X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fanalysisd%2Falerts%2Flog.c;h=e3558a2b6abf536a3b4b3dda5afc4a1e20bb11df;hp=2acde595baa6423f2393c0ad1ae2c62a94a19fae;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/src/analysisd/alerts/log.c b/src/analysisd/alerts/log.c
old mode 100755
new mode 100644
index 2acde59..e3558a2
--- a/src/analysisd/alerts/log.c
+++ b/src/analysisd/alerts/log.c
@@ -1,6 +1,3 @@
-/* @(#) $Id: ./src/analysisd/alerts/log.c, 2012/03/30 dcid Exp $
- */
-
 /* Copyright (C) 2009 Trend Micro Inc.
  * All right reserved.
  *
@@ -10,7 +7,6 @@
  * Foundation
  */
 
-
 #include "shared.h"
 #include "log.h"
 #include "alerts.h"
@@ -19,148 +15,53 @@ #include "eventinfo.h" #include "config.h" -#ifdef GEOIP -/* GeoIP Stuff */ -#include "GeoIP.h" -#include "GeoIPCity.h" - -#define RFC1918_10 (167772160 & 4278190080) /* 10/8 */ -#define RFC1918_172 (2886729728 & 4293918720) /* 172.17/12 */ -#define RFC1918_192 (3232235520 & 4294901760) /* 192.168/16 */ -#define NETMASK_8 4278190080 /* 255.0.0.0 */ -#define NETMASK_12 4293918720 /* 255.240.0.0 */ -#define NETMASK_16 4294901760 /* 255.255.0.0 */ - -static const char * _mk_NA( const char * p ){ - return (p ? p : "N/A"); -} - -/* StrIP2Long */ -/* Convert an dot-quad IP address into long format - */ -static unsigned long StrIP2Int(const char *ip) { - unsigned int c1,c2,c3,c4; - /* IP address is not coming from user input -> We can trust it */ - /* only minimal checking is performed */ - size_t len = strlen(ip); - if ((len < 7) || (len > 15)) return (0); - - sscanf(ip, "%u.%u.%u.%u", &c1, &c2, &c3, &c4); - return((unsigned long)c4+c3*256+c2*256*256+c1*256*256*256); -} - - -/* GeoIP_Lookup */ -/* Use the GeoIP API to locate an IP address - */ -static void GeoIP_Lookup(const char *ip, char *buffer, const size_t length) -{ - GeoIP *gi; - GeoIPRecord *gir; - - /* Dumb way to detect an IPv6 address */ - if (strchr(ip, ':')) { - /* Use the IPv6 DB */ - gi = GeoIP_open(Config.geoip_db_path, GEOIP_INDEX_CACHE); - if (gi == NULL) { - merror(INVALID_GEOIP_DB, ARGV0, Config.geoip6_db_path); - snprintf(buffer, length, "Unknown (1)"); - return; - } - gir = GeoIP_record_by_name_v6(gi, ip); - } - else { - /* Use the IPv4 DB */ - /* If we have a RFC1918 IP, do not perform a DB lookup (performance) */ - unsigned long longip = StrIP2Int(ip); - if (longip == 0 ) { - snprintf(buffer, length, "Unknown (2)"); - return; - } - if ((longip & NETMASK_8) == RFC1918_10 || - (longip & NETMASK_12) == RFC1918_172 || - (longip & NETMASK_16) == RFC1918_192) { - snprintf(buffer, length, "RFC1918 IP"); - return; - } - - gi = GeoIP_open(Config.geoip_db_path, GEOIP_INDEX_CACHE); - if 
(gi == NULL) { - merror(INVALID_GEOIP_DB, ARGV0, Config.geoip_db_path); - snprintf(buffer, length, "Unknown (3)"); - return; - } - gir = GeoIP_record_by_name(gi, ip); - } - if (gir != NULL) { - snprintf(buffer,length,"%s,%s,%s", - _mk_NA(gir->country_code), - _mk_NA(GeoIP_region_name_by_code(gir->country_code, gir->region)), - _mk_NA(gir->city) - ); - GeoIP_delete(gi); - return; - } - GeoIP_delete(gi); - snprintf(buffer, length, "Unknown (4)"); - return; -} -#endif /* GEOIP */ /* Drop/allow patterns */ -OSMatch FWDROPpm; -OSMatch FWALLOWpm; - -/* - * Allow custom alert output tokens. - */ - -typedef enum e_custom_alert_tokens_id -{ - CUSTOM_ALERT_TOKEN_TIMESTAMP = 0, - CUSTOM_ALERT_TOKEN_FTELL, - CUSTOM_ALERT_TOKEN_RULE_ALERT_OPTIONS, - CUSTOM_ALERT_TOKEN_HOSTNAME, - CUSTOM_ALERT_TOKEN_LOCATION, - CUSTOM_ALERT_TOKEN_RULE_ID, - CUSTOM_ALERT_TOKEN_RULE_LEVEL, - CUSTOM_ALERT_TOKEN_RULE_COMMENT, - CUSTOM_ALERT_TOKEN_SRC_IP, - CUSTOM_ALERT_TOKEN_DST_USER, - CUSTOM_ALERT_TOKEN_FULL_LOG, - CUSTOM_ALERT_TOKEN_RULE_GROUP, - CUSTOM_ALERT_TOKEN_LAST +static OSMatch FWDROPpm; +static OSMatch FWALLOWpm; + +/* Allow custom alert output tokens */ +typedef enum e_custom_alert_tokens_id { + CUSTOM_ALERT_TOKEN_TIMESTAMP = 0, + CUSTOM_ALERT_TOKEN_FTELL, + CUSTOM_ALERT_TOKEN_RULE_ALERT_OPTIONS, + CUSTOM_ALERT_TOKEN_HOSTNAME, + CUSTOM_ALERT_TOKEN_LOCATION, + CUSTOM_ALERT_TOKEN_RULE_ID, + CUSTOM_ALERT_TOKEN_RULE_LEVEL, + CUSTOM_ALERT_TOKEN_RULE_COMMENT, + CUSTOM_ALERT_TOKEN_SRC_IP, + CUSTOM_ALERT_TOKEN_DST_USER, + CUSTOM_ALERT_TOKEN_FULL_LOG, + CUSTOM_ALERT_TOKEN_RULE_GROUP, + CUSTOM_ALERT_TOKEN_LAST } CustomAlertTokenID; -char CustomAlertTokenName[CUSTOM_ALERT_TOKEN_LAST][15] = -{ -{ "$TIMESTAMP" }, -{ "$FTELL" }, -{ "$RULEALERT" }, -{ "$HOSTNAME" }, -{ "$LOCATION" }, -{ "$RULEID" }, -{ "$RULELEVEL" }, -{ "$RULECOMMENT" }, -{ "$SRCIP" }, -{ "$DSTUSER" }, -{ "$FULLLOG" }, -{ "$RULEGROUP" }, +static const char CustomAlertTokenName[CUSTOM_ALERT_TOKEN_LAST][15] = { + { "$TIMESTAMP" }, + { 
"$FTELL" }, + { "$RULEALERT" }, + { "$HOSTNAME" }, + { "$LOCATION" }, + { "$RULEID" }, + { "$RULELEVEL" }, + { "$RULECOMMENT" }, + { "$SRCIP" }, + { "$DSTUSER" }, + { "$FULLLOG" }, + { "$RULEGROUP" }, }; -/* OS_Store: v0.2, 2005/02/10 */ -/* Will store the events in a file + +/* Store the events in a file * The string must be null terminated and contain * any necessary new lines, tabs, etc. - * */ -void OS_Store(Eventinfo *lf) +void OS_Store(const Eventinfo *lf) { - if(strcmp(lf->location, "ossec-keepalive") == 0) - { + if (strcmp(lf->location, "ossec-keepalive") == 0) { return; } - if(strstr(lf->location, "->ossec-keepalive") != NULL) - { + if (strstr(lf->location, "->ossec-keepalive") != NULL) { return; } @@ -170,8 +71,8 @@ void OS_Store(Eventinfo *lf) lf->mon, lf->day, lf->hour, - lf->hostname != lf->location?lf->hostname:"", - lf->hostname != lf->location?"->":"", + lf->hostname != lf->location ? lf->hostname : "", + lf->hostname != lf->location ? "->" : "", lf->location, lf->full_log); 
@@ -179,80 +80,80 @@ void OS_Store(Eventinfo *lf) return; } - - void OS_LogOutput(Eventinfo *lf) { -#ifdef GEOIP - char geoip_msg_src[OS_SIZE_1024 +1]; - char geoip_msg_dst[OS_SIZE_1024 +1]; - geoip_msg_src[0] = '\0'; - geoip_msg_dst[0] = '\0'; - if (Config.loggeoip) { - if (lf->srcip) GeoIP_Lookup(lf->srcip, geoip_msg_src, OS_SIZE_1024); - if (lf->dstip) GeoIP_Lookup(lf->dstip, geoip_msg_dst, OS_SIZE_1024); +#ifdef LIBGEOIP_ENABLED + if (Config.geoipdb_file) { + if (lf->srcip && !lf->srcgeoip) { + lf->srcgeoip = GetGeoInfobyIP(lf->srcip); + } + if (lf->dstip && !lf->dstgeoip) { + lf->dstgeoip = GetGeoInfobyIP(lf->dstip); + } } #endif - printf( - "** Alert %d.%ld:%s - %s\n" - "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'" - "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n", - lf->time, - __crt_ftell, - lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"", - lf->generated_rule->group, - lf->year, - lf->mon, - lf->day, - lf->hour, - lf->hostname != lf->location?lf->hostname:"", - lf->hostname != lf->location?"->":"", - lf->location, - lf->generated_rule->sigid, - lf->generated_rule->level, - lf->generated_rule->comment, - - lf->srcip == NULL?"":"\nSrc IP: ", - lf->srcip == NULL?"":lf->srcip, -#ifdef GEOIP - (strlen(geoip_msg_src) == 0)?"":"\nSrc Location: ", - (strlen(geoip_msg_src) == 0)?"":geoip_msg_src, + printf( + "** Alert %ld.%ld:%s - %s\n" + "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'" + "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n", + (long int)lf->time, + __crt_ftell, + lf->generated_rule->alert_opts & DO_MAILALERT ? " mail " : "", + lf->generated_rule->group, + lf->year, + lf->mon, + lf->day, + lf->hour, + lf->hostname != lf->location ? lf->hostname : "", + lf->hostname != lf->location ? "->" : "", + lf->location, + lf->generated_rule->sigid, + lf->generated_rule->level, + lf->generated_rule->comment, + + lf->srcip == NULL ? "" : "\nSrc IP: ", + lf->srcip == NULL ? "" : lf->srcip, + +#ifdef LIBGEOIP_ENABLED + lf->srcgeoip == NULL ? 
"" : "\nSrc Location: ", + lf->srcgeoip == NULL ? "" : lf->srcgeoip, #else - "", - "", + "", + "", #endif - lf->srcport == NULL?"":"\nSrc Port: ", - lf->srcport == NULL?"":lf->srcport, - lf->dstip == NULL?"":"\nDst IP: ", - lf->dstip == NULL?"":lf->dstip, -#ifdef GEOIP - (strlen(geoip_msg_dst) == 0)?"":"\nDst Location: ", - (strlen(geoip_msg_dst) == 0)?"":geoip_msg_dst, + lf->srcport == NULL ? "" : "\nSrc Port: ", + lf->srcport == NULL ? "" : lf->srcport, + + lf->dstip == NULL ? "" : "\nDst IP: ", + lf->dstip == NULL ? "" : lf->dstip, + +#ifdef LIBGEOIP_ENABLED + lf->dstgeoip == NULL ? "" : "\nDst Location: ", + lf->dstgeoip == NULL ? "" : lf->dstgeoip, #else - "", - "", + "", + "", #endif - lf->dstport == NULL?"":"\nDst Port: ", - lf->dstport == NULL?"":lf->dstport, - lf->dstuser == NULL?"":"\nUser: ", - lf->dstuser == NULL?"":lf->dstuser, - lf->full_log); + lf->dstport == NULL ? "" : "\nDst Port: ", + lf->dstport == NULL ? "" : lf->dstport, + + lf->dstuser == NULL ? "" : "\nUser: ", + lf->dstuser == NULL ? "" : lf->dstuser, + lf->full_log); - /* Printing the last events if present */ - if(lf->generated_rule->last_events) - { + /* Print the last events if present */ + if (lf->generated_rule->last_events) { char **lasts = lf->generated_rule->last_events; - while(*lasts) - { - printf("%.1256s\n",*lasts); + while (*lasts) { + printf("%.1256s\n", *lasts); lasts++; } lf->generated_rule->last_events[0] = NULL; 
@@ -264,258 +165,229 @@ void OS_LogOutput(Eventinfo *lf) return; } - - -/* OS_Log: v0.3, 2006/03/04 */ -/* _writefile: v0.2, 2005/02/09 */ void OS_Log(Eventinfo *lf) { -#ifdef GEOIP - char geoip_msg_src[OS_SIZE_1024 +1]; - char geoip_msg_dst[OS_SIZE_1024 +1]; - geoip_msg_src[0] = '\0'; - geoip_msg_dst[0] = '\0'; - if (Config.loggeoip) { - if (lf->srcip) GeoIP_Lookup(lf->srcip, geoip_msg_src, OS_SIZE_1024 ); - if (lf->dstip) GeoIP_Lookup(lf->dstip, geoip_msg_dst, OS_SIZE_1024 ); +#ifdef LIBGEOIP_ENABLED + if (Config.geoipdb_file) { + if (lf->srcip && !lf->srcgeoip) { + lf->srcgeoip = GetGeoInfobyIP(lf->srcip); + } + if (lf->dstip && !lf->dstgeoip) { + lf->dstgeoip = GetGeoInfobyIP(lf->dstip); + } } #endif - /* Writting to the alert log file */ + + /* Writing to the alert log file */ fprintf(_aflog, - "** Alert %d.%ld:%s - %s\n" + "** Alert %ld.%ld:%s - %s\n" "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'" "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n", - lf->time, + (long int)lf->time, __crt_ftell, - lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"", + lf->generated_rule->alert_opts & DO_MAILALERT ? " mail " : "", lf->generated_rule->group, lf->year, lf->mon, lf->day, lf->hour, - lf->hostname != lf->location?lf->hostname:"", - lf->hostname != lf->location?"->":"", + lf->hostname != lf->location ? lf->hostname : "", + lf->hostname != lf->location ? "->" : "", lf->location, lf->generated_rule->sigid, lf->generated_rule->level, lf->generated_rule->comment, - lf->srcip == NULL?"":"\nSrc IP: ", - lf->srcip == NULL?"":lf->srcip, + lf->srcip == NULL ? "" : "\nSrc IP: ", + lf->srcip == NULL ? "" : lf->srcip, -#ifdef GEOIP - (strlen(geoip_msg_src) == 0)?"":"\nSrc Location: ", - (strlen(geoip_msg_src) == 0)?"":geoip_msg_src, +#ifdef LIBGEOIP_ENABLED + lf->srcgeoip == NULL ? "" : "\nSrc Location: ", + lf->srcgeoip == NULL ? 
"" : lf->srcgeoip, #else "", "", #endif - lf->srcport == NULL?"":"\nSrc Port: ", - lf->srcport == NULL?"":lf->srcport, - lf->dstip == NULL?"":"\nDst IP: ", - lf->dstip == NULL?"":lf->dstip, + lf->srcport == NULL ? "" : "\nSrc Port: ", + lf->srcport == NULL ? "" : lf->srcport, + + lf->dstip == NULL ? "" : "\nDst IP: ", + lf->dstip == NULL ? "" : lf->dstip, -#ifdef GEOIP - (strlen(geoip_msg_dst) == 0)?"":"\nDst Location: ", - (strlen(geoip_msg_dst) == 0)?"":geoip_msg_dst, +#ifdef LIBGEOIP_ENABLED + lf->dstgeoip == NULL ? "" : "\nDst Location: ", + lf->dstgeoip == NULL ? "" : lf->dstgeoip, #else "", "", #endif - lf->dstport == NULL?"":"\nDst Port: ", - lf->dstport == NULL?"":lf->dstport, - lf->dstuser == NULL?"":"\nUser: ", - lf->dstuser == NULL?"":lf->dstuser, - lf->full_log); + lf->dstport == NULL ? "" : "\nDst Port: ", + lf->dstport == NULL ? "" : lf->dstport, + + lf->dstuser == NULL ? "" : "\nUser: ", + lf->dstuser == NULL ? "" : lf->dstuser, + lf->full_log); - /* Printing the last events if present */ - if(lf->generated_rule->last_events) - { + /* Print the last events if present */ + if (lf->generated_rule->last_events) { char **lasts = lf->generated_rule->last_events; - while(*lasts) - { - fprintf(_aflog,"%.1256s\n",*lasts); + while (*lasts) { + fprintf(_aflog, "%.1256s\n", *lasts); lasts++; } lf->generated_rule->last_events[0] = NULL; } - fprintf(_aflog,"\n"); - + fprintf(_aflog, "\n"); fflush(_aflog); + return; } -/* OS_CustomLog: v0.1, 2012/10/10*/ -void OS_CustomLog(Eventinfo *lf,char* format) +void OS_CustomLog(const Eventinfo *lf, const char *format) { - char *log; - char *tmp_log; - char tmp_buffer[1024]; - //Replace all the tokens: - os_strdup(format,log); - - snprintf(tmp_buffer, 1024, "%d", lf->time); - tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_TIMESTAMP], tmp_buffer); - if(log) - { - os_free(log); - log=NULL; - } - snprintf(tmp_buffer, 1024, "%ld", __crt_ftell); - log = searchAndReplace(tmp_log, 
CustomAlertTokenName[CUSTOM_ALERT_TOKEN_FTELL], tmp_buffer); - if (tmp_log) - { - os_free(tmp_log); - tmp_log=NULL; - } - - - snprintf(tmp_buffer, 1024, "%s", (lf->generated_rule->alert_opts & DO_MAILALERT)?"mail " : ""); - tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_ALERT_OPTIONS], tmp_buffer); - if(log) - { - os_free(log); - log=NULL; - } - - - snprintf(tmp_buffer, 1024, "%s",lf->hostname?lf->hostname:"None"); - log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_HOSTNAME], tmp_buffer); - if (tmp_log) - { - os_free(tmp_log); - tmp_log=NULL; - } - - snprintf(tmp_buffer, 1024, "%s",lf->location?lf->location:"None"); - tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_LOCATION], tmp_buffer); - if(log) - { - os_free(log); - log=NULL; - } - - - snprintf(tmp_buffer, 1024, "%d", lf->generated_rule->sigid); - log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_ID], tmp_buffer); - if (tmp_log) - { - os_free(tmp_log); - tmp_log=NULL; - } - - snprintf(tmp_buffer, 1024, "%d", lf->generated_rule->level); - tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_LEVEL], tmp_buffer); - if(log) - { - os_free(log); - log=NULL; - } - - snprintf(tmp_buffer, 1024, "%s",lf->srcip?lf->srcip:"None"); - log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_SRC_IP], tmp_buffer); - if (tmp_log) - { - os_free(tmp_log); - tmp_log=NULL; - } - - snprintf(tmp_buffer, 1024, "%s",lf->srcuser?lf->srcuser:"None"); - - tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_DST_USER], tmp_buffer); - if(log) - { - os_free(log); - log=NULL; - } - char * escaped_log; - escaped_log = escape_newlines(lf->full_log); - - log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_FULL_LOG],escaped_log ); - if (tmp_log) - { - os_free(tmp_log); - tmp_log=NULL; - } - - if(escaped_log) - { - os_free(escaped_log); - escaped_log=NULL; - } - - 
snprintf(tmp_buffer, 1024, "%s",lf->generated_rule->comment?lf->generated_rule->comment:""); - tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_COMMENT], tmp_buffer); - if(log) - { - os_free(log); - log=NULL; - } - - snprintf(tmp_buffer, 1024, "%s",lf->generated_rule->group?lf->generated_rule->group:""); - log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_GROUP], tmp_buffer); - if (tmp_log) - { - os_free(tmp_log); - tmp_log=NULL; - } - - - fprintf(_aflog,"%s",log); - fprintf(_aflog,"\n"); - fflush(_aflog); - - if(log) - { - os_free(log); - log=NULL; - } - - return; + char *log; + char *tmp_log; + char tmp_buffer[1024]; + + /* Replace all the tokens */ + os_strdup(format, log); + + snprintf(tmp_buffer, 1024, "%ld", (long int)lf->time); + tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_TIMESTAMP], tmp_buffer); + if (log) { + os_free(log); + log = NULL; + } + snprintf(tmp_buffer, 1024, "%ld", __crt_ftell); + log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_FTELL], tmp_buffer); + if (tmp_log) { + os_free(tmp_log); + tmp_log = NULL; + } + + snprintf(tmp_buffer, 1024, "%s", (lf->generated_rule->alert_opts & DO_MAILALERT) ? "mail " : ""); + tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_ALERT_OPTIONS], tmp_buffer); + if (log) { + os_free(log); + log = NULL; + } + + snprintf(tmp_buffer, 1024, "%s", lf->hostname ? lf->hostname : "None"); + log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_HOSTNAME], tmp_buffer); + if (tmp_log) { + os_free(tmp_log); + tmp_log = NULL; + } + + snprintf(tmp_buffer, 1024, "%s", lf->location ? 
lf->location : "None"); + tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_LOCATION], tmp_buffer); + if (log) { + os_free(log); + log = NULL; + } + + snprintf(tmp_buffer, 1024, "%d", lf->generated_rule->sigid); + log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_ID], tmp_buffer); + if (tmp_log) { + os_free(tmp_log); + tmp_log = NULL; + } + + snprintf(tmp_buffer, 1024, "%d", lf->generated_rule->level); + tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_LEVEL], tmp_buffer); + if (log) { + os_free(log); + log = NULL; + } + + snprintf(tmp_buffer, 1024, "%s", lf->srcip ? lf->srcip : "None"); + log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_SRC_IP], tmp_buffer); + if (tmp_log) { + os_free(tmp_log); + tmp_log = NULL; + } + + snprintf(tmp_buffer, 1024, "%s", lf->dstuser ? lf->dstuser : "None"); + + tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_DST_USER], tmp_buffer); + if (log) { + os_free(log); + log = NULL; + } + char *escaped_log; + escaped_log = escape_newlines(lf->full_log); + + log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_FULL_LOG], escaped_log ); + if (tmp_log) { + os_free(tmp_log); + tmp_log = NULL; + } + + if (escaped_log) { + os_free(escaped_log); + escaped_log = NULL; + } + + snprintf(tmp_buffer, 1024, "%s", lf->generated_rule->comment ? lf->generated_rule->comment : ""); + tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_COMMENT], tmp_buffer); + if (log) { + os_free(log); + log = NULL; + } + + snprintf(tmp_buffer, 1024, "%s", lf->generated_rule->group ? 
lf->generated_rule->group : ""); + log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_GROUP], tmp_buffer); + if (tmp_log) { + os_free(tmp_log); + tmp_log = NULL; + } + + fprintf(_aflog, "%s", log); + fprintf(_aflog, "\n"); + fflush(_aflog); + + if (log) { + os_free(log); + log = NULL; + } + + return; } void OS_InitFwLog() { - /* Initializing fw log regexes */ - if(!OSMatch_Compile(FWDROP, &FWDROPpm, 0)) - { + /* Initialize fw log regexes */ + if (!OSMatch_Compile(FWDROP, &FWDROPpm, 0)) { ErrorExit(REGEX_COMPILE, ARGV0, FWDROP, - FWDROPpm.error); + FWDROPpm.error); } - if(!OSMatch_Compile(FWALLOW, &FWALLOWpm, 0)) - { + if (!OSMatch_Compile(FWALLOW, &FWALLOWpm, 0)) { ErrorExit(REGEX_COMPILE, ARGV0, FWALLOW, - FWALLOWpm.error); + FWALLOWpm.error); } - } - -/* FW_Log: v0.1, 2005/12/30 */ int FW_Log(Eventinfo *lf) { /* If we don't have the srcip or the * action, there is no point in going * forward over here */ - if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport || - !lf->dstport || !lf->protocol) - { - return(0); + if (!lf->action || !lf->srcip || !lf->dstip || !lf->srcport || + !lf->dstport || !lf->protocol) { + return (0); } - - /* Setting the actions */ - switch(*lf->action) - { + /* Set the actions */ + switch (*lf->action) { /* discard, drop, deny, */ case 'd': case 'D': 
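Review bot: In OS_CustomLog the tokens are substituted one after another on the whole working string, so a value inserted by an early replacement is rescanned by every later one: `$HOSTNAME`, `$LOCATION`, `$SRCIP`, `$DSTUSER` and the escaped `$FULLLOG` are expanded before `$RULECOMMENT` and `$RULEGROUP`, so a log line or agent-supplied field containing the literal text `$RULECOMMENT` ends up rewritten with the rule's comment. Those values are event data, which makes this a (low-impact) template injection, and the chain also costs up to twelve heap copies of the line per alert. A single pass over `format` that recognises a token only at positions in the template itself fixes both; the sketch below keeps the existing per-token `snprintf` value selection. Separately, OS_Log in this hunk writes `lf->full_log` raw while OS_CustomLog runs it through `escape_newlines`; if alerts.log consumers split records on blank lines, an event containing a blank line followed by "** Alert" text would read as a second record, so the difference is worth confirming as intended.

```c
void OS_CustomLog(const Eventinfo *lf, const char *format)
{
    char tmp_buffer[1024];
    char *escaped_log = escape_newlines(lf->full_log);
    const char *p = format;

    /* One pass over the template: a token is only recognised in the
     * template itself, never inside a value that was just substituted. */
    while (*p != '\0') {
        int id = CUSTOM_ALERT_TOKEN_LAST;
        if (*p == '$') {
            for (id = 0; id < CUSTOM_ALERT_TOKEN_LAST; id++) {
                if (strncmp(p, CustomAlertTokenName[id],
                            strlen(CustomAlertTokenName[id])) == 0) {
                    break;
                }
            }
        }
        if (id == CUSTOM_ALERT_TOKEN_LAST) {
            fputc(*p++, _aflog);   /* literal character or unknown token */
            continue;
        }
        const char *value = tmp_buffer;
        /* … value selection: the existing per-token snprintf(tmp_buffer, ...)
         * calls, with value = escaped_log for CUSTOM_ALERT_TOKEN_FULL_LOG … */
        fputs(value, _aflog);
        p += strlen(CustomAlertTokenName[id]);
    }
    fputc('\n', _aflog);
    fflush(_aflog);
    os_free(escaped_log);
}
```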
@@ -550,34 +422,29 @@ int FW_Log(Eventinfo *lf) os_strdup("ALLOW", lf->action); break; default: - if(OSMatch_Execute(lf->action,strlen(lf->action),&FWDROPpm)) - { + if (OSMatch_Execute(lf->action, strlen(lf->action), &FWDROPpm)) { os_free(lf->action); os_strdup("DROP", lf->action); } - if(OSMatch_Execute(lf->action,strlen(lf->action),&FWALLOWpm)) - { + if (OSMatch_Execute(lf->action, strlen(lf->action), &FWALLOWpm)) { os_free(lf->action); os_strdup("ALLOW", lf->action); - } - else - { + } else { os_free(lf->action); os_strdup("UNKNOWN", lf->action); } break; } - - /* log to file */ + /* Log to file */ fprintf(_fflog, "%d %s %02d %s %s%s%s %s %s %s:%s->%s:%s\n", lf->year, lf->mon, lf->day, lf->hour, - lf->hostname != lf->location?lf->hostname:"", - lf->hostname != lf->location?"->":"", + lf->hostname != lf->location ? lf->hostname : "", + lf->hostname != lf->location ? "->" : "", lf->location, lf->action, lf->protocol, @@ -588,7 +455,6 @@ int FW_Log(Eventinfo *lf) fflush(_fflog); - return(1); + return (1); } -/* EOF */
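Review bot: In the `default:` branch of FW_Log the FWALLOWpm test is a separate `if`, not an `else if`, so once the FWDROPpm match has rewritten `lf->action` to "DROP" the second test runs against the string "DROP" and, unless the allow pattern happens to match it, the `else` branch overwrites it with "UNKNOWN": a drop action recognised only by the pattern is logged as UNKNOWN. The reformat preserves this two-statement shape; it should read `} else if (OSMatch_Execute(lf->action, strlen(lf->action), &FWALLOWpm)) {`. FW_Log begins in the previous hunk, so the single-character cases before `default:` are not visible here.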