X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fanalysisd%2Fcleanevent.c;h=938aa0ef87fee07a11a20e8ae46b8b8884ebd96b;hp=f830438c366173403a3d72020942d7cd8dbd0d76;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hpb=301048b51990573e58a30dc4a5bb4ec285cad554 diff --git a/src/analysisd/cleanevent.c b/src/analysisd/cleanevent.c index f830438..938aa0e 100755 --- a/src/analysisd/cleanevent.c +++ b/src/analysisd/cleanevent.c @@ -1,4 +1,5 @@ -/* @(#) $Id$ */ +/* @(#) $Id: ./src/analysisd/cleanevent.c, 2011/09/08 dcid Exp $ + */ /* Copyright (C) 2009 Trend Micro Inc. * All rights reserved. @@ -8,7 +9,7 @@ * License (version 2) as published by the FSF - Free Software * Foundation. * - * License details at the LICENSE file included with OSSEC or + * License details at the LICENSE file included with OSSEC or * online at: http://www.ossec.net/en/licensing.html */ @@ -30,9 +31,9 @@ char *(month[])={"Jan","Feb","Mar","Apr","May","Jun","Jul","Aug", - + /* OS_CleanMSG v0.3: 2006/03/04 - * Format a received message in the + * Format a received message in the * Eventinfo structure. */ int OS_CleanMSG(char *msg, Eventinfo *lf) @@ -58,23 +59,23 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) merror(FORMAT_ERROR, ARGV0); return(-1); } - + *pieces = '\0'; - pieces++; - - + pieces++; + + os_strdup(msg, lf->location); - - + + /* Getting the log length */ loglen = strlen(pieces) + 1; - - + + /* Assigning the values in the strucuture (lf->full_log) */ os_malloc((2*loglen) +1, lf->full_log); - - - /* Setting the whole message at full_log */ + + + /* Setting the whole message at full_log */ strncpy(lf->full_log, pieces, loglen); @@ -82,22 +83,22 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) lf->log = lf->full_log+loglen; strncpy(lf->log, pieces, loglen); - - - /* Checking for the syslog date format. - * ( ex: Dec 29 10:00:01 + + + /* Checking for the syslog date format. + * ( ex: Dec 29 10:00:01 * or 2007-06-14T15:48:55-04:00 for syslog-ng isodate * or 2009-05-22T09:36:46.214994-07:00 for rsyslog ) */ if( ( - (loglen > 17) && - (pieces[3] == ' ') && - (pieces[6] == ' ') && - (pieces[9] == ':') && - (pieces[12] == ':') && + (loglen > 17) && + (pieces[3] == ' ') && + (pieces[6] == ' ') && + (pieces[9] == ':') && + (pieces[12] == ':') && (pieces[15] == ' ') && (lf->log+=16) - ) + ) || ( (loglen > 33) && @@ -106,7 +107,7 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) (pieces[10] == 'T') && (pieces[13] == ':') && (pieces[16] == ':') && - + ( ((pieces[22] == ':') && (pieces[25] == ' ') && (lf->log+=26)) || @@ -114,9 +115,9 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) ((pieces[19] == '.') && (pieces[29] == ':') && (lf->log+=32)) ) - + ) - ) + ) { /* Checking for an extra space in here */ if(*lf->log == ' ') @@ -125,15 +126,15 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) /* Hostname */ pieces = lf->hostname = lf->log; - - + + /* Checking for a valid hostname */ while(isValidChar(*pieces) == 1) { pieces++; } - - + + /* Checking if it is a syslog without hostname (common on Solaris. */ if(*pieces == ':' && pieces[1] == ' ') { @@ -151,8 +152,8 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) lf->log = pieces; } - - /* Extracting the hostname */ + + /* Extracting the hostname */ else if(*pieces != ' ') { /* Invalid hostname */ @@ -175,13 +176,13 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) /* Extracting program_name */ - /* Valid names: - * p_name: + /* Valid names: + * p_name: * p_name[pid]: * p_name[pid]: [ID xx facility.severity] * auth|security:info p_name: - * - */ + * + */ while(isValidChar(*pieces) == 1) { pieces++; @@ -194,7 +195,7 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) *pieces = '\0'; pieces+=2; } - + /* Checking for the second format: p_name[pid]: */ else if((*pieces == '[') && (isdigit((int)pieces[1]))) { @@ -245,7 +246,7 