X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fanalysisd%2Falerts%2Fexec.c;h=073ac5893957728da2d36fd6edae37dabfabe2d2;hp=46bf4ac5b5cb122461db1ca28e37840361b14f95;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hpb=301048b51990573e58a30dc4a5bb4ec285cad554
diff --git a/src/analysisd/alerts/exec.c b/src/analysisd/alerts/exec.c
index 46bf4ac..073ac58 100755
--- a/src/analysisd/alerts/exec.c
+++ b/src/analysisd/alerts/exec.c
@@ -1,11 +1,12 @@
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/alerts/exec.c, 2011/09/08 dcid Exp $
+ */
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
 * Foundation
 */
@@ -25,7 +26,7 @@
 #include "eventinfo.h"
-/* OS_Exec v0.1
+/* OS_Exec v0.1
 */
 void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
 {
@@ -37,17 +38,15 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
 /* Cleaning the IP */
 if(lf->srcip && (ar->ar_cmd->expect & SRCIP))
 {
- ip = strrchr(lf->srcip, ':');
- if(ip)
+ if(strncmp(lf->srcip, "::ffff:", 7) == 0)
 {
- ip++;
+ ip = lf->srcip + 7;
 }
 else
 {
 ip = lf->srcip;
 }
-
 /* Checking if IP is to ignored */
 if(Config.white_list)
 {
@@ -64,7 +63,7 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
 OSMatch **wl;
 srcip_size = strlen(ip);
-
+
 wl = Config.hostname_white_list;
 while(*wl)
 {
@@ -78,8 +77,8 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
 {
 ip = "-";
 }
-
-
+
+
 /* Getting username */
 if(lf->dstuser && (ar->ar_cmd->expect & USERNAME))
 {
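Review bot: In the -37 hunk the new `strncmp(lf->srcip, "::ffff:", 7)` check ties the prefix literal to a hand-counted length and is case-sensitive: a source address written as `::FFFF:10.0.0.1` was reduced to `10.0.0.1` by the removed strrchr() path but now reaches the whitelist check and the exec message unchanged. Deriving the length from the literal removes the magic number, `if(strncmp(lf->srcip, "::ffff:", sizeof("::ffff:") - 1) == 0)` and `ip = lf->srcip + (sizeof("::ffff:") - 1);`, and if the decoders can emit an uppercase prefix the compare should be strncasecmp(). The wider behaviour change, that a genuine IPv6 address now passes through whole instead of being cut at its last colon, looks intended but should be stated in the comment above the check so a later reader does not reintroduce the strrchr() logic. OS_Exec() starts and ends outside this hunk.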
@@ -91,17 +90,17 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
 }
- /* active response on the server.
+ /* active response on the server.
 * The response must be here if the ar->location is set to AS
 * or the ar->location is set to local (REMOTE_AGENT) and the
 * event location is from here.
- */
+ */
 if((ar->location & AS_ONLY) ||
 ((ar->location & REMOTE_AGENT) && (lf->location[0] != '('))
 )
 {
 if(!(Config.ar & LOCAL_AR))
 return;
-
+
 snprintf(exec_msg, OS_SIZE_1024,
 "%s %s %s %d.%ld %d %s",
 ar->name,
@@ -117,27 +116,44 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
 merror("%s: Error communicating with execd.", ARGV0);
 }
 }
-
- /* Active response to the forwarder */
- else if((Config.ar & REMOTE_AR) && (lf->location[0] == '('))
+
+ /* Active response to the forwarder */
+ else if((Config.ar & REMOTE_AR))
 {
- int rc;
- snprintf(exec_msg, OS_SIZE_1024,
- "%s %c%c%c %s %s %s %s %d.%ld %d %s",
- lf->location,
- (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
- (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
- (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
- ar->agent_id != NULL? ar->agent_id: "(null)",
- ar->name,
- user,
- ip,
- lf->time,
- __crt_ftell,
- lf->generated_rule->sigid,
- lf->location);
-
+ int rc;
+ /*If lf->location start with a ( was generated by remote agent and its ID is included in lf->location
+ if missing then it must of been generated by the local analysisd so prepend a false id tag */
+ if(lf->location[0] == '(') {
+ snprintf(exec_msg, OS_SIZE_1024,
+ "%s %c%c%c %s %s %s %s %d.%ld %d",
+ lf->location,
+ (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
+ (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
+ (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
+ ar->agent_id != NULL? ar->agent_id: "(null)",
+ ar->name,
+ user,
+ ip,
+ lf->time,
+ __crt_ftell,
+ lf->generated_rule->sigid);
+ } else {
+ snprintf(exec_msg, OS_SIZE_1024,
+ "(local_source) %s %c%c%c %s %s %s %s %d.%ld %d",
+ lf->location,
+ (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
+ (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
+ (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
+ ar->agent_id != NULL? ar->agent_id: "(null)",
+ ar->name,
+ user,
+ ip,
+ lf->time,
+ __crt_ftell,
+ lf->generated_rule->sigid);
+ }
+
 if((rc = OS_SendUnix(*arq, exec_msg, 0)) < 0)
 {
 if(rc == OS_SOCKBUSY)
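Review bot: The two snprintf() calls in the new REMOTE_AR branch are identical apart from the "(local_source) " prefix, and neither checks its return value, so a long lf->location, user or ar->name is silently cut at OS_SIZE_1024 bytes and the truncated message is still handed to OS_SendUnix(). Selecting the prefix once and formatting through a single call removes the duplicated argument list, and checking the length before sending turns truncation into a logged error instead of a malformed queue message. The added comment also needs fixing: "must of been" should read "must have been", and it should say that only the remote-agent form carries an agent ID, e.g. `/* A location starting with '(' came from a remote agent and carries its ID; otherwise the event is from the local analysisd, so prepend a placeholder tag. */`. The AS_ONLY branch above this hunk formats the same buffer and would benefit from the same length check. OS_Exec() starts before and ends after this hunk.
```c
    else if((Config.ar & REMOTE_AR))
    {
        int rc;
        /* A location starting with '(' came from a remote agent and carries
         * its ID; otherwise the event is from the local analysisd, so prepend
         * a placeholder tag. Output is byte-identical to the two-call form. */
        const char *src_tag = (lf->location[0] == '(') ? "" : "(local_source) ";
        int len = snprintf(exec_msg, OS_SIZE_1024,
                "%s%s %c%c%c %s %s %s %s %d.%ld %d",
                src_tag,
                lf->location,
                (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
                (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
                (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
                ar->agent_id != NULL? ar->agent_id: "(null)",
                ar->name,
                user,
                ip,
                lf->time,
                __crt_ftell,
                lf->generated_rule->sigid);
        /* A truncated message would be parsed as a different event by the
         * receiver; log and drop it rather than forward it. */
        if(len < 0 || len >= OS_SIZE_1024)
        {
            merror("%s: AR message truncated, not sent.", ARGV0);
            return;
        }

        /* … unchanged: OS_SendUnix(*arq, exec_msg, 0) and its error handling … */
```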
@@ -146,12 +162,12 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
 }
 else
 {
- merror("%s: AR socket error (shutdown?).", ARGV0);
+ merror("%s: AR socket error (shutdown?).", ARGV0);
 }
 merror("%s: Error communicating with ar queue (%d).", ARGV0, rc);
 }
 }
-
+
 return;
 }