-/* @(#) $Id: exec.c,v 1.39 2009/11/20 15:38:28 dcid Exp $ */
+/* @(#) $Id: ./src/analysisd/alerts/exec.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
#include "eventinfo.h"
-/* OS_Exec v0.1
+/* OS_Exec v0.1
*/
void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
{
/* Cleaning the IP */
if(lf->srcip && (ar->ar_cmd->expect & SRCIP))
{
- ip = strrchr(lf->srcip, ':');
- if(ip)
+ if(strncmp(lf->srcip, "::ffff:", 7) == 0)
{
- ip++;
+ ip = lf->srcip + 7;
}
else
{
ip = lf->srcip;
}
-
/* Checking if IP is to ignored */
if(Config.white_list)
{
OSMatch **wl;
srcip_size = strlen(ip);
-
+
wl = Config.hostname_white_list;
while(*wl)
{
{
ip = "-";
}
-
-
+
+
/* Getting username */
if(lf->dstuser && (ar->ar_cmd->expect & USERNAME))
{
}
- /* active response on the server.
+ /* active response on the server.
* The response must be here if the ar->location is set to AS
* or the ar->location is set to local (REMOTE_AGENT) and the
* event location is from here.
- */
+ */
if((ar->location & AS_ONLY) ||
((ar->location & REMOTE_AGENT) && (lf->location[0] != '(')) )
{
if(!(Config.ar & LOCAL_AR))
return;
-
+
snprintf(exec_msg, OS_SIZE_1024,
"%s %s %s %d.%ld %d %s",
ar->name,
merror("%s: Error communicating with execd.", ARGV0);
}
}
-
- /* Active response to the forwarder */
- else if((Config.ar & REMOTE_AR) && (lf->location[0] == '('))
+
+ /* Active response to the forwarder */
+ else if((Config.ar & REMOTE_AR))
{
- int rc;
- snprintf(exec_msg, OS_SIZE_1024,
- "%s %c%c%c %s %s %s %s %d.%ld %d %s",
- lf->location,
- (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
- (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
- (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
- ar->agent_id != NULL? ar->agent_id: "(null)",
- ar->name,
- user,
- ip,
- lf->time,
- __crt_ftell,
- lf->generated_rule->sigid,
- lf->location);
-
+ int rc;
+ /*If lf->location start with a ( was generated by remote agent and its ID is included in lf->location
+ if missing then it must of been generated by the local analysisd so prepend a false id tag */
+ if(lf->location[0] == '(') {
+ snprintf(exec_msg, OS_SIZE_1024,
+ "%s %c%c%c %s %s %s %s %d.%ld %d",
+ lf->location,
+ (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
+ (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
+ (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
+ ar->agent_id != NULL? ar->agent_id: "(null)",
+ ar->name,
+ user,
+ ip,
+ lf->time,
+ __crt_ftell,
+ lf->generated_rule->sigid);
+ } else {
+ snprintf(exec_msg, OS_SIZE_1024,
+ "(local_source) %s %c%c%c %s %s %s %s %d.%ld %d",
+ lf->location,
+ (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
+ (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
+ (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
+ ar->agent_id != NULL? ar->agent_id: "(null)",
+ ar->name,
+ user,
+ ip,
+ lf->time,
+ __crt_ftell,
+ lf->generated_rule->sigid);
+ }
+
if((rc = OS_SendUnix(*arq, exec_msg, 0)) < 0)
{
if(rc == OS_SOCKBUSY)
}
else
{
- merror("%s: AR socket error (shutdown?).", ARGV0);
+ merror("%s: AR socket error (shutdown?).", ARGV0);
}
merror("%s: Error communicating with ar queue (%d).", ARGV0, rc);
}
}
-
+
return;
}
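Review bot: The two new snprintf() calls in the REMOTE_AR branch build a space-delimited control message from event-derived strings (`lf->location`, `user`, `ip`) without checking the return value, so an over-long location or username silently truncates the message — the new `"(local_source) "` prefix adds 15 more bytes to that budget — and a truncated message is still handed to OS_SendUnix(), where the receiver would parse a cut-off sigid or a missing field. Since the branch also changes the wire format (the trailing `lf->location` field of the old message is gone), the remoted/execd side must be parsing the new 11-field layout; that counterpart is not in this diff, so please confirm it landed in the same change. The two blocks differ only in the prefix, so they can be collapsed into one call with a truncation check, as below; the comment typo `must of been` should read `must have been`. Both snprintf() bodies and the enclosing function end within this hunk.
```c
int rc;
int len;
/* A location that starts with '(' already carries the agent id;
 * anything else was generated by the local analysisd, so tag it. */
const char *src_tag = (lf->location[0] == '(') ? "" : "(local_source) ";

len = snprintf(exec_msg, OS_SIZE_1024,
               "%s%s %c%c%c %s %s %s %s %d.%ld %d",
               src_tag,
               lf->location,
               (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
               (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
               (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
               ar->agent_id != NULL? ar->agent_id: "(null)",
               ar->name,
               user,
               ip,
               lf->time,
               __crt_ftell,
               lf->generated_rule->sigid);
if(len < 0 || len >= OS_SIZE_1024)
{
    /* Never forward a truncated command: fields would shift on the receiver. */
    merror("%s: AR message too long, not forwarding.", ARGV0);
    return;
}
/* … unchanged: OS_SendUnix call and its error handling … */
```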