1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
10 /* File monitoring functions */
13 #include "read-alert.h"
15 /* ** Alert xyz: email active-response ** */
17 #define ALERT_BEGIN "** Alert"
18 #define ALERT_BEGIN_SZ 8
19 #define RULE_BEGIN "Rule: "
20 #define RULE_BEGIN_SZ 6
21 #define SRCIP_BEGIN "Src IP: "
22 #define SRCIP_BEGIN_SZ 8
24 #ifdef LIBGEOIP_ENABLED
25 #define GEOIP_BEGIN_SRC "Src Location: "
26 #define GEOIP_BEGIN_SRC_SZ 14
27 #define GEOIP_BEGIN_DST "Dst Location: "
28 #define GEOIP_BEGIN_DST_SZ 14
29 #endif /* LIBGEOIP_ENABLED */
31 #define SRCPORT_BEGIN "Src Port: "
32 #define SRCPORT_BEGIN_SZ 10
33 #define DSTIP_BEGIN "Dst IP: "
34 #define DSTIP_BEGIN_SZ 8
35 #define DSTPORT_BEGIN "Dst Port: "
36 #define DSTPORT_BEGIN_SZ 10
37 #define USER_BEGIN "User: "
38 #define USER_BEGIN_SZ 6
39 #define ALERT_MAIL "mail"
40 #define ALERT_MAIL_SZ 4
41 #define OLDMD5_BEGIN "Old md5sum was: "
42 #define OLDMD5_BEGIN_SZ 16
43 #define NEWMD5_BEGIN "New md5sum is : "
44 #define NEWMD5_BEGIN_SZ 16
45 #define OLDSHA1_BEGIN "Old sha1sum was: "
46 #define OLDSHA1_BEGIN_SZ 17
47 #define NEWSHA1_BEGIN "New sha1sum is : "
48 #define NEWSHA1_BEGIN_SZ 17
49 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
50 #define SIZE_BEGIN "Size changed from "
51 #define SIZE_BEGIN_SZ 18
52 #define OWNER_BEGIN "Ownership was "
53 #define OWNER_BEGIN_SZ 14
54 #define GROUP_BEGIN "Group ownership was "
55 #define GROUP_BEGIN_SZ 20
56 #define PERM_BEGIN "Permissions changed from "
57 #define PERM_BEGIN_SZ 25
58 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
61 void FreeAlertData(alert_data *al_data)
65 if (al_data->alertid) {
66 free(al_data->alertid);
67 al_data->alertid = NULL;
73 if (al_data->location) {
74 free(al_data->location);
75 al_data->location = NULL;
77 if (al_data->comment) {
78 free(al_data->comment);
79 al_data->comment = NULL;
83 al_data->group = NULL;
87 al_data->srcip = NULL;
91 al_data->dstip = NULL;
97 if (al_data->filename) {
98 free(al_data->filename);
99 al_data->filename = NULL;
101 if (al_data->old_md5) {
102 free(al_data->old_md5);
103 al_data->old_md5 = NULL;
105 if (al_data->new_md5) {
106 free(al_data->new_md5);
107 al_data->new_md5 = NULL;
109 if (al_data->old_sha1) {
110 free(al_data->old_sha1);
111 al_data->old_sha1 = NULL;
113 if (al_data->new_sha1) {
114 free(al_data->new_sha1);
115 al_data->new_sha1 = NULL;
117 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
118 if(al_data->file_size)
120 free(al_data->file_size);
121 al_data->file_size = NULL;
123 if(al_data->owner_chg)
125 free(al_data->owner_chg);
126 al_data->owner_chg = NULL;
128 if(al_data->group_chg)
130 free(al_data->group_chg);
131 al_data->group_chg = NULL;
133 if(al_data->perm_chg)
135 free(al_data->perm_chg);
136 al_data->perm_chg = NULL;
138 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
150 #ifdef LIBGEOIP_ENABLED
151 if (al_data->srcgeoip) {
152 free(al_data->srcgeoip);
153 al_data->srcgeoip = NULL;
155 if (al_data->dstgeoip) {
