Imported Upstream version 2.7
1 /* @(#) $Id: ./src/analysisd/prelude.c, 2011/09/08 dcid Exp $
2  */
3
4 /* Copyright (C) 2009 Trend Micro Inc.
5  * All right reserved.
6  *
7  * This program is a free software; you can redistribute it
8  * and/or modify it under the terms of the GNU General Public
9  * License (version 2) as published by the FSF - Free Software
10  * Foundation
11  */
12
13
14 #ifdef PRELUDE
15
16 #include <libprelude/prelude.h>
17 #include <libprelude/prelude-log.h>
18 #include <libprelude/idmef-message-print.h>
19
20 #include "prelude.h"
21 #include "shared.h"
22 #include "eventinfo.h"
23 #include "rules.h"
24
25 #define DEFAULT_ANALYZER_NAME "OSSEC"
26 #define ANALYZER_CLASS "Host IDS, File Integrity Checker, Log Analyzer"
27 #define ANALYZER_MODEL "Ossec"
28 #define ANALYZER_MANUFACTURER __site
29 #define ANALYZER_VERSION __version
30 #define FILE_USER 0
31 #define FILE_GROUP 1
32 #define FILE_OTHER 2
33
34 /*
35  * Ossec to Prelude
36  */
37
38
/*
 * OSSEC rule level -> Prelude impact severity.
 * Indexed directly by rule level; the table has 17 entries (levels 0..16).
 * Callers must bound the index before using it.
 */
char *(ossec2prelude_sev[]) = {
    /*  0 -  3 */ "info",   "info",   "info",   "info",
    /*  4 -  7 */ "low",    "low",    "low",    "low",
    /*  8 - 11 */ "medium", "medium", "medium", "medium",
    /* 12 - 16 */ "high",   "high",   "high",   "high",   "high"
};
44
45
/*
 * Process-wide Prelude client handle.
 * Assigned by prelude_start(); read by OS_PreludeLog() when an alert is sent.
 */
static prelude_client_t *prelude_client = NULL;
48
49
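/**
 * Print an IDMEF message to stderr in human-readable form (debug aid).
 *
 * The dump includes every field that was added to the message, which for
 * OSSEC alerts means the raw log line and user names. Keep it out of
 * production paths whose stderr is world-readable.
 *
 * @param idmef  Message to print.
 */
void prelude_idmef_debug(idmef_message_t *idmef)
{
    int ret;
    prelude_io_t *pio = NULL;

    /* Without this check a failed allocation left pio uninitialized and
     * the calls below dereferenced garbage. */
    ret = prelude_io_new(&pio);
    if (ret < 0) {
        merror("%s: OSSEC2Prelude: Cannot create prelude IO object: %s.",
               ARGV0, prelude_strerror(ret));
        return;
    }

    prelude_io_set_file_io(pio, stderr);
    idmef_message_print(idmef, pio);
    prelude_io_destroy(pio);
}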
59
60
61
/*
 * Set one field of an IDMEF message.
 *
 * object  IDMEF path of the field (for example "alert.source(0).Spoofed").
 * value   Text to store; NULL means "field absent" and is not an error.
 *
 * Returns 0 when value is NULL, -1 when the path or the value object cannot
 * be created, otherwise the result of idmef_path_set() (negative on
 * failure, in which case the error is logged).
 *
 * Only `object` is interpreted as a path. In this file every path is built
 * from a fixed format string, while `value` frequently carries text taken
 * from monitored logs; keep it that way and never route log-derived text
 * into `object`.
 */
static int
add_idmef_object(idmef_message_t *msg, const char *object, const char *value)
{
    idmef_path_t *field_path;
    idmef_value_t *field_value;
    int rc;

    /* Optional event fields reach this function as NULL. */
    if (!value) {
        return 0;
    }

    if (idmef_path_new_fast(&field_path, object) < 0) {
        return -1;
    }

    if (idmef_value_new_from_path(&field_value, field_path, value) < 0) {
        idmef_path_destroy(field_path);
        return -1;
    }

    rc = idmef_path_set(field_path, msg, field_value);
    if (rc < 0) {
        merror("%s: OSSEC2Prelude: IDMEF: Cannot add object '%s': %s.",
               ARGV0, object, prelude_strerror(rc));
    }

    /* Both temporaries are released whether or not the set succeeded. */
    idmef_value_destroy(field_value);
    idmef_path_destroy(field_path);

    return rc;
}
100
101
/*
 * Fill in the static identity of this analyzer: model, class,
 * manufacturer and version, in that order.
 *
 * Returns 0 on success. On the first failing step the libprelude error is
 * logged and -1 is returned; note that -1 is not itself a libprelude error
 * code, so callers should not pass it to prelude_strerror().
 */
static int
setup_analyzer(idmef_analyzer_t *analyzer)
{
    prelude_string_t *field;
    int rc;

    if ((rc = idmef_analyzer_new_model(analyzer, &field)) < 0) {
        goto fail;
    }
    prelude_string_set_constant(field, ANALYZER_MODEL);

    if ((rc = idmef_analyzer_new_class(analyzer, &field)) < 0) {
        goto fail;
    }
    prelude_string_set_constant(field, ANALYZER_CLASS);

    if ((rc = idmef_analyzer_new_manufacturer(analyzer, &field)) < 0) {
        goto fail;
    }
    prelude_string_set_constant(field, ANALYZER_MANUFACTURER);

    if ((rc = idmef_analyzer_new_version(analyzer, &field)) < 0) {
        goto fail;
    }
    prelude_string_set_constant(field, ANALYZER_VERSION);

    return 0;

fail:
    merror("%s: OSSEC2Prelude: %s: IDMEF error: %s.",
            ARGV0, prelude_strsource(rc), prelude_strerror(rc));

    return -1;
}
137
138
139
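/**
 * Initialize libprelude and start the global Prelude client.
 *
 * @param profile  Prelude profile name; DEFAULT_ANALYZER_NAME when NULL.
 * @param argc     Argument count, handed to prelude_init().
 * @param argv     Argument vector, handed to prelude_init().
 *
 * The function returns nothing. On any fatal step the error is logged and
 * the global prelude_client is left NULL, so code that sends alerts can
 * detect that the Prelude output is unavailable.
 */
void prelude_start(char *profile, int argc, char **argv)
{
    int ret;

    prelude_client = NULL;

    ret = prelude_init(&argc, argv);
    if (ret < 0)
    {
        merror("%s: %s: Unable to initialize the Prelude library: %s.",
               ARGV0, prelude_strsource(ret), prelude_strerror(ret));
        return;
    }

    /* Check the return code as well as the pointer: the original tested
     * only the pointer and would have continued after a reported failure. */
    ret = prelude_client_new(&prelude_client,
                             profile != NULL ? profile : DEFAULT_ANALYZER_NAME);
    if (ret < 0 || prelude_client == NULL)
    {
        merror("%s: %s: Unable to create a prelude client object: %s.",
               ARGV0, prelude_strsource(ret), prelude_strerror(ret));

        prelude_client = NULL;
        return;
    }

    ret = setup_analyzer(prelude_client_get_analyzer(prelude_client));
    if (ret < 0)
    {
        /* setup_analyzer() has already logged the libprelude error and
         * returns a plain -1, which must not be decoded as an error code. */
        merror("%s: OSSEC2Prelude: Unable to setup analyzer.", ARGV0);

        prelude_client_destroy(prelude_client,
                               PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
        /* Do not leave a dangling handle for OS_PreludeLog() to use. */
        prelude_client = NULL;

        return;
    }

    /* Failure to set the flag is logged but is not treated as fatal. */
    ret = prelude_client_set_flags(prelude_client,
          prelude_client_get_flags(prelude_client)
          | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER);
    if (ret < 0)
    {
        merror("%s: %s: Unable to set prelude client flags: %s.",
               ARGV0, prelude_strsource(ret), prelude_strerror(ret));
    }

    /* Set the uid and gid of ossec on the client profile.
     * NOTE(review): the results of Privsep_GetUser()/Privsep_GetGroup() are
     * used unchecked; confirm the caller has already validated that USER
     * and GROUPGLOBAL exist, otherwise an invalid id is stored here. */
    prelude_client_profile_set_uid(prelude_client_get_profile(prelude_client),
                                   Privsep_GetUser(USER));
    prelude_client_profile_set_gid(prelude_client_get_profile(prelude_client),
                                   Privsep_GetGroup(GROUPGLOBAL));

    ret = prelude_client_start(prelude_client);
    if (ret < 0)
    {
        merror("%s: %s: Unable to initialize prelude client: %s.",
               ARGV0, prelude_strsource(ret), prelude_strerror(ret));

        prelude_client_destroy(prelude_client,
                               PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
        prelude_client = NULL;

        return;
    }
}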
211
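/**
 * Describe one side of a file-integrity change under
 * alert.target(0).file(<filenum>).
 *
 * @param idmef     Message to extend.
 * @param filenum   0 for the "original" state, 1 for the "current" state;
 *                  any other value makes the function return untouched.
 * @param filename  Path of the monitored file.
 * @param md5       MD5 digest text, or NULL to omit.
 * @param sha1      SHA1 digest text, or NULL to omit.
 * @param owner     Owner id text, or NULL to omit.
 * @param gowner    Group id text, or NULL to omit.
 * @param perm      Mode bits (S_I* masks); 0 adds no permission entries.
 *
 * The digests are forwarded as given. MD5 and SHA1 are both collision-weak,
 * so a consumer should treat a changed digest as evidence of modification
 * but not treat an unchanged one as proof of integrity.
 */
void FileAccess_PreludeLog(idmef_message_t *idmef,
                           int filenum,
                           char *filename,
                           char *md5,
                           char *sha1,
                           char *owner,
                           char *gowner,
                           int perm) {

    /* Mode bit -> (File_Access slot, permission index, IDMEF keyword).
     * Row order is the order in which the fields are added. A writable bit
     * is reported as both "write" and "delete". */
    static const struct {
        int mask;
        int who;
        int slot;
        const char *keyword;
    } perm_map[] = {
        { S_IWUSR, FILE_USER,  0, "write"     },
        { S_IWUSR, FILE_USER,  1, "delete"    },
        { S_IXUSR, FILE_USER,  2, "execute"   },
        { S_IRUSR, FILE_USER,  3, "read"      },
        { S_ISUID, FILE_USER,  4, "executeAs" },
        { S_IWGRP, FILE_GROUP, 0, "write"     },
        { S_IWGRP, FILE_GROUP, 1, "delete"    },
        { S_IXGRP, FILE_GROUP, 2, "execute"   },
        { S_IRGRP, FILE_GROUP, 3, "read"      },
        { S_ISGID, FILE_GROUP, 4, "executeAs" },
        { S_IWOTH, FILE_OTHER, 0, "write"     },
        { S_IWOTH, FILE_OTHER, 1, "delete"    },
        { S_IXOTH, FILE_OTHER, 2, "execute"   },
        { S_IROTH, FILE_OTHER, 3, "read"      }
    };

    const char *digest_name[2] = { "MD5", "SHA1" };
    const char *digest_text[2];
    const char *id_label[2] = { "owner", "gowner" };
    const char *id_text[2];
    const char *id_kind[2] = { "user-privs", "group-privs" };
    const int id_slot[2] = { FILE_USER, FILE_GROUP };

    char section[128];
    int checksum_counter = 0;
    size_t i;

    digest_text[0] = md5;
    digest_text[1] = sha1;
    id_text[0] = owner;
    id_text[1] = gowner;

    /* Passing NULL for %s is undefined; print a marker instead. */
    debug1("%s: DEBUG: filename = %s.", ARGV0, filename ? filename : "(null)");
    debug1("%s: DEBUG: filenum = %d.", ARGV0, filenum);

    if (filenum != 0 && filenum != 1) {
        return;
    }

    snprintf(section, sizeof(section),
             "alert.target(0).file(%d).name", filenum);
    add_idmef_object(idmef, section, filename);
    snprintf(section, sizeof(section),
             "alert.target(0).file(%d).category", filenum);
    add_idmef_object(idmef, section, (filenum == 0) ? "original" : "current");

    /* Add the hashes; checksum indices are assigned densely. */
    for (i = 0; i < 2; i++) {
        if (!digest_text[i]) {
            continue;
        }
        snprintf(section, sizeof(section),
                 "alert.target(0).file(%d).checksum(%d).algorithm",
                 filenum, checksum_counter);
        add_idmef_object(idmef, section, digest_name[i]);
        snprintf(section, sizeof(section),
                 "alert.target(0).file(%d).checksum(%d).value",
                 filenum, checksum_counter);
        add_idmef_object(idmef, section, digest_text[i]);
        checksum_counter++;
    }

    /* Add the owner, then the group owner. */
    for (i = 0; i < 2; i++) {
        if (!id_text[i]) {
            continue;
        }
        debug1("%s: DEBUG: %s = %s.", ARGV0, id_label[i], id_text[i]);
        snprintf(section, sizeof(section),
                 "alert.target(0).file(%d).File_Access(%d).user_id.number",
                 filenum, id_slot[i]);
        add_idmef_object(idmef, section, id_text[i]);
        snprintf(section, sizeof(section),
                 "alert.target(0).file(%d).File_Access(%d).user_id.type",
                 filenum, id_slot[i]);
        add_idmef_object(idmef, section, id_kind[i]);
    }

    /* Add the permissions.
     * NOTE(review): permission indices are fixed (0..4), so a mode without
     * the write bit sets permission(2) before permission(0) exists; confirm
     * libprelude accepts such gaps, otherwise those entries are rejected
     * and only logged by add_idmef_object(). */
    if (perm) {
        for (i = 0; i < sizeof(perm_map) / sizeof(perm_map[0]); i++) {
            if (!(perm & perm_map[i].mask)) {
                continue;
            }
            snprintf(section, sizeof(section),
                     "alert.target(0).file(%d).File_Access(%d).permission(%d)",
                     filenum, perm_map[i].who, perm_map[i].slot);
            add_idmef_object(idmef, section, perm_map[i].keyword);
        }
    }
}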
330
331
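/* Set alert.classification.reference(<idx>).<field> to value. */
static void
set_reference_field(idmef_message_t *idmef, int idx,
                    const char *field, const char *value)
{
    char path[128];

    snprintf(path, sizeof(path),
             "alert.classification.reference(%d).%s", idx, field);
    add_idmef_object(idmef, path, value);
}


/**
 * Convert an OSSEC event into an IDMEF alert and send it through the
 * global Prelude client.
 *
 * @param lf  Event to report. lf->generated_rule is dereferenced without a
 *            check, so the caller must pass an event that matched a rule.
 *
 * Several values placed in the alert (source and target user, addresses,
 * action, full log line) are read from lf as-is. They are only ever used as
 * field values; all IDMEF paths are built from fixed strings and counters.
 */
void OS_PreludeLog(Eventinfo *lf)
{
    int ret;
    int level;
    int classification_counter = 0;
    char data[256];
    idmef_message_t *idmef;
    RuleInfoDetail *last_info_detail;

    /* prelude_start() leaves the handle NULL when initialization fails;
     * without this guard the analyzer lookup below dereferences NULL. */
    if (prelude_client == NULL) {
        debug1("%s: DEBUG: Prelude client not initialized, alert not sent.",
               ARGV0);
        return;
    }

    /* Generate prelude alert */
    ret = idmef_message_new(&idmef);
    if (ret < 0) {
        merror("%s: OSSEC2Prelude: Cannot create IDMEF message", ARGV0);
        return;
    }

    add_idmef_object(idmef, "alert.assessment.impact.description",
                            lf->generated_rule->comment);

    /* Bound the table index on both sides; the original checked only the
     * upper bound, so a negative level read before the array. */
    level = lf->generated_rule->level;
    add_idmef_object(idmef, "alert.assessment.impact.severity",
                            (level > 15) ? "high" :
                            (level < 0) ? "info" :
                            ossec2prelude_sev[level]);

    add_idmef_object(idmef, "alert.assessment.impact.completion", "succeeded");

    if (lf->action)
    {
        const char *prefix = "";

        /* Classify by the first letter of the action word. */
        switch (*lf->action)
        {
            /* discard, drop, deny, reject, block */
            case 'd':
            case 'D':
            case 'r':
            case 'R':
            case 'b':
            case 'B':
                prefix = "DROP: ";
                break;
            /* closed, teardown */
            case 'c':
            case 'C':
            case 't':
            case 'T':
                prefix = "CLOSED: ";
                break;
            /* allow, accept, pass/permitted, open */
            case 'a':
            case 'A':
            case 'p':
            case 'P':
            case 'o':
            case 'O':
                prefix = "ALLOW: ";
                break;
            default:
                break;
        }
        snprintf(data, sizeof(data), "%s%s", prefix, lf->action);
        add_idmef_object(idmef, "alert.assessment.action(0).category", "3");
        add_idmef_object(idmef, "alert.assessment.action(0).description", data);
    }

    /* Begin classification information */
    {
        add_idmef_object(idmef, "alert.classification.text",
                                lf->generated_rule->comment);

        /* CVE (http://www.cve.mitre.org/) information, if present in the
         * triggering rule. */
        if (lf->generated_rule->cve)
        {
            set_reference_field(idmef, classification_counter, "origin", "cve");
            set_reference_field(idmef, classification_counter, "name",
                                lf->generated_rule->cve);
            snprintf(data, sizeof(data), "CVE:%s", lf->generated_rule->cve);
            set_reference_field(idmef, classification_counter, "meaning", data);
            classification_counter++;
        }

        /* Rule sid is used to create a link to the rule on the OSSEC wiki */
        if (lf->generated_rule->sigid)
        {
            set_reference_field(idmef, classification_counter, "origin",
                                "vendor-specific");

            snprintf(data, sizeof(data), "Rule:%d", lf->generated_rule->sigid);
            set_reference_field(idmef, classification_counter, "name", data);

            set_reference_field(idmef, classification_counter, "meaning",
                                "OSSEC Rule Wiki Documentation");

            snprintf(data, sizeof(data), "http://www.ossec.net/wiki/Rule:%d",
                     lf->generated_rule->sigid);
            set_reference_field(idmef, classification_counter, "url", data);

            classification_counter++;
        }

        /* Extended info details: one reference per entry. */
        for (last_info_detail = lf->generated_rule->info_details;
             last_info_detail != NULL;
             last_info_detail = last_info_detail->next)
        {
            if (last_info_detail->type == RULEINFODETAIL_LINK)
            {
                set_reference_field(idmef, classification_counter, "origin",
                                    "vendor-specific");
                snprintf(data, sizeof(data), "Rule:%d link",
                         lf->generated_rule->sigid);
                set_reference_field(idmef, classification_counter, "name", data);
                set_reference_field(idmef, classification_counter, "url",
                                    last_info_detail->data);
            }
            else if (last_info_detail->type == RULEINFODETAIL_TEXT)
            {
                set_reference_field(idmef, classification_counter, "origin",
                                    "vendor-specific");
                snprintf(data, sizeof(data), "Rule:%d info",
                         lf->generated_rule->sigid);
                set_reference_field(idmef, classification_counter, "name", data);
                set_reference_field(idmef, classification_counter, "meaning",
                                    last_info_detail->data);
            }
            else
            {
                const char *origin;

                switch (last_info_detail->type)
                {
                    case RULEINFODETAIL_CVE:
                        origin = "cve";
                        break;
                    case RULEINFODETAIL_OSVDB:
                        origin = "osvdb";
                        break;
                    case RULEINFODETAIL_BUGTRACK:
                        origin = "bugtraqid";
                        break;
                    default:
                        origin = "vendor-specific";
                        break;
                }
                set_reference_field(idmef, classification_counter, "origin",
                                    origin);
                set_reference_field(idmef, classification_counter, "name",
                                    last_info_detail->data);
            }

            /* Advance for every entry. The original skipped this for the
             * cve/osvdb/bugtraq case, so the next reference written
             * overwrote it and the vulnerability id was lost. */
            classification_counter++;
        }

        /* Split the list of groups on "," and create one reference per
         * group that points back to the OSSEC wiki. The list is copied
         * first because strtok() modifies its input; anything past 255
         * bytes is dropped. */
        if (lf->generated_rule->group)
        {
            char *copy_group;
            char new_generated_rule_group[256];

            snprintf(new_generated_rule_group,
                     sizeof(new_generated_rule_group),
                     "%s", lf->generated_rule->group);

            copy_group = strtok(new_generated_rule_group, ",");
            while (copy_group) {
                set_reference_field(idmef, classification_counter, "origin",
                                    "vendor-specific");

                snprintf(data, sizeof(data), "Group:%s", copy_group);
                set_reference_field(idmef, classification_counter, "name", data);

                set_reference_field(idmef, classification_counter, "meaning",
                                    "OSSEC Group Wiki Documenation");

                snprintf(data, sizeof(data),
                         "http://www.ossec.net/wiki/Group:%s", copy_group);
                set_reference_field(idmef, classification_counter, "url", data);

                classification_counter++;
                copy_group = strtok(NULL, ",");
            }
        }
    } /* end classification block */

    /* Begin node information block */
    {
        /* Setting source info. */
        add_idmef_object(idmef, "alert.source(0).Spoofed", "no");
        add_idmef_object(idmef, "alert.source(0).Node.Address(0).address",
                                lf->srcip);
        add_idmef_object(idmef, "alert.source(0).Service.port", lf->srcport);

        if (lf->srcuser)
        {
            add_idmef_object(idmef, "alert.source(0).User.UserId(0).name",
                                    lf->srcuser);
        }

        /* Setting target */
        add_idmef_object(idmef, "alert.target(0).Service.name",
                                lf->program_name);
        add_idmef_object(idmef, "alert.target(0).Spoofed", "no");

        if (lf->dstip)
        {
            add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",
                                    lf->dstip);
        }
        else if (lf->hostname)
        {
            char *tmp_str;
            char new_prelude_target[256];

            snprintf(new_prelude_target, sizeof(new_prelude_target),
                     "%s", lf->hostname);

            /* The hostname can carry the log file, so remove it.
             * Formats can be:
             * enigma->/var/log/authlog
             * (esqueleto2) 192.168.2.99->/var/log/squid/access.log
             */
            tmp_str = strstr(new_prelude_target, "->");
            if (tmp_str)
            {
                *tmp_str = '\0';
            }
            add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",
                                    new_prelude_target);
        }

        /* NOTE(review): this sets Service.name a second time, replacing the
         * program name stored above with the hostname. It looks like a
         * different field was intended; confirm before changing, since
         * consumers may already rely on the current value. */
        add_idmef_object(idmef, "alert.target(0).Service.name", lf->hostname);
        add_idmef_object(idmef, "alert.target(0).Service.port", lf->dstport);

        if (lf->dstuser)
        {
            add_idmef_object(idmef, "alert.target(0).User.category", "2");
            add_idmef_object(idmef, "alert.target(0).User.UserId(0).name",
                                    lf->dstuser);
        }
    } /* end node information block */

    /* Setting source file. */
    add_idmef_object(idmef, "alert.additional_data(0).type", "string");
    add_idmef_object(idmef, "alert.additional_data(0).meaning", "Source file");
    add_idmef_object(idmef, "alert.additional_data(0).data", lf->location);

    /* Setting full log. */
    add_idmef_object(idmef, "alert.additional_data(1).type", "string");
    add_idmef_object(idmef, "alert.additional_data(1).meaning", "Full Log");
    add_idmef_object(idmef, "alert.additional_data(1).data", lf->full_log);

    idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
                             idmef_analyzer_ref
                             (prelude_client_get_analyzer(prelude_client)),
                             IDMEF_LIST_PREPEND);

    /* Passing NULL for %s is undefined; print a marker instead. */
    debug1("%s: DEBUG: lf->filename = %s.", ARGV0,
           lf->filename ? lf->filename : "(null)");
    if (lf->filename) {
        /* File-integrity event: report the state before and after. */
        FileAccess_PreludeLog(idmef,
                              0,
                              lf->filename,
                              lf->md5_before,
                              lf->sha1_before,
                              lf->owner_before,
                              lf->gowner_before,
                              lf->perm_before);
        FileAccess_PreludeLog(idmef,
                              1,
                              lf->filename,
                              lf->md5_after,
                              lf->sha1_after,
                              lf->owner_after,
                              lf->gowner_after,
                              lf->perm_after);
        debug1("%s: DEBUG: done with alert.target(0).file(1)", ARGV0);
    }

    debug1("%s: DEBUG: Sending IDMEF alert", ARGV0);
    prelude_client_send_idmef(prelude_client, idmef);
    debug1("%s: DEBUG: destroying IDMEF alert", ARGV0);
    idmef_message_destroy(idmef);
}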
656
657
658
659 #endif /* PRELUDE */
660
661 /* EOF */