X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fshared%2Fread-alert.c;h=b5d8a3bdf8f043beef1b7ba1810ee341608337cb;hp=b9553b65796eb851fe858257218be0e275024f8a;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hpb=301048b51990573e58a30dc4a5bb4ec285cad554 diff --git a/src/shared/read-alert.c b/src/shared/read-alert.c index b9553b6..b5d8a3b 100755 --- a/src/shared/read-alert.c +++ b/src/shared/read-alert.c @@ -1,4 +1,5 @@ -/* @(#) $Id$ */ +/* @(#) $Id: ./src/shared/read-alert.c, 2011/11/09 dcid Exp $ + */ /* Copyright (C) 2009 Trend Micro Inc. * All right reserved. @@ -27,11 +28,29 @@ #define RULE_BEGIN_SZ 6 #define SRCIP_BEGIN "Src IP: " #define SRCIP_BEGIN_SZ 8 +#define GEOIP_BEGIN_SRC "Src Location: " +#define GEOIP_BEGIN_SRC_SZ 14 +#define GEOIP_BEGIN_DST "Dst Location: " +#define GEOIP_BEGIN_DST_SZ 14 +#define SRCPORT_BEGIN "Src Port: " +#define SRCPORT_BEGIN_SZ 10 +#define DSTIP_BEGIN "Dst IP: " +#define DSTIP_BEGIN_SZ 8 +#define DSTPORT_BEGIN "Dst Port: " +#define DSTPORT_BEGIN_SZ 10 #define USER_BEGIN "User: " #define USER_BEGIN_SZ 6 #define ALERT_MAIL "mail" #define ALERT_MAIL_SZ 4 #define ALERT_AR "active-response" +#define OLDMD5_BEGIN "Old md5sum was: " +#define OLDMD5_BEGIN_SZ 16 +#define NEWMD5_BEGIN "New md5sum is : " +#define NEWMD5_BEGIN_SZ 16 +#define OLDSHA1_BEGIN "Old sha1sum was: " +#define OLDSHA1_BEGIN_SZ 17 +#define NEWSHA1_BEGIN "New sha1sum is : " +#define NEWSHA1_BEGIN_SZ 17 /** void FreeAlertData(alert_data *al_data) 
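Review bot: The new `*_SZ` constants in the define hunk (GEOIP_BEGIN_SRC_SZ through NEWSHA1_BEGIN_SZ) are hand-counted lengths of the adjacent string literals, and every `strncmp` prefix test later in the parser depends on them matching exactly, so a future edit to one literal silently breaks its match. They do agree with the literals as committed, but deriving them removes the drift, e.g. `#define OLDMD5_BEGIN_SZ (sizeof(OLDMD5_BEGIN) - 1)`. The same applies to the pre-existing SRCIP_BEGIN_SZ and USER_BEGIN_SZ pairs if this block is touched again.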
@@ -39,38 +58,98 @@
 */
 void FreeAlertData(alert_data *al_data)
 {
+ char **p;
+
+ if(al_data->alertid)
+ {
+ free(al_data->alertid);
+ al_data->alertid = NULL;
+ }
 if(al_data->date)
 {
 free(al_data->date);
+ al_data->date = NULL;
 }
 if(al_data->location)
 {
 free(al_data->location);
+ al_data->location = NULL;
 }
 if(al_data->comment)
 {
 free(al_data->comment);
+ al_data->comment = NULL;
 }
 if(al_data->group)
 {
 free(al_data->group);
+ al_data->group = NULL;
 }
 if(al_data->srcip)
 {
 free(al_data->srcip);
+ al_data->srcip = NULL;
+ }
+ if(al_data->dstip)
+ {
+ free(al_data->dstip);
+ al_data->dstip = NULL;
 }
 if(al_data->user)
 {
 free(al_data->user);
+ al_data->user = NULL;
+ }
+ if(al_data->filename)
+ {
+ free(al_data->filename);
+ al_data->filename = NULL;
+ }
+ if(al_data->old_md5)
+ {
+ free(al_data->old_md5);
+ al_data->old_md5 = NULL;
+ }
+ if(al_data->new_md5)
+ {
+ free(al_data->new_md5);
+ al_data->new_md5 = NULL;
+ }
+ if(al_data->old_sha1)
+ {
+ free(al_data->old_sha1);
+ al_data->old_sha1 = NULL;
+ }
+ if(al_data->new_sha1)
+ {
+ free(al_data->new_sha1);
+ al_data->new_sha1 = NULL;
 }
 if(al_data->log)
 {
- while(*(al_data->log))
+ p = al_data->log;
+
+ while(*(p))
 {
- free(*(al_data->log));
- al_data->log++;
+ free(*(p));
+ *(p) = NULL;
+ p++;
 }
+ free(al_data->log);
+ al_data->log = NULL;
+ }
+#ifdef GEOIP
+ if (al_data->geoipdatasrc)
+ {
+ free(al_data->geoipdatasrc);
+ al_data->geoipdatasrc = NULL;
 }
+ if (al_data->geoipdatadst)
+ {
+ free(al_data->geoipdatadst);
+ al_data->geoipdatadst = NULL;
+ }
+#endif
 free(al_data);
 al_data = NULL;
 }
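Review bot: `al_data = NULL;` on the last line of FreeAlertData only clears the callee's copy of the parameter, so the caller's pointer still dangles after the struct is freed; either drop the line or state on the prototype that callers must null their own pointer after the call. The per-field `x = NULL` stores added here are overwritten moments later by `free(al_data)`, and `free(NULL)` is already a no-op, so the `if(...)` guards around each free are redundant — harmless, but they read as if they protected something. The function also dereferences `al_data` without checking it; a guard `if(!al_data) return;` at the top would make it safe to call on the NULL that GetAlertData returns on failure.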
@@ -81,33 +160,46 @@ void FreeAlertData(alert_data *al_data) */ alert_data *GetAlertData(int flag, FILE *fp) { - int _r = 0, log_size; + int _r = 0, log_size = 0, issyscheck = 0; char *p; + char *alertid = NULL; char *date = NULL; char *comment = NULL; char *location = NULL; char *srcip = NULL; + char *dstip = NULL; char *user = NULL; char *group = NULL; + char *filename = NULL; + char *old_md5 = NULL; + char *new_md5 = NULL; + char *old_sha1 = NULL; + char *new_sha1 = NULL; char **log = NULL; - int level, rule; - +#ifdef GEOIP + char *geoipdatasrc = NULL; + char *geoipdatadst = NULL; +#endif + int level, rule, srcport = 0, dstport = 0; + + char str[OS_BUFFER_SIZE+1]; str[OS_BUFFER_SIZE]='\0'; while(fgets(str, OS_BUFFER_SIZE, fp) != NULL) { - + /* Enf of alert */ - if(strcmp(str, "\n") == 0) + if(strcmp(str, "\n") == 0 && log_size > 0) { /* Found in here */ if(_r == 2) { alert_data *al_data; os_calloc(1, sizeof(alert_data), al_data); + al_data->alertid = alertid; al_data->level = level; al_data->rule = rule; al_data->location = location; 
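Review bot: The rewritten declaration `int level, rule, srcport = 0, dstport = 0;` initialises the two new port fields but still leaves `level` and `rule` indeterminate, and both are copied into `al_data->level` / `al_data->rule` at the end of the hunk, so an alert whose `Rule:` line is missing or fails to parse publishes uninitialised values. Suggest `int level = 0, rule = 0, srcport = 0, dstport = 0;`. Note also that the changed terminator test `strcmp(str, "\n") == 0 && log_size > 0` now skips the `_r = 0` reset when a blank line arrives before any log line has been stored, so header state from a log-less alert can persist into the next one — worth confirming against the alert layout this is meant to tolerate. GetAlertData's body continues well beyond this hunk.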
@@ -115,20 +207,46 @@ alert_data *GetAlertData(int flag, FILE *fp) al_data->group = group; al_data->log = log; al_data->srcip = srcip; + al_data->srcport = srcport; + al_data->dstip = dstip; + al_data->dstport = dstport; al_data->user = user; al_data->date = date; - + al_data->filename = filename; +#ifdef GEOIP + al_data->geoipdatasrc = geoipdatasrc; + al_data->geoipdatadst = geoipdatadst; +#endif + al_data->old_md5 = old_md5; + al_data->new_md5 = new_md5; + al_data->old_sha1 = old_sha1; + al_data->new_sha1 = new_sha1; + + return(al_data); } _r = 0; } - - + + /* Checking for the header */ if(strncmp(ALERT_BEGIN, str, ALERT_BEGIN_SZ) == 0) { + char *m; + int z = 0; p = str + ALERT_BEGIN_SZ + 1; - + + m = strstr(p, ":"); + if (!m) + { + continue; + } + + z = strlen(p) - strlen(m); + os_realloc(alertid, (z + 1)*sizeof(char *), alertid); + strncpy(alertid, p, z); + alertid[z] = '\0'; + /* Searching for email flag */ p = strchr(p, ' '); if(!p) @@ -137,10 +255,10 @@ alert_data *GetAlertData(int flag, FILE *fp) } p++; - - - /* Checking for the flags */ - if((flag & CRALERT_MAIL_SET) && + + + /* Checking for the flags */ + if((flag & CRALERT_MAIL_SET) && (strncmp(ALERT_MAIL, p, ALERT_MAIL_SZ) != 0)) { continue; @@ -154,6 +272,10 @@ alert_data *GetAlertData(int flag, FILE *fp) /* Cleaning new line from group */ os_clearnl(group, p); + if(group != NULL && strstr(group, "syscheck") != NULL) + { + issyscheck = 1; + } } @@ -164,16 +286,16 @@ alert_data *GetAlertData(int flag, FILE *fp) if(_r < 1) continue; - - + + /*** Extract information from the event ***/ - + /* r1 means: 2006 Apr 13 16:15:17 /var/log/auth.log */ if(_r == 1) { /* Clear new line */ os_clearnl(str, p); - + p = strchr(str, ':'); if(p) { 
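Review bot: `os_realloc(alertid, (z + 1)*sizeof(char *), alertid);` sizes a `char` buffer in units of `char *`, so it over-allocates about eightfold; it cannot overflow, but the expression misstates what is stored, and `z = strlen(p) - strlen(m)` walks the string twice to compute a prefix length that is simply the pointer difference. Suggest `z = (int)(m - p);` followed by `os_realloc(alertid, (size_t)z + 1, alertid);`, keeping the explicit `alertid[z] = '\0';` since `strncpy` does not terminate. The id is copied verbatim up to the first `:` with no validation that it is numeric, which is fine as long as consumers treat it as an opaque string.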
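Review bot: In the `@@ -154,6 +272,10 @@` hunk `issyscheck = 1` is set from the header's group string, but the only place it is cleared is after the first stored log line of the same alert (in the log-message branch further down), and the `l_error` cleanup that begins with `_r = 0;` does not touch it; an alert whose group matches `syscheck` but which bails out before a log line leaves the flag armed for the following alert. The practical effect is one extra prefix compare on that alert's first log line, but resetting it with the rest of the per-alert state, `_r = 0; issyscheck = 0;`, keeps the state machine honest. `strstr(group, "syscheck")` is a substring match, so any group name containing that token qualifies — presumably intended, but a one-line comment saying so would help.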
@@ -196,22 +318,22 @@ alert_data *GetAlertData(int flag, FILE *fp) /* If not, str is date and p is the location */ if(date || location) merror("ZZZ Merror date or location not NULL"); - + os_strdup(str, date); - os_strdup(p, location); + os_strdup(p, location); _r = 2; log_size = 0; continue; } - + else if(_r == 2) { /* Rule begin */ if(strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0) { os_clearnl(str,p); - + p = str + RULE_BEGIN_SZ; rule = atoi(p); @@ -226,17 +348,17 @@ alert_data *GetAlertData(int flag, FILE *fp) if(!p) goto l_error; - + level = atoi(p); - + /* Getting the comment */ p = strchr(p, '\''); if(!p) goto l_error; - + p++; os_strdup(p, comment); - + /* Must have the closing \' */ p = strrchr(comment, '\''); if(p) 
@@ -248,30 +370,117 @@ alert_data *GetAlertData(int flag, FILE *fp) goto l_error; } } - + /* srcip */ else if(strncmp(SRCIP_BEGIN, str, SRCIP_BEGIN_SZ) == 0) { os_clearnl(str,p); - + p = str + SRCIP_BEGIN_SZ; os_strdup(p, srcip); } +#ifdef GEOIP + /* GeoIP Source Location */ + else if (strncmp(GEOIP_BEGIN_SRC, str, GEOIP_BEGIN_SRC_SZ) == 0) + { + os_clearnl(str,p); + p = str + GEOIP_BEGIN_SRC_SZ; + os_strdup(p, geoipdatasrc); + } +#endif + /* srcport */ + else if(strncmp(SRCPORT_BEGIN, str, SRCPORT_BEGIN_SZ) == 0) + { + os_clearnl(str,p); + + p = str + SRCPORT_BEGIN_SZ; + srcport = atoi(p); + } + /* dstip */ + else if(strncmp(DSTIP_BEGIN, str, DSTIP_BEGIN_SZ) == 0) + { + os_clearnl(str,p); + + p = str + DSTIP_BEGIN_SZ; + os_strdup(p, dstip); + } +#ifdef GEOIP + /* GeoIP Destination Location */ + else if (strncmp(GEOIP_BEGIN_DST, str, GEOIP_BEGIN_DST_SZ) == 0) + { + os_clearnl(str,p); + p = str + GEOIP_BEGIN_DST_SZ; + os_strdup(p, geoipdatadst); + } +#endif + /* dstport */ + else if(strncmp(DSTPORT_BEGIN, str, DSTPORT_BEGIN_SZ) == 0) + { + os_clearnl(str,p); + + p = str + DSTPORT_BEGIN_SZ; + dstport = atoi(p); + } /* username */ else if(strncmp(USER_BEGIN, str, USER_BEGIN_SZ) == 0) { os_clearnl(str,p); - + p = str + USER_BEGIN_SZ; os_strdup(p, user); } + /* Old MD5 */ + else if(strncmp(OLDMD5_BEGIN, str, OLDMD5_BEGIN_SZ) == 0) + { + os_clearnl(str,p); + + p = str + OLDMD5_BEGIN_SZ; + os_strdup(p, old_md5); + } + /* New MD5 */ + else if(strncmp(NEWMD5_BEGIN, str, NEWMD5_BEGIN_SZ) == 0) + { + os_clearnl(str,p); + + p = str + NEWMD5_BEGIN_SZ; + os_strdup(p, new_md5); + } + /* Old SHA1 */ + else if(strncmp(OLDSHA1_BEGIN, str, OLDSHA1_BEGIN_SZ) == 0) + { + os_clearnl(str,p); + + p = str + OLDSHA1_BEGIN_SZ; + os_strdup(p, old_sha1); + } + /* New SHA1 */ + else if(strncmp(NEWSHA1_BEGIN, str, NEWSHA1_BEGIN_SZ) == 0) + { + os_clearnl(str,p); + + p = str + NEWSHA1_BEGIN_SZ; + os_strdup(p, new_sha1); + } /* It is a log message */ else if(log_size < 20) { os_clearnl(str,p); - + 
+ if(str != NULL && issyscheck == 1) + { + if(strncmp(str, "Integrity checksum changed for: '",33) == 0) + { + filename = strdup(str+33); + if(filename) + { + filename[strlen(filename) -1] = '\0'; + } + } + issyscheck = 0; + } + os_realloc(log, (log_size +2)*sizeof(char *), log); - os_strdup(str, log[log_size]); + os_strdup(str, log[log_size]); log_size++; log[log_size] = NULL; } @@ -279,7 +488,7 @@ alert_data *GetAlertData(int flag, FILE *fp) continue; l_error: - + /* Freeing the memory */ _r = 0; if(date) @@ -302,16 +511,56 @@ alert_data *GetAlertData(int flag, FILE *fp) free(srcip); srcip = NULL; } +#ifdef GEOIP + if(geoipdatasrc) + { + free(geoipdatasrc); + geoipdatasrc = NULL; + } + if(geoipdatadst) + { + free(geoipdatadst); + geoipdatadst = NULL; + } +#endif if(user) { free(user); user = NULL; } + if(filename) + { + free(filename); + filename = NULL; + } if(group) { free(group); group = NULL; } + if(old_md5) + { + free(old_md5); + old_md5 = NULL; + } + + if(new_md5) + { + free(new_md5); + new_md5 = NULL; + } + + if(old_sha1) + { + free(old_sha1); + old_sha1 = NULL; + } + + if(new_sha1) + { + free(new_sha1); + new_sha1 = NULL; + } while(log_size > 0) { log_size--; @@ -323,6 +572,12 @@ alert_data *GetAlertData(int flag, FILE *fp) } } + if(alertid) + { + free(alertid); + alertid = NULL; + } + /* We need to clean end of file before returning */ clearerr(fp); return(NULL);
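Review bot: `filename[strlen(filename) -1] = '\0';` underflows when the stored line is exactly the 33-byte prefix with nothing after the opening quote: `strlen` is 0, the index wraps to `SIZE_MAX`, and the write lands outside the allocation. The newline has already been stripped by `os_clearnl` by that point, so the line can be that short. Guard the length, `size_t fl = strlen(filename); if(fl > 0) { filename[fl - 1] = '\0'; }`, and consider `os_strdup` for consistency with every other field in this function (`strdup` here is the only raw call). `str != NULL` is always true for an array and can be dropped, and the literal `33` is a hand-counted length like the `*_SZ` defines, best written as `sizeof("Integrity checksum changed for: '") - 1`. The enclosing `while(fgets(...))` loop starts before and ends after this hunk.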
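Review bot: `dstip` is not released in the `l_error` cleanup: the `@@ -302,16 +511,56 @@` hunk adds frees for the GEOIP strings, `filename` and the md5/sha1 pairs but not `dstip`, and the untouched stretch between the `_r = 0;` hunk and this one keeps the same old/new offset (+209 in both headers), so no `dstip` free was added there either. An alert that reaches `l_error` after its `Dst IP:` line leaks that string, and the stale pointer is carried into the next alert parsed in the same call; add `if(dstip) { free(dstip); dstip = NULL; }` beside the `srcip` block. The int fields `srcport`, `dstport`, `level` and `rule` are likewise never reset on this path, so a following alert inherits them when its own lines are absent; `srcport = dstport = 0;` next to `_r = 0;` would cover the fields this commit introduces.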
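Review bot: The end-of-file path in the `@@ -323,6 +572,12 @@` hunk now frees `alertid` before `clearerr(fp)`, but none of the other per-alert strings are released there; if the file ends in the middle of an alert (header read, no terminating blank line, or no log line given the new `log_size > 0` test), `date`, `location`, `comment`, `group`, `srcip`, the `log` array and every string this commit adds (`dstip`, `filename`, the md5/sha1 pairs, the GEOIP data) are leaked before `return(NULL)`. That was already true for the pre-existing fields, but the new ones widen it; the simplest fix is to run the same release sequence the `l_error` label performs before returning. This assumes the `} }` at the top of the hunk closes the `while(fgets(...))` loop, which the surrounding lines are consistent with but do not show.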