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) pieces++; while(isalnum((int)*pieces)) pieces++; - + if(*pieces == ' ') { pieces++; @@ -301,15 +302,15 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) lf->program_name = NULL; } } - - + + /* Removing [ID xx facility.severity] */ if(pieces) { /* Setting log after program name */ lf->log = pieces; - if((pieces[0] == '[') && + if((pieces[0] == '[') && (pieces[1] == 'I') && (pieces[2] == 'D') && (pieces[3] == ' ')) @@ -332,8 +333,8 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) lf->p_name_size = strlen(lf->program_name); } } - - /* xferlog date format + + /* xferlog date format * Mon Apr 17 18:27:14 2006 1 64.160.42.130 */ else if((loglen > 28) && @@ -349,17 +350,17 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) /* Moving log to the beginning of the message */ lf->log+=24; } - + /* Checking for snort date format - * ex: 01/28-09:13:16.240702 [**] - */ - else if( (loglen > 24) && - (pieces[2] == '/') && + * ex: 01/28-09:13:16.240702 [**] + */ + else if( (loglen > 24) && + (pieces[2] == '/') && (pieces[5] == '-') && - (pieces[8] == ':') && + (pieces[8] == ':') && (pieces[11]== ':') && - (pieces[14]== '.') && + (pieces[14]== '.') && (pieces[21] == ' ') ) { lf->log+=23; @@ -367,19 +368,19 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) /* Checking for apache log format */ /* [Fri Feb 11 18:06:35 2004] [warn] */ - else if( (loglen > 27) && - (pieces[0] == '[') && + else if( (loglen > 27) && + (pieces[0] == '[') && (pieces[4] == ' ') && - (pieces[8] == ' ') && + (pieces[8] == ' ') && (pieces[11]== ' ') && - (pieces[14]== ':') && + (pieces[14]== ':') && (pieces[17]== ':') && - (pieces[20]== ' ') && + (pieces[20]== ' ') && (pieces[25]== ']') ) { lf->log+=27; } - + /* Checking for the osx asl log format. * Examples: * [Time 2006.12.28 15:53:55 UTC] [Facility auth] [Sender sshd] [PID 483] [Message error: PAM: Authentication failure for username from 192.168.0.2] [Level 3] [UID -2] [GID -2] [Host Hostname] @@ -398,8 +399,8 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) { /* Do not read more than 1 message entry -> log tampering */ short unsigned int done_message = 0; - - + + /* Removing the date */ lf->log+=25; @@ -421,10 +422,10 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) if(pieces) { *pieces = '\0'; - + /* Setting program_name size */ lf->p_name_size = strlen(lf->program_name); - + pieces++; } /* Invalid program name */ @@ -434,14 +435,14 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) break; } } - + /* Getting message */ else if((strncmp(pieces, "Message ", 8) == 0) && (done_message == 0)) { pieces+=8; done_message = 1; - + lf->log = pieces; /* Getting the closing brackets */ @@ -471,7 +472,7 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) *pieces = '\0'; pieces++; } - + /* Invalid hostname */ else { @@ -484,12 +485,12 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) pieces = strchr(pieces, '['); } } - + /* Checking for squid date format * 1140804070.368 11623 * seconds from 00:00:00 1970-01-01 UTC */ - else if((loglen > 32) && + else if((loglen > 32) && (pieces[0] == '1') && (pieces[10] == '.') && (pieces[14] == ' ') && @@ -507,7 +508,7 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) } - /* Every message must be in the format + /* Every message must be in the format * hostname->location or * (agent) ip->location. */ @@ -524,13 +525,13 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) lf->hostname = __shost; } - + /* Setting up the event data */ lf->time = c_time; p = localtime(&c_time); - + /* Assign hour, day, year and month values */ lf->day = p->tm_mday; lf->year = p->tm_year+1900; @@ -539,14 +540,14 @@ int OS_CleanMSG(char *msg, Eventinfo *lf) p->tm_hour, p->tm_min, p->tm_sec); - + /* Setting the global hour/weekday */ __crt_hour = p->tm_hour; - __crt_wday = p->tm_wday; - - + __crt_wday = p->tm_wday; + + #ifdef TESTRULE if(!alert_only)