X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fanalysisd%2Fdecoders%2Fplugins%2Fsonicwall_decoder.c;h=42e854a4a2998057f27b0687afac9dbcd92043e6;hp=56c41a47a442da8731d95a923578c69037c526b0;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hpb=301048b51990573e58a30dc4a5bb4ec285cad554
diff --git a/src/analysisd/decoders/plugins/sonicwall_decoder.c b/src/analysisd/decoders/plugins/sonicwall_decoder.c
index 56c41a4..42e854a 100644
--- a/src/analysisd/decoders/plugins/sonicwall_decoder.c
+++ b/src/analysisd/decoders/plugins/sonicwall_decoder.c
@@ -1,4 +1,5 @@
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/plugins/sonicwall_decoder.c, 2011/09/08 dcid Exp $
+ */
 /* Copyright (C) 2009 Trend Micro Inc.
  * All rights reserved.
@@ -8,7 +9,7 @@
  * License (version 2) as published by the FSF - Free Software
  * Foundation.
  *
- * License details at the LICENSE file included with OSSEC or 
+ * License details at the LICENSE file included with OSSEC or
  * online at: http://www.ossec.net/en/licensing.html
  */
@@ -31,7 +32,7 @@
 /** Global variables -- not thread safe. If we ever multi thread
  * analysisd, these will need to be changed.
- */ 
+ */
 OSRegex *__sonic_regex_prid = NULL;
 OSRegex *__sonic_regex_sdip = NULL;
 OSRegex *__sonic_regex_prox = NULL;
@@ -89,13 +90,13 @@ void *SonicWall_Decoder_Init()
-/* SonicWall decoder 
+/* SonicWall decoder
  * Will extract the id, severity, action, srcip, dstip, protocol,srcport,dstport
  * severity will be extracted as status.
  * Examples:
  * Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
  * Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN
- */ 
+ */
 void *SonicWall_Decoder_Exec(Eventinfo *lf)
 {
     int i = 0;
@@ -106,9 +107,9 @@ void *SonicWall_Decoder_Exec(Eventinfo *lf)
     /* Zeroing category */
     category[0] = '\0';
     lf->decoder_info->type = SYSLOG;
-    
-    
-    
+
+
+
     /** We first run our regex to extract the severity, cat and id. **/
     if(!(tmp_str = OSRegex_Execute(lf->log, __sonic_regex_prid)))
     {
@@ -131,7 +132,7 @@ void *SonicWall_Decoder_Exec(Eventinfo *lf)
         /* Clearing all substrings */
         __sonic_regex_prid->sub_strings[0] = NULL;
         __sonic_regex_prid->sub_strings[2] = NULL;
-        
+
         free(__sonic_regex_prid->sub_strings[1]);
         __sonic_regex_prid->sub_strings[1] = NULL;
     }
@@ -156,9 +157,9 @@ void *SonicWall_Decoder_Exec(Eventinfo *lf)
     {
         return(NULL);
     }
-    if(__sonic_regex_sdip->sub_strings[0] && 
-       __sonic_regex_sdip->sub_strings[1] && 
-       __sonic_regex_sdip->sub_strings[2] && 
+    if(__sonic_regex_sdip->sub_strings[0] &&
+       __sonic_regex_sdip->sub_strings[1] &&
+       __sonic_regex_sdip->sub_strings[2] &&
        __sonic_regex_sdip->sub_strings[3])
     {
         /* Setting all the values */
@@ -186,7 +187,7 @@ void *SonicWall_Decoder_Exec(Eventinfo *lf)
         i = 0;
         tmp_str += 6;
-        
+
         /* Allocating memory for the protocol */
         os_calloc(8, sizeof(char), proto);
@@ -222,7 +223,7 @@ void *SonicWall_Decoder_Exec(Eventinfo *lf)
-    
+
     /** Setting the category/action based on the id. **/
     /* IDS event */
@@ -230,16 +231,16 @@ void *SonicWall_Decoder_Exec(Eventinfo *lf)
     {
         lf->decoder_info->type = IDS;
     }
-    
+
     /* Firewall connection opened */
     else if((strcmp(lf->id, "98") == 0) ||
-            (strcmp(lf->id, "597") == 0) || 
-            (strcmp(lf->id, "598") == 0)) 
+            (strcmp(lf->id, "597") == 0) ||
+            (strcmp(lf->id, "598") == 0))
     {
         lf->decoder_info->type = FIREWALL;
-        os_strdup("pass", lf->action); 
+        os_strdup("pass", lf->action);
     }
-    
+
     /* Firewall connection dropped */
     else if((strcmp(lf->id, "38") == 0) ||
             (strcmp(lf->id, "36") == 0) ||
@@ -248,16 +249,16 @@ void *SonicWall_Decoder_Exec(Eventinfo *lf)
             (strcmp(lf->id, "37") == 0))
     {
         lf->decoder_info->type = FIREWALL;
-        os_strdup("drop", lf->action); 
+        os_strdup("drop", lf->action);
     }
-    
+
     /* Firewall connection closed */
     else if(strcmp(lf->id, "537") == 0)
     {
         lf->decoder_info->type = FIREWALL;
         os_strdup("close", lf->action);
     }
-    
+
     /* Proxy msg */
     else if(strcmp(lf->id, "97") == 0)
     {
@@ -269,7 +270,7 @@ void *SonicWall_Decoder_Exec(Eventinfo *lf)
         {
             return(NULL);
         }
-        
+
         /* We first run our regex to extract the severity and id. */
         if(!OSRegex_Execute(tmp_str, __sonic_regex_prox))
@@ -289,18 +290,18 @@ void *SonicWall_Decoder_Exec(Eventinfo *lf)
         {
             return(NULL);
         }
-        
+
         /* Getting HTTP page */
-        if(__sonic_regex_prox->sub_strings[1] && 
+        if(__sonic_regex_prox->sub_strings[1] &&
            __sonic_regex_prox->sub_strings[2])
         {
             char *final_url;
             int url_size = strlen(__sonic_regex_prox->sub_strings[1]) + strlen(__sonic_regex_prox->sub_strings[2]) + 2;
-            
+
             os_calloc(url_size +1, sizeof(char), final_url);
-            snprintf(final_url, url_size, "%s%s", 
+            snprintf(final_url, url_size, "%s%s",
                      __sonic_regex_prox->sub_strings[1], __sonic_regex_prox->sub_strings[2]);
@@ -323,7 +324,7 @@ void *SonicWall_Decoder_Exec(Eventinfo *lf)
         return(NULL);
     }
-    
+
     return(NULL);
 }