+++ /dev/null
-#!/usr/bin/perl -w\r
-use Socket;\r
-use POSIX 'setsid';\r
-use strict;\r
-use ossecmysql;\r
-# ---------------------------------------------------------------------------\r
-# Author: Meir Michanie (meirm@riunx.com)\r
-# Co-Author: J.A.Senger (jorge@br10.com.br)\r
-# $Id$\r
-# ---------------------------------------------------------------------------\r
-# http://www.riunx.com/\r
-# ---------------------------------------------------------------------------\r
-#\r
-# ---------------------------------------------------------------------------\r
-# About this script\r
-# ---------------------------------------------------------------------------\r
-#\r
-# "Ossec to Snorby" records the OSSEC HIDS alert logs in MySQL database.\r
-# It can run as a daemon (ossec2snorby.pl), recording in real-time the logs in database or\r
-# as a simple script (ossec2snorby.pl).\r
-#\r
-# ---------------------------------------------------------------------------\r
-# Snorby support by Jean-Pierre Zurbrugg (jp.zurbrugg@live.com)\r
-# ---------------------------------------------------------------------------\r
-# The original script by the Author and Co-author was taken as a template and\r
-# modified to work with Snorby (http://snorby.org) which uses a Snort DB schema.\r
-# Credit must go to the author\Co-author for the initial template. \r
-#\r
-########################### WARNING ###############################\r
-# My modifications are by far stable and worthy of a production environment\r
-# WHITHOUT INICIAL TWEAKING. Please setup your labs and make sure everything\r
-# works properly before using this script on a production environment.\r
-########################### WARNING ###############################\r
-#\r
-#\r
-# Changelog:\r
-# * Extra validations were added to make sure srcip\dstip do not remain with\r
-# a default value of "0" which causes GUI parsing errors if left unhandled.\r
-# * Validation against '$hostname'; if localhost then srcip="127.0.0.1"\r
-# * Snorby expects IP related data to be published on its "iphdr" table.\r
-# * Snorby expects OSSEC's logs to be converted to HEX and wordwrapped.\r
-# * Modified the scripts "Daemon" mode; it now uses "tail -Fn 0 <file>"\r
-#\r
-# ---------------------------------------------------------------------------\r
-# Prerequisites\r
-# ---------------------------------------------------------------------------\r
-#\r
-# MySQL Server\r
-# Perl DBD::mysql module\r
-# Perl DBI module\r
-#\r
-# Snorby prerequesites:\r
-# import ossec2snorby_category.sql from contrib directory\r
-# Populate "domain" in /etc/ossec2snorby.conf\r
-#\r
-# ---------------------------------------------------------------------------\r
-# Installation steps\r
-# ---------------------------------------------------------------------------\r
-# \r
-# 1) Create a user to access the database initially created by Snorby;\r
-# 2) Copy ossec2snorby.conf to /etc/ossec2snorby.conf with 0600 permissions\r
-# 3) Edit /etc/ossec2snorby.conf according to your needs:\r
-# dbhost=localhost\r
