecvMailQ(file_queue *fileq, struct tm *p,
+MailMsg *OS_RecvMailQ(file_queue *fileq, struct tm *p,
MailConfig *Mail, MailMsg **msg_sms)
{
int i = 0, body_size = OS_MAXSTR -3, log_size, sms_set = 0,donotgroup = 0;
char logs[OS_MAXSTR + 1];
char *subject_host;
-
+#ifdef GEOIP
+ char geoip_msg_src[OS_SIZE_1024 +1];
+ char geoip_msg_dst[OS_SIZE_1024 +1];
+#endif
+
MailMsg *mail;
alert_data *al_data;
/* Generating the logs */
logs[0] = '\0';
logs[OS_MAXSTR] = '\0';
-
+
while(al_data->log[i])
{
log_size = strlen(al_data->log[i]) + 4;
-
+
/* If size left is small than the size of the log, stop it */
if(body_size <= log_size)
{
break;
}
-
+
strncat(logs, al_data->log[i], body_size);
strncat(logs, "\r\n", body_size);
body_size -= log_size;
i++;
}
+ if (al_data->old_md5)
+ {
+ log_size = strlen(al_data->old_md5) + 16 + 4;
+ if(body_size > log_size)
+ {
+ strncat(logs, "Old md5sum was: ", 16);
+ strncat(logs, al_data->old_md5, body_size);
+ strncat(logs, "\r\n", 4);
+ body_size -= log_size;
+ }
+ }
+ if (al_data->new_md5)
+ {
+ log_size = strlen(al_data->new_md5) + 16 + 4;
+ if(body_size > log_size)
+ {
+ strncat(logs, "New md5sum is : ", 16);
+ strncat(logs, al_data->new_md5, body_size);
+ strncat(logs, "\r\n", 4);
+ body_size -= log_size;
+ }
+ }
+ if (al_data->old_sha1)
+ {
+ log_size = strlen(al_data->old_sha1) + 17 + 4;
+ if(body_size > log_size)
+ {
+ strncat(logs, "Old sha1sum was: ", 17);
+ strncat(logs, al_data->old_sha1, body_size);
+ strncat(logs, "\r\n", 4);
+ body_size -= log_size;
+ }
+ }
+ if (al_data->new_sha1)
+ {
+ log_size = strlen(al_data->new_sha1) + 17 + 4;
+ if(body_size > log_size)
+ {
+ strncat(logs, "New sha1sum is : ", 17);
+ strncat(logs, al_data->new_sha1, body_size);
+ strncat(logs, "\r\n", 4);
+ body_size -= log_size;
+ }
+ }
+
/* Subject */
subject_host = strchr(al_data->location, '>');
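Review bot: The four md5/sha1 blocks are the same ten lines with a different label and field, and each label length (16 or 17) is hand-counted twice, once in `log_size` and once as the `strncat` count — editing a label silently desynchronises the two. A small static helper that takes the label and value, performs the `body_size` check, appends and decrements keeps the arithmetic in one place; since `strncat`'s third argument bounds the source, not the destination, the room check before each append is what actually protects `logs` and belongs inside the helper. Separately, the later `debug2("OS_RecvMailQ: mail->body[%s]", mail->body)` copies the whole notification body, including the alert log lines, into the debug log at level 2; logging only its length would avoid duplicating alert content there. OS_RecvMailQ starts and ends outside this hunk.
```c
/* Append "<label><value>\r\n" to logs when it fits in the remaining body_size. */
static void append_hash_line(char *logs, int *body_size, const char *label, const char *value)
{
    int log_size;

    if(value == NULL)
        return;

    log_size = strlen(label) + strlen(value) + 4;
    if(*body_size > log_size)
    {
        strncat(logs, label, *body_size);
        strncat(logs, value, *body_size);
        strncat(logs, "\r\n", *body_size);
        *body_size -= log_size;
    }
}

/* … unchanged: log loop … */
append_hash_line(logs, &body_size, "Old md5sum was: ", al_data->old_md5);
append_hash_line(logs, &body_size, "New md5sum is : ", al_data->new_md5);
append_hash_line(logs, &body_size, "Old sha1sum was: ", al_data->old_sha1);
append_hash_line(logs, &body_size, "New sha1sum is : ", al_data->new_sha1);
```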
{
/* Option for a clean full subject (without ossec in the name) */
#ifdef CLEANFULL
- snprintf(mail->subject, SUBJECT_SIZE -1, MAIL_SUBJECT_FULL2,
+ snprintf(mail->subject, SUBJECT_SIZE -1, MAIL_SUBJECT_FULL2,
al_data->level,
al_data->comment,
al_data->location);
#else
- snprintf(mail->subject, SUBJECT_SIZE -1, MAIL_SUBJECT_FULL,
+ snprintf(mail->subject, SUBJECT_SIZE -1, MAIL_SUBJECT_FULL,
al_data->location,
al_data->level,
al_data->comment);
}
else
{
- snprintf(mail->subject, SUBJECT_SIZE -1, MAIL_SUBJECT,
+ snprintf(mail->subject, SUBJECT_SIZE -1, MAIL_SUBJECT,
al_data->location,
al_data->level);
}
-
+
/* fixing subject back */
if(subject_host)
{
*subject_host = '-';
}
-
+#ifdef GEOIP
+ /* Get GeoIP information */
+ if (Mail->geoip) {
+ if (al_data->geoipdatasrc) {
+ snprintf(geoip_msg_src, OS_SIZE_1024, "Src Location: %s\r\n", al_data->geoipdatasrc);
+ } else {
+ geoip_msg_src[0] = '\0';
+ }
+ if (al_data->geoipdatadst) {
+ snprintf(geoip_msg_dst, OS_SIZE_1024, "Dst Location: %s\r\n", al_data->geoipdatadst);
+ } else {
+ geoip_msg_dst[0] = '\0';
+ }
+ }
+ else {
+ geoip_msg_src[0] = '\0';
+ geoip_msg_dst[0] = '\0';
+ }
+#endif
+
/* Body */
+#ifdef GEOIP
snprintf(mail->body, BODY_SIZE -1, MAIL_BODY,
al_data->date,
al_data->location,
al_data->rule,
al_data->level,
al_data->comment,
+ geoip_msg_src,
+ geoip_msg_dst,
logs);
-
+#else
+ snprintf(mail->body, BODY_SIZE -1, MAIL_BODY,
+ al_data->date,
+ al_data->location,
+ al_data->rule,
+ al_data->level,
+ al_data->comment,
+ logs);
+#endif
+ debug2("OS_RecvMailQ: mail->body[%s]", mail->body);
/* Checking for granular email configs */
if(Mail->gran_to)
while(Mail->gran_to[i] != NULL)
{
int gr_set = 0;
-
+
/* Looking if location is set */
if(Mail->gran_location[i])
{
continue;
}
}
-
+
/* Looking for the level */
if(Mail->gran_level[i])
{
continue;
}
}
-
+
/* Looking for the group */
if(Mail->gran_group[i])
_g_subject_level = al_data->level;
}
}
-
-
+
+
/* If sms is set, create the sms output */
if(sms_set)
{
MailMsg *msg_sms_tmp;
-
+
/* Allocate memory for sms */
os_calloc(1,sizeof(MailMsg), msg_sms_tmp);
os_calloc(BODY_SIZE, sizeof(char), msg_sms_tmp->body);
strncpy(msg_sms_tmp->body, logs, 128);
msg_sms_tmp->body[127] = '\0';
-
+
/* Assigning msg_sms */
*msg_sms = msg_sms_tmp;
}
-
-
-
+
+
+
/* Clearing the memory */
FreeAlertData(al_data);
-
+
return(mail);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_maild/sendcustomemail.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
/* Connecting to the smtp server */
- socket = OS_ConnectTCP(SMTP_DEFAULT_PORT, smtpserver);
+ socket = OS_ConnectTCP(SMTP_DEFAULT_PORT, smtpserver, 0);
if(socket < 0)
{
return(socket);
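Review bot: The new third argument to `OS_ConnectTCP` is the literal `0`, so the SMTP connection is always IPv4 even though `OS_Connect` now supports IPv6; the same literal appears at the two `OS_ConnectTCP(SMTP_DEFAULT_PORT, mail->smtpserver, 0)` calls in sendmail.c below. If the mail server is meant to stay IPv4-only, say so at the call, e.g. `/* SMTP server is connected over IPv4 only */`; otherwise the flag should come from the mail configuration rather than being hard-coded. The enclosing function starts and ends outside this hunk.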
if(msg)
free(msg);
close(socket);
- return(OS_INVALID);
+ return(OS_INVALID);
}
}
else
{
break;
}
-
+
memset(snd_msg,'\0',128);
snprintf(snd_msg,127, TO, to[i]);
OS_SendTCP(socket,snd_msg);
#else
strftime(snd_msg, 127, "Date: %a, %d %b %Y %T %z\r\n",p);
#endif
-
+
OS_SendTCP(socket,snd_msg);
while(fgets(buffer, 2048, fp) != NULL)
{
OS_SendTCP(socket,buffer);
- }
+ }
/* Sending end of data \r\n.\r\n */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_maild/sendmail.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
/* Connecting to the smtp server */
- socket = OS_ConnectTCP(SMTP_DEFAULT_PORT, mail->smtpserver);
+ socket = OS_ConnectTCP(SMTP_DEFAULT_PORT, mail->smtpserver, 0);
if(socket < 0)
{
return(socket);
if(msg)
free(msg);
close(socket);
- return(OS_INVALID);
+ return(OS_INVALID);
}
}
else
/* Additional RCPT to */
final_to[0] = '\0';
final_to_sz = sizeof(final_to) -2;
-
+
if(mail->gran_to)
{
i = 0;
snprintf(snd_msg,127, TO, mail->gran_to[i]);
strncat(final_to, snd_msg, final_to_sz);
final_to_sz -= strlen(snd_msg) +2;
-
+
i++;
continue;
}
/* Sending date */
memset(snd_msg,'\0',128);
-
+
/* Solaris doesn't have the "%z", so we set the timezone to 0. */
#ifdef SOLARIS
#else
strftime(snd_msg, 127, "Date: %a, %d %b %Y %T %z\r\n",p);
#endif
-
+
OS_SendTCP(socket,snd_msg);
MailNode *mailmsg;
additional_to[0] = '\0';
-
+
/* If there is no sms message, we attempt to get from the
* email list.
*/
{
merror("%s: No email to be sent. Inconsistent state.",ARGV0);
}
-
+
/* Connecting to the smtp server */
- socket = OS_ConnectTCP(SMTP_DEFAULT_PORT, mail->smtpserver);
+ socket = OS_ConnectTCP(SMTP_DEFAULT_PORT, mail->smtpserver, 0);
if(socket < 0)
{
return(socket);
if(msg)
free(msg);
close(socket);
- return(OS_INVALID);
+ return(OS_INVALID);
}
}
else
free(msg);
i++;
- continue;
+ continue;
}
-
+
MAIL_DEBUG("DEBUG: Sent '%s', received: '%s'", snd_msg, msg);
free(msg);
i++;
{
break;
}
-
+
memset(snd_msg,'\0',128);
snprintf(snd_msg,127, TO, mail->to[i]);
OS_SendTCP(socket,snd_msg);
#else
strftime(snd_msg, 127, "Date: %a, %d %b %Y %T %z\r\n",p);
#endif
-
+
OS_SendTCP(socket,snd_msg);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_net/os_err.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_net/os_net.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-/* OS_net Library.
+/* OS_net Library.
* APIs for many network operations.
*/
-
-
+
+
#include "shared.h"
#include "os_net.h"
-struct sockaddr_in _c; /* Client socket */
-socklen_t _cl; /* Client socket length */
/* Unix socket -- not for windows */
* Bind a specific port
* v0.2: Added REUSEADDR.
*/
-int OS_Bindport(unsigned int _port, unsigned int _proto, char *_ip)
+int OS_Bindport(unsigned int _port, unsigned int _proto, char *_ip, int ipv6)
{
int ossock;
struct sockaddr_in server;
-
+ #ifndef WIN32
+ struct sockaddr_in6 server6;
+ #else
+ ipv6 = 0;
+ #endif
+
+
if(_proto == IPPROTO_UDP)
{
- if((ossock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
+ if((ossock = socket(ipv6 == 1?PF_INET6:PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
{
return OS_SOCKTERR;
}
else if(_proto == IPPROTO_TCP)
{
int flag = 1;
- if((ossock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
+ if((ossock = socket(ipv6 == 1?PF_INET6:PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
return(int)(OS_SOCKTERR);
}
-
- if(setsockopt(ossock, SOL_SOCKET, SO_REUSEADDR,
+
+ if(setsockopt(ossock, SOL_SOCKET, SO_REUSEADDR,
(char *)&flag, sizeof(flag)) < 0)
{
return(OS_SOCKTERR);
return(OS_INVALID);
}
- memset(&server, 0, sizeof(server));
- server.sin_family = AF_INET;
- server.sin_port = htons( _port );
+ if(ipv6)
+ {
+ #ifndef WIN32
+ memset(&server6, 0, sizeof(server6));
+ server6.sin6_family = AF_INET6;
+ server6.sin6_port = htons( _port );
+ server6.sin6_addr = in6addr_any;
- if((_ip == NULL)||(_ip[0] == '\0'))
- server.sin_addr.s_addr = htonl(INADDR_ANY);
- else
- server.sin_addr.s_addr = inet_addr(_ip);
- if(bind(ossock, (struct sockaddr *) &server, sizeof(server)) < 0)
+ if(bind(ossock, (struct sockaddr *) &server6, sizeof(server6)) < 0)
+ {
+ return(OS_SOCKTERR);
+ }
+ #endif
+ }
+ else
{
- return(OS_SOCKTERR);
+ memset(&server, 0, sizeof(server));
+ server.sin_family = AF_INET;
+ server.sin_port = htons( _port );
+
+
+ if((_ip == NULL)||(_ip[0] == '\0'))
+ server.sin_addr.s_addr = htonl(INADDR_ANY);
+ else
+ server.sin_addr.s_addr = inet_addr(_ip);
+
+
+ if(bind(ossock, (struct sockaddr *) &server, sizeof(server)) < 0)
+ {
+ return(OS_SOCKTERR);
+ }
}
+
+
if(_proto == IPPROTO_TCP)
{
if(listen(ossock, 32) < 0)
return(OS_SOCKTERR);
}
}
-
-
- _cl = sizeof(_c);
+
+
return(ossock);
}
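Review bot: In the new IPv6 branch `_ip` is never consulted: `server6.sin6_addr = in6addr_any` is set unconditionally, so a configured bind address is silently ignored and the listener binds to every interface, whereas the IPv4 branch right below still honours `_ip`. Mirror the IPv4 logic: `if((_ip == NULL)||(_ip[0] == '\0')) server6.sin6_addr = in6addr_any;` followed by `else if(inet_pton(AF_INET6, _ip, &server6.sin6_addr) != 1) return(OS_INVALID);`. The os_net.h comment above `OS_Bindporttcp` ("If the IP is not set, it is going to use ADDR_ANY") promises exactly this for both families. As in the existing IPv4 path, the early `return(OS_SOCKTERR)` lines leave `ossock` open; a `close(ossock)` before each would be cheap to add while the function is being reworked.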
/* OS_Bindporttcp v 0.1
* Bind a TCP port, using the OS_Bindport
*/
-int OS_Bindporttcp(unsigned int _port, char *_ip)
+int OS_Bindporttcp(unsigned int _port, char *_ip, int ipv6)
{
- return(OS_Bindport(_port, IPPROTO_TCP, _ip));
+ return(OS_Bindport(_port, IPPROTO_TCP, _ip, ipv6));
}
/* OS_Bindportudp v 0.1
* Bind a UDP port, using the OS_Bindport
*/
-int OS_Bindportudp(unsigned int _port, char *_ip)
+int OS_Bindportudp(unsigned int _port, char *_ip, int ipv6)
{
- return(OS_Bindport(_port, IPPROTO_UDP, _ip));
+ return(OS_Bindport(_port, IPPROTO_UDP, _ip, ipv6));
}
#ifndef WIN32
/* Making sure the path isn't there */
unlink(path);
-
+
memset(&n_us, 0, sizeof(n_us));
n_us.sun_family = AF_UNIX;
strncpy(n_us.sun_path, path, sizeof(n_us.sun_path)-1);
close(ossock);
return(OS_SOCKTERR);
}
-
+
/* Changing permissions */
chmod(path,mode);
-
-
+
+
/* Getting current maximum size */
if(getsockopt(ossock, SOL_SOCKET, SO_RCVBUF, &len, &optlen) == -1)
return(OS_SOCKTERR);
-
-
+
+
/* Setting socket opt */
if(len < max_msg_size)
{
len = max_msg_size;
setsockopt(ossock, SOL_SOCKET, SO_RCVBUF, &len, optlen);
}
-
+
return(ossock);
}
len = max_msg_size;
setsockopt(ossock, SOL_SOCKET, SO_SNDBUF, &len, optlen);
}
-
-
+
+
/* Returning the socket */
return(ossock);
}
/* Getting current maximum size */
if(getsockopt(ossock, SOL_SOCKET, SO_SNDBUF, &len, &optlen) == -1)
return(OS_SOCKTERR);
-
- return(len);
+
+ return(len);
}
#endif
/* OS_Connect v 0.1, 2004/07/21
- * Open a TCP/UDP client socket
+ * Open a TCP/UDP client socket
*/
-int OS_Connect(unsigned int _port, unsigned int protocol, char *_ip)
+int OS_Connect(unsigned int _port, unsigned int protocol, char *_ip, int ipv6)
{
int ossock;
struct sockaddr_in server;
+ #ifndef WIN32
+ struct sockaddr_in6 server6;
+ #else
+ ipv6 = 0;
+ #endif
+
if(protocol == IPPROTO_TCP)
{
- if((ossock = socket(PF_INET,SOCK_STREAM,IPPROTO_TCP)) < 0)
+ if((ossock = socket(ipv6 == 1?PF_INET6:PF_INET,SOCK_STREAM,IPPROTO_TCP)) < 0)
return(OS_SOCKTERR);
}
else if(protocol == IPPROTO_UDP)
{
- if((ossock = socket(PF_INET,SOCK_DGRAM,IPPROTO_UDP)) < 0)
+ if((ossock = socket(ipv6 == 1?PF_INET6:PF_INET,SOCK_DGRAM,IPPROTO_UDP)) < 0)
return(OS_SOCKTERR);
}
else
return(OS_INVALID);
- _cl = sizeof(server);
- memset(&server, 0, _cl);
- server.sin_family = AF_INET;
- server.sin_port = htons( _port );
+
+ #ifdef HPUX
+ {
+ int flags;
+ flags = fcntl(ossock,F_GETFL,0);
+ fcntl(ossock, F_SETFL, flags | O_NONBLOCK);
+ }
+ #endif
+
+
if((_ip == NULL)||(_ip[0] == '\0'))
- return(OS_INVALID);
+ return(OS_INVALID);
- server.sin_addr.s_addr = inet_addr(_ip);
- if(connect(ossock,(struct sockaddr *)&server, _cl) < 0)
- return(OS_SOCKTERR);
+ if(ipv6 == 1)
+ {
+ #ifndef WIN32
+ memset(&server6, 0, sizeof(server6));
+ server6.sin6_family = AF_INET6;
+ server6.sin6_port = htons( _port );
+ inet_pton(AF_INET6, _ip, &server6.sin6_addr.s6_addr);
+
+ if(connect(ossock,(struct sockaddr *)&server6, sizeof(server6)) < 0)
+ return(OS_SOCKTERR);
+ #endif
+ }
+ else
+ {
+ memset(&server, 0, sizeof(server));
+ server.sin_family = AF_INET;
+ server.sin_port = htons( _port );
+ server.sin_addr.s_addr = inet_addr(_ip);
+
+
+ if(connect(ossock,(struct sockaddr *)&server, sizeof(server)) < 0)
+ return(OS_SOCKTERR);
+ }
+
return(ossock);
}
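Review bot: The return value of `inet_pton(AF_INET6, _ip, &server6.sin6_addr.s6_addr)` is discarded, so an unparsable `_ip` leaves `sin6_addr` as the all-zero address the `memset` produced and `connect()` proceeds to the unspecified address instead of failing. Check it: `if(inet_pton(AF_INET6, _ip, &server6.sin6_addr) != 1) return(OS_INVALID);`. The IPv4 branch has the same gap with `inet_addr`, which returns `INADDR_NONE` on bad input, but that line is carried over rather than new. Both error returns also leak `ossock`, as the old code did; closing it before returning is worth doing now that the function is being restructured.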
/* OS_ConnectTCP, v0.1
* Open a TCP socket
*/
-int OS_ConnectTCP(unsigned int _port, char *_ip)
+int OS_ConnectTCP(unsigned int _port, char *_ip, int ipv6)
{
- return(OS_Connect(_port, IPPROTO_TCP,_ip));
+ return(OS_Connect(_port, IPPROTO_TCP, _ip, ipv6));
}
/* OS_ConnectUDP, v0.1
- * Open a UDP socket
+ * Open a UDP socket
*/
-int OS_ConnectUDP(unsigned int _port, char *_ip)
+int OS_ConnectUDP(unsigned int _port, char *_ip, int ipv6)
{
- return(OS_Connect(_port, IPPROTO_UDP,_ip));
+ return(OS_Connect(_port, IPPROTO_UDP, _ip, ipv6));
}
/* OS_SendTCP v0.1, 2004/07/21
{
if((send(socket, msg, size, 0)) < size)
return (OS_SOCKTERR);
-
+
return(0);
}
return(OS_SOCKTERR);
}
- i++;
+ i++;
merror("%s: INFO: Remote socket busy, waiting %d s.", __local_name, i);
- sleep(i);
+ sleep(i);
}
-
+
return(0);
}
int clientsocket;
struct sockaddr_in _nc;
socklen_t _ncl;
-
+
memset(&_nc, 0, sizeof(_nc));
_ncl = sizeof(_nc);
ret = (char *) calloc((sizet), sizeof(char));
if(ret == NULL)
return(NULL);
-
+
if((retsize = recv(socket, ret, sizet-1,0)) <= 0)
return(NULL);
char *OS_RecvUDP(int socket, int sizet)
{
char *ret;
-
+
ret = (char *) calloc((sizet), sizeof(char));
if(ret == NULL)
return(NULL);
- if((recvfrom(socket,ret,sizet-1,0,(struct sockaddr *)&_c,&_cl))<0)
+ if((recv(socket,ret,sizet-1,0))<0)
return(NULL);
return(ret);
recv_b = recv(socket, buffer, buffer_size, 0);
if(recv_b < 0)
return(0);
-
- return(recv_b);
+
+ return(recv_b);
}
int OS_RecvUnix(int socket, int sizet, char *ret)
{
ssize_t recvd;
- if((recvd = recvfrom(socket, ret, sizet -1, 0,
+ if((recvd = recvfrom(socket, ret, sizet -1, 0,
(struct sockaddr*)&n_us,&us_l)) < 0)
return(0);
/* OS_SendUnix, v0.1, 2004/07/29
* Send a message using a Unix socket.
- * Returns the OS_SOCKETERR if it
- */
+ * Returns the OS_SOCKETERR if it
+ */
int OS_SendUnix(int socket, char * msg, int size)
{
if(size == 0)
size = strlen(msg)+1;
-
+
if(send(socket, msg, size,0) < size)
{
if(errno == ENOBUFS)
return(OS_SOCKTERR);
}
-
+
return(OS_SUCCESS);
}
#endif
{
int i = 0;
int sz;
-
+
char *ip;
struct hostent *h;
if(host == NULL)
return(NULL);
-
+
while(i <= attempts)
{
if((h = gethostbyname(host)) == NULL)
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_net/os_net.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* If the IP is not set, it is going to use ADDR_ANY
* Return the socket.
*/
-int OS_Bindporttcp(unsigned int _port, char *_ip);
-int OS_Bindportudp(unsigned int _port, char *_ip);
+int OS_Bindporttcp(unsigned int _port, char *_ip, int ipv6);
+int OS_Bindportudp(unsigned int _port, char *_ip, int ipv6);
/* OS_BindUnixDomain
* Bind to a specific file, using the "mode" permissions in
* a Unix Domain socket.
- */
+ */
int OS_BindUnixDomain(char * path, int mode, int max_msg_size);
-int OS_ConnectUnixDomain(char * path, int max_msg_size);
+int OS_ConnectUnixDomain(char * path, int max_msg_size);
int OS_getsocketsize(int ossock);
/* OS_Connect
* Connect to a TCP/UDP socket
*/
-int OS_ConnectTCP(unsigned int _port, char *_ip);
-int OS_ConnectUDP(unsigned int _port, char *_ip);
+int OS_ConnectTCP(unsigned int _port, char *_ip, int ipv6);
+int OS_ConnectUDP(unsigned int _port, char *_ip, int ipv6);
/* OS_RecvUDP
* Receive a UDP packet. Return NULL if failed
/* OS_RecvUnix
* Receive a message via a Unix socket
*/
-int OS_RecvUnix(int socket, int sizet, char *ret);
+int OS_RecvUnix(int socket, int sizet, char *ret);
/* OS_RecvTCP
int OS_AcceptTCP(int socket, char *srcip, int addrsize);
char *OS_RecvTCP(int socket, int sizet);
int OS_RecvTCPBuffer(int socket, char *buffer, int sizet);
-
-/* OS_SendTCP
+
+/* OS_SendTCP
* Send a TCP/UDP/UnixSocket packet (in a open socket)
*/
int OS_SendTCP(int socket, char *msg);
int OS_SendUDP(int socket, char *msg);
int OS_SendUDPbySize(int socket, int size, char *msg);
-
+
/* OS_GetHost
* Calls gethostbyname
* Under the public domain. It is just an example.
* Some examples of the usage for the os_regex library.
*/
-
+
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
* Under the public domain. It is just an example.
* Some examples of the usage for the os_regex library.
*/
-
+
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
* Under the public domain. It is just an example.
* Some examples of usage for the os_regex library.
*/
-
+
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
-
-/* Must be included */
+
+/* Must be included */
#include "os_regex.h"
int main(int argc,char **argv)
/* OSRegex structure */
OSRegex reg;
-
+
/* checking for arguments */
if(argc != 3)
{
if(OSRegex_Compile(argv[1], ®, OS_RETURN_SUBSTRING))
{
char *retv;
- /* If the execution succeeds, the substrings will be
+ /* If the execution succeeds, the substrings will be
* at reg.sub_strings
*/
if((retv = OSRegex_Execute(argv[2], ®)))
printf("next pt: '%s'\n", retv);
/* Assigning reg.sub_strings to ret */
ret = reg.sub_strings;
-
+
printf("substrings:\n");
while(*ret)
{
OSRegex_FreePattern(®);
}
-
+
/* Compilation error */
else
{
printf("Error: Regex Compile Error: %d\n", reg.error);
}
-
+
return(r_code);
}
/* EOF */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
-
#include "os_regex.h"
+
/** int OS_Match2(char *pattern, char *str) v0.4
*
* This function is a wrapper around the compile/execute
OSMatch_FreePattern(®);
}
-
+
+ return(r_code);
+}
+
+
+#ifdef NOTHINGEMPTY
+/** int OS_Match3(char *pattern, char *str) v2.6
+ *
+ * This function is used
+ * to match any values from a delimited string
+ * e.g. match pattern "abc" from string "123,abc,xyz"
+ */
+int OS_Match3(char *pattern, char *str, char *delimiter)
+{
+ int r_code = 0;
+ char *token = NULL;
+ char *dupstr = NULL;
+ char *saveptr = NULL;
+
+ /* debug2("1. str [%s], dupstr [%s], token[%s], delim [%s]", str, dupstr, token, delimiter); */
+
+ os_strdup(str, dupstr);
+ /* debug2("2. str [%s], dupstr [%s], token[%s], delim [%s]", str, dupstr, token, delimiter); */
+
+ token = strtok_r(dupstr, delimiter, &saveptr);
+ /* debug2("3. str [%s], dupstr [%s], token[%s], delim [%s]", str, dupstr, token, delimiter); */
+
+ while (token != NULL)
+ {
+ debug2("Matching [%s] with [%s]", pattern, token);
+ if (!strcmp(pattern, token))
+ {
+ r_code = 1;
+ break;
+ }
+
+ token = strtok_r(NULL, delimiter, &saveptr);
+ }
+
+ /* debug2("4. str [%s], dupstr [%s], token[%s], delim [%s]", str, dupstr, token, delimiter); */
+ free(dupstr);
return(r_code);
}
+#endif
/* EOF */
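Review bot: `OS_Match3` is added under `#ifdef NOTHINGEMPTY`, a macro nothing on this page defines, so it ships as dead code together with several commented-out `debug2` lines; either drop it or enable it. If it is kept, it dereferences `str` via `os_strdup` and `pattern` via `strcmp` without a NULL check, unlike the `if(reg == NULL) return(0);` guard the compile routine further down applies before use; a one-line guard `if(!pattern || !str || !delimiter) return(0);` at the top would match that convention. `strtok_r` is POSIX, so if os_regex is also built for the Windows targets elsewhere in this diff, enabling the function will need a portability shim, and the `debug2` call ties the regex library to the shared logging code — worth confirming that is intended.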
int i = 0;
int count = 0;
int end_of_string = 0;
-
+
char *pt;
char *new_str;
char *new_str_free = NULL;
-
+
/* Checking for references not initialized */
if(reg == NULL)
{
return(0);
}
-
+
/* Initializing OSRegex structure */
reg->error = 0;
reg->error = OS_REGEX_MAXSIZE;
goto compile_error;
}
-
-
+
+
/* Duping the pattern for our internal work */
new_str = strdup(pattern);
if(!new_str)
}
new_str_free = new_str;
pt = new_str;
-
-
+
+
/* Getting the number of sub patterns */
while(*pt != '\0')
{
- /* The pattern must be always lower case if
+ /* The pattern must be always lower case if
* case sensitive is set
*/
if(!(flags & OS_CASE_SENSITIVE))
{
*pt = charmap[(uchar)*pt];
}
-
- /* Number of sub patterns */
+
+ /* Number of sub patterns */
if(*pt == OR)
{
count++;
{
usstrstr = 1;
}
- pt++;
+ pt++;
}
-
-
+
+
/* For the last pattern */
count++;
reg->patterns = calloc(count +1, sizeof(char *));
reg->size = calloc(count +1, sizeof(int));
reg->match_fp = calloc(count +1, sizeof(void *));
-
-
+
+
/* Memory allocation error check */
if(!reg->patterns || !reg->size || !reg->match_fp)
{
reg->size[i] = 0;
}
i = 0;
-
-
+
+
/* Reassigning pt to the beginning of the string */
pt = new_str;
-
+
/* Getting the sub patterns */
do
{
/* Dupping the string */
if(*new_str == BEGINREGEX)
reg->patterns[i] = strdup(new_str +1);
- else
+ else
reg->patterns[i] = strdup(new_str);
/* Memory error */
reg->match_fp[i] = _os_strstr;
reg->size[i] = strlen(reg->patterns[i]);
}
-
+
else
{
reg->match_fp[i] = _OS_Match;
/* Success return */
free(new_str_free);
return(1);
-
-
+
+
/* Error handling */
compile_error:
-
+
if(new_str_free)
{
free(new_str_free);
}
-
+
OSMatch_FreePattern(reg);
return(0);
{
if(str[j] == '\0')
return(FALSE);
-
+
else if(*pt != charmap[(uchar)str[j]])
{
- pt = pattern;
+ pt = pattern;
goto nnext;
}
j++;pt++;
{
if(strncasecmp(pattern, str, size) == 0)
return(TRUE);
-
- return(FALSE);
+
+ return(FALSE);
}
/** Internal matching **/
{
if(strcasecmp(pattern, str) == 0)
return(TRUE);
-
- return(FALSE);
+
+ return(FALSE);
}
int _os_strmatch(char *pattern, char *str, int str_len, int size)
/* Size of the string must be bigger */
if((str_len - size) < 0)
return(FALSE);
-
+
if(strcasecmp(pattern, str + (str_len - size)) == 0)
return(TRUE);
-
- return(FALSE);
+
+ return(FALSE);
}
int OSMatch_Execute(char *str, int str_len, OSMatch *reg)
{
short int i = 0;
-
+
/* The string can't be NULL */
if(str == NULL)
{
/* Looping on all sub patterns */
while(reg->patterns[i])
{
- if(reg->match_fp[i](reg->patterns[i],
- str,
- str_len,
+ if(reg->match_fp[i](reg->patterns[i],
+ str,
+ str_len,
reg->size[i]) == TRUE)
{
return(1);
}
return(0);
-}
+}
/* EOF */
{
if(*pattern)
free(*pattern);
- pattern++;
+ pattern++;
}
free(reg->patterns);
OSRegex_FreePattern(®);
}
-
+
return(r_code);
}
/* Pattern maximum size */
-#define OS_PATTERN_MAXSIZE 2048
+#define OS_PATTERN_MAXSIZE 2048
/* Error codes */
#define OS_REGEX_REG_NULL 1
-#define OS_REGEX_PATTERN_NULL 2
+#define OS_REGEX_PATTERN_NULL 2
#define OS_REGEX_MAXSIZE 3
#define OS_REGEX_OUTOFMEMORY 4
#define OS_REGEX_STR_NULL 5
* The error code is set on reg->error.
*/
int OSRegex_Compile(char *pattern, OSRegex *reg, int flags);
-
+
/** char *OSRegex_Execute(char *str, OSRegex *reg) v0.1
* Compare an already compiled regular expression with
* Release all the memory created to store the sub strings.
* Returns void.
*/
-void OSRegex_FreeSubStrings(OSRegex *reg);
+void OSRegex_FreeSubStrings(OSRegex *reg);
/** int OS_Regex(char *pattern, char *str) v0.4
int OS_Regex(char *pattern, char *str);
-
+
/** int OSMatch_Compile(char *pattern, OSMatch *reg, int flags) v0.1
* Compile a pattern to be used later.
* Allowed flags are:
int OS_Match2(char *pattern, char *str);
-
+int OS_Match3(char *pattern, char *str, char* delimiter);
+
+
/* OS_WordMatch v0.3:
* Searches for pattern in the string
*/
* Returns a NULL terminated array on success or NULL on error.
*/
char **OS_StrBreak(char match, char *str, int size);
-
+
/** int OS_StrHowClosedMatch(char *str1, char *str2) v0.1
* Returns the number of characters that both strings
*/
int OS_StrHowClosedMatch(char *str1, char *str2);
-
+
/** Inline prototypes **/
* Checks if a specified char is in the following range:
* a-z, A-Z, 0-9, _-.
*/
-#include "os_regex_maps.h"
+#include "os_regex_maps.h"
#define isValidChar(x) (hostname_map[(unsigned char)x])
int parenthesis = 0;
int prts_size = 0;
int max_prts_size = 0;
-
+
char *pt;
char *new_str;
char *new_str_free = NULL;
-
+
/* Checking for references not initialized */
if(reg == NULL)
{
return(0);
}
-
+
/* Initializing OSRegex structure */
reg->error = 0;
reg->error = OS_REGEX_MAXSIZE;
goto compile_error;
}
-
-
+
+
/* Duping the pattern for our internal work */
new_str = strdup(pattern);
if(!new_str)
}
new_str_free = new_str;
pt = new_str;
-
-
+
+
/* Getting the number of sub patterns */
do
{
{
pt++;
if(!((*pt == 'w') ||
- (*pt == 'W') ||
- (*pt == 's') ||
- (*pt == 'S') ||
- (*pt == 'd') ||
- (*pt == 'D') ||
- (*pt == '.') ||
+ (*pt == 'W') ||
+ (*pt == 's') ||
+ (*pt == 'S') ||
+ (*pt == 'd') ||
+ (*pt == 'D') ||
+ (*pt == '.') ||
(*pt == '(') ||
(*pt == ')') ||
(*pt == 'p') ||
parenthesis--;
prts_size++;
}
-
+
/* We only allow one level of parenthesis */
if(parenthesis != 0 && parenthesis != 1)
{
reg->error = OS_REGEX_BADPARENTHESIS;
goto compile_error;
}
-
- /* The pattern must be always lower case if
+
+ /* The pattern must be always lower case if
* case sensitive is set
*/
if(!(flags & OS_CASE_SENSITIVE))
{
*pt = charmap[(uchar)*pt];
}
-
+
if(*pt == OR)
{
/* Each sub pattern must be closed on parenthesis */
}
count++;
}
- pt++;
+ pt++;
}while(*pt != '\0');
-
+
/* After the whole pattern is read, the parenthesis must all be closed */
if(parenthesis != 0)
reg->error = OS_REGEX_BADPARENTHESIS;
goto compile_error;
}
-
-
+
+
/* Allocating the memory for the sub patterns */
count++;
reg->patterns = calloc(count +1, sizeof(char *));
reg->flags = calloc(count +1, sizeof(int));
-
-
+
+
/* For the substrings */
if((prts_size > 0) && (flags & OS_RETURN_SUBSTRING))
{
goto compile_error;
}
}
-
-
+
+
/* Memory allocation error check */
if(!reg->patterns || !reg->flags)
{
}
}
i = 0;
-
-
+
+
/* Reassigning pt to the beginning of the string */
pt = new_str;
-
+
/* Getting the sub patterns */
do
{
{
max_prts_size = prts_size;
}
-
+
/* Allocating the memory */
reg->prts_closure[i] = calloc(prts_size + 1, sizeof(char *));
reg->prts_str[i] = calloc(prts_size + 1, sizeof(char *));
reg->error = OS_REGEX_OUTOFMEMORY;
goto compile_error;
}
-
+
/* Success return */
free(new_str_free);
return(1);
-
-
+
+
/* Error handling */
compile_error:
-
+
if(new_str_free)
{
free(new_str_free);
}
-
+
OSRegex_FreePattern(reg);
return(0);
{
char *ret;
int i = 0;
-
+
/* The string can't be NULL */
if(str == NULL)
{
while(reg->patterns[i])
{
/* Cleaning the prts_str */
+ j = 0;
while(reg->prts_closure[i][j])
{
reg->prts_str[i][j] = NULL;
OSRegex_FreeSubStrings(reg);
return(NULL);
}
-
+
/* Set the next one to null */
reg->prts_str[i][j+1][0] = str_char;
k++;
return(0);
}
-
+
/* If we don't need the sub strings */
-
+
/* Looping on all sub patterns */
while(reg->patterns[i])
{
- if((ret = _OS_Regex(reg->patterns[i], str, NULL, NULL, reg->flags[i])))
+ if((ret = _OS_Regex(reg->patterns[i], str, NULL, NULL, reg->flags[i])))
{
return(ret);
}
}
return(NULL);
-}
+}
#define PRTS(x) ((prts(*x) && x++) || 1)
#define ENDOFFILE(x) ( PRTS(x) && (*x == '\0'))
* Returns 1 on success and 0 on failure.
* If prts_closure is set, the parenthesis locations will be
* written on prts_str (which must not be NULL)
- */
-char *_OS_Regex(char *pattern, char *str, char **prts_closure,
+ */
+char *_OS_Regex(char *pattern, char *str, char **prts_closure,
char **prts_str, int flags)
{
char *r_code = NULL;
-
+
int ok_here;
int _regex_matched = 0;
-
+
int prts_int;
char *st = str;
char *st_error = NULL;
-
+
char *pt = pattern;
char *next_pt;
char *pt_error[4] = {NULL, NULL, NULL, NULL};
char *pt_error_str[4];
-
+
/* Will loop the whole string, trying to find a match */
do
if(Regex((uchar)*(pt+1), (uchar)*st))
{
next_pt = pt+2;
-
+
/* If we don't have a '+' or '*', we should skip
* searching using this pattern.
*/
r_code = st;
continue;
}
-
+
/* If it is a '*', we need to set the _regex_matched
* for the first pattern even.
*/
/* If our regex matches and we have a "+" set, we will
- * try the next one to see if it matches. If yes, we
+ * try the next one to see if it matches. If yes, we
* can jump to it, but saving our currently location
* in case of error.
* _regex_matched will set set to true after the first
{
next_pt++;
}
-
+
if(*next_pt == '\0')
{
ok_here = 1;
{
if(*(st+1) == '\0')
prts_str[prts_int] = st+1;
- else
+ else
prts_str[prts_int] = st;
break;
}
continue;
}
-
+
/* Each "if" will increment the amount
* necessary for the next pattern in ok_here
*/
- if(ok_here)
+ if(ok_here)
next_pt+=ok_here;
-
-
+
+
if(!pt_error[0])
{
pt_error[0] = pt;
_regex_matched = 1;
}
-
+
r_code = st;
continue;
}
-
+
else if((*(pt+3) == '\0') && (_regex_matched == 1)&&(r_code))
{
r_code = st;
if(!(flags & END_SET) || (flags & END_SET && (*st == '\0')))
return(r_code);
}
-
+
/* If we didn't match regex, but _regex_matched == 1, jump
* to the next available pattern
*/
}
pt = pattern;
r_code = NULL;
-
+
}while(*(++st) != '\0');
if(*pt == BACKSLASH && *(pt+2) == '*')
pt+=3;
else
- break;
+ break;
}
-
+
if(prts(*pt))
{
prts_int = 0;
}
/* Cleaning up */
- if(ENDOFFILE(pt) ||
- (*pt == BACKSLASH &&
- _regex_matched &&
- (pt+=2) &&
- isPlus(*pt) &&
+ if(ENDOFFILE(pt) ||
+ (*pt == BACKSLASH &&
+ _regex_matched &&
+ (pt+=2) &&
+ isPlus(*pt) &&
+ (pt++) &&
+ ((ENDOFFILE(pt)) ||
+ ((*pt == BACKSLASH) &&
+ (pt+=2) &&
+ (*pt == '*') &&
(pt++) &&
- ((ENDOFFILE(pt)) ||
- ((*pt == BACKSLASH) &&
- (pt+=2) &&
- (*pt == '*') &&
- (pt++) &&
(ENDOFFILE(pt)) ))) ||
(*pt == BACKSLASH &&
(pt+=2) &&
(*pt == '*') &&
(pt++) &&
ENDOFFILE(pt))
- )
+ )
{
return(r_code);
}
-
+
return(NULL);
}
{
if(*pattern)
free(*pattern);
- pattern++;
+ pattern++;
}
free(reg->patterns);
/* Freeing the sub strings */
if(reg->sub_strings)
{
- OSRegex_FreeSubStrings(reg);
+ OSRegex_FreeSubStrings(reg);
free(reg->sub_strings);
reg->sub_strings = NULL;
}
#define OR '|'
#define AND '&'
-#define TRUE 1
+#define TRUE 1
#define FALSE 0
/* Pattern flags */
#define BEGIN_SET 0000200
-#define END_SET 0000400
+#define END_SET 0000400
/* uchar */
*/
#define _IsW(x) ((x >= 48 && x <= 57 )|| \
(x >= 65 && x <= 90 )|| \
- (x >= 97 && x <= 122))
+ (x >= 97 && x <= 122))
/* Is it a ' ' (blank)
-/* Regex mapping
+/* Regex mapping
* 0 = none
* 1 = \d
* 2 = \w
* 3 = \s
* 4 = \p
- * 5 = \(
+ * 5 = \(
* 6 = \)
* 7 = \\
* 8 = \D
* 9 = \W
* 10 = \S
- * 11 = \.
+ * 11 = \.
* 12 = \t
* 13 = \$
* 14 = |
* 15 = <
*/
-static const uchar regexmap[][256] =
+static const uchar regexmap[][256] =
{
{
'\000', '\000', '\000', '\000', '\000', '\000', '\000', '\000',
'\330', '\331', '\332', '\333', '\334', '\335', '\336', '\337',
'\340', '\341', '\342', '\343', '\344', '\345', '\346', '\347',
'\350', '\351', '\352', '\353', '\354', '\355', '\356', '\357',
- '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
- '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
+ '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
+ '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
},
{
'\000', '\000', '\002', '\003', '\004', '\005', '\006', '\007',
'\010', '\011', '\012', '\013', '\014', '\015', '\016', '\017',
'\020', '\021', '\022', '\023', '\024', '\025', '\026', '\027',
'\030', '\031', '\032', '\033', '\034', '\035', '\036', '\037',
- '\040', '\041', '\042', '\043', '\044', '\045', '\046', '\047',
+ '\040', '\001', '\001', '\001', '\001', '\001', '\001', '\001',
'\001', '\001', '\001', '\001', '\001', '\001', '\001', '\057',
'\060', '\061', '\062', '\063', '\064', '\065', '\066', '\067',
'\070', '\071', '\001', '\001', '\001', '\001', '\001', '\001',
'\140', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
'\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
'\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
- '\170', '\171', '\172', '\173', '\174', '\175', '\176', '\177',
+ '\170', '\171', '\172', '\001', '\001', '\001', '\176', '\177',
'\200', '\201', '\202', '\203', '\204', '\205', '\206', '\207',
'\210', '\211', '\212', '\213', '\214', '\215', '\216', '\217',
'\220', '\221', '\222', '\223', '\224', '\225', '\226', '\227',
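Review bot: In the second regexmap table, the entries for 33–46, 58–63 and 123–125 are remapped to `\001` on L30585, L30586, L30588 and L30593, but index 47 (`/`, `\057` on L30586) and index 126 (`~`, `\176` on L30593) keep their identity values; if this table is meant to express a character class such as `\p`, those two look like omissions and should be confirmed against the class definition. The table's index is not visible in this hunk, so which escape it serves cannot be verified here. A short comment above the table stating how `\001` versus the identity value is interpreted by the lookup macro would make future edits to these rows checkable, e.g. `/* \001 marks a class member; any other value means no match */` adjusted to whatever the macro actually tests.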
#endif
-/* EOF */
+/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_regex/os_regex_maps.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
'\330', '\331', '\332', '\333', '\334', '\335', '\336', '\337',
'\340', '\341', '\342', '\343', '\344', '\345', '\346', '\347',
'\350', '\351', '\352', '\353', '\354', '\355', '\356', '\357',
- '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
- '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
+ '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
+ '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
};
#endif
-/* EOF */
+/* EOF */
/* Algorithm:
* Go as faster as you can :)
- *
+ *
* Supports:
* '|' to separate multiple OR patterns
* '^' to match the begining of a string
int _InternalMatch(char *pattern, char *str,int count);
-/* OS_WordMatch v0.3:
- * Searches for pattern in the string
+/* OS_WordMatch v0.3:
+ * Searches for pattern in the string
*/
int OS_WordMatch(char *pattern, char *str)
{
continue;
}
}
-
+
count++;
-
+
}while(pattern[count] != '\0');
/* Last check until end of string */
uchar *st = (uchar *)str;
uchar last_char = pattern[pattern_size];
-
- /* Return true for some odd expressions */
+
+ /* Return true for some odd expressions */
if(*pattern == '\0')
return(TRUE);
-
+
/* If '^' specified, just do a strncasecmp */
else if(*pattern == '^')
{
pattern++;
pattern_size --;
-
+
/* Compare two string */
if(strncasecmp(pattern,str,pattern_size) == 0)
return(TRUE);
/* Null line */
else if(*st == '\0')
return(FALSE);
-
-
+
+
/* Look to match the first pattern */
do
{
{
str = (char *)st++;
pt++;
-
+
while(*pt != last_char)
{
if(*st == '\0')
return(FALSE);
-
+
else if(charmap[*pt] != charmap[*st])
goto error;
-
- st++;pt++;
+
+ st++;pt++;
}
/* Return here if pt == last_char */
return(TRUE);
-
+
error:
st = (uchar *)str;
pt = (uchar *)pattern;
-
+
}
-
+
st++;
}while(*st != '\0');
{
if(str == NULL)
return(FALSE);
-
+
while(*str != '\0')
{
if(!_IsD(*str))
return(FALSE); /* 0 */
- str++;
+ str++;
}
return(TRUE);
/** int OS_StrHowClosedMatch(char *str1, char *str2) v0.1
* Returns the number of characters that both strings
- * have in similar.
+ * have in similar.
*/
int OS_StrHowClosedMatch(char *str1, char *str2)
{
int count = 0;
-
+
/* They don't match if any of them is null */
if(!str1 || !str2)
{
count++;
}while((str1[count] != '\0') && (str2[count] != '\0'));
-
+
return(count);
}
* Verifies if a string starts with the provided pattern.
* Returns 1 on success or 0 on failure.
*/
-#define startswith(x,y) (strncmp(x,y,strlen(y)) == 0?1:0)
-#define OS_StrStartsWith startswith
+#define startswith(x,y) (strncmp(x,y,strlen(y)) == 0?1:0)
+#define OS_StrStartsWith startswith
/* EOF */
{
int count = 0;
int i = 0;
-
+
char *tmp_str = str;
char **ret;
/* Memory error. Should provice a better way to detect it */
return(NULL);
}
-
+
/* Allocating memory to null */
while(i <= size)
{
goto error;
}
- /* Copying the string */
+ /* Copying the string */
ret[count][i-1] = '\0';
strncpy(ret[count],tmp_str,i-1);
tmp_str = ++str;
count++;
- i=0;
+ i=0;
continue;
}
printf("usage: %s file\n",argv[0]);
return(-1);
}
-
+
while(1)
{
usleep(10);
printf(".");
fflush(stdout);
-
+
if(OS_ReadXML(argv[1],&xml) < 0)
{
printf("Error reading XML!%s\n",xml.err);
}
i = 0;
-
+
while(node[i])
{
xml_node **cnode = NULL;
/* */
j++;
}
-
+
OS_ClearNode(cnode);
i++;
}
-
+
OS_ClearNode(node);
-
+
node = NULL;
-
+
OS_ClearXML(&xml);
}
return(0);
OS_XML xml;
XML_NODE node = NULL;
-
+
/* File name must be given */
if(argc < 2)
{
return(-1);
}
-
- /* Reading the XML. Printing error and line number */
+
+ /* Reading the XML. Printing error and line number */
if(OS_ReadXML(argv[1],&xml) < 0)
{
printf("OS_ReadXML error: %s, line :%d\n",xml.err, xml.err_line);
{
int j = 0;
XML_NODE cnode;
-
+
cnode = OS_GetElementsbyNode(&xml, node[i]);
if(cnode == NULL)
{
i++;
continue;
}
-
+
while(cnode[j])
{
- printf("Element: %s -> %s\n",
+ printf("Element: %s -> %s\n",
cnode[j]->element,
cnode[j]->content);
if(cnode[j]->attributes && cnode[j]->values)
if(c == '\n') /* add new line */
_line++;
-
- return(c);
+
+ return(c);
}
#define FGETC(fp) _xml_fgetc(fp)
vfprintf(stderr, msg, args);
fprintf(stderr, "\n\n");
#endif
-
+
memset(_lxml->err,'\0', 128);
vsnprintf(_lxml->err,127,msg,args);
va_end(args);
free(_lxml->ck);
free(_lxml->ln);
memset(_lxml->err,'\0', 128);
-
+
return;
-
+
}
return(-1);
}
}
-
+
fclose(fp);
return(0);
}
char closedelem[XML_MAXSIZE +1];
-
+
memset(elem,'\0',XML_MAXSIZE +1);
memset(cont,'\0',XML_MAXSIZE +1);
memset(closedelem,'\0',XML_MAXSIZE +1);
else if(r == 1)
continue;
}
-
+
/* real checking */
if((location == -1) && (prevv == 0))
{
else
continue;
}
-
+
else if((location == 0) && ((c == _R_CONFE) || (c == ' ')))
{
int _ge = 0;
_ge = '/';
elem[count -1] = '\0';
}
-
+
_writememory(elem, XML_ELEM, count+1, parent, _lxml);
_currentlycont=_lxml->cur-1;
if(c == ' ')
_currentlycont = 0;
count = 0;
location = -1;
-
+
memset(elem,'\0',XML_MAXSIZE);
memset(closedelem,'\0',XML_MAXSIZE);
memset(cont,'\0',XML_MAXSIZE);
-
+
if(parent > 0)
return(0);
}
{
count = 0;
location = 1;
- }
+ }
}
-
+
else if((location == 2) &&(c == _R_CONFE))
{
closedelem[count]='\0';
/* Allocating for the line */
_lxml->ln = realloc(_lxml->ln,(_lxml->cur+1)*sizeof(int));
_lxml->ln[_lxml->cur] = _line;
-
+
/* Attributes does not need to be closed */
if(type == XML_ATTR)
_lxml->ck[_lxml->cur] = 1;
int count = 0;
int c;
int c_to_match = 0;
-
+
char attr[XML_MAXSIZE+1];
char value[XML_MAXSIZE+1];
if(count >= XML_MAXSIZE)
{
attr[count-1] = '\0';
- xml_error(_lxml,
+ xml_error(_lxml,
"XMLERR: Overflow attempt at attribute '%s'.",attr);
return(-1);
}
else if((location == 1)&&(c == c_to_match))
{
value[count]='\0';
-
+
location = 0;
c_to_match = 0;
-
- _writememory(attr, XML_ATTR, strlen(attr)+1,
+
+ _writememory(attr, XML_ATTR, strlen(attr)+1,
parent, _lxml);
_writecontent(value,count+1,_lxml->cur-1,_lxml);
c = FGETC(fp);
value[count++]=c;
}
-
+
xml_error(_lxml, "XMLERR: End of file while reading an attribute.");
return(-1);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_xml/os_xml.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/* OS_ElementExist: v1.0: 2005/02/26
- * Check if a element exists
+ * Check if a element exists
* The element_name must be NULL terminated (last char)
*/
int OS_ElementExist(OS_XML *_lxml, char **element_name)
/* RootElementExist: v1.0: 2005/02/26
- * Check if a root element exists
+ * Check if a root element exists
*/
int OS_RootElementExist(OS_XML *_lxml, char *element_name)
{
{
uniqret = ret[0];
}
-
+
/* Freeing memory */
while(ret[i])
{
i++;
}
free(ret);
-
+
return(uniqret);
}
/* OS_GetAttributeContent: v0.1: 2005/03/01
- * Get one value for a specific attribute
+ * Get one value for a specific attribute
*/
char *OS_GetAttributeContent(OS_XML *_lxml, char **element_name,
char *attribute_name)
}
if(success)
return(uniqret);
-
+
return(NULL);
}
}
i = _lxml->fol;
}
- else
+ else
{
i = 0;
}
if(matched !=1)
break;
}
-
+
/* Setting maximum depth of 16. */
if(j > 16)
return(NULL);
}
}
-
+
/* If the element name matches what we are looking for. */
else if(strcmp(_lxml->el[i], element_name[j]) == 0)
{
{
break;
}
-
+
if(strcmp(attr, _lxml->el[k]) == 0)
{
i = k;
{
return(NULL);
}
-
+
/* Adding new entry. */
ret[k] = strdup(_lxml->ct[i]);
ret[k + 1] = NULL;
free(ret);
return(NULL);
}
-
+
matched = 1;
k++;
-
+
if(attr != NULL)
{
- break;
+ break;
}
-
+
else if(_lxml->fol != 0)
{
_lxml->fol = i+1;
matched = 0;
}
}
-
+
if(ret == NULL)
return(NULL);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_xml/os_xml_node_access.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/* OS_ClearNode v0,1
- * Clear the Node structure
+ * Clear the Node structure
*/
void OS_ClearNode(xml_node **node)
{
if(node)
- {
+ {
int i=0;
while(node[i])
{
node[i]->values=NULL;
free(node[i]);
node[i]=NULL;
- i++;
+ i++;
}
free(node);
node=NULL;
i = node->key;
j = _lxml->rl[i++];
}
-
-
+
+
for(;i<_lxml->cur;i++)
{
if(_lxml->tp[i] == XML_ELEM)
ret = (xml_node**)realloc(ret,(k+1)*sizeof(xml_node*));
if(ret == NULL)
return(NULL);
-
+
/* Allocating for the xml_node * */
ret[k] = (xml_node *)calloc(1,sizeof(xml_node));
if(ret[k] == NULL)
return(NULL);
-
+
ret[k]->element = NULL;
ret[k]->content = NULL;
ret[k]->attributes = NULL;
ret[k]->values = NULL;
-
+
/* Getting the element */
ret[k]->element=strdup(_lxml->el[i]);
if(ret[k]->element == NULL)
free(ret);
return(NULL);
}
-
+
/* Getting the content */
if(_lxml->ct[i])
{
if((_lxml->tp[l] == XML_ATTR)&&(_lxml->rl[l] == j+1)&&
(_lxml->el[l]) && (_lxml->ct[l]))
{
- ret[k]->attributes =
+ ret[k]->attributes =
(char**)realloc(ret[k]->attributes,
(l-i+1)*sizeof(char*));
- ret[k]->values =
+ ret[k]->values =
(char**)realloc(ret[k]->values,
(l-i+1)*sizeof(char*));
- if(!(ret[k]->attributes) ||
+ if(!(ret[k]->attributes) ||
!(ret[k]->values))
return(NULL);
ret[k]->attributes[l-i-1]=strdup(_lxml->el[l]);
if(!(ret[k]->attributes[l-i-1]) ||
!(ret[k]->values[l-i-1]))
return(NULL);
- l++;
+ l++;
}
else
{
break;
}
}
-
+
if(ret ==NULL)
return(NULL);
{
if(!_lxml->ct[j])
break;
-
- /* If not used, it will be cleaned latter */
+
+ /* If not used, it will be cleaned latter */
snprintf(_lxml->err, 128, "XML_ERR: Memory error");
-
+
var = (char**)realloc(var,(s+1)*sizeof(char *));
if(var == NULL)
return (-1);
-
+
var[s] = strdup(_lxml->ct[j]);
if(var[s] == NULL)
return(-1);
-
- /* Cleaning the lxml->err */
+
+ /* Cleaning the lxml->err */
strncpy(_lxml->err," ", 3);
_found_var = 1;
}
else
{
- snprintf(_lxml->err, 128,
+ snprintf(_lxml->err, 128,
"XML_ERR: Only \"name\" is allowed"
" as an attribute for a variable");
return(-1);
}
}
} /* Attribute FOR */
-
-
+
+
if((_found_var == 0)||(!_lxml->ct[i]))
{
- snprintf(_lxml->err,128,
+ snprintf(_lxml->err,128,
"XML_ERR: Bad formed variable. No value set");
return(-1);
}
-
-
+
+
snprintf(_lxml->err,128, "XML_ERR: Memory error");
-
+
value = (char**)realloc(value,(s+1)*sizeof(char *));
if (value == NULL)
return(-1);
-
+
value[s] = strdup(_lxml->ct[i]);
if(value[s] == NULL)
- return(-1);
-
+ return(-1);
+
strncpy(_lxml->err," ", 3);
s++;
}
} /* initial FOR to get the variables */
-
-
+
+
/* No variable */
if(s == 0)
return(0);
/* Looping again and modifying where found the variables */
- i = 0;
+ i = 0;
for(;i<_lxml->cur;i++)
{
if(((_lxml->tp[i] == XML_ELEM) || (_lxml->tp[i] == XML_ATTR))&&
char *p = NULL;
char *p2= NULL;
char lvar[256]; /* MAX Var size */
-
-
+
+
if(strlen(_lxml->ct[i]) <= 2)
continue;
-
-
- /* Duplicating string */
+
+
+ /* Duplicating string */
p = strdup(_lxml->ct[i]);
p2= p;
-
+
if(p == NULL)
{
snprintf(_lxml->err, 128, "XML_ERR: Memory error");
return(-1);
}
-
-
+
+
/* Reading the whole string */
while(*p != '\0')
{
tp = 0;
p++;
memset(lvar, '\0', 256);
-
+
while(1)
{
if((*p == XML_VARIABLE_BEGIN)
lvar[tp]='\0';
final = init+tp;
-
+
/* Looking for var */
for(j=0; j<s; j++)
{
}
- tsize = strlen(_lxml->ct[i]) +
+ tsize = strlen(_lxml->ct[i]) +
strlen(value[j]) - tp + 1;
var_placeh = strdup(_lxml->ct[i]);
free(_lxml->ct[i]);
- _lxml->ct[i] = (char*)calloc(tsize +2,
+ _lxml->ct[i] = (char*)calloc(tsize +2,
sizeof(char));
-
+
if(_lxml->ct[i] == NULL || var_placeh == NULL)
{
snprintf(_lxml->err,128, "XML_ERR: Memory "
strncpy(_lxml->ct[i], var_placeh, tsize);
-
+
_lxml->ct[i][init] = '\0';
strncat(_lxml->ct[i], value[j],tsize - init);
init = strlen(_lxml->ct[i]);
- strncat(_lxml->ct[i], p,
+ strncat(_lxml->ct[i], p,
tsize - strlen(_lxml->ct[i]));
-
+
free(var_placeh);
break;
}
-
+
/* Variale not found */
if((j == s) && (strlen(lvar) >= 1))
{
- snprintf(_lxml->err,128,
+ snprintf(_lxml->err,128,
"XML_ERR: Unknown variable"
": %s", lvar);
return(-1);
{
init++;
}
-
+
goto go_next;
}
-
+
/* Maximum size for a variable */
if(tp >= 255)
{
return(-1);
}
-
+
lvar[tp] = *p;
tp++;
p++;
}
} /* IF XML_VAR_BEGIN */
-
+
p++;
init++;
go_next:
continue;
-
+
} /* WHILE END */
-
+
if(p2 != NULL)
{
free(p2);
}
if((value)&&(value[i]))
{
- free(value[i]);
+ free(value[i]);
value[i] = NULL;
}
}
-
+
if(var != NULL)
{
free(var);
}
if(value != NULL)
{
- free(value);
+ free(value);
value = NULL;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_xml/os_xml_writer.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/* Internal functions */
int _oswcomment(FILE *fp_in, FILE *fp_out);
-int _WReadElem(FILE *fp_in, FILE *fp_out, int position, int parent,
+int _WReadElem(FILE *fp_in, FILE *fp_out, int position, int parent,
char **node, char *value, int node_pos);
if(c == '\n') /* add new line */
_line++;
-
- return(c);
+
+ return(c);
}
#define FWGETC(fp_in, fp_out) _xml_wfgetc(fp_in, fp_out)
{
int r = 0;
int rwidth = 0;
-
+
fseek(fp_out, 0, SEEK_END);
fprintf(fp_out, "\n");
-
+
/* Printing each node. */
while(nodes[r])
{
if(nodes[r])
fprintf(fp_out, "\n");
}
-
+
/* Printing val. */
r--;
rwidth -=6;
fprintf(fp_out, "%s</%s>\n", newval, nodes[r]);
r--;
-
+
/* Closing each node. */
while(r >= 0)
rwidth -= 3;
}
}
-
+
fclose(fp_in);
fclose(fp_out);
return(0);
-int _WReadElem(FILE *fp_in, FILE *fp_out,
+int _WReadElem(FILE *fp_in, FILE *fp_out,
int position, int parent, char **nodes, char *val, int node_pos)
{
int c;
continue;
}
}
-
-
+
+
/* Real checking */
if(location == -1)
{
continue;
}
}
-
+
/* Looking for the closure */
else if((location == 0) && ((c == _R_CONFE) || (c == ' ')))
_ge = '/';
elem[count -1] = '\0';
}
-
+
/* If we may have more attributes */
if(c == ' ')
{
count = 0;
location = -1;
-
+
memset(elem,'\0',XML_MAXSIZE);
memset(closedelem,'\0',XML_MAXSIZE);
memset(cont,'\0',XML_MAXSIZE);
-
+
if(parent > 0)
{
return(ret_code);
{
count = 0;
location = 1;
- }
+ }
/* Checking position of the node */
}
/* Checking if the element name matches */
- if(node_pos == position &&
+ if(node_pos == position &&
nodes[node_pos] && strcmp(elem, nodes[node_pos]) == 0)
{
node_pos++;
}
}
}
-
+
else if((location == 2) &&(c == _R_CONFE))
{
closedelem[count]='\0';
memset(elem,'\0',XML_MAXSIZE);
memset(closedelem,'\0',XML_MAXSIZE);
memset(cont,'\0',XML_MAXSIZE);
-
+
count = 0;
location = -1;
if(parent > 0)
{
ret_code = 1;
}
-
+
count = 0;
}
}
}
}
}
-
+
if(location == -1)
{
return(ret_code);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_xml/os_xml_writer.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*/
int OS_WriteXML(char *infile, char *outfile, char **nodes, char *attr,
char *oldval, char *newval, int type);
-
+
#endif
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_zlib/os_zlib.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#include "shared.h"
#include "os_zlib.h"
int os_compress(char *src, char *dst, int src_size, int dst_size)
{
unsigned long int zl_dst = dst_size;
-
+
/* We make sure to do not allow long sizes */
- if(compress2((unsigned char *)dst,
- &zl_dst,
+ if(compress2((unsigned char *)dst,
+ &zl_dst,
(unsigned char *)src,
(unsigned long int)src_size, 9) == Z_OK)
{
int os_uncompress(char *src, char *dst, int src_size, int dst_size)
{
unsigned long int zl_dst = dst_size;
-
- if(uncompress((unsigned char *)dst,
+
+ if(uncompress((unsigned char *)dst,
&zl_dst,
- (unsigned char *)src,
+ (unsigned char *)src,
(unsigned long int)src_size) == Z_OK)
{
dst[zl_dst] = '\0';
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_zlib/os_zlib.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#ifndef __OS_ZLIB_H
#define __OS_ZLIB_H
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/os_zlib/zlib-test.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* Foundation
*/
-
+
#include "shared.h"
#include "os_zlib.h"
/* Zlib test */
int main(int argc, char **argv)
{
- int ret, srcsize, dstsize = 2010;
+ int ret, srcsize, dstsize = 2010;
char dst[2048];
char dst2[2048];
printf("%s: string\n", argv[0]);
exit(1);
}
-
+
srcsize = strlen(argv[1]);
if(srcsize > 2000)
{
exit(1);
}
-
+
if((ret = os_compress(argv[1], dst, srcsize, dstsize)))
{
printf("Compressed, from %d->%d\n",srcsize, ret);
/* Setting new srcsize for decompression */
srcsize = ret;
-
+
if((ret = os_uncompress(dst, dst2, srcsize, dstsize)))
{
- printf("Uncompressed ok. String: '%s', size %d->%d\n",
- dst2, srcsize, ret);
+ printf("Uncompressed ok. String: '%s', size %d->%d\n",
+ dst2, srcsize, ret);
}
else
{
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/remoted/ar-forward.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int arq = 0;
int agent_id = 0;
int ar_location = 0;
-
+
char msg_to_send[OS_SIZE_1024 +1];
-
+
char msg[OS_SIZE_1024 +1];
char *location = NULL;
char *ar_location_str = NULL;
{
/* Always zeroing the location */
ar_location = 0;
-
-
+
+
/* Getting the location */
location = msg;
{
ar_location|=SPECIFIC_AGENT;
}
-
-
+
+
/*** Extracting the active response location ***/
tmp_str = strchr(ar_location_str, ' ');
if(!tmp_str)
}
*tmp_str = '\0';
tmp_str++;
-
-
+
+
/*** Creating the new message ***/
if(ar_location & NO_AR_MSG)
{
- snprintf(msg_to_send, OS_SIZE_1024, "%s%s",
+ snprintf(msg_to_send, OS_SIZE_1024, "%s%s",
CONTROL_HEADER,
tmp_str);
}
else
{
- snprintf(msg_to_send, OS_SIZE_1024, "%s%s%s",
+ snprintf(msg_to_send, OS_SIZE_1024, "%s%s%s",
CONTROL_HEADER,
EXECD_HEADER,
tmp_str);
}
-
+
/* Lock use of keys */
key_lock();
-
-
+
+
/* Sending to ALL agents */
if(ar_location & ALL_AGENTS)
{
merror(AR_NOAGENT_ERROR, ARGV0, location);
continue;
}
-
+
send_msg(agent_id, msg_to_send);
}
ar_location++;
agent_id = OS_IsAllowedID(&keys, ar_agent_id);
-
+
if(agent_id < 0)
{
key_unlock();
}
}
-
+
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/remoted/config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* v0.2: New OS_XML
* v0.3: Some improvements and cleanup
* v0.4: Move everything to the global config validator.
- */
+ */
int RemotedConfig(char *cfgfile, remoted *logr)
{
int modules = 0;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/remoted/main.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int i = 0,c = 0;
int uid = 0, gid = 0;
int test_config = 0,run_foreground = 0;
-
+
char *cfg = DEFAULTCPATH;
char *dir = DEFAULTDIR;
char *user = REMUSER;
char *group = GROUPGLOBAL;
-
+
/* Setting the name -- must be done ASAP */
OS_SetName(ARGV0);
-
+
while((c = getopt(argc, argv, "Vdthfu:g:c:D:")) != -1){
switch(c){
case 'V':
group = optarg;
break;
case 't':
- test_config = 1;
+ test_config = 1;
break;
case 'c':
if (!optarg)
}
debug1(STARTED_MSG,ARGV0);
-
-
+
+
/* Return 0 if not configured */
if(RemotedConfig(cfg, &logr) < 0)
{
if(test_config)
exit(0);
-
+ if(logr.conn == NULL)
+ {
+ /* Not configured. */
+ exit(0);
+ }
+
/* Check if the user and group given are valid */
uid = Privsep_GetUser(user);
gid = Privsep_GetGroup(group);
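Review bot: The new `if(logr.conn == NULL)` branch at L31792–L31796 exits with status 0 without emitting anything, so an operator who expected remoted to start gets no indication of why it stopped, and the exit is indistinguishable from the `-t` config test path just above it. A one-line message before the exit would make the condition visible in the log, e.g. `verbose("%s: INFO: No remote connection configured. Exiting.", ARGV0);` using the same logging helpers this file already uses. The surrounding main() body starts and ends outside the hunk.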
i = getpid();
- if(!run_foreground)
+ if(!run_foreground)
{
nowDaemon();
goDaemon();
}
-
+
/* Setting new group */
if(Privsep_SetGroup(gid) < 0)
ErrorExit(SETGID_ERROR, ARGV0, group);
#else
srandom( time(0) + getpid()+ i);
#endif
-
+
random();
-
+
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
/* Really starting the program. */
- i = 0;
+ i = 0;
while(logr.conn[i] != 0)
{
/* Forking for each connection handler */
if(fork() == 0)
- {
+ {
/* On the child */
debug1("%s: DEBUG: Forking remoted: '%d'.",ARGV0, i);
HandleRemote(i, uid);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/remoted/manager.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
{
char msg_ack[OS_FLSIZE +1];
-
+
/* Replying to the agent. */
snprintf(msg_ack, OS_FLSIZE, "%s%s", CONTROL_HEADER, HC_ACK);
send_msg(agentid, msg_ack);
{
utimes(_keep_alive[agentid], NULL);
}
-
+
else if(strcmp(r_msg, HC_STARTUP) == 0)
{
return;
}
-
+
else
{
FILE *fp;
char *uname = r_msg;
+ char *random_leftovers;
/* locking mutex. */
*r_msg = '\0';
+ random_leftovers = strchr(r_msg, '\n');
+ if(random_leftovers)
+ {
+ *random_leftovers = '\0';
+ }
/* Updating the keep alive. */
os_strdup(agent_file, _keep_alive[agentid]);
}
-
+
/* Writing to the file. */
fp = fopen(_keep_alive[agentid], "w");
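Review bot: The added `random_leftovers = strchr(r_msg, '\n');` can never match, because the line immediately above it stores `'\0'` at `*r_msg`, so the search starts on an empty string and the new `if(random_leftovers)` block is dead code. If the intent is to strip trailing data from the text that is later written to the keep-alive file, the search has to start from the beginning of that string (`uname`, or whatever pointer the write after `fopen` uses — the remainder of this function is outside the hunk), not from the terminator just written. As it stands the change is a no-op that reads as if it sanitised agent input; either fix the starting pointer or drop the block, and add a one-line comment saying what the "leftovers" are expected to be.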
}
}
-
+
/* Locking now to notify of change. */
if(pthread_mutex_lock(&lastmsg_mutex) != 0)
{
return;
}
-
+
/* Assign new values */
_changed[agentid] = 1;
modified_agentid = agentid;
/* Signal that new data is available */
pthread_cond_signal(&awake_mutex);
-
+
/* Unlocking mutex */
if(pthread_mutex_unlock(&lastmsg_mutex) != 0)
{
return;
}
-
+
return;
-}
+}
int i;
if(!f_sum)
return;
- for(i = 0;;i++)
+ for(i = 0;;i++)
{
if(f_sum[i] == NULL)
break;
-
+
if(f_sum[i]->name)
free(f_sum[i]->name);
-
+
free(f_sum[i]);
f_sum[i] = NULL;
}
DIR *dp;
struct dirent *entry;
-
+
os_md5 md5sum;
-
+
int f_size = 0;
/* Opening the directory given */
dp = opendir(SHAREDCFG_DIR);
- if(!dp)
+ if(!dp)
{
merror("%s: Error opening directory: '%s': %s ",
ARGV0,
SHAREDCFG_DIR,
strerror(errno));
return;
- }
+ }
/* Reading directory */
while((entry = readdir(dp)) != NULL)
{
char tmp_dir[512];
-
+
/* Just ignore . and .. */
if((strcmp(entry->d_name,".") == 0) ||
(strcmp(entry->d_name,"..") == 0))
continue;
}
-
+
if(OS_MD5_File(tmp_dir, md5sum) != 0)
{
merror("%s: Error accessing file '%s'",ARGV0, tmp_dir);
continue;
}
-
-
+
+
f_sum = (file_sum **)realloc(f_sum, (f_size +2) * sizeof(file_sum *));
if(!f_sum)
{
ErrorExit(MEM_ERROR,ARGV0);
}
-
+
strncpy(f_sum[f_size]->sum, md5sum, 32);
os_strdup(entry->d_name, f_sum[f_size]->name);
f_sum[f_size]->mark = 0;
MergeAppendFile(SHAREDCFG_FILE, tmp_dir);
f_size++;
}
-
+
if(f_sum != NULL)
f_sum[f_size] = NULL;
merror("%s: Error accessing file '%s'",ARGV0, SHAREDCFG_FILE);
f_sum[0]->sum[0] = '\0';
}
- strncpy(f_sum[0]->sum, md5sum, 32);
+ strncpy(f_sum[0]->sum, md5sum, 32);
os_strdup(SHAREDCFG_FILENAME, f_sum[0]->name);
- return;
+ return;
}
-
+
/* send_file_toagent: Sends a file to the agent.
* Returns -1 on error
int i = 0, n = 0;
char file[OS_SIZE_1024 +1];
char buf[OS_SIZE_1024 +1];
-
+
FILE *fp;
-
+
snprintf(file, OS_SIZE_1024, "%s/%s",SHAREDCFG_DIR, name);
fp = fopen(file, "r");
if(!fp)
/* Sending the file name first */
- snprintf(buf, OS_SIZE_1024, "%s%s%s %s\n",
+ snprintf(buf, OS_SIZE_1024, "%s%s%s %s\n",
CONTROL_HEADER, FILE_UPDATE_HEADER, sum, name);
if(send_msg(agentid, buf) == -1)
i++;
}
-
+
/* Sending the message to close the file */
snprintf(buf, OS_SIZE_1024, "%s%s", CONTROL_HEADER, FILE_CLOSE_HEADER);
if(send_msg(agentid, buf) == -1)
fclose(fp);
return(-1);
}
-
+
fclose(fp);
-
+
return(0);
}
* the agent.
*/
void read_controlmsg(int agentid, char *msg)
-{
+{
int i;
}
- /* Parse message */
+ /* Parse message */
while(*msg != '\0')
{
char *md5;
if(!msg)
{
merror("%s: Invalid message from '%s' (strchr \\n)",
- ARGV0,
+ ARGV0,
keys.keyentries[agentid]->ip->ip);
break;
}
if(!file)
{
merror("%s: Invalid message from '%s' (strchr ' ')",
- ARGV0,
+ ARGV0,
keys.keyentries[agentid]->ip->ip);
break;
}
{
if(strcmp(f_sum[0]->sum, md5) != 0)
{
- debug1("%s: DEBUG Sending file '%s' to agent.", ARGV0,
+ debug1("%s: DEBUG Sending file '%s' to agent.", ARGV0,
f_sum[0]->name);
if(send_file_toagent(agentid,f_sum[0]->name,f_sum[0]->sum)<0)
{
i = 0;
while(f_sum[i])
{
- f_sum[i]->mark = 0;
+ f_sum[i]->mark = 0;
i++;
}
{
f_sum[i]->mark = 2;
}
- break;
+ break;
}
}
if((f_sum[i]->mark == 1) ||
(f_sum[i]->mark == 0))
{
-
+
debug1("%s: Sending file '%s' to agent.", ARGV0, f_sum[i]->name);
if(send_file_toagent(agentid,f_sum[i]->name,f_sum[i]->sum) < 0)
{
}
}
- f_sum[i]->mark = 0;
+ f_sum[i]->mark = 0;
}
-
- return;
+
+ return;
}
{
int id, i;
char msg[OS_SIZE_1024 +2];
-
+
/* Initializing the memory */
memset(msg, '\0', OS_SIZE_1024 +2);
-
+
/* should never leave this loop */
while(1)
{
/* Every NOTIFY * 30 minutes, re read the files.
- * If something changed, notify all agents
+ * If something changed, notify all agents
*/
_ctime = time(0);
if((_ctime - _stime) > (NOTIFY_TIME*30))
_stime = _ctime;
}
-
-
+
+
/* locking mutex */
if(pthread_mutex_lock(&lastmsg_mutex) != 0)
{
{
continue;
}
-
+
id = 0;
-
+
/* locking mutex */
if(pthread_mutex_lock(&lastmsg_mutex) != 0)
{
id = 1;
}
-
+
/* Unlocking mutex */
if(pthread_mutex_unlock(&lastmsg_mutex) != 0)
{
pthread_mutex_init(&lastmsg_mutex, NULL);
pthread_cond_init(&awake_mutex, NULL);
}
-
+
modified_agentid = -1;
return;
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/remoted/remoted.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* remote daemon.
- * Listen to remote packets and forward them to the analysis
+ * Listen to remote packets and forward them to the analysis
* system
*/
}
}
}
-
- /* Bind TCP */
+
+ /* Bind TCP */
if(logr.proto[position] == TCP_PROTO)
{
- if((logr.sock =
- OS_Bindporttcp(logr.port[position],logr.lip[position])) < 0)
+ if((logr.sock =
+ OS_Bindporttcp(logr.port[position],logr.lip[position], logr.ipv6[position])) < 0)
{
ErrorExit(BIND_ERROR, ARGV0, logr.port[position]);
}
else
{
/* Using UDP. Fast, unreliable.. perfect */
- if((logr.sock =
- OS_Bindportudp(logr.port[position], logr.lip[position])) < 0)
+ if((logr.sock =
+ OS_Bindportudp(logr.port[position], logr.lip[position], logr.ipv6[position])) < 0)
{
ErrorExit(BIND_ERROR, ARGV0, logr.port[position]);
}
}
-
-
+
+
/* Revoking the privileges */
if(Privsep_SetUser(uid) < 0)
{
ErrorExit(SETUID_ERROR,ARGV0, REMUSER);
}
-
-
+
+
/* Creating PID */
if(CreatePID(ARGV0, getpid()) < 0)
{
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
-
+
/* If Secure connection, deal with it */
if(logr.conn[position] == SECURE_CONN)
{
HandleSecure();
}
-
+
else if(logr.proto[position] == TCP_PROTO)
{
HandleSyslogTCP();
}
-
+
/* If not, deal with syslog */
else
{
HandleSyslog();
}
-
+
return;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/remoted/remoted.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int RemotedConfig(char *cfgfile, remoted *logr);
/* Handle Remote connections */
-void HandleRemote(int position, int uid);
+void HandleRemote(int position, int uid);
/* Handle Syslog */
void HandleSyslog();
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/remoted/secure.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int agentid;
char buffer[OS_MAXSTR +1];
- char cleartext_msg[OS_MAXSTR +1];
+ char cleartext_msg[OS_MAXSTR +1];
char srcip[IPSIZE +1];
char *tmp_msg;
char srcmsg[OS_FLSIZE +1];
{
ErrorExit(THREAD_ERROR, ARGV0);
}
-
+
/* Creating wait_for_msgs thread */
if(CreateThread(wait_for_msgs, (void *)NULL) != 0)
{
{
ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQUEUE);
}
-
-
- verbose(AG_AX_AGENTS, ARGV0, MAX_AGENTS);
-
+
+ verbose(AG_AX_AGENTS, ARGV0, MAX_AGENTS);
+
+
/* Reading authentication keys */
verbose(ENC_READ, ARGV0);
-
+
OS_ReadKeys(&keys);
-
+
debug1("%s: DEBUG: OS_StartCounter.", ARGV0);
OS_StartCounter(&keys);
debug1("%s: DEBUG: OS_StartCounter completed.", ARGV0);
memset(cleartext_msg, '\0', OS_MAXSTR +1);
memset(srcmsg, '\0', OS_FLSIZE +1);
tmp_msg = NULL;
-
-
-
+
+
+
/* loop in here */
while(1)
{
/* Receiving message */
- recv_b = recvfrom(logr.sock, buffer, OS_MAXSTR, 0,
+ recv_b = recvfrom(logr.sock, buffer, OS_MAXSTR, 0,
(struct sockaddr *)&peer_info, &peer_size);
- /* Getting a valid agentid */
+ /* Getting a valid agentid */
if(buffer[0] == '!')
{
tmp_msg = buffer;
tmp_msg++;
-
-
+
+
/* We need to make sure that we have a valid id
* and that we reduce the recv buffer size.
*/
}
else
{
- agentid = OS_IsAllowedIP(&keys, srcip);
+ agentid = OS_IsAllowedIP(&keys, srcip);
if(agentid < 0)
{
if(check_keyupdate())
}
tmp_msg = buffer;
}
-
- /* Decrypting the message */
+
+ /* Decrypting the message */
tmp_msg = ReadSecMSG(&keys, tmp_msg, cleartext_msg,
agentid, recv_b -1);
if(tmp_msg == NULL)
}
- /* Check if it is a control message */
+ /* Check if it is a control message */
if(IsValidHeader(tmp_msg))
{
/* We need to save the peerinfo if it is a control msg */
/* Generating srcmsg */
- snprintf(srcmsg, OS_FLSIZE,"(%s) %s",keys.keyentries[agentid]->name,
+ snprintf(srcmsg, OS_FLSIZE,"(%s) %s",keys.keyentries[agentid]->name,
keys.keyentries[agentid]->ip->ip);
-
+
/* If we can't send the message, try to connect to the
* socket again. If it not exit.
*/
- if(SendMSG(logr.m_queue, tmp_msg, srcmsg,
+ if(SendMSG(logr.m_queue, tmp_msg, srcmsg,
SECURE_MQ) < 0)
{
merror(QUEUE_ERROR, ARGV0, DEFAULTQUEUE, strerror(errno));
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/remoted/sendmsg.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
{
return(0);
}
-
+
key_lock();
-
+
/* Locking before using */
if(pthread_mutex_lock(&sendmsg_mutex) != 0)
{
merror(MUTEX_ERROR, ARGV0);
return(0);
}
-
+
if(OS_UpdateKeys(&keys))
{
if(pthread_mutex_unlock(&sendmsg_mutex) != 0)
merror(MUTEX_ERROR, ARGV0);
}
key_unlock();
-
+
return(0);
}
}
-/* send_msg()
+/* send_msg()
* Send message to an agent.
* Returns -1 on error
*/
return(-1);
}
-
+
msg_size = CreateSecMSG(&keys, msg, crypt_msg, agentid);
if(msg_size == 0)
{
return(-1);
}
-
+
/* Locking before using */
if(pthread_mutex_lock(&sendmsg_mutex) != 0)
{
/* Sending initial message */
if(sendto(logr.sock, crypt_msg, msg_size, 0,
(struct sockaddr *)&keys.keyentries[agentid]->peer_info,
- logr.peer_size) < 0)
+ logr.peer_size) < 0)
{
merror(SEND_ERROR,ARGV0, keys.keyentries[agentid]->id);
}
-
-
+
+
/* Unlocking mutex */
if(pthread_mutex_unlock(&sendmsg_mutex) != 0)
{
merror(MUTEX_ERROR, ARGV0);
return(-1);
}
-
+
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/remoted/syslog.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* OS_IPNotAllowed, v0.1, 2005/02/11
+/* OS_IPNotAllowed, v0.1, 2005/02/11
* Checks if an IP is not allowed.
*/
static int OS_IPNotAllowed(char *srcip)
/* Initializing some variables */
memset(buffer, '\0', OS_SIZE_1024 +2);
-
+
/* Connecting to the message queue
* Exit if it fails.
*/
{
ErrorExit(QUEUE_FATAL,ARGV0, DEFAULTQUEUE);
}
-
+
/* Infinite loop in here */
while(1)
{
/* Receiving message */
- recv_b = recvfrom(logr.sock, buffer, OS_SIZE_1024, 0,
+ recv_b = recvfrom(logr.sock, buffer, OS_SIZE_1024, 0,
(struct sockaddr *)&peer_info, &peer_size);
/* Nothing received */
else
{
buffer_pt = buffer;
- }
+ }
/* Checking if IP is allowed here */
if(OS_IPNotAllowed(srcip))
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/remoted/syslogtcp.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
-/* OS_IPNotAllowed, v0.1, 2005/02/11
+/* OS_IPNotAllowed, v0.1, 2005/02/11
* Checks if an IP is not allowed.
*/
static int OS_IPNotAllowed(char *srcip)
{
int sb_size = OS_MAXSTR;
int r_sz = 0;
-
+
char buffer[OS_MAXSTR +2];
char storage_buffer[OS_MAXSTR +2];
char tmp_buffer[OS_MAXSTR +2];
char *buffer_pt = NULL;
-
+
/* Initializing some variables */
memset(buffer, '\0', OS_MAXSTR +2);
memset(storage_buffer, '\0', OS_MAXSTR +2);
storage_buffer[0] = '\0';
continue;
}
-
+
strncat(storage_buffer, buffer, sb_size);
sb_size -= r_sz;
- continue;
+ continue;
}
-
+
/* Seeing if we received more then just one message */
if(*(buffer_pt +1) != '\0')
{
}
strncat(storage_buffer, buffer, sb_size);
-
+
/* Removing carriage returns too */
buffer_pt = strchr(storage_buffer, '\r');
if(buffer_pt)
*buffer_pt = '\0';
-
+
/* Removing syslog header */
if(storage_buffer[0] == '<')
{
int client_socket = 0;
int st_errors = 0;
int childcount = 0;
-
+
char srcip[IPSIZE +1];
/* Initializing some variables */
memset(srcip, '\0', IPSIZE + 1);
-
+
/* Connecting to the message queue
* Exit if it fails.
*/
{
ErrorExit(QUEUE_FATAL,ARGV0, DEFAULTQUEUE);
}
-
+
/* Infinit loop in here */
while(1)
}
- /* Forking to deal with new client */
+ /* Forking to deal with new client */
if(fork() == 0)
{
HandleClient(client_socket, srcip);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/check_open_ports.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#include "shared.h"
#include "headers/defs.h"
#include "headers/debug_op.h"
int connect_to_port(int proto, int port)
{
int rc = 0;
-
+
int ossock;
struct sockaddr_in server;
{
rc = 1;
}
-
- close(ossock);
- return(rc);
+ close(ossock);
+
+ return(rc);
}
/* try_to_access_ports */
snprintf(port_proto, 64, "%d (tcp),", i);
}
strncat(open_ports_str, port_proto, open_ports_size);
- open_ports_size -= strlen(port_proto) +1;
+ open_ports_size -= strlen(port_proto) +1;
_ports_open++;
}
memset(open_ports_str, '\0', OS_SIZE_1024 +1);
open_ports_size = OS_SIZE_1024 - 1;
_ports_open = 0;
-
+
#ifndef OSSECHIDS
snprintf(open_ports_str, OS_SIZE_1024, "The following ports are open:");
open_ports_size-=strlen(open_ports_str) +1;
-
- /* Testing All ports */
+
+ /* Testing All ports */
try_to_access_ports();
open_ports_str[strlen(open_ports_str) -1] = '\0';
notify_rk(ALERT_OK, open_ports_str);
-
+
#endif
return;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/check_rc_dev.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#ifndef WIN32
#include "shared.h"
#include "rootcheck.h"
int read_dev_file(char *file_name)
{
struct stat statbuf;
-
+
if(lstat(file_name, &statbuf) < 0)
{
return(-1);
}
-
+
if(S_ISDIR(statbuf.st_mode))
{
#ifdef DEBUG
return(read_dev_dir(file_name));
}
-
+
else if(S_ISREG(statbuf.st_mode))
{
char op_msg[OS_SIZE_1024 +1];
int read_dev_dir(char *dir_name)
{
int i;
-
+
DIR *dp;
-
+
struct dirent *entry;
-
+
/* when will these people learn that dev is not
* meant to store log files or other kind of texts..
*/
"MAKEDEV.README", ".udevdb",
".udev.tdb", ".initramfs-tools",
"MAKEDEV.local", ".udev", ".initramfs",
- "oprofile","fd",
- #ifdef SOLARIS
+ "oprofile","fd","cgroup",
+ #ifdef SOLARIS
".devfsadm_dev.lock",
".devlink_db_lock",
".devlink_db",
".devfsadm_synch_door",
".zone_reg_door",
#endif
- NULL};
-
+ NULL};
+
/* Full path ignore */
char *(ignore_dev_full_path[]) = {"/dev/shm/sysconfig",
- "/dev/bus/usb/.usbfs",
+ "/dev/bus/usb/.usbfs",
"/dev/shm",
"/dev/gpmctl",
NULL};
-
+
if((dir_name == NULL)||(strlen(dir_name) > PATH_MAX))
{
merror("%s: Invalid directory given.",ARGV0);
return(-1);
}
-
+
/* Opening the directory given */
dp = opendir(dir_name);
if(!dp)
/* Just ignore . and .. */
if((strcmp(entry->d_name,".") == 0) ||
- (strcmp(entry->d_name,"..") == 0))
+ (strcmp(entry->d_name,"..") == 0))
continue;
-
+
_dev_total++;
-
+
/* Do not look for the ignored files */
for(i = 0;ignore_dev[i] != NULL;i++)
{
if(strcmp(ignore_dev[i], entry->d_name) == 0)
break;
}
-
+
if(ignore_dev[i] != NULL)
continue;
-
- f_name[PATH_MAX +1] = '\0';
+
+ f_name[PATH_MAX +1] = '\0';
snprintf(f_name, PATH_MAX +1, "%s/%s",dir_name, entry->d_name);
-
+
/* Do not look for the full ignored files */
for(i = 0;ignore_dev_full_path[i] != NULL;i++)
break;
}
-
+
/* Checking against the full path. */
if(ignore_dev_full_path[i] != NULL)
{
continue;
}
-
+
read_dev_file(f_name);
}
closedir(dp);
-
+
return(0);
}
void check_rc_dev(char *basedir)
{
char file_path[OS_SIZE_1024 +1];
-
+
_dev_total = 0, _dev_errors = 0;
debug1("%s: DEBUG: Starting on check_rc_dev", ARGV0);
{
char op_msg[OS_SIZE_1024 +1];
snprintf(op_msg, OS_SIZE_1024, "No problem detected on the /dev "
- "directory. Analyzed %d files",
+ "directory. Analyzed %d files",
_dev_total);
notify_rk(ALERT_OK, op_msg);
}
-
+
return;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/check_rc_files.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#include "shared.h"
#include "rootcheck.h"
char *file;
char *name;
char *link;
-
+
int _errors = 0;
int _total = 0;
-
-
+
+
debug1("%s: DEBUG: Starting on check_rc_files", ARGV0);
-
+
while(fgets(buf, OS_SIZE_1024, fp) != NULL)
{
char *nbuf;
-
+
/* Removing end of line */
nbuf = strchr(buf, '\n');
if(nbuf)
/* Assigning buf to be used */
nbuf = buf;
-
- /* Excluding commented lines or blanked ones */
+
+ /* Excluding commented lines or blanked ones */
while(*nbuf != '\0')
{
if(*nbuf == ' ' || *nbuf == '\t')
else
break;
}
-
+
if(*nbuf == '\0')
goto newline;
-
+
/* File now may be valid */
file = nbuf;
- name = nbuf;
-
-
+ name = nbuf;
+
+
/* Getting the file and the rootkit name */
while(*nbuf != '\0')
{
nbuf++;
}
}
-
+
if(*nbuf == '\0')
goto newline;
-
-
- /* Some ugly code to remove spaces and \t */
+
+
+ /* Some ugly code to remove spaces and \t */
while(*nbuf != '\0')
{
if(*nbuf == '!')
}
}
-
+
/* Getting the link (if present) */
link = strchr(nbuf, ':');
if(link)
{
*link = '\0';
-
- link++;
+
+ link++;
if(*link == ':')
{
link++;
}
}
-
-
+
+
/* Cleaning any space of \t at the end */
nbuf = strchr(nbuf, ' ');
if(nbuf)
{
*nbuf = '\0';
}
-
+
_total++;
{
merror(MAX_RK_MSG, ARGV0, MAX_RK_SYS);
}
-
+
else
{
/* Removing * / from the file */
file++;
if(*file == '/')
file++;
-
- /* Memory assignment */
+
+ /* Memory assignment */
rk_sys_file[rk_sys_count] = strdup(file);
rk_sys_name[rk_sys_count] = strdup(name);
!rk_sys_file[rk_sys_count] )
{
merror(MEM_ERROR, ARGV0);
-
+
if(rk_sys_file[rk_sys_count])
free(rk_sys_file[rk_sys_count]);
if(rk_sys_name[rk_sys_count])
free(rk_sys_name[rk_sys_count]);
-
+
rk_sys_file[rk_sys_count] = NULL;
- rk_sys_name[rk_sys_count] = NULL;
+ rk_sys_name[rk_sys_count] = NULL;
}
-
+
rk_sys_count++;
/* Always assigning the last as NULL */
}
continue;
}
-
+
snprintf(file_path, OS_SIZE_1024, "%s/%s",basedir, file);
-
- /* Checking if file exists */
+
+ /* Checking if file exists */
if(is_file(file_path))
{
char op_msg[OS_SIZE_1024 +1];
-
+
_errors = 1;
snprintf(op_msg, OS_SIZE_1024, "Rootkit '%s' detected "
"by the presence of file '%s'.",name, file_path);
-
+
notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
}
-
+
newline:
- continue;
+ continue;
}
if(_errors == 0)
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/check_rc_if.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#include <sys/types.h>
#include <sys/socket.h>
-#include <sys/ioctl.h>
+#include <sys/ioctl.h>
#include <net/if.h>
#include <stdio.h>
if(system(nt) == 0)
return(1);
- return(0);
+ return(0);
}
-
+
/* check_rc_if: v0.1
* Check all interfaces for promiscuous mode
{
int _fd, _errors = 0, _total = 0;
struct ifreq tmp_str[16];
-
+
struct ifconf _if;
struct ifreq *_ir;
struct ifreq *_ifend;
return;
}
-
+
memset(tmp_str, 0, sizeof(struct ifreq)*16);
_if.ifc_len = sizeof(tmp_str);
_if.ifc_buf = (caddr_t)(tmp_str);
-
+
if (ioctl(_fd, SIOCGIFCONF, &_if) < 0)
{
close(_fd);
merror("%s: Error checking interfaces (ioctl)", ARGV0);
return;
}
-
+
_ifend = (struct ifreq*) ((char*)tmp_str + _if.ifc_len);
_ir = tmp_str;
/* Looping on all interfaces */
- for (; _ir < _ifend; _ir++)
+ for (; _ir < _ifend; _ir++)
{
strncpy(_ifr.ifr_name, _ir->ifr_name, sizeof(_ifr.ifr_name));
/* Getting information from each interface */
- if (ioctl(_fd, SIOCGIFFLAGS, (char*)&_ifr) == -1)
+ if (ioctl(_fd, SIOCGIFFLAGS, (char*)&_ifr) == -1)
{
continue;
}
_total++;
-
+
if ((_ifr.ifr_flags & IFF_PROMISC) )
{
}
_errors++;
}
- }
+ }
close(_fd);
if(_errors == 0)
" Analyzed %d interfaces.", _total);
notify_rk(ALERT_OK, op_msg);
}
-
+
return;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/check_rc_pids.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
if(noproc)
return(0);
-
+
snprintf(dir, OS_SIZE_1024, "%d", pid);
if(isfile_ondir(dir, "/proc"))
{
if(noproc)
return(0);
-
+
if(!getcwd(curr_dir, OS_SIZE_1024))
{
return(0);
}
-
+
if(chdir("/proc") == -1)
- return(0);
-
+ return(0);
+
snprintf(dir, OS_SIZE_1024, "/proc/%d", pid);
if(chdir(dir) == 0)
{
/* Returning to the previous directory */
chdir(curr_dir);
-
- return(ret);
+
+ return(ret);
}
int proc_stat(int pid)
{
char proc_dir[OS_SIZE_1024 + 1];
-
+
if(noproc)
return(0);
-
+
snprintf(proc_dir, OS_SIZE_1024, "%s/%d", "/proc", pid);
-
+
if(is_file(proc_dir))
{
return(1);
int _proc_stat = 0;
int _proc_read = 0;
int _proc_chdir = 0;
-
+
pid_t i = 1;
pid_t my_pid;
char command[OS_SIZE_1024 +1];
my_pid = getpid();
-
+
for(;;i++)
{
if((i <= 0)||(i > max_pid))
break;
(*_total)++;
-
+
_kill0 = 0;
_kill1 = 0;
_gsid0 = 0;
_proc_stat = 0;
_proc_read = 0;
_proc_chdir = 0;
-
+
/* kill test */
if(!((kill(i, 0) == -1)&&(errno == ESRCH)))
{
_kill0 = 1;
}
-
- /* getsid to test */
+
+ /* getsid to test */
if(!((getsid(i) == -1)&&(errno == ESRCH)))
{
_gsid0 = 1;
{
_gpid0 = 1;
}
-
+
/* proc stat */
_proc_stat = proc_stat(i);
-
+
/* proc readdir */
_proc_read = proc_read(i);
/* proc chdir */
- _proc_chdir = proc_chdir(i);
-
-
+ _proc_chdir = proc_chdir(i);
+
+
/* IF PID does not exist, keep going */
- if(!_kill0 && !_gsid0 && !_gpid0 &&
+ if(!_kill0 && !_gsid0 && !_gpid0 &&
!_proc_stat && !_proc_read && !_proc_chdir)
{
continue;
{
continue;
}
-
- /* Checking the number of errors */
+
+ /* Checking the number of errors */
if((*_errors) > 15)
{
char op_msg[OS_SIZE_1024 +1];
notify_rk(ALERT_SYSTEM_CRIT, op_msg);
return;
}
-
-
+
+
/* checking if process appears on ps */
if(*ps)
{
- snprintf(command, OS_SIZE_1024, "%s -p %d > /dev/null 2>&1",
- ps,
+ snprintf(command, OS_SIZE_1024, "%s -p %d > /dev/null 2>&1",
+ ps,
(int)i);
/* Found PID on ps */
if(system(command) == 0)
_ps0 = 1;
}
-
+
/* If we are being run by the ossec hids, sleep here (no rush) */
#ifdef OSSECHIDS
sleep(2);
#endif
-
+
/* Everyone returned ok */
if(_ps0 && _kill0 && _gsid0 && _gpid0 && _proc_stat && _proc_read)
{
continue;
}
-
-
-
+
+
+
/* If our kill or getsid system call, got the
* PID , but ps didn't, we need to find if it was a problem
* with a PID being deleted (not used anymore)
{
_gsid1 = 1;
}
-
+
if(!((kill(i, 0) == -1)&&(errno == ESRCH)))
{
_kill1 = 1;
{
_gpid1 = 1;
}
-
+
_proc_stat = proc_stat(i);
-
+
_proc_read = proc_read(i);
_proc_chdir = proc_chdir(i);
-
+
/* If it matches, process was terminated */
if(!_gsid1 &&!_kill1 &&!_gpid1 &&!_proc_stat &&
!_proc_read &&!_proc_chdir)
continue;
}
}
-
+
#ifdef AIX
/* Ignoring AIX wait and sched programs. */
if((_gsid0 == _gsid1) &&
(_kill0 == _kill1) &&
(_gpid0 == _gpid1) &&
- (_ps0 == 1) &&
- (_gsid0 == 1) &&
+ (_ps0 == 1) &&
+ (_gsid0 == 1) &&
(_kill0 == 0))
{
/* The wait and sched programs do not respond to kill 0.
}
#endif
-
+
if((_gsid0 == _gsid1)&&
(_kill0 == _kill1)&&
(_gsid0 != _kill0))
snprintf(op_msg, OS_SIZE_1024, "Process '%d' hidden from "
"ps. Possible trojaned version installed.",
(int)i);
-
- notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+
+ notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
(*_errors)++;
}
}
{
int _total = 0;
int _errors = 0;
-
+
char ps[OS_SIZE_1024 +1];
-
+
char proc_0[] = "/proc";
char proc_1[] = "/proc/1";
pid_t max_pid = MAX_PID;
noproc = 1;
-
+
/* Checking where ps is */
memset(ps, '\0', OS_SIZE_1024 +1);
strncpy(ps, "/bin/ps", OS_SIZE_1024);
if(!is_file(ps))
ps[0] = '\0';
}
-
-
+
+
/* Proc is mounted */
if(is_file(proc_0) && is_file(proc_1))
{
noproc = 0;
}
-
+
loop_all_pids(ps, max_pid, &_errors, &_total);
if(_errors == 0)
"Analyzed %d processes.", ps, _total);
notify_rk(ALERT_OK, op_msg);
}
-
+
return;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/check_rc_policy.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#include "shared.h"
#include "rootcheck.h"
-
+
/* check_rc_unixaudit:
* Read the file pointer specified
* and check if the configured file is there
void check_rc_unixaudit(FILE *fp, void *p_list)
{
debug1("%s: DEBUG: Starting on check_rc_unixaudit", ARGV0);
-
+
rkcl_get_entry(fp, "System Audit:", p_list);
-
+
}
void check_rc_winaudit(FILE *fp, void *p_list)
{
debug1("%s: DEBUG: Starting on check_rc_winaudit", ARGV0);
-
+
rkcl_get_entry(fp, "Windows Audit:", p_list);
-
+
}
/* check_rc_winmalware:
void check_rc_winmalware(FILE *fp, void *p_list)
{
debug1("%s: DEBUG: Starting on check_rc_winmalware", ARGV0);
-
+
rkcl_get_entry(fp, "Windows Malware:", p_list);
-
+
}
/* check_rc_winapps:
void check_rc_winapps(FILE *fp, void *p_list)
{
debug1("%s: DEBUG: Starting on check_rc_winapps", ARGV0);
-
+
rkcl_get_entry(fp, "Application Found:", p_list);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/check_rc_ports.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#ifndef WIN32
-
+
#include "shared.h"
#include "rootcheck.h"
#define NETSTAT_LIST "netstat -an | grep \"^%s\" | "\
"cut -d ':' -f 2 | cut -d ' ' -f 1"
#define NETSTAT "netstat -an | grep \"^%s\" | " \
- "grep \"[^0-9]%d \" > /dev/null 2>&1"
+ "grep \"[^0-9]%d \" > /dev/null 2>&1"
#endif
#ifndef NETSTAT
int run_netstat(int proto, int port)
{
+ int ret;
char nt[OS_SIZE_1024 +1];
if(proto == IPPROTO_TCP)
return(0);
}
- if(system(nt) == 0)
+ ret = system(nt);
+
+ if(ret == 0)
return(1);
-
- return(0);
+
+ else if(ret == 1)
+ {
+ return(0);
+ }
+
+ return(1);
}
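Review bot: `else if(ret == 1)` in the new `run_netstat()` compares the raw wait status returned by `system()`, not the child's exit code, so a `grep` that exits 1 (no match) yields 256 here, falls through to the final `return(1)`, and the port is treated as listed by netstat; since the caller does `if(run_netstat(proto, i)) continue;`, the hidden-port check in this file effectively never raises an alert any more. Decode the status with `WIFEXITED`/`WEXITSTATUS` from `<sys/wait.h>` (the include block is outside this hunk) and treat `-1` or an abnormal termination as "could not check" rather than as a finding. The copy of `run_netstat()` in check_open_ports.c in this same diff keeps the old `system(nt) == 0` test, so the two implementations now disagree; they should use the same decoding.
```c
int run_netstat(int proto, int port)
{
    int ret;
    char nt[OS_SIZE_1024 +1];

    /* … unchanged: build the netstat command line into nt … */

    ret = system(nt);

    /* -1: the shell could not be spawned; a signal-killed child gives no
     * verdict either. Report "listed" so a broken netstat does not
     * produce a false rootkit alert. */
    if(ret == -1 || !WIFEXITED(ret))
    {
        return(1);
    }

    /* grep exit 0: port listed; 1: not listed; anything else: command error. */
    switch(WEXITSTATUS(ret))
    {
        case 0:
            return(1);
        case 1:
            return(0);
        default:
            return(1);
    }
}
```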
server.sin_port = htons( port );
server.sin_addr.s_addr = htonl(INADDR_ANY);
-
+
/* If we can't bind, it means the port is open */
if(bind(ossock, (struct sockaddr *) &server, sizeof(server)) < 0)
{
{
total_ports_udp[port] = rc;
}
-
- close(ossock);
- return(rc);
+ close(ossock);
+
+ return(rc);
}
if(run_netstat(proto, i))
{
continue;
-
+
#ifdef OSSECHIDS
sleep(2);
#endif
snprintf(op_msg, OS_SIZE_1024, "Port '%d'(%s) hidden. "
"Kernel-level rootkit or trojaned "
- "version of netstat.", i,
+ "version of netstat.", i,
(proto == IPPROTO_UDP)? "udp" : "tcp");
notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
total_ports_udp[i] = 0;
i++;
}
-
- /* Trsting TCP ports */
+
+ /* Trsting TCP ports */
test_ports(IPPROTO_TCP, &_errors, &_total);
/* Testing UDP ports */
" Analyzed %d ports.", _total);
notify_rk(ALERT_OK, op_msg);
}
-
+
return;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/check_rc_readproc.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#ifndef WIN32
#include "shared.h"
#include "rootcheck.h"
int read_proc_file(char *file_name, char *pid, int position)
{
struct stat statbuf;
-
+
if(lstat(file_name, &statbuf) < 0)
{
return(-1);
}
-
+
/* If directory, read the directory */
else if(S_ISDIR(statbuf.st_mode))
{
return(read_proc_dir(file_name, pid, position));
}
-
+
return(0);
}
int read_proc_dir(char *dir_name, char *pid, int position)
{
DIR *dp;
-
+
struct dirent *entry;
-
+
if((dir_name == NULL)||(strlen(dir_name) > PATH_MAX))
{
merror("%s: Invalid directory given",ARGV0);
return(-1);
}
-
+
/* Opening the directory given */
dp = opendir(dir_name);
if(!dp)
/* Just ignore . and .. */
if((strcmp(entry->d_name,".") == 0) ||
- (strcmp(entry->d_name,"..") == 0))
+ (strcmp(entry->d_name,"..") == 0))
continue;
if(position == PROC)
if(*tmp_str != '\0')
continue;
-
-
+
+
snprintf(f_name, PATH_MAX +1, "%s/%s",dir_name, entry->d_name);
read_proc_file(f_name, pid, position+1);
}
closedir(dp);
-
+
return(0);
}
char char_pid[32];
proc_pid_found = 0;
-
- /* NL threads */
+
+ /* NL threads */
snprintf(char_pid, 31, "/proc/.%d", pid);
if(is_file(char_pid))
return(1);
-
-
+
+
snprintf(char_pid, 31, "%d", pid);
-
+
read_proc_dir("/proc", char_pid, PROC);
-
+
return(proc_pid_found);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/check_rc_sys.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*/
-#include "shared.h"
+#include "shared.h"
#include "rootcheck.h"
int _sys_errors;
int read_sys_file(char *file_name, int do_read)
{
struct stat statbuf;
-
+
_sys_total++;
#endif
return(-1);
}
-
+
/* If directory, read the directory */
else if(S_ISDIR(statbuf.st_mode))
{
}
}
}
-
-
+
+
/* If has OTHER write and exec permission, alert */
#ifndef WIN32
- if(((statbuf.st_mode & S_IWOTH) == S_IWOTH) &&
+ if(((statbuf.st_mode & S_IWOTH) == S_IWOTH) &&
(S_ISREG(statbuf.st_mode)))
{
if((statbuf.st_mode & S_IXUSR) == S_IXUSR)
{
if(_wx)
fprintf(_wx, "%s\n",file_name);
-
- _sys_errors++;
+
+ _sys_errors++;
}
else
{
unsigned int entry_count = 0;
int did_changed = 0;
DIR *dp;
-
+
struct dirent *entry;
struct stat statbuf;
-
+
#ifndef WIN32
char *(dirs_to_doread[]) = { "/bin", "/sbin", "/usr/bin",
- "/usr/sbin", "/dev", "/etc",
+ "/usr/sbin", "/dev", "/etc",
"/boot", NULL };
#endif
-
+
if((dir_name == NULL)||(strlen(dir_name) > PATH_MAX))
{
merror("%s: Invalid directory given.",ARGV0);
i = 0;
}
-
-
+
+
/* Getting the number of nodes. The total number on opendir
* must be the same
*/
{
return(-1);
}
-
-
+
+
/* Currently device id */
if(did != statbuf.st_dev)
{
did_changed = 1;
did = statbuf.st_dev;
}
-
-
+
+
if(!S_ISDIR(statbuf.st_mode))
{
return(-1);
}
-
+
#ifndef WIN32
/* Check if the do_read is valid for this directory */
#else
do_read = 0;
#endif
-
-
+
+
/* Opening the directory given */
dp = opendir(dir_name);
if(!dp)
{
if((strcmp(dir_name, "") == 0)&&
- (dp = opendir("/")))
+ (dp = opendir("/")))
{
/* ok */
}
/* Just ignore . and .. */
if((strcmp(entry->d_name,".") == 0) ||
- (strcmp(entry->d_name,"..") == 0))
+ (strcmp(entry->d_name,"..") == 0))
{
entry_count++;
continue;
#ifndef Darwin
if(S_ISDIR(statbuf_local.st_mode))
#else
- if(S_ISDIR(statbuf_local.st_mode) ||
+ if(S_ISDIR(statbuf_local.st_mode) ||
S_ISREG(statbuf_local.st_mode) ||
S_ISLNK(statbuf_local.st_mode))
#endif
}
}
-
+
/* Checking every file against the rootkit database */
for(i = 0; i<= rk_sys_count; i++)
{
/* Entry count for directory different than the actual
* link count from stats.
*/
- if((entry_count != statbuf.st_nlink) &&
+ if((entry_count != statbuf.st_nlink) &&
((did_changed == 0) || ((entry_count + 1) != statbuf.st_nlink)))
{
#ifndef WIN32
struct stat statbuf2;
char op_msg[OS_SIZE_1024 +1];
-
- if((lstat(dir_name, &statbuf2) == 0) &&
+
+ if((lstat(dir_name, &statbuf2) == 0) &&
(statbuf2.st_nlink != entry_count))
{
snprintf(op_msg, OS_SIZE_1024, "Files hidden inside directory "
{
notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
_sys_errors++;
- }
+ }
#else
notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
#endif
}
-
+
closedir(dp);
-
+
return(0);
}
_sys_errors = 0;
_sys_total = 0;
did = 0; /* device id */
-
+
snprintf(file_path, OS_SIZE_1024, "%s", basedir);
}
-
+
/* Scan the whole file system -- may be slow */
- if(rootcheck.scanall)
+ if(rootcheck.scanall)
{
#ifndef WIN32
snprintf(file_path, 3, "%s", "/");
read_sys_dir(file_path, rootcheck.readall);
}
-
+
/* Scan only specific directories */
else
{
int _i = 0;
-
+
#ifndef WIN32
char *(dirs_to_scan[]) = {"/bin", "/sbin", "/usr/bin",
"/usr/sbin", "/dev", "/lib",
"/etc", "/root", "/var/log",
"/var/mail", "/var/lib", "/var/www",
"/usr/lib", "/usr/include",
- "/tmp", "/boot", "/usr/local",
+ "/tmp", "/boot", "/usr/local",
"/var/tmp", "/sys", NULL};
#else
char *(dirs_to_scan[]) = {"C:\\WINDOWS", "C:\\Program Files", NULL};
#endif
-
+
for(_i = 0; _i <= 24; _i++)
{
if(dirs_to_scan[_i] == NULL)
break;
-
- #ifndef WIN32
- snprintf(file_path, OS_SIZE_1024, "%s%s",
- basedir,
+
+ #ifndef WIN32
+ snprintf(file_path, OS_SIZE_1024, "%s%s",
+ basedir,
dirs_to_scan[_i]);
read_sys_dir(file_path, rootcheck.readall);
#else
read_sys_dir(dirs_to_scan[_i], rootcheck.readall);
#endif
-
+
}
}
-
+
if(_sys_errors == 0)
{
char op_msg[OS_SIZE_1024 +1];
char op_msg[OS_SIZE_1024 +1];
snprintf(op_msg, OS_SIZE_1024, "Check the following files for more "
"information:\n%s%s%s",
- (ftell(_wx) == 0)?"":
+ (ftell(_wx) == 0)?"":
" rootcheck-rw-rw-rw-.txt (list of world writable files)\n",
(ftell(_ww) == 0)?"":
" rootcheck-rwxrwxrwx.txt (list of world writtable/executable files)\n",
- (ftell(_suid) == 0)?"":
+ (ftell(_suid) == 0)?"":
" rootcheck-suid-files.txt (list of suid files)");
-
+
notify_rk(ALERT_SYSTEM_ERROR, op_msg);
}
unlink("rootcheck-rw-rw-rw-.txt");
fclose(_wx);
}
-
+
if(_ww)
{
if(ftell(_ww) == 0)
unlink("rootcheck-rwxrwxrwx.txt");
fclose(_ww);
}
-
+
if(_suid)
{
if(ftell(_suid) == 0)
unlink("rootcheck-suid-files.txt");
- fclose(_suid);
+ fclose(_suid);
}
-
+
return;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/check_rc_trojans.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#include "shared.h"
#include "rootcheck.h"
/* Normalizing line */
nbuf = normalize_string(buf);
-
+
if(*nbuf == '\0' || *nbuf == '#')
{
{
continue;
}
-
+
*string_to_look = '\0';
string_to_look++;
}
*message = '\0';
message++;
-
+
string_to_look = normalize_string(string_to_look);
file = normalize_string(file);
message = normalize_string(message);
-
-
+
+
if(*file == '\0' || *string_to_look == '\0')
{
continue;
}
-
+
_total++;
-
-
+
+
/* Trying with all possible paths */
while(all_paths[i] != NULL)
{
if(*file != '/')
{
- snprintf(file_path, OS_SIZE_1024, "%s/%s/%s",basedir,
+ snprintf(file_path, OS_SIZE_1024, "%s/%s/%s",basedir,
all_paths[i],
file);
}
strncpy(file_path, file, OS_SIZE_1024);
file_path[OS_SIZE_1024 -1] = '\0';
}
-
+
/* Checking if entry is found */
if(is_file(file_path) && os_string(file_path, string_to_look))
{
char op_msg[OS_SIZE_1024 +1];
_errors = 1;
-
+
snprintf(op_msg, OS_SIZE_1024, "Trojaned version of file "
- "'%s' detected. Signature used: '%s' (%s).",
+ "'%s' detected. Signature used: '%s' (%s).",
file_path,
string_to_look,
*message == '\0'?
}
i++;
}
- continue;
+ continue;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/common.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/main/license/ .
*/
-
+
#include "shared.h"
#include "rootcheck.h"
-#include "os_regex/os_regex.h"
+#include "os_regex/os_regex.h"
{
/* Just ignore . and .. */
if((strcmp(entry->d_name,".") == 0) ||
- (strcmp(entry->d_name,"..") == 0))
+ (strcmp(entry->d_name,"..") == 0))
{
continue;
}
/* Creating new file + path string */
snprintf(f_name, PATH_MAX +1, "%s/%s",dir, entry->d_name);
-
+
/* Checking if the read entry, matches the provided file name. */
if(strncasecmp(file, "r:", 2) == 0)
{
}
}
}
-
+
/* Trying without regex. */
else
{
}
}
-
+
/* Checking if file is a directory */
if(lstat(f_name, &statbuf_local) == 0)
{
int rk_check_file(char *file, char *pattern)
{
char *split_file;
- int full_negate = 0;
- int pt_result = 0;
-
+ int full_negate = 0;
+ int pt_result = 0;
+
FILE *fp;
char buf[OS_SIZE_2048 +1];
-
-
+
+
/* If string is null, we don't match */
if(file == NULL)
{
/* Getting each file */
do
{
-
+
/* If we don't have a pattern, just check if the file/dir is there */
if(pattern == NULL)
while(rootcheck.alert_msg[i] && (i < 255))
i++;
-
+
if(!rootcheck.alert_msg[i])
os_strdup(_b_msg, rootcheck.alert_msg[i]);
else
{
- full_negate = pt_check_negate(pattern);
+ full_negate = pt_check_negate(pattern);
/* Checking for a content in the file */
- debug1("checking file: %s", file);
+ debug1("checking file: %s", file);
fp = fopen(file, "r");
if(fp)
{
- debug1(" starting new file: %s", file);
+ debug1(" starting new file: %s", file);
buf[OS_SIZE_2048] = '\0';
while(fgets(buf, OS_SIZE_2048, fp) != NULL)
{
/* Matched */
pt_result = pt_matches(buf, pattern);
- debug1("Buf == \"%s\"", buf);
+ debug1("Buf == \"%s\"", buf);
debug1("Pattern == \"%s\"", pattern);
debug1("pt_result == %d and full_negate == %d", pt_result, full_negate);
if((pt_result == 1 && full_negate == 0) )
_b_msg[OS_SIZE_1024] = '\0';
snprintf(_b_msg, OS_SIZE_1024, " File: %s.",
file);
-
+
/* Already present. */
if(_is_str_in_array(rootcheck.alert_msg, _b_msg))
{
else if((pt_result == 0 && full_negate == 1) )
{
/* found a full+negate match so no longer need to search
- * break out of loop and amke sure the full negate does
- * not alertin
+ * break out of loop and amke sure the full negate does
+ * not alertin
*/
debug1("found a complete match for full_negate");
- full_negate = 0;
- break;
+ full_negate = 0;
+ break;
}
}
fclose(fp);
- if(full_negate == 1)
+ if(full_negate == 1)
{
debug1("full_negate alerting - file %s",file);
int i = 0;
_b_msg[OS_SIZE_1024] = '\0';
snprintf(_b_msg, OS_SIZE_1024, " File: %s.",
file);
-
+
/* Already present. */
if(_is_str_in_array(rootcheck.alert_msg, _b_msg))
{
split_file++;
}
}
-
-
+
+
}while(split_file);
char *mypattern = NULL;
os_strdup(pattern, mypattern);
char *tmp_pt = mypattern;
- char *tmp_pattern = mypattern;
+ char *tmp_pattern = mypattern;
char *tmp_ret = NULL;
tmp_pt = strchr(tmp_pattern, ' ');
if(tmp_pt && tmp_pt[1] == '&' && tmp_pt[2] == '&' && tmp_pt[3] == ' ')
{
- /* Marking pointer to clean it up */
+ /* Marking pointer to clean it up */
tmp_ret = tmp_pt;
-
+
*tmp_pt = '\0';
tmp_pt += 4;
}
free(mypattern);
return 0;
}
-
+
tmp_pattern = tmp_pt;
}
* =: (for equal) - default - strcasecmp
* r: (for ossec regexes)
* >: (for strcmp greater)
- * <: (for strcmp lower)
+ * <: (for strcmp lower)
*
* Multiple patterns can be specified by using " && " between them.
* All of them must match for it to return true.
{
return(0);
}
-
+
while(tmp_pt != NULL)
{
/* We first look for " && " */
tmp_pt = strchr(pattern, ' ');
if(tmp_pt && tmp_pt[1] == '&' && tmp_pt[2] == '&' && tmp_pt[3] == ' ')
{
- /* Marking pointer to clean it up */
+ /* Marking pointer to clean it up */
tmp_ret = tmp_pt;
-
+
*tmp_pt = '\0';
tmp_pt += 4;
}
pattern++;
neg = 1;
}
-
+
/* Doing strcasecmp */
if(strncasecmp(pattern, "=:", 2) == 0)
{
#ifdef WIN32
char final_file[2048 +1];
-
+
/* Try to get Windows variable */
if(*pattern == '%')
{
{
ret_code = 1;
}
-
+
#else
if(strcasecmp(pattern, str) == 0)
{
tmp_ret = NULL;
}
-
+
/* If we have "!", return true if we don't match */
if(neg == 1)
{
break;
}
}
-
+
ret_code = 1;
pattern = tmp_pt;
}
*/
char *normalize_string(char *str)
{
- int str_sz = strlen(str) -1;
-
+ unsigned int str_sz = strlen(str);
+ // return zero-length str as is
+ if (str_sz == 0) {
+ return str;
+ } else {
+ str_sz--;
+ }
+ // remove trailing spaces
+ while(str[str_sz] == ' ' || str[str_sz] == '\t')
+ {
+ if(str_sz == 0)
+ break;
+
+ str[str_sz--] = '\0';
+ }
+ // ignore leading spaces
while(*str != '\0')
{
if(*str == ' ' || *str == '\t')
}
}
- while(str[str_sz] == ' ' || str[str_sz] == '\t')
- {
- str[str_sz] = '\0';
- str_sz--;
- }
-
return(str);
}
+
+
/** int isfile_ondir(char *file, char *dir)
* Checks is 'file' is present on 'dir' using readdir
*/
DIR *dp = NULL;
struct dirent *entry;
dp = opendir(dir);
-
+
if(!dp)
return(0);
return(1);
}
}
-
+
closedir(dp);
return(0);
}
int is_file(char *file_name)
{
int ret = 0;
-
+
struct stat statbuf;
FILE *fp = NULL;
DIR *dp = NULL;
#ifndef WIN32
-
+
char curr_dir[1024];
-
+
char *file_dirname;
char *file_basename;
-
+
curr_dir[1023] = '\0';
return(0);
}
-
+
/* If file_basename == file_name, then the file
* only has one slash at the beginning.
*/
ret = 1;
}
}
-
+
#else
dp = opendir(file_name);
if(dp)
closedir(dp);
ret = 1;
}
-
+
#endif /* WIN32 */
-
+
/* Trying other calls */
if( (stat(file_name, &statbuf) < 0) &&
#ifndef WIN32
/* must close it over here */
if(fp)
fclose(fp);
-
+
return(1);
}
{
free(pinfo->p_path);
}
-
+
free(l_node->data);
if(p_node)
char _b_msg[OS_SIZE_1024 +1];
_b_msg[OS_SIZE_1024] = '\0';
-
+
snprintf(_b_msg, OS_SIZE_1024, " Process: %s.",
pinfo->p_path);
{
return(1);
}
-
+
while(rootcheck.alert_msg[i] && (i< 255))
i++;
return(0);
}
-
-
+
+
/* EOF */
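Review bot: `normalize_string` now keeps `strlen(str)` in an `unsigned int` (line 34091), which truncates the `size_t` result on a large input; `size_t str_sz = strlen(str);` keeps the index type consistent with the library calls and costs nothing. The rewrite does fix the old read of `str[-1]` on an empty string and the index underflow on an all-blank string, and that is worth stating in the header comment above the function (only its closing `*/` is in the hunk), e.g. `/* Strips leading and trailing blanks in place; accepts "" and all-blank input and returns a pointer into str. */`. The two `//` comments added here are the only line comments in a file that otherwise uses `/* */`. A NULL `str` still dereferences as before, so that is unchanged behaviour rather than a regression.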
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/common_rcl.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/main/license/
*/
-
+
#include "shared.h"
#include "rootcheck.h"
#define RKCL_COND_ALL 0x001
#define RKCL_COND_ANY 0x002
#define RKCL_COND_REQ 0x004
-#define RKCL_COND_INV 0x010
+#define RKCL_COND_INV 0x010
final_file[0] = '\0';
final_file[2048] = '\0';
-
+
ExpandEnvironmentStrings("%WINDIR%", final_file, 2047);
tmp = strchr(final_file, '\\');
strncpy(root_dir, final_file, dir_size);
return(root_dir);
}
-
+
return(NULL);
#endif
char *var_name;
char *var_value;
char *tmp;
-
+
/* If not a variable, return 0 */
if(*nbuf != '$')
{
{
return(-1);
}
-
+
/* Getting value. */
tmp = strchr(nbuf, '=');
{
char *tmp_location;
char *tmp_location2;
-
+
*condition = 0;
/* Checking if name is valid */
return(NULL);
}
*tmp_location = '\0';
-
-
+
+
/* Getting condition */
tmp_location++;
if(*tmp_location != ' ' && tmp_location[1] != '[')
}
*tmp_location2 = '\0';
tmp_location2++;
-
-
+
+
/* Getting condition */
if(strcmp(tmp_location, "all") == 0)
{
*tmp_location = '\0';
/* Copying reference */
- strncpy(ref, tmp_location2, 255);
+ strncpy(ref, tmp_location2, 255);
return(strdup(buf));
}
*value = '\0';
value++;
-
+
tmp_str = strchr(value, ';');
if(tmp_str == NULL)
{
return(NULL);
}
*tmp_str = '\0';
-
+
/* Getting types - removing negate flag (using later) */
if(*buf == '!')
{
buf++;
}
-
+
if(strcmp(buf, "f") == 0)
{
*type = RKCL_TYPE_FILE;
memset(final_file, '\0', sizeof(final_file));
memset(ref, '\0', sizeof(ref));
-
+
root_dir_len = sizeof(root_dir) -1;
_rkcl_getrootdir(root_dir, root_dir_len);
if(root_dir[0] == '\0')
{
- merror(INVALID_ROOTDIR, ARGV0);
+ merror(INVALID_ROOTDIR, ARGV0);
}
- #endif
+ #endif
/* Getting variables */
vars = OSStore_Create();
-
+
/* We first read all variables -- they must be defined at the top. */
while(1)
merror(INVALID_RKCL_NAME, ARGV0, nbuf);
goto clean_return;
}
-
+
/* Getting the real entries. */
do
{
int g_found = 0;
-
-
+
+
/* Getting entry name */
if(name == NULL)
{
int negate = 0;
int found = 0;
value = NULL;
-
+
nbuf = _rkcl_getfp(fp, buf);
if(nbuf == NULL)
{
break;
}
-
+
/* We first try to get the name, looking for new entries */
if(_rkcl_is_name(nbuf))
{
break;
}
-
-
+
+
/* Getting value to look for */
value = _rkcl_get_value(nbuf, &type);
if(value == NULL)
continue;
}
}
-
+
#ifdef WIN32
else if(value[0] == '\\')
{
final_file[0] = '\0';
final_file[sizeof(final_file) -1] = '\0';
-
- snprintf(final_file, sizeof(final_file) -2, "%s%s",
+
+ snprintf(final_file, sizeof(final_file) -2, "%s%s",
root_dir, value);
f_value = final_file;
}
{
final_file[0] = '\0';
final_file[sizeof(final_file) -1] = '\0';
-
- ExpandEnvironmentStrings(value, final_file,
+
+ ExpandEnvironmentStrings(value, final_file,
sizeof(final_file) -2);
f_value = final_file;
}
found = 1;
}
}
-
+
/* Checking for a registry entry */
else if(type == RKCL_TYPE_REGISTRY)
{
char *entry = NULL;
char *pattern = NULL;
-
-
+
+
/* Looking for additional entries in the registry
* and a pattern to match.
*/
{
pattern = _rkcl_get_pattern(entry);
}
-
-
+
+
#ifdef WIN32
debug2("%s: DEBUG: Checking registry: '%s'.", ARGV0, value);
if(is_registry(value, entry, pattern))
char *f_value = NULL;
char *dir = NULL;
-
+
file = _rkcl_get_pattern(value);
if(file)
{
f_value = value;
}
-
+
/* Checking for multiple, comma separated directories. */
dir = f_value;
f_value = strchr(dir, ',');
{
*f_value = '\0';
}
-
+
while(dir)
{
debug2("%s: DEBUG: Found dir.", ARGV0);
found = 1;
}
-
+
if(f_value)
{
*f_value = ',';
f_value++;
-
+
dir = f_value;
-
+
f_value = strchr(dir, ',');
if(f_value)
{
}
}
}
-
+
/* Checking for a process. */
else if(type == RKCL_TYPE_PROCESS)
}
}
}while(value != NULL);
-
-
+
+
/* Alerting if necessary */
if(g_found == 1)
{
char op_msg[OS_SIZE_1024 +1];
char **p_alert_msg = rootcheck.alert_msg;
- while(1)
+ while(1)
{
if(ref[0] != '\0')
{
snprintf(op_msg, OS_SIZE_1024, "%s %s.%s"
- " Reference: %s .",msg, name,
+ " Reference: %s .",msg, name,
p_alert_msg[j]?p_alert_msg[j]:"\0",
ref);
}
else
{
- snprintf(op_msg, OS_SIZE_1024, "%s %s.%s",msg,
+ snprintf(op_msg, OS_SIZE_1024, "%s %s.%s",msg,
name, p_alert_msg[j]?p_alert_msg[j]:"\0");
}
goto clean_return;
}
}
-
+
/* Ending if we don't have anything else. */
if(!nbuf)
free(name);
name = NULL;
}
-
+
/* Getting name already read */
name = _rkcl_get_name(nbuf, ref, &condition);
name = NULL;
}
vars = OSStore_Free(vars);
-
-
+
+
return(1);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
modules|= CAGENT_CONFIG;
ReadConfig(modules, AGENTCONFIG, &rootcheck, NULL);
#endif
-
+
return(0);
}
-# @(#) $Id$
+# @(#) $Id: ./src/rootcheck/db/cis_debian_linux_rcl.txt, 2011/09/08 dcid Exp $
+
#
# OSSEC Linux Audit - (C) 2008 Daniel B. Cid - dcid@ossec.net
#
# Section 2.4 Enable system accounting
-[CIS - Debian Linux 2.4 - System Accounting - Sysstat not installed] [all] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
-f:!/etc/default/sysstat;
-f:!/var/log/sysstat;
+#[CIS - Debian Linux 2.4 - System Accounting - Sysstat not installed] [all] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
+#f:!/etc/default/sysstat;
+#f:!/var/log/sysstat;
-[CIS - Debian Linux 2.4 - System Accounting - Sysstat not enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
-f:!/etc/default/sysstat;
-f:/etc/default/sysstat -> !r:^# && r:ENABLED="false";
+#[CIS - Debian Linux 2.4 - System Accounting - Sysstat not enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
+#f:!/etc/default/sysstat;
+#f:/etc/default/sysstat -> !r:^# && r:ENABLED="false";
# Section 2.5 Install and run Bastille
-[CIS - Debian Linux 2.5 - System harderning - Bastille is not installed] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
-f:!/etc/Bastille;
+#[CIS - Debian Linux 2.5 - System harderning - Bastille is not installed] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
+#f:!/etc/Bastille;
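Review bot: The Sysstat and Bastille checks are commented out here, and likewise in cis_rhel5_linux_rcl.txt and cis_rhel_linux_rcl.txt, without a word on why; a disabled check is a coverage gap the next maintainer cannot judge. A one-line comment above each disabled block, e.g. `# Disabled: <reason>`, would record whether this is a false-positive fix or a policy decision and stop someone re-enabling it blindly.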
-# @(#) $Id$
+# @(#) $Id: ./src/rootcheck/db/cis_rhel5_linux_rcl.txt, 2011/09/08 dcid Exp $
+
#
# OSSEC Linux Audit - (C) 2008 Daniel B. Cid - dcid@ossec.net
#
# Section 2.4 Enable system accounting
-[CIS - RHEL5 2.4 - System Accounting - Sysstat not installed] [all] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
-f:!/var/log/sa;
+#[CIS - RHEL5 2.4 - System Accounting - Sysstat not installed] [all] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
+#f:!/var/log/sa;
-# @(#) $Id$
+# @(#) $Id: ./src/rootcheck/db/cis_rhel_linux_rcl.txt, 2011/09/08 dcid Exp $
+
#
# OSSEC Linux Audit - (C) 2008 Daniel B. Cid - dcid@ossec.net
#
# Section 1.4 Enable system accounting
-[CIS - Red Hat Linux 1.4 - System Accounting - Sysstat not installed] [all] [http://www.ossec.net/wiki/index.php/CIS_RHEL]
-f:!/var/log/sa;
+#[CIS - Red Hat Linux 1.4 - System Accounting - Sysstat not installed] [all] [http://www.ossec.net/wiki/index.php/CIS_RHEL]
+#f:!/var/log/sa;
# Section 2.5 Install and run Bastille
-[CIS - Red Hat Linux 1.5 - System harderning - Bastille is not installed] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL]
-f:!/etc/Bastille;
+#[CIS - Red Hat Linux 1.5 - System harderning - Bastille is not installed] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL]
+#f:!/etc/Bastille;
-# @(#) $Id$
+# @(#) $Id: ./src/rootcheck/db/rootkit_files.txt, 2011/09/08 dcid Exp $
+
#
# rootkit_files.txt, (C) Daniel B. Cid
# Imported from the rootcheck project.
# PHALANX rootkit
-usr/share/.home.ph1 ! PHALANX rootkit ::
-usr/share/.home.ph1/tty ! PHALANX rootkit ::
+usr/share/.home* ! PHALANX rootkit ::
+usr/share/.home*/tty ! PHALANX rootkit ::
etc/host.ph1 ! PHALANX rootkit ::
bin/host.ph1 ! PHALANX rootkit ::
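Review bot: `usr/share/.home*` introduces a wildcard into a list whose other entries are literal paths; unless the file check expands globs (nothing in this diff shows that), the `*` is compared literally and the PHALANX entry stops matching at all. If glob support was added elsewhere in this commit, a comment at the top of the file stating that `*` is honoured in path entries would make the format explicit for future entries.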
-# @(#) $Id$
+# @(#) $Id: ./src/rootcheck/db/rootkit_trojans.txt, 2012/04/26 dcid Exp $
+
#
# rootkit_trojans.txt, (C) Daniel B. Cid
# Imported from the rootcheck project.
in.telnetd !cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/!
in.fingerd !bash|^/bin/sh|cterm100|/dev/!
identd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
-init !bash|/dev/h|HOME!
+init !bash|/dev/h
tcpd !bash|proc\.h|p1r0c4|hack|/dev/[^n]!
rlogin !p1r0c4|r00t|bash|/dev/[^nt]!
# Rootkit entries
-/sbin/init !HOME! Suckit rootkit
-/proc/1/maps !init.! Suckit rootkit
/etc/rc.d/rc.sysinit !enyelkmHIDE! enye-sec Rootkit
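Review bot: The rewritten `init` entry drops the closing `!` delimiter (`init !bash|/dev/h` replaces `init !bash|/dev/h|HOME!`), so it no longer has the `!pattern!` shape every other entry in the file uses; if the loader in check_rc_trojans.c locates the message by the second `!`, this entry is skipped and the init check silently disappears instead of merely losing the `HOME` term. The intended line is presumably `init !bash|/dev/h!`. The two Suckit entries removed below look like the same `HOME` false-positive cleanup; a one-line `#` comment saying so would keep them from being re-added.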
-# @(#) $Id$
+# @(#) $Id: ./src/rootcheck/db/system_audit_rcl.txt, 2012/02/13 dcid Exp $
+
#
# OSSEC Linux Audit - (C) 2007 Daniel B. Cid - dcid@ossec.net
#
f:$php.ini -> r:^allow_url_fopen = On;
-# PHP checks
-[PHP - Safe mode disabled] [any] []
-f:$php.ini -> r:^safe_mode = Off;
-
# PHP checks
[PHP - Displaying of errors is enabled] [any] []
## Looking for common web exploits (might indicate that you are owned).
## Using http://www.ossec.net/wiki/index.php/WebAttacks_links as a reference.
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^echo$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^id.txt$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^irc.txt$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^stringa.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^cmd1.gif$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^mambo1.txt$|^hai.txt$|^iyes.txt$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^57.txt$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^r57.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^evilx$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^cmd$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^root.gif -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^bn.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^kk.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^graba.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^no.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^ddos.pl -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^rox.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^lila.jpg -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^safe.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^rootlab.jpg -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^tool25.dat -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^sela.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^zero.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^paged.gif -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^hh.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^metodi.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^idpitbull.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^echo.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^ban.gif -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^c.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^gay.txt -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^genlog.txt$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^safe$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^safe3$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^tool25.txt$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^test.txt$ -> r:<?|^#!;
-
-[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
-d:$web_dirs -> ^safeon.txt$ -> r:<?|^#!;
+#[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
+#d:$web_dirs -> .txt$ -> r:^<?php|^#!;
## Looking for common web exploits files (might indicate that you are owned).
[Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
d:$web_dirs -> ^.shell$;
+
+## Looking for outdated Web applications
+## Taken from http://sucuri.net/latest-versions
+[Web vulnerability - Outdated WordPress installation] [any] [http://sucuri.net/latest-versions]
+d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:$wp_version = '3.2.1';
+
+[Web vulnerability - Outdated Joomla (v1.0) installation] [any] [http://sucuri.net/latest-versions]
+d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:'1.0';
+
+#[Web vulnerability - Outdated Joomla (v1.5) installation] [any] [http://sucuri.net/latest-versions]
+#d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:'1.5' && r:'23'
+
+[Web vulnerability - Outdated osCommerce (v2.2) installation] [any] [http://sucuri.net/latest-versions]
+d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;
+
+
+## Looking for known backdoors
+[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode] [any] []
+d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo;
+
+[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST] [any] []
+d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST;
+
+[Web vulnerability - .htaccess file compromised] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html]
+d:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google;
+
+[Web vulnerability - .htaccess file compromised - auto append] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html]
+d:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file;
+
+
# EOF #
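Review bot: The WordPress rule compares the version line with `>:`, which the pattern-syntax comment in common.c in this same diff describes as a plain strcmp, so the comparison is lexicographic (`'3.10.1'` sorts as older than `'3.2.1'`) and the hard-coded `3.2.1` threshold goes stale with every upstream release. At minimum a comment above the rule should state that the compare is string-based and when the threshold was taken, e.g. `# NOTE: lexicographic compare; threshold current as of <date>`. The commented-out Joomla 1.5 rule also lacks the terminating `;` the other entries carry, so it will not parse if someone simply uncomments it.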
-# @(#) $Id$
+# @(#) $Id: ./src/rootcheck/db/win_applications_rcl.txt, 2011/09/08 dcid Exp $
+
#
# OSSEC Application detection - (C) 2007 Daniel B. Cid - dcid@ossec.net
#
-# @(#) $Id$
+# @(#) $Id: ./src/rootcheck/db/win_audit_rcl.txt, 2011/09/08 dcid Exp $
+
#
# OSSEC Windows Audit - (C) 2007 Daniel B. Cid - dcid@ossec.net
#
-# @(#) $Id$
+# @(#) $Id: ./src/rootcheck/db/win_malware_rcl.txt, 2011/09/08 dcid Exp $
+
#
# OSSEC Windows Malware list - (C) 2007 Daniel B. Cid - dcid@ossec.net
#
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/os_string.c, 2011/09/08 dcid Exp $
+ */
/* Included and modified strings.c from the OpenBSD project.
* Copyright bellow.
*/
-
+
/*
* Copyright (c) 1980, 1987, 1993
* The Regents of the University of California. All rights reserved.
#ifdef AIX
-typedef struct aouthdr EXEC;
+typedef struct aouthdr EXEC;
#else
-typedef struct exec EXEC;
+typedef struct exec EXEC;
#endif
typedef struct _os_strings
int os_string(char *file, char *regex)
{
int ch, cnt;
-
+
unsigned char *C;
unsigned char *bfr;
-
+
char line[OS_SIZE_1024 +1];
char *buf;
-
+
EXEC *head;
os_strings oss;
-
+
/* Return didn't match */
if(!file || !regex)
{
return(0);
}
-
-
- /* Allocating for the buffer */
+
+
+ /* Allocating for the buffer */
bfr = calloc(STR_MINLEN + 2, sizeof(char *));
if (!bfr)
{
/* cleaning the line */
memset(line, '\0', OS_SIZE_1024 +1);
-
+
/* starting .. (from old strings.c) */
oss.foff = 0;
oss.head_len = 0;
-
+
oss.read_len = -1;
head = (EXEC *)oss.hbfr;
-
+
if ((oss.head_len = read(fileno(oss.fp), head, sizeof(EXEC))) == -1)
{
oss.head_len = 0;
oss.read_len = -1;
}
- else if (oss.head_len == sizeof(EXEC) && !N_BADMAG(*head))
+ else if (oss.head_len == sizeof(EXEC) && !N_BADMAG(*head))
{
oss.foff = N_TXTOFF(*head);
if (fseek(stdin, oss.foff, SEEK_SET) == -1)
}
/* Read the file and perform the regex comparison */
- for (cnt = 0; (ch = os_getch(&oss)) != EOF;)
+ for (cnt = 0; (ch = os_getch(&oss)) != EOF;)
{
- if (ISSTR(ch))
+ if (ISSTR(ch))
{
if (!cnt)
C = bfr;
*C++ = ch;
if (++cnt < STR_MINLEN)
continue;
-
+
strncpy(line, (char *)bfr, STR_MINLEN +1);
buf = line;
buf+=strlen(line);
-
+
while ((ch = os_getch(&oss)) != EOF && ISSTR(ch))
{
int os_getch(os_strings *oss)
{
++oss->foff;
- if (oss->head_len)
+ if (oss->head_len)
{
if (oss->hcnt < oss->head_len)
return((int)oss->hbfr[oss->hcnt++]);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/rootcheck-config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#include "rootcheck.h"
+/*evaluate boolean with two arguments
+ * str: input string, "yes"|"no"
+ * default_val: 1(yes)|0(no)
+ */
+short eval_bool2(char *str, short default_val)
+{
+ short ret = default_val;
+
+ if (str == NULL)
+ return(ret);
+ else if (strcmp(str, "yes") == 0)
+ ret = 1;
+ else if (strcmp(str, "no") == 0)
+ ret = 0;
+
+ free(str);
+ return(ret);
+}
+
+
/* Read_Rootcheck_Config: Reads the rootcheck config
*/
int Read_Rootcheck_Config(char * cfgfile)
char *(xml_readall[])={xml_rootcheck, "readall", NULL};
char *(xml_time[])={xml_rootcheck, "frequency", NULL};
+ char *(xml_check_dev[])={xml_rootcheck, "check_dev", NULL};
+ char *(xml_check_files[])={xml_rootcheck, "check_files", NULL};
+ char *(xml_check_if[])={xml_rootcheck, "check_if", NULL};
+ char *(xml_check_pids[])={xml_rootcheck, "check_pids", NULL};
+ char *(xml_check_ports[])={xml_rootcheck, "check_ports", NULL};
+ char *(xml_check_sys[])={xml_rootcheck, "check_sys", NULL};
+ char *(xml_check_trojans[])={xml_rootcheck, "check_trojans", NULL};
+
+ #ifdef WIN32
+
+ char *(xml_check_winapps[])={xml_rootcheck, "check_winapps", NULL};
+ char *(xml_check_winaudit[])={xml_rootcheck, "check_winaudit", NULL};
+ char *(xml_check_winmalware[])={xml_rootcheck, "check_winmalware", NULL};
+
+ #else
+
+ char *(xml_check_unixaudit[])={xml_rootcheck, "check_unixaudit", NULL};
+
+ #endif
+
/* :) */
xml_time[2] = NULL;
-
+
if(OS_ReadXML(cfgfile,&xml) < 0)
{
merror("config_op: XML error: %s",xml.err);
/* run as a daemon */
- str = OS_GetOneContentforElement(&xml,xml_daemon);
- if(str)
- {
- if(str[0] == 'n')
- rootcheck.daemon = 0;
- free(str);
- str = NULL;
- }
+ rootcheck.daemon = eval_bool2(OS_GetOneContentforElement(&xml,xml_daemon), rootcheck.daemon);
/* time */
#ifdef OSSECHIDS
str = NULL;
}
#endif
-
-
+
+
/* Scan all flag */
if(!rootcheck.scanall)
{
- str = OS_GetOneContentforElement(&xml,xml_scanall);
- if(str)
- {
- if(str[0] == 'y')
- rootcheck.scanall = 1;
- free(str);
- str = NULL;
- }
+ rootcheck.scanall = eval_bool2(OS_GetOneContentforElement(&xml,xml_scanall), 0);
}
/* read all flag */
if(!rootcheck.readall)
{
- str = OS_GetOneContentforElement(&xml,xml_readall);
- if(str)
- {
- if(str[0] == 'y')
- rootcheck.readall = 1;
- free(str);
- str = NULL;
- }
+ rootcheck.readall = eval_bool2(OS_GetOneContentforElement(&xml,xml_readall), 0);
}
-
-
+
+
/* Notifications type */
str = OS_GetOneContentforElement(&xml,xml_notify);
if(str)
"'syslog' or 'queue' are allowed.",ARGV0);
return(-1);
}
-
+
free(str);
- str = NULL;
+ str = NULL;
}
else
{
/* Getting work directory */
if(!rootcheck.workdir)
- rootcheck.workdir = OS_GetOneContentforElement(&xml,xml_workdir);
-
-
+ rootcheck.workdir = OS_GetOneContentforElement(&xml,xml_workdir);
+
+
rootcheck.rootkit_files = OS_GetOneContentforElement
(&xml,xml_rootkit_files);
rootcheck.rootkit_trojans = OS_GetOneContentforElement
(&xml,xml_rootkit_trojans);
-
- rootcheck.unixaudit = OS_GetContents
+
+ rootcheck.unixaudit = OS_GetContents
(&xml,xml_rootkit_unixaudit);
rootcheck.winaudit = OS_GetOneContentforElement
rootcheck.winmalware = OS_GetOneContentforElement
(&xml,xml_rootkit_winmalware);
-
+
rootcheck.basedir = OS_GetOneContentforElement(&xml, xml_base_dir);
+ rootcheck.checks.rc_dev = eval_bool2(OS_GetOneContentforElement(&xml,xml_check_dev), 1);
+ rootcheck.checks.rc_files = eval_bool2(OS_GetOneContentforElement(&xml,xml_check_files), 1);
+ rootcheck.checks.rc_if = eval_bool2(OS_GetOneContentforElement(&xml,xml_check_if), 1);
+ rootcheck.checks.rc_pids = eval_bool2(OS_GetOneContentforElement(&xml,xml_check_pids), 1);
+ rootcheck.checks.rc_ports = eval_bool2(OS_GetOneContentforElement(&xml,xml_check_ports), 1);
+ rootcheck.checks.rc_sys = eval_bool2(OS_GetOneContentforElement(&xml,xml_check_sys), 1);
+ rootcheck.checks.rc_trojans = eval_bool2(OS_GetOneContentforElement(&xml,xml_check_trojans), 1);
+
+ #ifdef WIN32
+
+ rootcheck.checks.rc_winapps = eval_bool2(OS_GetOneContentforElement(&xml,xml_check_winapps), 1);
+ rootcheck.checks.rc_winaudit = eval_bool2(OS_GetOneContentforElement(&xml,xml_check_winaudit), 1);
+ rootcheck.checks.rc_winmalware = eval_bool2(OS_GetOneContentforElement(&xml,xml_check_winmalware), 1);
+
+ #else
+
+ rootcheck.checks.rc_unixaudit = eval_bool2(OS_GetOneContentforElement(&xml,xml_check_unixaudit), 1);
+
+ #endif
OS_ClearXML(&xml);
-
+
debug1("%s: DEBUG: Daemon set to '%d'",ARGV0, rootcheck.daemon);
debug1("%s: DEBUG: alert set to '%d'",ARGV0, rootcheck.notify);
-
+
return(0);
}
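Review bot: `eval_bool2` silently keeps the default for anything other than the exact strings `yes`/`no`, whereas the code it replaces (lines 34967–34974, 34988–34995, 35001–35008) accepted any value starting with `y`/`n`; a config value such as `Yes` or `no ` (trailing blank) now leaves a check enabled or the daemon flag unchanged without any message. Log the fallback before the `free`, e.g. `else merror("%s: Invalid value '%s', using default.", ARGV0, str);`, using the same `merror`/`ARGV0` form this file already uses. The header comment should also state that the function takes ownership of `str` and frees it, since every caller passes a freshly allocated `OS_GetOneContentforElement` result and must not reuse it. `eval_bool2` is complete in the hunk; `Read_Rootcheck_Config` starts at the visible declaration and its body is only partly shown.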
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/rootcheck.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
/*
* Rootcheck v 0.3
* Copyright (C) 2003 Daniel B. Cid <daniel@underlinux.com.br>
int rootcheck_init(int test_config)
{
int c;
-
-#endif
-
- #ifdef OSSECHIDS
+
+#endif
+
+ #ifdef OSSECHIDS
char *cfg = DEFAULTCPATH;
#else
char *cfg = "./rootcheck.conf";
#endif
-
- /* Zeroing the structure */
+
+ /* Zeroing the structure, initializing default values */
rootcheck.workdir = NULL;
rootcheck.basedir = NULL;
rootcheck.unixaudit = NULL;
rootcheck.time = ROOTCHECK_WAIT;
+ rootcheck.checks.rc_dev = 1;
+ rootcheck.checks.rc_files = 1;
+ rootcheck.checks.rc_if = 1;
+ rootcheck.checks.rc_pids = 1;
+ rootcheck.checks.rc_ports = 1;
+ rootcheck.checks.rc_sys = 1;
+ rootcheck.checks.rc_trojans = 1;
+
+ #ifdef WIN32
+
+ rootcheck.checks.rc_winaudit = 1;
+ rootcheck.checks.rc_winmalware = 1;
+ rootcheck.checks.rc_winapps = 1;
+
+ #else
+
+ rootcheck.checks.rc_unixaudit = 1;
+
+ #endif
+
/* We store up to 255 alerts in there. */
os_calloc(256, sizeof(char *), rootcheck.alert_msg);
c = 0;
rootcheck.alert_msg[c] = NULL;
c++;
}
-
+
#ifndef OSSECHIDS
rootcheck.notify = SYSLOG;
break;
case 't':
test_config = 1;
- break;
+ break;
case 'r':
rootcheck.readall = 1;
- break;
+ break;
default:
rootcheck_help();
- break;
+ break;
}
}
-
+
#ifdef WIN32
/* Starting Winsock */
{
}
}
#endif
-
-
+
+
#endif /* OSSECHIDS */
-
+
/* Staring message */
debug1(STARTED_MSG,ARGV0);
verbose("%s: Rootcheck disabled. Exiting.", ARGV0);
return(1);
}
-
-
+
+
/* Checking if Unix audit file is configured. */
if(!rootcheck.unixaudit)
{
log2file("%s: System audit file not configured.", ARGV0);
#endif
}
-
-
+
+
/* Setting default values */
if(rootcheck.workdir == NULL)
rootcheck.workdir = DEFAULTDIR;
#ifdef OSSECHIDS
-
+
/* Start up message */
#ifdef WIN32
verbose(STARTUP_MSG, "ossec-rootcheck", getpid());
#else
-
+
/* Connect to the queue if configured to do so */
if(rootcheck.notify == QUEUE)
{
debug1("%s: Starting queue ...",ARGV0);
-
+
/* Starting the queue. */
if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
- {
+ {
merror(QUEUE_ERROR,ARGV0,DEFAULTQPATH, strerror(errno));
-
+
/* 5 seconds to see if the agent starts */
sleep(5);
if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
}
#endif /* Not win32 */
-
+
#endif /* ossec hids */
#ifndef OSSECHIDS
-
+
#ifndef WIN32
/* Start the signal handling */
StartSIG(ARGV0);
#else
return(0);
-
+
#endif
-
+
debug1("%s: DEBUG: Running run_rk_check",ARGV0);
- run_rk_check();
+ run_rk_check();
-
- debug1("%s: DEBUG: Leaving...",ARGV0);
- return(0);
+ debug1("%s: DEBUG: Leaving...",ARGV0);
+
+ return(0);
}
/* EOF */
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
+
+ <check_files>yes</check_files>
+ <check_trojans>yes</check_trojans>
+
+ <check_unixaudit>yes</check_unixaudit>
+ <check_winapps>yes</check_winapps>
+ <check_winaudit>yes</check_winaudit>
+ <check_winmalware>yes</check_winmalware>
+
+ <check_dev>yes</check_dev>
+ <check_sys>yes</check_sys>
+ <check_pids>yes</check_pids>
+ <check_ports>yes</check_ports>
+ <check_if>yes</check_if>
</rootcheck>
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/rootcheck.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#ifndef __ROOTCHECK_H
#define __ROOTCHECK_H
/* rk_types */
#define ALERT_OK 0
-#define ALERT_SYSTEM_ERROR 1
+#define ALERT_SYSTEM_ERROR 1
#define ALERT_SYSTEM_CRIT 2
#define ALERT_ROOTKIT_FOUND 3
#define ALERT_POLICY_VIOLATION 4
/* int rk_check_dir(char *dir, char *file, char *pattern) */
int rk_check_dir(char *dir, char *file, char *pattern);
-
+
/* pt_matches: Checks if pattern is present on string */
int pt_matches(char *str, char *pattern);
-/* pt_check_negate: checks if the patterns is made up
+/* pt_check_negate: checks if the patterns is made up
* completely of negate matches */
int pt_check_negate(char *pattern);
/* int rkcl_get_entry: Reads cl configuration file. */
int rkcl_get_entry(FILE *fp, char *msg, void *p_list);
-
+
/** char *normalize_string
* Normalizes a string, removing white spaces and tabs
* from the begining and the end of it.
*/
char *normalize_string(char *str);
-
+
/* Check if regex is present on the file.
* Similar to `strings file | grep -r regex`
- */
+ */
int os_string(char *file, char *regex);
/* check for NTFS ADS (Windows only)
*/
int os_check_ads(char *full_path);
-/* os_get_process_list: Get list of processes
+/* os_get_process_list: Get list of processes
*/
void *os_get_process_list();
/* is_process: Check is a process is running.
*/
int is_process(char *value, void *p_list);
-
+
/* del_plist:. Deletes the process list
*/
int del_plist(void *p_list);
-
+
/* Used to report messages */
int notify_rk(int rk_type, char *msg);
void check_rc_pids();
/* Verifies if "pid" is in the proc directory */
-int check_rc_readproc(int pid);
+int check_rc_readproc(int pid);
void check_rc_ports();
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/run_rk_check.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#include "shared.h"
#include "rootcheck.h"
else if(rk_type == ALERT_SYSTEM_ERROR)
printf("[ERR]: %s\n", msg);
else if(rk_type == ALERT_POLICY_VIOLATION)
- printf("[INFO]: %s\n", msg);
+ printf("[INFO]: %s\n", msg);
else
{
printf("[FAILED]: %s\n", msg);
printf("\n");
return(0);
}
-
+
/* No need to alert on that to the server */
if(rk_type <= ALERT_SYSTEM_ERROR)
return(0);
- #ifdef OSSECHIDS
+ #ifdef OSSECHIDS
if(SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0)
{
merror(QUEUE_SEND, ARGV0);
}
#endif
- return(0);
+ return(0);
}
-
+
/* start_rk_daemon
* Start the rootkit daemon variables
*/
void start_rk_daemon()
{
return;
-
+
if(rootcheck.notify == QUEUE)
{
}
FILE *fp;
OSList *plist;
-
+
#ifndef WIN32
- /* Hard coding basedir */
+ /* Hard coding basedir */
int i;
char basedir[] = "/";
}
}
#else
-
+
/* Basedir for Windows */
char basedir[] = "C:\\";
-
+
#endif
-
-
+
+
/* Setting basedir */
if(rootcheck.basedir == NULL)
{
rootcheck.basedir = basedir;
}
-
+
time1 = time(0);
-
+
/*** Initial message ***/
if(rootcheck.notify != QUEUE)
{
printf("Be patient, it may take a few minutes to complete...\n");
printf("\n");
}
-
-
+
+
/* Cleaning the global variables */
rk_sys_count = 0;
rk_sys_file[rk_sys_count] = NULL;
rk_sys_name[rk_sys_count] = NULL;
-
-
+
+
/* Sending scan start message */
notify_rk(ALERT_POLICY_VIOLATION, "Starting rootcheck scan.");
if(rootcheck.notify == QUEUE)
/*** First check, look for rootkits ***/
/* Open rootkit_files and pass the pointer to check_rc_files */
- if(!rootcheck.rootkit_files)
+ if (rootcheck.checks.rc_files)
{
- #ifndef WIN32
- merror("%s: No rootcheck_files file configured.", ARGV0);
- #endif
- }
-
- else
- {
- fp = fopen(rootcheck.rootkit_files, "r");
- if(!fp)
+ if(!rootcheck.rootkit_files)
{
- merror("%s: No rootcheck_files file: '%s'",ARGV0,
- rootcheck.rootkit_files);
+ #ifndef WIN32
+ merror("%s: No rootcheck_files file configured.", ARGV0);
+ #endif
}
else
{
- check_rc_files(rootcheck.basedir, fp);
+ fp = fopen(rootcheck.rootkit_files, "r");
+ if(!fp)
+ {
+ merror("%s: No rootcheck_files file: '%s'",ARGV0,
+ rootcheck.rootkit_files);
+ }
- fclose(fp);
+ else
+ {
+ check_rc_files(rootcheck.basedir, fp);
+
+ fclose(fp);
+ }
}
}
-
-
+
+
/*** Second check. look for trojan entries in common binaries ***/
- if(!rootcheck.rootkit_trojans)
+ if (rootcheck.checks.rc_trojans)
{
- #ifndef WIN32
- merror("%s: No rootcheck_trojans file configured.", ARGV0);
- #endif
- }
-
- else
- {
- fp = fopen(rootcheck.rootkit_trojans, "r");
- if(!fp)
+ if(!rootcheck.rootkit_trojans)
{
- merror("%s: No rootcheck_trojans file: '%s'",ARGV0,
- rootcheck.rootkit_trojans);
+ #ifndef WIN32
+ merror("%s: No rootcheck_trojans file configured.", ARGV0);
+ #endif
}
else
{
- #ifndef HPUX
- check_rc_trojans(rootcheck.basedir, fp);
- #endif
+ fp = fopen(rootcheck.rootkit_trojans, "r");
+ if(!fp)
+ {
+ merror("%s: No rootcheck_trojans file: '%s'",ARGV0,
+ rootcheck.rootkit_trojans);
+ }
+
+ else
+ {
+ #ifndef HPUX
+ check_rc_trojans(rootcheck.basedir, fp);
+ #endif
- fclose(fp);
+ fclose(fp);
+ }
}
}
#ifdef WIN32
-
+
/*** Getting process list ***/
plist = os_get_process_list();
/*** Windows audit check ***/
- if(!rootcheck.winaudit)
+ if (rootcheck.checks.rc_winaudit)
{
- merror("%s: No winaudit file configured.", ARGV0);
- }
- else
- {
- fp = fopen(rootcheck.winaudit, "r");
- if(!fp)
+ if(!rootcheck.winaudit)
{
- merror("%s: No winaudit file: '%s'",ARGV0,
- rootcheck.winaudit);
+ merror("%s: No winaudit file configured.", ARGV0);
}
else
{
- check_rc_winaudit(fp, plist);
- fclose(fp);
+ fp = fopen(rootcheck.winaudit, "r");
+ if(!fp)
+ {
+ merror("%s: No winaudit file: '%s'",ARGV0,
+ rootcheck.winaudit);
+ }
+ else
+ {
+ check_rc_winaudit(fp, plist);
+ fclose(fp);
+ }
}
}
/* Windows malware */
- if(!rootcheck.winmalware)
+ if (rootcheck.checks.rc_winmalware)
{
- merror("%s: No winmalware file configured.", ARGV0);
- }
- else
- {
- fp = fopen(rootcheck.winmalware, "r");
- if(!fp)
+ if(!rootcheck.winmalware)
{
- merror("%s: No winmalware file: '%s'",ARGV0,
- rootcheck.winmalware);
+ merror("%s: No winmalware file configured.", ARGV0);
}
else
{
- check_rc_winmalware(fp, plist);
- fclose(fp);
+ fp = fopen(rootcheck.winmalware, "r");
+ if(!fp)
+ {
+ merror("%s: No winmalware file: '%s'",ARGV0,
+ rootcheck.winmalware);
+ }
+ else
+ {
+ check_rc_winmalware(fp, plist);
+ fclose(fp);
+ }
}
}
-
+
/* Windows Apps */
- if(!rootcheck.winapps)
- {
- merror("%s: No winapps file configured.", ARGV0);
- }
- else
+ if (rootcheck.checks.rc_winapps)
{
- fp = fopen(rootcheck.winapps, "r");
- if(!fp)
+ if(!rootcheck.winapps)
{
- merror("%s: No winapps file: '%s'",ARGV0,
- rootcheck.winapps);
+ merror("%s: No winapps file configured.", ARGV0);
}
else
{
- check_rc_winapps(fp, plist);
- fclose(fp);
+ fp = fopen(rootcheck.winapps, "r");
+ if(!fp)
+ {
+ merror("%s: No winapps file: '%s'",ARGV0,
+ rootcheck.winapps);
+ }
+ else
+ {
+ check_rc_winapps(fp, plist);
+ fclose(fp);
+ }
}
}
-
+
/* Freeing process list */
del_plist((void *)plist);
/** Checks for other non Windows. **/
#else
-
+
/*** Unix audit check ***/
- if(rootcheck.unixaudit)
+ if (rootcheck.checks.rc_unixaudit)
{
- /* Getting process list. */
- plist = os_get_process_list();
+ if(rootcheck.unixaudit)
+ {
+ /* Getting process list. */
+ plist = os_get_process_list();
- i = 0;
- while(rootcheck.unixaudit[i])
- {
- fp = fopen(rootcheck.unixaudit[i], "r");
- if(!fp)
+ i = 0;
+ while(rootcheck.unixaudit[i])
{
- merror("%s: No unixaudit file: '%s'",ARGV0,
- rootcheck.unixaudit[i]);
+ fp = fopen(rootcheck.unixaudit[i], "r");
+ if(!fp)
+ {
+ merror("%s: No unixaudit file: '%s'",ARGV0,
+ rootcheck.unixaudit[i]);
+ }
+ else
+ {
+ /* Running unix audit. */
+ check_rc_unixaudit(fp, plist);
+
+ fclose(fp);
+ }
+
+ i++;
}
- else
- {
- /* Running unix audit. */
- check_rc_unixaudit(fp, plist);
- fclose(fp);
- }
- i++;
+ /* Freeing list */
+ del_plist((void *)plist);
}
-
-
- /* Freeing list */
- del_plist((void *)plist);
}
-
+
#endif
-
-
+
+
/*** Third check, looking for files on the /dev ***/
- debug1("%s: DEBUG: Going into check_rc_dev", ARGV0);
- check_rc_dev(rootcheck.basedir);
-
+ if (rootcheck.checks.rc_dev)
+ {
+ debug1("%s: DEBUG: Going into check_rc_dev", ARGV0);
+ check_rc_dev(rootcheck.basedir);
+ }
+
/*** Fourth check, scan the whole system looking for additional issues */
- debug1("%s: DEBUG: Going into check_rc_sys", ARGV0);
- check_rc_sys(rootcheck.basedir);
-
+ if (rootcheck.checks.rc_sys)
+ {
+ debug1("%s: DEBUG: Going into check_rc_sys", ARGV0);
+ check_rc_sys(rootcheck.basedir);
+ }
+
/*** Process checking ***/
- debug1("%s: DEBUG: Going into check_rc_pids", ARGV0);
- check_rc_pids();
+ if (rootcheck.checks.rc_pids)
+ {
+ debug1("%s: DEBUG: Going into check_rc_pids", ARGV0);
+ check_rc_pids();
+ }
/*** Check all the ports ***/
- debug1("%s: DEBUG: Going into check_rc_ports", ARGV0);
- check_rc_ports();
+ if (rootcheck.checks.rc_ports)
+ {
+ debug1("%s: DEBUG: Going into check_rc_ports", ARGV0);
+ check_rc_ports();
+
+ /*** Check open ports ***/
+ debug1("%s: DEBUG: Going into check_open_ports", ARGV0);
+ check_open_ports();
+ }
- /*** Check open ports ***/
- debug1("%s: DEBUG: Going into check_open_ports", ARGV0);
- check_open_ports();
-
/*** Check interfaces ***/
- debug1("%s: DEBUG: Going into check_rc_if", ARGV0);
- check_rc_if();
-
-
- debug1("%s: DEBUG: Completed with all checks.", ARGV0);
-
-
+ if (rootcheck.checks.rc_if)
+ {
+ debug1("%s: DEBUG: Going into check_rc_if", ARGV0);
+ check_rc_if();
+ }
+
+
+ debug1("%s: DEBUG: Completed with all checks.", ARGV0);
+
+
/* Cleaning the global memory */
{
int li;
{
if(!rk_sys_file[li] ||
!rk_sys_name[li])
- break;
+ break;
free(rk_sys_file[li]);
free(rk_sys_name[li]);
/*** Final message ***/
time2 = time(0);
-
+
if(rootcheck.notify != QUEUE)
{
printf("\n");
{
merror("%s: INFO: Ending rootcheck scan.", ARGV0);
}
-
-
- debug1("%s: DEBUG: Leaving run_rk_check",ARGV0);
+
+
+ debug1("%s: DEBUG: Leaving run_rk_check",ARGV0);
return;
}
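Review bot: On the Windows branch the snapshot `plist = os_get_process_list();` and the matching `del_plist((void *)plist);` still run unconditionally, while each consumer (winaudit, winmalware, winapps) is now gated by its `rootcheck.checks.rc_*` flag, so when all three are disabled the process list is built and freed for nothing; guard both with `if (rootcheck.checks.rc_winaudit || rootcheck.checks.rc_winmalware || rootcheck.checks.rc_winapps)`, the way the Unix branch already scopes the list to the audit check. The new guards are written `if (` with a space, whereas the surrounding code in this file writes `if(`; pick one form. The comment `/*** Check all the ports ***/` now covers both `check_rc_ports()` and `check_open_ports()` under the single `rc_ports` flag, which is worth a one-line comment such as `/* rc_ports enables both the hidden-port and the open-port scan */` since the configuration element names only one. run_rk_check's opening lines lie outside the visible part of the hunk.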
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/unix-process.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/main/license/ .
*/
-
+
#include "shared.h"
#include "rootcheck.h"
char buf[OS_SIZE_2048 +1];
char command[OS_SIZE_1024 +1];
FILE *fp;
-
-
+
+
buf[0] = '\0';
command[0] = '\0';
- command[OS_SIZE_1024] = '\0';
-
-
+ command[OS_SIZE_1024] = '\0';
+
+
snprintf(command, OS_SIZE_1024, "%s -p %d 2> /dev/null", ps, mpid);
fp = popen(command, "r");
while(*tmp_str == ' ')
tmp_str++;
-
+
nbuf = tmp_str;
-
+
tmp_str = strchr(nbuf, '\n');
if(tmp_str)
int i = 1;
pid_t max_pid = MAX_PID;
OSList *p_list = NULL;
-
+
char ps[OS_SIZE_1024 +1];
if(!p_list)
{
merror(LIST_ERROR, ARGV0);
- return(NULL);
+ return(NULL);
}
OSList_AddData(p_list, p_info);
}
}
-
+
return((void *)p_list);
}
-
-
+
+
#endif
/* EOF */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/util/ads_dump.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
-#include <dirent.h>
+#include <dirent.h>
#include <windows.h>
/* Print out streams of a file */
int os_get_streams(char *full_path)
{
- HANDLE file_h;
+ HANDLE file_h;
WIN32_STREAM_ID sid;
void *context = NULL;
- char stream_name[MAX_PATH +1];
- char final_name[MAX_PATH +1];
+ char stream_name[MAX_PATH +1];
+ char final_name[MAX_PATH +1];
DWORD dwRead, shs, dw1, dw2;
/* Opening file */
- file_h = CreateFile(full_path,
+ file_h = CreateFile(full_path,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_POSIX_SEMANTICS,
NULL);
- if (file_h == INVALID_HANDLE_VALUE)
- {
+ if (file_h == INVALID_HANDLE_VALUE)
+ {
return 0;
}
while(1)
{
- if(BackupRead(file_h, (LPBYTE) &sid, shs, &dwRead,
+ if(BackupRead(file_h, (LPBYTE) &sid, shs, &dwRead,
FALSE, FALSE, &context) == 0)
{
break;
stream_name[0] = '\0';
stream_name[MAX_PATH] = '\0';
- if(BackupRead(file_h, (LPBYTE)stream_name,
- sid.dwStreamNameSize,
+ if(BackupRead(file_h, (LPBYTE)stream_name,
+ sid.dwStreamNameSize,
&dwRead, FALSE, FALSE, &context))
{
if(dwRead != 0)
{
char *tmp_pt;
- snprintf(final_name, MAX_PATH, "%s%S", full_path,
+ snprintf(final_name, MAX_PATH, "%s%S", full_path,
(WCHAR *)stream_name);
tmp_pt = strrchr(final_name, ':');
if(tmp_pt)
}
/* Getting next */
- if(!BackupSeek(file_h, sid.Size.LowPart, sid.Size.HighPart,
+ if(!BackupSeek(file_h, sid.Size.LowPart, sid.Size.HighPart,
&dw1, &dw2, &context))
{
break;
/* Getting streams */
os_get_streams(file_name);
-
+
if(stat(file_name, &statbuf) < 0)
{
return(0);
/* Just ignore . and .. */
if((strcmp(entry->d_name,".") == 0) ||
- (strcmp(entry->d_name,"..") == 0))
+ (strcmp(entry->d_name,"..") == 0))
{
continue;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/win-common.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
-
+
+
#include "shared.h"
#include "rootcheck.h"
-#ifdef WIN32
+#ifdef WIN32
/** Registry checking values **/
/* Global variables */
HKEY rk_sub_tree;
-
+
/* Default values */
#define MAX_KEY_LENGTH 255
#define MAX_KEY 2048
*/
int os_check_ads(char *full_path)
{
- HANDLE file_h;
+ HANDLE file_h;
WIN32_STREAM_ID sid;
void *context = NULL;
- char stream_name[MAX_PATH +1];
- char final_name[MAX_PATH +1];
+ char stream_name[MAX_PATH +1];
+ char final_name[MAX_PATH +1];
DWORD dwRead, shs, dw1, dw2;
/* Opening file */
- file_h = CreateFile(full_path,
+ file_h = CreateFile(full_path,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_POSIX_SEMANTICS,
NULL);
- if (file_h == INVALID_HANDLE_VALUE)
- {
+ if (file_h == INVALID_HANDLE_VALUE)
+ {
return 0;
}
while(1)
{
- if(BackupRead(file_h, (LPBYTE) &sid, shs, &dwRead,
+ if(BackupRead(file_h, (LPBYTE) &sid, shs, &dwRead,
FALSE, FALSE, &context) == 0)
{
break;
stream_name[0] = '\0';
stream_name[MAX_PATH] = '\0';
- if(BackupRead(file_h, (LPBYTE)stream_name,
- sid.dwStreamNameSize,
+ if(BackupRead(file_h, (LPBYTE)stream_name,
+ sid.dwStreamNameSize,
&dwRead, FALSE, FALSE, &context))
{
if(dwRead != 0)
char op_msg[OS_SIZE_1024 +1];
snprintf(final_name, MAX_PATH, "%s", full_path);
-
+
max_path_size = strlen(final_name);
-
+
/* Copying from wide char to char. */
while((i < dwRead) && (max_path_size < MAX_PATH))
}
/* Getting next */
- if(!BackupSeek(file_h, sid.Size.LowPart, sid.Size.HighPart,
+ if(!BackupSeek(file_h, sid.Size.LowPart, sid.Size.HighPart,
&dw1, &dw2, &context))
{
break;
/* Setting sub tree */
if((strcmp(reg_entry, "HKEY_LOCAL_MACHINE") == 0) ||
- (strcmp(reg_entry, "HKLM") == 0))
+ (strcmp(reg_entry, "HKLM") == 0))
{
rk_sub_tree = HKEY_LOCAL_MACHINE;
}
{
/* Setting sub tree to null */
rk_sub_tree = NULL;
-
+
/* Returning tmp_str to the previous value */
if(tmp_str && (*tmp_str == '\0'))
*tmp_str = '\\';
value_buffer[MAX_VALUE_NAME] = '\0';
data_buffer[MAX_VALUE_NAME] = '\0';
var_storage[MAX_VALUE_NAME] = '\0';
-
+
/* Getting each value */
for(i=0;i<value_count;i++)
var_storage[0] = '\0';
rc = RegEnumValue(hKey, i, value_buffer, &value_size,
- NULL, &data_type, data_buffer, &data_size);
+ NULL, &data_type, (LPBYTE)data_buffer, &data_size);
/* No more values available */
*/
if(!reg_value)
{
- return(1);
+ return(1);
}
-
+
/* Writing value into a string */
switch(data_type)
{
int size_available;
-
+
case REG_SZ:
case REG_EXPAND_SZ:
snprintf(var_storage, MAX_VALUE_NAME, "%s", data_buffer);
break;
case REG_MULTI_SZ:
-
+
/* Printing multiple strings */
size_available = MAX_VALUE_NAME -3;
mt_data = data_buffer;
{
strncat(var_storage, mt_data, size_available);
strncat(var_storage, " ", 2);
- size_available = MAX_VALUE_NAME -
+ size_available = MAX_VALUE_NAME -
(strlen(var_storage) +2);
}
mt_data += strlen(mt_data) +1;
}
-
+
break;
case REG_DWORD:
- snprintf(var_storage, MAX_VALUE_NAME,
+ snprintf(var_storage, MAX_VALUE_NAME,
"%x",(unsigned int)*data_buffer);
break;
default:
return(0);
}
-
+
/* int __os_winreg_open_key(char *subkey)
* Open the registry key
*/
-int __os_winreg_open_key(char *subkey, char *full_key_name,
+int __os_winreg_open_key(char *subkey, char *full_key_name,
char *reg_option, char *reg_value)
{
int ret = 1;
HKEY oshkey;
-
+
if(RegOpenKeyEx(rk_sub_tree, subkey, 0, KEY_READ,&oshkey) != ERROR_SUCCESS)
{
return(0);
ret = __os_winreg_querykey(oshkey, subkey, full_key_name,
reg_option, reg_value);
}
-
-
+
+
RegCloseKey(oshkey);
return(ret);
}
{
char *rk;
-
+
rk = __os_winreg_getkey(entry_name);
if(rk_sub_tree == NULL || rk == NULL)
{
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/rootcheck/win-process.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
LUID luid;
DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
- if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
+ if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
return(0);
}
/* If en is set to true, we enable the privilege */
- if(en)
+ if(en)
{
tpPrevious.Privileges[0].Attributes |= (SE_PRIVILEGE_ENABLED);
}
- else
+ else
{
tpPrevious.Privileges[0].Attributes ^= (SE_PRIVILEGE_ENABLED &
tpPrevious.Privileges[0].Attributes);
void *os_get_process_list()
{
OSList *p_list = NULL;
-
+
HANDLE hsnap;
HANDLE hpriv;
PROCESSENTRY32 p_entry;
/* Getting token for enable debug priv */
- if(!OpenThreadToken(GetCurrentThread(),
+ if(!OpenThreadToken(GetCurrentThread(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, FALSE, &hpriv))
{
if(GetLastError() == ERROR_NO_TOKEN)
}
if(!OpenThreadToken(GetCurrentThread(),
- TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
+ TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
FALSE, &hpriv))
{
merror("%s: ERROR: os_get_win32_process_list -> "
return(NULL);
}
}
-
+
/* Enabling debug privilege */
if(!os_win32_setdebugpriv(hpriv, 1))
merror(LIST_ERROR, ARGV0);
return(0);
}
-
+
/* Getting each process name and path */
while(Process32Next( hsnap, &p_entry))
/* Setting process name */
os_strdup(p_entry.szExeFile, p_name);
-
-
+
+
/* Getting additional information from modules */
HANDLE hmod = INVALID_HANDLE_VALUE;
MODULEENTRY32 m_entry;
m_entry.dwSize = sizeof(MODULEENTRY32);
-
+
/* Snapshot of the process */
- hmod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,
+ hmod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,
p_entry.th32ProcessID);
if(hmod == INVALID_HANDLE_VALUE)
{
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/agent_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/** Checks if syscheck is to be executed/restarted.
* Returns 1 on success or 0 on failure (shouldn't be executed now).
*/
-int os_check_restart_syscheck()
+int os_check_restart_syscheck()
{
struct stat restart_status;
{
if(stat(SYSCHECK_RESTART, &restart_status) == -1)
return(0);
-
- unlink(SYSCHECK_RESTART);
+
+ unlink(SYSCHECK_RESTART);
}
else
{
if(stat(SYSCHECK_RESTART_PATH, &restart_status) == -1)
return(0);
-
- unlink(SYSCHECK_RESTART_PATH);
+
+ unlink(SYSCHECK_RESTART_PATH);
}
-
- return(1);
+
+ return(1);
}
char buf[1024 + 1];
FILE *fp = NULL;
+ debug2("%s: calling os_read_agent_name().", ARGV0);
+
if(isChroot())
fp = fopen(AGENT_INFO_FILE, "r");
else
fp = fopen(AGENT_INFO_FILEP, "r");
-
- /* We give 1 second for the file to be created... */
+
+ /* We give 1 second for the file to be created... */
if(!fp)
{
sleep(1);
if(isChroot())
fp = fopen(AGENT_INFO_FILE, "r");
else
- fp = fopen(AGENT_INFO_FILEP, "r");
+ fp = fopen(AGENT_INFO_FILEP, "r");
}
-
+
if(!fp)
{
debug1(FOPEN_ERROR, __local_name, AGENT_INFO_FILE);
char *ret = NULL;
os_strdup(buf, ret);
fclose(fp);
-
+
+ debug2("%s: os_read_agent_name returned (%s).", __local_name, ret);
+
return(ret);
}
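Review bot: The new trace `debug2("%s: calling os_read_agent_name().", ARGV0);` uses `ARGV0`, while the existing `debug1(FOPEN_ERROR, __local_name, AGENT_INFO_FILE);` below and the other added line `debug2("%s: os_read_agent_name returned (%s).", __local_name, ret);` use `__local_name`; this file is shared code, so `__local_name` is presumably the intended prefix, and the same `ARGV0` appears in the `debug2` calls added to os_read_agent_ip, os_read_agent_id and os_read_agent_profile. Changing the three `ARGV0` arguments to `__local_name` keeps every message in the file attributable to the calling daemon in the same way.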
char buf[1024 + 1];
FILE *fp;
+ debug2("%s: calling os_read_agent_ip().", ARGV0);
+
fp = fopen(AGENT_INFO_FILE, "r");
if(!fp)
{
char buf[1024 + 1];
FILE *fp;
+ debug2("%s: calling os_read_agent_id().", ARGV0);
+
fp = fopen(AGENT_INFO_FILE, "r");
if(!fp)
{
}
+/* cmoraes: begin add */
+
+/** char *os_read_agent_profile()
+ * Reads the agent profile name for the current agent.
+ * Returns NULL on error.
+ *
+ * Description:
+ * Comma separated list of strings that used to identify what type
+ * of configuration is used for this agent.
+ * The profile name is set in the agent's etc/ossec.conf file
+ * It is matched with the ossec manager's agent.conf file to read
+ * configuration only applicable to this profile name.
+ *
+ */
+char* os_read_agent_profile()
+{
+ char buf[1024 + 1];
+ FILE *fp;
+
+ debug2("%s: calling os_read_agent_profile().", __local_name);
+
+ if(isChroot())
+ fp = fopen(AGENT_INFO_FILE, "r");
+ else
+ fp = fopen(AGENT_INFO_FILEP, "r");
+
+ if(!fp)
+ {
+ debug2("%s: Failed to open file. Errno=%d.", ARGV0, errno);
+ merror(FOPEN_ERROR, __local_name, AGENT_INFO_FILE);
+ return(NULL);
+ }
+
+ buf[1024] = '\0';
+
+
+ /* Getting profile */
+ if(fgets(buf, 1024, fp) && fgets(buf, 1024, fp) &&
+ fgets(buf, 1024, fp) && fgets(buf, 1024, fp))
+ {
+ char *ret = NULL;
+
+ /* Trim the /n and/or /r at the end of the string */
+ os_trimcrlf(buf);
+
+ os_strdup(buf, ret);
+ debug2("%s: os_read_agent_profile() = [%s]", __local_name, ret);
+
+ fclose(fp);
+
+ return(ret);
+ }
+
+ fclose(fp);
+ return(NULL);
+}
+/* cmoraes: end add */
+
/** int os_write_agent_info(char *agent_name, char *agent_ip, char *agent_id)
* Writes the agent info inside the queue, for the other processes to read.
* Returns 1 on success or <= 0 on failure.
*/
-int os_write_agent_info(char *agent_name, char *agent_ip, char *agent_id)
+/* cmoraes: changed function. added cfg_profile_name parameter */
+int os_write_agent_info(char *agent_name, char *agent_ip,
+ char *agent_id, char *cfg_profile_name)
{
FILE *fp;
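Review bot: The header comment for `os_read_agent_profile` says neither that the returned buffer comes from `os_strdup` and must be freed by the caller, nor that the profile is expected on the fourth line of the agent-info file, which is the layout the `fprintf` in os_write_agent_info produces; add `* Returns a malloc'd string the caller must free, or NULL on error.` and `* The profile is the 4th line of the agent info file (name, '-', id, profile).` The four chained `fgets(buf, 1024, fp)` calls only count lines if no line is longer than 1023 bytes, otherwise a later call returns the tail of a long line and the wrong text is taken as the profile; either state that assumption in a comment or consume each line up to its newline. The `/* cmoraes: begin add */` / `/* cmoraes: end add */` markers duplicate what the version history records and will go stale; drop them.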
return(0);
}
- fprintf(fp, "%s\n-\n%s\n", agent_name, agent_id);
+ /*cmoraes: added cfg_profile_name parameter*/
+ fprintf(fp, "%s\n-\n%s\n%s\n", agent_name, agent_id, cfg_profile_name);
fclose(fp);
return(1);
}
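Review bot: `fprintf(fp, "%s\n-\n%s\n%s\n", agent_name, agent_id, cfg_profile_name);` passes the new parameter to `%s` with no NULL check, which is undefined behavior when no profile is configured (the callers are outside this hunk, so whether they can pass NULL is inferred); write `cfg_profile_name ? cfg_profile_name : ""` so the fourth line is still emitted and the line-based reader in os_read_agent_profile stays aligned. The function's doc comment still names only three parameters; extend it with `cfg_profile_name` and note that NULL is written as an empty line. The `/*cmoraes: ...*/` change markers belong in the commit message, not the source.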
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/debug_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
va_list args2;
FILE *fp;
-
+
tm = time(NULL);
p = localtime(&tm);
/* Duplicating args */
va_copy(args2, args);
-
+
/* If under chroot, log directly to /logs/ossec.log */
if(chroot_flag == 1)
if(fp)
{
(void)fprintf(fp,"%d/%02d/%02d %02d:%02d:%02d ",
- p->tm_year+1900,p->tm_mon+1,
+ p->tm_year+1900,p->tm_mon+1,
p->tm_mday,p->tm_hour,p->tm_min,p->tm_sec);
(void)vfprintf(fp, msg, args);
#ifdef WIN32
_log(msg, args);
daemon_flag = dbg_tmp;
-
+
va_end(args);
}
void ErrorExit(const char *msg, ...)
{
va_list args;
-
- #ifdef WIN32
+
+ #ifdef WIN32
/* If not MA */
#ifndef MA
WinSetError();
/* Print to stderr */
(void)vfprintf(stderr, msg, args);
-
+
#ifdef WIN32
(void)fprintf(stderr, "\r\n");
#else
(void)fprintf(stderr, "\n");
#endif
-
+
va_end(args);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/dirtree_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-
-/* Common API for dealing with directory trees */
+
+/* Common API for dealing with directory trees */
#include "shared.h"
-/* Create the tree
+/* Create the tree
* Return NULL on error
*/
OSDirTree *OSDirTree_Create()
{
return(NULL);
}
-
+
my_tree->first_node = NULL;
my_tree->last_node = NULL;
-
+
return(my_tree);
}
-/* Get first node from tree (starting from parent)
+/* Get first node from tree (starting from parent)
* Returns null on invalid tree (not initialized)
*/
OSTreeNode *OSDirTree_GetFirstNode(OSDirTree *tree)
* Internal call, looks up for an entry in the middle of the tree.
* Should not be called directly.
*/
-OSDirTree *_OSTreeNode_Add(OSDirTree *tree, char *str,
+OSDirTree *_OSTreeNode_Add(OSDirTree *tree, char *str,
void *data, char sep)
{
char *tmp_str;
tree->first_node = NULL;
tree->last_node = NULL;
}
-
+
curnode = tree->first_node;
{
os_calloc(1, sizeof(OSTreeNode), newnode);
//printf("XXXX Adding node: %s\n", str);
-
+
if(!tree->first_node && !tree->last_node)
{
{
*tmp_str = sep;
}
-
+
return(tree);
}
-
+
/** void OSDirTree_AddToTree
char *tmp_str;
OSTreeNode *newnode;
OSTreeNode *curnode;
-
-
+
+
/* First character doesn't count as a separator */
tmp_str = strchr(str +1, sep);
if(tmp_str)
{
*tmp_str = '\0';
}
-
-
+
+
curnode = tree->first_node;
while(curnode)
{
/* If we have other elements, keep going */
if(tmp_str)
{
- curnode->child = _OSTreeNode_Add(curnode->child,
+ curnode->child = _OSTreeNode_Add(curnode->child,
tmp_str +1, data, sep);
}
break;
tree->last_node->next = newnode;
tree->last_node = newnode;
}
-
+
newnode->next = NULL;
os_strdup(str, newnode->value);
/* If we have other elements, keep going */
if(tmp_str)
{
- newnode->child = _OSTreeNode_Add(newnode->child,
+ newnode->child = _OSTreeNode_Add(newnode->child,
tmp_str +1, data, sep);
newnode->data = NULL;
}
{
*tmp_str = sep;
}
-
+
return(ret);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/file-queue.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
{
#ifndef WIN32
struct timeval fp_timeout;
-
+
fp_timeout.tv_sec = FQ_TIMEOUT;
fp_timeout.tv_usec = 0;
/* Waiting for the select timeout */
select(0, NULL, NULL, NULL, &fp_timeout);
-
+
#else
/* Windows don't like select that way */
Sleep((FQ_TIMEOUT + 2) * 1000);
ALERTS,
fileq->year,
fileq->mon,
- fileq->day);
+ fileq->day);
}
}
/** int Handle_Queue(file_queue *fileq)
* Re Handle the file queue.
*/
-int Handle_Queue(file_queue *fileq, int flags)
+int Handle_Queue(file_queue *fileq, int flags)
{
/* Closing if it is open */
if(!(flags & CRALERT_FP_SET))
}
}
-
+
/* File change time */
if(fstat(fileno(fileq->fp), &fileq->f_status) < 0)
{
fileq->fp = NULL;
return(-1);
}
-
+
fileq->last_change = fileq->f_status.st_mtime;
-
+
return(1);
}
}
fileq->last_change = 0;
fileq->flags = 0;
-
+
fileq->day = p->tm_mday;
fileq->year = p->tm_year+1900;
-
+
strncpy(fileq->mon, s_month[p->tm_mon], 4);
memset(fileq->file_name, '\0',MAX_FQUEUE + 1);
/* Setting the supplied flags */
fileq->flags = flags;
-
+
/* Getting latest file */
GetFile_Queue(fileq);
-
+
/* Always seek end when starting the queue */
if(Handle_Queue(fileq, fileq->flags) < 0)
{
return(-1);
}
- return(0);
+ return(0);
}
int i = 0;
alert_data *al_data;
-
+
/* If the file queue is not available, try to access it */
if(!fileq->fp)
{
}
}
-
+
/* Getting currently file */
if(p->tm_mday != fileq->day)
{
}
}
-
+
/* Try up to timeout times to get an event */
while(i < timeout)
{
{
return(al_data);
}
-
- i++;
+
+ i++;
file_sleep();
}
-
+
/* Returning NULL if timeout expires. */
return(NULL);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/file_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*/
-/* Functions to handle operation with files
+/* Functions to handle operation with files
*/
#ifndef PRODUCT_DATACENTER_SERVER_CORE_V
#define PRODUCT_DATACENTER_SERVER_CORE_V 0x00000027
#define PRODUCT_DATACENTER_SERVER_CORE_V_C "Datacenter Edition (core) "
-#endif
+#endif
#ifndef PRODUCT_DATACENTER_SERVER_V
#define PRODUCT_DATACENTER_SERVER_V 0x00000025
{
char file[256];
FILE *fp;
-
+
if(isChroot())
{
snprintf(file,255,"%s/%s-%d.pid",OS_PIDFILE,name,pid);
fp = fopen(file,"a");
if(!fp)
return(-1);
-
+
fprintf(fp,"%d\n",pid);
-
+
+ chmod(file, 0640);
+
fclose(fp);
-
+
return(0);
}
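Review bot: The added `chmod(file, 0640);` ignores its return value, so a failure to restrict the pid file is silent even though every other step in CreatePID reports `-1`; check it, `if(chmod(file, 0640) < 0) { fclose(fp); return(-1); }`. Because the stream is already open, the mode can be applied to the descriptor instead of the path on POSIX builds with `fchmod(fileno(fp), 0640)`, which avoids a second path lookup between `fopen` and `chmod`; if this file is also built for Windows, keep the path-based call there. A short comment stating why the mode is tightened, e.g. `/* pid files must not be world-readable */`, would make the intent explicit.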
int DeletePID(char *name)
{
char file[256];
-
+
if(isChroot())
{
snprintf(file,255,"%s/%s-%d.pid",OS_PIDFILE,name,(int)getpid());
if(File_DateofChange(file) < 0)
return(-1);
-
+
unlink(file);
-
+
return(0);
}
finalfp = fopen(finalpath, "r");
if(!finalfp)
{
- merror("%s: ERROR: Unable to read merged file: '%s'.",
+ merror("%s: ERROR: Unable to read merged file: '%s'.",
__local_name, finalpath);
return(0);
}
break;
}
-
+
/* Initiator. */
if(buf[0] != '!')
continue;
if(!fp)
{
ret = 0;
- merror("%s: ERROR: Unable to unmerge file '%s'.",
+ merror("%s: ERROR: Unable to unmerge file '%s'.",
__local_name, final_name);
}
finalfp = fopen(finalpath, "w");
if(!finalfp)
{
- merror("%s: ERROR: Unable to create merged file: '%s'.",
+ merror("%s: ERROR: Unable to create merged file: '%s'.",
__local_name, finalpath);
return(0);
}
finalfp = fopen(finalpath, "a");
if(!finalfp)
{
- merror("%s: ERROR: Unable to create merged file: '%s'.",
+ merror("%s: ERROR: Unable to create merged file: '%s'.",
__local_name, finalpath);
return(0);
}
finalfp = fopen(finalpath, "w");
if(!finalfp)
{
- merror("%s: ERROR: Unable to create merged file: '%s'.",
+ merror("%s: ERROR: Unable to create merged file: '%s'.",
__local_name, finalpath);
return(0);
}
if(ret == NULL)
return(NULL);
- snprintf(ret, 255, "%s %s %s %s %s - %s %s",
+ snprintf(ret, 255, "%s %s %s %s %s - %s %s",
uts_buf.sysname,
uts_buf.nodename,
uts_buf.release,
ret = calloc(256, sizeof(char));
if(ret == NULL)
return(NULL);
-
+
snprintf(ret, 255, "No system info available - %s %s",
- __name, __version);
+ __name, __version);
return(ret);
}
/* Going to / */
chdir("/");
-
+
return;
}
/* Going to / */
chdir("/");
-
+
/* Closing stdin, stdout and stderr */
/*
fclose(stdin);
open("/dev/null", O_RDWR);
open("/dev/null", O_RDWR);
*/
-
+
return;
}
}
- /* We check if the system is vista (most be called during the startup. */
+ /* We check if the system is vista (must be called during the startup.) */
if(strstr(m_uname, "Windows Server 2008") ||
- strstr(m_uname, "Vista"))
+ strstr(m_uname, "Vista") ||
+ strstr(m_uname, "Windows 7"))
{
isVista = 1;
- verbose("%s: INFO: System is Vista or Windows Server 2008.",
+ verbose("%s: INFO: System is Vista or Windows Server 2008.",
__local_name);
}
typedef BOOL (WINAPI *PGPI)(DWORD, DWORD, DWORD, DWORD, PDWORD);
- /* Extracted from ms web site
+ /* Extracted from ms web site
* http://msdn.microsoft.com/library/en-us/sysinfo/base/getting_the_system_version.asp
*/
OSVERSIONINFOEX osvi;
if(!(bOsVersionInfoEx = GetVersionEx ((OSVERSIONINFO *) &osvi)))
{
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
- if (!GetVersionEx((OSVERSIONINFO *)&osvi))
+ if (!GetVersionEx((OSVERSIONINFO *)&osvi))
return(NULL);
}
/* Allocating the memory */
os_calloc(OS_SIZE_1024 +1, sizeof(char), ret);
ret[OS_SIZE_1024] = '\0';
-
+
switch(osvi.dwPlatformId)
{
/* Test for the Windows NT product family. */
case VER_PLATFORM_WIN32_NT:
- if(osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 0 )
+ if(osvi.dwMajorVersion == 6)
{
- if(osvi.wProductType == VER_NT_WORKSTATION )
- strncat(ret, "Microsoft Windows Vista ", ret_size -1);
- else
+ if(osvi.dwMinorVersion == 0)
+ {
+ if(osvi.wProductType == VER_NT_WORKSTATION )
+ strncat(ret, "Microsoft Windows Vista ", ret_size -1);
+ else
+ {
+ strncat(ret, "Microsoft Windows Server 2008 ", ret_size -1);
+ }
+ }
+ else if(osvi.dwMinorVersion == 1)
{
- strncat(ret, "Microsoft Windows Server 2008 ", ret_size -1);
+ if(osvi.wProductType == VER_NT_WORKSTATION )
+ strncat(ret, "Microsoft Windows 7 ", ret_size -1);
+ else
+ {
+ strncat(ret, "Microsoft Windows Server 2008 R2 ", ret_size -1);
+ }
}
ret_size-=strlen(ret) +1;
/* Getting product version. */
pGPI = (PGPI) GetProcAddress(
- GetModuleHandle(TEXT("kernel32.dll")),
+ GetModuleHandle(TEXT("kernel32.dll")),
"GetProductInfo");
pGPI( 6, 0, 0, 0, &dwType);
strncat(ret, PRODUCT_WEB_SERVER_CORE_C, ret_size -1);
break;
}
-
+
ret_size-=strlen(ret) +1;
}
else if(osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2)
{
pGNSI = (PGNSI) GetProcAddress(
- GetModuleHandle("kernel32.dll"),
+ GetModuleHandle("kernel32.dll"),
"GetNativeSystemInfo");
if(NULL != pGNSI)
pGNSI(&si);
if( GetSystemMetrics(89) )
- strncat(ret, "Microsoft Windows Server 2003 R2 ",
+ strncat(ret, "Microsoft Windows Server 2003 R2 ",
ret_size -1);
else if(osvi.wProductType == VER_NT_WORKSTATION &&
si.wProcessorArchitecture==PROCESSOR_ARCHITECTURE_AMD64)
{
- strncat(ret,
+ strncat(ret,
"Microsoft Windows XP Professional x64 Edition ",
ret_size -1 );
}
{
strncat(ret, "Microsoft Windows Server 2003, ",ret_size-1);
}
-
+
ret_size-=strlen(ret) +1;
}
ret_size-=strlen(ret) +1;
}
-
+
else if(osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0)
{
strncat(ret, "Microsoft Windows 2000 ", ret_size -1);
strncat(ret, "Workstation 4.0 ", ret_size -1);
else if( osvi.wSuiteMask & VER_SUITE_PERSONAL )
strncat(ret, "Home Edition ", ret_size -1);
- else
+ else
strncat(ret, "Professional ",ret_size -1);
/* Fixing size */
- ret_size-=strlen(ret) +1;
+ ret_size-=strlen(ret) +1;
}
/* Test for the server type. */
- else if( osvi.wProductType == VER_NT_SERVER ||
+ else if( osvi.wProductType == VER_NT_SERVER ||
osvi.wProductType == VER_NT_DOMAIN_CONTROLLER )
{
if(osvi.dwMajorVersion==5 && osvi.dwMinorVersion==2)
PROCESSOR_ARCHITECTURE_IA64 )
{
if( osvi.wSuiteMask & VER_SUITE_DATACENTER )
- strncat(ret,
+ strncat(ret,
"Datacenter Edition for Itanium-based Systems ",
ret_size -1);
else if( osvi.wSuiteMask & VER_SUITE_ENTERPRISE )
"Enterprise Edition for Itanium-based Systems ",
ret_size -1);
- ret_size-=strlen(ret) +1;
+ ret_size-=strlen(ret) +1;
}
else if ( si.wProcessorArchitecture==
else if( osvi.wSuiteMask & VER_SUITE_ENTERPRISE )
strncat(ret, "Enterprise x64 Edition ",
ret_size -1 );
- else
+ else
strncat(ret, "Standard x64 Edition ",
ret_size -1 );
- ret_size-=strlen(ret) +1;
+ ret_size-=strlen(ret) +1;
}
else
strncat(ret,"Enterprise Edition ",ret_size -1);
else if ( osvi.wSuiteMask == VER_SUITE_BLADE )
strncat(ret,"Web Edition ",ret_size -1 );
- else
+ else
strncat(ret, "Standard Edition ",ret_size -1);
- ret_size-=strlen(ret) +1;
+ ret_size-=strlen(ret) +1;
}
}
else if(osvi.dwMajorVersion==5 && osvi.dwMinorVersion==0)
strncat(ret, "Datacenter Server ",ret_size -1);
else if( osvi.wSuiteMask & VER_SUITE_ENTERPRISE )
strncat(ret, "Advanced Server ",ret_size -1 );
- else
+ else
strncat(ret, "Server ",ret_size -1);
- ret_size-=strlen(ret) +1;
+ ret_size-=strlen(ret) +1;
}
else if(osvi.dwMajorVersion <= 4) /* Windows NT 4.0 */
{
if( osvi.wSuiteMask & VER_SUITE_ENTERPRISE )
strncat(ret, "Server 4.0, Enterprise Edition ",
ret_size -1 );
- else
+ else
strncat(ret, "Server 4.0 ",ret_size -1);
-
+
ret_size-=strlen(ret) +1;
}
}
}
/* Test for specific product on Windows NT 4.0 SP5 and earlier */
- else
+ else
{
HKEY hKey;
char szProductType[81];
if(lRet == ERROR_SUCCESS)
{
char __wv[32];
-
+
lRet = RegQueryValueEx( hKey, "ProductType", NULL, NULL,
(LPBYTE) szProductType, &dwBufLen);
RegCloseKey( hKey );
ret_size-=strlen(ret) +1;
memset(__wv, '\0', 32);
- snprintf(__wv, 31,
+ snprintf(__wv, 31,
"%d.%d ",
(int)osvi.dwMajorVersion,
(int)osvi.dwMinorVersion);
/* Display service pack (if any) and build number. */
- if( osvi.dwMajorVersion == 4 &&
+ if( osvi.dwMajorVersion == 4 &&
lstrcmpi( osvi.szCSDVersion, "Service Pack 6" ) == 0 )
- {
+ {
HKEY hKey;
LONG lRet;
char __wp[64];
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Hotfix\\Q246009",
0, KEY_QUERY_VALUE, &hKey );
if( lRet == ERROR_SUCCESS )
- snprintf(__wp, 63, "Service Pack 6a (Build %d)",
- (int)osvi.dwBuildNumber & 0xFFFF );
+ snprintf(__wp, 63, "Service Pack 6a (Build %d)",
+ (int)osvi.dwBuildNumber & 0xFFFF );
else /* Windows NT 4.0 prior to SP6a */
{
snprintf(__wp, 63, "%s (Build %d)",
{
strncat(ret, "Microsoft Windows 95 ", ret_size -1);
ret_size-=strlen(ret) +1;
- }
+ }
if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 10)
{
strncat(ret, "Microsoft Windows 98 ", ret_size -1);
ret_size-=strlen(ret) +1;
- }
+ }
if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 90)
{
ret_size -1);
ret_size-=strlen(ret) +1;
- }
+ }
break;
case VER_PLATFORM_WIN32s:
/* Adding ossec version */
snprintf(os_v, 128, " - %s %s", __name, __version);
strncat(ret, os_v, ret_size -1);
-
-
+
+
/* Returning system information */
- return(ret);
+ return(ret);
}
#endif
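Review bot: The `chmod(file, 0640);` added to CreatePID is not checked, and neither is the `fclose(fp)` after it, so a pid file left with the wrong mode or short-written is still reported as success by `return(0)`. The file is also created by `fopen(file,"a")` under the process umask and only tightened afterwards; opening it with `open(file, O_WRONLY|O_CREAT|O_APPEND, 0640)` and `fdopen()` would set the mode at creation instead of in a second step. At minimum the result should be propagated, e.g. `if(chmod(file, 0640) < 0) { fclose(fp); return(-1); }` followed by `if(fclose(fp) != 0) return(-1);`. The rest of CreatePID (the non-chroot branch) is outside the visible lines, so the same check may be needed there.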
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/hash_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-
-/* Common API for dealing with hashes/maps */
+
+/* Common API for dealing with hashes/maps */
#include "shared.h"
self->initial_seed = os_getprime(random() % self->rows);
self->constant = os_getprime(random() % self->rows);
-
+
return(self);
}
int i = 0;
OSHashNode *curr_node;
OSHashNode *next_node;
-
-
+
+
/* Freeing each entry */
while(i <= self->rows)
{
free(self->table);
free(self);
- return(NULL);
+ return(NULL);
}
return(1);
}
-
+
/* Getting next prime */
self->rows = os_getprime(new_size);
if(self->rows == 0)
return(0);
}
-
+
/* If we fail, the hash should not be used anymore */
self->table = realloc(self->table, (self->rows +1) * sizeof(OSHashNode *));
if(!self->table)
}
+/** int OSHash_Update(OSHash *self, char *key, void *data)
+ * Returns 0 on error (not found).
+ * Returns 1 on successduplicated key (not added)
+ * Key must not be NULL.
+ */
+int OSHash_Update(OSHash *self, char *key, void *data)
+{
+ unsigned int hash_key;
+ unsigned int index;
+
+ OSHashNode *curr_node;
+
+
+ /* Generating hash of the message */
+ hash_key = _os_genhash(self, key);
+
+
+ /* Getting array index */
+ index = hash_key % self->rows;
+
+
+ /* Checking for duplicated entries in the index */
+ curr_node = self->table[index];
+ while(curr_node)
+ {
+ /* Checking for duplicated key -- not adding */
+ if(strcmp(curr_node->key, key) == 0)
+ {
+ free(curr_node->data);
+ curr_node->data = data;
+ return(1);
+ }
+ curr_node = curr_node->next;
+ }
+ return(0);
+}
+
+
/** int OSHash_Add(OSHash *self, char *key, void *data)
* Returns 0 on error.
OSHashNode *curr_node;
OSHashNode *new_node;
-
+
/* Generating hash of the message */
hash_key = _os_genhash(self, key);
/* Getting array index */
index = hash_key % self->rows;
-
+
/* Checking for duplicated entries in the index */
curr_node = self->table[index];
curr_node = curr_node->next;
}
-
+
/* Creating new node */
new_node = calloc(1, sizeof(OSHashNode));
if(!new_node)
new_node->next = self->table[index];
self->table[index] = new_node;
}
-
+
return(2);
}
unsigned int index;
OSHashNode *curr_node;
-
+
/* Generating hash of the message */
hash_key = _os_genhash(self, key);
/* Getting array index */
index = hash_key % self->rows;
-
+
/* Getting entry */
curr_node = self->table[index];
{
return(curr_node->data);
}
-
+
curr_node = curr_node->next;
}
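Review bot: OSHash_Update frees the existing `curr_node->data` before storing the new pointer, which makes the table the owner of every value ever stored in it, yet OSHash_Add further down the hunk appears to link the caller's `data` pointer into a node without copying it, so a caller that stored a static, stack or shared pointer will get an invalid free() on its first update. Either document that only heap pointers owned by the table may be stored, or return the old pointer to the caller instead of freeing it. The header comment also needs repair, since `* Returns 1 on successduplicated key (not added)` reads like two lines merged; `* Returns 1 on success (key found, previous data freed and replaced).` states what the code does. The "Key must not be NULL" line is not enforced before `strcmp(curr_node->key, key)`; presumably callers guarantee it, but a comment saying so (or an early `return(0)`) would make that explicit.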
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/help.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/list_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-/* Common API for dealing with lists */
+/* Common API for dealing with lists */
#include "shared.h"
-/* Create the list
+/* Create the list
* Return NULL on error
*/
OSList *OSList_Create()
my_list = calloc(1, sizeof(OSList));
if(!my_list)
return(NULL);
-
+
my_list->first_node = NULL;
my_list->last_node = NULL;
my_list->cur_node = NULL;
my_list->currently_size = 0;
my_list->max_size = 0;
my_list->free_data_function = NULL;
-
+
return(my_list);
}
{
return(0);
}
-
+
/* Minimum size is 1 */
if(max_size <= 1)
{
{
return(0);
}
-
+
list->free_data_function = free_data_function;
return(1);
}
{
if(list->cur_node == NULL)
return(NULL);
-
+
list->cur_node = list->cur_node->next;
-
+
return(list->cur_node);
}
-
+
/* Get the prev node from the list
* Returns NULL at the beginning
return(list->cur_node);
}
-
+
/* Get the currently node.
* Returns null when no currently node is available
- */
+ */
OSListNode *OSList_GetCurrentlyNode(OSList *list)
{
return(list->cur_node);
void OSList_DeleteOldestNode(OSList *list)
{
OSListNode *next;
-
+
if(list->first_node)
{
next = list->first_node->next;
if(next)
next->prev = NULL;
else
- list->last_node = next;
-
+ list->last_node = next;
+
free(list->first_node);
list->first_node = next;
}
{
OSListNode *prev;
OSListNode *next;
-
+
if(list->cur_node == NULL)
return;
-
+
prev = list->cur_node->prev;
next = list->cur_node->next;
-
+
/* Setting the previous node of the next one
* and the next node of the previous one.. :)
*/
list->last_node = NULL;
list->first_node = NULL;
}
-
+
/* Freeing the node memory */
free(list->cur_node);
*/
int OSList_AddData(OSList *list, void *data)
{
- OSListNode *newnode;
+ OSListNode *newnode;
/* Allocating memory for new node */
{
list->first_node = newnode;
}
-
+
/* If we have a last node, set the next to new node */
if(list->last_node)
{
list->last_node->next = newnode;
}
-
-
+
+
/* newnode become last node */
list->last_node = newnode;
/* Increment list size */
list->currently_size++;
-
+
/* if currently_size higher than the maximum size, remove the
* oldest node (first one)
*/
{
list->free_data_function(list->first_node->data);
}
-
+
/* Clearing the memory */
free(list->first_node);
-
+
/* First node become the ex first->next */
list->first_node = newnode;
list->currently_size--;
}
}
-
+
return(1);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/math_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
{
int i;
int max_i;
-
+
/* Value can't be even */
if((val % 2) == 0)
{
val++;
}
-
-
+
+
do
{
/* We just need to check odd numbers up until half
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/mem_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
free(ch1);
ch1 = NULL;
}
-
+
/* Cleaning chat ** */
if(ch2)
{
char **nch2 = ch2;
-
+
while(*ch2 != NULL)
{
free(*ch2);
ch2++;
}
-
+
free(nch2);
nch2 = NULL;
}
-
+
return;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/mq_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*/
int StartMQ(char * path, short int type)
{
-
+
if(type == READ)
{
return(OS_BindUnixDomain(path, 0660, OS_MAXSTR + 512));
}
-
+
/* We give up to 21 seconds for the other end to
* start
*/
sleep(2);
if((rc = OS_ConnectUnixDomain(path, OS_MAXSTR + 256)) < 0)
{
- merror(QUEUE_ERROR, __local_name, path,
+ merror(QUEUE_ERROR, __local_name, path,
strerror(errno));
return(-1);
}
/* Checking for global locks */
os_wait();
-
-
+
+
if(loc == SECURE_MQ)
{
loc = message[0];
merror(FORMAT_ERROR, __local_name);
return(0);
}
-
+
message++; /* Pointing now to the location */
-
+
+ if(strncmp(message, "keepalive",9) == 0)
+ {
+ return(0);
+ }
+
snprintf(tmpstr,OS_MAXSTR,"%c:%s->%s",loc, locmsg, message);
}
else
if(queue < 0)
return(-1);
-
+
/* We attempt 5 times to send the message if
* the receiver socket is busy.
* After the first error, we wait 1 second.
return(-1);
}
-
+
/* Unable to send. Socket busy */
sleep(1);
if(OS_SendUnix(queue, tmpstr, 0) < 0)
{
/* Message is going to be lost
* if the application does not care
- * about checking the error
- */
+ * about checking the error
+ */
close(queue);
- queue = -1;
+ queue = -1;
return(-1);
}
}
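Review bot: The new `if(strncmp(message, "keepalive",9) == 0)` test in SendMSG is a prefix match, so any message whose text merely begins with "keepalive" is discarded, and it does so with `return(0)`, the same value the successful send path returns, so the caller cannot tell that nothing was queued. If the intent is to drop exactly the agent keepalive, `if(strcmp(message, "keepalive") == 0)` is the tighter test, and a one-line comment such as `/* keepalives carry no event; drop them before queueing */` would record why they are filtered here rather than by the reader. SendMSG's body continues past the end of this hunk.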
int Privsep_GetUser(char * name)
{
int os_uid = -1;
-
+
struct passwd *pw;
pw = getpwnam(name);
if(pw == NULL)
return(OS_INVALID);
os_uid = (int)pw->pw_uid;
- endpwent();
-
+ endpwent();
+
return(os_uid);
}
int Privsep_GetGroup(char * name)
{
int os_gid = -1;
-
+
struct group *grp;
grp = getgrnam(name);
if(grp == NULL)
return(OS_INVALID);
os_gid = (int)grp->gr_gid;
- endgrent();
-
+ endgrent();
+
return(os_gid);
}
int Privsep_SetGroup(gid_t gid)
{
if (setgroups(1, &gid) == -1)
- return(OS_INVALID);
-
+ return(OS_INVALID);
+
#ifndef HPUX
if(setegid(gid) < 0)
return(OS_INVALID);
#endif
-
+
if(setgid(gid) < 0)
return(OS_INVALID);
-
+
return(OS_SUCCESS);
}
{
if(chdir(path) < 0)
return(OS_INVALID);
-
+
if(chroot(path) < 0)
return(OS_INVALID);
-
+
chdir("/");
-
+
return(OS_SUCCESS);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/pthreads_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/read-agents.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int i;
if(!agent_list)
return;
-
+
for(i = 0;;i++)
{
if(agent_list[i] == NULL)
#ifndef WIN32
/* Print syscheck attributes. */
-#define sk_strchr(x,y,z) z = strchr(x, y); if(z == NULL) return(0); else { *z = '\0'; z++; }
-int _do_print_attrs_syscheck(char *prev_attrs, char *attrs, int csv_output,
+#define sk_strchr(x,y,z) z = strchr(x, y); if(z == NULL) return(0); else { *z = '\0'; z++; }
+int _do_print_attrs_syscheck(char *prev_attrs, char *attrs, int csv_output,
int is_win, int number_of_changes)
{
char *p_size, *p_perm, *p_uid, *p_gid, *p_md5, *p_sha1;
char perm_str[36];
+ /* a deleted file has no attributes */
+ if(strcmp(attrs, "-1") == 0)
+ {
+ printf("File deleted.\n");
+ return(0);
+ }
+
/* Setting each value. */
size = attrs;
sk_strchr(size, ':', perm);
sk_strchr(uid, ':', gid);
sk_strchr(gid, ':', md5);
sk_strchr(md5, ':', sha1);
-
- if(strcmp(attrs, "-1") == 0)
- {
- printf("File deleted. ");
- return(0);
- }
- else if(prev_attrs && (strcmp(prev_attrs, "-1") == 0))
+
+ p_size = size;
+ p_perm = perm;
+ p_uid = uid;
+ p_gid = gid;
+ p_md5 = md5;
+ p_sha1 = sha1;
+
+ if(prev_attrs && (strcmp(prev_attrs, "-1") == 0))
{
printf("File restored. ");
}
}
else
{
- p_size = size;
- p_perm = perm;
- p_uid = uid;
- p_gid = gid;
- p_md5 = md5;
- p_sha1 = sha1;
printf("File added to the database. ");
}
case 1:
printf("- 1st time modified.\n");
break;
- case 2:
+ case 2:
printf("- 2nd time modified.\n");
break;
- case 3:
+ case 3:
printf("- 3rd time modified.\n");
break;
default:
- printf("- Being ignored (3 or more changes).\n");
+ printf("- Being ignored (3 or more changes).\n");
}
}
else
perm_str[35] = '\0';
perm_int = atoi(perm);
- snprintf(perm_str, 35,
+ snprintf(perm_str, 35,
"%c%c%c%c%c%c%c%c%c",
(perm_int & S_IRUSR)? 'r' : '-',
(perm_int & S_IWUSR)? 'w' : '-',
-
+
(perm_int & S_ISUID)? 's' :
(perm_int & S_IXUSR)? 'x' : '-',
-
+
(perm_int & S_IRGRP)? 'r' : '-',
(perm_int & S_IWGRP)? 'w' : '-',
-
+
(perm_int & S_ISGID)? 's' :
(perm_int & S_IXGRP)? 'x' : '-',
-
-
+
+
(perm_int & S_IROTH)? 'r' : '-',
(perm_int & S_IWOTH)? 'w' : '-',
(perm_int & S_ISVTX)? 't' :
}
printf(" Md5: %s%s\n", (strcmp(md5,p_md5) == 0)? " ": " >", md5);
printf(" Sha1:%s%s\n", (strcmp(sha1,p_sha1) == 0)? " ": " >", sha1);
-
+
/* Fixing entries. */
perm[-1] = ':';
/* Print information about a specific file. */
-int _do_print_file_syscheck(FILE *fp, char *fname,
+int _do_print_file_syscheck(FILE *fp, char *fname,
int update_counter, int csv_output)
{
int f_found = 0;
struct tm *tm_time;
-
+
char read_day[24 +1];
char buf[OS_MAXSTR + 1];
OSStore *files_list;
fpos_t init_pos;
-
+
buf[OS_MAXSTR] = '\0';
read_day[24] = '\0';
printf("\n** ERROR: fgetpos failed.\n");
return(0);
}
-
-
+
+
while(fgets(buf, OS_MAXSTR, fp) != NULL)
{
- if(buf[0] == '!' || buf[0] == '#')
+ if(buf[0] == '!' || buf[0] == '#' || buf[0] == '+')
{
int number_changes = 0;
time_t change_time = 0;
char *changed_attrs;
char *prev_attrs;
-
+
if(strlen(buf) < 16)
{
fgetpos(fp, &init_pos);
continue;
}
-
- /* Removing new line. */
- buf[strlen(buf) -1] = '\0';
+
+ /* Removing new line. */
+ buf[strlen(buf) -1] = '\0';
/* with update counter, we only modify the last entry. */
changed_attrs = buf + 3;
-
+
changed_file_name = strchr(changed_attrs, '!');
if(!changed_file_name)
{
fgetpos(fp, &init_pos);
continue;
}
-
-
+
+
/* Getting time of change. */
changed_file_name[-1] = '\0';
changed_file_name++;
change_time = (time_t)atoi(changed_file_name);
-
+
changed_file_name = strchr(changed_file_name, ' ');
- changed_file_name++;
-
+ changed_file_name++;
+
/* Checking if the name should be printed. */
- if(!OSMatch_Execute(changed_file_name, strlen(changed_file_name),
+ if(!OSMatch_Execute(changed_file_name, strlen(changed_file_name),
®))
{
fgetpos(fp, &init_pos);
f_found = 1;
-
-
+
+
/* Reset the values. */
if(update_counter)
{
}
}
- printf("\n**Counter updated for file '%s'\n\n",
+ printf("\n**Counter updated for file '%s'\n\n",
changed_file_name);
return(0);
}
-
+
tm_time = localtime(&change_time);
strftime(read_day, 23, "%Y %h %d %T", tm_time);
-
- if(!csv_output)
- printf("\n%s,%d - %s\n", read_day, number_changes,
+
+ if(!csv_output)
+ printf("\n%s,%d - %s\n", read_day, number_changes,
changed_file_name);
- else
- printf("%s,%s,%d\n", read_day, changed_file_name,
+ else
+ printf("%s,%s,%d\n", read_day, changed_file_name,
number_changes);
-
-
+
+
prev_attrs = OSStore_Get(files_list, changed_file_name);
if(prev_attrs)
{
char *new_attrs;
os_strdup(changed_attrs, new_attrs);
- _do_print_attrs_syscheck(prev_attrs, changed_attrs,
- csv_output,
+ _do_print_attrs_syscheck(prev_attrs, changed_attrs,
+ csv_output,
changed_file_name[0] == '/'?0:1,
number_changes);
-
+
free(files_list->cur_node->data);
- files_list->cur_node->data = new_attrs;
+ files_list->cur_node->data = new_attrs;
}
else
{
char *new_name;
char *new_attrs;
-
+
os_strdup(changed_attrs, new_attrs);
os_strdup(changed_file_name, new_name);
OSStore_Put(files_list, new_name, new_attrs);
- _do_print_attrs_syscheck(NULL,
+ _do_print_attrs_syscheck(NULL,
changed_attrs, csv_output,
changed_file_name[0] == '/'?0:1,
number_changes);
printf("\n** No entries found.\n");
}
OSMatch_FreePattern(®);
-
+
return(0);
}
{
int f_found = 0;
struct tm *tm_time;
-
+
char read_day[24 +1];
char saved_read_day[24 +1];
char buf[OS_MAXSTR + 1];
-
+
buf[OS_MAXSTR] = '\0';
read_day[24] = '\0';
saved_read_day[0] = '\0';
saved_read_day[24] = '\0';
-
+
while(fgets(buf, OS_MAXSTR, fp) != NULL)
{
if(buf[0] == '!' || buf[0] == '#')
time_t change_time = 0;
char *changed_file_name;
-
+
if(strlen(buf) < 16)
continue;
-
- /* Removing new line. */
- buf[strlen(buf) -1] = '\0';
-
+
+ /* Removing new line. */
+ buf[strlen(buf) -1] = '\0';
+
/* Checking number of changes. */
if(buf[1] == '!')
number_changes = 4;
}
}
-
+
changed_file_name = strchr(buf +3, '!');
if(!changed_file_name)
continue;
-
-
+
+
f_found = 1;
-
-
+
+
/* Getting time of change. */
changed_file_name++;
change_time = atoi(changed_file_name);
-
+
changed_file_name = strchr(changed_file_name, ' ');
- changed_file_name++;
-
+ changed_file_name++;
+
tm_time = localtime(&change_time);
strftime(read_day, 23, "%Y %h %d", tm_time);
if(strcmp(read_day, saved_read_day) != 0)
strncpy(saved_read_day, read_day, 23);
}
strftime(read_day, 23, "%Y %h %d %T", tm_time);
-
- if(!csv_output)
- printf("%s,%d - %s\n", read_day, number_changes,
+
+ if(!csv_output)
+ printf("%s,%d - %s\n", read_day, number_changes,
changed_file_name);
- else
- printf("%s,%s,%d\n", read_day, changed_file_name,
+ else
+ printf("%s,%s,%d\n", read_day, changed_file_name,
number_changes);
}
}
{
printf("\n** No entries found.\n");
}
-
+
return(0);
}
/* Print syscheck db (of modified files. */
-int print_syscheck(char *sk_name, char *sk_ip, char *fname, int print_registry,
+int print_syscheck(char *sk_name, char *sk_ip, char *fname, int print_registry,
int all_files, int csv_output, int update_counter)
{
FILE *fp;
fp = fopen(tmp_file, "r+");
}
-
+
else if(!print_registry)
{
/* Printing database */
/* Print syscheck db (of modified files. */
-int _do_print_rootcheck(FILE *fp, int resolved, int time_last_scan,
+int _do_print_rootcheck(FILE *fp, int resolved, int time_last_scan,
int csv_output, int show_last)
{
int i = 0;
int f_found = 0;
-
+
/* Current time. */
time_t c_time;
time_t s_time = 0;
time_t i_time = 0;
struct tm *tm_time;
-
+
char old_day[24 +1];
char read_day[24 +1];
char buf[OS_MAXSTR + 1];
char *(ns_events[]) = {"Application Found:",
"Windows Audit:",
"Windows Malware:",
- NULL};
-
+ NULL};
+
buf[OS_MAXSTR] = '\0';
old_day[24] = '\0';
read_day[24] = '\0';
-
+
c_time = time(0);
fseek(fp, 0, SEEK_SET);
{
tm_time = localtime((time_t *)&time_last_scan);
strftime(read_day, 23, "%Y %h %d %T", tm_time);
-
+
printf("\nLast scan: %s\n\n", read_day);
}
else if(resolved)
printf("\nResolved events: \n\n");
else
- printf("\nOutstanding events: \n\n");
+ printf("\nOutstanding events: \n\n");
}
if(tmp_str)
*tmp_str = '\0';
-
+
/* Getting initial time. */
tmp_str = strchr(buf + 1, '!');
if(!tmp_str)
tmp_str = strchr(tmp_str, ' ');
if(!tmp_str)
continue;
- tmp_str++;
-
+ tmp_str++;
+
+
-
/* Checking for resolved. */
if(time_last_scan > (s_time + 86400))
{
{
if(strncmp(tmp_str, ig_events[i], strlen(ig_events[i]) -1) == 0)
break;
- i++;
+ i++;
}
if(ig_events[i])
continue;
-
+
/* Checking events that are not system audit. */
i = 0;
while(ns_events[i])
break;
i++;
}
-
+
tm_time = localtime((time_t *)&s_time);
strftime(read_day, 23, "%Y %h %d %T", tm_time);
tm_time = localtime((time_t *)&i_time);
strftime(old_day, 23, "%Y %h %d %T", tm_time);
-
+
if(!csv_output)
{
printf("%s,%s,%s,%s%s\n", resolved == 0?"outstanding":"resolved",
read_day, old_day,
ns_events[i] != NULL?"":"System Audit: ",
- tmp_str);
+ tmp_str);
}
-
-
-
+
+
+
f_found++;
}
{
printf("** No entries found.\n");
}
-
+
return(0);
}
/* Print rootcheck db */
-int print_rootcheck(char *sk_name, char *sk_ip, char *fname, int resolved,
+int print_rootcheck(char *sk_name, char *sk_ip, char *fname, int resolved,
int csv_output, int show_last)
{
int ltime = 0;
fp = fopen(tmp_file, "r+");
}
-
+
else
{
/* Printing database */
#endif
-/* Delete syscheck db */
+/* Delete syscheck db */
int delete_syscheck(char *sk_name, char *sk_ip, int full_delete)
{
FILE *fp;
char tmp_file[513];
tmp_file[512] = '\0';
-
+
/* Deleting related files */
snprintf(tmp_file, 512, "%s/(%s) %s->syscheck",
SYSCHECK_DIR,
if(fp)
fclose(fp);
- if(full_delete)
+ if(full_delete)
unlink(tmp_file);
-/* Delete rootcheck db */
+/* Delete rootcheck db */
int delete_rootcheck(char *sk_name, char *sk_ip, int full_delete)
{
FILE *fp;
char tmp_file[513];
tmp_file[512] = '\0';
-
+
/* Deleting related files */
snprintf(tmp_file, 512, "%s/(%s) %s->rootcheck",
ROOTCHECK_DIR,
if(fp)
fclose(fp);
- if(full_delete)
+ if(full_delete)
unlink(tmp_file);
/* Deleting syscheck */
delete_syscheck(sk_name, sk_ip, 1);
-
+
return(1);
}
-
+
/** char *print_agent_status(int status)
* Prints the text representation of the agent status.
char agt_msg[OS_SIZE_1024 +1];
agt_msg[OS_SIZE_1024] = '\0';
-
+
if(!exec)
{
}
-
+
if((rc = OS_SendUnix(msocket, agt_msg, 0)) < 0)
{
if(rc == OS_SOCKBUSY)
int connect_to_remoted()
{
int arq = -1;
-
+
if((arq = StartMQ(ARQUEUE, WRITE)) < 0)
{
merror(ARQ_ERROR, __local_name);
/* Agent name of null, means it is the server info. */
if(agent_name == NULL)
{
- snprintf(buf, 1024, "%s/rootcheck",
+ snprintf(buf, 1024, "%s/rootcheck",
ROOTCHECK_DIR);
}
else
{
- snprintf(buf, 1024, "%s/(%s) %s->rootcheck",
+ snprintf(buf, 1024, "%s/(%s) %s->rootcheck",
ROOTCHECK_DIR, agent_name, agent_ip);
}
-
+
/* If file is not there, set to unknown. */
fp = fopen(buf, "r");
os_strdup("Unknown", agt_info->syscheck_endtime);
return(0);
}
-
+
while(fgets(buf, 1024, fp) != NULL)
{
tmp_str = strchr(agt_info->syscheck_time, '\n');
if(tmp_str)
*tmp_str = '\0';
-
+
continue;
}
tmp_str = strchr(agt_info->syscheck_endtime, '\n');
if(tmp_str)
*tmp_str = '\0';
-
+
continue;
}
-
+
tmp_str = strstr(buf, "Starting rootcheck scan");
if(tmp_str)
os_strdup("Unknown", agt_info->syscheck_time);
if(!agt_info->syscheck_endtime)
os_strdup("Unknown", agt_info->syscheck_endtime);
-
+
fclose(fp);
return(0);
}
{
return(strdup("Not available"));
}
-
+
snprintf(buf, 1024, "%s/%s-%s", AGENTINFO_DIR, agent_name, agent_ip);
if(stat(buf, &file_status) < 0)
{
FILE *fp;
char buf[1024 +1];
-
+
/* Getting server info. */
if(!agent_name)
{
return(0);
}
-
+
snprintf(buf, 1024, "%s/%s-%s", AGENTINFO_DIR, agent_name, agent_ip);
fp = fopen(buf, "r");
if(!fp)
os_strdup("Unknown", agt_info->version);
return(0);
}
-
-
+
+
if(fgets(buf, 1024, fp))
{
char *ossec_version = NULL;
ossec_version = strchr(buf, '\n');
if(ossec_version)
*ossec_version = '\0';
-
-
+
+
ossec_version = strstr(buf, " - ");
if(ossec_version)
{
}
fclose(fp);
-
+
os_strdup("Unknown", agt_info->os);
os_strdup("Unknown", agt_info->version);
-
+
return(0);
}
char tmp_file[513];
char *agent_ip_pt = NULL;
char *tmp_str = NULL;
-
+
agent_info *agt_info = NULL;
tmp_file[512] = '\0';
if(tmp_str)
*tmp_str = '\0';
-
+
/* Setting back the ip address. */
if(agent_ip_pt)
{
char tmp_file[513];
char *agent_ip_pt = NULL;
-
+
struct stat file_status;
tmp_file[512] = '\0';
/* Server info. */
if(agent_name == NULL)
{
- return(GA_STATUS_ACTIVE);
+ return(GA_STATUS_ACTIVE);
}
-
+
/* Removing the "/", since it is not present on the file. */
if((agent_ip_pt = strchr(agent_ip, '/')))
{
return(GA_STATUS_INV);
}
-
+
if(file_status.st_mtime > (time(0) - (3*NOTIFY_TIME + 30)))
{
}
-
+
/* List available agents.
*/
char **get_agents(int flag)
{
int f_size = 0;
-
+
char **f_files = NULL;
DIR *dp;
struct dirent *entry;
-
+
/* Opening the directory given */
dp = opendir(AGENTINFO_DIR);
- if(!dp)
+ if(!dp)
{
merror("%s: Error opening directory: '%s': %s ",
__local_name,
AGENTINFO_DIR,
strerror(errno));
return(NULL);
- }
+ }
/* Reading directory */
int status = 0;
char tmp_file[513];
tmp_file[512] = '\0';
-
+
/* Just ignore . and .. */
if((strcmp(entry->d_name,".") == 0) ||
(strcmp(entry->d_name,"..") == 0))
if(stat(tmp_file, &file_status) < 0)
continue;
-
+
if(file_status.st_mtime > (time(0) - (3*NOTIFY_TIME + 30)))
{
status = 1;
continue;
}
}
-
+
f_files = (char **)realloc(f_files, (f_size +2) * sizeof(char *));
if(!f_files)
{
if(flag == GA_ALL_WSTATUS)
{
char agt_stat[512];
-
+
snprintf(agt_stat, sizeof(agt_stat) -1, "%s %s",
- entry->d_name, status == 1?"active":"disconnected");
+ entry->d_name, status == 1?"active":"disconnected");
os_strdup(agt_stat, f_files[f_size]);
}
{
os_strdup(entry->d_name, f_files[f_size]);
}
-
+
f_files[f_size +1] = NULL;
-
+
f_size++;
}
-
+
closedir(dp);
return(f_files);
}
-
+
/* EOF */
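Review bot: `_do_print_file_syscheck` now accepts entries beginning with '+' (`if(buf[0] == '!' || buf[0] == '#' || buf[0] == '+')`), but `_do_print_syscheck` later in the same hunk still tests only `if(buf[0] == '!' || buf[0] == '#')`, so whatever the '+' entries represent, they appear in the per-file report and are skipped in the full listing. If the new prefix is meant for both readers, the second test should be updated to match; if it is deliberately single-file only, a comment next to the first test saying so would prevent the next reader from "fixing" it. Both parsers also rely on the `buf + 3` offset and the `strlen(buf) < 16` minimum that the existing prefixes share; the '+' lines are presumably laid out the same way, but that is worth confirming where they are written.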
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/read-alert.c, 2011/11/09 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#define RULE_BEGIN_SZ 6
#define SRCIP_BEGIN "Src IP: "
#define SRCIP_BEGIN_SZ 8
+#define GEOIP_BEGIN_SRC "Src Location: "
+#define GEOIP_BEGIN_SRC_SZ 14
+#define GEOIP_BEGIN_DST "Dst Location: "
+#define GEOIP_BEGIN_DST_SZ 14
+#define SRCPORT_BEGIN "Src Port: "
+#define SRCPORT_BEGIN_SZ 10
+#define DSTIP_BEGIN "Dst IP: "
+#define DSTIP_BEGIN_SZ 8
+#define DSTPORT_BEGIN "Dst Port: "
+#define DSTPORT_BEGIN_SZ 10
#define USER_BEGIN "User: "
#define USER_BEGIN_SZ 6
#define ALERT_MAIL "mail"
#define ALERT_MAIL_SZ 4
#define ALERT_AR "active-response"
+#define OLDMD5_BEGIN "Old md5sum was: "
+#define OLDMD5_BEGIN_SZ 16
+#define NEWMD5_BEGIN "New md5sum is : "
+#define NEWMD5_BEGIN_SZ 16
+#define OLDSHA1_BEGIN "Old sha1sum was: "
+#define OLDSHA1_BEGIN_SZ 17
+#define NEWSHA1_BEGIN "New sha1sum is : "
+#define NEWSHA1_BEGIN_SZ 17
/** void FreeAlertData(alert_data *al_data)
*/
void FreeAlertData(alert_data *al_data)
{
+ char **p;
+
+ if(al_data->alertid)
+ {
+ free(al_data->alertid);
+ al_data->alertid = NULL;
+ }
if(al_data->date)
{
free(al_data->date);
+ al_data->date = NULL;
}
if(al_data->location)
{
free(al_data->location);
+ al_data->location = NULL;
}
if(al_data->comment)
{
free(al_data->comment);
+ al_data->comment = NULL;
}
if(al_data->group)
{
free(al_data->group);
+ al_data->group = NULL;
}
if(al_data->srcip)
{
free(al_data->srcip);
+ al_data->srcip = NULL;
+ }
+ if(al_data->dstip)
+ {
+ free(al_data->dstip);
+ al_data->dstip = NULL;
}
if(al_data->user)
{
free(al_data->user);
+ al_data->user = NULL;
+ }
+ if(al_data->filename)
+ {
+ free(al_data->filename);
+ al_data->filename = NULL;
+ }
+ if(al_data->old_md5)
+ {
+ free(al_data->old_md5);
+ al_data->old_md5 = NULL;
+ }
+ if(al_data->new_md5)
+ {
+ free(al_data->new_md5);
+ al_data->new_md5 = NULL;
+ }
+ if(al_data->old_sha1)
+ {
+ free(al_data->old_sha1);
+ al_data->old_sha1 = NULL;
+ }
+ if(al_data->new_sha1)
+ {
+ free(al_data->new_sha1);
+ al_data->new_sha1 = NULL;
}
if(al_data->log)
{
- while(*(al_data->log))
+ p = al_data->log;
+
+ while(*(p))
{
- free(*(al_data->log));
- al_data->log++;
+ free(*(p));
+ *(p) = NULL;
+ p++;
}
+ free(al_data->log);
+ al_data->log = NULL;
+ }
+#ifdef GEOIP
+ if (al_data->geoipdatasrc)
+ {
+ free(al_data->geoipdatasrc);
+ al_data->geoipdatasrc = NULL;
}
+ if (al_data->geoipdatadst)
+ {
+ free(al_data->geoipdatadst);
+ al_data->geoipdatadst = NULL;
+ }
+#endif
free(al_data);
al_data = NULL;
}
*/
alert_data *GetAlertData(int flag, FILE *fp)
{
- int _r = 0, log_size;
+ int _r = 0, log_size = 0, issyscheck = 0;
char *p;
+ char *alertid = NULL;
char *date = NULL;
char *comment = NULL;
char *location = NULL;
char *srcip = NULL;
+ char *dstip = NULL;
char *user = NULL;
char *group = NULL;
+ char *filename = NULL;
+ char *old_md5 = NULL;
+ char *new_md5 = NULL;
+ char *old_sha1 = NULL;
+ char *new_sha1 = NULL;
char **log = NULL;
- int level, rule;
-
+#ifdef GEOIP
+ char *geoipdatasrc = NULL;
+ char *geoipdatadst = NULL;
+#endif
+ int level, rule, srcport = 0, dstport = 0;
+
+
char str[OS_BUFFER_SIZE+1];
str[OS_BUFFER_SIZE]='\0';
while(fgets(str, OS_BUFFER_SIZE, fp) != NULL)
{
-
+
/* Enf of alert */
- if(strcmp(str, "\n") == 0)
+ if(strcmp(str, "\n") == 0 && log_size > 0)
{
/* Found in here */
if(_r == 2)
{
alert_data *al_data;
os_calloc(1, sizeof(alert_data), al_data);
+ al_data->alertid = alertid;
al_data->level = level;
al_data->rule = rule;
al_data->location = location;
al_data->group = group;
al_data->log = log;
al_data->srcip = srcip;
+ al_data->srcport = srcport;
+ al_data->dstip = dstip;
+ al_data->dstport = dstport;
al_data->user = user;
al_data->date = date;
-
+ al_data->filename = filename;
+#ifdef GEOIP
+ al_data->geoipdatasrc = geoipdatasrc;
+ al_data->geoipdatadst = geoipdatadst;
+#endif
+ al_data->old_md5 = old_md5;
+ al_data->new_md5 = new_md5;
+ al_data->old_sha1 = old_sha1;
+ al_data->new_sha1 = new_sha1;
+
+
return(al_data);
}
_r = 0;
}
-
-
+
+
/* Checking for the header */
if(strncmp(ALERT_BEGIN, str, ALERT_BEGIN_SZ) == 0)
{
+ char *m;
+ int z = 0;
p = str + ALERT_BEGIN_SZ + 1;
-
+
+ m = strstr(p, ":");
+ if (!m)
+ {
+ continue;
+ }
+
+ z = strlen(p) - strlen(m);
+ os_realloc(alertid, (z + 1)*sizeof(char *), alertid);
+ strncpy(alertid, p, z);
+ alertid[z] = '\0';
+
/* Searching for email flag */
p = strchr(p, ' ');
if(!p)
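Review bot: The alert-id buffer in the new header parsing is sized as `(z + 1)*sizeof(char *)` in the `os_realloc(alertid, ...)` line, but `alertid` holds a `char` string, so every alert over-allocates by the pointer width; the intended size is `os_realloc(alertid, z + 1, alertid);`, and `z = m - p;` states the id length more directly than the two `strlen` calls. The copy is bounded by `z` and explicitly terminated, so this is a sizing inconsistency rather than an overflow. GetAlertData's body continues well past this hunk.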
}
p++;
-
-
- /* Checking for the flags */
- if((flag & CRALERT_MAIL_SET) &&
+
+
+ /* Checking for the flags */
+ if((flag & CRALERT_MAIL_SET) &&
(strncmp(ALERT_MAIL, p, ALERT_MAIL_SZ) != 0))
{
continue;
/* Cleaning new line from group */
os_clearnl(group, p);
+ if(group != NULL && strstr(group, "syscheck") != NULL)
+ {
+ issyscheck = 1;
+ }
}
if(_r < 1)
continue;
-
-
+
+
/*** Extract information from the event ***/
-
+
/* r1 means: 2006 Apr 13 16:15:17 /var/log/auth.log */
if(_r == 1)
{
/* Clear new line */
os_clearnl(str, p);
-
+
p = strchr(str, ':');
if(p)
{
/* If not, str is date and p is the location */
if(date || location)
merror("ZZZ Merror date or location not NULL");
-
+
os_strdup(str, date);
- os_strdup(p, location);
+ os_strdup(p, location);
_r = 2;
log_size = 0;
continue;
}
-
+
else if(_r == 2)
{
/* Rule begin */
if(strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0)
{
os_clearnl(str,p);
-
+
p = str + RULE_BEGIN_SZ;
rule = atoi(p);
if(!p)
goto l_error;
-
+
level = atoi(p);
-
+
/* Getting the comment */
p = strchr(p, '\'');
if(!p)
goto l_error;
-
+
p++;
os_strdup(p, comment);
-
+
/* Must have the closing \' */
p = strrchr(comment, '\'');
if(p)
goto l_error;
}
}
-
+
/* srcip */
else if(strncmp(SRCIP_BEGIN, str, SRCIP_BEGIN_SZ) == 0)
{
os_clearnl(str,p);
-
+
p = str + SRCIP_BEGIN_SZ;
os_strdup(p, srcip);
}
+#ifdef GEOIP
+ /* GeoIP Source Location */
+ else if (strncmp(GEOIP_BEGIN_SRC, str, GEOIP_BEGIN_SRC_SZ) == 0)
+ {
+ os_clearnl(str,p);
+ p = str + GEOIP_BEGIN_SRC_SZ;
+ os_strdup(p, geoipdatasrc);
+ }
+#endif
+ /* srcport */
+ else if(strncmp(SRCPORT_BEGIN, str, SRCPORT_BEGIN_SZ) == 0)
+ {
+ os_clearnl(str,p);
+
+ p = str + SRCPORT_BEGIN_SZ;
+ srcport = atoi(p);
+ }
+ /* dstip */
+ else if(strncmp(DSTIP_BEGIN, str, DSTIP_BEGIN_SZ) == 0)
+ {
+ os_clearnl(str,p);
+
+ p = str + DSTIP_BEGIN_SZ;
+ os_strdup(p, dstip);
+ }
+#ifdef GEOIP
+ /* GeoIP Destination Location */
+ else if (strncmp(GEOIP_BEGIN_DST, str, GEOIP_BEGIN_DST_SZ) == 0)
+ {
+ os_clearnl(str,p);
+ p = str + GEOIP_BEGIN_DST_SZ;
+ os_strdup(p, geoipdatadst);
+ }
+#endif
+ /* dstport */
+ else if(strncmp(DSTPORT_BEGIN, str, DSTPORT_BEGIN_SZ) == 0)
+ {
+ os_clearnl(str,p);
+
+ p = str + DSTPORT_BEGIN_SZ;
+ dstport = atoi(p);
+ }
/* username */
else if(strncmp(USER_BEGIN, str, USER_BEGIN_SZ) == 0)
{
os_clearnl(str,p);
-
+
p = str + USER_BEGIN_SZ;
os_strdup(p, user);
}
+ /* Old MD5 */
+ else if(strncmp(OLDMD5_BEGIN, str, OLDMD5_BEGIN_SZ) == 0)
+ {
+ os_clearnl(str,p);
+
+ p = str + OLDMD5_BEGIN_SZ;
+ os_strdup(p, old_md5);
+ }
+ /* New MD5 */
+ else if(strncmp(NEWMD5_BEGIN, str, NEWMD5_BEGIN_SZ) == 0)
+ {
+ os_clearnl(str,p);
+
+ p = str + NEWMD5_BEGIN_SZ;
+ os_strdup(p, new_md5);
+ }
+ /* Old SHA1 */
+ else if(strncmp(OLDSHA1_BEGIN, str, OLDSHA1_BEGIN_SZ) == 0)
+ {
+ os_clearnl(str,p);
+
+ p = str + OLDSHA1_BEGIN_SZ;
+ os_strdup(p, old_sha1);
+ }
+ /* New SHA1 */
+ else if(strncmp(NEWSHA1_BEGIN, str, NEWSHA1_BEGIN_SZ) == 0)
+ {
+ os_clearnl(str,p);
+
+ p = str + NEWSHA1_BEGIN_SZ;
+ os_strdup(p, new_sha1);
+ }
/* It is a log message */
else if(log_size < 20)
{
os_clearnl(str,p);
-
+
+ if(str != NULL && issyscheck == 1)
+ {
+ if(strncmp(str, "Integrity checksum changed for: '",33) == 0)
+ {
+ filename = strdup(str+33);
+ if(filename)
+ {
+ filename[strlen(filename) -1] = '\0';
+ }
+ }
+ issyscheck = 0;
+ }
+
os_realloc(log, (log_size +2)*sizeof(char *), log);
- os_strdup(str, log[log_size]);
+ os_strdup(str, log[log_size]);
log_size++;
log[log_size] = NULL;
}
continue;
l_error:
-
+
/* Freeing the memory */
_r = 0;
if(date)
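Review bot: The syscheck filename extraction in this hunk does `filename[strlen(filename) - 1] = '\0'` without checking that the duplicated string is non-empty, so an alert line consisting of exactly the 33-byte prefix (nothing after the opening quote once the newline is cleared) yields `strdup("")` and a one-byte write before the start of the heap block. Guard the trim and only strip an actual closing quote: `size_t n = strlen(filename); if(n > 0 && filename[n - 1] == '\'') filename[n - 1] = '\0';`. The `str != NULL` test on the same branch is always true because `str` is a local array and can be dropped. These lines are parsed from the on-disk alert file, so the bounds check is what keeps a malformed or truncated line from corrupting the reader; GetAlertData's body continues outside this hunk.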
free(srcip);
srcip = NULL;
}
+#ifdef GEOIP
+ if(geoipdatasrc)
+ {
+ free(geoipdatasrc);
+ geoipdatasrc = NULL;
+ }
+ if(geoipdatadst)
+ {
+ free(geoipdatadst);
+ geoipdatadst = NULL;
+ }
+#endif
if(user)
{
free(user);
user = NULL;
}
+ if(filename)
+ {
+ free(filename);
+ filename = NULL;
+ }
if(group)
{
free(group);
group = NULL;
}
+ if(old_md5)
+ {
+ free(old_md5);
+ old_md5 = NULL;
+ }
+
+ if(new_md5)
+ {
+ free(new_md5);
+ new_md5 = NULL;
+ }
+
+ if(old_sha1)
+ {
+ free(old_sha1);
+ old_sha1 = NULL;
+ }
+
+ if(new_sha1)
+ {
+ free(new_sha1);
+ new_sha1 = NULL;
+ }
while(log_size > 0)
{
log_size--;
}
}
+ if(alertid)
+ {
+ free(alertid);
+ alertid = NULL;
+ }
+
/* We need to clean end of file before returning */
clearerr(fp);
return(NULL);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/regex_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
int OS_PRegex(char *str, char *regex)
{
regex_t preg;
-
+
if(!str || !regex)
return(0);
-
-
+
+
if(regcomp(&preg, regex, REG_EXTENDED|REG_NOSUB) != 0)
{
merror("%s: Posix Regex compile error (%s).", __local_name, regex);
regfree(&preg);
return(1);
-
+
}
#endif
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/report_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/* Sort function used by OSStore sort.
- * Returns if d1 > d2.
+ * Returns if d1 > d2.
*/
void *_os_report_sort_compare(void *d1, void *d2)
{
OSList *d1l = (OSList *)d1;
- OSList *d2l = (OSList *)d2;
+ OSList *d2l = (OSList *)d2;
if(d1l->currently_size > d2l->currently_size)
{
int _os_report_str_int_compare(char *str, int id)
{
int pt_check = 0;
-
+
do
{
if((*str == ',')||(*str == ' '))
return(0);
}
}
+ if(r_filter->files)
+ {
+ if(!strstr(al_data->filename, r_filter->files))
+ {
+ return(0);
+ }
+ }
return(1);
}
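Review bot: The new `files` filter calls `strstr(al_data->filename, r_filter->files)` without checking `al_data->filename`, which GetAlertData sets only on the syscheck "Integrity checksum changed" path and leaves NULL for every other alert; with a filename filter configured, the first non-syscheck alert passes a null pointer to `strstr`. Treat a missing filename as a non-match: `if(!al_data->filename || !strstr(al_data->filename, r_filter->files))`. The enclosing function starts outside this hunk.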
}
return(prev_filter);
}
+ else if(strcmp(filter_by, "filename") == 0)
+ {
+ if(!(prev_filter & REPORT_REL_FILE))
+ {
+ prev_filter|=REPORT_REL_FILE;
+ }
+ return(prev_filter);
+ }
else
{
merror("%s: ERROR: Invalid relation '%s'.", __local_name, filter_by);
return(-1);
- }
+ }
}
OSListNode *list_entry;
alert_data *list_aldata;
alert_data *saved_aldata;
-
-
+
+
list_entry = OSList_GetFirstNode(st_data);
while(list_entry)
{
saved_aldata = (alert_data *)list_entry->data;
-
+
/* Removing duplicates. */
list_entry = list_entry->prev;
while(list_entry)
else if(print_related & REPORT_REL_USER)
{
list_aldata = (alert_data *)list_entry->data;
- if(strcmp(list_aldata->user, saved_aldata->user) == 0)
+ if(list_aldata->user == NULL || saved_aldata->user == NULL)
+ {
+ }
+ else if(strcmp(list_aldata->user, saved_aldata->user) == 0)
{
break;
}
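Review bot: The NULL guard added here uses an empty `if` body as the no-op branch, which reads like an unfinished block; the same shape is repeated in the srcip hunk and in the new REPORT_REL_FILE hunk below it. A single combined condition keeps the early `break` and makes the intent explicit: `if(list_aldata->user && saved_aldata->user && strcmp(list_aldata->user, saved_aldata->user) == 0) { break; }`. The loop containing these checks starts outside the hunk.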
else if(print_related & REPORT_REL_SRCIP)
{
list_aldata = (alert_data *)list_entry->data;
- if(strcmp(list_aldata->srcip, saved_aldata->srcip) == 0)
+ if(list_aldata->srcip == NULL || saved_aldata->srcip == NULL)
+ {
+ }
+ else if(strcmp(list_aldata->srcip, saved_aldata->srcip) == 0)
{
break;
}
break;
}
}
+ else if(print_related & REPORT_REL_FILE)
+ {
+ list_aldata = (alert_data *)list_entry->data;
+ if(list_aldata->filename == NULL || saved_aldata->filename == NULL)
+ {
+ }
+ else if(strcmp(list_aldata->filename, saved_aldata->filename) == 0)
+ {
+ break;
+ }
+ }
list_entry = list_entry->prev;
}
l_print_out(" group: '%s'", saved_aldata->group);
else if(print_related & REPORT_REL_RULE)
l_print_out(" rule: '%d'", saved_aldata->rule);
- else if(print_related & REPORT_REL_SRCIP)
+ else if(print_related & REPORT_REL_SRCIP && saved_aldata->srcip)
l_print_out(" srcip: '%s'", saved_aldata->srcip);
- else if(print_related & REPORT_REL_USER)
+ else if(print_related & REPORT_REL_USER && saved_aldata->user)
l_print_out(" user: '%s'", saved_aldata->user);
else if(print_related & REPORT_REL_LEVEL)
l_print_out(" level: '%d'", saved_aldata->level);
+ else if(print_related & REPORT_REL_FILE && saved_aldata->filename)
+ l_print_out(" filename: '%s'", saved_aldata->filename);
}
list_entry = OSList_GetNextNode(st_data);
int dopdout = 0;
OSStore *topstore = (OSStore *)topstore_pt;
OSStoreNode *next_node;
-
+
next_node = OSStore_GetFirstNode(topstore);
while(next_node)
{
_os_report_print_related(REPORT_REL_GROUP, st_data);
if(print_related & REPORT_REL_LEVEL)
_os_report_print_related(REPORT_REL_LEVEL, st_data);
+ if(print_related & REPORT_REL_FILE)
+ _os_report_print_related(REPORT_REL_FILE, st_data);
}
l_print_out(" ");
l_print_out(" ");
}
- return;
+ return;
}
char *first_alert = NULL;
char *last_alert = NULL;
void **data_to_clean = NULL;
-
-
- time_t tm;
- struct tm *p;
-
+
+
+ time_t tm;
+ struct tm *p;
+
file_queue *fileq;
alert_data *al_data;
r_filter->top_rule = OSStore_Create();
r_filter->top_group = OSStore_Create();
r_filter->top_location = OSStore_Create();
-
+ r_filter->top_files = OSStore_Create();
+
Init_FileQueue(fileq, p, CRALERT_READ_ALL|CRALERT_FP_SET);
+
/* Reading the alerts. */
while(1)
{
}
alerts_processed++;
-
+
/* Checking the filters. */
if(!_os_report_check_filters(al_data, r_filter))
FreeAlertData(al_data);
continue;
}
-
-
+
+
alerts_filtered++;
data_to_clean = os_AddPtArray(al_data, data_to_clean);
if(!first_alert)
first_alert = al_data->date;
last_alert = al_data->date;
-
-
+
+
/* Adding source ip if it is set properly. */
- if(strcmp(al_data->srcip, "(none)") != 0)
+ if(al_data->srcip != NULL && strcmp(al_data->srcip, "(none)") != 0)
_os_report_add_tostore(al_data->srcip, r_filter->top_srcip, al_data);
-
+
/* Adding user if it is set properly. */
- if(strcmp(al_data->user, "(none)") != 0)
+ if(al_data->user != NULL && strcmp(al_data->user, "(none)") != 0)
_os_report_add_tostore(al_data->user, r_filter->top_user, al_data);
mrule[76] = '\0';
snprintf(mlevel, 16, "Severity %d" , al_data->level);
snprintf(mrule, 76, "%d - %s" , al_data->rule, al_data->comment);
-
- _os_report_add_tostore(strdup(mlevel), r_filter->top_level,
+
+ _os_report_add_tostore(strdup(mlevel), r_filter->top_level,
al_data);
- _os_report_add_tostore(strdup(mrule), r_filter->top_rule,
+ _os_report_add_tostore(strdup(mrule), r_filter->top_rule,
al_data);
}
mgroup++;
continue;
}
-
- _os_report_add_tostore(tmp_str, r_filter->top_group,
+
+ _os_report_add_tostore(tmp_str, r_filter->top_group,
al_data);
mgroup++;
}
tmp_str++;
if(*tmp_str != '\0')
{
- _os_report_add_tostore(tmp_str, r_filter->top_group,
+ _os_report_add_tostore(tmp_str, r_filter->top_group,
al_data);
}
}
}
- /* Adding to the location top filter. */
- _os_report_add_tostore(al_data->location, r_filter->top_location,
+ /* Adding to the location top filter. */
+ _os_report_add_tostore(al_data->location, r_filter->top_location,
al_data);
+
+
+ if(al_data->filename != NULL)
+ {
+ _os_report_add_tostore(al_data->filename, r_filter->top_files,
+ al_data);
+ }
}
/* No report available */
if(!r_filter->report_name)
merror("%s: INFO: Report completed and zero alerts post-filter.", __local_name);
else
- merror("%s: INFO: Report '%s' completed and zero alerts post-filter.", __local_name, r_filter->report_name);
+ merror("%s: INFO: Report '%s' completed and zero alerts post-filter.", __local_name, r_filter->report_name);
return;
}
-
+
if(r_filter->report_name)
verbose("%s: INFO: Report '%s' completed. Creating output...", __local_name, r_filter->report_name);
else
- verbose("%s: INFO: Report completed. Creating output...", __local_name);
+ verbose("%s: INFO: Report completed. Creating output...", __local_name);
l_print_out(" ");
else
l_print_out("Report completed. ==");
l_print_out("------------------------------------------------");
-
+
l_print_out("->Processed alerts: %d", alerts_processed);
l_print_out("->Post-filtering alerts: %d", alerts_filtered);
l_print_out("->First alert: %s", first_alert);
l_print_out("->Last alert: %s", last_alert);
l_print_out(" ");
l_print_out(" ");
-
+
OSStore_Sort(r_filter->top_srcip, _os_report_sort_compare);
OSStore_Sort(r_filter->top_user, _os_report_sort_compare);
OSStore_Sort(r_filter->top_level, _os_report_sort_compare);
OSStore_Sort(r_filter->top_group, _os_report_sort_compare);
OSStore_Sort(r_filter->top_location, _os_report_sort_compare);
OSStore_Sort(r_filter->top_rule, _os_report_sort_compare);
-
+ OSStore_Sort(r_filter->top_files, _os_report_sort_compare);
+
if(r_filter->top_srcip)
os_report_printtop(r_filter->top_srcip, "Source ip", 0);
-
+
if(r_filter->top_user)
os_report_printtop(r_filter->top_user, "Username", 0);
-
+
if(r_filter->top_level)
os_report_printtop(r_filter->top_level, "Level", 0);
-
+
if(r_filter->top_group)
os_report_printtop(r_filter->top_group, "Group", 0);
-
+
if(r_filter->top_location)
os_report_printtop(r_filter->top_location, "Location", 0);
-
+
if(r_filter->top_rule)
os_report_printtop(r_filter->top_rule, "Rule", 0);
+ if(r_filter->top_files)
+ os_report_printtop(r_filter->top_files, "Filenames", 0);
+
/* Print related events. */
if(r_filter->related_srcip)
- os_report_printtop(r_filter->top_srcip, "Source ip",
+ os_report_printtop(r_filter->top_srcip, "Source ip",
r_filter->related_srcip);
if(r_filter->related_user)
- os_report_printtop(r_filter->top_user, "Username",
+ os_report_printtop(r_filter->top_user, "Username",
r_filter->related_user);
if(r_filter->related_level)
- os_report_printtop(r_filter->top_level, "Level",
+ os_report_printtop(r_filter->top_level, "Level",
r_filter->related_level);
if(r_filter->related_group)
- os_report_printtop(r_filter->top_group, "Group",
+ os_report_printtop(r_filter->top_group, "Group",
r_filter->related_group);
-
+
if(r_filter->related_location)
- os_report_printtop(r_filter->top_location, "Location",
+ os_report_printtop(r_filter->top_location, "Location",
r_filter->related_location);
-
+
if(r_filter->related_rule)
- os_report_printtop(r_filter->top_rule, "Rule",
+ os_report_printtop(r_filter->top_rule, "Rule",
r_filter->related_rule);
-
-
+
+ if(r_filter->related_file)
+ os_report_printtop(r_filter->top_files, "Filename",
+ r_filter->related_file);
+
+
/* If we have to dump the alerts. */
if(data_to_clean)
{
* report_filter *r_filter)
* Checks the configuration filters.
*/
-int os_report_configfilter(char *filter_by, char *filter_value,
+int os_report_configfilter(char *filter_by, char *filter_value,
report_filter *r_filter, int arg_type)
{
if(!filter_by || !filter_value)
{
return(-1);
}
-
+
if(arg_type == REPORT_FILTER)
{
if(strcmp(filter_by, "group") == 0)
{
- r_filter->group = filter_value;
+ r_filter->group = filter_value;
}
else if(strcmp(filter_by, "rule") == 0)
{
- r_filter->rule = filter_value;
+ r_filter->rule = filter_value;
}
else if(strcmp(filter_by, "level") == 0)
{
- r_filter->level = filter_value;
+ r_filter->level = filter_value;
}
else if(strcmp(filter_by, "location") == 0)
{
- r_filter->location = filter_value;
+ r_filter->location = filter_value;
}
else if(strcmp(filter_by, "user") == 0)
{
- r_filter->user = filter_value;
+ r_filter->user = filter_value;
}
else if(strcmp(filter_by, "srcip") == 0)
{
- r_filter->srcip = filter_value;
+ r_filter->srcip = filter_value;
+ }
+ else if(strcmp(filter_by, "filename") == 0)
+ {
+ r_filter->files = filter_value;
}
else
{
{
if(strcmp(filter_by, "group") == 0)
{
- r_filter->related_group =
+ r_filter->related_group =
_report_filter_value(filter_value, r_filter->related_group);
if(r_filter->related_group == -1)
}
else if(strcmp(filter_by, "rule") == 0)
{
- r_filter->related_rule =
+ r_filter->related_rule =
_report_filter_value(filter_value, r_filter->related_rule);
if(r_filter->related_rule == -1)
}
else if(strcmp(filter_by, "level") == 0)
{
- r_filter->related_level =
+ r_filter->related_level =
_report_filter_value(filter_value, r_filter->related_level);
if(r_filter->related_level == -1)
}
else if(strcmp(filter_by, "location") == 0)
{
- r_filter->related_location =
+ r_filter->related_location =
_report_filter_value(filter_value, r_filter->related_location);
if(r_filter->related_location == -1)
}
else if(strcmp(filter_by, "srcip") == 0)
{
- r_filter->related_srcip =
+ r_filter->related_srcip =
_report_filter_value(filter_value, r_filter->related_srcip);
if(r_filter->related_srcip == -1)
}
else if(strcmp(filter_by, "user") == 0)
{
- r_filter->related_user =
+ r_filter->related_user =
_report_filter_value(filter_value, r_filter->related_user);
-
+
if(r_filter->related_user == -1)
return(-1);
}
+ else if(strcmp(filter_by, "filename") == 0)
+ {
+ r_filter->related_file =
+ _report_filter_value(filter_value, r_filter->related_file);
+
+ if(r_filter->related_file == -1)
+ return(-1);
+ }
else
{
merror("%s: ERROR: Invalid related entry '%s'.", __local_name, filter_by);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/rules_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/** Prototypes **/
-int _OS_GetRulesAttributes(char **attributes,
+int _OS_GetRulesAttributes(char **attributes,
char **values,
RuleInfo *ruleinfo_pt);
RuleInfo *_OS_AllocateRule();
/* Rules_OP_ReadRules, v0.3, 2005/03/21
* Read the log rules.
* v0.3: Fixed many memory problems.
- */
-int OS_ReadXMLRules(char *rulefile,
+ */
+int OS_ReadXMLRules(char *rulefile,
void *(*ruleact_function)(RuleInfo *rule, void *data),
void *data)
{
XML_NODE node = NULL;
- /** XML variables **/
+ /** XML variables **/
/* These are the available options for the rule configuration */
-
+
char *xml_group = "group";
char *xml_rule = "rule";
char *xml_comment = "description";
char *xml_ignore = "ignore";
char *xml_check_if_ignored = "check_if_ignored";
-
+
char *xml_srcip = "srcip";
char *xml_srcport = "srcport";
char *xml_dstip = "dstip";
char *xml_status = "status";
char *xml_action = "action";
char *xml_compiled = "compiled_rule";
-
+
char *xml_if_sid = "if_sid";
char *xml_if_group = "if_group";
char *xml_if_level = "if_level";
char *xml_fts = "if_fts";
-
+
char *xml_if_matched_regex = "if_matched_regex";
char *xml_if_matched_group = "if_matched_group";
char *xml_if_matched_sid = "if_matched_sid";
-
+
char *xml_same_source_ip = "same_source_ip";
char *xml_same_src_port = "same_src_port";
char *xml_same_dst_port = "same_dst_port";
char *xml_dodiff = "check_diff";
char *xml_different_url = "different_url";
-
+
char *xml_notsame_source_ip = "not_same_source_ip";
char *xml_notsame_user = "not_same_user";
char *xml_notsame_agent = "not_same_agent";
char *xml_notsame_id = "not_same_id";
char *xml_options = "options";
-
+
char *rulepath;
-
+
int i;
debug1("%s is the rulefile", rulefile);
debug1("Not modifing the rule path");
}
-
-
- /* Reading the XML */
+
+
+ /* Reading the XML */
if(OS_ReadXML(rulepath,&xml) < 0)
{
merror(XML_ERROR, __local_name, rulepath, xml.err, xml.err_line);
/* Debug wrapper */
debug1("%s: DEBUG: read xml for rule '%s'.", __local_name, rulepath);
-
+
/* Applying any variable found */
if(OS_ApplyVariables(&xml) != 0)
/* Debug wrapper */
debug1("%s: DEBUG: XML Variables applied.", __local_name);
-
+
/* Getting the root elements */
node = OS_GetElementsbyNode(&xml, NULL);
{
merror(CONFIG_ERROR, __local_name, rulepath);
OS_ClearXML(&xml);
- return(-1);
+ return(-1);
}
/* Zeroing the rule memory -- not used anymore */
free(rulepath);
-
+
/* Checking if there is any invalid global option */
i = 0;
}
- /* Getting the rules now */
+ /* Getting the rules now */
i = 0;
while(node[i])
{
XML_NODE rule = NULL;
- /* Getting all rules for a global group */
+ /* Getting all rules for a global group */
rule = OS_GetElementsbyNode(&xml,node[i]);
if(rule == NULL)
{
{
/* Rules options */
int k = 0;
- char *regex = NULL, *match = NULL, *url = NULL,
+ char *regex = NULL, *match = NULL, *url = NULL,
*if_matched_regex = NULL, *if_matched_group = NULL,
*user = NULL, *id = NULL, *srcport = NULL,
*dstport = NULL, *status = NULL, *hostname = NULL,
*extra_data = NULL, *program_name = NULL;
-
+
RuleInfo *config_ruleinfo = NULL;
XML_NODE rule_opt = NULL;
-
+
/* Checking if the rule element is correct */
if((!rule[j]->element)||
/* Checking for the attributes of the rule */
if((!rule[j]->attributes) || (!rule[j]->values))
{
- merror(RL_INV_RULE, __local_name, rulefile);
+ merror(RL_INV_RULE, __local_name, rulefile);
OS_ClearXML(&xml);
return(-1);
}
-
+
/* Attribute block */
config_ruleinfo = _OS_AllocateRule();
* be fine
*/
os_strdup(node[i]->values[0], config_ruleinfo->group);
-
- /* Getting rules options */
+
+ /* Getting rules options */
rule_opt = OS_GetElementsbyNode(&xml, rule[j]);
if(rule_opt == NULL)
{
merror(RL_NO_OPT, __local_name, config_ruleinfo->sigid);
OS_ClearXML(&xml);
- return(-1);
+ return(-1);
}
-
- /* Reading the whole rule block */
+
+ /* Reading the whole rule block */
while(rule_opt[k])
{
if((!rule_opt[k]->element)||(!rule_opt[k]->content))
}
else if(strcasecmp(rule_opt[k]->element,xml_day_time) == 0)
{
- config_ruleinfo->day_time =
+ config_ruleinfo->day_time =
OS_IsValidTime(rule_opt[k]->content);
if(!config_ruleinfo->day_time)
{
}
else if(strcasecmp(rule_opt[k]->element,xml_week_day) == 0)
{
- config_ruleinfo->week_day =
+ config_ruleinfo->week_day =
OS_IsValidDay(rule_opt[k]->content);
if(!config_ruleinfo->week_day)
int ip_s = 0;
/* Getting size of source ip list */
- while(config_ruleinfo->srcip &&
+ while(config_ruleinfo->srcip &&
config_ruleinfo->srcip[ip_s])
{
ip_s++;
}
- config_ruleinfo->srcip =
+ config_ruleinfo->srcip =
realloc(config_ruleinfo->srcip,
(ip_s + 2) * sizeof(os_ip *));
/* Allocating memory for the individual entries */
- os_calloc(1, sizeof(os_ip),
+ os_calloc(1, sizeof(os_ip),
config_ruleinfo->srcip[ip_s]);
config_ruleinfo->srcip[ip_s +1] = NULL;
/* Checking if the ip is valid */
- if(!OS_IsValidIP(rule_opt[k]->content,
+ if(!OS_IsValidIP(rule_opt[k]->content,
config_ruleinfo->srcip[ip_s]))
{
merror(INVALID_IP, __local_name, rule_opt[k]->content);
else if(strcasecmp(rule_opt[k]->element,xml_srcport) == 0)
{
srcport = os_LoadString(srcport, rule_opt[k]->content);
-
+
if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
config_ruleinfo->alert_opts |= DO_PACKETINFO;
}
}
else if(strcasecmp(rule_opt[k]->element,xml_action) == 0)
{
- config_ruleinfo->action =
+ config_ruleinfo->action =
os_LoadString(config_ruleinfo->action,
rule_opt[k]->content);
}
{
if(!OS_StrIsNum(rule_opt[k]->content))
{
- merror(INVALID_CONFIG, __local_name,
+ merror(INVALID_CONFIG, __local_name,
xml_if_level,
- rule_opt[k]->content);
+ rule_opt[k]->content);
return(-1);
}
rule_opt[k]->content);
return(-1);
}
- config_ruleinfo->if_matched_sid =
+ config_ruleinfo->if_matched_sid =
atoi(rule_opt[k]->content);
}
else if(strcasecmp(rule_opt[k]->element,
xml_options) == 0)
{
- if(strcmp("alert_by_email",
+ if(strcmp("alert_by_email",
rule_opt[k]->content) == 0)
{
if(!(config_ruleinfo->alert_opts & DO_MAILALERT))
config_ruleinfo->alert_opts&=0xfff-DO_MAILALERT;
}
}
- else if(strcmp("log_alert",
+ else if(strcmp("log_alert",
rule_opt[k]->content) == 0)
{
if(!(config_ruleinfo->alert_opts & DO_LOGALERT))
}
}
else
- {
+ {
merror(XML_VALUEERR, __local_name, xml_options,
rule_opt[k]->content);
rule_opt[k]->content);
OS_ClearXML(&xml);
return(-1);
- }
+ }
}
else if(strcasecmp(rule_opt[k]->element,
xml_ignore) == 0)
return(-1);
}
}
- /* XXX As new features are added into ../analysisd/rules.c
- * This code needs to be updated to match, but is out of date
- * it's become a nightmare to correct with out just make the
- * problem for someone later.
+ /* XXX As new features are added into ../analysisd/rules.c
+ * This code needs to be updated to match, but is out of date
+ * it's become a nightmare to correct with out just make the
+ * problem for someone later.
*
- * This hack will allow any crap xml to pass without an
- * error. The correct fix is to refactor the code so that
+ * This hack will allow any crap xml to pass without an
+ * error. The correct fix is to refactor the code so that
* ../analysisd/rules* and this code are not duplicates
*
else
os_strdup(if_matched_group, config_ruleinfo->if_group);
}
}
-
+
/* If_matched_sid, we need to get the if_sid */
if(config_ruleinfo->if_matched_sid &&
/* Calling the function provided. */
ruleact_function(config_ruleinfo, data);
-
+
j++; /* next rule */
} /* while(rule[j]) */
OS_ClearNode(rule);
i++;
-
+
} /* while (node[i]) */
/* Cleaning global node */
RuleInfo *_OS_AllocateRule()
{
RuleInfo *ruleinfo_pt = NULL;
-
-
+
+
/* Allocation memory for structure */
ruleinfo_pt = (RuleInfo *)calloc(1,sizeof(RuleInfo));
if(ruleinfo_pt == NULL)
{
ErrorExit(MEM_ERROR,__local_name);
}
-
+
/* Default values */
ruleinfo_pt->level = -1;
/* Default category is syslog */
ruleinfo_pt->category = SYSLOG;
- ruleinfo_pt->ar = NULL;
-
+ ruleinfo_pt->ar = NULL;
+
ruleinfo_pt->context = 0;
-
+
/* Default sigid of -1 */
ruleinfo_pt->sigid = -1;
ruleinfo_pt->firedtimes = 0;
ruleinfo_pt->ignore_time = 0;
ruleinfo_pt->timeframe = 0;
ruleinfo_pt->time_ignored = 0;
-
- ruleinfo_pt->context_opts = 0;
- ruleinfo_pt->alert_opts = 0;
- ruleinfo_pt->ignore = 0;
- ruleinfo_pt->ckignore = 0;
+
+ ruleinfo_pt->context_opts = 0;
+ ruleinfo_pt->alert_opts = 0;
+ ruleinfo_pt->ignore = 0;
+ ruleinfo_pt->ckignore = 0;
ruleinfo_pt->day_time = NULL;
ruleinfo_pt->week_day = NULL;
ruleinfo_pt->comment = NULL;
ruleinfo_pt->info = NULL;
ruleinfo_pt->cve = NULL;
-
+
ruleinfo_pt->if_sid = NULL;
ruleinfo_pt->if_group = NULL;
ruleinfo_pt->if_level = NULL;
-
+
ruleinfo_pt->if_matched_regex = NULL;
ruleinfo_pt->if_matched_group = NULL;
ruleinfo_pt->if_matched_sid = 0;
-
- ruleinfo_pt->user = NULL;
+
+ ruleinfo_pt->user = NULL;
ruleinfo_pt->srcip = NULL;
ruleinfo_pt->srcport = NULL;
ruleinfo_pt->dstip = NULL;
ruleinfo_pt->hostname = NULL;
ruleinfo_pt->program_name = NULL;
ruleinfo_pt->action = NULL;
-
+
/* Zeroing last matched events */
ruleinfo_pt->__frequency = 0;
ruleinfo_pt->last_events = NULL;
/* zeroing the list of previous matches */
ruleinfo_pt->sid_prev_matched = NULL;
ruleinfo_pt->group_prev_matched = NULL;
-
+
ruleinfo_pt->sid_search = NULL;
ruleinfo_pt->group_search = NULL;
-
+
ruleinfo_pt->event_search = NULL;
return(ruleinfo_pt);
RuleInfo *ruleinfo_pt)
{
int k = 0;
-
+
char *xml_id = "id";
char *xml_level = "level";
char *xml_maxsize = "maxsize";
char *xml_noalert = "noalert";
char *xml_ignore_time = "ignore";
char *xml_overwrite = "overwrite";
-
-
+
+
/* Getting attributes */
while(attributes[k])
{
{
if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 6 ))
{
- ruleinfo_pt->sigid = atoi(values[k]);
+ ruleinfo_pt->sigid = atoi(values[k]);
}
else
{
ruleinfo_pt->maxsize = atoi(values[k]);
/* adding EXTRAINFO options */
- if(ruleinfo_pt->maxsize > 0 &&
+ if(ruleinfo_pt->maxsize > 0 &&
!(ruleinfo_pt->alert_opts & DO_EXTRAINFO))
{
ruleinfo_pt->alert_opts |= DO_EXTRAINFO;
/* Rule accuracy */
else if(strcasecmp(attributes[k],xml_accuracy) == 0)
{
- merror("%s: XXX: Use of 'accuracy' isn't supported. Ignoring.",
+ merror("%s: XXX: Use of 'accuracy' isn't supported. Ignoring.",
__local_name);
}
/* Rule ignore_time */
else
{
merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
- return(-1);
+ return(-1);
}
}
/* Rule noalert */
/* print rule */
void OS_PrintRuleinfo(RuleInfo *rule)
{
- debug1("%s: __local_name: Print Rule:%d, level %d, ignore: %d, frequency:%d",
+ debug1("%s: __local_name: Print Rule:%d, level %d, ignore: %d, frequency:%d",
__local_name,
- rule->sigid,
+ rule->sigid,
rule->level,
rule->ignore_time,
rule->frequency);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/sig_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
void HandleSIG()
{
merror(SIGNAL_RECV, pidfile);
-
+
DeletePID(pidfile);
-
+
exit(1);
}
go to HandleSIG() */
pidfile = process_name;
- signal(SIGHUP, SIG_IGN);
+ signal(SIGHUP, SIG_IGN);
signal(SIGINT, HandleSIG);
signal(SIGQUIT, HandleSIG);
signal(SIGTERM, HandleSIG);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/store_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/* Common API for dealing with ordered lists.
* Provides a fast search on average (n/2).
- */
+ */
#include "shared.h"
-/* Create the list storage
+/* Create the list storage
* Return NULL on error
*/
OSStore *OSStore_Create()
my_list = calloc(1, sizeof(OSStore));
if(!my_list)
return(NULL);
-
+
my_list->first_node = NULL;
my_list->last_node = NULL;
my_list->cur_node = NULL;
my_list->currently_size = 0;
my_list->max_size = 0;
my_list->free_data_function = NULL;
-
+
return(my_list);
}
-/* Deletes the list storage
+/* Deletes the list storage
* Return NULL on error
*/
OSStore *OSStore_Free(OSStore *list)
free(list);
list = NULL;
-
+
return(list);
}
{
return(0);
}
-
+
/* Minimum size is 1 */
if(max_size <= 1)
{
{
return(0);
}
-
+
list->free_data_function = free_data_function;
return(1);
}
/* In here, this node should stay where it is. */
else if(movenode == list->cur_node->prev)
{
- break;
+ break;
}
/* In here we need to replace the nodes. */
else
{
newnode = list->cur_node;
-
+
if(list->cur_node->prev)
list->cur_node->prev->next = list->cur_node->next;
-
+
if(list->cur_node->next)
list->cur_node->next->prev = list->cur_node->prev;
else
- list->last_node = list->cur_node->prev;
-
- list->cur_node = list->cur_node->prev;
+ list->last_node = list->cur_node->prev;
+
+ list->cur_node = list->cur_node->prev;
+
-
newnode->next = movenode->next;
newnode->prev = movenode;
if(movenode->next)
movenode->next->prev = newnode;
-
+
movenode->next = newnode;
-
+
break;
}
}
if(list->cur_node->prev)
list->cur_node->prev->next = list->cur_node->next;
-
+
if(list->cur_node->next)
list->cur_node->next->prev = list->cur_node->prev;
- else
- list->last_node = list->cur_node->prev;
-
+ else
+ list->last_node = list->cur_node->prev;
+
list->cur_node = list->cur_node->prev;
-
+
newnode->prev = NULL;
newnode->next = list->first_node;
list->first_node->prev = newnode;
-
- list->first_node = newnode;
+
+ list->first_node = newnode;
}
-
+
list->cur_node = list->cur_node->next;
}
{
int chk_rc;
list->cur_node = list->first_node;
-
+
while(list->cur_node)
{
if((chk_rc = strcmp(list->cur_node->key, key)) >= 0)
if(chk_rc == 0)
return(list->cur_node->data);
- /* Not found */
+ /* Not found */
return(NULL);
}
{
int chk_rc;
list->cur_node = list->first_node;
-
+
while(list->cur_node)
{
if((chk_rc = strcmp(list->cur_node->key, key)) >= 0)
if(chk_rc == 0)
return(1);
- /* Not found */
+ /* Not found */
return(0);
}
while(list->cur_node)
{
- if((chk_rc = strncmp(list->cur_node->key, key,
+ if((chk_rc = strncmp(list->cur_node->key, key,
list->cur_node->key_size)) >= 0)
{
/* Found */
int OSStore_Put(OSStore *list, char *key, void *data)
{
int chk_rc;
- OSStoreNode *newnode;
+ OSStoreNode *newnode;
/* Allocating memory for new node */
list->first_node = newnode;
list->last_node = newnode;
}
-
-
- /* Store the data in order */
+
+
+ /* Store the data in order */
else
{
list->cur_node = list->first_node;
{
return(1);
}
-
+
/* If there is no prev node, it is because
- * this is the first node.
+ * this is the first node.
*/
if(list->cur_node->prev)
list->cur_node->prev->next = newnode;
else
list->first_node = newnode;
-
-
+
+
newnode->prev = list->cur_node->prev;
-
+
list->cur_node->prev = newnode;
newnode->next = list->cur_node;
break;
list->last_node = newnode;
}
}
-
+
/* Increment list size */
list->currently_size++;
-
+
return(1);
}
--- /dev/null
+/* @(#) $Id: ./src/shared/string_op.c, 2011/11/01 dcid Exp $
+ */
+
+/* Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ *
+ * License details at the LICENSE file included with OSSEC or
+ * online at: http://www.ossec.net/en/licensing.html
+ */
+
+
+#include "shared.h"
+#include "string.h"
+
+/** os_trimcrlf
+ * Trims the cr and/or LF from the last positions of a string
+ */
+void os_trimcrlf(char *str)
+{
+ int len;
+
+ len=strlen(str);
+ len--;
+
+ while (str[len]=='\n' || str[len]=='\r')
+ {
+ str[len]='\0';
+ len--;
+ }
+}
+
+/* Remove offending char (e.g., double quotes) from source */
+char *os_strip_char(char *source, char remove) {
+ char *clean;
+ char *iterator = source;
+ int length = 0;
+ int i;
+
+ // Figure out how much memory to allocate
+ for( ; *iterator; iterator++ ) {
+ if ( *iterator != remove ) {
+ length++;
+ }
+ }
+
+ // Allocate the memory
+ if( (clean = malloc( length + 1 )) == NULL ) {
+ // Return NULL
+ return NULL;
+ }
+ memset(clean, '\0', length + 1);
+
+ // Remove the characters
+ iterator=source;
+ for( i=0; *iterator; iterator++ ) {
+ if ( *iterator != remove ) {
+ clean[i] = *iterator;
+ i++;
+ }
+ }
+
+ return clean;
+}
+
+/* Do a substring */
+int os_substr(char *dest, const char *src, int position, int length) {
+ dest[0]='\0';
+
+ if( length <= 0 ) {
+ // Unsupported negative length string
+ return -3;
+ }
+ if( src == NULL ) {
+ return -2;
+ }
+ if( position >= strlen(src) ) {
+ return -1;
+ }
+
+ strncat(dest, (src + position), length);
+ // Return Success
+ return 0;
+}
+
+
+/* EOF */
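Review bot: `os_trimcrlf` reads before the buffer when `str` is empty or consists only of CR/LF characters, because `len` becomes -1 (after the initial decrement, or once the loop has stripped the first character) and `str[len]` is still evaluated. A bounded form avoids both the underflow and the `int`/`size_t` mismatch: `size_t len = strlen(str); while (len > 0 && (str[len - 1] == '\n' || str[len - 1] == '\r')) { str[--len] = '\0'; }`. In `os_substr`, `position >= strlen(src)` compares a signed `int` against `size_t`, so a negative `position` converts to a large unsigned value, passes the check and `src + position` then points before the buffer; add `if( position < 0 ) { return -1; }` ahead of that test. Nothing bounds the write into `dest` either — `strncat` appends up to `length` bytes plus the terminator — so the contract should be stated on the function comment, e.g. `/* dest must provide at least length + 1 bytes */`, and `#include "string.h"` should be the system header `#include <string.h>`.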
char *tmp;
char buf[1024];
OSHash *mhash;
-
+
mhash = OSHash_Create();
while(1)
if(strncmp(buf, "get ", 4) == 0)
{
printf("Getting key: '%s'\n", buf + 4);
- printf("Found: '%s'\n", (char *)OSHash_Get(mhash, buf + 4));
+ printf("Found: '%s'\n", (char *)OSHash_Get(mhash, buf + 4));
}
else
{
printf("Adding key: '%s'\n", buf);
i = OSHash_Add(mhash, strdup(buf), strdup(buf));
-
+
printf("rc = %d\n", i);
}
}
{
printf("Invalid ip\n");
}
-
+
if(OS_IPFound(argv[2], &myip))
{
printf("IP MATCHED!\n");
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/validate_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
#include "shared.h"
-char *ip_address_regex =
- "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/?"
+char *ip_address_regex =
+ "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/?"
"([0-9]{0,2}|[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})$";
/* Global vars */
char *buf_pt;
char *tmp_buffer;
char *ret;
-
+
#ifndef WIN32
if(isChroot())
{
snprintf(def_file,OS_FLSIZE,"%s", defines_file);
#endif
-
+
fp = fopen(def_file, "r");
if(!fp)
{
}
tmp_buffer = buf_pt;
-
+
/* Getting the equal */
buf_pt = strchr(buf_pt, '=');
if(!buf_pt)
{
*tmp_buffer = '\0';
}
-
+
os_strdup(buf_pt, ret);
fclose(fp);
return(ret);
}
-
+
fclose(fp);
return(NULL);
}
char *value;
char *pt;
-
+
/* We first try to read from the local define file. */
value = _read_file(high_name, low_name, OSSEC_LDEFINES);
if(!value)
{
return(!_true);
}
-
+
/* If negate is set */
if(that_ip->ip[0] == '!')
{
_true = 0;
}
-
+
/* Checking if ip is in thatip & netmask */
if((net.s_addr & that_ip->netmask) == that_ip->ip_address)
{
return(!_true);
}
-
+
/** int OS_IPFoundList(char *ip_address, os_ip **list_of_ips)
* Checks if ip_address is present on the "list_of_ips".
* Returns 1 on success or 0 on failure.
{
return(!_true);
}
-
+
while(*list_of_ips)
{
os_ip *l_ip = *list_of_ips;
-
+
if(l_ip->ip[0] == '!')
{
_true = 0;
}
-
+
if((net.s_addr & l_ip->netmask) == l_ip->ip_address)
{
return(_true);
}
return(!_true);
-}
+}
+
-
/** int OS_IsValidIP(char *ip)
* Validates if an ip address is in the right
* format.
{
os_strdup(ip_address, final_ip->ip);
}
-
+
if(*ip_address == '!')
{
ip_address++;
}
-
- #ifndef WIN32
+
+ #ifndef WIN32
/* checking against the basic regex */
if(!OS_PRegex(ip_address, ip_address_regex))
{
tmp_ip = ip_address;
while(*tmp_ip != '\0')
{
- if((*tmp_ip < '0' ||
- *tmp_ip > '9') &&
+ if((*tmp_ip < '0' ||
+ *tmp_ip > '9') &&
*tmp_ip != '.' &&
*tmp_ip != '/')
{
- /* Getting the cidr/netmask if available */
+ /* Getting the cidr/netmask if available */
tmp_str = strchr(ip_address,'/');
if(tmp_str)
{
int cidr;
struct in_addr net;
-
+
*tmp_str = '\0';
tmp_str++;
}
}
}
-
+
if((net.s_addr = inet_addr(ip_address)) <= 0)
{
if(strcmp("0.0.0.0", ip_address) == 0)
{
struct in_addr net;
nmask = 32;
-
+
if(strcmp("any", ip_address) == 0)
{
net.s_addr = 0;
{
return(0);
}
-
+
if(final_ip)
{
final_ip->ip_address = net.s_addr;
if(!_mask_inited)
_init_masks();
-
+
final_ip->netmask = htonl(_netmasks[nmask]);
}
/* Comparing against min/max value */
if((strncmp(time_str, ossec_time, 5) >= 0)&&
- (strncmp(time_str, ossec_time+5,5) <= 0))
+ (strncmp(time_str, ossec_time+5,5) <= 0))
{
return(_true);
}
-
+
return(!_true);
}
int _size = 0;
int chour = 0;
int cmin = 0;
-
+
/* Invalid time format */
if(!isdigit((int)*str))
{
merror(INVALID_TIME, __local_name, str);
}
-
+
/* Hour */
chour = atoi(str);
return(NULL);
}
-
+
/* Going after the hour */
while(isdigit((int)*str))
{
merror(INVALID_TIME, __local_name, str);
return(NULL);
}
-
-
+
+
/* Getting minute */
if(*str == ':')
{
/* Removing spaces */
RM_WHITE(str);
-
+
if((*str == 'a') || (*str == 'A'))
{
str++;
if((*str == 'm') || (*str == 'M'))
{
chour += 12;
-
+
/* New hour must be valid */
if(chour < 0 || chour >= 24)
{
merror(INVALID_TIME, __local_name, str);
return(NULL);
}
-
+
snprintf(ossec_hour, 6, "%02d:%02d", chour, cmin);
str++;
return(str);
}
-
+
}
else
{
char first_hour[7];
char second_hour[7];
int ng = 0;
-
+
/* Must be not null */
if(!time_str)
return(NULL);
-
-
+
+
/* Clearing memory */
memset(first_hour, '\0', 7);
memset(second_hour, '\0', 7);
-
-
+
+
/* Removing white spaces */
RM_WHITE(time_str);
RM_WHITE(time_str);
}
-
+
/* Getting first hour */
time_str = __gethour(time_str, first_hour);
if(!time_str)
/* Removing white spaces */
RM_WHITE(time_str);
-
+
if(*time_str != '-')
{
return(NULL);
time_str = __gethour(time_str, second_hour);
if(!time_str)
return(NULL);
-
+
RM_WHITE(time_str);
if(*time_str != '\0')
{
}
os_calloc(13, sizeof(char), ret);
-
+
/* Fixing dump hours */
if(strcmp(first_hour,second_hour) > 0)
{
snprintf(ret, 12, "!%s%s", second_hour, first_hour);
return(ret);
}
-
+
/* For the normal times */
snprintf(ret, 12, "%c%s%s", ng == 0?'.':'!', first_hour, second_hour);
return(ret);
/* Unique times can't have a !. */
if(*ossec_time == '!')
return(0);
-
-
+
+
ossec_time++;
/* Comparing against min/max value */
/* Negative */
if(ossec_day[7] == '!')
_true = 0;
-
+
if(week_day < 0 || week_day > 7)
{
return(0);
/* It is on the right day */
if(ossec_day[week_day] == 1)
return(_true);
-
- return(!_true);
+
+ return(!_true);
}
int i = 0, ng = 0;
char *ret;
char day_ret[9] = {0,0,0,0,0,0,0,0,0};
- char *(days[]) =
+ char *(days[]) =
{
"sunday", "sun", "monday", "mon", "tuesday", "tue",
"wednesday", "wed", "thursday", "thu", "friday",
/* Must be a valid string */
if(!day_str)
return(NULL);
-
-
+
+
RM_WHITE(day_str);
-
+
/* checking for negatives */
if(*day_str == '!')
{
merror(INVALID_DAY, __local_name, day_str);
return(NULL);
}
-
+
day_str += strlen(days[i]);
if(IS_SEP(day_str))
merror(INVALID_DAY, __local_name, day_str);
return(NULL);
}
-
+
return(ret);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/shared/wait_op.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/* For same threads. */
__wait_lock = 1;
-
+
if(isChroot())
{
fp = fopen(WAIT_FILE, "w");
void os_delwait()
{
__wait_lock = 0;
-
+
if(isChroot())
{
unlink(WAIT_FILE);
* Works as a simple inter process lock (only the main
* process is allowed to lock).
*/
-#ifdef WIN32
+#ifdef WIN32
void os_wait()
{
if(!__wait_lock)
void os_wait()
{
struct stat file_status;
-
+
/* If the wait file is not present, keep going.
*/
if(stat(WAIT_FILE_PATH, &file_status) == -1)
return;
}
-
+
/* Wait until the lock is gone. */
verbose(WAITING_MSG, __local_name);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/syscheckd/config.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#include "syscheck.h"
#include "config/config.h"
+char *SYSCHECK_EMPTY[] = { NULL };
+
int Read_Syscheck_Config(char * cfgfile)
{
int modules = 0;
syscheck.registry = NULL;
syscheck.reg_fp = NULL;
#endif
+ syscheck.prefilter_cmd = NULL;
+
+ debug2("%s: Reading Configuration [%s]", "syscheckd", cfgfile);
/* Reading config */
if(ReadConfig(modules, cfgfile, &syscheck, NULL) < 0)
#ifdef CLIENT
+ debug2("%s: Reading Client Configuration [%s]", "syscheckd", cfgfile);
+
/* Reading shared config */
modules|= CAGENT_CONFIG;
ReadConfig(modules, AGENTCONFIG, &syscheck, NULL);
#endif
-
+
+ #ifndef WIN32
/* We must have at least one directory to check */
if(!syscheck.dir || syscheck.dir[0] == NULL)
{
return(1);
}
-
+
+ #else
+ /* We must have at least one directory or registry key to check. Since
+ it's possible on Windows to have syscheck enabled but only monitoring
+ either the filesystem or the registry, both lists must be valid,
+ even if empty.
+ */
+ if(!syscheck.dir) syscheck.dir = SYSCHECK_EMPTY;
+ if(!syscheck.registry) syscheck.registry = SYSCHECK_EMPTY;
+
+ if((syscheck.dir[0] == NULL) && (syscheck.registry[0] == NULL))
+ {
+ return(1);
+ }
+ #endif
+
return(0);
}
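Review bot: `SYSCHECK_EMPTY` is a writable array with external linkage, and the new WIN32 branch makes `syscheck.dir` and `syscheck.registry` alias it, so any later code that stores into or reallocates either list would be modifying (or freeing) a static object shared by both. I cannot see the list writers from this hunk; if none touch these pointers after `Read_Syscheck_Config`, restrict the symbol with `static char *SYSCHECK_EMPTY[] = { NULL };` and document the aliasing at the two assignments, e.g. `/* shared sentinel: must never be written to, reallocated or freed */`. `Read_Syscheck_Config` starts outside the hunk.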
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/syscheckd/create_db.c, 2011/11/02 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* New file */
sleep(1);
-
+
debug2("%s: DEBUG: new file '%s'.", ARGV0, file_name);
return(0);
}
char *buf;
char sha1s = '+';
struct stat statbuf;
-
+
/* Checking if file is to be ignored */
if(syscheck.ignore)
int i = 0;
while(syscheck.ignore[i] != NULL)
{
- if(strncasecmp(syscheck.ignore[i], file_name,
+ if(strncasecmp(syscheck.ignore[i], file_name,
strlen(syscheck.ignore[i])) == 0)
{
- return(0);
+ return(0);
}
i++;
int i = 0;
while(syscheck.ignore_regex[i] != NULL)
{
- if(OSMatch_Execute(file_name, strlen(file_name),
+ if(OSMatch_Execute(file_name, strlen(file_name),
syscheck.ignore_regex[i]))
{
return(0);
merror("%s: Error accessing '%s'.",ARGV0, file_name);
return(-1);
}
-
+
if(S_ISDIR(statbuf.st_mode))
{
#ifdef DEBUG
/* restricting file types. */
if(restriction)
{
- if(!OSMatch_Execute(file_name, strlen(file_name),
+ if(!OSMatch_Execute(file_name, strlen(file_name),
restriction))
{
return(0);
}
}
-
-
+
+
/* No S_ISLNK on windows */
#ifdef WIN32
- else if(S_ISREG(statbuf.st_mode))
+ if(S_ISREG(statbuf.st_mode))
#else
- else if(S_ISREG(statbuf.st_mode) || S_ISLNK(statbuf.st_mode))
- #endif
+ if(S_ISREG(statbuf.st_mode) || S_ISLNK(statbuf.st_mode))
+ #endif
{
os_md5 mf_sum;
os_sha1 sf_sum;
{
if(S_ISREG(statbuf_lnk.st_mode))
{
- if(OS_MD5_SHA1_File(file_name, mf_sum, sf_sum) < 0)
+ if(OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum) < 0)
{
strncpy(mf_sum, "xxx", 4);
strncpy(sf_sum, "xxx", 4);
}
}
}
- else if(OS_MD5_SHA1_File(file_name, mf_sum, sf_sum) < 0)
+ else if(OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum) < 0)
#else
- if(OS_MD5_SHA1_File(file_name, mf_sum, sf_sum) < 0)
+ if(OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum) < 0)
#endif
-
+
{
strncpy(mf_sum, "xxx", 4);
strncpy(sf_sum, "xxx", 4);
if(opts & CHECK_SEECHANGES)
sha1s = 'n';
else
- sha1s = '-';
+ sha1s = '-';
}
-
-
+
+
buf = OSHash_Get(syscheck.fp, file_name);
if(!buf)
{
char alert_msg[912 +1];
-
+
alert_msg[912] = '\0';
if(opts & CHECK_SEECHANGES)
}
}
-
+
snprintf(alert_msg, 912, "%c%c%c%c%c%c%d:%d:%d:%d:%s:%s",
opts & CHECK_SIZE?'+':'-',
opts & CHECK_PERM?'+':'-',
/* Sending the new checksum to the analysis server */
- alert_msg[912 +1] = '\0';
- snprintf(alert_msg, 912, "%d:%d:%d:%d:%s:%s %s",
+ alert_msg[912] = '\0';
+ snprintf(alert_msg, 912, "%d:%d:%d:%d:%s:%s %s",
opts & CHECK_SIZE?(int)statbuf.st_size:0,
opts & CHECK_PERM?(int)statbuf.st_mode:0,
opts & CHECK_OWNER?(int)statbuf.st_uid:0,
{
char alert_msg[OS_MAXSTR +1];
char c_sum[256 +2];
-
+
c_sum[0] = '\0';
c_sum[256] = '\0';
alert_msg[0] = '\0';
send_syscheck_msg(alert_msg);
}
}
-
-
+
+
/* Sleeping in here too */
if(__counter >= (syscheck.sleep_after))
{
__counter++;
- #ifdef DEBUG
+ #ifdef DEBUG
verbose("%s: file '%s %s'",ARGV0, file_name, mf_sum);
#endif
}
int read_dir(char *dir_name, int opts, OSMatch *restriction)
{
int dir_size;
-
- char f_name[PATH_MAX +2];
+
+ char f_name[PATH_MAX +2];
DIR *dp;
-
- struct dirent *entry;
+
+ struct dirent *entry;
f_name[PATH_MAX +1] = '\0';
if((dir_name == NULL)||((dir_size = strlen(dir_name)) > PATH_MAX))
{
merror(NULL_ERROR, ARGV0);
-
+
return(-1);
}
-
-
+
+
/* Opening the directory given */
dp = opendir(dir_name);
- if(!dp)
+ if(!dp)
{
if(errno == ENOTDIR)
{
if(read_file(dir_name, opts, restriction) == 0)
return(0);
}
-
+
#ifdef WIN32
int di = 0;
char *(defaultfilesn[])= {
if(defaultfilesn[di] == NULL)
{
merror("%s: WARN: Error opening directory: '%s': %s ",
- ARGV0, dir_name, strerror(errno));
+ ARGV0, dir_name, strerror(errno));
}
-
+
#else
-
+
merror("%s: WARN: Error opening directory: '%s': %s ",
ARGV0,
dir_name,
strerror(errno));
#endif
-
+
return(-1);
}
-
+
/* Checking for real time flag. */
if(opts & CHECK_REALTIME)
while((entry = readdir(dp)) != NULL)
{
char *s_name;
-
+
/* Just ignore . and .. */
if((strcmp(entry->d_name,".") == 0) ||
- (strcmp(entry->d_name,"..") == 0))
+ (strcmp(entry->d_name,"..") == 0))
continue;
-
+
strncpy(f_name, dir_name, PATH_MAX);
-
+
s_name = f_name;
-
+
s_name += dir_size;
/* checking if the file name is already null terminated */
if(*(s_name-1) != '/')
*s_name++ = '/';
-
+
*s_name = '\0';
-
+
strncpy(s_name, entry->d_name, PATH_MAX - dir_size -2);
+
+ /* Check integrity of the file */
read_file(f_name, opts, restriction);
}
int i = 0;
__counter = 0;
- do
+ while(syscheck.dir[i] != NULL)
{
read_dir(syscheck.dir[i], syscheck.opts[i], syscheck.filerestrict[i]);
i++;
- }while(syscheck.dir[i] != NULL);
+ }
return(0);
}
{
ErrorExit("%s: Unable to create syscheck database."
". Exiting.",ARGV0);
- return(0);
+ return(0);
}
if(!OSHash_setSize(syscheck.fp, 2048))
return(0);
}
-
+
/* dir_name can't be null */
if((syscheck.dir == NULL) || (syscheck.dir[0] == NULL))
{
merror("%s: No directories to check.",ARGV0);
return(-1);
}
-
+
merror("%s: INFO: Starting syscheck database (pre-scan).", ARGV0);
i++;
}while(syscheck.dir[i] != NULL);
-
+ #if defined (USEINOTIFY) || defined (WIN32)
+ if(syscheck.realtime && (syscheck.realtime->fd >= 0))
+ verbose("%s: INFO: Real time file monitoring started.", ARGV0);
+ #endif
+
merror("%s: INFO: Finished creating syscheck database (pre-scan "
"completed).", ARGV0);
return(0);
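Review bot: `create_db` is now inconsistent with the Windows configuration change: a few lines above this hunk it still returns -1 with "No directories to check" when `syscheck.dir[0] == NULL`, and its `do { ... } while(syscheck.dir[i] != NULL);` loop dereferences `syscheck.dir[0]` before testing it, while `Read_Syscheck_Config` now accepts an empty `dir` list as long as `registry` is populated and `run_dbcheck` received the matching `do`→`while` conversion in this same commit. Convert this loop the same way, `while(syscheck.dir[i] != NULL) { ... i++; }`, and on WIN32 either downgrade the empty-directory return to a warning that still reaches the registry scan or document where the registry-only case is handled. `create_db` starts outside the hunk.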
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/syscheckd/run_check.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2010 Trend Micro Inc.
* All right reserved.
}
create_db(1);
-
+
/* Sending scan ending message */
sleep(syscheck.tsleep +10);
send_rootcheck_msg("Ending syscheck scan.");
}
}
-
-
+
+
/* start_daemon
- * Run periodicaly the integrity checking
+ * Run periodicaly the integrity checking
*/
void start_daemon()
{
int day_scanned = 0;
int curr_day = 0;
-
+
time_t curr_time = 0;
-
+
time_t prev_time_rk = 0;
time_t prev_time_sk = 0;
char curr_hour[12];
struct tm *p;
-
+
/* To be used by select. */
#ifdef USEINOTIFY
fd_set rfds;
#endif
-
+
/*
- * SCHED_BATCH forces the kernel to assume this is a cpu intensive
+ * SCHED_BATCH forces the kernel to assume this is a cpu intensive
* process
- * and gives it a lower priority. This keeps ossec-syscheckd
+ * and gives it a lower priority. This keeps ossec-syscheckd
* from reducing
* the interactity of an ssh session when checksumming large files.
* This is available in kernel flavors >= 2.6.16
#ifdef SCHED_BATCH
struct sched_param pri;
int status;
-
+
pri.sched_priority = 0;
status = sched_setscheduler(0, SCHED_BATCH, &pri);
-
+
debug1("%s: Setting SCHED_BATCH returned: %d", ARGV0, status);
#endif
-
-
+
+
#ifdef DEBUG
verbose("%s: Starting daemon ..",ARGV0);
#endif
-
-
-
+
+
+
/* Some time to settle */
memset(curr_hour, '\0', 12);
sleep(syscheck.tsleep * 10);
- /* If the scan time/day is set, reset the
- * syscheck.time/rootcheck.time
+ /* If the scan time/day is set, reset the
+ * syscheck.time/rootcheck.time
*/
if(syscheck.scan_time || syscheck.scan_day)
{
{
prev_time_rk = time(0);
}
-
-
+
+
/* Before entering in daemon mode itself */
prev_time_sk = time(0);
sleep(syscheck.tsleep * 10);
-
+
/* If the scan_time or scan_day is set, we need to handle the
* current day/time on the loop.
*/
if(syscheck.scan_time || syscheck.scan_day)
{
- curr_time = time(0);
+ curr_time = time(0);
p = localtime(&curr_time);
curr_day = p->tm_mday;
-
+
if(syscheck.scan_time && syscheck.scan_day)
{
if((OS_IsAfterTime(curr_hour, syscheck.scan_time)) &&
}
}
-
- #if defined (USEINOTIFY) || defined (WIN32)
- if(syscheck.realtime && (syscheck.realtime->fd >= 0))
- verbose("%s: INFO: Starting real time file monitoring.", ARGV0);
- #endif
-
- /* Checking every SYSCHECK_WAIT */
+ /* Checking every SYSCHECK_WAIT */
while(1)
{
int run_now = 0;
curr_time = time(0);
-
+
/* Checking if syscheck should be restarted, */
run_now = os_check_restart_syscheck();
-
+
/* Checking if a day_time or scan_time is set. */
if(syscheck.scan_time || syscheck.scan_day)
{
day_scanned = 0;
curr_day = p->tm_mday;
}
-
-
+
+
/* Checking for the time of the scan. */
if(!day_scanned && syscheck.scan_time && syscheck.scan_day)
{
run_now = 1;
}
}
-
+
else if(!day_scanned && syscheck.scan_time)
{
/* Assign hour/min/sec values */
- snprintf(curr_hour, 9, "%02d:%02d:%02d",
+ snprintf(curr_hour, 9, "%02d:%02d:%02d",
p->tm_hour, p->tm_min, p->tm_sec);
if(OS_IsAfterTime(curr_hour, syscheck.scan_time))
}
}
}
-
-
+
+
/* If time elapsed is higher than the rootcheck_time,
* run it.
}
}
-
+
/* If time elapsed is higher than the syscheck time,
* run syscheck time.
*/
syscheck.scan_on_start = 1;
}
-
-
+
+
else
{
/* Sending scan start message */
run_dbcheck();
}
-
+
/* Sending scan ending message */
sleep(syscheck.tsleep + 20);
if(syscheck.dir[0])
merror("%s: INFO: Ending syscheck scan.", ARGV0);
send_rootcheck_msg("Ending syscheck scan.");
}
-
+
/* Sending database completed message */
send_syscheck_msg(HC_SK_DB_COMPLETED);
debug2("%s: DEBUG: Sending database completed message.", ARGV0);
-
+
prev_time_sk = time(0);
- }
+ }
#ifdef USEINOTIFY
FD_SET(syscheck.realtime->fd, &rfds);
- run_now = select(syscheck.realtime->fd + 1, &rfds,
+ run_now = select(syscheck.realtime->fd + 1, &rfds,
NULL, NULL, &selecttime);
if(run_now < 0)
{
int c_read_file(char *file_name, char *oldsum, char *newsum)
{
int size = 0, perm = 0, owner = 0, group = 0, md5sum = 0, sha1sum = 0, seechanges = 0;
-
+
struct stat statbuf;
os_md5 mf_sum;
/* Cleaning sums */
strncpy(mf_sum, "xxx", 4);
strncpy(sf_sum, "xxx", 4);
-
-
+
+
/* Stating the file */
#ifdef WIN32
/* owner */
if(oldsum[2] == '+')
- owner = 1;
-
+ owner = 1;
+
/* group */
if(oldsum[3] == '+')
group = 1;
-
+
/* md5 sum */
if(oldsum[4] == '+')
md5sum = 1;
sha1sum = 0;
seechanges = 1;
}
-
-
+
+
/* Generating new checksum */
#ifdef WIN32
if(S_ISREG(statbuf.st_mode))
if(sha1sum || md5sum)
{
/* Generating checksums of the file. */
- if(OS_MD5_SHA1_File(file_name, mf_sum, sf_sum) < 0)
+ if(OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum) < 0)
{
strncpy(sf_sum, "xxx", 4);
strncpy(mf_sum, "xxx", 4);
if(sha1sum || md5sum)
{
/* Generating checksums of the file. */
- if(OS_MD5_SHA1_File(file_name, mf_sum, sf_sum) < 0)
+ if(OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum) < 0)
{
strncpy(sf_sum, "xxx", 4);
strncpy(mf_sum, "xxx", 4);
}
}
#endif
-
+
newsum[0] = '\0';
newsum[255] = '\0';
snprintf(newsum,255,"%d:%d:%d:%d:%s:%s",
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/syscheckd/run_realtime.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
#include <sys/inotify.h>
-#define REALTIME_MONITOR_FLAGS IN_MODIFY|IN_ATTRIB|IN_MOVED_TO|IN_DELETE|IN_MOVED_FROM
+#define REALTIME_MONITOR_FLAGS IN_MODIFY|IN_ATTRIB|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE|IN_DELETE_SELF
#define REALTIME_EVENT_SIZE (sizeof (struct inotify_event))
#define REALTIME_EVENT_BUFFER (2048 * (REALTIME_EVENT_SIZE + 16))
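Review bot: `REALTIME_MONITOR_FLAGS` expands to an unparenthesised `|` chain, which is safe as a bare argument but breaks silently if it is ever combined with another operator (for example `REALTIME_MONITOR_FLAGS & mask`); define it as `#define REALTIME_MONITOR_FLAGS (IN_MODIFY|IN_ATTRIB|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE|IN_DELETE_SELF)`. The added `IN_DELETE_SELF` and `IN_CREATE` bits also change what the read loop receives (self-deletion events carry no file name), so a one-line comment on the define stating which events the consumer expects to handle would help the next reader.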
merror("%s: ERROR: Unable to initialize inotify.", ARGV0);
return(-1);
}
- #endif
+ #endif
return(1);
}
wd = inotify_add_watch(syscheck.realtime->fd,
dir,
- REALTIME_MONITOR_FLAGS);
+ REALTIME_MONITOR_FLAGS);
if(wd < 0)
{
- merror("%s: ERROR: Unable to add directory to real time "
+ merror("%s: ERROR: Unable to add directory to real time "
"monitoring: '%s'. %d %d", ARGV0, dir, wd, errno);
}
else
len = read(syscheck.realtime->fd, buf, REALTIME_EVENT_BUFFER);
- if (len < 0)
+ if (len < 0)
{
merror("%s: ERROR: Unable to read from real time buffer.", ARGV0);
- }
+ }
else if (len > 0)
{
- while (i < len)
+ while (i < len)
{
event = (struct inotify_event *) &buf[i];
snprintf(wdchar, 32, "%d", event->wd);
- snprintf(final_name, MAX_LINE, "%s/%s",
+ snprintf(final_name, MAX_LINE, "%s/%s",
(char *)OSHash_Get(syscheck.realtime->dirtb, wdchar),
event->name);
realtime_checksumfile(final_name);
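Review bot: The `snprintf` that builds `final_name` passes the result of `OSHash_Get(syscheck.realtime->dirtb, wdchar)` straight to `%s`; a watch descriptor that is not in the table yields NULL, and a NULL `%s` argument is undefined behaviour rather than a reported error. With `IN_DELETE_SELF` now in the watch mask an event for a removed watched directory arrives with an empty `name`, which also makes `final_name` end in `/`, so the lookup result should be checked first: `char *wdir = OSHash_Get(syscheck.realtime->dirtb, wdchar); if(wdir) { snprintf(final_name, MAX_LINE, "%s/%s", wdir, event->name); realtime_checksumfile(final_name); }`. The enclosing read loop and the index advance are outside the hunk.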
if(dwerror != ERROR_SUCCESS)
{
- merror("%s: ERROR: real time call back called, but error is set.",
+ merror("%s: ERROR: real time call back called, but error is set.",
ARGV0);
return;
}
rtlocald = OSHash_Get(syscheck.realtime->dirtb, wdchar);
if(rtlocald == NULL)
{
- merror("%s: ERROR: real time call back called, but hash is empty.",
+ merror("%s: ERROR: real time call back called, but hash is empty.",
ARGV0);
return;
}
-
+
do
{
TRUE,
FILE_NOTIFY_CHANGE_FILE_NAME|FILE_NOTIFY_CHANGE_DIR_NAME|FILE_NOTIFY_CHANGE_SIZE|FILE_NOTIFY_CHANGE_LAST_WRITE,
0,
- &rtlocald->overlap,
+ &rtlocald->overlap,
RTCallBack);
if(rc == 0)
{
- merror("%s: ERROR: Unable to set directory for monitoring: %s",
+ merror("%s: ERROR: Unable to set directory for monitoring: %s",
ARGV0, rtlocald->dir);
sleep(2);
}
os_calloc(1, sizeof(win32rtfim), rtlocald);
-
+
rtlocald->h = CreateFile(dir,
FILE_LIST_DIRECTORY,
NULL);
- if(rtlocald->h == INVALID_HANDLE_VALUE ||
- rtlocald->h == NULL)
+ if(rtlocald->h == INVALID_HANDLE_VALUE ||
+ rtlocald->h == NULL)
{
free(rtlocald);
rtlocald = NULL;
if(OSHash_Get(syscheck.realtime->dirtb, wdchar))
{
- merror("%s: ERROR: Entry already in the real time hash: %s",
+ merror("%s: ERROR: Entry already in the real time hash: %s",
ARGV0, wdchar);
CloseHandle(rtlocald->overlap.hEvent);
free(rtlocald);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/syscheckd/seechanges.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
snprintf(buf, OS_MAXSTR, "%s/local/%s/diff.%d",
DIFF_DIR_PATH, filename, alert_diff_time);
-
+
fp = fopen(buf, "r");
if(!fp)
{
else
{
/* Weird diff with only one large line. */
- buf[256] = '\0';
+ buf[256] = '\0';
}
}
else
/* Getting up to 20 line changes. */
tmp_str = buf;
-
+
while(tmp_str && (*tmp_str != '\0'))
{
tmp_str = strchr(tmp_str, '\n');
if(!tmp_str)
- break;
+ break;
else if(n >= 19)
{
- *tmp_str = '\0';
+ *tmp_str = '\0';
break;
}
n++;
- tmp_str++;
+ tmp_str++;
}
buf, n>=19?
"\nMore changes..":
"");
-
-
+
+
fclose(fp);
return(strdup(diff_alert));
}
char *tmpstr = NULL;
char *newdir = NULL;
-
+
os_strdup(filename, buffer);
newdir = buffer;
tmpstr = strchr(buffer +1, '/');
{
#ifndef WIN32
if(mkdir(newdir, 0770) == -1)
- #else
+ #else
if(mkdir(newdir) == -1)
- #endif
+ #endif
{
merror(MKDIR_ERROR, ARGV0, newdir);
free(buffer);
os_md5 md5sum_old;
os_md5 md5sum_new;
-
+
old_location[OS_MAXSTR] = '\0';
tmp_location[OS_MAXSTR] = '\0';
diff_cmd[OS_MAXSTR] = '\0';
if(OS_MD5_File(filename, md5sum_new) != 0)
{
//merror("%s: ERROR: Invalid internal state (missing '%s').",
- // ARGV0, filename);
+ // ARGV0, filename);
return(NULL);
}
/* Run diff. */
date_of_change = File_DateofChange(old_location);
- snprintf(diff_cmd, 2048, "diff \"%s\" \"%s\" > \"%s/local/%s/diff.%d\" "
+ snprintf(diff_cmd, 2048, "diff \"%s\" \"%s\" > \"%s/local/%s/diff.%d\" "
"2>/dev/null",
- tmp_location, old_location,
+ tmp_location, old_location,
DIFF_DIR_PATH, filename +1, date_of_change);
if(system(diff_cmd) != 256)
{
merror("%s: ERROR: Unable to run diff for %s",
ARGV0, filename);
- return(NULL);
+ return(NULL);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/syscheckd/syscheck-baseline.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
{
int c,r,no_stop = 1;
int test_config = 0;
-
+
char *cfg = DEFAULTCPATH;
char *input_f = NULL;
char *output_f = NULL;
-
-
+
+
/* Zeroing the structure */
syscheck.workdir = NULL;
/* Setting the name */
OS_SetName(ARGV0);
-
-
+
+
while((c = getopt(argc, argv, "VtdshD:c:i:o:")) != -1)
{
switch(c)
break;
case 's':
no_stop = 0;
- break;
+ break;
case 'd':
nowDebug();
break;
break;
case 't':
test_config = 1;
- break;
+ break;
default:
help(ARGV0);
- break;
+ break;
}
}
/* Reading internal options */
read_internal(no_stop);
-
-
+
+
/* Exit if testing config */
if(test_config)
exit(0);
-
+
/* Setting default values */
if(syscheck.workdir == NULL)
syscheck.workdir = DEFAULTDIR;
syscheck.db = (char *)calloc(1024,sizeof(char));
if(syscheck.db == NULL)
ErrorExit(MEM_ERROR,ARGV0);
-
+
snprintf(syscheck.db,1023, output_f);
/* Start the signal handling */
StartSIG(ARGV0);
-
+
/* Start up message */
verbose(STARTUP_MSG, ARGV0, getpid());
-
+
/* Create local database */
create_db(0);
-
+
fflush(syscheck.fp);
- return(0);
+ return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/syscheckd/syscheck.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#include "rootcheck/rootcheck.h"
-int dump_syscheck_entry(config *syscheck, char *entry, int vals, int reg);
+int dump_syscheck_entry(config *syscheck, char *entry, int vals, int reg, char *restrictfile);
if(!syscheck.dir)
{
merror(SK_NO_DIR, ARGV0);
- dump_syscheck_entry(&syscheck, "", 0, 0);
+ dump_syscheck_entry(&syscheck, "", 0, 0, NULL);
}
else if(!syscheck.dir[0])
{
if(!syscheck.registry)
{
- dump_syscheck_entry(&syscheck, "", 0, 1);
+ dump_syscheck_entry(&syscheck, "", 0, 1, NULL);
}
syscheck.registry[0] = NULL;
syscheck.rootcheck = 0;
merror("%s: WARN: Rootcheck module disabled.", ARGV0);
}
-
+
/* Printing options */
r = 0;
while(syscheck.registry[r] != NULL)
{
- verbose("%s: INFO: Monitoring registry entry: '%s'.",
+ verbose("%s: INFO: Monitoring registry entry: '%s'.",
ARGV0, syscheck.registry[r]);
r++;
}
-
+
r = 0;
while(syscheck.dir[r] != NULL)
{
/* Start up message */
verbose(STARTUP_MSG, ARGV0, getpid());
-
-
-
+
+
+
/* Some sync time */
sleep(syscheck.tsleep + 10);
/* Waiting if agent started properly. */
os_wait();
-
+
start_daemon();
exit(0);
-}
+}
#endif
/* Syscheck unix main.
*/
-#ifndef WIN32
+#ifndef WIN32
int main(int argc, char **argv)
{
int c,r;
int test_config = 0,run_foreground = 0;
-
+
char *cfg = DEFAULTCPATH;
-
-
+
+
/* Zeroing the structure */
syscheck.workdir = NULL;
/* Setting the name */
OS_SetName(ARGV0);
-
-
+
+
while((c = getopt(argc, argv, "VtdhfD:c:")) != -1)
{
switch(c)
break;
case 't':
test_config = 1;
- break;
+ break;
default:
help(ARGV0);
- break;
+ break;
}
}
{
if(!test_config)
merror(SK_NO_DIR, ARGV0);
- dump_syscheck_entry(&syscheck, "", 0, 0);
+ dump_syscheck_entry(&syscheck, "", 0, 0, NULL);
}
else if(!syscheck.dir[0])
{
/* Reading internal options */
read_internal();
-
-
+
+
/* Rootcheck config */
if(rootcheck_init(test_config) == 0)
merror("%s: WARN: Rootcheck module disabled.", ARGV0);
}
-
+
/* Exit if testing config */
if(test_config)
exit(0);
-
+
/* Setting default values */
if(syscheck.workdir == NULL)
syscheck.workdir = DEFAULTDIR;
- if(!run_foreground)
+ if(!run_foreground)
{
nowDaemon();
goDaemon();
}
-
+
/* Initial time to settle */
- sleep(syscheck.tsleep + 2);
-
-
+ sleep(syscheck.tsleep + 2);
+
+
/* Connect to the queue */
if((syscheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
- {
+ {
merror(QUEUE_ERROR, ARGV0, DEFAULTQPATH, strerror(errno));
sleep(5);
/* Start the signal handling */
StartSIG(ARGV0);
-
+
/* Creating pid */
if(CreatePID(ARGV0, getpid()) < 0)
}
r++;
}
-
-
+
+
/* Some sync time */
sleep(syscheck.tsleep + 10);
/* Start the daemon */
start_daemon();
- return(0);
+ return(0);
}
#endif /* ifndef WIN32 */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/syscheckd/syscheck.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#ifndef __SYSCHECK_H
/* int run_dbcheck()
* Checks database for changes.
*/
-int run_dbcheck();
-
+int run_dbcheck();
+
/** void os_winreg_check()
* Checks the registry for changes.
- */
+ */
void os_winreg_check();
/* starts real time */
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/syscheckd/win-registry.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-
+
/* Windows only */
#ifdef WIN32
-
+
#include "shared.h"
#include "syscheck.h"
#include "os_crypto/md5/md5_op.h"
#include "os_crypto/sha1/sha1_op.h"
-#include "os_crypto/md5_sha1/md5_sha1_op.h"
+#include "os_crypto/md5_sha1/md5_sha1_op.h"
/* Default values */
#define SYS_WIN_REG "syscheck/syscheckregistry.db"
#define SYS_REG_TMP "syscheck/syscheck_sum.tmp"
-
-
+
+
/* Global variables */
HKEY sub_tree;
int ig_count = 0;
int os_winreg_changed(char *key, char *md5, char *sha1)
{
char buf[MAX_LINE +1];
-
+
buf[MAX_LINE] = '\0';
if(n_buf == NULL)
continue;
- *n_buf = '\0';
-
+ *n_buf = '\0';
+
n_buf = strchr(buf, ' ');
if(n_buf == NULL)
continue;
-
+
if(strcmp(n_buf +1, key) != 0)
continue;
-
+
/* Entry found, checking if checksum is the same */
- *n_buf = '\0';
+ *n_buf = '\0';
if((strncmp(buf, md5, sizeof(os_md5) -1) == 0)&&
(strcmp(buf + sizeof(os_md5) -1, sha1) == 0))
{
/* Checking if ret has nothing else. */
if(ret && (*ret == '\0'))
ret = NULL;
-
- /* fixing tmp_str and the real name of the registry */
+
+ /* fixing tmp_str and the real name of the registry */
if(tmp_str && (*tmp_str == '\0'))
*tmp_str = '\\';
-
+
return(ret);
}
/* void os_winreg_querykey(HKEY hKey, char *p_key)
* Query the key and get all its values.
*/
-void os_winreg_querykey(HKEY hKey, char *p_key, char *full_key_name)
+void os_winreg_querykey(HKEY hKey, char *p_key, char *full_key_name)
{
int i, rc;
DWORD j;
DWORD value_count;
/* Variables for RegEnumValue */
- TCHAR value_buffer[MAX_VALUE_NAME +1];
- TCHAR data_buffer[MAX_VALUE_NAME +1];
+ TCHAR value_buffer[MAX_VALUE_NAME +1];
+ TCHAR data_buffer[MAX_VALUE_NAME +1];
DWORD value_size;
DWORD data_size;
sub_key_name_b[0] = '\0';
sub_key_name_b[MAX_KEY_LENGTH] = '\0';
sub_key_name_b[MAX_KEY_LENGTH +1] = '\0';
-
+
/* We use the class_name, subkey_count and the value count. */
rc = RegQueryInfoKey(hKey, class_name_b, &class_name_s, NULL,
if(subkey_count)
{
/* We open each subkey and call open_key */
- for(i=0;i<subkey_count;i++)
- {
+ for(i=0;i<subkey_count;i++)
+ {
sub_key_name_s = MAX_KEY_LENGTH;
rc = RegEnumKeyEx(hKey, i, sub_key_name_b, &sub_key_name_s,
- NULL, NULL, NULL, NULL);
-
+ NULL, NULL, NULL, NULL);
+
/* Checking for the rc. */
- if(rc == ERROR_SUCCESS)
+ if(rc == ERROR_SUCCESS)
{
char new_key[MAX_KEY + 2];
char new_key_full[MAX_KEY + 2];
if(p_key)
{
- snprintf(new_key, MAX_KEY,
+ snprintf(new_key, MAX_KEY,
"%s\\%s", p_key, sub_key_name_b);
- snprintf(new_key_full, MAX_KEY,
+ snprintf(new_key_full, MAX_KEY,
"%s\\%s", full_key_name, sub_key_name_b);
}
else
{
snprintf(new_key, MAX_KEY, "%s", sub_key_name_b);
- snprintf(new_key_full, MAX_KEY,
+ snprintf(new_key_full, MAX_KEY,
"%s\\%s", full_key_name, sub_key_name_b);
}
}
}
}
-
+
/* Getting Values (if available) */
- if (value_count)
+ if (value_count)
{
/* md5 and sha1 sum */
os_md5 mf_sum;
}
/* Getting each value */
- for(i=0;i<value_count;i++)
- {
- value_size = MAX_VALUE_NAME;
+ for(i=0;i<value_count;i++)
+ {
+ value_size = MAX_VALUE_NAME;
data_size = MAX_VALUE_NAME;
value_buffer[0] = '\0';
data_buffer[0] = '\0';
rc = RegEnumValue(hKey, i, value_buffer, &value_size,
- NULL, &data_type, data_buffer, &data_size);
+ NULL, &data_type, (LPBYTE)data_buffer, &data_size);
/* No more values available */
if(rc != ERROR_SUCCESS)
/* Generating checksum of the values */
fclose(checksum_fp);
- if(OS_MD5_SHA1_File(SYS_REG_TMP, mf_sum, sf_sum) == -1)
+ if(OS_MD5_SHA1_File(SYS_REG_TMP, syscheck.prefilter_cmd, mf_sum, sf_sum) == -1)
{
merror(FOPEN_ERROR, ARGV0, SYS_REG_TMP);
return;
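Review bot: The failure branch after the new `OS_MD5_SHA1_File(SYS_REG_TMP, syscheck.prefilter_cmd, mf_sum, sf_sum)` call still reports `FOPEN_ERROR`, yet with a prefilter command now passed in, a -1 return presumably can also mean the prefilter could not be run on `SYS_REG_TMP`, so the operator would be told the tmp file failed to open when the cause is elsewhere. At minimum the call deserves a comment such as `/* prefilter_cmd (if configured) is applied to SYS_REG_TMP before hashing; -1 here may be a prefilter failure, not an fopen failure */`, and ideally a distinct message for that case once `OS_MD5_SHA1_File`'s error reporting is confirmed. If the prefilter does spawn an external process per key, this runs once for every registry key enumerated, which is worth stating next to the call as well. The enclosing `os_winreg_querykey` starts and ends outside this hunk.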
{
char reg_changed[MAX_LINE +1];
snprintf(reg_changed, MAX_LINE, "0:0:0:0:%s:%s %s",
- mf_sum, sf_sum, full_key_name);
+ mf_sum, sf_sum, full_key_name);
/* Notifying server */
notify_registry(reg_changed, 0);
}
ig_count++;
-
+
/* Registry ignore list */
if(full_key_name && syscheck.registry_ignore)
{
/* Debug entries */
debug1("%s: DEBUG: Starting os_winreg_check", ARGV0);
-
-
+
+
/* Zeroing ig_count before checking */
ig_count = 1;
-
+
/* Checking if the registry fp is open */
if(syscheck.reg_fp == NULL)
{
sub_tree = NULL;
rk = NULL;
-
+
/* Ignored entries are zeroed */
if(*syscheck.registry[i] == '\0')
{
i++;
continue;
}
-
-
+
+
/* Reading syscheck registry entry */
debug1("%s: DEBUG: Attempt to read: %s", ARGV0, syscheck.registry[i]);
-
-
+
+
rk = os_winreg_sethkey(syscheck.registry[i]);
if(sub_tree == NULL)
{
struct statfs fs;
int percentbfree=0;
int percentnfree=0;
-
+
if(statfs(path, &fs) != 0)
return(-1);
if((fs.f_bfree == 0)||(fs.f_ffree == 0))
return(-1);
- percentbfree = (int)(100*fs.f_bfree)/fs.f_blocks;
- percentnfree = (int)(100*fs.f_ffree)/fs.f_files;
+ percentbfree = (int)(100*fs.f_bfree)/fs.f_blocks;
+ percentnfree = (int)(100*fs.f_ffree)/fs.f_files;
printf("file system for %s has %d free blocks out of a total of %d - %d. Total of %d%% FREE \n",path,fs.f_ffree,fs.f_blocks,percentbfree,percentnfree);
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/util/agent_control.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int gid = 0;
int uid = 0;
int c = 0, restart_syscheck = 0, restart_all_agents = 0, list_agents = 0;
- int info_agent = 0, agt_id = 0, active_only = 0, csv_output = 0;
+ int info_agent = 0, agt_id = 0, active_only = 0, csv_output = 0;
int list_responses = 0, end_time = 0, restart_agent = 0;
char shost[512];
-
+
keystore keys;
-
-
+
+
/* Setting the name */
OS_SetName(ARGV0);
-
-
+
+
/* user arguments */
if(argc < 2)
{
break;
case 'L':
list_responses = 1;
- break;
+ break;
case 'e':
end_time = 1;
- break;
+ break;
case 'r':
restart_syscheck = 1;
break;
list_agents++;
break;
case 's':
- csv_output = 1;
- break;
+ csv_output = 1;
+ break;
case 'c':
active_only++;
- break;
+ break;
case 'i':
info_agent++;
case 'u':
helpmsg();
}
agent_id = optarg;
- restart_agent = 1;
+ restart_agent = 1;
case 'a':
restart_all_agents = 1;
break;
}
}
-
-
+
+
/* Getting the group name */
gid = Privsep_GetGroup(group);
uid = Privsep_GetUser(user);
ErrorExit(USER_ERROR, ARGV0, user, group);
}
-
+
/* Setting the group */
if(Privsep_SetGroup(gid) < 0)
{
ErrorExit(SETGID_ERROR,ARGV0, group);
}
-
-
+
+
/* Chrooting to the default directory */
if(Privsep_Chroot(dir) < 0)
{
/* Inside chroot now */
nowChroot();
-
+
/* Setting the user */
if(Privsep_SetUser(uid) < 0)
{
printf("\nOSSEC HIDS %s. Available active responses:\n", ARGV0);
}
-
+
fp = fopen(DEFAULTAR, "r");
if(fp)
{
r_cmd = strchr(buffer, ' ');
if(!r_cmd)
continue;
-
+
*r_cmd = '\0';
r_cmd++;
if(*r_cmd == '-')
r_timeout = strchr(r_cmd, ' ');
if(!r_timeout)
continue;
- *r_timeout = '\0';
-
+ *r_timeout = '\0';
+
if(strcmp(r_name, "restart-ossec0") == 0)
{
continue;
exit(0);
}
-
+
/* Listing available agents. */
if(list_agents)
{
if(!csv_output)
{
- printf("\nOSSEC HIDS %s. List of available agents:",
+ printf("\nOSSEC HIDS %s. List of available agents:",
ARGV0);
printf("\n ID: 000, Name: %s (server), IP: 127.0.0.1, Active/Local\n",
shost);
printf("\n");
exit(0);
}
-
+
/* Checking if the provided ID is valid. */
- if(agent_id != NULL)
+ if(agent_id != NULL)
{
if(strcmp(agent_id, "000") != 0)
{
agt_id = -1;
}
}
-
+
/* Printing information from an agent. */
char final_ip[128 +1];
char final_mask[128 +1];
agent_info *agt_info;
-
+
final_ip[128] = '\0';
final_mask[128] = '\0';
-
+
if(!csv_output)
printf("\nOSSEC HIDS %s. Agent information:", ARGV0);
/* Getting netmask from ip. */
getNetmask(keys.keyentries[agt_id]->ip->netmask, final_mask, 128);
- snprintf(final_ip, 128, "%s%s",keys.keyentries[agt_id]->ip->ip,
+ snprintf(final_ip, 128, "%s%s",keys.keyentries[agt_id]->ip->ip,
final_mask);
}
else
{
- printf("%s,%s,%s,%s,",
+ printf("%s,%s,%s,%s,",
keys.keyentries[agt_id]->id,
keys.keyentries[agt_id]->name,
final_ip,
- print_agent_status(agt_status));
+ print_agent_status(agt_status));
}
}
else
{
- agt_status = get_agent_status(NULL, NULL);
+ agt_status = get_agent_status(NULL, NULL);
agt_info = get_agent_info(NULL, "127.0.0.1");
if(!csv_output)
printf("000,%s,127.0.0.1,%s/Local,",
shost,
print_agent_status(agt_status));
-
+
}
}
-
+
if(!csv_output)
{
printf(" Operating system: %s\n", agt_info->os);
printf(" Client version: %s\n", agt_info->version);
printf(" Last keep alive: %s\n\n", agt_info->last_keepalive);
-
+
if(end_time)
{
}
else
{
- printf("%s,%s,%s,%s,%s,\n",
+ printf("%s,%s,%s,%s,%s,\n",
agt_info->os,
agt_info->version,
agt_info->last_keepalive,
agt_info->syscheck_time,
agt_info->rootcheck_time);
}
-
+
exit(0);
}
exit(0);
}
-
+
if(restart_syscheck && agent_id)
exit(0);
}
-
-
+
+
if(restart_agent && agent_id)
{
/* Connecting to remoted. */
exit(0);
}
-
+
printf("\n** Invalid argument combination.\n");
helpmsg();
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/util/clear_stats.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
{
int clear_daily = 0;
int clear_weekly = 0;
-
+
char *dir = DEFAULTDIR;
char *group = GROUPGLOBAL;
char *user = USER;
int gid;
int uid;
-
+
/* Setting the name */
OS_SetName(ARGV0);
-
-
+
+
/* user arguments */
if(argc != 2)
{
helpmsg();
}
-
+
/* Getting the group name */
gid = Privsep_GetGroup(group);
uid = Privsep_GetUser(user);
ErrorExit(USER_ERROR, ARGV0, user, group);
}
-
+
/* Setting the group */
if(Privsep_SetGroup(gid) < 0)
{
ErrorExit(SETGID_ERROR,ARGV0, group);
}
-
-
+
+
/* Chrooting to the default directory */
if(Privsep_Chroot(dir) < 0)
{
/* Inside chroot now */
nowChroot();
-
+
/* Setting the user */
if(Privsep_SetUser(uid) < 0)
{
ErrorExit(SETUID_ERROR, ARGV0, user);
}
-
+
/* User options */
if(strcmp(argv[1], "-h") == 0)
{
{
ErrorExit("%s: Unable to open: '%s'", ARGV0, daily_dir);
}
-
+
while((entry = readdir(daily)) != NULL)
{
char full_path[OS_MAXSTR +1];
-
- /* Do not even attempt to delete . and .. :) */
+
+ /* Do not even attempt to delete . and .. :) */
if((strcmp(entry->d_name,".") == 0)||
(strcmp(entry->d_name,"..") == 0))
{
continue;
}
-
+
/* Remove file */
full_path[OS_MAXSTR] = '\0';
snprintf(full_path, OS_MAXSTR, "%s/%s", daily_dir, entry->d_name);
unlink(full_path);
}
-
+
closedir(daily);
}
-
-
+
+
/* Clear weekly averages */
if(clear_weekly)
{
daily = opendir(dir_path);
if(!daily)
{
- ErrorExit("%s: Unable to open: '%s' (no stats)",
+ ErrorExit("%s: Unable to open: '%s' (no stats)",
ARGV0, dir_path);
}
/* Remove file */
full_path[OS_MAXSTR] = '\0';
- snprintf(full_path, OS_MAXSTR, "%s/%s", dir_path,
+ snprintf(full_path, OS_MAXSTR, "%s/%s", dir_path,
entry->d_name);
unlink(full_path);
}
-
+
i++;
closedir(daily);
}
}
-
- printf("\n** Internal stats clear.\n\n");
+
+ printf("\n** Internal stats clear.\n\n");
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/util/list_agents.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
char *dir = DEFAULTDIR;
char *group = GROUPGLOBAL;
char *user = USER;
-
+
char *msg;
char **agent_list;
int gid;
int uid;
int flag;
-
+
/* Setting the name */
OS_SetName(ARGV0);
-
-
+
+
/* user arguments */
if(argc < 2)
{
helpmsg();
}
-
+
/* Getting the group name */
gid = Privsep_GetGroup(group);
uid = Privsep_GetUser(user);
ErrorExit(USER_ERROR, ARGV0, user, group);
}
-
+
/* Setting the group */
if(Privsep_SetGroup(gid) < 0)
{
ErrorExit(SETGID_ERROR,ARGV0, group);
}
-
-
+
+
/* Chrooting to the default directory */
if(Privsep_Chroot(dir) < 0)
{
/* Inside chroot now */
nowChroot();
-
+
/* Setting the user */
if(Privsep_SetUser(uid) < 0)
{
ErrorExit(SETUID_ERROR, ARGV0, user);
}
-
+
/* User options */
if(strcmp(argv[1], "-h") == 0)
{
if(agent_list)
{
char **agent_list_pt = agent_list;
-
+
while(*agent_list)
{
printf("%s %s\n", *agent_list, msg);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/util/ossec-regex.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
int main(int argc, char **argv)
{
char *pattern;
-
+
char msg[OS_MAXSTR +1];
memset(msg, '\0', OS_MAXSTR +1);
- OSRegex regex;
- OSMatch matcher;
+ OSRegex regex;
+ OSMatch matcher;
OS_SetName(ARGV0);
-
-
+
+
/* user arguments */
if(argc != 2)
{
helpmsg();
return(-1);
}
-
+
/* User options */
if(strcmp(argv[1], "-h") == 0)
{
}
os_strdup(argv[1], pattern);
- if(!OSRegex_Compile(pattern, ®ex, 0))
- {
+ if(!OSRegex_Compile(pattern, ®ex, 0))
+ {
printf("pattern does not compile with OSRegex_Compile\n");
- return(-1);
+ return(-1);
}
if(!OSMatch_Compile(pattern, &matcher, 0))
{
while((fgets(msg, OS_MAXSTR, stdin)) != NULL)
- {
- /* Removing new line. */
+ {
+ /* Removing new line. */
if(msg[strlen(msg) -1] == '\n')
msg[strlen(msg) -1] = '\0';
- /* Make sure we ignore blank lines. */
- if(strlen(msg) < 2) { continue; }
+ /* Make sure we ignore blank lines. */
+ if(strlen(msg) < 2) { continue; }
if(OSRegex_Execute(msg, ®ex))
- printf("+OSRegex_Execute: %s\n",msg);
+ printf("+OSRegex_Execute: %s\n",msg);
/*
else
- printf("-OSRegex_Execute: \n");
+ printf("-OSRegex_Execute: \n");
*/
- if(OS_Regex(pattern, msg))
+ if(OS_Regex(pattern, msg))
printf("+OS_Regex : %s\n", msg);
/*
else
- printf("-OS_Regex: \n");
+ printf("-OS_Regex: \n");
*/
- if(OSMatch_Execute(msg, strlen(msg), &matcher))
- printf("+OSMatch_Compile: %s\n", msg);
-
- if(OS_Match2(pattern, msg))
- printf("+OS_Match2 : %s\n", msg);
+ if(OSMatch_Execute(msg, strlen(msg), &matcher))
+ printf("+OSMatch_Compile: %s\n", msg);
+
+ if(OS_Match2(pattern, msg))
+ printf("+OS_Match2 : %s\n", msg);
}
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/util/rootcheck_control.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/** help **/
void helpmsg()
{
- printf("\nOSSEC HIDS %s: Manages the policy and auditing database.\n",
+ printf("\nOSSEC HIDS %s: Manages the policy and auditing database.\n",
ARGV0);
printf("Available options:\n");
printf("\t-h This help message.\n");
int active_only = 0, csv_output = 0;
char shost[512];
-
-
-
+
+
+
/* Setting the name */
OS_SetName(ARGV0);
-
-
+
+
/* user arguments */
if(argc < 2)
{
list_agents++;
break;
case 's':
- csv_output = 1;
+ csv_output = 1;
break;
case 'c':
active_only++;
- break;
+ break;
case 'r':
resolved_only = 1;
- break;
+ break;
case 'q':
resolved_only = 2;
- break;
+ break;
case 'L':
show_last = 1;
break;
}
}
-
-
+
+
/* Getting the group name */
gid = Privsep_GetGroup(group);
uid = Privsep_GetUser(user);
ErrorExit(USER_ERROR, ARGV0, user, group);
}
-
+
/* Setting the group */
if(Privsep_SetGroup(gid) < 0)
{
ErrorExit(SETGID_ERROR,ARGV0, group);
}
-
-
+
+
/* Chrooting to the default directory */
if(Privsep_Chroot(dir) < 0)
{
/* Inside chroot now */
nowChroot();
-
+
/* Setting the user */
if(Privsep_SetUser(uid) < 0)
}
-
+
/* Listing available agents. */
if(list_agents)
{
if(!csv_output)
{
- printf("\nOSSEC HIDS %s. List of available agents:",
+ printf("\nOSSEC HIDS %s. List of available agents:",
ARGV0);
printf("\n ID: 000, Name: %s (server), IP: 127.0.0.1, "
"Active/Local\n", shost);
printf("\n");
exit(0);
}
-
+
/* Update rootcheck database. */
continue;
}
- snprintf(full_path, OS_MAXSTR,"%s/%s", ROOTCHECK_DIR,
+ snprintf(full_path, OS_MAXSTR,"%s/%s", ROOTCHECK_DIR,
entry->d_name);
fp = fopen(full_path, "w");
exit(0);
}
- else if((strcmp(agent_id, "000") == 0) ||
+ else if((strcmp(agent_id, "000") == 0) ||
(strcmp(agent_id, "local") == 0))
{
char final_dir[1024];
}
}
-
+
/* Printing information from an agent. */
if(info_agent)
{
if(!csv_output)
printf("\nPolicy and auditing events for local system '%s - %s':\n",
shost, "127.0.0.1");
-
+
print_rootcheck(NULL,
- NULL, NULL, resolved_only, csv_output, show_last);
+ NULL, NULL, resolved_only, csv_output, show_last);
}
else
{
/* Getting netmask from ip. */
final_ip[128] = '\0';
final_mask[128] = '\0';
- getNetmask(keys.keyentries[i]->ip->netmask,
+ getNetmask(keys.keyentries[i]->ip->netmask,
final_mask, 128);
snprintf(final_ip, 128, "%s%s",keys.keyentries[i]->ip->ip,
final_mask);
if(!csv_output)
printf("\nPolicy and auditing events for agent "
"'%s (%s) - %s':\n",
- keys.keyentries[i]->name, keys.keyentries[i]->id,
+ keys.keyentries[i]->name, keys.keyentries[i]->id,
final_ip);
print_rootcheck(keys.keyentries[i]->name,
- keys.keyentries[i]->ip->ip, NULL,
+ keys.keyentries[i]->ip->ip, NULL,
resolved_only, csv_output, show_last);
}
-
+
exit(0);
}
-
+
printf("\n** Invalid argument combination.\n");
helpmsg();
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/util/syscheck_control.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/** help **/
void helpmsg()
{
- printf("\nOSSEC HIDS %s: Manages the integrity checking database.\n",
+ printf("\nOSSEC HIDS %s: Manages the integrity checking database.\n",
ARGV0);
printf("Available options:\n");
printf("\t-h This help message.\n");
int active_only = 0, csv_output = 0;
char shost[512];
-
-
-
+
+
+
/* Setting the name */
OS_SetName(ARGV0);
-
-
+
+
/* user arguments */
if(argc < 2)
{
break;
case 'd':
zero_counter = 2;
- break;
+ break;
case 's':
- csv_output = 1;
+ csv_output = 1;
case 'c':
active_only++;
- break;
+ break;
case 'r':
registry_only = 1;
- break;
+ break;
case 'i':
info_agent++;
if(!optarg)
}
}
-
-
+
+
/* Getting the group name */
gid = Privsep_GetGroup(group);
uid = Privsep_GetUser(user);
ErrorExit(USER_ERROR, ARGV0, user, group);
}
-
+
/* Setting the group */
if(Privsep_SetGroup(gid) < 0)
{
ErrorExit(SETGID_ERROR,ARGV0, group);
}
-
-
+
+
/* Chrooting to the default directory */
if(Privsep_Chroot(dir) < 0)
{
/* Inside chroot now */
nowChroot();
-
+
/* Setting the user */
if(Privsep_SetUser(uid) < 0)
}
-
+
/* Listing available agents. */
if(list_agents)
{
if(!csv_output)
{
- printf("\nOSSEC HIDS %s. List of available agents:",
+ printf("\nOSSEC HIDS %s. List of available agents:",
ARGV0);
printf("\n ID: 000, Name: %s (server), IP: 127.0.0.1, "
"Active/Local\n", shost);
printf("\n");
exit(0);
}
-
+
/* Update syscheck database. */
continue;
}
- snprintf(full_path, OS_MAXSTR,"%s/%s", SYSCHECK_DIR,
+ snprintf(full_path, OS_MAXSTR,"%s/%s", SYSCHECK_DIR,
entry->d_name);
fp = fopen(full_path, "w");
exit(0);
}
- else if((strcmp(agent_id, "000") == 0) ||
+ else if((strcmp(agent_id, "000") == 0) ||
(strcmp(agent_id, "local") == 0))
{
char final_dir[1024];
}
}
-
+
/* Printing information from an agent. */
if(info_agent)
{
shost, "127.0.0.1");
if(fname)
{
- printf("Detailed information for entries matching: '%s'\n",
+ printf("Detailed information for entries matching: '%s'\n",
fname);
}
-
+
print_syscheck(NULL,
- NULL, fname, 0, 0,
+ NULL, fname, 0, 0,
csv_output, zero_counter);
}
else if(strchr(agent_id, '@'))
{
if(fname)
{
- printf("Detailed information for entries matching: '%s'\n",
+ printf("Detailed information for entries matching: '%s'\n",
fname);
}
print_syscheck(agent_id, NULL, fname, registry_only, 0,
{
printf("\nIntegrity changes for 'Windows Registry' of"
" agent '%s (%s) - %s':\n",
- keys.keyentries[i]->name, keys.keyentries[i]->id,
- final_ip);
+ keys.keyentries[i]->name, keys.keyentries[i]->id,
+ final_ip);
}
else
{
printf("\nIntegrity changes for agent "
"'%s (%s) - %s':\n",
- keys.keyentries[i]->name, keys.keyentries[i]->id,
+ keys.keyentries[i]->name, keys.keyentries[i]->id,
final_ip);
}
if(fname)
{
- printf("Detailed information for entries matching: '%s'\n",
+ printf("Detailed information for entries matching: '%s'\n",
fname);
}
print_syscheck(keys.keyentries[i]->name,
- keys.keyentries[i]->ip->ip, fname,
+ keys.keyentries[i]->ip->ip, fname,
registry_only, 0, csv_output, zero_counter);
}
-
+
exit(0);
}
-
+
printf("\n** Invalid argument combination.\n");
helpmsg();
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/util/syscheck_update.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/** help **/
void helpmsg()
{
- printf("\nOSSEC HIDS %s: Updates the integrity check database.\n", ARGV0);
+ printf("\nOSSEC HIDS %s: Updates (clears) the integrity check database.\n", ARGV0);
printf("Available options:\n");
printf("\t-h This help message.\n");
printf("\t-l List available agents.\n");
- printf("\t-a Update syscheck database for all agents.\n");
- printf("\t-u <id> Update syscheck database for a specific agent.\n");
- printf("\t-u local Update syscheck database locally.\n\n");
+ printf("\t-a Update (clear) syscheck database for all agents.\n");
+ printf("\t-u <id> Update (clear) syscheck database for a specific agent.\n");
+ printf("\t-u local Update (clear) syscheck database locally.\n\n");
exit(1);
}
-
/** main **/
int main(int argc, char **argv)
{
char *user = USER;
int gid;
int uid;
-
+
/* Setting the name */
OS_SetName(ARGV0);
-
-
+
+
/* user arguments */
if(argc < 2)
{
helpmsg();
}
-
+
/* Getting the group name */
gid = Privsep_GetGroup(group);
uid = Privsep_GetUser(user);
ErrorExit(USER_ERROR, ARGV0, user, group);
}
-
+
/* Setting the group */
if(Privsep_SetGroup(gid) < 0)
{
ErrorExit(SETGID_ERROR,ARGV0, group);
}
-
-
+
+
/* Chrooting to the default directory */
if(Privsep_Chroot(dir) < 0)
{
/* Inside chroot now */
nowChroot();
-
+
/* Setting the user */
if(Privsep_SetUser(uid) < 0)
{
ErrorExit(SETUID_ERROR, ARGV0, user);
}
-
+
/* User options */
if(strcmp(argv[1], "-h") == 0)
{
}
else if(strcmp(argv[1], "-l") == 0)
{
- printf("\nOSSEC HIDS %s: Updates the integrity check database.",
+ printf("\nOSSEC HIDS %s: Updates the integrity check database.",
ARGV0);
print_agents(0, 0, 0);
printf("\n");
}
snprintf(full_path, OS_MAXSTR,"%s/%s", SYSCHECK_DIR, entry->d_name);
-
+
fp = fopen(full_path, "w");
if(fp)
{
}
closedir(sys_dir);
- printf("\n** Integrity check database updated.\n\n");
+ printf("\n** Integrity check database updated.\n\n");
exit(0);
}
else
helpmsg();
}
-
+
/* local */
if(strcmp(argv[2],"local") == 0)
{
char final_dir[1024];
FILE *fp;
snprintf(final_dir, 1020, "/%s/syscheck", SYSCHECK_DIR);
-
+
fp = fopen(final_dir, "w");
if(fp)
{
/* Deleting cpt file */
snprintf(final_dir, 1020, "/%s/.syscheck.cpt", SYSCHECK_DIR);
-
+
fp = fopen(final_dir, "w");
if(fp)
{
printf("\n** Invalid agent id '%s'.\n", argv[2]);
helpmsg();
}
-
+
/* Deleting syscheck */
delete_syscheck(keys.keyentries[i]->name,keys.keyentries[i]->ip->ip,0);
}
-
- printf("\n** Integrity check database updated.\n\n");
+
+ printf("\n** Integrity check database updated.\n\n");
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/util/verify-agent-conf.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2010 Trend Micro Inc.
* All right reserved.
#define ARGV0 "verify-agent-conf"
+/** help **/
+void helpmsg()
+{
+ printf("\nOSSEC HIDS %s: Verify agent.conf syntax for errors.\n", ARGV0);
+ printf("Usage: %s [-f <agent.conf file>]\n\n", ARGV0);
+ printf("Available options:\n");
+ printf("\t-h This help message.\n");
+ printf("\t-f Full file name and path to config file to be tested.\n");
+ printf("\t If this option is not specified the following default\n");
+ printf("\t will be used.\n");
+ printf(" ");
+ printf("\t Validation is successful, if no errors are shown.\n");
+ exit(1);
+}
+
/* main: v0.3: 2005/04/04 */
int main(int argc, char **argv)
{
+ char* ar=AGENTCONFIG;
+ int c=0;
int modules = 0;
logreader_config log_config;
/* Setting the name */
OS_SetName(ARGV0);
-
+
+
+ /* printf ("Agrc [%d], Argv [%s]\n", argc, *argv); */
+
+ /* user arguments */
+ if(argc > 1)
+ {
+ while((c = getopt(argc, argv, "Vdhf:")) != -1)
+ {
+ switch(c){
+ case 'V':
+ print_version();
+ break;
+ case 'h':
+ helpmsg();
+ break;
+ case 'd':
+ nowDebug();
+ break;
+ case 'f':
+ if(!optarg)
+ {
+ merror("%s: -f needs an argument",ARGV0);
+ helpmsg();
+ }
+ ar = optarg;
+ break;
+ default:
+ helpmsg();
+ break;
+ }
+
+ }
+ }
+
+
+
+ printf("\n%s: Verifying [%s].\n\n", ARGV0, ar);
modules|= CLOCALFILE;
modules|= CAGENT_CONFIG;
log_config.config = NULL;
- if(ReadConfig(modules, AGENTCONFIG, &log_config, NULL) < 0)
+ if(ReadConfig(modules, ar, &log_config, NULL) < 0)
{
return(OS_INVALID);
}
- logff = log_config.config;
+ logff = log_config.config;
return(0);
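Review bot: The new `helpmsg()` says "If this option is not specified the following default will be used." and then emits `printf(" ");`, so the default path is never printed; that line should be `printf("\t %s\n", AGENTCONFIG);` so the user sees which agent.conf was actually validated when `-f` is omitted (the macro is already used to initialise `ar` in `main`). The `if(!optarg)` guard under `case 'f'` is dead code because `f:` in the optstring makes getopt either supply the argument or return `?`, which already lands in `default:`. Since `-f` now accepts an arbitrary path, a one-line comment on `ar` noting that it is only read by `ReadConfig` and never written back would make the tool's footprint clear to a reader.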
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/add-localfile.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#include <stdio.h>
#include <stdlib.h>
/* Clearing memory */
memset(line, '\0', OS_MAXSTR +1);
- /* Reading file and looking for str */
+ /* Reading file and looking for str */
while(fgets(line, OS_MAXSTR, fp) != NULL)
{
if(OS_Match(str, line))
/* Check is syscheck is present in the config */
int config_file(char *name, char *file, int quiet)
{
- int add = 0;
-
char ffile[256];
FILE *fp;
ffile[255] = '\0';
-
+
/* Checking if the file has a variable format */
if(strchr(file, '%') != NULL)
{
strncpy(ffile, file, 255);
}
-
-
+
+
/* Looking for ffile */
if(!fileexist(ffile))
{
}
return(-1);
}
-
+
if(dogrep(OSSECCONF, file))
{
- printf("%s: Log file already configured: '%s'.\n",
+ printf("%s: Log file already configured: '%s'.\n",
name, file);
return(0);
}
-
-
+
+
/* Add iis config config */
fp = fopen(OSSECCONF, "a");
if(!fp)
{
printf("%s: Unable to edit configuration file.\n", name);
- return(0);
+ return(0);
}
-
+
printf("%s: Adding log file to be monitored: '%s'.\n", name,file);
- fprintf(fp, "\r\n"
- "\r\n"
+ fprintf(fp, "\r\n"
+ "\r\n"
"<!-- Extra log file -->\r\n"
"<ossec_config>\r\n"
" <localfile>\r\n"
fclose(fp);
return(0);
-
+
}
/* Setup windows after install */
int main(int argc, char **argv)
{
int quiet = 0;
-
+
if(argc < 2)
{
printf("%s: Invalid syntax.\n", argv[0]);
quiet = 1;
}
-
+
/* Checking if ossec was installed already */
if(!fileexist(OSSECCONF))
{
{
config_file(argv[0], argv[1], quiet);
}
-
+
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/extract-win-el.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
/** int startEL(char *app, os_el *el)
- * Starts the event logging for each el
+ * Starts the event logging for each el
*/
int startEL(char *app, os_el *el)
{
el->h = OpenEventLog(NULL, app);
if(!el->h)
{
- return(0);
+ return(0);
}
el->name = app;
-/** char *el_getCategory(int category_id)
+/** char *el_getCategory(int category_id)
* Returns a string related to the category id of the log.
*/
char *el_getCategory(int category_id)
/** int el_getEventDLL(char *evt_name, char *source, char *event)
* Returns the event.
*/
-int el_getEventDLL(char *evt_name, char *source, char *event)
+int el_getEventDLL(char *evt_name, char *source, char *event)
{
HKEY key;
DWORD ret;
keyname[255] = '\0';
- snprintf(keyname, 254,
- "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s",
- evt_name,
+ snprintf(keyname, 254,
+ "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s",
+ evt_name,
source);
- /* Opening registry */
+ /* Opening registry */
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, keyname, 0, KEY_ALL_ACCESS, &key)
!= ERROR_SUCCESS)
{
- return(0);
+ return(0);
}
ret = MAX_PATH -1;
- if (RegQueryValueEx(key, "EventMessageFile", NULL,
+ if (RegQueryValueEx(key, "EventMessageFile", NULL,
NULL, (LPBYTE)event, &ret) != ERROR_SUCCESS)
{
event[0] = '\0';
-/** char *el_getmessage()
+/** char *el_getmessage()
* Returns a descriptive message of the event.
*/
-char *el_getMessage(EVENTLOGRECORD *er, char *name,
- char * source, LPTSTR *el_sstring)
+char *el_getMessage(EVENTLOGRECORD *er, char *name,
+ char * source, LPTSTR *el_sstring)
{
DWORD fm_flags = 0;
char tmp_str[257];
/* Get the file name from the registry (stored on event) */
if(!el_getEventDLL(name, source, event))
{
- return(NULL);
- }
+ return(NULL);
+ }
curr_str = event;
- /* If our event has multiple libraries, try each one of them */
+ /* If our event has multiple libraries, try each one of them */
while((next_str = strchr(curr_str, ';')))
{
*next_str = '\0';
hevt = LoadLibraryEx(tmp_str, NULL, DONT_RESOLVE_DLL_REFERENCES);
if(hevt)
{
- if(!FormatMessage(fm_flags, hevt, er->EventID,
+ if(!FormatMessage(fm_flags, hevt, er->EventID,
0,
(LPTSTR) &message, 0, el_sstring))
{
- message = NULL;
+ message = NULL;
}
FreeLibrary(hevt);
hevt = LoadLibraryEx(tmp_str, NULL, DONT_RESOLVE_DLL_REFERENCES);
if(hevt)
{
- int hr;
- if(!(hr = FormatMessage(fm_flags, hevt, er->EventID,
+ int hr;
+ if(!(hr = FormatMessage(fm_flags, hevt, er->EventID,
0,
(LPTSTR) &message, 0, el_sstring)))
{
- message = NULL;
+ message = NULL;
}
FreeLibrary(hevt);
/** void readel(os_el *el)
* Reads the event log.
- */
+ */
void readel(os_el *el, int printit)
{
DWORD nstr;
LPSTR el_sstring[57];
/* Er must point to the mbuffer */
- el->er = (EVENTLOGRECORD *) &mbuffer;
+ el->er = (EVENTLOGRECORD *) &mbuffer;
/* Zeroing the last values */
el_string[1024] = '\0';
final_msg[1023] = '\0';
el_sstring[56] = NULL;
- /* Reading the event log */
- while(ReadEventLog(el->h,
+ /* Reading the event log */
+ while(ReadEventLog(el->h,
EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
0,
el->er, BUFFER_SIZE -1, &read, &needed))
el_sstring[nstr] = (LPSTR)sstr;
sstr = strchr( (LPSTR)sstr, '\0');
- sstr++;
+ sstr++;
}
/* Get a more descriptive message (if available) */
- descriptive_msg = el_getMessage(el->er, el->name, source,
+ descriptive_msg = el_getMessage(el->er, el->name, source,
el_sstring);
if(descriptive_msg != NULL)
{
/* Remove any \n or \r */
- tmp_str = descriptive_msg;
+ tmp_str = descriptive_msg;
while((tmp_str = strchr(tmp_str, '\n')))
{
*tmp_str = ' ';
- tmp_str++;
+ tmp_str++;
}
- tmp_str = descriptive_msg;
+ tmp_str = descriptive_msg;
while((tmp_str = strchr(tmp_str, '\r')))
{
*tmp_str = ' ';
- tmp_str++;
+ tmp_str++;
}
}
}
if(printit)
{
- DWORD _evtid = 65535;
- int id = (int)el->er->EventID & _evtid;
-
- snprintf(final_msg, 1022,
+ DWORD _evtid = 65535;
+ int id = (int)el->er->EventID & _evtid;
+
+ snprintf(final_msg, 1022,
"%d WinEvtLog: %s: %s(%d): %s: %s(%s): %s",
(int)el->er->TimeGenerated,
el->name,
- category,
+ category,
id,
source,
el_user,
el_domain,
descriptive_msg != NULL?descriptive_msg:el_string);
-
+
fprintf(fp, "%s\n", final_msg);
}
}
else if((argc == 3)&&(strcmp(argv[1], "-f") == 0))
{
- file = argv[2];
- }
+ file = argv[2];
+ }
else
help();
-
+
fp = fopen(file, "w");
if(!fp)
{
printf("Unable to open file '%s'\n", file);
exit(1);
}
-
+
win_startel("Application");
win_startel("System");
win_startel("Security");
-** OSSEC Windows Agent v2.5.1 **
-** Copyright (C) 2010 Trend Micro Inc. **
+** OSSEC Windows Agent v2.7 **
+** Copyright (C) 2012 Trend Micro Inc. **
-Thanks for installing 'OSSEC Windows Agent version 2.5.1'. Before you continue,
+Thanks for installing 'OSSEC Windows Agent version 2.7'. Before you continue,
make sure that you have an instance of the OSSEC server running and configured
to accept this system as an agent.
echo Making windows agent
"C:\MinGW\bin\windres.exe" -i icofile.rc -o icon.o
-"C:\MinGW\bin\gcc.exe" -o "ossec-agent" -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DOSSECHIDS icon.o os_regex/*.c os_net/*.c os_xml/*.c zlib-1.2.3/*.c config/*.c shared/*.c os_execd/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/sha1/*.c os_crypto/md5_sha1/*.c os_crypto/shared/*.c rootcheck/*.c *.c -Iheaders/ -I./ -lwsock32
-"C:\MinGW\bin\gcc.exe" -o "ossec-rootcheck" -Wall -DARGV0=\"ossec-rootcheck\" -DCLIENT -DWIN32 icon.o os_regex/*.c os_net/*.c os_xml/*.c config/*.c shared/*.c win_service.c rootcheck/*.c -Iheaders/ -I./ -lwsock32
-"C:\MinGW\bin\gcc.exe" -o "manage_agents" -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DMA os_regex/*.c zlib-1.2.3/*.c os_zlib.c shared/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/shared/*.c addagent/*.c -Iheaders/ -I./ -lwsock32
-"C:\MinGW\bin\gcc.exe" -o setup-windows -Wall os_regex/*.c -DARGV0=\"setup-windows\" -DCLIENT -DWIN32 win_service.c shared/file_op.c shared/debug_op.c setup/setup-win.c setup/setup-shared.c -Iheaders/ -I./ -lwsock32
-"C:\MinGW\bin\gcc.exe" -o setup-syscheck -Wall os_regex/*.c os_xml/*.c setup/setup-syscheck.c setup/setup-shared.c -I./ -Iheaders/
-"C:\MinGW\bin\gcc.exe" -o service-start -Wall icon.o os_regex/*.c setup/service-start.c -I./
-"C:\MinGW\bin\gcc.exe" -o service-stop -Wall os_regex/*.c setup/service-stop.c -I./
-"C:\MinGW\bin\gcc.exe" -o setup-iis -Wall os_regex/*.c setup/setup-iis.c -I./
-"C:\MinGW\bin\gcc.exe" -o add-localfile -Wall os_regex/*.c setup/add-localfile.c -I./
+"C:\MinGW\bin\gcc.exe" -o "ossec-agent" -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DOSSECHIDS icon.o os_regex/*.c os_net/*.c os_xml/*.c zlib-1.2.3/*.c config/*.c shared/*.c os_execd/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/sha1/*.c os_crypto/md5_sha1/*.c os_crypto/shared/*.c rootcheck/*.c *.c -I. -Iheaders/ -lwsock32
+"C:\MinGW\bin\gcc.exe" -o "ossec-rootcheck" -Wall -DARGV0=\"ossec-rootcheck\" -DCLIENT -DWIN32 icon.o os_regex/*.c os_net/*.c os_xml/*.c config/*.c shared/*.c win_service.c rootcheck/*.c -Iheaders/ -I. -lwsock32
+"C:\MinGW\bin\gcc.exe" -o "manage_agents" -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DMA os_regex/*.c zlib-1.2.3/*.c os_zlib.c shared/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/shared/*.c addagent/*.c -Iheaders/ -I. -lwsock32
+"C:\MinGW\bin\gcc.exe" -o setup-windows -Wall os_regex/*.c -DARGV0=\"setup-windows\" -DCLIENT -DWIN32 win_service.c shared/file_op.c shared/debug_op.c setup/setup-win.c setup/setup-shared.c -Iheaders/ -I. -lwsock32
+"C:\MinGW\bin\gcc.exe" -o setup-syscheck -Wall os_regex/*.c os_xml/*.c setup/setup-syscheck.c setup/setup-shared.c -I. -Iheaders/
+"C:\MinGW\bin\gcc.exe" -o service-start -Wall icon.o os_regex/*.c setup/service-start.c -I.
+"C:\MinGW\bin\gcc.exe" -o service-stop -Wall os_regex/*.c setup/service-stop.c -I.
+"C:\MinGW\bin\gcc.exe" -o setup-iis -Wall os_regex/*.c setup/setup-iis.c -I.
+"C:\MinGW\bin\gcc.exe" -o add-localfile -Wall os_regex/*.c setup/add-localfile.c -I.
cd ui\
make
echo Making windows agent
-i586-mingw32msvc-windres -i icofile.rc -o icon.o
-i586-mingw32msvc-gcc -o ossec-agent.exe -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DOSSECHIDS icon.o os_regex/*.c os_net/*.c os_xml/*.c zlib-1.2.3/*.c config/*.c shared/*.c os_execd/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/sha1/*.c os_crypto/md5_sha1/*.c os_crypto/shared/*.c rootcheck/*.c *.c -Iheaders/ -I./ -lwsock32
-i586-mingw32msvc-gcc -o ossec-rootcheck.exe -Wall -DARGV0=\"ossec-rootcheck\" -DCLIENT -DWIN32 icon.o os_regex/*.c os_net/*.c os_xml/*.c config/*.c shared/*.c win_service.c rootcheck/*.c -Iheaders/ -I./ -lwsock32
-i586-mingw32msvc-gcc -o manage_agents.exe -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DMA os_regex/*.c zlib-1.2.3/*.c os_zlib.c shared/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/shared/*.c addagent/*.c -Iheaders/ -I./ -lwsock32
-i586-mingw32msvc-gcc -o setup-windows.exe -Wall os_regex/*.c -DARGV0=\"setup-windows\" -DCLIENT -DWIN32 win_service.c shared/file_op.c shared/debug_op.c setup/setup-win.c setup/setup-shared.c -Iheaders/ -I./ -lwsock32
-i586-mingw32msvc-gcc -o setup-syscheck.exe -Wall os_regex/*.c os_xml/*.c setup/setup-syscheck.c setup/setup-shared.c -I./ -Iheaders/
-i586-mingw32msvc-gcc -o service-start.exe -Wall icon.o os_regex/*.c setup/service-start.c -I./
-i586-mingw32msvc-gcc -o service-stop.exe -Wall os_regex/*.c setup/service-stop.c -I./
-i586-mingw32msvc-gcc -o setup-iis.exe -Wall os_regex/*.c setup/setup-iis.c -I./
-i586-mingw32msvc-gcc -o add-localfile.exe -Wall os_regex/*.c setup/add-localfile.c -I./
+i686-pc-mingw32-windres -i icofile.rc -o icon.o
+i686-pc-mingw32-gcc -o ossec-agent.exe -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DOSSECHIDS icon.o os_regex/*.c os_net/*.c os_xml/*.c zlib-1.2.3/*.c config/*.c shared/*.c os_execd/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/sha1/*.c os_crypto/md5_sha1/*.c os_crypto/shared/*.c rootcheck/*.c *.c -Iheaders/ -I./ -lwsock32
+i686-pc-mingw32-gcc -o ossec-rootcheck.exe -Wall -DARGV0=\"ossec-rootcheck\" -DCLIENT -DWIN32 icon.o os_regex/*.c os_net/*.c os_xml/*.c config/*.c shared/*.c win_service.c rootcheck/*.c -Iheaders/ -I./ -lwsock32
+i686-pc-mingw32-gcc -o manage_agents.exe -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DMA os_regex/*.c zlib-1.2.3/*.c os_zlib.c shared/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/shared/*.c addagent/*.c -Iheaders/ -I./ -lwsock32
+i686-pc-mingw32-gcc -o agent-auth.exe -Wall -DARGV0=\"agent-auth\" -DUSE_OPENSSL -DCLIENT -DWIN32 -DMA os_auth/main-client.c os_auth/ssl.c addagent/validate.c os_net/*.c os_regex/*.c zlib-1.2.3/*.c os_zlib.c shared/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/shared/*.c -Iheaders/ -I./ -lwsock32 -lssl -lcrypto
+i686-pc-mingw32-gcc -o setup-windows.exe -Wall os_regex/*.c -DARGV0=\"setup-windows\" -DCLIENT -DWIN32 win_service.c shared/file_op.c shared/debug_op.c setup/setup-win.c setup/setup-shared.c -Iheaders/ -I./ -lwsock32
+i686-pc-mingw32-gcc -o setup-syscheck.exe -Wall os_regex/*.c os_xml/*.c setup/setup-syscheck.c setup/setup-shared.c -I./ -Iheaders/
+i686-pc-mingw32-gcc -o service-start.exe -Wall icon.o os_regex/*.c setup/service-start.c -I./
+i686-pc-mingw32-gcc -o service-stop.exe -Wall os_regex/*.c setup/service-stop.c -I./
+i686-pc-mingw32-gcc -o setup-iis.exe -Wall os_regex/*.c setup/setup-iis.c -I./
+i686-pc-mingw32-gcc -o add-localfile.exe -Wall os_regex/*.c setup/add-localfile.c -I./
cd ui
sh ./make.sh
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/os_win.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/** int UninstallService()
* Uninstall the OSSEC HIDS agent service.
*/
-int UninstallService();
+int UninstallService();
-/** int QueryService():
- * Checks if service is running.
+/** int QueryService():
+ * Checks if service is running.
* Return 1 on success (running) or 0 if not.
*/
int CheckServiceRunning();
!define MUI_ICON favicon.ico
!define MUI_UNICON ossec-uninstall.ico
-!define VERSION "2.5.1"
+!define VERSION "2.7"
!define NAME "OSSEC HIDS"
!define /date CDATE "%b %d %Y at %H:%M:%S"
Name "${NAME} Windows Agent v${VERSION}"
-BrandingText "Copyright (C) 2010 Trend Micro Inc."
+BrandingText "Copyright (C) 2012 Trend Micro Inc."
OutFile "ossec-win32-agent.exe"
InstallDir "$PROGRAMFILES\ossec-agent"
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
- <directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
+ <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
+ <directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
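Review bot: The second Startup path added just above (`C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup`) is not where I would expect the common Startup folder on Vista and later, which normally lives under the ProgramData profile; the page gives no way to confirm the directory resolves, so verify it on a target build, because a non-existent directory produces no integrity alerts for that autorun location and the gap is silent. Both entries mix `\` and `/` separators, which is only safe if the agent normalises them the same way when registering the realtime watch. Marking the Startup folders `realtime="yes"` is a good choice for an autorun location, since a dropped file is reported at write time rather than at the next scheduled scan.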
#define MAX_KEY_LENGTH 255
#define MAX_KEY 2048
#define MAX_VALUE_NAME 16383
-
+
char *(os_winreg_ignore_list[]) = {"SOFTWARE\\Classes","test123",NULL};
HKEY sub_tree;
int os_winreg_open_key(char *subkey);
-void os_winreg_querykey(HKEY hKey, char *p_key)
+void os_winreg_querykey(HKEY hKey, char *p_key)
{
int i, rc;
DWORD j;
DWORD value_count;
/* Variables for RegEnumValue */
- TCHAR value_buffer[MAX_VALUE_NAME +1];
- TCHAR data_buffer[MAX_VALUE_NAME +1];
+ TCHAR value_buffer[MAX_VALUE_NAME +1];
+ TCHAR data_buffer[MAX_VALUE_NAME +1];
DWORD value_size;
DWORD data_size;
class_name_b[MAX_PATH] = '\0';
sub_key_name_b[0] = '\0';
sub_key_name_b[MAX_KEY_LENGTH] = '\0';
-
+
/* We use the class_name, subkey_count and the value count. */
rc = RegQueryInfoKey(hKey, class_name_b, &class_name_s, NULL,
if(subkey_count)
{
/* We open each subkey and call open_key */
- for(i=0;i<subkey_count;i++)
- {
+ for(i=0;i<subkey_count;i++)
+ {
sub_key_name_s = MAX_KEY_LENGTH;
rc = RegEnumKeyEx(hKey, i, sub_key_name_b, &sub_key_name_s,
- NULL, NULL, NULL, NULL);
-
+ NULL, NULL, NULL, NULL);
+
/* Checking for the rc. */
- if(rc == ERROR_SUCCESS)
+ if(rc == ERROR_SUCCESS)
{
char new_key[MAX_KEY_LENGTH + 2];
new_key[MAX_KEY_LENGTH +1] = '\0';
if(p_key)
{
- snprintf(new_key, MAX_KEY_LENGTH,
+ snprintf(new_key, MAX_KEY_LENGTH,
"%s\\%s", p_key, sub_key_name_b);
}
else
}
}
}
-
+
/* Getting Values (if available) */
- if (value_count)
+ if (value_count)
{
/* md5 and sha1 sum */
os_md5 mf_sum;
os_sha1 sf_sum;
-
+
/* Clearing the values for value_size and data_size */
value_buffer[MAX_VALUE_NAME] = '\0';
data_buffer[MAX_VALUE_NAME] = '\0';
- for(i=0;i<value_count;i++)
- {
- value_size = MAX_VALUE_NAME;
+ for(i=0;i<value_count;i++)
+ {
+ value_size = MAX_VALUE_NAME;
data_size = MAX_VALUE_NAME;
value_buffer[0] = '\0';
{
return(0);
}
- i++;
+ i++;
}
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/service-start.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#include <stdio.h>
#include <stdlib.h>
printf("%s: Attempting to start ossec.", argv[0]);
system("net start OssecSvc");
-
+
system("pause");
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/service-stop.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#include <stdio.h>
#include <stdlib.h>
printf("%s: Attempting to stop ossec.", argv[0]);
system("net stop OssecSvc");
-
+
system("pause");
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/setup-iis.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#include <stdio.h>
#include <stdlib.h>
int direxist(char *dir)
{
DIR *dp;
-
+
/* Opening dir */
dp = opendir(dir);
if(dp == NULL)
return(0);
-
+
closedir(dp);
- return(1);
+ return(1);
}
/* Clearing memory */
memset(line, '\0', OS_MAXSTR +1);
- /* Reading file and looking for str */
+ /* Reading file and looking for str */
while(fgets(line, OS_MAXSTR, fp) != NULL)
{
if(OS_Match(str, line))
if(dogrep(OSSECCONF, vfile))
{
- printf("%s: Log file already configured: '%s'.\n",
+ printf("%s: Log file already configured: '%s'.\n",
name, vfile);
return(1);
}
if(!fp)
{
printf("%s: Unable to edit configuration file.\n", name);
- return(1);
+ return(1);
}
- fprintf(fp, "\r\n"
- "\r\n"
+ fprintf(fp, "\r\n"
+ "\r\n"
"<!-- IIS log file -->\r\n"
"<ossec_config>\r\n"
" <localfile>\r\n"
time_t tm;
struct tm *p;
-
- char win_dir[2048];
-
-
+
+ char win_dir[2048];
+
+
if(argc >= 2)
{
if(chdir(argv[1]) != 0)
return(0);
}
}
-
+
/* Checking if ossec was installed already */
if(!fileexist(OSSECCONF))
{
/* Getting todays day */
tm = time(NULL);
p = localtime(&tm);
-
- total = 0;
- printf("%s: Looking for IIS log files to monitor.\r\n",
+ total = 0;
+
+ printf("%s: Looking for IIS log files to monitor.\r\n",
argv[0]);
- printf("%s: For more information: http://www.ossec.net/en/win.html\r\n",
+ printf("%s: For more information: http://www.ossec.net/en/win.html\r\n",
argv[0]);
printf("\r\n");
-
-
+
+
/* Getting windows directory */
get_win_dir(win_dir, sizeof(win_dir) -1);
-
-
+
+
/* Looking for IIS log files */
while(i <= 254)
{
i++;
/* Searching for NCSA */
- snprintf(lfile,
- OS_MAXSTR,
+ snprintf(lfile,
+ OS_MAXSTR,
"%s\\System32\\LogFiles\\W3SVC%d\\nc%02d%02d%02d.log",
win_dir,i, (p->tm_year+1900)-2000, p->tm_mon+1, p->tm_mday);
- snprintf(vfile,
- OS_MAXSTR,
+ snprintf(vfile,
+ OS_MAXSTR,
"%s\\System32\\LogFiles\\W3SVC%d\\nc%%y%%m%%d.log",
win_dir, i);
-
+
/* Try dir-based */
config_iis(argv[0], lfile, vfile);
/* Searching for W3C extended */
- snprintf(lfile,
- OS_MAXSTR,
+ snprintf(lfile,
+ OS_MAXSTR,
"%s\\System32\\LogFiles\\W3SVC%d\\ex%02d%02d%02d.log",
win_dir, i, (p->tm_year+1900)-2000, p->tm_mon+1, p->tm_mday);
-
- snprintf(vfile,
- OS_MAXSTR,
+
+ snprintf(vfile,
+ OS_MAXSTR,
"%s\\System32\\LogFiles\\W3SVC%d\\ex%%y%%m%%d.log",
win_dir, i);
-
+
/* Try dir-based */
if(config_iis(argv[0], lfile, vfile) == 0)
{
/* Searching for FTP Extended format */
- snprintf(lfile,
- OS_MAXSTR,
+ snprintf(lfile,
+ OS_MAXSTR,
"%s\\System32\\LogFiles\\MSFTPSVC%d\\ex%02d%02d%02d.log",
win_dir, i, (p->tm_year+1900)-2000, p->tm_mon+1, p->tm_mday);
-
- snprintf(vfile,
- OS_MAXSTR,
+
+ snprintf(vfile,
+ OS_MAXSTR,
"%s\\System32\\LogFiles\\MSFTPSVC%d\\ex%%y%%m%%d.log",
win_dir, i);
if(config_iis(argv[0], lfile, vfile) == 0)
/* Searching for IIS SMTP logs */
- snprintf(lfile,
- OS_MAXSTR,
+ snprintf(lfile,
+ OS_MAXSTR,
"%s\\System32\\LogFiles\\SMTPSVC%d\\ex%02d%02d%02d.log",
win_dir, i, (p->tm_year+1900)-2000, p->tm_mon+1, p->tm_mday);
-
- snprintf(vfile,
- OS_MAXSTR,
+
+ snprintf(vfile,
+ OS_MAXSTR,
"%s\\System32\\LogFiles\\SMTPSVC%d\\ex%%y%%m%%d.log",
win_dir, i);
if(config_iis(argv[0], lfile, vfile) == 0)
printf("%s: No IIS log added. Look at the link above for more "
"information.\r\n", argv[0]);
}
-
+
return(0);
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/setup-shared.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#include <stdio.h>
#include <stdlib.h>
/* Clearing memory */
memset(line, '\0', OS_MAXSTR +1);
- /* Reading file and looking for str */
+ /* Reading file and looking for str */
while(fgets(line, OS_MAXSTR, fp) != NULL)
{
if(OS_Match(str, line))
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/setup-shared.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#include <stdio.h>
#include <stdlib.h>
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/setup-syscheck.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#include "setup-shared.h"
#include "os_xml/os_xml.h"
{
char *status;
char *(xml_syscheck_status[])={"ossec_config","syscheck","disabled", NULL};
-
+
if(argc < 3)
{
printf("%s: Invalid syntax.\n", argv[0]);
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/setup-win.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation
*/
-
+
#include "setup-shared.h"
printf("Try: '%s directory'\n\n", argv[0]);
return(0);
}
-
+
/* Trying to chdir to ossec directory. */
if(chdir(argv[1]) != 0)
{
printf("%s: Invalid directory: '%s'.\n", argv[0], argv[1]);
return(0);
}
-
+
/* Checking if ossec was installed already (upgrade) */
if(!fileexist(OSSECCONF))
{
char cmd[OS_MAXSTR +1];
-
+
/* Copy default config to ossec.conf */
snprintf(cmd, OS_MAXSTR, "copy %s %s", OSSECDEF, OSSECCONF);
system(cmd);
/* Setting up local files */
system("add-localfile.exe \"C:\\Windows\\pfirewall.log\" --quiet");
system("add-localfile.exe \"C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Symantec AntiVirus Corporate Edition\\7.5\\Logs\\\%m\%d20\%y.log\" --quiet");
-
+
/* Configure ossec for automatic startup */
system("sc config OssecSvc start= auto");
/* Changing permissions. */
checkVista();
-
+
if(isVista)
{
char cmd[OS_MAXSTR +1];
/* Changing permissions. */
system("echo y|cacls * /T /G Administrators:f ");
-
+
/* Copying them back. */
snprintf(cmd, OS_MAXSTR, "move ..\\os_win32ui.exe .");
system(cmd);
; my template correctly.
!include "MUI.nsh"
-!define VERSION "2.5.1"
-!define NAME "Ossec HIDS"
+!define VERSION "2.7"
+!define NAME "OSSEC HIDS"
!define /date CDATE "%b %d %Y at %H:%M:%S"
Name "${NAME} Windows Agent v${VERSION}"
-BrandingText "Copyright (C) 2010 Trend Micro Inc."
+BrandingText "Copyright (C) 2011 Trend Micro Inc."
OutFile "win32ui.exe"
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/ui/common.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
int gen_server_info(HWND hwnd)
{
memset(ui_server_info, '\0', 2048 +1);
- snprintf(ui_server_info, 2048,
+ snprintf(ui_server_info, 2048,
"Agent: %s (%s) - %s\r\n\r\n"
"Status: %s",
- config_inst.agentname,
- config_inst.agentid,
+ config_inst.agentname,
+ config_inst.agentid,
config_inst.agentip,
config_inst.status);
SetDlgItemText(hwnd, UI_SERVER_TOP, config_inst.version);
SetDlgItemText(hwnd, UI_SERVER_INFO, ui_server_info);
}
-
+
/* Initializing auth key */
SetDlgItemText(hwnd, UI_SERVER_AUTH, config_inst.key);
/* Initializing server ip */
SetDlgItemText(hwnd, UI_SERVER_TEXT, config_inst.server);
- SendMessage(hStatus, SB_SETTEXT, 0, (LPARAM)"http://www.ossec.net");
+ SendMessage(hStatus, SB_SETTEXT, 0, (LPARAM)"http://www.ossec.net");
return(0);
}
}
- /* Testing for permission - this is a vista thing.
+ /* Testing for permission - this is a vista thing.
* For some reason vista is not reporting the return codes
* properly.
*/
{
config_inst.admin_access = 0;
}
-
+
fclose(fp);
/* trying to open it to read. */
{
config_inst.admin_access = 0;
}
-
+
if(unlink(".test-file.tst"))
{
config_inst.admin_access = 0;
{
char *tmp_str;
-
+
/* Clearing config */
config_clear();
/* Getting version/install date */
- config_inst.version = cat_file(VERSION_FILE, NULL);
+ config_inst.version = cat_file(VERSION_FILE, NULL);
if(config_inst.version)
{
config_inst.install_date = strchr(config_inst.version, '-');
/* Getting number of messages sent */
- tmp_str = cat_file(SENDER_FILE, NULL);
+ tmp_str = cat_file(SENDER_FILE, NULL);
if(tmp_str)
{
unsigned long int tmp_val = 0;
/* Getting server ip */
if(!get_ossec_server())
{
- if(config_inst.status == ST_MISSING_IMPORT)
+ if(strcmp(config_inst.status, ST_MISSING_IMPORT) == 0)
{
config_inst.status = ST_MISSING_ALL;
}
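Review bot: The new `strcmp(config_inst.status, ST_MISSING_IMPORT) == 0` dereferences `config_inst.status`, which the old pointer comparison never did; if `config_clear()` (called earlier in this function) can leave `status` NULL before any status string has been assigned, this branch faults instead of comparing. The enclosing function starts outside the hunk, so where `status` is first set is not visible; if NULL is possible here, guard it: `if(config_inst.status && strcmp(config_inst.status, ST_MISSING_IMPORT) == 0)`. Replacing pointer equality with `strcmp` is otherwise the right fix, since the macro's string literal need not share an address with the stored value.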
free(str);
str = NULL;
}
-
+
str = OS_GetOneContentforElement(&xml, xml_serverhost);
if(str)
{
/* Setting up final server name when not available */
config_inst.server = strdup(FL_NOSERVER);
-
+
OS_ClearXML(&xml);
return(0);
char **xml_pt = NULL;
char *(xml_serverip[])={"ossec_config","client","server-ip", NULL};
char *(xml_serverhost[])={"ossec_config","client","server-hostname", NULL};
-
+
/* Verifying IP Address */
if(OS_IsValidIP(ip, NULL) != 1)
/* Reading the XML. Printing error and line number */
- if(OS_WriteXML(CONFIG, NEWCONFIG, xml_pt,
+ if(OS_WriteXML(CONFIG, NEWCONFIG, xml_pt,
NULL, NULL, ip, 0) != 0)
{
MessageBox(hwnd, "Unable to set OSSEC Server IP Address.\r\n"
echo Making windows agent UI
-i586-mingw32msvc-windres -o resource.o win32ui.rc
-i586-mingw32msvc-gcc -o os_win32ui.exe -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 resource.o ../os_net/*.c ../os_xml/*.c ../addagent/b64.c ../shared/validate_op.c ../shared/debug_op.c ../win_service.c *.c -I../headers/ -I../ -lcomctl32 -mwindows -lwsock32
+i686-pc-mingw32-windres -o resource.o win32ui.rc
+i686-pc-mingw32-gcc -o os_win32ui.exe -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 resource.o ../os_net/*.c ../os_xml/*.c ../addagent/b64.c ../shared/validate_op.c ../shared/debug_op.c ../win_service.c *.c -I../headers/ -I../ -lcomctl32 -mwindows -lwsock32
cp -pr os_win32ui.exe ../
cd ../
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/ui/os_win32ui.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* Dialog -- About OSSEC */
-BOOL CALLBACK AboutDlgProc(HWND hwnd, UINT Message,
+BOOL CALLBACK AboutDlgProc(HWND hwnd, UINT Message,
WPARAM wParam, LPARAM lParam)
{
switch(Message)
{
int ret_code = 0;
-
+
switch(Message)
{
case WM_INITDIALOG:
hStatus = CreateWindowEx(0, STATUSCLASSNAME, NULL,
- WS_CHILD|WS_VISIBLE|SBARS_SIZEGRIP,
+ WS_CHILD|WS_VISIBLE|SBARS_SIZEGRIP,
0, 0, 0, 0,
- hwnd, (HMENU)IDC_MAIN_STATUS,
+ hwnd, (HMENU)IDC_MAIN_STATUS,
GetModuleHandle(NULL), NULL);
- SendMessage(hStatus, SB_SETPARTS,
- sizeof(statwidths)/sizeof(int),
+ SendMessage(hStatus, SB_SETPARTS,
+ sizeof(statwidths)/sizeof(int),
(LPARAM)statwidths);
SendMessage(hStatus, SB_SETTEXT, 0, (LPARAM)"http://www.ossec.net");
-
+
/* Initializing config */
config_read(hwnd);
/* Setting the icons */
- SendMessage(hwnd, WM_SETICON, ICON_SMALL,
- (LPARAM)LoadIcon(GetModuleHandle(NULL),
+ SendMessage(hwnd, WM_SETICON, ICON_SMALL,
+ (LPARAM)LoadIcon(GetModuleHandle(NULL),
MAKEINTRESOURCE(IDI_OSSECICON)));
- SendMessage(hwnd, WM_SETICON, ICON_BIG,
- (LPARAM)LoadIcon(GetModuleHandle(NULL),
+ SendMessage(hwnd, WM_SETICON, ICON_BIG,
+ (LPARAM)LoadIcon(GetModuleHandle(NULL),
MAKEINTRESOURCE(IDI_OSSECICON)));
if(config_inst.admin_access == 0)
"Admin access required.", MB_OK);
break;
}
-
+
}
break;
break;
}
- /** Getting values from the user (if chosen save)
+ /** Getting values from the user (if chosen save)
* We should probably create another function for it...
**/
-
+
/* Getting server ip */
len = GetWindowTextLength(GetDlgItem(hwnd, UI_SERVER_TEXT));
if(len > 0)
{
exit(-1);
}
-
+
GetDlgItemText(hwnd, UI_SERVER_TEXT, buf, len + 1);
/* If auth key changed, set it */
GlobalFree(buf);
}
}
-
-
+
+
/* Getting auth key */
len = GetWindowTextLength(GetDlgItem(hwnd, UI_SERVER_AUTH));
if(len > 0)
id = decd_buf;
name = strchr(id, ' ');
if(name)
- {
- *name = '\0';
+ {
+ *name = '\0';
name++;
ip = strchr(name, ' ');
if(!ip)
{
MessageBox(hwnd, "Unable to import "
- "authentication key. Invalid.",
+ "authentication key. Invalid.",
"Error Saving.", MB_OK);
}
else
{
char mbox_msg[1024 +1];
mbox_msg[1024] = '\0';
-
+
snprintf(mbox_msg, 1024, "Adding key for:\r\n\r\n"
- "Agent ID: %s\r\n"
- "Agent Name: %s\r\n"
+ "Agent ID: %s\r\n"
+ "Agent Name: %s\r\n"
"IP Address: %s\r\n",
id, name, ip);
-
- ret = MessageBox(hwnd, mbox_msg,
+
+ ret = MessageBox(hwnd, mbox_msg,
"Confirm Importing Key", MB_OKCANCEL);
if(ret == IDOK)
{
}
}
-
+
}
/* Free used memory */
(LPARAM)"Auth key and server ip saved ..");
}
- }
+ }
}
break;
-
+
case UI_MENU_MANAGE_EXIT:
PostMessage(hwnd, WM_CLOSE, 0, 0);
break;
case UI_MENU_VIEW_LOGS:
_spawnlp( _P_NOWAIT, "notepad", "notepad " OSSECLOGS, NULL );
break;
- case UI_MENU_VIEW_CONFIG:
+ case UI_MENU_VIEW_CONFIG:
_spawnlp( _P_NOWAIT, "notepad", "notepad " CONFIG, NULL );
break;
case UI_MENU_HELP_HELP:
break;
case UI_MENU_HELP_ABOUT:
{
- DialogBox(GetModuleHandle(NULL),
+ DialogBox(GetModuleHandle(NULL),
MAKEINTRESOURCE(IDD_ABOUT), hwnd, AboutDlgProc);
}
break;
case IDC_CANCEL:
- config_read(hwnd);
+ config_read(hwnd);
gen_server_info(hwnd);
break;
-
+
case UI_MENU_MANAGE_START:
-
+
/* Starting OSSEC -- must have a valid config before. */
if((strcmp(config_inst.key, FL_NOKEY) != 0) &&
(strcmp(config_inst.server, FL_NOSERVER) != 0))
{
ret_code = 0;
}
-
+
if(ret_code == 0)
{
MessageBox(hwnd, "Unable to start OSSEC (check config).",
MessageBox(hwnd, "Agent already running (try restart).",
"Already running..", MB_OK);
}
- break;
+ break;
case UI_MENU_MANAGE_STOP:
-
+
/* Stopping OSSEC */
ret_code = os_stop_service();
if(ret_code == 1)
}
break;
case UI_MENU_MANAGE_RESTART:
-
+
if((strcmp(config_inst.key, FL_NOKEY) == 0) ||
(strcmp(config_inst.server, FL_NOSERVER) == 0))
{
MessageBox(hwnd, "Unable to restart OSSEC (check config).",
"Error -- Unable to restart", MB_OK);
break;
-
+
}
-
+
ret_code = os_stop_service();
-
+
/* Starting OSSEC */
ret_code = os_start_service();
if(ret_code == 0)
MessageBox(hwnd, "OSSEC Agent Restarted.",
"Restarted..", MB_OK);
}
- break;
+ break;
}
break;
-
+
case WM_CLOSE:
EndDialog(hwnd, 0);
break;
-
+
default:
return FALSE;
}
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/ui/os_win32ui.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#define ST_MISSING_ALL "Require import of authentication key.\r\n" \
" Missing OSSEC Server IP address.\r\n" \
" - Not Running..."
-
+
/* Pre-def fields */
-/* @(#) $Id$ */\r
+/* @(#) $Id: ./src/win32/ui/win32ui.rc, 2011/09/08 dcid Exp $
+ */\r
\r
/* Copyright (C) 2009 Trend Micro Inc.\r
* All rights reserved.\r
os_crypto os_crypto
headers headers
shared shared
+os_auth os_auth
error_messages error_messages
addagent addagent
config config
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/win_agent.c, 2011/11/01 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
/* Find where I'm */
mypath[OS_MAXSTR] = '\0';
myfile[OS_MAXSTR] = '\0';
-
-
+
+
/* mypath is going to be the whole path of the file */
strncpy(mypath, argv[0], OS_MAXSTR);
tmpstr = strrchr(mypath, '\\');
getcwd(mypath, OS_MAXSTR -1);
strncat(mypath, "\\", OS_MAXSTR - (strlen(mypath) + 2));
strncat(mypath, myfile, OS_MAXSTR - (strlen(mypath) + 2));
-
-
+
+
if(argc > 1)
{
if(strcmp(argv[1], "install-service") == 0)
int local_start()
{
int debug_level;
+ int accept_manager_commands = 0;
char *cfg = DEFAULTCPATH;
WSADATA wsaData;
DWORD threadID;
nowDebug();
debug_level--;
}
-
-
-
+ accept_manager_commands = getDefine_Int("logcollector",
+ "remote_commands", 0, 1);
+
+
+
+
/* Configuration file not present */
if(File_DateofChange(cfg) < 0)
ErrorExit("%s: Configuration file '%s' not found",ARGV0,cfg);
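Review bot: `accept_manager_commands` is read from the internal options here and handed to `LogCollectorConfig()` in the later hunk (`LogCollectorConfig(cfg, accept_manager_commands)`) with no comment on what it gates, and the `0, 1` arguments to `getDefine_Int()` read as a permitted range rather than a default, so whether the agent fails closed when the option is absent is not visible in this hunk. A comment above the assignment would make the intent explicit, e.g. `/* logcollector.remote_commands: presumably whether command entries pushed by the manager may run on this agent; 0 rejects them */` — confirm the wording against what LogCollectorConfig does with the flag, which is outside this hunk. The value is read once in local_start(), so a change to the option takes effect only after an agent restart; that is worth stating in the same comment.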
{
ErrorExit("%s: WSAStartup() failed", ARGV0);
}
-
+
/* Read agent config */
debug1("%s: DEBUG: Reading agent configuration.", ARGV0);
/* Reading logcollector config file */
debug1("%s: DEBUG: Reading logcollector configuration.", ARGV0);
- if(LogCollectorConfig(cfg) < 0)
+ if(LogCollectorConfig(cfg, accept_manager_commands) < 0)
{
ErrorExit(CONFIG_ERROR, ARGV0, cfg);
}
{
ErrorExit(AG_NOKEYS_EXIT, ARGV0);
}
-
+
/* If there is not file to monitor, create a clean entry
{
logr->execdq = -1;
}
-
-
+
+
/* Reading keys */
verbose(ENC_READ, ARGV0);
-
+
OS_ReadKeys(&keys);
OS_StartCounter(&keys);
- os_write_agent_info(keys.keyentries[0]->name, NULL, keys.keyentries[0]->id);
+ os_write_agent_info(keys.keyentries[0]->name, NULL, keys.keyentries[0]->id, NULL);
/* Initial random numbers */
/* Starting syscheck thread */
- if(CreateThread(NULL,
- 0,
- (LPTHREAD_START_ROUTINE)skthread,
- NULL,
- 0,
+ if(CreateThread(NULL,
+ 0,
+ (LPTHREAD_START_ROUTINE)skthread,
+ NULL,
+ 0,
(LPDWORD)&threadID) == NULL)
{
merror(THREAD_ERROR, ARGV0);
}
-
+
/* Checking if server is connected */
os_setwait();
-
+
start_agent(1);
-
+
os_delwait();
/* Sending integrity message for agent configs */
intcheck_file(cfg, "");
intcheck_file(OSSEC_DEFINES, "");
-
+
/* Starting receiver thread */
- if(CreateThread(NULL,
- 0,
- (LPTHREAD_START_ROUTINE)receiver_thread,
- NULL,
- 0,
+ if(CreateThread(NULL,
+ 0,
+ (LPTHREAD_START_ROUTINE)receiver_thread,
+ NULL,
+ 0,
(LPDWORD)&threadID2) == NULL)
{
merror(THREAD_ERROR, ARGV0);
}
-
-
+
+
/* Sending agent information message */
send_win32_info(time(0));
-
-
+
+
/* Startting logcollector -- main process here */
LogCollectorStart();
int SendMSG(int queue, char *message, char *locmsg, char loc)
{
int _ssize;
-
+
time_t cu_time;
-
+
char *pl;
char tmpstr[OS_MAXSTR+2];
char crypt_msg[OS_MAXSTR +2];
-
- DWORD dwWaitResult;
+
+ DWORD dwWaitResult;
tmpstr[OS_MAXSTR +1] = '\0';
crypt_msg[OS_MAXSTR +1] = '\0';
debug2("%s: DEBUG: Attempting to send message to server.", ARGV0);
-
+
/* Using a mutex to synchronize the writes */
while(1)
{
dwWaitResult = WaitForSingleObject(hMutex, 1000000L);
- if(dwWaitResult != WAIT_OBJECT_0)
+ if(dwWaitResult != WAIT_OBJECT_0)
{
switch(dwWaitResult)
{
case WAIT_ABANDONED:
merror("%s: Error waiting mutex (abandoned).", ARGV0);
return(0);
- default:
- merror("%s: Error waiting mutex.", ARGV0);
+ default:
+ merror("%s: Error waiting mutex.", ARGV0);
return(0);
}
}
cu_time = time(0);
-
+
#ifndef ONEWAY
/* Check if the server has responded */
{
int curr_rip = logr->rip_id;
merror("%s: INFO: Trying next server ip in "
- "line: '%s'.",
+ "line: '%s'.",
ARGV0,
logr->rip[logr->rip_id + 1] != NULL?
logr->rip[logr->rip_id + 1]:
logr->rip[0]);
-
+
connect_server(logr->rip_id +1);
if(logr->rip_id != curr_rip)
}
}
- verbose(AG_CONNECTED, ARGV0, logr->rip[logr->rip_id],
+ verbose(AG_CONNECTED, ARGV0, logr->rip[logr->rip_id],
logr->port);
verbose(SERVER_UP, ARGV0);
}
}
-
+
/* locmsg cannot have the C:, as we use it as delimiter */
pl = strchr(locmsg, ':');
if(pl)
pl = locmsg;
}
-
+
debug2("%s: DEBUG: Sending message to server: '%s'", ARGV0, message);
-
+
snprintf(tmpstr,OS_MAXSTR,"%c:%s:%s", loc, pl, message);
_ssize = CreateSecMSG(&keys, tmpstr, crypt_msg, 0);
merror(SEC_ERROR,ARGV0);
if(!ReleaseMutex(hMutex))
{
- merror("%s: Error releasing mutex.", ARGV0);
+ merror("%s: Error releasing mutex.", ARGV0);
}
-
+
return(-1);
}
{
merror("%s: Error releasing mutex.", ARGV0);
}
- return(0);
+ return(0);
}
{
/* Connecting to the server. */
connect_server(0);
-
+
if((path == NULL) && (type == 0))
{
return(0);
}
-
+
return(0);
}
__win32_shared_time = __win32_curr_time;
}
-
-
+
+
/* get shared files */
if(!__win32_shared)
{
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/win32/win_service.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#endif
static LPTSTR g_lpszServiceName = "OssecSvc";
-static LPTSTR g_lpszServiceDisplayName = "OSSEC Hids";
-static LPTSTR g_lpszServiceDescription = "OSSEC Hids Windows Agent";
+static LPTSTR g_lpszServiceDisplayName = "OSSEC HIDS";
+static LPTSTR g_lpszServiceDescription = "OSSEC HIDS Windows Agent";
static SERVICE_STATUS ossecServiceStatus;
static SERVICE_STATUS_HANDLE ossecServiceStatusHandle;
rc = -1;
}
}
-
+
CloseServiceHandle(schService);
}
if(schService)
{
SERVICE_STATUS lpServiceStatus;
-
- if(ControlService(schService,
+
+ if(ControlService(schService,
SERVICE_CONTROL_STOP, &lpServiceStatus))
{
rc = 1;
}
-
+
CloseServiceHandle(schService);
}
{
/* Checking status */
SERVICE_STATUS lpServiceStatus;
-
+
if(QueryServiceStatus(schService, &lpServiceStatus))
{
if(lpServiceStatus.dwCurrentState == SERVICE_RUNNING)
}
CloseServiceHandle(schService);
}
-
+
CloseServiceHandle(schSCManager);
}
return(rc);
}
-
+
/* int InstallService()
* Install the OSSEC HIDS agent service.
*/
SC_HANDLE schSCManager, schService;
LPCTSTR lpszBinaryPathName = NULL;
SERVICE_DESCRIPTION sdBuf;
-
+
/* Cleaning up some variables */
buffer[MAX_PATH] = '\0';
-
-
+
+
/* Executable path -- it must be called with the
* full path
*/
lpszBinaryPathName = path;
-
+
/* Opening the services database */
schSCManager = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
}
/* Creating the service */
- schService = CreateService(schSCManager,
+ schService = CreateService(schSCManager,
g_lpszServiceName,
g_lpszServiceDisplayName,
SERVICE_ALL_ACCESS,
SERVICE_ERROR_NORMAL,
lpszBinaryPathName,
NULL, NULL, NULL, NULL, NULL);
-
+
if (schService == NULL)
{
goto install_error;
{
goto install_error;
}
-
+
CloseServiceHandle(schService);
CloseServiceHandle(schSCManager);
{
char local_msg[1025];
LPVOID lpMsgBuf;
-
+
memset(local_msg, 0, 1025);
FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER |
/* int UninstallService()
* Uninstall the OSSEC HIDS agent service.
*/
-int UninstallService()
+int UninstallService()
{
SC_HANDLE schSCManager, schService;
-
+
/* Removing from the services database */
schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (schSCManager)
fprintf(stderr, " [%s] Error removing from "
"the Services database.\n", ARGV0);
-
+
return(0);
}
}
return;
}
-
+
/** void WinSetError()
* Sets the error code in the services
OssecServiceCtrlHandler(SERVICE_CONTROL_STOP);
}
-
+
/** int os_WinMain(int argc, char **argv)
* Initializes OSSEC dispatcher
*/
-int os_WinMain(int argc, char **argv)
+int os_WinMain(int argc, char **argv)
{
SERVICE_TABLE_ENTRY steDispatchTable[] =
{
ossecServiceStatus.dwCheckPoint = 0;
ossecServiceStatus.dwWaitHint = 0;
- ossecServiceStatusHandle =
- RegisterServiceCtrlHandler(g_lpszServiceName,
+ ossecServiceStatusHandle =
+ RegisterServiceCtrlHandler(g_lpszServiceName,
OssecServiceCtrlHandler);
if (ossecServiceStatusHandle == (SERVICE_STATUS_HANDLE)0)