5 # ---------------------------------------------------------------------------
6 # Author: Meir Michanie (meirm@riunx.com)
7 # Co-Author: J.A.Senger (jorge@br10.com.br)
9 # ---------------------------------------------------------------------------
10 # http://www.riunx.com/
11 # ---------------------------------------------------------------------------
13 # ---------------------------------------------------------------------------
15 # ---------------------------------------------------------------------------
17 # "Ossec to Mysql" records the OSSEC HIDS alert logs in MySQL database.
18 # It can run as a daemon (ossec2mysqld.pl), recording in real-time the logs in database or
19 # as a simple script (ossec2mysql.pl).
21 # ---------------------------------------------------------------------------
23 # ---------------------------------------------------------------------------
26 # Perl DBD::mysql module
29 # ---------------------------------------------------------------------------
31 # ---------------------------------------------------------------------------
33 # 1) Create new database
34 # 2a) Run ossec2mysql.sql to create MySQL tables in your database
35 # 2b) Create BASE tables with snort tables extention
36 # 3) Create a user to access the database;
37 # 4) Copy ossec2mysql.conf to /etc/ossec2mysql.conf with 0600 permissions
38 # 3) Edit /etc/ossec2mysql.conf according to your configuration:
49 # ---------------------------------------------------------------------------
51 # ---------------------------------------------------------------------------
53 # This program is free software; you can redistribute it and/or
54 # modify it under the terms of the GNU General Public License
55 # as published by the Free Software Foundation; either version 2
56 # of the License, or (at your option) any later version.
58 # This program is distributed in the hope that it will be useful,
59 # but WITHOUT ANY WARRANTY; without even the implied warranty of
60 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
61 # GNU General Public License for more details.
63 # You should have received a copy of the GNU General Public License
64 # along with this program; if not, write to the Free Software
65 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
67 # ---------------------------------------------------------------------------
69 # ---------------------------------------------------------------------------
71 # OSSEC HIDS is an Open Source Host-based Intrusion Detection System.
72 # It performs log analysis and correlation, integrity checking,
73 # rootkit detection, time-based alerting and active response.
74 # http://www.ossec.net
76 # ---------------------------------------------------------------------------
78 # ---------------------------------------------------------------------------
80 # ---------------------------------------------------------------------------
81 $SIG{TERM} = sub { &gracefulend('TERM')};
82 $SIG{INT} = sub { &gracefulend('INT')};
84 my ($DAEMONLOGFILE)='/var/log/ossec2mysql.log';
85 my ($DAEMONLOGERRORFILE) = '/var/log/ossec2mysql.err';
86 my ($LOGGER)='ossec2mysql';
90 $conf{dbhost}='localhost';
91 $conf{database}='snort';
94 $conf{dbpasswd}='password';
97 $conf{sensor}='sensor';
98 $conf{hids_interface}='ossec';
102 my($OCT) = '(?:25[012345]|2[0-4]\d|1?\d\d?)';
104 my($IP) = $OCT . '\.' . $OCT . '\.' . $OCT . '\.' . $OCT;
108 &help() unless @ARGV;
110 my ($hids_id,$hids,$hids_interface,$last_cid)=(undef, 'localhost', 'ossec',0);
111 my ($tempvar,$VERBOSE)=(0,0);
112 # ---------------------------------------------------------------------------
114 # ---------------------------------------------------------------------------
117 if (m/^-d$|^--daemon$/){
119 }elsif ( m/^-h$|^--help$/){
121 }elsif ( m/^-n$|^--noname$/){
123 }elsif ( m/^-v$|^--verbose$/){
125 }elsif ( m/^--interface$/){
126 $conf{hids_interface}= shift @ARGV if @ARGV; # ossec-rt/ossec-feed
127 }elsif ( m/^--sensor$/){
128 $conf{sensor}= shift @ARGV if @ARGV; # monitor
129 }elsif ( m/^--conf$/){
130 $conf{conf}= shift @ARGV if @ARGV; # localhost
132 }elsif ( m/^--dbhost$/){
133 $conf{dbhost}= shift @ARGV if @ARGV; # localhost
134 }elsif ( m/^--dbport$/){
135 $conf{dbport}= shift @ARGV if @ARGV; # localhost
136 }elsif ( m/^--dbname$/){
137 $conf{database}= shift @ARGV if @ARGV; # snort
138 }elsif ( m/^--dbuser$/){
139 $conf{dbuser}= shift @ARGV if @ARGV; # root
140 }elsif ( m/^--dbpass$/){
141 $conf{dbpasswd}= shift @ARGV if @ARGV; # monitor
145 if ($conf{dbpasswd}=~ m/^--stdin$/){
148 chomp $conf{dbpasswd};
150 $hids=$conf{sensor} if exists($conf{sensor});
151 $hids_interface=$conf{hids_interface} if exists($conf{hids_interface});
153 &daemonize() if $conf{daemonize};
154 my $dbi= ossecmysql->new(%conf) || die ("Could not connect to $conf{dbhost}:$conf{dbport}:$conf{database} as $conf{dbpasswd}\n");
157 my ($query,$numrows,$row_ref);
160 $query= 'select sid,last_cid from sensor where hostname=? and interface=?';
161 $numrows= $dbi->execute($query,$hids,$hids_interface);
163 $row_ref=$dbi->{sth}->fetchrow_hashref;
164 $hids_id=$row_ref->{sid};
165 $last_cid=$row_ref->{last_cid};
167 $query="INSERT INTO sensor ( sid , hostname , interface , filter , detail , encoding , last_cid )
