1 /* @(#) $Id: ./src/analysisd/decoders/plugins/sonicwall_decoder.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
12 * License details at the LICENSE file included with OSSEC or
13 * online at: http://www.ossec.net/en/licensing.html
18 #include "eventinfo.h"
21 /* Regex to extract the priority (pri=), category (c=) and event id (m=); all three are captured */
22 #define SONICWALL_REGID "pri=(\\d) c=(\\d+) m=(\\d+) "
24 /* Regex to extract the source and destination ip:port pairs; the trailing ":\S+" zone field after the source port (e.g. WAN in the examples below) is consumed, not captured. Note the dots between the octets are not escaped, so unless OSRegex treats '.' literally they match any character, not only a dot. */
25 #define SONICWALL_REGEX "src=(\\d+.\\d+.\\d+.\\d+):(\\d+):\\S+ " \
26 "dst=(\\d+.\\d+.\\d+.\\d+):(\\d+):"
28 /* Regex for the web proxy messages */
29 #define SONICWALL_PROXY "result=(\\d+) dstname=(\\S+) arg=(\\S+)$"
33 /** Global variables -- not thread safe: each compiled regex also holds its last match's captures (sub_strings), so if we ever multi-thread
34 * analysisd, these will need to be made per-thread or protected by a lock.
36 OSRegex *__sonic_regex_prid = NULL;
37 OSRegex *__sonic_regex_sdip = NULL;
38 OSRegex *__sonic_regex_prox = NULL;
42 /* SonicWall decoder init.
 *
 * Allocates the three regex objects used by SonicWall_Decoder_Exec and
 * compiles the SonicWall patterns into them with OS_RETURN_SUBSTRING, so
 * that every successful match leaves its captures in ->sub_strings.
 * A failed compile, or a compiled regex that has no sub_strings array, is
 * reported with merror(); the statements following each merror() are not
 * part of this listing, so whether init then aborts or hands back an
 * unusable decoder cannot be confirmed here.  None of the allocations
 * below are released on the visible error paths.  The return statement
 * is also not shown. */
43 void *SonicWall_Decoder_Init()
45 debug1("%s: Initializing SonicWall decoder..", ARGV0);
48 /* Allocating memory */
/* os_calloc is the project's checked allocator; presumably it aborts on
 * failure (its definition is not visible here), so no NULL checks follow. */
49 os_calloc(1, sizeof(OSRegex), __sonic_regex_sdip);
50 os_calloc(1, sizeof(OSRegex), __sonic_regex_prid);
51 os_calloc(1, sizeof(OSRegex), __sonic_regex_prox);
53 /* Compiling our regexes */
/* OS_RETURN_SUBSTRING: after a match each capture group is available as a
 * heap string in ->sub_strings; Exec moves or frees those strings. */
54 if(!OSRegex_Compile(SONICWALL_REGEX, __sonic_regex_sdip, OS_RETURN_SUBSTRING))
56 merror(REGEX_COMPILE, ARGV0, SONICWALL_REGEX, __sonic_regex_sdip->error);
59 if(!OSRegex_Compile(SONICWALL_REGID, __sonic_regex_prid, OS_RETURN_SUBSTRING))
61 merror(REGEX_COMPILE, ARGV0, SONICWALL_REGID, __sonic_regex_prid->error);
64 if(!OSRegex_Compile(SONICWALL_PROXY, __sonic_regex_prox, OS_RETURN_SUBSTRING))
66 merror(REGEX_COMPILE, ARGV0, SONICWALL_PROXY, __sonic_regex_prox->error);
70 /* We must have the sub_strings to retrieve the nodes */
/* Exec indexes ->sub_strings unconditionally after a match, so a regex
 * without that array would be a NULL dereference at decode time. */
71 if(!__sonic_regex_sdip->sub_strings)
73 merror(REGEX_SUBS, ARGV0, SONICWALL_REGEX);
76 if(!__sonic_regex_prid->sub_strings)
78 merror(REGEX_SUBS, ARGV0, SONICWALL_REGID);
81 if(!__sonic_regex_prox->sub_strings)
83 merror(REGEX_SUBS, ARGV0, SONICWALL_PROXY);
87 /* There is nothing else to do over here */
/* SonicWall_Decoder_Exec -- decode one SonicWall syslog line into lf.
