5 # ---------------------------------------------------------------------------
6 # Author: Meir Michanie (meirm@riunx.com)
7 # Co-Author: J.A.Senger (jorge@br10.com.br)
8 # $Id: ossec2mysqld.pl,v 1.11 2007/09/05 00:38:26 dcid Exp $
10 ## ---------------------------------------------------------------------------
11 # http://www.riunx.com/
12 # ---------------------------------------------------------------------------
14 # ---------------------------------------------------------------------------
16 # ---------------------------------------------------------------------------
18 # "Ossec to Mysql" records the OSSEC HIDS alert logs in MySQL database.
19 # It can run as a daemon (ossec2mysqld.pl), recording in real-time the logs in database or
20 # as a simple script (ossec2mysql.pl).
22 # ---------------------------------------------------------------------------
24 # ---------------------------------------------------------------------------
27 # Perl DBD::mysql module
30 # ---------------------------------------------------------------------------
32 # ---------------------------------------------------------------------------
34 # 1) Create new database
35 # 2a) Run ossec2mysql.sql to create MySQL tables in your database
36 # 2b) Create BASE tables with snort tables extention
37 # 3) Create a user to access the database;
38 # 4) Copy ossec2mysql.conf to /etc/ossec2mysql.conf with 0600 permissions
39 # 3) Edit /etc/ossec2mysql.conf according to your configuration:
50 # ---------------------------------------------------------------------------
52 # ---------------------------------------------------------------------------
54 # This program is free software; you can redistribute it and/or
55 # modify it under the terms of the GNU General Public License
56 # as published by the Free Software Foundation; either version 2
57 # of the License, or (at your option) any later version.
59 # This program is distributed in the hope that it will be useful,
60 # but WITHOUT ANY WARRANTY; without even the implied warranty of
61 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
62 # GNU General Public License for more details.
64 # You should have received a copy of the GNU General Public License
65 # along with this program; if not, write to the Free Software
66 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
68 # ---------------------------------------------------------------------------
70 # ---------------------------------------------------------------------------
72 # OSSEC HIDS is an Open Source Host-based Intrusion Detection System.
73 # It performs log analysis and correlation, integrity checking,
74 # rootkit detection, time-based alerting and active response.
75 # http://www.ossec.net
77 # ---------------------------------------------------------------------------
79 # ---------------------------------------------------------------------------
81 # ---------------------------------------------------------------------------
82 $SIG{TERM} = sub { &gracefulend('TERM')};
83 $SIG{INT} = sub { &gracefulend('INT')};
85 my ($DAEMONLOGFILE)='/var/log/ossec2mysql.log';
86 my ($DAEMONLOGERRORFILE) = '/var/log/ossec2mysql.err';
87 my ($LOGGER)='ossec2mysql';
91 $conf{dbhost}='localhost';
92 $conf{database}='snort';
95 $conf{dbpasswd}='password';
98 $conf{sensor}='sensor';
99 $conf{hids_interface}='ossec';
103 my($OCT) = '(?:25[012345]|2[0-4]\d|1?\d\d?)';
105 my($IP) = $OCT . '\.' . $OCT . '\.' . $OCT . '\.' . $OCT;
109 &help() unless @ARGV;
111 my ($hids_id,$hids,$hids_interface,$last_cid)=(undef, 'localhost', 'ossec',0);
112 my ($tempvar,$VERBOSE)=(0,0);
113 # ---------------------------------------------------------------------------
115 # ---------------------------------------------------------------------------
119 if (m/^-d$|^--daemon$/){
121 }elsif ( m/^-h$|^--help$/){
123 }elsif ( m/^-n$|^--noname$/){
125 }elsif ( m/^-v$|^--verbose$/){
127 }elsif ( m/^--interface$/){
128 $conf{hids_interface}= shift @ARGV if @ARGV; # ossec-rt/ossec-feed
129 }elsif ( m/^--sensor$/){
130 $conf{sensor}= shift @ARGV if @ARGV; # monitor
131 }elsif ( m/^--conf$/){
132 $conf{conf}= shift @ARGV if @ARGV; # localhost
134 }elsif ( m/^--dbhost$/){
135 $conf{dbhost}= shift @ARGV if @ARGV; # localhost
136 }elsif ( m/^--dbport$/){
137 $conf{dbport}= shift @ARGV if @ARGV; # localhost
138 }elsif ( m/^--dbname$/){
139 $conf{database}= shift @ARGV if @ARGV; # snort
140 }elsif ( m/^--dbuser$/){
141 $conf{dbuser}= shift @ARGV if @ARGV; # root
142 }elsif ( m/^--dbpass$/){
143 $conf{dbpasswd}= shift @ARGV if @ARGV; # monitor
147 if ($conf{dbpasswd}=~ m/^--stdin$/){
150 chomp $conf{dbpasswd};
152 $hids=$conf{sensor} if exists($conf{sensor});
153 $hids_interface=$conf{hids_interface} if exists($conf{hids_interface});
155 &daemonize() if $conf{daemonize};
156 my $dbi= ossecmysql->new(%conf) || die ("Could not connect to $conf{dbhost}:$conf{dbport}:$conf{database} as $conf{dbpasswd}\n");
159 my ($query,$numrows,$row_ref);
162 $query= 'select sid,last_cid from sensor where hostname=? and interface=?';
163 $numrows= $dbi->execute($query,$hids,$hids_interface);
165 $row_ref=$dbi->{sth}->fetchrow_hashref;
166 $hids_id=$row_ref->{sid};
167 $last_cid=$row_ref->{last_cid};
169 $query="INSERT INTO sensor ( sid , hostname , interface , filter , detail , encoding , last_cid )