-# database=snorby\r
-# debug=5\r
-# dbport=3306\r
-# dbpasswd=mypassword\r
-# dbuser=ossecuser\r
-# daemonize=0\r
-# resolve=1\r
-# domain=mydomain.local\r
-#\r
-# NOTE: It is recommended to keep "resolve" as "1" and populate "domain" with\r
-# your actual domain. Not doing so will restrict the script and force it\r
-# to populate IPs as "0.0.0.1" for events whose SRC or DST IP are unknown.\r
-#\r
-# ---------------------------------------------------------------------------\r
-# License\r
-# ---------------------------------------------------------------------------\r
-#\r
-# This program is free software; you can redistribute it and/or\r
-# modify it under the terms of the GNU General Public License\r
-# as published by the Free Software Foundation; either version 2\r
-# of the License, or (at your option) any later version.\r
-#\r
-# This program is distributed in the hope that it will be useful,\r
-# but WITHOUT ANY WARRANTY; without even the implied warranty of\r
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r
-# GNU General Public License for more details.\r
-#\r
-# You should have received a copy of the GNU General Public License\r
-# along with this program; if not, write to the Free Software\r
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\r
-#\r
-# ---------------------------------------------------------------------------\r
-# About OSSEC HIDS\r
-# ---------------------------------------------------------------------------\r
-#\r
-# OSSEC HIDS is an Open Source Host-based Intrusion Detection System.\r
-# It performs log analysis and correlation, integrity checking,\r
-# rootkit detection, time-based alerting and active response.\r
-# http://www.ossec.net\r
-#\r
-# ---------------------------------------------------------------------------\r
-\r
-# ---------------------------------------------------------------------------\r
-# Parameters\r
-# ---------------------------------------------------------------------------\r
-my $VERSION="0.4";\r
-$SIG{TERM} = sub { &gracefulend('TERM')};\r
-$SIG{INT} = sub { &gracefulend('INT')};\r
-\r
-# If no ARGV are given then present &help().\r
-&help() unless @ARGV;\r
-\r
-my ($RUNASDAEMON)=0;\r
-my ($DAEMONLOGFILE)='/var/log/ossec2snorby.log';\r
-my ($DAEMONLOGERRORFILE) = '/var/log/ossec2snorby.err';\r
-# Declare OSSEC's log path and filename format.\r
-my $LOG='/var/ossec/logs/alerts/alerts.log'; # we need to tail this file instead of the old.\r
- # With this we can survive file rotations while\r
- # running in daemon mode.\r
-\r
-my ($LOGGER)='ossec2snorby';\r
-my($OCT) = '(?:25[012345]|2[0-4]\d|1?\d\d?)';\r
-my($IP) = $OCT . '\.' . $OCT . '\.' . $OCT . '\.' . $OCT;\r
-my $dump=0;\r
-my ($hids_id,$hids,$hids_interface,$last_cid)=(undef, 'localhost', 'ossec',0);\r
-my ($tempvar,$VERBOSE)=(0,0); \r
-\r
-my %conf;\r
-$conf{dbhost}='localhost';\r
-$conf{database}='snort';\r
-$conf{debug}=5;\r
-$conf{dbport}='3306';\r
-$conf{dbpasswd}='password';\r
-$conf{dbuser}='user';\r
-$conf{daemonize}=0;\r
-$conf{sensor}='sensor';\r
-$conf{hids_interface}='ossec';\r
