X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fanalysisd%2Falerts%2Flog.c;fp=src%2Fanalysisd%2Falerts%2Flog.c;h=2acde595baa6423f2393c0ad1ae2c62a94a19fae;hp=95e1e632be797e3e0fadbb9de0fa0cee19dd54be;hb=789cbc8e52da68eba3517b920ef22e000cf3c9fd;hpb=ef70704f0b31b59bb719b884d6a99cb9e3e2044a

diff --git a/src/analysisd/alerts/log.c b/src/analysisd/alerts/log.c
index 95e1e63..2acde59 100755
--- a/src/analysisd/alerts/log.c
+++ b/src/analysisd/alerts/log.c
@@ -32,33 +32,31 @@
 #define NETMASK_16     4294901760      /* 255.255.0.0  */
 
 static const char * _mk_NA( const char * p ){
-	return p ? p : "N/A";
+	return (p ? p : "N/A");
 }
 
 /* StrIP2Long */
 /* Convert an dot-quad IP address into long format
  */
-unsigned long StrIP2Int(char *ip) {
-        unsigned int c1,c2,c3,c4;
-       /* IP address is not coming from user input -> We can trust it */
-       /* only minimal checking is performed */
-        int len = strlen(ip);
-        if ((len < 7) || (len > 15)) return 0;
-
-        sscanf(ip, "%d.%d.%d.%d", &c1, &c2, &c3, &c4);
-        return((unsigned long)c4+c3*256+c2*256*256+c1*256*256*256);
+static unsigned long StrIP2Int(const char *ip) {
+	unsigned int c1,c2,c3,c4;
+	/* IP address is not coming from user input -> We can trust it */
+	/* only minimal checking is performed */
+	size_t len = strlen(ip);
+	if ((len < 7) || (len > 15)) return (0);
+
+	sscanf(ip, "%u.%u.%u.%u", &c1, &c2, &c3, &c4);
+	return((unsigned long)c4+c3*256+c2*256*256+c1*256*256*256);
 }
 
 
-/* GeoIPLookup */
+/* GeoIP_Lookup */
 /* Use the GeoIP API to locate an IP address
  */
-char *GeoIPLookup(char *ip)
+static void GeoIP_Lookup(const char *ip, char *buffer, const size_t length)
 {
 	GeoIP	*gi;
 	GeoIPRecord	*gir;
-	char buffer[OS_SIZE_1024 +1];
-        unsigned long longip;
 
 	/* Dumb way to detect an IPv6 address */
 	if (strchr(ip, ':')) {
@@ -66,37 +64,46 @@ char *GeoIPLookup(char *ip)
 		gi = GeoIP_open(Config.geoip_db_path, GEOIP_INDEX_CACHE);
 		if (gi == NULL) {
 			merror(INVALID_GEOIP_DB, ARGV0, Config.geoip6_db_path);
-			return("Unknown");
+			snprintf(buffer, length, "Unknown (1)");
+			return;
 		}
-		gir = GeoIP_record_by_name_v6(gi, (const char *)ip);
+		gir = GeoIP_record_by_name_v6(gi, ip);
 	}
 	else {
 		/* Use the IPv4 DB */
-                /* If we have a RFC1918 IP, do not perform a DB lookup (performance) */
-                longip = StrIP2Int(ip);
-                if (longip == 0 ) return("Unknown");
-                if ((longip & NETMASK_8)  == RFC1918_10 ||
-                    (longip & NETMASK_12) == RFC1918_172 ||
-                    (longip & NETMASK_16) == RFC1918_192) return("");
+		/* If we have a RFC1918 IP, do not perform a DB lookup (performance) */
+		unsigned long longip = StrIP2Int(ip);
+		if (longip == 0 ) {
+			snprintf(buffer, length, "Unknown (2)");
+			return;
+		}
+		if ((longip & NETMASK_8)  == RFC1918_10 ||
+		(longip & NETMASK_12) == RFC1918_172 ||
+		(longip & NETMASK_16) == RFC1918_192) {
+			snprintf(buffer, length, "RFC1918 IP");
+			return;
+		}
 
