1 /* @(#) $Id: log.c,v 1.33 2009/11/20 15:38:28 dcid Exp $ */
2
/* Copyright (C) 2009 Trend Micro Inc.
 * All rights reserved.
 *
 * This program is free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 3) as published by the FSF - Free Software
 * Foundation
 */
11
12
13 #include "shared.h"
14 #include "log.h"
15 #include "alerts.h"
16 #include "getloglocation.h"
17 #include "rules.h"
18 #include "eventinfo.h"
19 #include "config.h"
20
21
/* Drop/allow patterns: compiled by OS_InitFwLog() from FWDROP / FWALLOW
 * and consulted by FW_Log() when an action string does not start with one
 * of the keyword initials handled in its switch. */
OSMatch FWDROPpm;
OSMatch FWALLOWpm;
25
26
/* OS_Store: v0.2, 2005/02/10 */
/* Append the raw event to the archive stream (_eflog).
 *
 * lf->full_log must be NUL-terminated and must already carry any
 * newlines or tabs the caller wants stored: this function only adds
 * the "year mon day hour [host->]location" prefix and a trailing
 * newline. The stream is flushed after every event.
 */
void OS_Store(Eventinfo *lf)
{
    /* The hostname is shown only when it is a different object from the
     * location (pointer comparison, not a string comparison). */
    int has_host = (lf->hostname != lf->location);
    const char *host = has_host ? lf->hostname : "";
    const char *sep = has_host ? "->" : "";

    fprintf(_eflog, "%d %s %02d %s %s%s%s %s\n",
            lf->year, lf->mon, lf->day, lf->hour,
            host, sep, lf->location,
            lf->full_log);

    fflush(_eflog);
}
49
50
/* OS_Log: v0.3, 2006/03/04 */
/* _writefile: v0.2, 2005/02/09 */
/* Write one alert record to the alert stream (_aflog).
 *
 * The record is: the alert header (event time, current stream offset,
 * optional " mail " marker, rule group), the event origin line, the
 * triggering rule (id, level, description), source IP and user, the
 * event text capped at 1256 bytes, then any previously matched events
 * the rule is holding. A blank line terminates the record and the
 * stream is flushed.
 */
void OS_Log(Eventinfo *lf)
{
    int has_host = (lf->hostname != lf->location);
    const char *mail_flag =
        (lf->generated_rule->alert_opts & DO_MAILALERT) ? " mail " : "";
    const char *srcip = lf->srcip ? lf->srcip : "(none)";
    const char *user = lf->dstuser ? lf->dstuser : "(none)";

    /* Alert header; __crt_ftell is the caller-maintained stream offset. */
    fprintf(_aflog, "** Alert %d.%ld:%s - %s\n",
            lf->time, __crt_ftell, mail_flag, lf->generated_rule->group);

    /* Origin line: hostname only when it is a different object from the
     * location (pointer comparison, same convention as OS_Store). */
    fprintf(_aflog, "%d %s %02d %s %s%s%s\n",
            lf->year, lf->mon, lf->day, lf->hour,
            has_host ? lf->hostname : "",
            has_host ? "->" : "",
            lf->location);

    fprintf(_aflog, "Rule: %d (level %d) -> '%s'\n",
            lf->generated_rule->sigid,
            lf->generated_rule->level,
            lf->generated_rule->comment);

    /* The event body is truncated at 1256 bytes. */
    fprintf(_aflog, "Src IP: %s\nUser: %s\n%.1256s\n",
            srcip, user, lf->full_log);

    /* Previously matched events stored on the rule, if any. The list is
     * marked consumed by clearing its first slot once printed. */
    if (lf->generated_rule->last_events) {
        char **ev;
        for (ev = lf->generated_rule->last_events; *ev; ev++) {
            fprintf(_aflog, "%.1256s\n", *ev);
        }
        lf->generated_rule->last_events[0] = NULL;
    }

    fputc('\n', _aflog);
    fflush(_aflog);
}
96
97
98
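/* Compile the firewall action patterns FWDROP and FWALLOW into the
 * file-scope matchers FWDROPpm / FWALLOWpm.
 *
 * FW_Log() executes these matchers in its default branch, so this is
 * expected to run once before any firewall event is logged. A pattern
 * that fails to compile is fatal: ErrorExit() is called with the
 * matcher's error text and does not return.
 *
 * The parameter list is (void) rather than the obsolescent empty ()
 * so the definition is a real prototype and stray arguments are
 * rejected by the compiler.
 */
void OS_InitFwLog(void)
{
    if (!OSMatch_Compile(FWDROP, &FWDROPpm, 0)) {
        ErrorExit(REGEX_COMPILE, ARGV0, FWDROP, FWDROPpm.error);
    }

    if (!OSMatch_Compile(FWALLOW, &FWALLOWpm, 0)) {
        ErrorExit(REGEX_COMPILE, ARGV0, FWALLOW, FWALLOWpm.error);
    }
}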
115
116
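/* FW_Log: v0.1, 2005/12/30 */

/* Replace lf->action with a freshly allocated copy of `canonical`.
 * The previous action string is released first; os_strdup() is fatal
 * on allocation failure, as elsewhere in this file. */
static void fw_set_action(Eventinfo *lf, const char *canonical)
{
    os_free(lf->action);
    os_strdup(canonical, lf->action);
}

/* Normalize a firewall event's action and append it to the firewall
 * stream (_fflog).
 *
 * The decoded action is rewritten in place to one of DROP, CLOSED,
 * ALLOW or UNKNOWN: first by the initial letter of common keywords,
 * then, for anything else, by the configured FWDROP / FWALLOW
 * patterns compiled in OS_InitFwLog(). The record written is
 * "year mon day hour [host->]location action protocol src:port->dst:port"
 * and the stream is flushed.
 *
 * Returns 0 when the event has no action or no source IP (nothing is
 * written), 1 after the event has been logged.
 *
 * Fix: the pattern fallback now chains the drop and allow checks with
 * else-if. Previously a FWDROP match set the action to "DROP" and the
 * following unconditional FWALLOW check then overwrote it with
 * "UNKNOWN", so pattern-classified drops never reached the log as DROP.
 */
int FW_Log(Eventinfo *lf)
{
    int has_host;
    const char *protocol;
    const char *srcport;
    const char *dstip;
    const char *dstport;

    /* Without an action and a source IP there is nothing to classify. */
    if (!lf->action || !lf->srcip) {
        return (0);
    }

    switch (*lf->action) {
        /* discard, drop, deny, reject, block */
        case 'd':
        case 'D':
        case 'r':
        case 'R':
        case 'b':
        case 'B':
            fw_set_action(lf, "DROP");
            break;

        /* closed, teardown */
        case 'c':
        case 'C':
        case 't':
        case 'T':
            fw_set_action(lf, "CLOSED");
            break;

        /* allow, accept, pass, permitted, open */
        case 'a':
        case 'A':
        case 'p':
        case 'P':
        case 'o':
        case 'O':
            fw_set_action(lf, "ALLOW");
            break;

        default:
            /* Fall back to the configured patterns. The checks must be
             * mutually exclusive: once the action has been rewritten to
             * "DROP" it must not be re-tested against FWALLOW. */
            if (OSMatch_Execute(lf->action, strlen(lf->action), &FWDROPpm)) {
                fw_set_action(lf, "DROP");
            } else if (OSMatch_Execute(lf->action, strlen(lf->action),
                                       &FWALLOWpm)) {
                fw_set_action(lf, "ALLOW");
            } else {
                fw_set_action(lf, "UNKNOWN");
            }
            break;
    }

    /* Only action and srcip were checked above; the remaining fields may
     * be unset, and passing NULL to %s is undefined behavior. Use the
     * same "(none)" placeholder OS_Log() uses for missing values. */
    protocol = lf->protocol ? lf->protocol : "(none)";
    srcport = lf->srcport ? lf->srcport : "(none)";
    dstip = lf->dstip ? lf->dstip : "(none)";
    dstport = lf->dstport ? lf->dstport : "(none)";

    /* Hostname is shown only when it is a different object from the
     * location (pointer comparison, as in OS_Store / OS_Log). */
    has_host = (lf->hostname != lf->location);

    fprintf(_fflog, "%d %s %02d %s %s%s%s %s %s %s:%s->%s:%s\n",
            lf->year, lf->mon, lf->day, lf->hour,
            has_host ? lf->hostname : "",
            has_host ? "->" : "",
            lf->location,
            lf->action,
            protocol,
            lf->srcip, srcport,
            dstip, dstport);

    fflush(_fflog);

    return (1);
}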
207
208 /* EOF */