156 free(al_data->dstgeoip);
157 al_data->dstgeoip = NULL;
164 /* Return alert data for the file specified */
165 alert_data *GetAlertData(int flag, FILE *fp)
167 int _r = 0, issyscheck = 0;
171 char *alertid = NULL;
173 char *comment = NULL;
174 char *location = NULL;
179 char *filename = NULL;
180 char *old_md5 = NULL;
181 char *new_md5 = NULL;
182 char *old_sha1 = NULL;
183 char *new_sha1 = NULL;
185 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
186 char *file_size = NULL;
187 char *owner_chg = NULL;
188 char *group_chg = NULL;
189 char *perm_chg = NULL;
190 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
191 #ifdef LIBGEOIP_ENABLED
192 char *srcgeoip = NULL;
193 char *dstgeoip = NULL;
195 int level = 0, rule = 0, srcport = 0, dstport = 0;
197 char str[OS_BUFFER_SIZE + 1];
198 str[OS_BUFFER_SIZE] = '\0';
200 while (fgets(str, OS_BUFFER_SIZE, fp) != NULL) {
202 if (strcmp(str, "\n") == 0 && log_size > 0) {
206 os_calloc(1, sizeof(alert_data), al_data);
207 al_data->alertid = alertid;
208 al_data->level = level;
209 al_data->rule = rule;
210 al_data->location = location;
211 al_data->comment = comment;
212 al_data->group = group;
214 al_data->srcip = srcip;
215 al_data->srcport = srcport;
216 al_data->dstip = dstip;
217 al_data->dstport = dstport;
218 al_data->user = user;
219 al_data->date = date;
220 al_data->filename = filename;
221 #ifdef LIBGEOIP_ENABLED
222 al_data->srcgeoip = srcgeoip ;
223 al_data->dstgeoip = dstgeoip;
225 al_data->old_md5 = old_md5;
226 al_data->new_md5 = new_md5;
227 al_data->old_sha1 = old_sha1;
228 al_data->new_sha1 = new_sha1;
229 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
230 al_data->file_size = file_size;
231 al_data->owner_chg = owner_chg;
232 al_data->group_chg = group_chg;
233 al_data->perm_chg = perm_chg;
234 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
242 /* Check for the header */
243 if (strncmp(ALERT_BEGIN, str, ALERT_BEGIN_SZ) == 0) {
246 p = str + ALERT_BEGIN_SZ + 1;
253 z = strlen(p) - strlen(m);
254 os_realloc(alertid, (z + 1)*sizeof(char), alertid);
255 strncpy(alertid, p, z);
258 /* Search for email flag */
266 /* Check for the flags */
267 if ((flag & CRALERT_MAIL_SET) &&
268 (strncmp(ALERT_MAIL, p, ALERT_MAIL_SZ) != 0)) {
278 /* Clean newline from group */
279 os_clearnl(group, p);
280 if (group != NULL && strstr(group, "syscheck") != NULL) {
285 /* Search for active-response flag */
294 /*** Extract information from the event ***/
296 /* r1 means: 2006 Apr 13 16:15:17 /var/log/auth.log */
301 p = strchr(str, ':');
308 /* If p is null it is because strchr failed */
309 merror("%s: ERROR: date or location not NULL", __local_name);
314 /* If not, str is date and p is the location */
315 if (date || location || !p) {
316 merror("%s: ERROR: date or location not NULL or p is NULL", __local_name);
320 os_strdup(str, date);
321 os_strdup(p, location);
325 } else if (_r == 2) {
327 if (strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0) {
