1 /* @(#) $Id: ./src/analysisd/decoders/plugins/symantecws_decoder.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
12 * License details at the LICENSE file included with OSSEC or
13 * online at: http://www.ossec.net/en/licensing.html
17 #include "eventinfo.h"
20 /* Symantec Web Security decoder init */
21 void *SymantecWS_Decoder_Init()
/* Startup hook for this decoder: the only visible work is a debug trace
 * tagged with ARGV0; no decoder-specific state is set up here. */
23 debug1("%s: Initializing SymantecWS decoder..", ARGV0);
25 /* There is nothing to do over here -- the decoder keeps no per-instance state to initialise */
30 /* Symantec Web Security decoder
31 * Extracts, from the comma-separated key=value fields that follow the
 * date and time, the source IP (11= -> srcip), the user name (10= ->
 * dstuser), the URL (60= -> url) and the 2=/3= codes (-> id).
 * Every field is copied through a fixed local buffer with an explicit
 * length cap (128 bytes for user and IP, OS_SIZE_1024 for the URL, 9
 * for the id), so over-long input is truncated rather than overflowing
 * the buffer. Note that the id copy stops only at NUL or at its cap,
 * not at a comma, so it can span more than one field.
33 * Examples (also online at
34 * http://www.ossec.net/wiki/index.php/Symantec_WebSecurity ).
35 * 20070717,73613,1=5,11=10.1.1.3,10=userc,3=1,2=1
36 * 20070717,73614,1=5,11=1.2.3.4,1106=News,60=http://news.bbc.co.uk/,10=userX,1000=212.58.240.42,2=27
38 void *SymantecWS_Decoder_Exec(Eventinfo *lf)
41 char buf_str[OS_SIZE_1024 +1];
44 /* Initializing buffer */
46 buf_str[OS_SIZE_1024] = '\0';
49 /* Removing date and time */
50 if(!(tmp_str = strchr(lf->log, ',')))
54 if(!(tmp_str = strchr(tmp_str, ',')))
61 /* Getting all the values */
62 while(tmp_str != NULL)
64 /* Checking if we have the username */
65 if(strncmp(tmp_str, "10=", 3) == 0)
69 while(*tmp_str != '\0' && count < 128 && *tmp_str != ',')
71 buf_str[count] = *tmp_str;
74 buf_str[count] = '\0';
78 os_strdup(buf_str, lf->dstuser);
82 /* Checking the ip address */
83 else if(strncmp(tmp_str, "11=", 3) == 0)
87 while(*tmp_str != '\0' && count < 128 && *tmp_str != ',')
89 buf_str[count] = *tmp_str;
92 buf_str[count] = '\0';
94 /* Avoiding memory leaks -- only adding the first one */
97 os_strdup(buf_str, lf->srcip);
101 /* Getting the URL */
102 else if(strncmp(tmp_str, "60=", 3) == 0)
106 while(*tmp_str != '\0' && count < OS_SIZE_1024 && *tmp_str != ',')
108 buf_str[count] = *tmp_str;
111 buf_str[count] = '\0';
113 /* Avoiding memory leaks -- only adding the first one */
116 os_strdup(buf_str, lf->url);
121 else if((strncmp(tmp_str, "3=", 2) == 0) ||
122 (strncmp(tmp_str, "2=", 2) == 0))
125 while(*tmp_str != '\0' && count < 9)
127 buf_str[count] = *tmp_str;
130 buf_str[count] = '\0';
132 /* Avoiding memory leaks -- only adding the first one */
135 os_strdup(buf_str, lf->id);
139 /* Getting next entry */
140 tmp_str = strchr(tmp_str, ',');