 *
 * Extracts the event id (m=, kept as lf->id), the severity (pri=, kept as
 * lf->status), the category (c=), the source and destination ip:port
 * pairs, the protocol (proto=), and for web-proxy events the HTTP result
 * code (which replaces lf->id) and the requested URL.  lf->decoder_info->type
 * starts as SYSLOG and is switched to IDS, FIREWALL or SQUID from the
 * category/id; for the firewall ids lf->action is set to "pass", "drop" or
 * "close".
 *
 * Ownership: capture strings that are kept are moved into lf and their
 * sub_strings slot is set to NULL; the captures that are not kept are
 * free()d here so the shared regex objects are clean for the next event.
 *
 * NOTE(review): this listing omits lines (braces, the early returns after
 * failed matches, the body of the protocol copy loop, and the declarations
 * of i and category), so some of the checks noted inline are flagged for
 * confirmation rather than confirmed.
 *
 * Example input:
97 * Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
98 * Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN
 */
100 void *SonicWall_Decoder_Exec(Eventinfo *lf)
/* NOTE(review): the declarations of i (index reused by the cleanup loops
 * and the protocol copy) and of category (target of a 7-byte strncpy) are
 * not in this listing; category must be at least 8 bytes with a NUL in
 * its last byte for the strcmp on it below to be safe -- confirm. */
104 char *tmp_str = NULL;
107 /* Zeroing category */
/* (the zeroing statement itself is not shown) */
109 lf->decoder_info->type = SYSLOG;
113 /** We first run our regex to extract the severity, cat and id. **/
/* tmp_str receives the pointer returned by OSRegex_Execute and is fed to
 * the next regex; presumably it points just past this match.  The
 * no-match path (not shown) presumably leaves the function. */
114 if(!(tmp_str = OSRegex_Execute(lf->log, __sonic_regex_prid)))
119 /* Getting severity, id and category */
120 if(__sonic_regex_prid->sub_strings[0] &&
121 __sonic_regex_prid->sub_strings[1] &&
122 __sonic_regex_prid->sub_strings[2])
/* Captures 0 (pri) and 2 (m) are moved into lf; their slots are NULLed
 * below so the cleanup loop does not free what lf now owns. */
124 lf->status = __sonic_regex_prid->sub_strings[0];
125 lf->id = __sonic_regex_prid->sub_strings[2];
128 /* Getting category */
/* strncpy copies at most 7 bytes and does not guarantee termination; the
 * terminator has to come from category's own initialisation. */
129 strncpy(category, __sonic_regex_prid->sub_strings[1], 7);
132 /* Clearing all substrings */
133 __sonic_regex_prid->sub_strings[0] = NULL;
134 __sonic_regex_prid->sub_strings[2] = NULL;
/* capture 1 was copied rather than moved, so it is released here */
136 free(__sonic_regex_prid->sub_strings[1]);
137 __sonic_regex_prid->sub_strings[1] = NULL;
/* Release any further captures still held by the regex object. */
142 while(__sonic_regex_prid->sub_strings[i])
144 free(__sonic_regex_prid->sub_strings[i]);
145 __sonic_regex_prid->sub_strings[i] = NULL;
155 /** Getting ips and ports **/
/* Runs on tmp_str, i.e. the remainder handed back by the first match. */
156 if(!(tmp_str = OSRegex_Execute(tmp_str, __sonic_regex_sdip)))
160 if(__sonic_regex_sdip->sub_strings[0] &&
161 __sonic_regex_sdip->sub_strings[1] &&
162 __sonic_regex_sdip->sub_strings[2] &&
163 __sonic_regex_sdip->sub_strings[3])
165 /* Setting all the values */
/* Captures 0-3 are moved into lf (srcip, srcport, dstip, dstport). */
166 lf->srcip = __sonic_regex_sdip->sub_strings[0];
167 lf->srcport = __sonic_regex_sdip->sub_strings[1];
168 lf->dstip = __sonic_regex_sdip->sub_strings[2];
169 lf->dstport = __sonic_regex_sdip->sub_strings[3];
172 /* Clearing substrings */
/* slots NULLed so the cleanup loop below leaves lf's strings alone */
173 __sonic_regex_sdip->sub_strings[0] = NULL;
174 __sonic_regex_sdip->sub_strings[1] = NULL;
175 __sonic_regex_sdip->sub_strings[2] = NULL;
176 __sonic_regex_sdip->sub_strings[3] = NULL;
179 /* Looking for protocol */
