--- /dev/null
+#!/usr/bin/perl -w\r
+use Socket;\r
+use POSIX 'setsid';\r
+use strict;\r
+use ossecmysql;\r
+# ---------------------------------------------------------------------------\r
+# Author: Meir Michanie (meirm@riunx.com)\r
+# Co-Author: J.A.Senger (jorge@br10.com.br)\r
+# $Id$\r
+# ---------------------------------------------------------------------------\r
+# http://www.riunx.com/\r
+# ---------------------------------------------------------------------------\r
+#\r
+# ---------------------------------------------------------------------------\r
+# About this script\r
+# ---------------------------------------------------------------------------\r
+#\r
+# "Ossec to Snorby" records the OSSEC HIDS alert logs in MySQL database.\r
+# It can run as a daemon (ossec2snorby.pl), recording in real-time the logs in database or\r
+# as a simple script (ossec2snorby.pl).\r
+#\r
+# ---------------------------------------------------------------------------\r
+# Snorby support by Jean-Pierre Zurbrugg (jp.zurbrugg@live.com)\r
+# ---------------------------------------------------------------------------\r
+# The original script by the Author and Co-author was taken as a template and\r
+# modified to work with Snorby (http://snorby.org) which uses a Snort DB schema.\r
+# Credit must go to the author\Co-author for the initial template. \r
+#\r
+########################### WARNING ###############################\r
+# My modifications are by far stable and worthy of a production environment\r
+# WHITHOUT INICIAL TWEAKING. Please setup your labs and make sure everything\r
+# works properly before using this script on a production environment.\r
+########################### WARNING ###############################\r
+#\r
+#\r
+# Changelog:\r
+# * Extra validations were added to make sure srcip\dstip do not remain with\r
+# a default value of "0" which causes GUI parsing errors if left unhandled.\r
+# * Validation against '$hostname'; if localhost then srcip="127.0.0.1"\r
+# * Snorby expects IP related data to be published on its "iphdr" table.\r
+# * Snorby expects OSSEC's logs to be converted to HEX and wordwrapped.\r
+# * Modified the scripts "Daemon" mode; it now uses "tail -Fn 0 <file>"\r
+#\r
+# ---------------------------------------------------------------------------\r
+# Prerequisites\r
+# ---------------------------------------------------------------------------\r
+#\r
+# MySQL Server\r
+# Perl DBD::mysql module\r
+# Perl DBI module\r
+#\r
+# Snorby prerequesites:\r
+# import ossec2snorby_category.sql from contrib directory\r
+# Populate "domain" in /etc/ossec2snorby.conf\r
+#\r
+# ---------------------------------------------------------------------------\r
+# Installation steps\r
+# ---------------------------------------------------------------------------\r
+# \r
+# 1) Create a user to access the database initially created by Snorby;\r
+# 2) Copy ossec2snorby.conf to /etc/ossec2snorby.conf with 0600 permissions\r
+# 3) Edit /etc/ossec2snorby.conf according to your needs:\r
+# dbhost=localhost\r
+# database=snorby\r
+# debug=5\r
+# dbport=3306\r
+# dbpasswd=mypassword\r
+# dbuser=ossecuser\r
+# daemonize=0\r
+# resolve=1\r
+# domain=mydomain.local\r
+#\r
+# NOTE: It is recommended to keep "resolve" as "1" and populate "domain" with\r
+# your actual domain. Not doing so will restrict the script and force it\r
+# to populate IPs as "0.0.0.1" for events whose SRC or DST IP are unknown.\r
+#\r
+# ---------------------------------------------------------------------------\r
+# License\r
+# ---------------------------------------------------------------------------\r
+#\r
