1 /* @(#) $Id$ */
2
3 /* Copyright (C) 2009 Trend Micro Inc.
4  * All right reserved.
5  *
6  * This program is a free software; you can redistribute it
7  * and/or modify it under the terms of the GNU General Public
8  * License (version 2) as published by the FSF - Free Software 
9  * Foundation
10  */
11
12
13 #include "shared.h"
14 #include "log.h"
15 #include "alerts.h"
16 #include "getloglocation.h"
17 #include "rules.h"
18 #include "eventinfo.h"
19 #include "config.h"
20
21
/* Drop/allow action patterns.
 * Compiled once by OS_InitFwLog() from FWDROP / FWALLOW and consulted by
 * FW_Log() for actions whose first character does not already classify
 * them. File-scope, non-static: other translation units may reference them. */
OSMatch FWDROPpm;
OSMatch FWALLOWpm;
25
26
/* OS_Store: v0.2, 2005/02/10 */
/* Append one event to the events log stream (_eflog).
 *
 * lf->full_log must be NUL-terminated and already contain whatever
 * newlines/tabs the caller wants; nothing is escaped or truncated here.
 * hostname and location are compared as pointers, not as strings: the
 * "host->" prefix is emitted only when they are distinct objects.
 */
void OS_Store(Eventinfo *lf)
{
    const char *host_prefix = "";
    const char *host_arrow = "";
    if (lf->hostname != lf->location) {
        host_prefix = lf->hostname;
        host_arrow = "->";
    }

    fprintf(_eflog, "%d %s %02d %s %s%s%s %s\n",
            lf->year, lf->mon, lf->day, lf->hour,
            host_prefix, host_arrow, lf->location,
            lf->full_log);

    /* Flushed per event so no record sits in the stdio buffer. */
    fflush(_eflog);
}
49
50
51
/* Print one alert to stdout, in the same layout OS_Log() uses for the
 * alerts file. After the alert body, any events queued on the matched
 * rule (last_events) are printed, each capped at 1256 bytes, and the
 * list head is cleared by setting its first slot to NULL.
 *
 * NOTE(review): lf->time is printed with %d and __crt_ftell with %ld;
 * this relies on their declared types matching — confirm in eventinfo.h
 * / getloglocation.h before changing either.
 */
void OS_LogOutput(Eventinfo *lf)
{
    const char *mail_tag = "";
    if (lf->generated_rule->alert_opts & DO_MAILALERT) {
        mail_tag = " mail ";
    }

    /* Pointer comparison, not strcmp: prefix only when distinct objects. */
    const char *host_prefix = "";
    const char *host_arrow = "";
    if (lf->hostname != lf->location) {
        host_prefix = lf->hostname;
        host_arrow = "->";
    }

    const char *srcip = lf->srcip ? lf->srcip : "(none)";
    const char *user = lf->dstuser ? lf->dstuser : "(none)";

    fprintf(stdout,
            "** Alert %d.%ld:%s - %s\n"
            "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'\n"
            "Src IP: %s\nUser: %s\n%.1256s\n",
            lf->time, __crt_ftell, mail_tag, lf->generated_rule->group,
            lf->year, lf->mon, lf->day, lf->hour,
            host_prefix, host_arrow, lf->location,
            lf->generated_rule->sigid, lf->generated_rule->level,
            lf->generated_rule->comment,
            srcip, user, lf->full_log);

    /* Related earlier events attached to the rule, if any. */
    char **queued = lf->generated_rule->last_events;
    if (queued) {
        for (; *queued; queued++) {
            fprintf(stdout, "%.1256s\n", *queued);
        }
        /* Mark the list as consumed so it is not printed again. */
        lf->generated_rule->last_events[0] = NULL;
    }

    fputc('\n', stdout);
    fflush(stdout);
}
94
95
96
/* OS_Log: v0.3, 2006/03/04 */
/* _writefile: v0.2, 2005/02/09 */
/* Append one alert to the alerts log stream (_aflog), in the same layout
 * OS_LogOutput() prints to stdout. After the alert body, any events
 * queued on the matched rule (last_events) are written, each capped at
 * 1256 bytes, and the list head is cleared by NULLing its first slot.
 *
 * NOTE(review): lf->time is printed with %d and __crt_ftell with %ld;
 * this relies on their declared types matching — confirm before changing.
 */
void OS_Log(Eventinfo *lf)
{
    const char *mail_tag = "";
    if (lf->generated_rule->alert_opts & DO_MAILALERT) {
        mail_tag = " mail ";
    }

    /* Pointer comparison, not strcmp: prefix only when distinct objects. */
    const char *host_prefix = "";
    const char *host_arrow = "";
    if (lf->hostname != lf->location) {
        host_prefix = lf->hostname;
        host_arrow = "->";
    }

    const char *srcip = lf->srcip ? lf->srcip : "(none)";
    const char *user = lf->dstuser ? lf->dstuser : "(none)";

    fprintf(_aflog,
            "** Alert %d.%ld:%s - %s\n"
            "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'\n"
            "Src IP: %s\nUser: %s\n%.1256s\n",
            lf->time, __crt_ftell, mail_tag, lf->generated_rule->group,
            lf->year, lf->mon, lf->day, lf->hour,
            host_prefix, host_arrow, lf->location,
            lf->generated_rule->sigid, lf->generated_rule->level,
            lf->generated_rule->comment,
            srcip, user, lf->full_log);

    /* Related earlier events attached to the rule, if any. */
    char **queued = lf->generated_rule->last_events;
    if (queued) {
        for (; *queued; queued++) {
            fprintf(_aflog, "%.1256s\n", *queued);
        }
        /* Mark the list as consumed so it is not written again. */
        lf->generated_rule->last_events[0] = NULL;
    }

    fputc('\n', _aflog);

    /* Flush per alert so the file is complete after each record. */
    fflush(_aflog);
}
142
143
144
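/* Compile the firewall action classifiers used by FW_Log().
 *
 * FWDROP and FWALLOW (defined in one of the headers included above) are
 * compiled into the file-scope FWDROPpm / FWALLOWpm. A compile failure is
 * fatal: ErrorExit() is called with the pattern and the matcher's error
 * text. Must run before the first FW_Log() call.
 *
 * The definition now carries a proper prototype, `(void)`, instead of the
 * old-style empty parameter list; callers are unaffected.
 */
void OS_InitFwLog(void)
{
    if (!OSMatch_Compile(FWDROP, &FWDROPpm, 0)) {
        ErrorExit(REGEX_COMPILE, ARGV0, FWDROP, FWDROPpm.error);
    }

    if (!OSMatch_Compile(FWALLOW, &FWALLOWpm, 0)) {
        ErrorExit(REGEX_COMPILE, ARGV0, FWALLOW, FWALLOWpm.error);
    }
}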
161
162
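/* FW_Log: v0.1, 2005/12/30 */

/* Map a decoded firewall action to the canonical string recorded in the
 * firewall log: "DROP", "CLOSED", "ALLOW" or "UNKNOWN".
 *
 * The first character settles the common spellings; anything else is run
 * through the FWDROPpm / FWALLOWpm matchers compiled by OS_InitFwLog().
 * Both matchers are applied to the ORIGINAL action text. The previous
 * code replaced the action with "DROP" and then re-tested that literal
 * against the ALLOW pattern, whose else-branch overwrote it with
 * "UNKNOWN" (unless the ALLOW pattern happened to match "DROP"), so
 * pattern-matched drops were misclassified in the firewall log.
 *
 * `action` must be non-NULL and NUL-terminated. The returned pointer is a
 * string literal; it must not be freed.
 */
static const char *fw_canonical_action(char *action)
{
    switch (*action) {
    /* discard, drop, deny, reject, block */
    case 'd': case 'D':
    case 'r': case 'R':
    case 'b': case 'B':
        return "DROP";
    /* closed, teardown */
    case 'c': case 'C':
    case 't': case 'T':
        return "CLOSED";
    /* allow, accept, pass/permitted, open */
    case 'a': case 'A':
    case 'p': case 'P':
    case 'o': case 'O':
        return "ALLOW";
    default:
        break;
    }

    if (OSMatch_Execute(action, strlen(action), &FWDROPpm)) {
        return "DROP";
    }
    if (OSMatch_Execute(action, strlen(action), &FWALLOWpm)) {
        return "ALLOW";
    }
    return "UNKNOWN";
}

/* Substitute "(none)" for an absent field so "%s" never receives NULL
 * (undefined behaviour). "(none)" matches the convention OS_Log() uses
 * for a missing srcip/dstuser. */
static const char *fw_field(const char *s)
{
    return s ? s : "(none)";
}

/* Classify the event's firewall action and append one line to the
 * firewall log stream (_fflog).
 *
 * Returns 0 without logging when lf->action or lf->srcip is missing,
 * 1 after a line has been written. On return lf->action has been
 * replaced by its canonical form; lf keeps ownership of that string.
 */
int FW_Log(Eventinfo *lf)
{
    /* Without an action or a source IP there is nothing to classify. */
    if (!lf->action || !lf->srcip) {
        return (0);
    }

    /* Swap the raw action for the canonical literal; every branch of the
     * old switch did exactly this free+strdup, so ownership is unchanged. */
    const char *canonical = fw_canonical_action(lf->action);
    os_free(lf->action);
    os_strdup(canonical, lf->action);

    /* Pointer comparison, not strcmp: prefix only when distinct objects. */
    const char *host_prefix = "";
    const char *host_arrow = "";
    if (lf->hostname != lf->location) {
        host_prefix = lf->hostname;
        host_arrow = "->";
    }

    /* Only action and srcip were checked above; protocol, ports and dstip
     * may be NULL when the decoder did not extract them, so guard them. */
    fprintf(_fflog,
            "%d %s %02d %s %s%s%s %s %s %s:%s->%s:%s\n",
            lf->year, lf->mon, lf->day, lf->hour,
            host_prefix, host_arrow, lf->location,
            lf->action,
            fw_field(lf->protocol),
            lf->srcip,
            fw_field(lf->srcport),
            fw_field(lf->dstip),
            fw_field(lf->dstport));

    fflush(_fflog);

    return (1);
}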
253
254 /* EOF */