1 /* @(#) $Id: ./src/shared/read-alert.c, 2011/11/09 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
12 * License details at the LICENSE file included with OSSEC or
13 * online at: http://www.ossec.net/en/licensing.html
/* Alert-log reading functions: parse "** Alert" records from an OSSEC alert stream into alert_data */
20 #include "read-alert.h"
/* Record header format: "** Alert <alertid>: <flags>", where <flags> may
 * contain "mail" and/or "active-response"; the field lines that follow the
 * header are matched against the prefixes defined below. */
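/*
 * Fixed prefixes that introduce each field of an alert record, with the
 * lengths that GetAlertData() passes to strncmp() and uses to skip past the
 * prefix.  The lengths are derived from the literals with ALERT_PREFIX_SZ()
 * instead of being hand-counted: a hand-counted length that is off by one
 * silently mis-parses (or over-reads past) every record, and nothing warns
 * when a prefix is edited but its count is not.  ALERT_PREFIX_SZ() yields
 * an int, the same type the former literal constants had.
 */
#define ALERT_PREFIX_SZ(s) ((int)(sizeof(s) - 1))

/* Record header */
#define ALERT_BEGIN "** Alert"
#define ALERT_BEGIN_SZ ALERT_PREFIX_SZ(ALERT_BEGIN)

/* Field lines */
#define RULE_BEGIN "Rule: "
#define RULE_BEGIN_SZ ALERT_PREFIX_SZ(RULE_BEGIN)
#define SRCIP_BEGIN "Src IP: "
#define SRCIP_BEGIN_SZ ALERT_PREFIX_SZ(SRCIP_BEGIN)
#define GEOIP_BEGIN_SRC "Src Location: "
#define GEOIP_BEGIN_SRC_SZ ALERT_PREFIX_SZ(GEOIP_BEGIN_SRC)
#define GEOIP_BEGIN_DST "Dst Location: "
#define GEOIP_BEGIN_DST_SZ ALERT_PREFIX_SZ(GEOIP_BEGIN_DST)
#define SRCPORT_BEGIN "Src Port: "
#define SRCPORT_BEGIN_SZ ALERT_PREFIX_SZ(SRCPORT_BEGIN)
#define DSTIP_BEGIN "Dst IP: "
#define DSTIP_BEGIN_SZ ALERT_PREFIX_SZ(DSTIP_BEGIN)
#define DSTPORT_BEGIN "Dst Port: "
#define DSTPORT_BEGIN_SZ ALERT_PREFIX_SZ(DSTPORT_BEGIN)
#define USER_BEGIN "User: "
#define USER_BEGIN_SZ ALERT_PREFIX_SZ(USER_BEGIN)

/* Flags carried in the header line after the alert id */
#define ALERT_MAIL "mail"
#define ALERT_MAIL_SZ ALERT_PREFIX_SZ(ALERT_MAIL)
#define ALERT_AR "active-response"
#define ALERT_AR_SZ ALERT_PREFIX_SZ(ALERT_AR)

/* syscheck (integrity) checksum lines */
#define OLDMD5_BEGIN "Old md5sum was: "
#define OLDMD5_BEGIN_SZ ALERT_PREFIX_SZ(OLDMD5_BEGIN)
#define NEWMD5_BEGIN "New md5sum is : "
#define NEWMD5_BEGIN_SZ ALERT_PREFIX_SZ(NEWMD5_BEGIN)
#define OLDSHA1_BEGIN "Old sha1sum was: "
#define OLDSHA1_BEGIN_SZ ALERT_PREFIX_SZ(OLDSHA1_BEGIN)
#define NEWSHA1_BEGIN "New sha1sum is : "
#define NEWSHA1_BEGIN_SZ ALERT_PREFIX_SZ(NEWSHA1_BEGIN)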
56 /** void FreeAlertData(alert_data *al_data)
void FreeAlertData(alert_data *al_data)
/* Releases the heap strings owned by *al_data and resets each pointer to
 * NULL, so a second FreeAlertData() on the same record, or a read after
 * it, sees NULL rather than a dangling pointer.  Only part of the function
 * is visible in this excerpt: whether al_data->log and the alert_data
 * struct itself are released here as well must be confirmed against the
 * full source before relying on either. */
free(al_data->alertid);
al_data->alertid = NULL;
free(al_data->location);
al_data->location = NULL;
free(al_data->comment);
al_data->comment = NULL;
/* group/srcip/dstip/user: the corresponding free() calls are presumably
 * in the lines not shown here -- confirm, otherwise these are leaks. */
al_data->group = NULL;
al_data->srcip = NULL;
al_data->dstip = NULL;
al_data->user = NULL;
/* free(NULL) is a no-op, so the NULL guards below are redundant but
 * harmless; the reset to NULL afterwards is the part that matters. */
if(al_data->filename)
free(al_data->filename);
al_data->filename = NULL;
free(al_data->old_md5);
al_data->old_md5 = NULL;
free(al_data->new_md5);
al_data->new_md5 = NULL;
if(al_data->old_sha1)
free(al_data->old_sha1);
al_data->old_sha1 = NULL;
if(al_data->new_sha1)
free(al_data->new_sha1);
al_data->new_sha1 = NULL;
/* GeoIP location strings, set only when the record carried
 * "Src Location:" / "Dst Location:" lines. */
if (al_data->geoipdatasrc)
free(al_data->geoipdatasrc);
al_data->geoipdatasrc = NULL;
if (al_data->geoipdatadst)
free(al_data->geoipdatadst);
al_data->geoipdatadst = NULL;
/** alert_data *GetAlertData(int flag, FILE *fp)
 * Reads the next alert record from fp: the "** Alert" header, the
 * date/location line, the optional "Rule:", "Src IP:", "Src Port:",
 * "Dst IP:", "Dst Port:", "User:", "Src/Dst Location:" and old/new
 * md5sum/sha1sum lines, then the log lines, ended by a blank line.  The
 * fields are returned in a freshly calloc'ed alert_data (presumably to be
 * released with FreeAlertData()).  flag is a bitmask; CRALERT_MAIL_SET
 * appears to restrict the result to alerts whose header carries the
 * "mail" flag.
 * NOTE(review): the record is parsed as trusted text, so a malformed or
 * truncated alert log reaches this code unfiltered.  In the syscheck
 * branch, filename = strdup(str+33) is followed by
 * filename[strlen(filename) - 1] = '\0'; when the copied tail is empty
 * (a header line with no trailing newline at EOF) that store lands one
 * byte before the buffer, and no NULL check on strdup() is visible in this
 * excerpt.  The alert id is copied with strncpy(alertid, p, z), which does
 * not terminate the string by itself -- confirm the explicit '\0' store
 * that must follow -- and the (z + 1)*sizeof(char *) allocation is
 * sizeof(char *) times larger than needed (harmless, but misleading).
161 alert_data *GetAlertData(int flag, FILE *fp)
163 int _r = 0, log_size = 0, issyscheck = 0;
166 char *alertid = NULL;
168 char *comment = NULL;
169 char *location = NULL;
174 char *filename = NULL;
175 char *old_md5 = NULL;
176 char *new_md5 = NULL;
177 char *old_sha1 = NULL;
178 char *new_sha1 = NULL;
181 char *geoipdatasrc = NULL;
182 char *geoipdatadst = NULL;
184 int level, rule, srcport = 0, dstport = 0;
187 char str[OS_BUFFER_SIZE+1];
188 str[OS_BUFFER_SIZE]='\0';
191 while(fgets(str, OS_BUFFER_SIZE, fp) != NULL)
195 if(strcmp(str, "\n") == 0 && log_size > 0)
201 os_calloc(1, sizeof(alert_data), al_data);
202 al_data->alertid = alertid;
203 al_data->level = level;
204 al_data->rule = rule;
205 al_data->location = location;
206 al_data->comment = comment;
207 al_data->group = group;
209 al_data->srcip = srcip;
210 al_data->srcport = srcport;
211 al_data->dstip = dstip;
212 al_data->dstport = dstport;
213 al_data->user = user;
214 al_data->date = date;
215 al_data->filename = filename;
217 al_data->geoipdatasrc = geoipdatasrc;
218 al_data->geoipdatadst = geoipdatadst;
220 al_data->old_md5 = old_md5;
221 al_data->new_md5 = new_md5;
222 al_data->old_sha1 = old_sha1;
223 al_data->new_sha1 = new_sha1;
232 /* Checking for the header */
233 if(strncmp(ALERT_BEGIN, str, ALERT_BEGIN_SZ) == 0)
237 p = str + ALERT_BEGIN_SZ + 1;
245 z = strlen(p) - strlen(m);
246 os_realloc(alertid, (z + 1)*sizeof(char *), alertid);
247 strncpy(alertid, p, z);
250 /* Searching for email flag */
260 /* Checking for the flags */
261 if((flag & CRALERT_MAIL_SET) &&
262 (strncmp(ALERT_MAIL, p, ALERT_MAIL_SZ) != 0))
273 /* Cleaning new line from group */
274 os_clearnl(group, p);
275 if(group != NULL && strstr(group, "syscheck") != NULL)
282 /* Searching for active-response flag */
291 /*** Extract information from the event ***/
293 /* r1 means: 2006 Apr 13 16:15:17 /var/log/auth.log */
299 p = strchr(str, ':');
310 /* If p is null it is because strchr failed */
311 merror("ZZZ: 1() Merror date or location not NULL");
318 /* If not, str is date and p is the location */
320 merror("ZZZ Merror date or location not NULL");
322 os_strdup(str, date);
323 os_strdup(p, location);
333 if(strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0)
337 p = str + RULE_BEGIN_SZ;
354 /* Getting the comment */
360 os_strdup(p, comment);
362 /* Must have the closing \' */
363 p = strrchr(comment, '\'');
375 else if(strncmp(SRCIP_BEGIN, str, SRCIP_BEGIN_SZ) == 0)
379 p = str + SRCIP_BEGIN_SZ;
383 /* GeoIP Source Location */
384 else if (strncmp(GEOIP_BEGIN_SRC, str, GEOIP_BEGIN_SRC_SZ) == 0)
387 p = str + GEOIP_BEGIN_SRC_SZ;
388 os_strdup(p, geoipdatasrc);
392 else if(strncmp(SRCPORT_BEGIN, str, SRCPORT_BEGIN_SZ) == 0)
396 p = str + SRCPORT_BEGIN_SZ;
400 else if(strncmp(DSTIP_BEGIN, str, DSTIP_BEGIN_SZ) == 0)
404 p = str + DSTIP_BEGIN_SZ;
408 /* GeoIP Destination Location */
409 else if (strncmp(GEOIP_BEGIN_DST, str, GEOIP_BEGIN_DST_SZ) == 0)
412 p = str + GEOIP_BEGIN_DST_SZ;
413 os_strdup(p, geoipdatadst);
417 else if(strncmp(DSTPORT_BEGIN, str, DSTPORT_BEGIN_SZ) == 0)
421 p = str + DSTPORT_BEGIN_SZ;
425 else if(strncmp(USER_BEGIN, str, USER_BEGIN_SZ) == 0)
429 p = str + USER_BEGIN_SZ;
433 else if(strncmp(OLDMD5_BEGIN, str, OLDMD5_BEGIN_SZ) == 0)
437 p = str + OLDMD5_BEGIN_SZ;
438 os_strdup(p, old_md5);
441 else if(strncmp(NEWMD5_BEGIN, str, NEWMD5_BEGIN_SZ) == 0)
445 p = str + NEWMD5_BEGIN_SZ;
446 os_strdup(p, new_md5);
449 else if(strncmp(OLDSHA1_BEGIN, str, OLDSHA1_BEGIN_SZ) == 0)
453 p = str + OLDSHA1_BEGIN_SZ;
454 os_strdup(p, old_sha1);
457 else if(strncmp(NEWSHA1_BEGIN, str, NEWSHA1_BEGIN_SZ) == 0)
461 p = str + NEWSHA1_BEGIN_SZ;
462 os_strdup(p, new_sha1);
464 /* It is a log message */
465 else if(log_size < 20)
469 if(str != NULL && issyscheck == 1)
471 if(strncmp(str, "Integrity checksum changed for: '",33) == 0)
473 filename = strdup(str+33);
476 filename[strlen(filename) -1] = '\0';
482 os_realloc(log, (log_size +2)*sizeof(char *), log);
483 os_strdup(str, log[log_size]);
485 log[log_size] = NULL;
492 /* Freeing the memory */
570 log[log_size] = NULL;
581 /* We need to clean end of file before returning */