3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 2) as published by the FSF - Free Software
16 #include "getloglocation.h"
18 #include "eventinfo.h"
/* Drop/allow action patterns (FWDROP / FWALLOW). They are compiled once
 * with OSMatch_Compile below and matched against lf->action in FW_Log to
 * normalize vendor-specific firewall verbs to DROP / ALLOW. */
27 /* OS_Store: v0.2, 2005/02/10 */
/* Stores the event in the archive file.
 * Every field written here must be NUL-terminated and already contain
 * any newlines, tabs, etc. the caller wants in the output: the fields are
 * written verbatim, so an embedded newline in event data ends the record
 * early and starts what a parser will read as a new one (log injection).
 * The "hostname->" prefix is only emitted when lf->hostname and lf->location
 * are different pointers (pointer comparison, not strcmp) -- presumably
 * hostname aliases location when no hostname was parsed; verify in the caller
33 void OS_Store(Eventinfo *lf)
36 "%d %s %02d %s %s%s%s %s\n",
41 lf->hostname != lf->location?lf->hostname:"",
42 lf->hostname != lf->location?"->":"",
52 void OS_LogOutput(Eventinfo *lf)
55 "** Alert %d.%ld:%s - %s\n"
56 "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'\n"
57 "Src IP: %s\nUser: %s\n%.1256s\n",
60 lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
61 lf->generated_rule->group,
66 lf->hostname != lf->location?lf->hostname:"",
67 lf->hostname != lf->location?"->":"",
69 lf->generated_rule->sigid,
70 lf->generated_rule->level,
71 lf->generated_rule->comment,
72 lf->srcip == NULL?"(none)":lf->srcip,
73 lf->dstuser == NULL?"(none)":lf->dstuser,
/* Printing the last events if present. Each entry is written verbatim,
 * capped at 1256 bytes, and last_events[0] is reset to NULL afterwards.
 * NOTE(review): nothing visible here releases the stored strings --
 * confirm their owner frees them, otherwise this leaks per alert. */
78 if(lf->generated_rule->last_events)
80 char **lasts = lf->generated_rule->last_events;
83 printf("%.1256s\n",*lasts);
86 lf->generated_rule->last_events[0] = NULL;
/* OS_Log: v0.3, 2006/03/04 */
/* _writefile: v0.2, 2005/02/09 */
/* Writes one alert record to _aflog: the "** Alert" header, the rule
 * (sigid / level / comment), srcip and dstuser ("(none)" when absent), the
 * event text truncated to 1256 bytes, then any last_events, and a blank
 * separator line. srcip/dstuser/event text come from the event itself and
 * are not escaped, so untrusted data can contain newlines. */
99 void OS_Log(Eventinfo *lf)
/* Writing to the alert log file. The format string is fixed; the event
 * text is passed as an argument and truncated to 1256 bytes by %.1256s */
103 "** Alert %d.%ld:%s - %s\n"
104 "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'\n"
105 "Src IP: %s\nUser: %s\n%.1256s\n",
108 lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
109 lf->generated_rule->group,
114 lf->hostname != lf->location?lf->hostname:"",
115 lf->hostname != lf->location?"->":"",
117 lf->generated_rule->sigid,
118 lf->generated_rule->level,
119 lf->generated_rule->comment,
120 lf->srcip == NULL?"(none)":lf->srcip,
121 lf->dstuser == NULL?"(none)":lf->dstuser,
/* Printing the last events if present. Each entry is written verbatim,
 * capped at 1256 bytes, and last_events[0] is reset to NULL afterwards.
 * NOTE(review): nothing visible here releases the stored strings --
 * confirm their owner frees them, otherwise this leaks per alert. */
126 if(lf->generated_rule->last_events)
128 char **lasts = lf->generated_rule->last_events;
131 fprintf(_aflog,"%.1256s\n",*lasts);
134 lf->generated_rule->last_events[0] = NULL;
137 fprintf(_aflog,"\n");
/* Initializing fw log regexes: compile FWDROP and FWALLOW once at startup.
 * A pattern that fails to compile is reported through ErrorExit, so a bad
 * pattern is caught here rather than on the first firewall event. */
148 if(!OSMatch_Compile(FWDROP, &FWDROPpm, 0))
150 ErrorExit(REGEX_COMPILE, ARGV0, FWDROP,
154 if(!OSMatch_Compile(FWALLOW, &FWALLOWpm, 0))
156 ErrorExit(REGEX_COMPILE, ARGV0, FWALLOW,
/* FW_Log: v0.1, 2005/12/30 */
/* Normalizes lf->action to DROP / CLOSED / ALLOW / UNKNOWN (replacing the
 * string via os_strdup) and writes the firewall log line. Does nothing when
 * lf->action or lf->srcip is missing, which also guarantees the strlen()
 * calls below never see NULL. NOTE(review): confirm the previous lf->action
 * buffer is freed before os_strdup overwrites the pointer. */
164 int FW_Log(Eventinfo *lf)
166 /* If we don't have the srcip or the
167 * action, there is no point in going
170 if(!lf->action || !lf->srcip)
176 /* Setting the actions */
179 /* discard, drop, deny, */
189 os_strdup("DROP", lf->action);
198 os_strdup("CLOSED", lf->action);
210 os_strdup("ALLOW", lf->action);
213 if(OSMatch_Execute(lf->action,strlen(lf->action),&FWDROPpm))
216 os_strdup("DROP", lf->action);
218 if(OSMatch_Execute(lf->action,strlen(lf->action),&FWALLOWpm))
221 os_strdup("ALLOW", lf->action);
226 os_strdup("UNKNOWN", lf->action);
234 "%d %s %02d %s %s%s%s %s %s %s:%s->%s:%s\n",
239 lf->hostname != lf->location?lf->hostname:"",
240 lf->hostname != lf->location?"->":"",