169 NULL , ?, ? , NULL , ? , ?, ?
171 $numrows= $dbi->execute($query,$hids,$hids_interface,1,2,0);
172 $hids_id=$dbi->lastid();
175 &forceprintlog ("SENSOR:$hids; feed:$hids_interface; id:$hids_id; last cid:$last_cid");
180 my ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,
181 $srcip,$dstip,$user,$text)=();
184 ########################################################
185 my $datepath=`date "+%Y/%b/ossec-alerts-%d.log"`;
186 my $LOG='/var/ossec/logs/alerts/'. $datepath;
188 &taillog($last_cid,$LOG);
189 ################################################################
199 my ($last_cid,$LOG)=@_;
203 next unless $timestamp;
204 $alerthostip=$alerthost if $alerthost=~ m/^$IP$/;
207 $resolv{$alerthost}=$dstip;
209 if (exists $resolv{$alerthost}){
210 $dstip=$resolv{$alerthost};
212 if ($conf{'resolve'}){
213 $dstip=`host $alerthost 2>/dev/null | grep 'has address' `;
214 if ($dstip =~m/(\d+\.\d+\.\d+\.\d+)/ ){
222 $resolv{$alerthost}=$dstip;
227 $last_cid= &prepair2basedata(
244 ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,
245 $srcip,$dstip,$user,$text)=();
248 if (m/^\*\* Alert ([0-9]+).([0-9]+):(.*)$/){
250 if ( $timestamp == $lasttimestamp){
254 $lasttimestamp=$timestamp;
258 $mail=$mail ? $mail : 'nomail';
259 #2006 Aug 29 17:19:52 firewall -> /var/log/messages
260 #2006 Aug 30 11:52:14 192.168.0.45->/var/log/secure
261 #2006 Sep 12 11:12:16 92382-Snort1 -> 172.16.176.132
263 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+(\S+)\s*->(.*)$/){
267 if ($datasource=~ m/(\d+\.\d+\.\d+\.\d+)/){
269 $datasource="remoted";
273 #2006 Aug 29 17:33:31 (recepcao) 10.0.3.154 -> syscheck
274 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+\((.*?)\)\s+(\S+)\s*->(.*)$/){
279 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)$/){
281 $alerthost='localhost';
283 }elsif ( m/Rule: ([0-9]+) \(level ([0-9]+)\) -> (.*)$/ ){
287 }elsif ( m/Src IP:/){
293 }elsif ( m/User: (.*)$/){
300 } # End while read line
306 if ($ip=~ m/(\d+)\.(\d+)\.(\d+)\.(\d+)/){
307 my $num= ($1 * 256 ** 3) + ($2 * 256 ** 2)+ ($3 * 256 ** 1)+ ($4);
316 sub prepair2basedata(){
334 my ($count,$query,$row_ref,$sig_id);
337 # Get/Set signature id
338 $query = "SELECT sig_id FROM signature where sig_name=? and sig_class_id=? and sig_priority=? and sig_rev=? and sig_sid=? and sig_gid is NULL";
339 $dbi->execute($query,$description,1,$level,0,$rule);
340 $count=$dbi->{sth}->rows;
342 $row_ref=$dbi->{sth}->fetchrow_hashref;
343 $sig_id=$row_ref->{sig_id};
344 &printlog ("REUSING SIGNATURE\n");
346 $query="INSERT INTO signature ( sig_id , sig_name , sig_class_id , sig_priority , sig_rev , sig_sid , sig_gid )
348 NULL ,?, ? , ? , ? , ?, NULL
350 $dbi->execute($query,$description,1,$level,0,$rule);
351 $sig_id = $dbi->lastid();
354 &printlog ("SIGNATURE: $sig_id\n");
358 $query="INSERT INTO event ( sid , cid , signature , timestamp )
363 $dbi->execute($query,$hids_id,$last_cid,$sig_id,&fixdate2base($date));
365 &printlog ("EVENT: ($query,$hids_id,$last_cid,$sig_id,&fixdate2base($date)\n");
370 $query=" INSERT INTO acid_event ( sid , cid , signature , sig_name , sig_class_id , sig_priority , timestamp , ip_src , ip_dst , ip_proto , layer4_sport , layer4_dport )
372 ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?, ?
