1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
13 #include "getloglocation.h"
15 #include "eventinfo.h"
19 /* Drop/allow patterns.
 * Compiled once at start-up from FWDROP and FWALLOW (the OSMatch_Compile
 * calls further down call ErrorExit if compilation fails), then run by
 * FW_Log via OSMatch_Execute against lf->action to normalise firewall
 * verdicts that the explicit switch does not name into "DROP" / "ALLOW"
 * (the exact ordering of those checks is only partly visible in this
 * excerpt). File-scope mutable state: there is exactly one copy per
 * process and it is rewritten only by the init path. */
20 static OSMatch FWDROPpm;
21 static OSMatch FWALLOWpm;
23 /* Allow custom alert output tokens */
24 typedef enum e_custom_alert_tokens_id {
25 CUSTOM_ALERT_TOKEN_TIMESTAMP = 0,
26 CUSTOM_ALERT_TOKEN_FTELL,
27 CUSTOM_ALERT_TOKEN_RULE_ALERT_OPTIONS,
28 CUSTOM_ALERT_TOKEN_HOSTNAME,
29 CUSTOM_ALERT_TOKEN_LOCATION,
30 CUSTOM_ALERT_TOKEN_RULE_ID,
31 CUSTOM_ALERT_TOKEN_RULE_LEVEL,
32 CUSTOM_ALERT_TOKEN_RULE_COMMENT,
33 CUSTOM_ALERT_TOKEN_SRC_IP,
34 CUSTOM_ALERT_TOKEN_DST_USER,
35 CUSTOM_ALERT_TOKEN_FULL_LOG,
36 CUSTOM_ALERT_TOKEN_RULE_GROUP,
37 CUSTOM_ALERT_TOKEN_LAST
40 static const char CustomAlertTokenName[CUSTOM_ALERT_TOKEN_LAST][15] = {
55 /* Store the events in a file
56 * The string must be null terminated and contain
57 * any necessary new lines, tabs, etc.
59 void OS_Store(const Eventinfo *lf)
61 if (strcmp(lf->location, "ossec-keepalive") == 0) {
64 if (strstr(lf->location, "->ossec-keepalive") != NULL) {
69 "%d %s %02d %s %s%s%s %s\n",
74 lf->hostname != lf->location ? lf->hostname : "",
75 lf->hostname != lf->location ? "->" : "",
83 void OS_LogOutput(Eventinfo *lf)
85 #ifdef LIBGEOIP_ENABLED
86 if (Config.geoipdb_file) {
87 if (lf->srcip && !lf->srcgeoip) {
88 lf->srcgeoip = GetGeoInfobyIP(lf->srcip);
90 if (lf->dstip && !lf->dstgeoip) {
91 lf->dstgeoip = GetGeoInfobyIP(lf->dstip);
97 "** Alert %ld.%ld:%s - %s\n"
98 "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
99 "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",
102 lf->generated_rule->alert_opts & DO_MAILALERT ? " mail " : "",
103 lf->generated_rule->group,
108 lf->hostname != lf->location ? lf->hostname : "",
109 lf->hostname != lf->location ? "->" : "",
111 lf->generated_rule->sigid,
112 lf->generated_rule->level,
113 lf->generated_rule->comment,
115 lf->srcip == NULL ? "" : "\nSrc IP: ",
116 lf->srcip == NULL ? "" : lf->srcip,
118 #ifdef LIBGEOIP_ENABLED
119 lf->srcgeoip == NULL ? "" : "\nSrc Location: ",
120 lf->srcgeoip == NULL ? "" : lf->srcgeoip,
128 lf->srcport == NULL ? "" : "\nSrc Port: ",
129 lf->srcport == NULL ? "" : lf->srcport,
131 lf->dstip == NULL ? "" : "\nDst IP: ",
132 lf->dstip == NULL ? "" : lf->dstip,
134 #ifdef LIBGEOIP_ENABLED
135 lf->dstgeoip == NULL ? "" : "\nDst Location: ",
136 lf->dstgeoip == NULL ? "" : lf->dstgeoip,
144 lf->dstport == NULL ? "" : "\nDst Port: ",
145 lf->dstport == NULL ? "" : lf->dstport,
147 lf->dstuser == NULL ? "" : "\nUser: ",
148 lf->dstuser == NULL ? "" : lf->dstuser,
152 /* Print the last events if present */
153 if (lf->generated_rule->last_events) {
154 char **lasts = lf->generated_rule->last_events;
156 printf("%.1256s\n", *lasts);
159 lf->generated_rule->last_events[0] = NULL;
168 void OS_Log(Eventinfo *lf)
170 #ifdef LIBGEOIP_ENABLED
171 if (Config.geoipdb_file) {
172 if (lf->srcip && !lf->srcgeoip) {
173 lf->srcgeoip = GetGeoInfobyIP(lf->srcip);
175 if (lf->dstip && !lf->dstgeoip) {
176 lf->dstgeoip = GetGeoInfobyIP(lf->dstip);
181 /* Writing to the alert log file */
183 "** Alert %ld.%ld:%s - %s\n"
184 "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
185 "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",
188 lf->generated_rule->alert_opts & DO_MAILALERT ? " mail " : "",
189 lf->generated_rule->group,
194 lf->hostname != lf->location ? lf->hostname : "",
195 lf->hostname != lf->location ? "->" : "",
197 lf->generated_rule->sigid,
198 lf->generated_rule->level,
199 lf->generated_rule->comment,
201 lf->srcip == NULL ? "" : "\nSrc IP: ",