-$conf{resolve}=1;\r
-$conf{domain}='';\r
-\r
-# OSSEC's default class_ID\r
-# We will categorize events as "unknown" if a match could not be found...\r
-my $sig_class_id=2; # We will try to fetch the correct class_id later.\r
-\r
-my($sig_class_name,$taillog);\r
-# ---------------------------------------------------------------------------\r
-# Arguments parsing\r
-# ---------------------------------------------------------------------------\r
-while (@ARGV){\r
- $_= shift @ARGV;\r
- if (m/^-d$|^--daemon$/){\r
- $conf{daemonize}=1;\r
- }elsif ( m/^-h$|^--help$/){\r
- &help();\r
- }elsif ( m/^-n$|^--noname$/){\r
- $conf{'resolve'}=0;\r
- }elsif ( m/^-v$|^--verbose$/){\r
- $VERBOSE=1;\r
- }elsif ( m/^--interface$/){\r
- $conf{hids_interface}= shift @ARGV if @ARGV; # ossec-rt/ossec-feed\r
- }elsif ( m/^--sensor$/){\r
- $conf{sensor}= shift @ARGV if @ARGV; # monitor\r
- }elsif ( m/^--conf$/){\r
- $conf{conf}= shift @ARGV if @ARGV; # localhost\r
- &loadconf(\%conf);\r
- }elsif ( m/^--dbhost$/){\r
- $conf{dbhost}= shift @ARGV if @ARGV; # localhost\r
- }elsif ( m/^--dbport$/){\r
- $conf{dbport}= shift @ARGV if @ARGV; # localhost\r
- }elsif ( m/^--dbname$/){\r
- $conf{database}= shift @ARGV if @ARGV; # snort\r
- }elsif ( m/^--dbuser$/){\r
- $conf{dbuser}= shift @ARGV if @ARGV; # root\r
- }elsif ( m/^--dbpass$/){\r
- $conf{dbpasswd}= shift @ARGV if @ARGV; # monitor\r
- }\r
-\r
-}\r
-if ($conf{dbpasswd}=~ m/^--stdin$/){\r
- print "dbpassword:";\r
- $conf{dbpasswd}=<>;\r
- chomp $conf{dbpasswd};\r
-}\r
-$hids=$conf{sensor} if exists($conf{sensor});\r
-$hids_interface=$conf{hids_interface} if exists($conf{hids_interface});\r
-\r
-# START IN DAEMON MODE ?\r
-&daemonize() if $conf{daemonize};\r
-\r
-my $dbi= ossecmysql->new(%conf) || die ("Could not connect to $conf{dbhost}:$conf{dbport}:$conf{database} as $conf{dbpasswd}\n");\r
-\r
-####\r
-# SQL vars;\r
-my ($query,$numrows,$row_ref);\r
-\r
-####\r
-#get sensor id\r
-$query= 'select sid,last_cid from sensor where hostname=? and interface=?';\r
-$numrows= $dbi->execute($query,$hids,$hids_interface);\r
-if (1==$numrows){\r
- $row_ref=$dbi->{sth}->fetchrow_hashref;\r
- $hids_id=$row_ref->{sid};\r
- $last_cid=$row_ref->{last_cid};\r
-}else{\r
- $query="INSERT INTO sensor ( sid , hostname , interface , filter , detail , encoding , last_cid )\r
-VALUES (\r
-NULL , ?, ? , NULL , ? , ?, ?\r
-)";\r
- $numrows= $dbi->execute($query,$hids,$hids_interface,1,2,0);\r
- $hids_id=$dbi->lastid();\r
-}\r
-$dbi->{sth}->finish;\r
-&forceprintlog ("SENSOR:$hids; feed:$hids_interface; id:$hids_id; last cid:$last_cid");\r
-\r
-my $newrecord=0;\r
-my %stats;\r
-my %resolv;\r
-my ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,\r
- $srcip,$dstip,$user,$text,$filtered,$osseclevel)=();\r
-my $lasttimestamp=0;\r
-my $delta=0;\r
-\r
-&taillog($last_cid,$LOG);\r
-################################################################\r
-sub forceprintlog(){\r
- $tempvar=$VERBOSE;\r
- $VERBOSE=1;\r
- &printlog (@_);\r
- $VERBOSE=$tempvar;\r
-}\r
-\r
-sub taillog {\r