 		gi = GeoIP_open(Config.geoip_db_path, GEOIP_INDEX_CACHE);
 		if (gi == NULL) {
 			merror(INVALID_GEOIP_DB, ARGV0, Config.geoip_db_path);
-			return("Unknown");
+			snprintf(buffer, length, "Unknown (3)");
+			return;
 		}
-		gir = GeoIP_record_by_name(gi, (const char *)ip);
+		gir = GeoIP_record_by_name(gi, ip);
 	}
 	if (gir != NULL) {
-		sprintf(buffer,"%s,%s,%s",
+		snprintf(buffer,length,"%s,%s,%s",
 				_mk_NA(gir->country_code),
 				_mk_NA(GeoIP_region_name_by_code(gir->country_code, gir->region)),
 				_mk_NA(gir->city)
 		);
 		GeoIP_delete(gi);
-		return(buffer);
+		return;
 	}
 	GeoIP_delete(gi);
-	return("Unknown");
+	snprintf(buffer, length, "Unknown (4)");
+	return;
 }
 #endif /* GEOIP */
 
@@ -104,7 +111,42 @@ char *GeoIPLookup(char *ip)
 OSMatch FWDROPpm;
 OSMatch FWALLOWpm;
 
+/*
+ * Allow custom alert output tokens.
+ */
 
+typedef enum e_custom_alert_tokens_id
+{
+  CUSTOM_ALERT_TOKEN_TIMESTAMP = 0,
+  CUSTOM_ALERT_TOKEN_FTELL,
+  CUSTOM_ALERT_TOKEN_RULE_ALERT_OPTIONS,
+  CUSTOM_ALERT_TOKEN_HOSTNAME,
+  CUSTOM_ALERT_TOKEN_LOCATION,
+  CUSTOM_ALERT_TOKEN_RULE_ID,
+  CUSTOM_ALERT_TOKEN_RULE_LEVEL,
+  CUSTOM_ALERT_TOKEN_RULE_COMMENT,
+  CUSTOM_ALERT_TOKEN_SRC_IP,
+  CUSTOM_ALERT_TOKEN_DST_USER,
+  CUSTOM_ALERT_TOKEN_FULL_LOG,
+  CUSTOM_ALERT_TOKEN_RULE_GROUP,
+  CUSTOM_ALERT_TOKEN_LAST
+} CustomAlertTokenID;
+
+char CustomAlertTokenName[CUSTOM_ALERT_TOKEN_LAST][15] =
+{
+{ "$TIMESTAMP" },
+{ "$FTELL" },
+{ "$RULEALERT" },
+{ "$HOSTNAME" },
+{ "$LOCATION" },
+{ "$RULEID" },
+{ "$RULELEVEL" },
+{ "$RULECOMMENT" },
+{ "$SRCIP" },
+{ "$DSTUSER" },
+{ "$FULLLOG" },
+{ "$RULEGROUP" },
+};
 /* OS_Store: v0.2, 2005/02/10 */
 /* Will store the events in a file
  * The string must be null terminated and contain
@@ -134,7 +176,7 @@ void OS_Store(Eventinfo *lf)
             lf->full_log);
 
     fflush(_eflog);
-    return;	
+    return;
 }
 
 
@@ -147,8 +189,8 @@ void OS_LogOutput(Eventinfo *lf)
     geoip_msg_src[0] = '\0';
     geoip_msg_dst[0] = '\0';
     if (Config.loggeoip) {
- 	if (lf->srcip) { strncpy(geoip_msg_src, GeoIPLookup(lf->srcip), OS_SIZE_1024); }
-	if (lf->dstip) { strncpy(geoip_msg_dst, GeoIPLookup(lf->dstip), OS_SIZE_1024); }
+ 	if (lf->srcip) GeoIP_Lookup(lf->srcip, geoip_msg_src, OS_SIZE_1024);
+	if (lf->dstip) GeoIP_Lookup(lf->dstip, geoip_msg_dst, OS_SIZE_1024);
     }
 #endif
     printf(
@@ -219,7 +261,7 @@ void OS_LogOutput(Eventinfo *lf)
     printf("\n");
 
     fflush(stdout);
-    return;	
+    return;
 }
 
 
@@ -234,8 +276,8 @@ void OS_Log(Eventinfo *lf)
     geoip_msg_src[0] = '\0';
     geoip_msg_dst[0] = '\0';
     if (Config.loggeoip) {
-        if (lf->srcip) { strncpy(geoip_msg_src, GeoIPLookup(lf->srcip), OS_SIZE_1024 ); }
-        if (lf->dstip) { strncpy(geoip_msg_dst, GeoIPLookup(lf->dstip), OS_SIZE_1024 ); }
+        if (lf->srcip) GeoIP_Lookup(lf->srcip, geoip_msg_src, OS_SIZE_1024 );
+        if (lf->dstip) GeoIP_Lookup(lf->dstip, geoip_msg_dst, OS_SIZE_1024 );
     }
 #endif
     /* Writting to the alert log file */
@@ -307,10 +349,137 @@ void OS_Log(Eventinfo *lf)
     fprintf(_aflog,"\n");
 
