1 /* @(#) $Id: ./src/logcollector/read_snortfull.c, 2011/09/08 dcid Exp $
2  */
3
4 /* Copyright (C) 2009 Trend Micro Inc.
5  * All right reserved.
6  *
7  * This program is a free software; you can redistribute it
8  * and/or modify it under the terms of the GNU General Public
9  * License (version 2) as published by the FSF - Free Software
10  * Foundation
11  */
12
13 /* v0.4 (2006/01/13): Fixing to read snort-full logs correctly.
14  *
15  */
16
17
18 #include "shared.h"
19 #include "logcollector.h"
20
21
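/* Read snort_full files.
 *
 * A snort "full" alert is a three-line record:
 *   [**] [gid:sid:rev] message [**]
 *   [Classification: ...] [Priority: N]
 *   MM/DD-HH:MM:SS.uuuuuu src -> dst
 * Preprocessor alerts may omit the classification line, or carry only a
 * "[Priority: N]" line. The three lines are glued into one event buffer and
 * forwarded to the analysis queue.
 *
 * Capacity bookkeeping is done on the bytes actually written. The previous
 * version subtracted strlen(line)+1 from the remaining-room counter even when
 * strncat had truncated the copy, so the counter could go negative; passed to
 * strncat it became a huge size_t and the next line overflowed the stack
 * buffer f_msg. The same happened with the "f_msg_size - 40" bound. Log files
 * are external input, so the bound must never depend on line lengths.
 */

/* Parser states for the three-line record. */
enum snortfull_state {
    SNORTFULL_WAIT_HEADER = 0,  /* expecting "[**] [gid:sid:rev] ..." */
    SNORTFULL_WAIT_CLASS,       /* expecting "[Classification: ..." */
    SNORTFULL_WAIT_TIME         /* expecting "MM/DD-HH:MM:SS... src -> dst" */
};

/* Canned header used when a preprocessor alert has no classification line. */
static const char snortfull_preproc_hdr[] =
    "[Classification: Preprocessor] [Priority: 3] ";

/* Append src to the event buffer dst (capacity OS_MAXSTR chars + NUL),
 * copying only as much as fits. *len is the current length of dst and is
 * advanced by the number of bytes actually copied, so the remaining room is
 * always OS_MAXSTR - *len and cannot underflow. dst stays NUL-terminated.
 * Returns 0 if src was copied in full, -1 if it was truncated (truncation is
 * silent, as in the original parser).
 */
static int snortfull_append(char *dst, size_t *len, const char *src)
{
    size_t n = strlen(src);
    size_t room = (*len < (size_t)OS_MAXSTR) ? (size_t)OS_MAXSTR - *len : 0;
    int truncated = 0;

    if (n > room) {
        n = room;
        truncated = -1;
    }
    memcpy(dst + *len, src, n);
    *len += n;
    dst[*len] = '\0';
    return truncated;
}

/* Return a pointer to the text after the first space of a timestamp line
 * ("MM/DD-HH:MM:SS.uuuuuu src -> dst"), or NULL if s does not look like one.
 * The length check keeps the positional tests inside the current string
 * instead of reading bytes left over from an earlier, longer line.
 */
static const char *snortfull_after_timestamp(const char *s)
{
    const char *sp;

    if (strlen(s) < 6 || s[2] != '/' || s[5] != '-') {
        return NULL;
    }
    sp = strchr(s, ' ');
    return (sp != NULL) ? sp + 1 : NULL;
}

/* Forward one assembled event to the analysis queue unless drop_it is set.
 * On a send failure the error is logged and the queue is reopened; if the
 * reopen fails too the process exits, as in the original code.
 */
static void snortfull_send(int pos, int drop_it, char *f_msg)
{
    if (drop_it != 0) {
        return;
    }
    if (SendMSG(logr_queue, f_msg, logff[pos].file, LOCALFILE_MQ) < 0) {
        merror(QUEUE_SEND, ARGV0);
        if ((logr_queue = StartMQ(DEFAULTQPATH, WRITE)) < 0) {
            ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
        }
    }
}

/* Read snort_full files.
 *
 * pos      index into logff[] of the file to read (its fp and name are used).
 * rc       out: 0 on a clean read, -1 if the file did not parse.
 * drop_it  non-zero to parse but not forward events.
 *
 * Always returns NULL. Lines outside a record that are not an alert header
 * (e.g. blank separators) are skipped; a line that does not fit the expected
 * record shape, or a line without a trailing newline (over-long or cut off),
 * is reported as a malformed file.
 */
void *read_snortfull(int pos, int *rc, int drop_it)
{
    enum snortfull_state state = SNORTFULL_WAIT_HEADER;
    size_t f_msg_len = 0;
    const char *rest = NULL;
    char *nl;
    char str[OS_MAXSTR + 1];
    char f_msg[OS_MAXSTR + 1];

    *rc = 0;
    f_msg[0] = '\0';

    /* fgets() with OS_MAXSTR leaves str[OS_MAXSTR] untouched; the extra byte
     * only guarantees room for the terminator. */
    while (fgets(str, OS_MAXSTR, logff[pos].fp) != NULL) {
        nl = strrchr(str, '\n');
        if (nl == NULL) {
            goto file_error;
        }
        *nl = '\0';

        switch (state) {
        case SNORTFULL_WAIT_HEADER:
            if (strncmp(str, "[**] [", 6) == 0) {
                f_msg_len = 0;
                f_msg[0] = '\0';
                snortfull_append(f_msg, &f_msg_len, str);
                state = SNORTFULL_WAIT_CLASS;
            }
            break;

        case SNORTFULL_WAIT_CLASS:
            if (strncmp(str, "[Classification: ", 16) == 0) {
                snortfull_append(f_msg, &f_msg_len, str);
                state = SNORTFULL_WAIT_TIME;
            } else if (strncmp(str, "[Priority: ", 10) == 0) {
                /* Preprocessor alert with a priority but no classification.
                 * NOTE(review): the priority on this line is discarded in
                 * favour of the canned header, as the original parser did. */
                snortfull_append(f_msg, &f_msg_len, snortfull_preproc_hdr);
                state = SNORTFULL_WAIT_TIME;
            } else if ((rest = snortfull_after_timestamp(str)) != NULL) {
                /* Preprocessor alert with neither line: canned header, then
                 * the timestamp line minus its leading timestamp token, and
                 * the record is complete. */
                snortfull_append(f_msg, &f_msg_len, snortfull_preproc_hdr);
                snortfull_append(f_msg, &f_msg_len, rest);
                snortfull_send(pos, drop_it, f_msg);
                state = SNORTFULL_WAIT_HEADER;
            } else {
                goto file_error;
            }
            break;

        case SNORTFULL_WAIT_TIME:
            rest = snortfull_after_timestamp(str);
            if (rest == NULL) {
                goto file_error;
            }
            /* Only the text after the first space (src -> dst) is kept. */
            snortfull_append(f_msg, &f_msg_len, rest);
            snortfull_send(pos, drop_it, f_msg);
            state = SNORTFULL_WAIT_HEADER;
            break;

        default:
            goto file_error;
        }
    }

    return NULL;

file_error:
    merror("%s: Bad formated snort full file.", ARGV0);
    *rc = -1;
    return NULL;
}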
163
164 /* EOF */