1 /* @(#) $Id: read-alert.c,v 1.10 2009/06/24 18:53:08 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
11 * License details at the LICENSE file included with OSSEC or
12 * online at: http://www.ossec.net/en/licensing.html
16 /* Functions for reading alert records from an OSSEC alerts file and parsing them into alert_data */
19 #include "read-alert.h"
22 /* Alert header line format: "** Alert xyz: email active-response **" -- the words after the colon are the flags (mail / active-response, see ALERT_MAIL and ALERT_AR) that the CRALERT_* checks in GetAlertData look for */
24 #define ALERT_BEGIN "** Alert"
25 #define ALERT_BEGIN_SZ 8
26 #define RULE_BEGIN "Rule: "
27 #define RULE_BEGIN_SZ 6
28 #define SRCIP_BEGIN "Src IP: "
29 #define SRCIP_BEGIN_SZ 8
30 #define USER_BEGIN "User: "
31 #define USER_BEGIN_SZ 6
32 #define ALERT_MAIL "mail"
33 #define ALERT_MAIL_SZ 4
34 #define ALERT_AR "active-response"
37 /** void FreeAlertData(alert_data *al_data): releases the heap strings owned by an alert record (location, comment and every entry of the NULL-terminated log[] array); the counterpart of GetAlertData for freeing the records it returns.
40 void FreeAlertData(alert_data *al_data)
48 free(al_data->location);
52 free(al_data->comment);
68 while(*(al_data->log))
70 free(*(al_data->log));
79 /** alert_data *GetAlertData(int flag, FILE *fp)
80 * Reads the next alert record from fp and returns it as a newly allocated alert_data (free with FreeAlertData). A record ends at the first line that is just "\n", so a log body containing an empty line terminates the record early. flag (e.g. CRALERT_MAIL_SET) selects which alerts are accepted based on the flags in the "** Alert" header.
82 alert_data *GetAlertData(int flag, FILE *fp)
89 char *location = NULL;
96 char str[OS_BUFFER_SIZE+1];
97 str[OS_BUFFER_SIZE]='\0';
100 while(fgets(str, OS_BUFFER_SIZE, fp) != NULL)
104 if(strcmp(str, "\n") == 0)
110 os_calloc(1, sizeof(alert_data), al_data);
111 al_data->level = level;
112 al_data->rule = rule;
113 al_data->location = location;
114 al_data->comment = comment;
115 al_data->group = group;
117 al_data->srcip = srcip;
118 al_data->user = user;
119 al_data->date = date;
127 /* Checking for the "** Alert" header line. Note: p is moved past the header plus one byte (the space) without checking that str[ALERT_BEGIN_SZ] is not the terminator, so a bare "** Alert" line with no trailing newline leaves p past the end of the string (still inside the buffer, reading stale bytes) */
128 if(strncmp(ALERT_BEGIN, str, ALERT_BEGIN_SZ) == 0)
130 p = str + ALERT_BEGIN_SZ + 1;
132 /* Searching for email flag */
142 /* Checking for the flags */
143 if((flag & CRALERT_MAIL_SET) &&
144 (strncmp(ALERT_MAIL, p, ALERT_MAIL_SZ) != 0))
155 /* Cleaning new line from group */
156 os_clearnl(group, p);
160 /* Searching for active-response flag */
169 /*** Extract information from the event ***/
171 /* Expected format of this line: "2006 Apr 13 16:15:17 /var/log/auth.log" (date, then the log location) */
177 p = strchr(str, ':');
188 /* p is NULL when strchr() found no ':' -- the line is not a date/location header. NOTE(review): the "ZZZ ..." merror() text below is a leftover debug message and should be replaced with a descriptive one */
189 merror("ZZZ: 1() Merror date or location not NULL");
196 /* If not, str is date and p is the location */
198 merror("ZZZ Merror date or location not NULL");
200 os_strdup(str, date);
201 os_strdup(p, location);
211 if(strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0)
215 p = str + RULE_BEGIN_SZ;
232 /* Getting the rule description (the quoted text); it must end with a closing ' which is located with strrchr() below */
238 os_strdup(p, comment);
240 /* Must have the closing \' */
241 p = strrchr(comment, '\'');
253 else if(strncmp(SRCIP_BEGIN, str, SRCIP_BEGIN_SZ) == 0)
257 p = str + SRCIP_BEGIN_SZ;
261 else if(strncmp(USER_BEGIN, str, USER_BEGIN_SZ) == 0)
265 p = str + USER_BEGIN_SZ;
268 /* Any other line is part of the original log message (only the first 10 are appended to log[]). Note that the prefix matches above ("Rule: ", "Src IP: ", "User: ") apply to every line of the record, so a log line that itself starts with one of those prefixes is parsed as that field rather than kept as log text -- callers should not treat srcip/user as trustworthy beyond what the alert source guarantees */
269 else if(log_size < 10)
273 os_realloc(log, (log_size +2)*sizeof(char *), log);
274 os_strdup(str, log[log_size]);
276 log[log_size] = NULL;
283 /* Freeing the memory */
321 log[log_size] = NULL;
326 /* Clear the stream's end-of-file condition before returning, presumably so that a later call can read alerts appended to the file after this point */