1 /* Copyright (C) 2015 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
11 #include "json_extended.h"
16 #include <sys/resource.h>
20 /* Convert Eventinfo to json */
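/**
 * Serialize an alert (Eventinfo) as unformatted JSON text.
 *
 * Every optional member of @p lf that is non-NULL / non-zero becomes a key
 * on the root object; unset members are omitted rather than emitted as
 * null. The "rule" object is always attached (empty when no rule fired).
 * Syscheck before/after pairs are emitted under "SyscheckFile" only when the
 * two values differ. W_ParseJSON() adds the extended fields before the tree
 * is printed.
 *
 * @param lf  Alert to serialize; must be non-NULL.
 * @return Newly allocated JSON string owned by the caller (release it with
 *         the cJSON allocator), or NULL when cJSON could not allocate.
 */
char *Eventinfo_to_jsonstr(const Eventinfo *lf)
{
    /* Shared with the alerts writer; combined with the event time to build
     * a per-alert id. NOTE(review): presumed to be the current alerts-log
     * offset — confirm against the writer before relying on uniqueness. */
    extern long int __crt_ftell;
    cJSON *root = NULL;
    cJSON *rule = NULL;
    cJSON *file_diff = NULL;
    cJSON *decoder = NULL;
    char *out = NULL;
    /* "%ld.%ld": two longs of up to 20 chars each (sign included), a dot and
     * the terminator need 42 bytes; 48 leaves headroom. The old 22-byte
     * buffer could silently truncate and the truncation was never checked. */
    char alert_id[48] = "";
    double timestamp_ms = 0.0;
    int n = 0;
    int i = 0;

    root = cJSON_CreateObject();
    if (!root) {
        merror("cJSON_CreateObject failed");
        return NULL;
    }

    /* Attached unconditionally so the output shape is stable; it is only
     * populated below when a rule actually fired. */
    rule = cJSON_CreateObject();
    cJSON_AddItemToObject(root, "rule", rule);

    timestamp_ms = ((double)lf->time) * 1000;

    n = snprintf(alert_id, sizeof alert_id, "%ld.%ld",
                 (long int)lf->time, __crt_ftell);
    if (n < 0 || (size_t)n >= sizeof alert_id) {
        /* Best-effort: the alert still goes out with whatever id fits. */
        merror("snprintf failed");
    }

    cJSON_AddStringToObject(root, "id", alert_id);
    cJSON_AddNumberToObject(root, "TimeStamp", timestamp_ms);

    if (rule && lf->generated_rule) {
        if (lf->generated_rule->level) {
            cJSON_AddNumberToObject(rule, "level", lf->generated_rule->level);
        }
        if (lf->generated_rule->comment) {
            cJSON_AddStringToObject(rule, "comment", lf->generated_rule->comment);
        }
        if (lf->generated_rule->sigid) {
            cJSON_AddNumberToObject(rule, "sidid", lf->generated_rule->sigid);
        }
        if (lf->generated_rule->cve) {
            cJSON_AddStringToObject(rule, "cve", lf->generated_rule->cve);
        }
        if (lf->generated_rule->info) {
            cJSON_AddStringToObject(rule, "info", lf->generated_rule->info);
        }
        if (lf->generated_rule->frequency) {
            cJSON_AddNumberToObject(rule, "frequency", lf->generated_rule->frequency);
        }
        if (lf->generated_rule->firedtimes) {
            cJSON_AddNumberToObject(rule, "firedtimes", lf->generated_rule->firedtimes);
        }
    }

    /* decoder_info is checked for NULL further down before the decoder
     * object is built; the same check is needed here. */
    if (lf->decoder_info) {
        if (lf->decoder_info->name) {
            /* Note: a second "decoder" entry (an object) is added below, so
             * the printed JSON carries the key twice; kept for compatibility
             * with existing consumers. */
            cJSON_AddStringToObject(root, "decoder", lf->decoder_info->name);
        }
        if (lf->decoder_info->parent) {
            cJSON_AddStringToObject(root, "decoder_parent", lf->decoder_info->parent);
        }
    }

    if (lf->action) {
        cJSON_AddStringToObject(root, "action", lf->action);
    }
    if (lf->protocol) {
        cJSON_AddStringToObject(root, "protocol", lf->protocol);
    }
    if (lf->srcip) {
        cJSON_AddStringToObject(root, "srcip", lf->srcip);
    }
#ifdef LIBGEOIP_ENABLED
    if (lf->srcgeoip && Config.geoip_jsonout) {
        cJSON_AddStringToObject(root, "srcgeoip", lf->srcgeoip);
    }
#endif
    if (lf->srcport) {
        cJSON_AddStringToObject(root, "srcport", lf->srcport);
    }
    if (lf->srcuser) {
        cJSON_AddStringToObject(root, "srcuser", lf->srcuser);
    }
    if (lf->dstip) {
        cJSON_AddStringToObject(root, "dstip", lf->dstip);
    }
#ifdef LIBGEOIP_ENABLED
    if (lf->dstgeoip && Config.geoip_jsonout) {
        cJSON_AddStringToObject(root, "dstgeoip", lf->dstgeoip);
    }
#endif
    if (lf->dstport) {
        cJSON_AddStringToObject(root, "dstport", lf->dstport);
    }
    if (lf->dstuser) {
        cJSON_AddStringToObject(root, "dstuser", lf->dstuser);
    }
    if (lf->location) {
        cJSON_AddStringToObject(root, "location", lf->location);
    }
    if (lf->full_log) {
        cJSON_AddStringToObject(root, "full_log", lf->full_log);
    }

    /* last_events hangs off the rule, so it is only reachable when one
     * fired; guard it exactly like the rule block above. */
    if (lf->generated_rule && lf->generated_rule->last_events
        && lf->generated_rule->last_events[1]
        && lf->generated_rule->last_events[1][0]) {
        cJSON_AddStringToObject(root, "previous_output", lf->generated_rule->last_events[1]);
    }

    /* File-integrity events carry a filename; each before/after pair is
     * emitted only when the value actually changed. */
    if (lf->filename) {
        file_diff = cJSON_CreateObject();
        if (file_diff) {
            cJSON_AddItemToObject(root, "SyscheckFile", file_diff);
            cJSON_AddStringToObject(file_diff, "path", lf->filename);

            if (lf->md5_before && lf->md5_after
                && strcmp(lf->md5_before, lf->md5_after) != 0) {
                cJSON_AddStringToObject(file_diff, "md5_before", lf->md5_before);
                cJSON_AddStringToObject(file_diff, "md5_after", lf->md5_after);
            }
            if (lf->sha1_before && lf->sha1_after
                && strcmp(lf->sha1_before, lf->sha1_after) != 0) {
                cJSON_AddStringToObject(file_diff, "sha1_before", lf->sha1_before);
                cJSON_AddStringToObject(file_diff, "sha1_after", lf->sha1_after);
            }
            if (lf->owner_before && lf->owner_after
                && strcmp(lf->owner_before, lf->owner_after) != 0) {
                cJSON_AddStringToObject(file_diff, "owner_before", lf->owner_before);
                cJSON_AddStringToObject(file_diff, "owner_after", lf->owner_after);
            }
            if (lf->gowner_before && lf->gowner_after
                && strcmp(lf->gowner_before, lf->gowner_after) != 0) {
                cJSON_AddStringToObject(file_diff, "gowner_before", lf->gowner_before);
                cJSON_AddStringToObject(file_diff, "gowner_after", lf->gowner_after);
            }
            /* Permissions are numeric, so a plain comparison is enough. */
            if (lf->perm_before && lf->perm_after
                && lf->perm_before != lf->perm_after) {
                cJSON_AddNumberToObject(file_diff, "perm_before", lf->perm_before);
                cJSON_AddNumberToObject(file_diff, "perm_after", lf->perm_after);
            }
        }
    }

    if (lf->hostname) {
        cJSON_AddStringToObject(root, "hostname", lf->hostname);
    }
    if (lf->program_name) {
        cJSON_AddStringToObject(root, "program_name", lf->program_name);
    }
    if (lf->status) {
        cJSON_AddStringToObject(root, "status", lf->status);
    }
    if (lf->command) {
        cJSON_AddStringToObject(root, "command", lf->command);
    }
    if (lf->url) {
        cJSON_AddStringToObject(root, "url", lf->url);
    }
    if (lf->data) {
        cJSON_AddStringToObject(root, "data", lf->data);
    }
    if (lf->systemname) {
        cJSON_AddStringToObject(root, "systemname", lf->systemname);
    }

    if (lf->decoder_info) {
        /* Dynamic decoder fields: key names come from the decoder
         * definition, values from the event, in parallel slots up to
         * Config.decoder_order_size. Key names are decoder-supplied, not
         * event-supplied, so they cannot be forged by the log source. */
        if (lf->decoder_info->fields) {
            for (i = 0; i < Config.decoder_order_size; i++) {
                if (lf->decoder_info->fields[i] && lf->fields[i]) {
                    cJSON_AddStringToObject(root, lf->decoder_info->fields[i], lf->fields[i]);
                }
            }
        }

        decoder = cJSON_CreateObject();
        if (decoder) {
            cJSON_AddItemToObject(root, "decoder", decoder);

            if (lf->decoder_info->fts) {
                cJSON_AddNumberToObject(decoder, "fts", lf->decoder_info->fts);
            }
            if (lf->decoder_info->accumulate) {
                cJSON_AddNumberToObject(decoder, "accumulate", lf->decoder_info->accumulate);
            }
            if (lf->decoder_info->parent) {
                cJSON_AddStringToObject(decoder, "parent", lf->decoder_info->parent);
            }
            if (lf->decoder_info->name) {
                cJSON_AddStringToObject(decoder, "name", lf->decoder_info->name);
            }
            if (lf->decoder_info->ftscomment) {
                cJSON_AddStringToObject(decoder, "ftscomment", lf->decoder_info->ftscomment);
            }
        }
    }

    /* Extended fields (see json_extended.h) are added last. */
    W_ParseJSON(root, lf);

    out = cJSON_PrintUnformatted(root);
    /* The tree is not needed once printed; the string belongs to the caller. */
    cJSON_Delete(root);
    return out;
}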
/* Convert Archiveinfo to json.
 * NOTE(review): the sha1, owner and gowner before/after checks below are
 * written as `!strcmp(a, b) != 0`, which is true when the two values are
 * EQUAL — the opposite of the md5 check here and of the same checks in
 * Eventinfo_to_jsonstr(); they should read `strcmp(a, b) != 0`. */
214 char *Archiveinfo_to_jsonstr(const Eventinfo *lf)
220 root = cJSON_CreateObject();
223 cJSON_AddStringToObject(root, "program_name", lf->program_name);
226 cJSON_AddStringToObject(root, "log", lf->log);
229 cJSON_AddStringToObject(root, "srcip", lf->srcip);
232 cJSON_AddStringToObject(root, "dstip", lf->dstip);
235 cJSON_AddStringToObject(root, "srcport", lf->srcport);
238 cJSON_AddStringToObject(root, "dstport", lf->dstport);
241 cJSON_AddStringToObject(root, "protocol", lf->protocol);
244 cJSON_AddStringToObject(root, "action", lf->action);
247 cJSON_AddStringToObject(root, "srcuser", lf->srcuser);
250 cJSON_AddStringToObject(root, "dstuser", lf->dstuser);
253 cJSON_AddStringToObject(root, "id", lf->id);
256 cJSON_AddStringToObject(root, "status", lf->status);
259 cJSON_AddStringToObject(root, "command", lf->command);
262 cJSON_AddStringToObject(root, "url", lf->url);
265 cJSON_AddStringToObject(root, "data", lf->data);
268 cJSON_AddStringToObject(root, "systemname", lf->systemname);
272 cJSON_AddStringToObject(root, "filename", lf->filename);
274 if (lf->md5_before && lf->md5_after && strcmp(lf->md5_before, lf->md5_after) != 0) {
275 cJSON_AddStringToObject(root, "md5_before", lf->md5_before);
276 cJSON_AddStringToObject(root, "md5_after", lf->md5_after);
278 if (lf->sha1_before && lf->sha1_after && !strcmp(lf->sha1_before, lf->sha1_after) != 0) {
279 cJSON_AddStringToObject(root, "sha1_before", lf->sha1_before);
280 cJSON_AddStringToObject(root, "sha1_after", lf->sha1_after);
282 if (lf->owner_before && lf->owner_after && !strcmp(lf->owner_before, lf->owner_after) != 0) {
283 cJSON_AddStringToObject(root, "owner_before", lf->owner_before);
284 cJSON_AddStringToObject(root, "owner_after", lf->owner_after);
286 if (lf->gowner_before && lf->gowner_after && !strcmp(lf->gowner_before, lf->gowner_after) != 0) {
287 cJSON_AddStringToObject(root, "gowner_before", lf->gowner_before);
288 cJSON_AddStringToObject(root, "gowner_after", lf->gowner_after);
290 if (lf->perm_before && lf->perm_after && lf->perm_before != lf->perm_after) {
291 cJSON_AddNumberToObject(root, "perm_before", lf->perm_before);
292 cJSON_AddNumberToObject(root, "perm_after", lf->perm_after);
298 if(lf->generated_rule){
301 cJSON_AddItemToObject(root, "rule", rule = cJSON_CreateObject());
303 if (lf->generated_rule->level)
304 cJSON_AddNumberToObject(rule, "level", lf->generated_rule->level);
306 if (lf->generated_rule->comment)
307 cJSON_AddStringToObject(rule, "comment", lf->generated_rule->comment);
309 if (lf->generated_rule->sigid)
310 cJSON_AddNumberToObject(rule, "sidid", lf->generated_rule->sigid);
312 if (lf->generated_rule->cve)
313 cJSON_AddStringToObject(rule, "cve", lf->generated_rule->cve);
315 if (lf->generated_rule->info)
316 cJSON_AddStringToObject(rule, "info", lf->generated_rule->info);
318 if (lf->generated_rule->frequency)
319 cJSON_AddNumberToObject(rule, "frequency", lf->generated_rule->frequency);
321 if (lf->generated_rule->firedtimes)
322 cJSON_AddNumberToObject(rule, "firedtimes", lf->generated_rule->firedtimes);
324 if (lf->generated_rule->group) {
325 W_JSON_ParseGroups(root,lf,1);
328 if (lf->full_log && W_isRootcheck(root,1)) {
329 W_JSON_ParseRootcheck(root,lf,1);
335 if(lf->decoder_info){
338 if (lf->decoder_info->fields) {
339 for (i = 0; i < Config.decoder_order_size; i++) {
340 if (lf->decoder_info->fields[i] && lf->fields[i]) {
341 cJSON_AddStringToObject(root, lf->decoder_info->fields[i], lf->fields[i]);
346 cJSON_AddItemToObject(root, "decoder", decoder = cJSON_CreateObject());
348 if (lf->decoder_info->fts)
349 cJSON_AddNumberToObject(decoder, "fts", lf->decoder_info->fts);
350 if (lf->decoder_info->accumulate)
351 cJSON_AddNumberToObject(decoder, "accumulate", lf->decoder_info->accumulate);
353 if (lf->decoder_info->parent)
354 cJSON_AddStringToObject(decoder, "parent", lf->decoder_info->parent);
355 if (lf->decoder_info->name)
356 cJSON_AddStringToObject(decoder, "name", lf->decoder_info->name);
357 if (lf->decoder_info->ftscomment)
358 cJSON_AddStringToObject(decoder, "ftscomment", lf->decoder_info->ftscomment);
364 cJSON_AddStringToObject(root, "full_log", lf->full_log);
366 if(lf->year && strnlen(lf->mon, 4) && lf->day && strnlen(lf->hour, 10))
367 W_JSON_ParseTimestamp(root, lf);
370 W_JSON_ParseHostname(root, lf->hostname);
371 W_JSON_ParseAgentIP(root, lf);
375 W_JSON_ParseLocation(root,lf,0);
380 out = cJSON_PrintUnformatted(root);