/* strchr returns NULL when no space follows the dst field; the lines
 * between here and the strncmp are not shown, so the NULL check is
 * assumed to be there -- confirm, strncmp on NULL is undefined. */
180 tmp_str = strchr(tmp_str, ' ');
184 if(strncmp(tmp_str, "proto=", 6) == 0)
192 /* Allocating memory for the protocol */
/* proto is 8 bytes; the copy loop body (not shown) must stop writing at
 * index 6 so that proto[7] stays NUL.  This is the one fixed-size copy in
 * the decoder driven directly by log content -- confirm the bound. */
193 os_calloc(8, sizeof(char), proto);
194 while(isValidChar(*tmp_str) && (*tmp_str != '/'))
206 /* Setting protocol to event info structure */
/* lf takes ownership of proto */
207 lf->protocol = proto;
/* Release any captures not moved into lf. */
214 while(__sonic_regex_sdip->sub_strings[i])
216 free(__sonic_regex_sdip->sub_strings[i]);
217 __sonic_regex_sdip->sub_strings[i] = 0;
227 /** Setting the category/action based on the id. **/
/* c=32 is classified as an IDS event (see the login-denied example above). */
230 if(strcmp(category, "32") == 0)
232 lf->decoder_info->type = IDS;
235 /* Firewall connection opened */
/* NOTE(review): lf->id is only assigned inside the guarded block above;
 * if that guard failed and no early return sits on the omitted lines,
 * every strcmp() from here on is called with a NULL lf->id. */
236 else if((strcmp(lf->id, "98") == 0) ||
237 (strcmp(lf->id, "597") == 0) ||
238 (strcmp(lf->id, "598") == 0))
240 lf->decoder_info->type = FIREWALL;
241 os_strdup("pass", lf->action);
244 /* Firewall connection dropped */
245 else if((strcmp(lf->id, "38") == 0) ||
246 (strcmp(lf->id, "36") == 0) ||
247 (strcmp(lf->id, "173") == 0) ||
248 (strcmp(lf->id, "174") == 0) ||
249 (strcmp(lf->id, "37") == 0))
251 lf->decoder_info->type = FIREWALL;
252 os_strdup("drop", lf->action);
255 /* Firewall connection closed */
256 else if(strcmp(lf->id, "537") == 0)
258 lf->decoder_info->type = FIREWALL;
259 os_strdup("close", lf->action);
/* Web proxy event: the proxy regex below apparently runs inside this
 * branch (braces not shown). */
263 else if(strcmp(lf->id, "97") == 0)
265 lf->decoder_info->type = SQUID;
268 /* Checking if tmp_str is valid */
/* tmp_str may be NULL (from the strchr above) or point past the proto
 * token; the check itself is on lines not shown. */
275 /* We first run our regex to extract the severity and id. */
276 if(!OSRegex_Execute(tmp_str, __sonic_regex_prox))
282 /* Getting HTTP responde code as id */
/* NOTE(review): lf->id already holds the m= string moved in above.  The
 * line between this check and the assignment is not shown; if it does
 * not free(lf->id) first, that string leaks on every proxy event. */
283 if(__sonic_regex_prox->sub_strings[0])
286 lf->id = __sonic_regex_prox->sub_strings[0];
287 __sonic_regex_prox->sub_strings[0] = NULL;
295 /* Getting HTTP page */
296 if(__sonic_regex_prox->sub_strings[1] &&
297 __sonic_regex_prox->sub_strings[2])
/* url_size covers both strings, the terminator and one spare byte; the
 * buffer is one byte larger still and snprintf is bounded by url_size, so
 * the dstname+arg concatenation can neither overflow nor truncate. */
300 int url_size = strlen(__sonic_regex_prox->sub_strings[1]) +
301 strlen(__sonic_regex_prox->sub_strings[2]) + 2;
303 os_calloc(url_size +1, sizeof(char), final_url);
304 snprintf(final_url, url_size, "%s%s",
305 __sonic_regex_prox->sub_strings[1],
306 __sonic_regex_prox->sub_strings[2]);
309 /* Clearing the memory */
/* both captures were copied into final_url, so they are released here */
310 free(__sonic_regex_prox->sub_strings[1]);
311 free(__sonic_regex_prox->sub_strings[2]);
312 __sonic_regex_prox->sub_strings[1] = NULL;
313 __sonic_regex_prox->sub_strings[2] = NULL;
316 /* Setting the url */
/* (the assignment of final_url into lf is on a line not shown) */
/* Error path; the condition that leads here is not part of this listing. */
321 merror("%s: Error getting regex - SonicWall." , ARGV0);