202 lf->srcip == NULL ? "" : lf->srcip,
204 #ifdef LIBGEOIP_ENABLED
205 lf->srcgeoip == NULL ? "" : "\nSrc Location: ",
206 lf->srcgeoip == NULL ? "" : lf->srcgeoip,
213 lf->srcport == NULL ? "" : "\nSrc Port: ",
214 lf->srcport == NULL ? "" : lf->srcport,
216 lf->dstip == NULL ? "" : "\nDst IP: ",
217 lf->dstip == NULL ? "" : lf->dstip,
219 #ifdef LIBGEOIP_ENABLED
220 lf->dstgeoip == NULL ? "" : "\nDst Location: ",
221 lf->dstgeoip == NULL ? "" : lf->dstgeoip,
229 lf->dstport == NULL ? "" : "\nDst Port: ",
230 lf->dstport == NULL ? "" : lf->dstport,
232 lf->dstuser == NULL ? "" : "\nUser: ",
233 lf->dstuser == NULL ? "" : lf->dstuser,
237 /* Print the last events if present */
238 if (lf->generated_rule->last_events) {
239 char **lasts = lf->generated_rule->last_events;
241 fprintf(_aflog, "%.1256s\n", *lasts);
244 lf->generated_rule->last_events[0] = NULL;
247 fprintf(_aflog, "\n");
253 void OS_CustomLog(const Eventinfo *lf, const char *format)
257 char tmp_buffer[1024];
259 /* Replace all the tokens */
260 os_strdup(format, log);
262 snprintf(tmp_buffer, 1024, "%ld", (long int)lf->time);
263 tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_TIMESTAMP], tmp_buffer);
268 snprintf(tmp_buffer, 1024, "%ld", __crt_ftell);
269 log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_FTELL], tmp_buffer);
275 snprintf(tmp_buffer, 1024, "%s", (lf->generated_rule->alert_opts & DO_MAILALERT) ? "mail " : "");
276 tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_ALERT_OPTIONS], tmp_buffer);
282 snprintf(tmp_buffer, 1024, "%s", lf->hostname ? lf->hostname : "None");
283 log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_HOSTNAME], tmp_buffer);
289 snprintf(tmp_buffer, 1024, "%s", lf->location ? lf->location : "None");
290 tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_LOCATION], tmp_buffer);
296 snprintf(tmp_buffer, 1024, "%d", lf->generated_rule->sigid);
297 log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_ID], tmp_buffer);
303 snprintf(tmp_buffer, 1024, "%d", lf->generated_rule->level);
304 tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_LEVEL], tmp_buffer);
310 snprintf(tmp_buffer, 1024, "%s", lf->srcip ? lf->srcip : "None");
311 log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_SRC_IP], tmp_buffer);
317 snprintf(tmp_buffer, 1024, "%s", lf->dstuser ? lf->dstuser : "None");
319 tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_DST_USER], tmp_buffer);
325 escaped_log = escape_newlines(lf->full_log);
327 log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_FULL_LOG], escaped_log );
334 os_free(escaped_log);
338 snprintf(tmp_buffer, 1024, "%s", lf->generated_rule->comment ? lf->generated_rule->comment : "");
339 tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_COMMENT], tmp_buffer);
345 snprintf(tmp_buffer, 1024, "%s", lf->generated_rule->group ? lf->generated_rule->group : "");
346 log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_GROUP], tmp_buffer);
352 fprintf(_aflog, "%s", log);
353 fprintf(_aflog, "\n");
366 /* Initialize fw log regexes */
367 if (!OSMatch_Compile(FWDROP, &FWDROPpm, 0)) {
368 ErrorExit(REGEX_COMPILE, ARGV0, FWDROP,
372 if (!OSMatch_Compile(FWALLOW, &FWALLOWpm, 0)) {
373 ErrorExit(REGEX_COMPILE, ARGV0, FWALLOW,
378 int FW_Log(Eventinfo *lf)
380 /* If we don't have the srcip or the
381 * action, there is no point in going
384 if (!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
385 !lf->dstport || !lf->protocol) {
389 /* Set the actions */
390 switch (*lf->action) {
391 /* discard, drop, deny, */
401 os_strdup("DROP", lf->action);
410 os_strdup("CLOSED", lf->action);
422 os_strdup("ALLOW", lf->action);
425 if (OSMatch_Execute(lf->action, strlen(lf->action), &FWDROPpm)) {
427 os_strdup("DROP", lf->action);
429 if (OSMatch_Execute(lf->action, strlen(lf->action), &FWALLOWpm)) {
431 os_strdup("ALLOW", lf->action);
434 os_strdup("UNKNOWN", lf->action);
441 "%d %s %02d %s %s%s%s %s %s %s:%s->%s:%s\n",
446 lf->hostname != lf->location ? lf->hostname : "",
447 lf->hostname != lf->location ? "->" : "",