5 use Regexp::IPv6 qw($IPv6_re);
6 # ---------------------------------------------------------------------------
7 # Author: Meir Michanie (meirm@riunx.com)
8 # Co-Author: J.A.Senger (jorge@br10.com.br)
11 ## ---------------------------------------------------------------------------
12 # http://www.riunx.com/
13 # ---------------------------------------------------------------------------
15 # ---------------------------------------------------------------------------
17 # ---------------------------------------------------------------------------
19 # "Ossec to Mysql" records the OSSEC HIDS alert logs in MySQL database.
20 # It can run as a daemon (ossec2mysqld.pl), recording in real-time the logs in database or
21 # as a simple script (ossec2mysql.pl).
23 # ---------------------------------------------------------------------------
25 # ---------------------------------------------------------------------------
28 # Perl DBD::mysql module
31 # ---------------------------------------------------------------------------
33 # ---------------------------------------------------------------------------
35 # 1) Create new database
36 # 2a) Run ossec2mysql.sql to create MySQL tables in your database
37 # 2b) Create BASE tables with snort tables extention
38 # 3) Create a user to access the database;
39 # 4) Copy ossec2mysql.conf to /etc/ossec2mysql.conf with 0600 permissions
40 # 3) Edit /etc/ossec2mysql.conf according to your configuration:
51 # ---------------------------------------------------------------------------
53 # ---------------------------------------------------------------------------
55 # This program is free software; you can redistribute it and/or
56 # modify it under the terms of the GNU General Public License
57 # as published by the Free Software Foundation; either version 2
58 # of the License, or (at your option) any later version.
60 # This program is distributed in the hope that it will be useful,
61 # but WITHOUT ANY WARRANTY; without even the implied warranty of
62 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
63 # GNU General Public License for more details.
65 # You should have received a copy of the GNU General Public License
66 # along with this program; if not, write to the Free Software
67 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
69 # ---------------------------------------------------------------------------
71 # ---------------------------------------------------------------------------
73 # OSSEC HIDS is an Open Source Host-based Intrusion Detection System.
74 # It performs log analysis and correlation, integrity checking,
75 # rootkit detection, time-based alerting and active response.
76 # http://www.ossec.net
78 # ---------------------------------------------------------------------------
80 # ---------------------------------------------------------------------------
82 # ---------------------------------------------------------------------------
83 $SIG{TERM} = sub { &gracefulend('TERM')};
84 $SIG{INT} = sub { &gracefulend('INT')};
86 my ($DAEMONLOGFILE)='/var/log/ossec2mysql.log';
87 my ($DAEMONLOGERRORFILE) = '/var/log/ossec2mysql.err';
88 my ($LOGGER)='ossec2mysql';
92 $conf{dbhost}='localhost';
93 $conf{database}='snort';
96 $conf{dbpasswd}='password';
99 $conf{sensor}='sensor';
100 $conf{hids_interface}='ossec';
104 my($OCT) = '(?:25[012345]|2[0-4]\d|1?\d\d?)';
106 my($IP) = $OCT . '\.' . $OCT . '\.' . $OCT . '\.' . $OCT . '\|' . $IPv6_re;
110 &help() unless @ARGV;
112 my ($hids_id,$hids,$hids_interface,$last_cid)=(undef, 'localhost', 'ossec',0);
113 my ($tempvar,$VERBOSE)=(0,0);
114 # ---------------------------------------------------------------------------
116 # ---------------------------------------------------------------------------
120 if (m/^-d$|^--daemon$/){
122 }elsif ( m/^-h$|^--help$/){
124 }elsif ( m/^-n$|^--noname$/){
126 }elsif ( m/^-v$|^--verbose$/){
128 }elsif ( m/^--interface$/){
129 $conf{hids_interface}= shift @ARGV if @ARGV; # ossec-rt/ossec-feed
130 }elsif ( m/^--sensor$/){
131 $conf{sensor}= shift @ARGV if @ARGV; # monitor
132 }elsif ( m/^--conf$/){
133 $conf{conf}= shift @ARGV if @ARGV; # localhost
135 }elsif ( m/^--dbhost$/){
136 $conf{dbhost}= shift @ARGV if @ARGV; # localhost
137 }elsif ( m/^--dbport$/){
138 $conf{dbport}= shift @ARGV if @ARGV; # localhost
139 }elsif ( m/^--dbname$/){
140 $conf{database}= shift @ARGV if @ARGV; # snort
141 }elsif ( m/^--dbuser$/){
142 $conf{dbuser}= shift @ARGV if @ARGV; # root
143 }elsif ( m/^--dbpass$/){
144 $conf{dbpasswd}= shift @ARGV if @ARGV; # monitor
148 if ($conf{dbpasswd}=~ m/^--stdin$/){
151 chomp $conf{dbpasswd};
153 $hids=$conf{sensor} if exists($conf{sensor});
154 $hids_interface=$conf{hids_interface} if exists($conf{hids_interface});
156 &daemonize() if $conf{daemonize};
157 my $dbi= ossecmysql->new(%conf) || die ("Could not connect to $conf{dbhost}:$conf{dbport}:$conf{database} as $conf{dbpasswd}\n");
160 my ($query,$numrows,$row_ref);
163 $query= 'select sid,last_cid from sensor where hostname=? and interface=?';
164 $numrows= $dbi->execute($query,$hids,$hids_interface);
166 $row_ref=$dbi->{sth}->fetchrow_hashref;
167 $hids_id=$row_ref->{sid};
168 $last_cid=$row_ref->{last_cid};
170 $query="INSERT INTO sensor ( sid , hostname , interface , filter , detail , encoding , last_cid )