- my ($last_cid,$LOG)=@_;\r
- while (<>) {\r
- if (m/^$/){\r
- # we reached a newline, finish up with current record.\r
- $newrecord=1;\r
- next unless $timestamp;\r
- $alerthostip=$alerthost if $alerthost=~ m/^$IP$/;\r
- \r
- # Populate DST IP\r
- if ($alerthostip){\r
- $dstip=$alerthostip;\r
- $resolv{$alerthost}=$dstip;\r
-\r
- }else{\r
- if (exists $resolv{$alerthost}){\r
- $dstip=$resolv{$alerthost};\r
- }else{\r
- if ($conf{'resolve'}){\r
- if ($alerthost =~m/(\d+\.\d+\.\d+\.\d+)/ ){\r
- $dstip=$1;\r
- }else{\r
- # the "host" command doesn't work with Flatname\NetBIOS names.\r
- # The server's hostname is almost always a flatname and OSSEC\r
- # doesn't return an IP for alerts generated from localhost.\r
- # Ex. 2013 Jan 24 15:51:36 ubuntu->/var/log/auth.log \r
- my $x = `cat /etc/hostname`; # get Host's hostname\r
- chomp $x; # remove extra lines, if any.\r
- if ($x eq $alerthost) { # Validate if $alerthost is us, localhost.\r
- $dstip='127.0.0.1'; # Snorby does not allow empty\"0" as IP value.\r
- }else{\r
- my $fetch=&host2ip($alerthost);\r
- \r
- if (defined $fetch){\r
- $dstip=$fetch;\r
- }else{\r
- $dstip=$srcip;\r
- }\r
- }\r
- }\r
- }\r
- $resolv{$alerthost}=$dstip;\r
- }\r
- }\r
- \r
- #Populate SRC IP (requires dstip to be populated)\r
- if (! defined $srcip) {\r
- if (defined $dstip) {\r
- #Feb 6 15:18:21 1.1.1.1 %ASA-3-313001: Denied ICMP type=3, code=3 from 111.111.1.1 on interface OUTSIDE\r
- $filtered =~ s/$dstip//; # filter out known dstip from log output.\r
- $srcip=$1 if $filtered=~ m/\s($IP)\s/; # Search all text for an IP address.\r
- # This could easily bug out with logs that contains\r
- # version numbering such as mysql 1.3.4.5.\r
- }\r
- # Windows logs include "User Name" in their log output. Some companies name their employees's PCs after its users which is\r
- # resolvable via DNS.\r
- # Windows logs may state a computer name as "User Name". Lets strip out the "$" from the computer name...\r
- if (defined $user and ! defined $srcip) {\r
- my $u=$user;\r
- $u=~ s/\$//; # remove "$" from computer names.\r
-\r
- my $fetch=&host2ip($u);\r
- $srcip=$fetch if (defined $fetch);\r
- }\r
- if (! defined $srcip or $srcip eq '') {\r
- # NO recognizable IPs or User Names were found on log output,\r
- # this suggests the log was generated by dstip.\r
- $srcip=$dstip; \r
- }\r
- }\r
- #\r
- $last_cid= &prepair2basedata(\r
- $hids_id,\r
- $last_cid,\r
- $timestamp,\r
- $sec,\r
- $mail,\r
- $date,\r
- $alerthost,\r
- $datasource,\r
- $rule,\r
- $level,\r
- $description,\r
- $srcip,\r
- $dstip,\r
- $user,\r
- $text\r
- );\r
- ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,\r
- $srcip,$dstip,$user,$text)=();\r
- next ;\r
- }\r
- if (m/^\*\* Alert ([0-9]+).([0-9]+):(.*)$/){\r
- $timestamp=$1;\r
- if ( $timestamp == $lasttimestamp){\r
- $delta++;\r
- }else{\r
- $delta=0;\r
- $lasttimestamp=$timestamp;\r
- }\r
- $sec=$2;\r
- $mail=$3;\r
- $mail=$mail ? $mail : 'nomail';\r
-#2006 Aug 29 17:19:52 firewall -> /var/log/messages\r
-#2006 Aug 30 11:52:14 192.168.0.45->/var/log/secure\r
