5 use Regexp::IPv6 qw($IPv6_re);
6 # ---------------------------------------------------------------------------
7 # Author: Meir Michanie (meirm@riunx.com)
9 # Version 0.1 (09/2006)
11 # ---------------------------------------------------------------------------
13 # ---------------------------------------------------------------------------
15 # This program is free software; you can redistribute it and/or
16 # modify it under the terms of the GNU General Public License
17 # as published by the Free Software Foundation; either version 2
18 # of the License, or (at your option) any later version.
20 # This program is distributed in the hope that it will be useful,
21 # but WITHOUT ANY WARRANTY; without even the implied warranty of
22 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 # GNU General Public License for more details.
25 # You should have received a copy of the GNU General Public License
26 # along with this program; if not, write to the Free Software
27 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
29 # ---------------------------------------------------------------------------
31 # ---------------------------------------------------------------------------
33 # OSSEC HIDS is an Open Source Host-based Intrusion Detection System.
34 # It performs log analysis and correlation, integrity checking,
35 # rootkit detection, time-based alerting and active response.
36 # http://www.ossec.net
38 # ---------------------------------------------------------------------------
40 # ---------------------------------------------------------------------------
42 # ---------------------------------------------------------------------------
# On TERM or INT hand control to gracefulend() (defined elsewhere in this
# file) with the signal name, instead of dying mid-report.
for my $sig (qw(TERM INT)) {
    $SIG{$sig} = sub { gracefulend($sig) };
}
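# One dotted-quad octet, 0-255.
my($OCT) = '(?:25[012345]|2[0-4]\d|1?\d\d?)';
# A dotted-quad IPv4 address or an IPv6 address ($IPv6_re from Regexp::IPv6).
# The alternation must be a bare '|' inside a non-capturing group: the old
# '\|' was a *literal* pipe character, so a plain IPv4 address never matched
# m/^$IP$/, and without the group the ^ and $ anchors used at the call sites
# would each bind to only one side of the alternation.
my($IP) = '(?:' . $OCT . '\.' . $OCT . '\.' . $OCT . '\.' . $OCT . '|' . $IPv6_re . ')';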
# Script-wide state; the defaults below are what the rest of the file
# relies on when no option overrides them.
my $hids_id        = undef;
my $hids           = 'localhost';
my $hids_interface = 'ossec';
my $last_cid       = 0;
my $tempvar        = 0;
my $VERBOSE        = 0;
59 # ---------------------------------------------------------------------------
61 # ---------------------------------------------------------------------------
65 if ( m/^-h$|^--help$/){
67 }elsif ( m/^-n$|^--noname$/){
# Per-alert fields, filled in while one alert record is parsed and cleared
# again before the next one.  Every one of them starts out undef.
my (
    $timestamp,  $sec,  $mail,  $date,        $alerthost, $alerthostip,
    $datasource, $rule, $level, $description, $srcip,     $dstip,
    $user,       $text,
);
80 ########################################################
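# Relative path of today's alert log, e.g. "2006/Sep/ossec-alerts-05.log",
# computed from localtime() instead of shelling out to date(1): no fork, no
# trailing newline to strip, and the month abbreviation no longer depends on
# the caller's LC_TIME locale.  The directory layout mirrors what this script
# always used; English month abbreviations are assumed (NOTE: confirm against
# an existing alerts tree).
my ($mday, $mon, $year) = (localtime)[3, 4, 5];
my $datepath = sprintf('%04d/%s/ossec-alerts-%02d.log',
    $year + 1900, (qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec))[$mon], $mday);
my $LOG = '/var/ossec/logs/alerts/' . $datepath;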
86 ==========================================================================================================================
88 ==========================================================================================================================
89 | Alert | Date | SRC | DST | LVL | Name |
90 ==========================================================================================================================
93 |@<<<<< |@<<<<<<<<<<<<<<<<<<<<< |@<<<<<<<<<<<< |@<<<<<<<<<<<< |@<<< |@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< |
94 $rule,$date,$srcip,$dstip,$level,$description
100 ###############################################################
# Tail state.  Only $offset gets the '' initialiser (that is all the original
# list assignment did); $line and $stall start undef.
my $offset = '';
my ($line, $stall);
# Resume from the current end of the file so only alerts written from now
# on are reported (undef if the file does not exist yet).
$offset = -s $LOG;
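# Recompute today's log path each pass so the tail follows the daily
# rollover.  Built from localtime() rather than date(1): no fork per loop
# iteration, no trailing newline, and the month abbreviation is independent
# of LC_TIME (English abbreviations assumed — NOTE: confirm against the
# alerts tree).
my ($mday, $mon, $year) = (localtime)[3, 4, 5];
$datepath = sprintf('%04d/%s/ossec-alerts-%02d.log',
    $year + 1900, (qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec))[$mon], $mday);
$LOG = '/var/ossec/logs/alerts/' . $datepath;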
115 unless ( -f $LOG){print "Error -f $LOG\n"; next; }
116 if ((-s $LOG) < $offset) {
120 unless (open(TAIL, $LOG)){ print "Error opening $LOG: $!\n";next ;}
122 if (seek(TAIL, $offset, 0)) {
123 # found offset, log not rotated
127 seek(TAIL, $offset, 0);
132 next unless $timestamp;
141 $alerthostip=$alerthost if $alerthost=~ m/^$IP$/;
144 $resolv{$alerthost}=$dstip;
146 if (exists $resolv{$alerthost}){
147 $dstip=$resolv{$alerthost};
149 if ($conf{'resolve'}){
150 $dstip=`host $alerthost 2>/dev/null | grep 'has address\|has IPv6 address' `;
151 if ($dstip =~m/($IP)/ ){
159 $resolv{$alerthost}=$dstip;
# Clear every per-alert field before parsing the next record so nothing
# from the previous alert leaks into this one.
$timestamp = $sec = $mail = $date = $alerthost = $alerthostip = $datasource
    = $rule = $level = $description = $srcip = $dstip = $user = $text = undef;
169 if (m/^\*\* Alert ([0-9]+).([0-9]+):(.*)$/){
171 if ( $timestamp == $lasttimestamp){
175 $lasttimestamp=$timestamp;
179 $mail=$mail ? $mail : 'nomail';
180 #2006 Aug 29 17:19:52 firewall -> /var/log/messages
181 #2006 Aug 30 11:52:14 192.168.0.45->/var/log/secure
183 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+(\S+)\s*->(.*)$/){
187 #2006 Aug 29 17:33:31 (recepcao) 10.0.3.154 -> syscheck
188 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+\((.*?)\)\s+(\S+)\s*->(.*)$/){
193 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)$/){
195 $alerthost='localhost';
197 }elsif ( m/Rule: ([0-9]+) \(level ([0-9]+)\) -> '(.*)'$/ ){
201 }elsif ( m/Src IP:/){
202 if ( m/Src IP: (\S+)/){
207 }elsif ( m/User: (.*)$/){
214 } # End while read line
# Banner: tool name/version, licence and author, one line each.
print <<"BANNER";
OSSEC report tool $VERSION
Licensed under GPL
Contributor Meir Michanie
BANNER
# Usage text: what the tool does, then the recognised options.
print <<"USAGE";
List alerts generated by ossec. More info in the doc directory .
$0 [-h|--help] # This text you read now
\t-n|--noname
USAGE