172 NULL , ?, ? , NULL , ? , ?, ?
174 $numrows= $dbi->execute($query,$hids,$hids_interface,1,2,0);
175 $hids_id=$dbi->lastid();
178 &forceprintlog ("SENSOR:$hids; feed:$hids_interface; id:$hids_id; last cid:$last_cid");
184 my ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,
185 $srcip,$dstip,$user,$text)=();
188 ########################################################
189 my $datepath=`date "+%Y/%b/ossec-alerts-%d.log"`;
190 my $LOG='/var/ossec/logs/alerts/'. $datepath;
192 &taillog($last_cid,$LOG);
193 ###############################################################
201 my ($last_cid,$LOG)=@_;
202 my($offset, $line, $stall) = '';
204 $offset = (-s $LOG); # Don't start at beginning, go to end
211 $datepath=`date "+%Y/%b/ossec-alerts-%d.log"`;
212 $LOG='/var/ossec/logs/alerts/'. $datepath;
214 unless ( -f $LOG){&forceprintlog ("Error -f $LOG"); next; }
215 if ((-s $LOG) < $offset) {
216 &forceprintlog ("Log shrunk, resetting..");
220 unless (open(TAIL, $LOG)){ &forceprintlog ("Error opening $LOG: $!\n");next ;}
222 if (seek(TAIL, $offset, 0)) {
223 # found offset, log not rotated
227 seek(TAIL, $offset, 0);
232 next unless $timestamp;
233 $alerthostip=$alerthost if $alerthost=~ m/^$IP$/;
236 $resolv{$alerthost}=$dstip;
238 if (exists $resolv{$alerthost}){
239 $dstip=$resolv{$alerthost};
241 if ($conf{'resolve'}){
242 $dstip=`host $alerthost 2>/dev/null | grep 'has address\|has IPv6 address' `;
243 if ($dstip =~m/($IP)/ ){
251 $resolv{$alerthost}=$dstip;
255 $last_cid= &prepair2basedata(
272 ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,
273 $srcip,$dstip,$user,$text)=();
276 if (m/^\*\* Alert ([0-9]+).([0-9]+):(.*)$/){
278 if ( $timestamp == $lasttimestamp){
282 $lasttimestamp=$timestamp;
286 $mail=$mail ? $mail : 'nomail';
287 #2006 Aug 29 17:19:52 firewall -> /var/log/messages
288 #2006 Aug 30 11:52:14 192.168.0.45->/var/log/secure
289 #2006 Sep 12 11:12:16 92382-Snort1 -> 172.16.176.132
291 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+(\S+)\s*->(.*)$/){
295 if ($datasource=~ m/($IP)/){
297 $datasource="remoted";
300 #2006 Aug 29 17:33:31 (recepcao) 10.0.3.154 -> syscheck
301 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+\((.*?)\)\s+(\S+)\s*->(.*)$/){
306 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)$/){
308 $alerthost='localhost';
310 }elsif ( m/Rule: ([0-9]+) \(level ([0-9]+)\) -> (.*)$/ ){
314 }elsif ( m/Src IP:/){
315 if ( m/Src IP: (\S+)/){
320 }elsif ( m/User: (.*)$/){
327 } # End while read line
334 sub prepair2basedata(){
352 my ($count,$query,$row_ref,$sig_id);
355 # Get/Set signature id
356 $query = "SELECT sig_id FROM signature where sig_name=? and sig_class_id=? and sig_priority=? and sig_rev=? and sig_sid=? and sig_gid is NULL";
357 $dbi->execute($query,$description,1,$level,0,$rule);
358 $count=$dbi->{sth}->rows;
360 $row_ref=$dbi->{sth}->fetchrow_hashref;
361 $sig_id=$row_ref->{sig_id};
362 &printlog ("REUSING SIGNATURE\n");
364 $query="INSERT INTO signature ( sig_id , sig_name , sig_class_id , sig_priority , sig_rev , sig_sid , sig_gid )
366 NULL ,?, ? , ? , ? , ?, NULL
368 $dbi->execute($query,$description,1,$level,0,$rule);
369 $sig_id = $dbi->lastid();
372 &printlog ("SIGNATURE: $sig_id\n");
376 $query="INSERT INTO event ( sid , cid , signature , timestamp )
381 $dbi->execute($query,$hids_id,$last_cid,$sig_id,&fixdate2base($date));
383 &printlog ("EVENT: ($query,$hids_id,$last_cid,$sig_id,&fixdate2base($date)\n");
388 $query=" INSERT INTO acid_event ( sid , cid , signature , sig_name , sig_class_id , sig_priority , timestamp , ip_src , ip_dst , ip_proto , layer4_sport , layer4_dport )
390 ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?, ?