374 $dbi->execute($query,$hids_id,$last_cid,$sig_id,$description,1,$level,&fixdate2base($date),&ossec_aton($srcip),&ossec_aton($dstip),undef,undef,undef);
375 &printlog ("ACID_EVENT: ($query,$hids_id,$last_cid,$sig_id,$description,1,$level,&fixdate2base($date),&ossec_aton($srcip),&ossec_aton($dstip),undef,undef)\n");
382 $text = "** Alert $timestamp.$sec:\t$mail\n$date $alerthost -> $datasource\nRule: $rule (level $level) -> $description\nSrc IP: ($srcip)\nUser: $user\n$text";
383 $query=" INSERT INTO data ( sid , cid , data_payload )
386 $dbi->execute($query,$hids_id,$last_cid,$text);
387 &printlog ("DATA: ($query,$hids_id,$last_cid,$text)\n");
391 $query="UPDATE sensor SET last_cid=? where sid=? limit 1";
392 $numrows= $dbi->execute($query,$last_cid,$hids_id);
400 $date=~ s/ Jan /-01-/;
401 $date=~ s/ Feb /-02-/;
402 $date=~ s/ Mar /-03-/;
403 $date=~ s/ Apr /-04-/;
404 $date=~ s/ May /-05-/;
405 $date=~ s/ Jun /-06-/;
406 $date=~ s/ Jul /-07-/;
407 $date=~ s/ Aug /-08-/;
408 $date=~ s/ Sep /-09-/;
409 $date=~ s/ Oct /-10-/;
410 $date=~ s/ Nov /-11-/;
411 $date=~ s/ Dec /-12-/;
416 print "OSSEC report tool $VERSION\n";
417 print "Licensed under GPL\n";
418 print "Contributor Meir Michanie\n";
423 print "This tool helps you import into base the alerts generated by ossec."
424 . " More info in the doc directory .\n";
426 print "$0 [-h|--help] # This text you read now\n";
428 print "\t--dbhost <hostname>\n";
429 print "\t--dbname <database>\n";
430 print "\t--dbport <[0-9]+>\n";
431 print "\t--dbpass <dbpasswd>\n";
432 print "\t--dbuser <dbuser>\n";
433 print "\t-d|--daemonize\n";
434 print "\t-n|--noname\n";
435 print "\t-v|--verbose\n";
436 print "\t--conf <ossec2based-config>\n";
437 print "\t--sensor <sensor-name>\n";
438 print "\t--interface <ifname>\n";
445 chdir '/' or die "Can't chdir to /: $!";
446 open STDIN, '/dev/null' or die "Can't read /dev/null: $!";
447 open STDOUT, ">>$DAEMONLOGFILE"
448 or die "Can't write to $DAEMONLOGFILE: $!";
449 defined(my $pid = fork) or die "Can't fork: $!";
451 open (PIDFILE , ">/var/run/ossec2base2.pid") ;
452 print PIDFILE "$pid\n";
456 setsid or die "Can't start a new session: $!";
457 open STDERR, ">>$DAEMONLOGERRORFILE" or die "Can't write to $DAEMONLOGERRORFILE: $!";
462 &forceprintlog ("Terminating upon signal $signal");
463 &forceprintlog ("Daemon halted");
470 return unless $VERBOSE;
472 foreach my $line(@lines){
474 my ($date)=scalar localtime;
475 $date=~ s/^\S+\s+(\S+.*\s[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}).*$/$1/;
476 print "$date $LOGGER: $line\n";
483 my $conf=$hash_ref->{conf};
484 unless (-f $conf) { &printlog ("ERROR: I can't find config file $conf"); exit 1;}
485 unless (open ( CONF , "$conf")){ &printlog ("ERROR: I can't open file $conf");exit 1;}
488 if ( m/^(\S+)\s?=\s?(.*?)$/) {
489 $hash_ref->{$1} = $2;