X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fanalysisd%2Fdecoders%2Fplugins%2Fossecalert_decoder.c;h=0f91fc0e21e6a576a620b8974af957fae4eafee7;hp=d0f642ac023e11cafd5aafbb7351014cb2c79d7a;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hpb=301048b51990573e58a30dc4a5bb4ec285cad554
diff --git a/src/analysisd/decoders/plugins/ossecalert_decoder.c b/src/analysisd/decoders/plugins/ossecalert_decoder.c
index d0f642a..0f91fc0 100644
--- a/src/analysisd/decoders/plugins/ossecalert_decoder.c
+++ b/src/analysisd/decoders/plugins/ossecalert_decoder.c
@@ -1,4 +1,5 @@
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/plugins/ossecalert_decoder.c, 2012/03/28 dcid Exp $
+ */
 
 /* Copyright (C) 2009 Trend Micro Inc.
  * All rights reserved.
@@ -8,7 +9,7 @@
  * License (version 2) as published by the FSF - Free Software
  * Foundation.
  *
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
  * online at: http://www.ossec.net/en/licensing.html
  */
 
@@ -34,12 +35,12 @@ void *OSSECAlert_Decoder_Init()
 #define oa_strchr(x,y,z) z = strchr(x,y); if(!z){ return(NULL); }
 
 
-/* OSSECAlert decoder
+/* OSSECAlert decoder
  * Will extract the rule_id and point back to the original rule.
  * Will also extract srcip and username if available.
  * Examples:
- *
- */
+ *
+ */
 void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
 {
     char *oa_id = 0;
@@ -54,12 +55,13 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
 
 
     /* Checking the alert level. */
-    if(strncmp("Alert Level: ", lf->log, 12) != 0)
+    if(strncmp("Alert Level: ", lf->log, 12) != 0 &&
+       strncmp("ossec: Alert Level:", lf->log, 18) != 0)
     {
         return(NULL);
     }
-
+
 
     /* Going past the level. */
     oa_strchr(lf->log, ';', tmp_str);
     tmp_str++;
@@ -71,10 +73,10 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
     if(*tmp_str != ' ')
     {
         return(NULL);
-    }
+    }
     tmp_str++;
 
-
+
     /* Getting id. */
     oa_id = tmp_str;
     oa_strchr(tmp_str, ' ', tmp_str);
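Review bot: The added `strncmp("ossec: Alert Level:", lf->log, 18)` compares only 18 of the literal's 19 characters, so the trailing colon is never checked, while the existing `"Alert Level: "` test with 12 does include its colon — the two prefix checks are inconsistent and a log beginning `ossec: Alert Level` followed by any byte is accepted. Hard-coded lengths drift from their literals exactly like this; derive them instead: `strncmp("ossec: Alert Level:", lf->log, sizeof("ossec: Alert Level:") - 1) != 0` (and the same form for the first test). After the prefix check the code only skips to the next `;` via `oa_strchr`, so nothing downstream re-validates the header on this input, which presumably arrives from agents or syslog and should be treated as untrusted. OSSECAlert_Decoder_Exec starts and ends outside this hunk.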
@@ -104,7 +106,7 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
 
     /* Setting location; */
     oa_location = tmp_str;
-
+
     oa_strchr(tmp_str, ';', tmp_str);
     *tmp_str = '\0';
 
@@ -122,7 +124,7 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
     }
     else
     {
-        snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
+        snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
                  lf->location, oa_location);
         free(lf->location);
         os_strdup(oa_newlocation, lf->location);
@@ -132,7 +134,7 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
     *tmp_str = ';';
     tmp_str++;
 
-
+
     /* Getting additional fields. */
     while((*tmp_str == ' ') && (tmp_str[1] != ' '))
     {
@@ -158,18 +160,18 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
         *tmp_str = ';';
         tmp_str++;
     }
-
+
 
     /* Removing space. */
     while(*tmp_str == ' ')
         tmp_str++;
-
-
+
+
     /* Creating new full log. */
     free(lf->full_log);
     os_strdup(tmp_str, lf->full_log);
     lf->log = lf->full_log;
-
+
 
     /* Rule that generated. */
     lf->generated_rule = rule_pointer;