171 NULL , ?, ? , NULL , ? , ?, ?
173 $numrows= $dbi->execute($query,$hids,$hids_interface,1,2,0);
174 $hids_id=$dbi->lastid();
177 &forceprintlog ("SENSOR:$hids; feed:$hids_interface; id:$hids_id; last cid:$last_cid");
183 my ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,
184 $srcip,$dstip,$user,$text)=();
187 ########################################################
188 my $datepath=`date "+%Y/%b/ossec-alerts-%d.log"`;
189 my $LOG='/var/ossec/logs/alerts/'. $datepath;
191 &taillog($last_cid,$LOG);
192 ###############################################################
200 my ($last_cid,$LOG)=@_;
201 my($offset, $line, $stall) = '';
203 $offset = (-s $LOG); # Don't start at beginning, go to end
210 $datepath=`date "+%Y/%b/ossec-alerts-%d.log"`;
211 $LOG='/var/ossec/logs/alerts/'. $datepath;
213 unless ( -f $LOG){&forceprintlog ("Error -f $LOG"); next; }
214 if ((-s $LOG) < $offset) {
215 &forceprintlog ("Log shrunk, resetting..");
219 unless (open(TAIL, $LOG)){ &forceprintlog ("Error opening $LOG: $!\n");next ;}
221 if (seek(TAIL, $offset, 0)) {
222 # found offset, log not rotated
226 seek(TAIL, $offset, 0);
231 next unless $timestamp;
232 $alerthostip=$alerthost if $alerthost=~ m/^$IP$/;
235 $resolv{$alerthost}=$dstip;
237 if (exists $resolv{$alerthost}){
238 $dstip=$resolv{$alerthost};
240 if ($conf{'resolve'}){
241 $dstip=`host $alerthost 2>/dev/null | grep 'has address' `;
242 if ($dstip =~m/(\d+\.\d+\.\d+\.\d+)/ ){
250 $resolv{$alerthost}=$dstip;
254 $last_cid= &prepair2basedata(
271 ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,
272 $srcip,$dstip,$user,$text)=();
275 if (m/^\*\* Alert ([0-9]+).([0-9]+):(.*)$/){
277 if ( $timestamp == $lasttimestamp){
281 $lasttimestamp=$timestamp;
285 $mail=$mail ? $mail : 'nomail';
286 #2006 Aug 29 17:19:52 firewall -> /var/log/messages
287 #2006 Aug 30 11:52:14 192.168.0.45->/var/log/secure
288 #2006 Sep 12 11:12:16 92382-Snort1 -> 172.16.176.132
290 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+(\S+)\s*->(.*)$/){
294 if ($datasource=~ m/(\d+\.\d+\.\d+\.\d+)/){
296 $datasource="remoted";
299 #2006 Aug 29 17:33:31 (recepcao) 10.0.3.154 -> syscheck
300 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+\((.*?)\)\s+(\S+)\s*->(.*)$/){
305 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)$/){
307 $alerthost='localhost';
309 }elsif ( m/Rule: ([0-9]+) \(level ([0-9]+)\) -> (.*)$/ ){
313 }elsif ( m/Src IP:/){
319 }elsif ( m/User: (.*)$/){
326 } # End while read line
335 if ($ip=~ m/(\d+)\.(\d+)\.(\d+)\.(\d+)/){
336 my $num= ($1 * 256 ** 3) + ($2 * 256 ** 2)+ ($3 * 256 ** 1)+ ($4);
345 sub prepair2basedata(){
363 my ($count,$query,$row_ref,$sig_id);
366 # Get/Set signature id
367 $query = "SELECT sig_id FROM signature where sig_name=? and sig_class_id=? and sig_priority=? and sig_rev=? and sig_sid=? and sig_gid is NULL";
368 $dbi->execute($query,$description,1,$level,0,$rule);
369 $count=$dbi->{sth}->rows;
371 $row_ref=$dbi->{sth}->fetchrow_hashref;
372 $sig_id=$row_ref->{sig_id};
373 &printlog ("REUSING SIGNATURE\n");
375 $query="INSERT INTO signature ( sig_id , sig_name , sig_class_id , sig_priority , sig_rev , sig_sid , sig_gid )
377 NULL ,?, ? , ? , ? , ?, NULL
379 $dbi->execute($query,$description,1,$level,0,$rule);
380 $sig_id = $dbi->lastid();
383 &printlog ("SIGNATURE: $sig_id\n");
387 $query="INSERT INTO event ( sid , cid , signature , timestamp )
392 $dbi->execute($query,$hids_id,$last_cid,$sig_id,&fixdate2base($date));
394 &printlog ("EVENT: ($query,$hids_id,$last_cid,$sig_id,&fixdate2base($date)\n");
399 $query=" INSERT INTO acid_event ( sid , cid , signature , sig_name , sig_class_id , sig_priority , timestamp , ip_src , ip_dst , ip_proto , layer4_sport , layer4_dport )
401 ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?, ?