392 $dbi->execute($query,$hids_id,$last_cid,$sig_id,$description,1,$level,&fixdate2base($date),$srcip,$dstip,undef,undef,undef);
393 &printlog ("ACID_EVENT: ($query,$hids_id,$last_cid,$sig_id,$description,1,$level,&fixdate2base($date),$srcip,$dstip,undef,undef)\n");
400 $text = "** Alert $timestamp.$sec:\t$mail\n$date $alerthost -> $datasource\nRule: $rule (level $level) -> $description\nSrc IP: ($srcip)\nUser: $user\n$text";
401 $query=" INSERT INTO data ( sid , cid , data_payload )
404 $dbi->execute($query,$hids_id,$last_cid,$text);
405 &printlog ("DATA: ($query,$hids_id,$last_cid,$text)\n");
409 $query="UPDATE sensor SET last_cid=? where sid=? limit 1";
410 $numrows= $dbi->execute($query,$last_cid,$hids_id);
418 $date=~ s/ Jan /-01-/;
419 $date=~ s/ Feb /-02-/;
420 $date=~ s/ Mar /-03-/;
421 $date=~ s/ Apr /-04-/;
422 $date=~ s/ May /-05-/;
423 $date=~ s/ Jun /-06-/;
424 $date=~ s/ Jul /-07-/;
425 $date=~ s/ Aug /-08-/;
426 $date=~ s/ Sep /-09-/;
427 $date=~ s/ Oct /-10-/;
428 $date=~ s/ Nov /-11-/;
429 $date=~ s/ Dec /-12-/;
434 print "OSSEC report tool $VERSION\n";
435 print "Licensed under GPL\n";
436 print "Contributor Meir Michanie\n";
441 print "This tool helps you import into base the alerts generated by ossec."
442 . " More info in the doc directory .\n";
444 print "$0 [-h|--help] # This text you read now\n";
446 print "\t--dbhost <hostname>\n";
447 print "\t--dbname <database>\n";
448 print "\t--dbport <[0-9]+>\n";
449 print "\t--dbpass <dbpasswd>\n";
450 print "\t--dbuser <dbuser>\n";
451 print "\t-d|--daemonize\n";
452 print "\t-n|--noname\n";
453 print "\t-v|--verbose\n";
454 print "\t--conf <ossec2based-config>\n";
455 print "\t--sensor <sensor-name>\n";
456 print "\t--interface <ifname>\n";
463 chdir '/' or die "Can't chdir to /: $!";
464 open STDIN, '/dev/null' or die "Can't read /dev/null: $!";
465 open STDOUT, ">>$DAEMONLOGFILE"
466 or die "Can't write to $DAEMONLOGFILE: $!";
467 defined(my $pid = fork) or die "Can't fork: $!";
469 open (PIDFILE , ">/var/run/ossec2base2.pid") ;
470 print PIDFILE "$pid\n";
474 setsid or die "Can't start a new session: $!";
475 open STDERR, ">>$DAEMONLOGERRORFILE" or die "Can't write to $DAEMONLOGERRORFILE: $!";
480 &forceprintlog ("Terminating upon signal $signal");
482 &forceprintlog ("Daemon halted");
489 return unless $VERBOSE;
491 foreach my $line(@lines){
493 my ($date)=scalar localtime;
494 $date=~ s/^\S+\s+(\S+.*\s[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}).*$/$1/;
495 print "$date $LOGGER: $line\n";
502 my $conf=$hash_ref->{conf};
503 unless (-f $conf) { &printlog ("ERROR: I can't find config file $conf"); exit 1;}
504 unless (open ( CONF , "$conf")){ &printlog ("ERROR: I can't open file $conf");exit 1;}
507 if ( m/^(\S+)\s?=\s?(.*?)$/) {
508 $hash_ref->{$1} = $2;