-#2006 Sep 12 11:12:16 92382-Snort1 -> 172.16.176.132\r
- }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+(\S+)\s*->(.*)$/){\r
- $date=$1;\r
- $alerthost=$2;\r
- $datasource=$3;\r
- if ($datasource=~ m/(\d+\.\d+\.\d+\.\d+)/){\r
- $alerthost=$1;\r
- $datasource="remoted";\r
- }\r
-#2006 Aug 29 17:33:31 (recepcao) 10.0.3.154 -> syscheck\r
- }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+\((.*?)\)\s+(\S+)\s*->(.*)$/){\r
- $date=$1;\r
- $alerthost=$2;\r
- $alerthostip=$3;\r
- $datasource=$4;\r
- }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)$/){\r
- $date=$1;\r
- $alerthost='localhost';\r
- $datasource=$2;\r
- }elsif ( m/Rule: ([0-9]+) \(level ([0-9]+)\) -> \'(.*)\'$/ ){\r
- $rule=$1;\r
- $level=$2;\r
- $osseclevel=$level; # Keep copy of OSSEC level as it will later be converted to snort level.\r
- $description= $3;\r
- }elsif ( m/src\s?ip:/i){\r
- if ( m/($IP)/){\r
- $srcip=$1;\r
- }else{\r
- $srcip='1'; # Snorby doesn't like srcip\dstip = 0\null.\r
- }\r
- }elsif ( m/User: (.*)$/){\r
- $user=$1;\r
- }elsif ( m/(.*)$/){\r
- my $x=$1;\r
- \r
- # Get IP from User Name + DNS query.\r
- if (! defined $user){\r
- if ( m/User\s?Name:\s?(\S+)\s/i){\r
- my $u=$1;\r
- $user="$u";\r
- }\r
- }\r
- $x =~ s/(.$)/$1\r\n/; # lets multiline this string for cleaner output once $payload wordwraps it.\r
- $text .=$x;\r
- \r
- # This variable will be used to populate srcip once we reach the end of the current log entry.\r
- $filtered=$text;\r
- }\r
- } # End of while read line\r
-}\r
-\r
-sub ossec_aton(){\r
- my ($ip)=@_;\r
- if ($ip=~ m/(\d+)\.(\d+)\.(\d+)\.(\d+)/){\r
- my $num= ($1 * 256 ** 3) + ($2 * 256 ** 2)+ ($3 * 256 ** 1)+ ($4);\r
-\r
- return "$num";\r
- }else{\r
- return "1"; # Snorby has a bug where it wont ouput "N\A" on the IP columns if srcip\dstip = 0\null\r
- }\r
-\r
-}\r
-\r
-sub prepair2basedata(){\r
- my (\r
- $hids_id,\r
- $last_cid,\r
- $timestamp,\r
- $sec,\r
- $mail,\r
- $date,\r
- $alerthost,\r
- $datasource,\r
- $rule,\r
- $level,\r
- $description,\r
- $srcip,\r
- $dstip,\r
- $user,\r
- $text\r
- )=@_;\r
- my ($payload,$count,$query,$row_ref,$sig_id);\r
- \r
- \r
-###\r
-# Get sig_class_id\r
-#\r
-# Note: the original script stated sig_class_id as "1" by default which in BASE might be ok but for \r
-# snorby it maps to a category of "not-suspicious" which is not efficient when stats are ran based on\r
-# event categories alone...\r
-#\r
-# Furthermore, OSSEC allows a rule to have multiple categories assigned to it which snorby was not prepared to handle GUI\r
-# wize. (The event details contains a small section where the category value can be shown, this section is too small\r
-# to show OSSEC's sometimes long category results such as :\r
-# syslog,sshd,invalid_login,authentication_failed,)\r
-#\r
-# We will use the last category shown only...This isn't the correct approach but my programing skills prevent me\r
-# from providing a better solution.\r
-\r
- # ex: - syslog,sshd,invalid_login,authentication_failed,\r
- if ($mail=~ m/\.*\,?(\w+\_?\w+)\,?$/){ # $mail contains the rule's categories. No clue why its named $mail...\r