403 $dbi->execute($query,$hids_id,$last_cid,$sig_id,$description,1,$level,&fixdate2base($date),&ossec_aton($srcip),&ossec_aton($dstip),undef,undef,undef);
404 &printlog ("ACID_EVENT: ($query,$hids_id,$last_cid,$sig_id,$description,1,$level,&fixdate2base($date),&ossec_aton($srcip),&ossec_aton($dstip),undef,undef)\n");
411 $text = "** Alert $timestamp.$sec:\t$mail\n$date $alerthost -> $datasource\nRule: $rule (level $level) -> $description\nSrc IP: ($srcip)\nUser: $user\n$text";
412 $query=" INSERT INTO data ( sid , cid , data_payload )
415 $dbi->execute($query,$hids_id,$last_cid,$text);
416 &printlog ("DATA: ($query,$hids_id,$last_cid,$text)\n");
420 $query="UPDATE sensor SET last_cid=? where sid=? limit 1";
421 $numrows= $dbi->execute($query,$last_cid,$hids_id);
429 $date=~ s/ Jan /-01-/;
430 $date=~ s/ Feb /-02-/;
431 $date=~ s/ Mar /-03-/;
432 $date=~ s/ Apr /-04-/;
433 $date=~ s/ May /-05-/;
434 $date=~ s/ Jun /-06-/;
435 $date=~ s/ Jul /-07-/;
436 $date=~ s/ Aug /-08-/;
437 $date=~ s/ Sep /-09-/;
438 $date=~ s/ Oct /-10-/;
439 $date=~ s/ Nov /-11-/;
440 $date=~ s/ Dec /-12-/;
445 print "OSSEC report tool $VERSION\n";
446 print "Licensed under GPL\n";
447 print "Contributor Meir Michanie\n";
452 print "This tool helps you import into base the alerts generated by ossec."
453 . " More info in the doc directory .\n";
455 print "$0 [-h|--help] # This text you read now\n";
457 print "\t--dbhost <hostname>\n";
458 print "\t--dbname <database>\n";
459 print "\t--dbport <[0-9]+>\n";
460 print "\t--dbpass <dbpasswd>\n";
461 print "\t--dbuser <dbuser>\n";
462 print "\t-d|--daemonize\n";
463 print "\t-n|--noname\n";
464 print "\t-v|--verbose\n";
465 print "\t--conf <ossec2based-config>\n";
466 print "\t--sensor <sensor-name>\n";
467 print "\t--interface <ifname>\n";
474 chdir '/' or die "Can't chdir to /: $!";
475 open STDIN, '/dev/null' or die "Can't read /dev/null: $!";
476 open STDOUT, ">>$DAEMONLOGFILE"
477 or die "Can't write to $DAEMONLOGFILE: $!";
478 defined(my $pid = fork) or die "Can't fork: $!";
480 open (PIDFILE , ">/var/run/ossec2base2.pid") ;
481 print PIDFILE "$pid\n";
485 setsid or die "Can't start a new session: $!";
486 open STDERR, ">>$DAEMONLOGERRORFILE" or die "Can't write to $DAEMONLOGERRORFILE: $!";
491 &forceprintlog ("Terminating upon signal $signal");
493 &forceprintlog ("Daemon halted");
500 return unless $VERBOSE;
502 foreach my $line(@lines){
504 my ($date)=scalar localtime;
505 $date=~ s/^\S+\s+(\S+.*\s[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}).*$/$1/;
506 print "$date $LOGGER: $line\n";
513 my $conf=$hash_ref->{conf};
514 unless (-f $conf) { &printlog ("ERROR: I can't find config file $conf"); exit 1;}
515 unless (open ( CONF , "$conf")){ &printlog ("ERROR: I can't open file $conf");exit 1;}
518 if ( m/^(\S+)\s?=\s?(.*?)$/) {
519 $hash_ref->{$1} = $2;