5 # ---------------------------------------------------------------------------
6 # Author: Meir Michanie (meirm@riunx.com)
8 # Version 0.1 (09/2006)
10 # ---------------------------------------------------------------------------
12 # ---------------------------------------------------------------------------
14 # This program is free software; you can redistribute it and/or
15 # modify it under the terms of the GNU General Public License
16 # as published by the Free Software Foundation; either version 2
17 # of the License, or (at your option) any later version.
19 # This program is distributed in the hope that it will be useful,
20 # but WITHOUT ANY WARRANTY; without even the implied warranty of
21 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 # GNU General Public License for more details.
24 # You should have received a copy of the GNU General Public License
25 # along with this program; if not, write to the Free Software
26 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
28 # ---------------------------------------------------------------------------
30 # ---------------------------------------------------------------------------
32 # OSSEC HIDS is an Open Source Host-based Intrusion Detection System.
33 # It performs log analysis and correlation, integrity checking,
34 # rootkit detection, time-based alerting and active response.
35 # http://www.ossec.net
37 # ---------------------------------------------------------------------------
39 # ---------------------------------------------------------------------------
41 # ---------------------------------------------------------------------------
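# Shut down cleanly on TERM and INT.  gracefulend() is defined further down
# in this file (outside this excerpt).  Plain call syntax is used: the old
# `&name(...)` form only bypasses prototypes and is discouraged.
$SIG{TERM} = sub { gracefulend('TERM') };
$SIG{INT}  = sub { gracefulend('INT') };

# One IPv4 octet, 0-255, as three ranges: 250-255 | 200-249 | 0-199.
my $OCT = '(?:25[0-5]|2[0-4]\d|1?\d\d?)';

# Full dotted quad.  Kept as a plain string rather than qr// because the
# script interpolates it as m/^$IP$/ when checking whether a host field
# parsed out of the alert log is already an address.
my $IP = join '\.', ($OCT) x 4;

# Agent/host bookkeeping.  $hids_id starts undefined; the other three are the
# defaults for the local OSSEC instance and a counter starting at zero.
my ($hids_id, $hids, $hids_interface, $last_cid) = (undef, 'localhost', 'ossec', 0);

# $tempvar is scratch space; $VERBOSE presumably gets raised by a command-line
# switch parsed later (not visible here).
my ($tempvar, $VERBOSE) = (0, 0);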
58 # ---------------------------------------------------------------------------
60 # ---------------------------------------------------------------------------
64 if ( m/^-h$|^--help$/){
66 }elsif ( m/^-n$|^--noname$/){
# Per-alert fields.  They are filled in while one alert block is parsed and
# cleared again (assigned an empty list) before the next block starts, so at
# declaration time they simply start out undefined.
my (
    $timestamp,  $sec,   $mail,  $date,        $alerthost, $alerthostip,
    $datasource, $rule,  $level, $description,
    $srcip,      $dstip, $user,  $text,
);
79 ########################################################
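# Relative path of today's alert file, "YYYY/Mon/ossec-alerts-DD.log", built
# from localtime() instead of shelling out to date(1): no child process, no
# PATH lookup for an external binary, and English month abbreviations
# regardless of the user's locale (the sample alert lines quoted in this
# file use English month names).  Unlike the backtick form the result has
# no trailing newline, so any later chomp() on it is a harmless no-op.
sub _alert_log_path {
    my @month = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);
    my ($mday, $mon, $year) = (localtime)[3, 4, 5];
    return sprintf '%04d/%s/ossec-alerts-%02d.log', $year + 1900, $month[$mon], $mday;
}

# $datepath is recomputed later on, when the tail loop checks for a new day.
my $datepath = _alert_log_path();
my $LOG      = '/var/ossec/logs/alerts/' . $datepath;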
85 ==========================================================================================================================
87 ==========================================================================================================================
88 | Alert | Date | SRC | DST | LVL | Name |
89 ==========================================================================================================================
92 |@<<<<< |@<<<<<<<<<<<<<<<<<<<<< |@<<<<<<<<<<<< |@<<<<<<<<<<<< |@<<< |@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< |
93 $rule,$date,$srcip,$dstip,$level,$description
99 ###############################################################
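# Tail state.  $offset is the byte position to resume reading from; it starts
# at the current end of the log so only alerts written after start-up are
# reported.  -s yields undef for a missing file and '' for an empty one, and
# both would later reach seek() and the numeric `<` comparison as non-numbers,
# so normalise them to 0 (which is also where seek() would end up anyway).
my ($line, $stall);
my $offset = (-s $LOG) || 0;    # Don't start at beginning, go to end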
111 $datepath=`date "+%Y/%b/ossec-alerts-%d.log"`;
112 $LOG='/var/ossec/logs/alerts/'. $datepath;
114 unless ( -f $LOG){print "Error -f $LOG\n"; next; }
115 if ((-s $LOG) < $offset) {
119 unless (open(TAIL, $LOG)){ print "Error opening $LOG: $!\n";next ;}
121 if (seek(TAIL, $offset, 0)) {
122 # found offset, log not rotated
126 seek(TAIL, $offset, 0);
131 next unless $timestamp;
140 $alerthostip=$alerthost if $alerthost=~ m/^$IP$/;
143 $resolv{$alerthost}=$dstip;
145 if (exists $resolv{$alerthost}){
146 $dstip=$resolv{$alerthost};
148 if ($conf{'resolve'}){
149 $dstip=`host $alerthost 2>/dev/null | grep 'has address' `;
150 if ($dstip =~m/(\d+\.\d+\.\d+\.\d+)/ ){
158 $resolv{$alerthost}=$dstip;
164 ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,
165 $srcip,$dstip,$user,$text)=();
168 if (m/^\*\* Alert ([0-9]+).([0-9]+):(.*)$/){
170 if ( $timestamp == $lasttimestamp){
174 $lasttimestamp=$timestamp;
178 $mail=$mail ? $mail : 'nomail';
179 #2006 Aug 29 17:19:52 firewall -> /var/log/messages
180 #2006 Aug 30 11:52:14 192.168.0.45->/var/log/secure
182 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+(\S+)\s*->(.*)$/){
186 #2006 Aug 29 17:33:31 (recepcao) 10.0.3.154 -> syscheck
187 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+\((.*?)\)\s+(\S+)\s*->(.*)$/){
192 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)$/){
194 $alerthost='localhost';
196 }elsif ( m/Rule: ([0-9]+) \(level ([0-9]+)\) -> '(.*)'$/ ){
200 }elsif ( m/Src IP:/){
206 }elsif ( m/User: (.*)$/){
213 } # End while read line
220 print "OSSEC report tool $VERSION\n";
221 print "Licensed under GPL\n";
222 print "Contributor Meir Michanie\n";
227 print "List alerts generated by ossec."
228 . " More info in the doc directory .\n";
230 print "$0 [-h|--help] # This text you read now\n";
232 print "\t-n|--noname\n";