- $sig_class_name=$1;\r
- &printlog ("SIG_CLASS_NAME: $sig_class_name \n");\r
- $query = "SELECT sig_class_id FROM category WHERE cat_name=?";\r
- $dbi->execute($query,$sig_class_name);\r
- $count=$dbi->{sth}->rows;\r
- if ($count){\r
- $row_ref=$dbi->{sth}->fetchrow_hashref;\r
- $sig_class_id=$row_ref->{sig_class_id};\r
- &printlog ("SIG_CLASS_ID: $sig_class_id");\r
- }else{\r
- &printlog ("SIG_CLASS_ID NOT FOUND. USING DEFAULT SIG.");\r
- $sig_class_id=2;\r
- }\r
- }else{\r
- &printlog ("COULD NOT GET A RULE CATEGORY. USING DEFAULT SIG.");\r
- $sig_class_id=2;\r
- }\r
-\r
-###\r
-#\r
-# Get/Set signature id\r
-\r
- # Convert OSSEC Severity to Snort Severity.\r
- # Dont modify this after having live data on Snorby as it will create duplicated\r
- # sig_names.\r
- $level=4 if ($level <= 4); # Informational only.\r
- $level=3 if ($level == 5); # User generated errors \ low severity.\r
- $level=2 if (($level >= 6) && ($level <=11)); # Low to mid severity attacks.\r
- $level=1 if ($level >= 12); # High importance events \ Successfull attacks \ all our bases belong to them!\r
-\r
- $query = "SELECT sig_id FROM signature where sig_name=? and sig_class_id=? and sig_priority=? and sig_rev=? and sig_sid=? and sig_gid is NULL";\r
- $dbi->execute($query,$description,$sig_class_id,$level,0,$rule);\r
- $count=$dbi->{sth}->rows;\r
- if ($count){\r
- $row_ref=$dbi->{sth}->fetchrow_hashref;\r
- $sig_id=$row_ref->{sig_id};\r
- &printlog ("REUSING SIGNATURE\n");\r
- }else{\r
- $query="INSERT INTO signature ( sig_id , sig_name , sig_class_id , sig_priority , sig_rev , sig_sid , sig_gid )\r
-VALUES (\r
-NULL ,?, ? , ? , ? , ?, NULL\r
-)";\r
- $dbi->execute($query,$description,$sig_class_id,$level,0,$rule);\r
- $sig_id = $dbi->lastid();\r
- }\r
- $dbi->{sth}->finish;\r
- &printlog ("SIGNATURE: $sig_id\n");\r
- \r
- \r
- ############################\r
- ############################\r
- #DEBUG\r
- # &printlog ("filtered: $filtered \n");\r
- # &printlog ("SRC IP: $srcip \n");\r
- # &printlog ("DST IP: $dstip \n");\r
- # &printlog ("mail: $mail \n");\r
- # &printlog ("sig_class_name: $sig_class_name");\r
- # &printlog ("date: $date \n");\r
- # &printlog ("alerthost: $alerthost \n");\r
- # &printlog ("rule: $rule \n");\r
- # &printlog ("level: $level \n");\r
- # &printlog ("OSSEC level: $osseclevel \n");\r
- # &printlog ("USER: $user \n");\r
- # &printlog ("text: $text \n");\r
- # &printlog ("sec?: $sec \n");\r
- # &printlog ("datasource: $datasource \n");\r
- # &printlog ("description: $description \n");\r
- # exit 1;\r
- ############################\r
- \r
- \r
-#######\r
-#\r
-# Set event\r
- $query="INSERT INTO event ( sid , cid , signature , timestamp )\r
-VALUES (\r
-? , ? , ? ,? \r
-)";\r
- $last_cid++;\r
- $dbi->execute($query,$hids_id,$last_cid,$sig_id,&fixdate2base($date));\r
-\r
- &printlog ("EVENT: ($query,$hids_id,$last_cid,$sig_id,&fixdate2base($date)\n");\r
- $dbi->{sth}->finish;\r
-#########\r
-#\r
-# Set iphdr\r
-\r
- # And yet again,Snorby doesn't like empty IP fields; Validate if srcip or dstip are empty.\r
