1 /* @(#) $Id: pf_decoder.c,v 1.5 2009/06/24 17:06:24 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
11 * License details at the LICENSE file included with OSSEC or
12 * online at: http://www.ossec.net/en/licensing.html
17 #include "eventinfo.h"
20 /* OpenBSD PF decoder init */
/*
 * PF_Decoder_Init: initialisation hook for the OpenBSD PF decoder.
 *
 * The only visible work is a debug1() message tagged with ARGV0; the
 * comment below states that nothing else needs to be set up.
 * NOTE(review): the return statement of this function is not visible in
 * this excerpt -- confirm the value handed back to the decoder loader is
 * the one its callers expect.
 */
void *PF_Decoder_Init()
    /* Debug-level trace of the decoder start-up, prefixed with the program name. */
    debug1("%s: Initializing PF decoder..", ARGV0);

    /* There is nothing to do over here: this decoder sets up no state. */
31 * Extracts the action, srcip, dstip, protocol, srcport and dstport fields from a PF log line.
34 * Mar 30 15:33:26 enigma pf: Mar 30 15:32:33.483712 rule 2/(match) pass in on xl0: 140.211.166.3.6667 > 192.168.2.10.16290: P 7408:7677(269) ack 1773 win 2520 <nop,nop,timestamp 3960674784 2860123562> (DF)
35 * Mar 30 15:47:05.522341 rule 4/(match) block in on lo0: 127.0.0.1.48784 > 127.0.0.1.23: S 1381529123:1381529123(0) win 16384 <mss 33184,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF) [tos 0x10]
36 * Mar 30 15:54:22.171929 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030: udp 73
37 * Mar 30 15:54:22.174412 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030: udp 89
38 * Mar 30 17:47:40.390143 rule 2/(match) pass in on lo0: 127.0.0.1 > 127.0.0.1: icmp: echo reply
39 * Mar 30 17:47:41.400075 rule 3/(match) pass out on lo0: 127.0.0.1 > 127.0.0.1: icmp: echo request
41 void *PF_Decoder_Exec(Eventinfo *lf)
48 /* tmp_str should be: Mar 30 15:54:22.171929 rule 3/(match) pass out .. */
49 tmp_str = strchr(lf->log, ')');
58 /* Going to the action entry */
67 /* tmp_str should be: pass out on xl0: 192.168.2.10.1514 .. */
73 os_strdup("pass", lf->action);
75 else if(*tmp_str == 'b')
77 os_strdup("block", lf->action);
86 /* Jumping to the src ip */
87 tmp_str = strchr(tmp_str, ':');
101 /* tmp_str should be: 192.168.2.10.1514 > .. */
102 aux_str = strchr(tmp_str, ' ');
107 /* Setting aux_str to 0 for strdup */
110 os_strdup(tmp_str, lf->srcip);
112 /* Aux str has a valid pointer to lf->log now */
118 /* Setting the source port if present */
120 while(*tmp_str != '\0')
131 os_strdup(tmp_str, lf->srcport);
139 /* Invalid rest of log */
150 /* tmp_str should be: 192.168.2.10.1514: .. .. */
151 tmp_str = strchr(aux_str, ':');
156 /* Setting aux_str to 0 for strdup */
159 os_strdup(aux_str, lf->dstip);
162 /* tmp str has a valid pointer to lf->log now */
167 /* Getting destination port */
170 while(*aux_str != '\0')
181 os_strdup(aux_str, lf->dstport);
189 /* Getting protocol */
190 while(*tmp_str != '\0')
197 else if(*tmp_str == 'u')
199 os_strdup("UDP", lf->protocol);
201 else if(*tmp_str == 'i')
203 os_strdup("ICMP", lf->protocol);
207 os_strdup("TCP", lf->protocol);