1 /* @(#) $Id$ */
2
3 /* Copyright (C) 2009 Trend Micro Inc.
4  * All right reserved.
5  *
6  * This program is a free software; you can redistribute it
7  * and/or modify it under the terms of the GNU General Public
8  * License (version 2) as published by the FSF - Free Software
9  * Foundation
10  */
11
12 /* v0.4 (2006/01/13): Fixing to read snort-full logs correctly.
13  *
14  */
15
16
17 #include "shared.h"
18 #include "logcollector.h"
19
20
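/* Append 'src' to the event being assembled in 'f_msg'.
 *
 * f_msg : buffer of OS_MAXSTR + 1 bytes holding 'f_len' characters plus NUL.
 * f_len : current length of f_msg (its strlen).
 * src   : NUL-terminated text to append.
 *
 * Returns the new length of f_msg.  Text that does not fit is truncated,
 * so the buffer is never overrun and always stays NUL-terminated.  This
 * replaces the previous remaining-size arithmetic (an int decremented by
 * strlen()+1 and passed to strncat), which could go negative -- becoming a
 * huge size_t -- and under-counted the constant prefixes, both of which
 * allowed writes past the end of f_msg on long or hostile input lines.
 */
static size_t snortfull_append(char *f_msg, size_t f_len, const char *src)
{
    size_t room = (f_len < OS_MAXSTR) ? (OS_MAXSTR - f_len) : 0;
    size_t n = strlen(src);

    if (n > room)
    {
        n = room;
    }

    memcpy(f_msg + f_len, src, n);
    f_len += n;
    f_msg[f_len] = '\0';

    return f_len;
}

/* True when 'str' looks like the snort-full timestamp line
 * (e.g. "01/13-15:24:36.123456 ..."): a '/' at index 2 and a '-' at
 * index 5.  The length check keeps the index reads inside the
 * initialised part of the buffer for very short lines.
 */
static int snortfull_is_date_line(const char *str)
{
    return (strlen(str) > 5) && (str[2] == '/') && (str[5] == '-');
}

/* Hand the assembled event to the analysis queue.  On a send failure the
 * queue is reopened; if that also fails the process exits, as the rest of
 * the logcollector does.
 */
static void snortfull_send(int pos, char *f_msg)
{
    if (SendMSG(logr_queue, f_msg, logff[pos].file, LOCALFILE_MQ) < 0)
    {
        merror(QUEUE_SEND, ARGV0);
        if ((logr_queue = StartMQ(DEFAULTQPATH, WRITE)) < 0)
        {
            ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
        }
    }
}

/* Read snort_full files.
 *
 * Snort's "full" alert format spreads one event over three lines:
 *   1. "[**] [gid:sid:rev] message [**]"
 *   2. "[Classification: ...] [Priority: N]"  -- preprocessor alerts may
 *      instead give only "[Priority: N]", or skip straight to line 3
 *   3. "MM/DD-HH:MM:SS.usec src -> dst"        -- the timestamp line
 * The lines are joined into one message in f_msg and sent to the queue
 * once the timestamp line has been read.
 *
 * pos     : index into logff[] of the file to read.
 * rc      : set to 0, or to -1 if the file does not follow the format.
 * drop_it : when non-zero, events are parsed but not sent.
 *
 * Returns NULL in all cases.
 */
void *read_snortfull(int pos, int *rc, int drop_it)
{
    /* Which line of the three-line event is expected next. */
    enum { EXPECT_HEADER, EXPECT_CLASSIFICATION, EXPECT_DATE } state = EXPECT_HEADER;

    char *q;
    char str[OS_MAXSTR + 1];
    char f_msg[OS_MAXSTR + 1];
    size_t f_len = 0;

    *rc = 0;
    str[OS_MAXSTR] = '\0';
    f_msg[0] = '\0';
    f_msg[OS_MAXSTR] = '\0';

    while (fgets(str, OS_MAXSTR, logff[pos].fp) != NULL)
    {
        /* Every line must be complete: no '\n' means the line was longer
         * than the buffer (or the file ends mid-line). */
        if ((q = strrchr(str, '\n')) == NULL)
        {
            goto file_error;
        }
        *q = '\0';

        switch (state)
        {
            case EXPECT_HEADER:
                /* First part of the message; anything else is skipped. */
                if (strncmp(str, "[**] [", 6) == 0)
                {
                    f_len = snortfull_append(f_msg, 0, str);
                    state = EXPECT_CLASSIFICATION;
                }
                break;

            case EXPECT_CLASSIFICATION:
                /* Second line has the [Classification: */
                if (strncmp(str, "[Classification: ", 16) == 0)
                {
                    f_len = snortfull_append(f_msg, f_len, str);
                    state = EXPECT_DATE;
                }
                else if (strncmp(str, "[Priority: ", 10) == 0)
                {
                    /* Preprocessor alert without a classification: a fixed
                     * classification/priority is substituted and the line's
                     * own priority is not kept (unchanged behaviour). */
                    f_len = snortfull_append(f_msg, f_len,
                                             "[Classification: Preprocessor] "
                                             "[Priority: 3] ");
                    state = EXPECT_DATE;
                }
                else if (snortfull_is_date_line(str) && (q = strchr(str, ' ')))
                {
                    /* If it is a preprocessor message, it will not have
                     * the classification: fake one, then keep everything
                     * after the timestamp. */
                    f_len = snortfull_append(f_msg, f_len,
                                             "[Classification: Preprocessor] "
                                             "[Priority: 3] ");
                    f_len = snortfull_append(f_msg, f_len, q + 1);

                    if (drop_it == 0)
                    {
                        snortfull_send(pos, f_msg);
                    }

                    /* Cleaning for next event */
                    f_msg[0] = '\0';
                    f_len = 0;
                    state = EXPECT_HEADER;
                }
                else
                {
                    goto file_error;
                }
                break;

            case EXPECT_DATE:
                /* Third line has the 01/13-15 (date); only the text after
                 * the timestamp is kept. */
                if (snortfull_is_date_line(str) && (q = strchr(str, ' ')))
                {
                    f_len = snortfull_append(f_msg, f_len, q + 1);

                    if (drop_it == 0)
                    {
                        snortfull_send(pos, f_msg);
                    }

                    /* Cleaning for next event */
                    f_msg[0] = '\0';
                    f_len = 0;
                    state = EXPECT_HEADER;
                }
                else
                {
                    goto file_error;
                }
                break;

            default:
                goto file_error;
        }
    }

    return (NULL);

file_error:
    merror("%s: Bad formated snort full file.", ARGV0);
    *rc = -1;
    return (NULL);
}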
162
163 /* EOF */