- $srcip = "1" if !defined $srcip; # leaving the fields srcip / dstip with a value = 0\r
- $dstip = "1" if !defined $dstip; # causes output to get messed up on the GUI. \r
-\r
- $query=" INSERT INTO iphdr ( sid , cid , ip_src , ip_dst , ip_ver , ip_hlen , ip_tos , ip_len , ip_id , ip_flags , ip_off , ip_ttl , ip_proto , ip_csum )\r
-VALUES (\r
-? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?\r
-) ";\r
- $dbi->execute($query,$hids_id,$last_cid,&ossec_aton($srcip),&ossec_aton($dstip),4,5,0,20,0,0,0,0,0,0);\r
- &printlog ("iphdr: ($query,$hids_id,$last_cid,&ossec_aton($srcip),&ossec_aton($dstip),4,5,0,undef,undef,undef,undef,undef,undef,undef)\n");\r
- $dbi->{sth}->finish;\r
-\r
-#########\r
-#\r
-#\r
-# Set data\r
- $payload = "$date ($alerthost) $dstip->$datasource\r\nRule: $rule (OSSEC level $osseclevel) -> $description\r\n$text";\r
- $payload =~ s/(.{1,109}\S|\S+)\s+/$1\r\n/mg; # Snorby does not wordwrap the payload, lets wrap the first 109 non-whitespace chars. \r
- $payload = unpack("H*",$payload); # Convert to HEX\r
-\r
- $query=" INSERT INTO data ( sid , cid , data_payload ) \r
-VALUES (\r
-?,?,?)";\r
- $dbi->execute($query,$hids_id,$last_cid,$payload);\r
- &printlog ("DATA: ($query,$hids_id,$last_cid,$payload)\n");\r
- $dbi->{sth}->finish;\r
-##########\r
-#\r
- $query="UPDATE sensor SET last_cid=? where sid=? limit 1";\r
- $numrows= $dbi->execute($query,$last_cid,$hids_id);\r
-\r
- $dbi->{sth}->finish;\r
- return $last_cid;\r
-} # end sub\r
-\r
-sub host2ip {\r
- # This sub requires argument 0 to be a named host. We also need to know\r
- # the domain to which we belong to in order to append it to the host if\r
- # its a flatname host.\r
- my $host=$_[0];\r
- my $domain=$conf{domain} if exists($conf{domain});\r
- my $CMD;\r
-\r
- # Validate if we were fed a flatnamed host or a FQDN.\r
- if ($host =~ m/.*\..+/){\r
- # FQDN\r
- $CMD=`host $host 2>/dev/null | grep 'has address' `;\r
- if ($CMD =~m/(\d+\.\d+\.\d+\.\d+)/ ){\r
- return($1);\r
- }else{\r
- return undef; # return False.\r
- }\r
- \r
- }else{\r
- # FLATNAME\r
- if (! defined $domain or $domain eq ''){\r
- &printlog ('[WARNING]: domain value was not populated on ossec2snorby.conf." . \r
- " DNS resolutions cannot be completed for NetBIOS\Flatname hosts.');\r
- return undef;\r
- }\r
-\r
- # There is an extra "." after $domain, this is to ensure linux\r
- # does not append "localdomain" at the end of the host.\r
- $CMD=`host $host.$domain. 2>/dev/null | grep 'has address' `;\r
- if ($CMD =~m/(\d+\.\d+\.\d+\.\d+)/ ){\r
- return($1);\r
- }else{\r
- return undef; # return False.\r
- }\r
- }\r
-}\r
-\r
-sub fixdate2base(){\r
- my ($date)=@_;\r
- $date=~ s/ Jan /-01-/;\r
- $date=~ s/ Feb /-02-/;\r
- $date=~ s/ Mar /-03-/;\r
- $date=~ s/ Apr /-04-/;\r
- $date=~ s/ May /-05-/;\r
- $date=~ s/ Jun /-06-/;\r
- $date=~ s/ Jul /-07-/;\r
- $date=~ s/ Aug /-08-/;\r
- $date=~ s/ Sep /-09-/;\r
- $date=~ s/ Oct /-10-/;\r
- $date=~ s/ Nov /-11-/;\r
- $date=~ s/ Dec /-12-/;\r
- $date=~ s/\s$//g;\r
- return $date;\r