330 p = str + RULE_BEGIN_SZ;
348 /* Get the comment */
356 os_strdup(p, comment);
358 /* Must have the closing \' */
359 p = strrchr(comment, '\'');
368 else if (strncmp(SRCIP_BEGIN, str, SRCIP_BEGIN_SZ) == 0) {
371 p = str + SRCIP_BEGIN_SZ;
375 #ifdef LIBGEOIP_ENABLED
376 /* GeoIP Source Location */
377 else if (strncmp(GEOIP_BEGIN_SRC, str, GEOIP_BEGIN_SRC_SZ) == 0) {
379 p = str + GEOIP_BEGIN_SRC_SZ;
381 os_strdup(p, srcgeoip);
385 else if (strncmp(SRCPORT_BEGIN, str, SRCPORT_BEGIN_SZ) == 0) {
388 p = str + SRCPORT_BEGIN_SZ;
392 else if (strncmp(DSTIP_BEGIN, str, DSTIP_BEGIN_SZ) == 0) {
395 p = str + DSTIP_BEGIN_SZ;
399 #ifdef LIBGEOIP_ENABLED
400 /* GeoIP Destination Location */
401 else if (strncmp(GEOIP_BEGIN_DST, str, GEOIP_BEGIN_DST_SZ) == 0) {
403 p = str + GEOIP_BEGIN_DST_SZ;
405 os_strdup(p, dstgeoip);
409 else if (strncmp(DSTPORT_BEGIN, str, DSTPORT_BEGIN_SZ) == 0) {
412 p = str + DSTPORT_BEGIN_SZ;
416 else if (strncmp(USER_BEGIN, str, USER_BEGIN_SZ) == 0) {
419 p = str + USER_BEGIN_SZ;
424 else if (strncmp(OLDMD5_BEGIN, str, OLDMD5_BEGIN_SZ) == 0) {
427 p = str + OLDMD5_BEGIN_SZ;
429 os_strdup(p, old_md5);
432 else if (strncmp(NEWMD5_BEGIN, str, NEWMD5_BEGIN_SZ) == 0) {
435 p = str + NEWMD5_BEGIN_SZ;
437 os_strdup(p, new_md5);
440 else if (strncmp(OLDSHA1_BEGIN, str, OLDSHA1_BEGIN_SZ) == 0) {
443 p = str + OLDSHA1_BEGIN_SZ;
445 os_strdup(p, old_sha1);
448 else if (strncmp(NEWSHA1_BEGIN, str, NEWSHA1_BEGIN_SZ) == 0) {
451 p = str + NEWSHA1_BEGIN_SZ;
453 os_strdup(p, new_sha1);
455 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
457 else if(strncmp(SIZE_BEGIN, str, SIZE_BEGIN_SZ) == 0)
461 p = str + SIZE_BEGIN_SZ;
465 os_strdup(p, file_size);
468 else if(strncmp(OWNER_BEGIN, str, OWNER_BEGIN_SZ) == 0)
472 p = str + OWNER_BEGIN_SZ;
476 os_strdup(p, owner_chg);
478 /* File Group Ownership */
479 else if(strncmp(GROUP_BEGIN, str, GROUP_BEGIN_SZ) == 0)
483 p = str + GROUP_BEGIN_SZ;
487 os_strdup(p, group_chg);
489 /* File Permissions */
490 else if(strncmp(PERM_BEGIN, str, PERM_BEGIN_SZ) == 0)
494 p = str + PERM_BEGIN_SZ;
498 os_strdup(p, perm_chg);
500 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
501 /* It is a log message */
502 else if (log_size < 20) {
505 if (issyscheck == 1) {
506 if (strncmp(str, "Integrity checksum changed for: '", 33) == 0) {
507 filename = strdup(str + 33);
509 filename[strlen(filename) - 1] = '\0';
515 os_realloc(log, (log_size + 2)*sizeof(char *), log);
516 os_strdup(str, log[log_size]);
518 log[log_size] = NULL;
524 /* Free the memory */
542 #ifdef LIBGEOIP_ENABLED
583 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
604 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
605 while (log_size > 0) {
609 log[log_size] = NULL;
631 while (log_size > 0) {
635 log[log_size] = NULL;
649 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
654 /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
655 #ifdef LIBGEOIP_ENABLED
660 /* We need to clean end of file before returning */