     fflush(_aflog);
-    return;	
+    return;
 }
 
-
+/* OS_CustomLog: v0.1, 2012/10/10*/
+void OS_CustomLog(Eventinfo *lf,char* format)
+{
+  char *log;
+  char *tmp_log;
+  char tmp_buffer[1024];
+  //Replace all the tokens:
+  os_strdup(format,log);
+
+  snprintf(tmp_buffer, 1024, "%d", lf->time);
+  tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_TIMESTAMP], tmp_buffer);
+  if(log)
+  {
+    os_free(log);
+    log=NULL;
+  }
+  snprintf(tmp_buffer, 1024, "%ld", __crt_ftell);
+  log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_FTELL], tmp_buffer);
+  if (tmp_log)
+  {
+    os_free(tmp_log);
+    tmp_log=NULL;
+  }
+
+
+  snprintf(tmp_buffer, 1024, "%s", (lf->generated_rule->alert_opts & DO_MAILALERT)?"mail " : "");
+  tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_ALERT_OPTIONS], tmp_buffer);
+  if(log)
+  {
+    os_free(log);
+    log=NULL;
+  }
+
+
+  snprintf(tmp_buffer, 1024, "%s",lf->hostname?lf->hostname:"None");
+  log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_HOSTNAME], tmp_buffer);
+  if (tmp_log)
+  {
+    os_free(tmp_log);
+    tmp_log=NULL;
+  }
+
+  snprintf(tmp_buffer, 1024, "%s",lf->location?lf->location:"None");
+  tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_LOCATION], tmp_buffer);
+  if(log)
+  {
+    os_free(log);
+    log=NULL;
+  }
+
+
+  snprintf(tmp_buffer, 1024, "%d", lf->generated_rule->sigid);
+  log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_ID], tmp_buffer);
+  if (tmp_log)
+  {
+    os_free(tmp_log);
+    tmp_log=NULL;
+  }
+
+  snprintf(tmp_buffer, 1024, "%d", lf->generated_rule->level);
+  tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_LEVEL], tmp_buffer);
+  if(log)
+  {
+    os_free(log);
+    log=NULL;
+  }
+
+  snprintf(tmp_buffer, 1024, "%s",lf->srcip?lf->srcip:"None");
+  log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_SRC_IP], tmp_buffer);
+  if (tmp_log)
+  {
+    os_free(tmp_log);
+    tmp_log=NULL;
+  }
+
+  snprintf(tmp_buffer, 1024, "%s",lf->srcuser?lf->srcuser:"None");
+
+  tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_DST_USER], tmp_buffer);
+  if(log)
+  {
+    os_free(log);
+    log=NULL;
+  }
+  char * escaped_log;
+  escaped_log = escape_newlines(lf->full_log);
+
+  log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_FULL_LOG],escaped_log );
+  if (tmp_log)
+  {
+    os_free(tmp_log);
+    tmp_log=NULL;
+  }
+
+  if(escaped_log)
+  {
+    os_free(escaped_log);
+    escaped_log=NULL;
+  }
+
+  snprintf(tmp_buffer, 1024, "%s",lf->generated_rule->comment?lf->generated_rule->comment:"");
+  tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_COMMENT], tmp_buffer);
+  if(log)
+  {
+    os_free(log);
+    log=NULL;
+  }
+
+  snprintf(tmp_buffer, 1024, "%s",lf->generated_rule->group?lf->generated_rule->group:"");
+  log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_GROUP], tmp_buffer);
+  if (tmp_log)
+  {
+    os_free(tmp_log);
+    tmp_log=NULL;
+  }
+
+
+  fprintf(_aflog,"%s",log);
+  fprintf(_aflog,"\n");
+  fflush(_aflog);
+
+  if(log)
+  {
+    os_free(log);
+    log=NULL;
+  }
+
+  return;
+}
 
 void OS_InitFwLog()
 {