-}\r
-sub version(){\r
- print "OSSEC report tool $VERSION\n";\r
- print "Licensed under GPL\n";\r
- print "Contributor Meir Michanie\n";\r
-}\r
-\r
-sub help(){\r
- &version();\r
- print "This tool helps you import into base the alerts generated by ossec."\r
- . " More info in the doc directory .\n";\r
- print "Usage:\n";\r
- print "$0 [-h|--help] # This text you read now\n";\r
- print "Options:\n";\r
- print "\t--dbhost <hostname>\n";\r
- print "\t--dbname <database>\n";\r
- print "\t--dbport <[0-9]+>\n";\r
- print "\t--dbpass <dbpasswd>\n";\r
- print "\t--dbuser <dbuser>\n";\r
- print "\t-d|--daemonize\n";\r
- print "\t-n|--noname\n";\r
- print "\t-v|--verbose\n";\r
- print "\t--conf <ossec2based-config>\n";\r
- print "\t--sensor <sensor-name>\n";\r
- print "\t--interface <ifname>\n";\r
- \r
- exit 0;\r
-}\r
-\r
-\r
-sub daemonize {\r
- my $running = kill 0, `cat /var/run/ossec2base2.pid`;\r
- if ($running){\r
- print "OSSEC2SNORBY is already running...\n";\r
- exit 1;\r
- }\r
-\r
- chdir '/' or die "Can't chdir to /: $!";\r
- \r
- open STDOUT, ">>$DAEMONLOGFILE"\r
- or die "Can't write to $DAEMONLOGFILE: $!";\r
-\r
- # I may be mistaken but the original script didn't seem to actually\r
- # tail the logs. It would run until it hit EOF and then exit script.\r
- $taillog= open STDIN,"-|", "/usr/bin/tail", "-Fn 0", "$LOG";\r
- if ($taillog){\r
- &forceprintlog ("Daemon started TAIL PID: $taillog");\r
- &forceprintlog ("NOW MONITORING: $LOG");\r
- }else{\r
- &forceprintlog ("Could not start daemon on $LOG: $!");\r
- exit 1;\r
- }\r
-\r
- defined(my $pid = fork) or die "Can't fork: $!";\r
- if ($pid){\r
- open (PIDFILE , ">/var/run/ossec2snorby.pid") ;\r
- print PIDFILE "$pid\n";\r
- close (PIDFILE);\r
- exit 0;\r
- }\r
- setsid or die "Can't start a new session: $!";\r
- open STDERR, ">>$DAEMONLOGERRORFILE" or die "Can't write to $DAEMONLOGERRORFILE: $!";\r
-}\r
-\r
-sub gracefulend(){\r
- my ($signal)=@_;\r
- &forceprintlog ("Terminating upon signal $signal");\r
- &forceprintlog ("Daemon halted");\r
- # This might be paranoid or simply useless but better safe than sorry.\r
- close STDOUT or die "WARNING: Closing STDOUT failed.";\r
- close STDERR or die "WARNING: Closing STDERR failed.";\r
- kill 3, $taillog or die "WARNING: Closing $taillog failed.";\r
- close STDIN or die "WARNING: Closing STDIN failed.";\r
- exit 0;\r
-}\r
-\r
-sub printlog(){\r
- return unless $VERBOSE;\r
- my (@lines)=@_;\r
- foreach my $line(@lines){\r
- chomp $line;\r
- my ($date)=scalar localtime;\r
- $date=~ s/^\S+\s+(\S+.*\s[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}).*$/$1/;\r
- print "$date $LOGGER: $line\n";\r
- }\r
- }\r
-\r
-\r
-sub loadconf(){\r
- my ($hash_ref)=@_;\r
- my $conf=$hash_ref->{conf};\r
- unless (-f $conf) { &printlog ("ERROR: I can't find config file $conf"); exit 1;}\r
- unless (open ( CONF , "$conf")){ &printlog ("ERROR: I can't open file $conf");exit 1;}\r
- while (<CONF>){\r
- next if m/^$|^#/;\r
- if ( m/^(\S+)\s?=\s?(.*?)$/) {\r
- $hash_ref->{$1} = $2;\r
- }\r
- }\r
- close CONF;\r
-}\r