X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fshared%2Freport_op.c;h=ede6310fae4f9725836c95e58c1e8e98a686df0c;hp=06dc8b4c62e078efc0505eb527c5f24c066db504;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hpb=301048b51990573e58a30dc4a5bb4ec285cad554 diff --git a/src/shared/report_op.c b/src/shared/report_op.c index 06dc8b4..ede6310 100755 --- a/src/shared/report_op.c +++ b/src/shared/report_op.c @@ -1,4 +1,5 @@ -/* @(#) $Id$ */ +/* @(#) $Id: ./src/shared/report_op.c, 2011/09/08 dcid Exp $ + */ /* Copyright (C) 2009 Trend Micro Inc. * All rights reserved. @@ -35,12 +36,12 @@ void l_print_out(const char *msg, ...) /* Sort function used by OSStore sort. - * Returns if d1 > d2. + * Returns if d1 > d2. */ void *_os_report_sort_compare(void *d1, void *d2) { OSList *d1l = (OSList *)d1; - OSList *d2l = (OSList *)d2; + OSList *d2l = (OSList *)d2; if(d1l->currently_size > d2l->currently_size) { @@ -71,7 +72,7 @@ void _os_header_print(int t, char *hname) int _os_report_str_int_compare(char *str, int id) { int pt_check = 0; - + do { if((*str == ',')||(*str == ' ')) @@ -151,6 +152,13 @@ int _os_report_check_filters(alert_data *al_data, report_filter *r_filter) return(0); } } + if(r_filter->files) + { + if(!strstr(al_data->filename, r_filter->files)) + { + return(0); + } + } return(1); } @@ -207,11 +215,19 @@ int _report_filter_value(char *filter_by, int prev_filter) } return(prev_filter); } + else if(strcmp(filter_by, "filename") == 0) + { + if(!(prev_filter & REPORT_REL_FILE)) + { + prev_filter|=REPORT_REL_FILE; + } + return(prev_filter); + } else { merror("%s: ERROR: Invalid relation '%s'.", __local_name, filter_by); return(-1); - } + } } 
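Review bot: The new filter block in `_os_report_check_filters` passes `al_data->filename` straight to `strstr()`, yet the same commit treats that field as nullable everywhere else (the `al_data->filename != NULL` guards in `os_ReportdStart` and `_os_report_print_related`), so an alert without a filename dereferences NULL as soon as a `filename` filter is configured. The test should read `if(al_data->filename == NULL || !strstr(al_data->filename, r_filter->files))` so such alerts are excluded instead of aborting the report run. Whether an alert with no filename should match or be dropped is a policy choice; dropping mirrors what a non-matching filename already does. The enclosing function begins before this hunk.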
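Review bot: The guard `if(!(prev_filter & REPORT_REL_FILE))` around `prev_filter|=REPORT_REL_FILE;` in the new `filename` branch of `_report_filter_value` is redundant, since OR-ing a bit that is already set changes nothing; `prev_filter |= REPORT_REL_FILE;` alone states the intent and removes a nesting level. If the sibling branches (outside this hunk) use the same guarded form, keeping it for uniformity is defensible, but the simpler form is preferable for new code. The function's head lies before this hunk.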
@@ -222,13 +238,13 @@ int _os_report_print_related(int print_related, OSList *st_data) OSListNode *list_entry; alert_data *list_aldata; alert_data *saved_aldata; - - + + list_entry = OSList_GetFirstNode(st_data); while(list_entry) { saved_aldata = (alert_data *)list_entry->data; - + /* Removing duplicates. */ list_entry = list_entry->prev; while(list_entry) @@ -263,7 +279,10 @@ int _os_report_print_related(int print_related, OSList *st_data) else if(print_related & REPORT_REL_USER) { list_aldata = (alert_data *)list_entry->data; - if(strcmp(list_aldata->user, saved_aldata->user) == 0) + if(list_aldata->user == NULL || saved_aldata->user == NULL) + { + } + else if(strcmp(list_aldata->user, saved_aldata->user) == 0) { break; } @@ -272,7 +291,10 @@ int _os_report_print_related(int print_related, OSList *st_data) else if(print_related & REPORT_REL_SRCIP) { list_aldata = (alert_data *)list_entry->data; - if(strcmp(list_aldata->srcip, saved_aldata->srcip) == 0) + if(list_aldata->srcip == NULL || saved_aldata->srcip == NULL) + { + } + else if(strcmp(list_aldata->srcip, saved_aldata->srcip) == 0) { break; } @@ -286,6 +308,17 @@ int _os_report_print_related(int print_related, OSList *st_data) break; } } + else if(print_related & REPORT_REL_FILE) + { + list_aldata = (alert_data *)list_entry->data; + if(list_aldata->filename == NULL || saved_aldata->filename == NULL) + { + } + else if(strcmp(list_aldata->filename, saved_aldata->filename) == 0) + { + break; + } + } list_entry = list_entry->prev; } 
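Review bot: The three duplicate-detection branches added in `_os_report_print_related` for REPORT_REL_USER, REPORT_REL_SRCIP and REPORT_REL_FILE each use an empty `if(... == NULL || ... == NULL) { }` body followed by `else if(strcmp(...) == 0)`, which reads like an accidental no-op. Folding the NULL test into the comparison, e.g. `if(list_aldata->user && saved_aldata->user && strcmp(list_aldata->user, saved_aldata->user) == 0) { break; }`, is equivalent and self-explanatory; the same applies to the srcip and filename branches in the next two hunks. As written, an entry whose field is NULL is never collapsed as a duplicate of another NULL entry, so alerts lacking the field all print individually; if that is intended, a one-line comment saying so would help (`/* Entries without this field are never collapsed as duplicates. */`). The loop and the function extend beyond these hunks.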
@@ -297,12 +330,14 @@ int _os_report_print_related(int print_related, OSList *st_data) l_print_out(" group: '%s'", saved_aldata->group); else if(print_related & REPORT_REL_RULE) l_print_out(" rule: '%d'", saved_aldata->rule); - else if(print_related & REPORT_REL_SRCIP) + else if(print_related & REPORT_REL_SRCIP && saved_aldata->srcip) l_print_out(" srcip: '%s'", saved_aldata->srcip); - else if(print_related & REPORT_REL_USER) + else if(print_related & REPORT_REL_USER && saved_aldata->user) l_print_out(" user: '%s'", saved_aldata->user); else if(print_related & REPORT_REL_LEVEL) l_print_out(" level: '%d'", saved_aldata->level); + else if(print_related & REPORT_REL_FILE && saved_aldata->filename) + l_print_out(" filename: '%s'", saved_aldata->filename); } list_entry = OSList_GetNextNode(st_data); @@ -347,7 +382,7 @@ void os_report_printtop(void *topstore_pt, char *hname, int print_related) int dopdout = 0; OSStore *topstore = (OSStore *)topstore_pt; OSStoreNode *next_node; - + next_node = OSStore_GetFirstNode(topstore); while(next_node) { @@ -396,6 +431,8 @@ void os_report_printtop(void *topstore_pt, char *hname, int print_related) _os_report_print_related(REPORT_REL_GROUP, st_data); if(print_related & REPORT_REL_LEVEL) _os_report_print_related(REPORT_REL_LEVEL, st_data); + if(print_related & REPORT_REL_FILE) + _os_report_print_related(REPORT_REL_FILE, st_data); } @@ -408,7 +445,7 @@ void os_report_printtop(void *topstore_pt, char *hname, int print_related) l_print_out(" "); l_print_out(" "); } - return; + return; } @@ -420,11 +457,11 @@ void os_ReportdStart(report_filter *r_filter) char *first_alert = NULL; char *last_alert = NULL; void **data_to_clean = NULL; - - - time_t tm; - struct tm *p; - + + + time_t tm; + struct tm *p; + file_queue *fileq; alert_data *al_data; 
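Review bot: The new conditions `print_related & REPORT_REL_SRCIP && saved_aldata->srcip` (and the user and filename counterparts) rely on `&` binding tighter than `&&`, which is correct but is exactly the precedence mix readers misjudge; writing `else if((print_related & REPORT_REL_SRCIP) && saved_aldata->srcip)` costs nothing and makes the flag test explicit. With the extra operand, a NULL field now falls through to the remaining `else if` branches rather than printing anything; the callers visible in `os_report_printtop` pass one flag at a time, so the fall-through appears harmless, but a short comment (`/* Skip fields the alert did not carry. */`) would record why nothing is printed in that case. `_os_report_print_related` starts before this hunk.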
@@ -466,10 +503,12 @@ void os_ReportdStart(report_filter *r_filter) r_filter->top_rule = OSStore_Create(); r_filter->top_group = OSStore_Create(); r_filter->top_location = OSStore_Create(); - + r_filter->top_files = OSStore_Create(); + Init_FileQueue(fileq, p, CRALERT_READ_ALL|CRALERT_FP_SET); + /* Reading the alerts. */ while(1) { @@ -481,7 +520,7 @@ void os_ReportdStart(report_filter *r_filter) } alerts_processed++; - + /* Checking the filters. */ if(!_os_report_check_filters(al_data, r_filter)) @@ -489,8 +528,8 @@ void os_ReportdStart(report_filter *r_filter) FreeAlertData(al_data); continue; } - - + + alerts_filtered++; data_to_clean = os_AddPtArray(al_data, data_to_clean); @@ -499,15 +538,15 @@ void os_ReportdStart(report_filter *r_filter) if(!first_alert) first_alert = al_data->date; last_alert = al_data->date; - - + + /* Adding source ip if it is set properly. */ - if(strcmp(al_data->srcip, "(none)") != 0) + if(al_data->srcip != NULL && strcmp(al_data->srcip, "(none)") != 0) _os_report_add_tostore(al_data->srcip, r_filter->top_srcip, al_data); - + /* Adding user if it is set properly. */ - if(strcmp(al_data->user, "(none)") != 0) + if(al_data->user != NULL && strcmp(al_data->user, "(none)") != 0) _os_report_add_tostore(al_data->user, r_filter->top_user, al_data); @@ -518,10 +557,10 @@ void os_ReportdStart(report_filter *r_filter) mrule[76] = '\0'; snprintf(mlevel, 16, "Severity %d" , al_data->level); snprintf(mrule, 76, "%d - %s" , al_data->rule, al_data->comment); - - _os_report_add_tostore(strdup(mlevel), r_filter->top_level, + + _os_report_add_tostore(strdup(mlevel), r_filter->top_level, al_data); - _os_report_add_tostore(strdup(mrule), r_filter->top_rule, + _os_report_add_tostore(strdup(mrule), r_filter->top_rule, al_data); } @@ -543,8 +582,8 @@ void os_ReportdStart(report_filter *r_filter) mgroup++; continue; } - - _os_report_add_tostore(tmp_str, r_filter->top_group, + + _os_report_add_tostore(tmp_str, r_filter->top_group, al_data); mgroup++; } 
@@ -556,16 +595,23 @@ void os_ReportdStart(report_filter *r_filter) tmp_str++; if(*tmp_str != '\0') { - _os_report_add_tostore(tmp_str, r_filter->top_group, + _os_report_add_tostore(tmp_str, r_filter->top_group, al_data); } } } - /* Adding to the location top filter. */ - _os_report_add_tostore(al_data->location, r_filter->top_location, + /* Adding to the location top filter. */ + _os_report_add_tostore(al_data->location, r_filter->top_location, al_data); + + + if(al_data->filename != NULL) + { + _os_report_add_tostore(al_data->filename, r_filter->top_files, + al_data); + } } /* No report available */ @@ -574,15 +620,15 @@ void os_ReportdStart(report_filter *r_filter) if(!r_filter->report_name) merror("%s: INFO: Report completed and zero alerts post-filter.", __local_name); else - merror("%s: INFO: Report '%s' completed and zero alerts post-filter.", __local_name, r_filter->report_name); + merror("%s: INFO: Report '%s' completed and zero alerts post-filter.", __local_name, r_filter->report_name); return; } - + if(r_filter->report_name) verbose("%s: INFO: Report '%s' completed. Creating output...", __local_name, r_filter->report_name); else - verbose("%s: INFO: Report completed. Creating output...", __local_name); + verbose("%s: INFO: Report completed. Creating output...", __local_name); l_print_out(" "); 
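Review bot: The new `if(al_data->filename != NULL)` block that feeds `r_filter->top_files` lacks the one-line comment that the sibling blocks visible in this diff carry (the location block directly above it has `/* Adding to the location top filter. */`); add `/* Adding to the filename top filter, when the alert carries one. */` above it. The block is also preceded by three added blank lines while the rest of the hunk is busy stripping trailing whitespace; one blank line is the convention elsewhere in this function. `os_ReportdStart` continues beyond this hunk.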
@@ -591,66 +637,74 @@ void os_ReportdStart(report_filter *r_filter) else l_print_out("Report completed. =="); l_print_out("------------------------------------------------"); - + l_print_out("->Processed alerts: %d", alerts_processed); l_print_out("->Post-filtering alerts: %d", alerts_filtered); l_print_out("->First alert: %s", first_alert); l_print_out("->Last alert: %s", last_alert); l_print_out(" "); l_print_out(" "); - + OSStore_Sort(r_filter->top_srcip, _os_report_sort_compare); OSStore_Sort(r_filter->top_user, _os_report_sort_compare); OSStore_Sort(r_filter->top_level, _os_report_sort_compare); OSStore_Sort(r_filter->top_group, _os_report_sort_compare); OSStore_Sort(r_filter->top_location, _os_report_sort_compare); OSStore_Sort(r_filter->top_rule, _os_report_sort_compare); - + OSStore_Sort(r_filter->top_files, _os_report_sort_compare); + if(r_filter->top_srcip) os_report_printtop(r_filter->top_srcip, "Source ip", 0); - + if(r_filter->top_user) os_report_printtop(r_filter->top_user, "Username", 0); - + if(r_filter->top_level) os_report_printtop(r_filter->top_level, "Level", 0); - + if(r_filter->top_group) os_report_printtop(r_filter->top_group, "Group", 0); - + if(r_filter->top_location) os_report_printtop(r_filter->top_location, "Location", 0); - + if(r_filter->top_rule) os_report_printtop(r_filter->top_rule, "Rule", 0); + if(r_filter->top_files) + os_report_printtop(r_filter->top_files, "Filenames", 0); + /* Print related events. 
*/ if(r_filter->related_srcip) - os_report_printtop(r_filter->top_srcip, "Source ip", + os_report_printtop(r_filter->top_srcip, "Source ip", r_filter->related_srcip); if(r_filter->related_user) - os_report_printtop(r_filter->top_user, "Username", + os_report_printtop(r_filter->top_user, "Username", r_filter->related_user); if(r_filter->related_level) - os_report_printtop(r_filter->top_level, "Level", + os_report_printtop(r_filter->top_level, "Level", r_filter->related_level); if(r_filter->related_group) - os_report_printtop(r_filter->top_group, "Group", + os_report_printtop(r_filter->top_group, "Group", r_filter->related_group); - + if(r_filter->related_location) - os_report_printtop(r_filter->top_location, "Location", + os_report_printtop(r_filter->top_location, "Location", r_filter->related_location); - + if(r_filter->related_rule) - os_report_printtop(r_filter->top_rule, "Rule", + os_report_printtop(r_filter->top_rule, "Rule", r_filter->related_rule); - - + + if(r_filter->related_file) + os_report_printtop(r_filter->top_files, "Filename", + r_filter->related_file); + + /* If we have to dump the alerts. */ if(data_to_clean) { 
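Review bot: The two reports generated from `r_filter->top_files` are labelled inconsistently: the top listing uses `"Filenames"` while the related-events listing uses `"Filename"`, whereas every other store is printed under the same heading both times (`"Source ip"`, `"Username"`, and so on); pick one, e.g. `os_report_printtop(r_filter->top_files, "Filename", 0);`. Separately, `OSStore_Sort(r_filter->top_files, _os_report_sort_compare);` runs unconditionally while the printtop call two lines below is guarded by `if(r_filter->top_files)`; if `OSStore_Create` can return NULL, as those guards imply, the sort would dereference it, so either guard the sort or drop the guards. This mirrors the existing pattern for the other six stores, so it may be better fixed for all of them together. The function extends beyond this hunk.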
@@ -682,39 +736,43 @@ void os_ReportdStart(report_filter *r_filter) * report_filter *r_filter) * Checks the configuration filters. */ -int os_report_configfilter(char *filter_by, char *filter_value, +int os_report_configfilter(char *filter_by, char *filter_value, report_filter *r_filter, int arg_type) { if(!filter_by || !filter_value) { return(-1); } - + if(arg_type == REPORT_FILTER) { if(strcmp(filter_by, "group") == 0) { - r_filter->group = filter_value; + r_filter->group = filter_value; } else if(strcmp(filter_by, "rule") == 0) { - r_filter->rule = filter_value; + r_filter->rule = filter_value; } else if(strcmp(filter_by, "level") == 0) { - r_filter->level = filter_value; + r_filter->level = filter_value; } else if(strcmp(filter_by, "location") == 0) { - r_filter->location = filter_value; + r_filter->location = filter_value; } else if(strcmp(filter_by, "user") == 0) { - r_filter->user = filter_value; + r_filter->user = filter_value; } else if(strcmp(filter_by, "srcip") == 0) { - r_filter->srcip = filter_value; + r_filter->srcip = filter_value; + } + else if(strcmp(filter_by, "filename") == 0) + { + r_filter->files = filter_value; } else { @@ -726,7 +784,7 @@ int os_report_configfilter(char *filter_by, char *filter_value, { if(strcmp(filter_by, "group") == 0) { - r_filter->related_group = + r_filter->related_group = _report_filter_value(filter_value, r_filter->related_group); if(r_filter->related_group == -1) @@ -734,7 +792,7 @@ int os_report_configfilter(char *filter_by, char *filter_value, } else if(strcmp(filter_by, "rule") == 0) { - r_filter->related_rule = + r_filter->related_rule = _report_filter_value(filter_value, r_filter->related_rule); if(r_filter->related_rule == -1) @@ -742,7 +800,7 @@ int os_report_configfilter(char *filter_by, char *filter_value, } else if(strcmp(filter_by, "level") == 0) { - r_filter->related_level = + r_filter->related_level = _report_filter_value(filter_value, r_filter->related_level); if(r_filter->related_level == -1) 
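Review bot: The new `filename` case in `os_report_configfilter` stores into `r_filter->files`, while the matching related option further down is `related_file` and the user-facing key is `filename`; every other filter uses one spelling throughout (`group`/`related_group`, `srcip`/`related_srcip`). Three names for one concept will cost readers time; if the struct field is declared in a header outside this commit, a comment at the assignment (`/* "filename" filter; matched as a substring of alert_data->filename. */`) is the minimum, with a rename to `filename` preferred when the header is next touched. The function continues past this hunk.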
@@ -750,7 +808,7 @@ int os_report_configfilter(char *filter_by, char *filter_value, } else if(strcmp(filter_by, "location") == 0) { - r_filter->related_location = + r_filter->related_location = _report_filter_value(filter_value, r_filter->related_location); if(r_filter->related_location == -1) @@ -758,7 +816,7 @@ int os_report_configfilter(char *filter_by, char *filter_value, } else if(strcmp(filter_by, "srcip") == 0) { - r_filter->related_srcip = + r_filter->related_srcip = _report_filter_value(filter_value, r_filter->related_srcip); if(r_filter->related_srcip == -1) @@ -766,12 +824,20 @@ int os_report_configfilter(char *filter_by, char *filter_value, } else if(strcmp(filter_by, "user") == 0) { - r_filter->related_user = + r_filter->related_user = _report_filter_value(filter_value, r_filter->related_user); - + if(r_filter->related_user == -1) return(-1); } + else if(strcmp(filter_by, "filename") == 0) + { + r_filter->related_file = + _report_filter_value(filter_value, r_filter->related_file); + + if(r_filter->related_file == -1) + return(-1); + } else { merror("%s: ERROR: Invalid related entry '%s'.", __local_name, filter_by);