+# This program is free software; you can redistribute it and/or\r
+# modify it under the terms of the GNU General Public License\r
+# as published by the Free Software Foundation; either version 2\r
+# of the License, or (at your option) any later version.\r
+#\r
+# This program is distributed in the hope that it will be useful,\r
+# but WITHOUT ANY WARRANTY; without even the implied warranty of\r
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r
+# GNU General Public License for more details.\r
+#\r
+# You should have received a copy of the GNU General Public License\r
+# along with this program; if not, write to the Free Software\r
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\r
+#\r
+# ---------------------------------------------------------------------------\r
+# About OSSEC HIDS\r
+# ---------------------------------------------------------------------------\r
+#\r
+# OSSEC HIDS is an Open Source Host-based Intrusion Detection System.\r
+# It performs log analysis and correlation, integrity checking,\r
+# rootkit detection, time-based alerting and active response.\r
+# http://www.ossec.net\r
+#\r
+# ---------------------------------------------------------------------------\r
+\r
+# ---------------------------------------------------------------------------\r
+# Parameters\r
+# ---------------------------------------------------------------------------\r
+my $VERSION="0.4";\r
+$SIG{TERM} = sub { &gracefulend('TERM')};\r
+$SIG{INT} = sub { &gracefulend('INT')};\r
+\r
+# If no ARGV are given then present &help().\r
+&help() unless @ARGV;\r
+\r
+my ($RUNASDAEMON)=0;\r
+my ($DAEMONLOGFILE)='/var/log/ossec2snorby.log';\r
+my ($DAEMONLOGERRORFILE) = '/var/log/ossec2snorby.err';\r
+# Declare OSSEC's log path and filename format.\r
+my $LOG='/var/ossec/logs/alerts/alerts.log'; # we need to tail this file instead of the old.\r
+ # With this we can survive file rotations while\r
+ # running in daemon mode.\r
+\r
+my ($LOGGER)='ossec2snorby';\r
+my($OCT) = '(?:25[012345]|2[0-4]\d|1?\d\d?)';\r
+my($IP) = $OCT . '\.' . $OCT . '\.' . $OCT . '\.' . $OCT;\r
+my $dump=0;\r
+my ($hids_id,$hids,$hids_interface,$last_cid)=(undef, 'localhost', 'ossec',0);\r
+my ($tempvar,$VERBOSE)=(0,0); \r
+\r
+my %conf;\r
+$conf{dbhost}='localhost';\r
+$conf{database}='snort';\r
+$conf{debug}=5;\r
+$conf{dbport}='3306';\r
+$conf{dbpasswd}='password';\r
+$conf{dbuser}='user';\r
+$conf{daemonize}=0;\r
+$conf{sensor}='sensor';\r
+$conf{hids_interface}='ossec';\r
+$conf{resolve}=1;\r
+$conf{domain}='';\r
+\r
+# OSSEC's default class_ID\r
+# We will categorize events as "unknown" if a match could not be found...\r
+my $sig_class_id=2; # We will try to fetch the correct class_id later.\r
+\r
+my($sig_class_name,$taillog);\r
+# ---------------------------------------------------------------------------\r
+# Arguments parsing\r
+# ---------------------------------------------------------------------------\r
+while (@ARGV){\r
+ $_= shift @ARGV;\r
+ if (m/^-d$|^--daemon$/){\r
+ $conf{daemonize}=1;\r
+ }elsif ( m/^-h$|^--help$/){\r
+ &help();\r
+ }elsif ( m/^-n$|^--noname$/){\r
+ $conf{'resolve'}=0;\r
+ }elsif ( m/^-v$|^--verbose$/){\r
+ $VERBOSE=1;\r
+ }elsif ( m/^--interface$/){\r
+ $conf{hids_interface}= shift @ARGV if @ARGV; # ossec-rt/ossec-feed\r
+ }elsif ( m/^--sensor$/){\r
+ $conf{sensor}= shift @ARGV if @ARGV; # monitor\r
+ }elsif ( m/^--conf$/){\r
+ $conf{conf}= shift @ARGV if @ARGV; # localhost\r
+ &loadconf(\%conf);\r
+ }elsif ( m/^--dbhost$/){\r
+ $conf{dbhost}= shift @ARGV if @ARGV; # localhost\r
+ }elsif ( m/^--dbport$/){\r
+ $conf{dbport}= shift @ARGV if @ARGV; # localhost\r
+ }elsif ( m/^--dbname$/){\r
+ $conf{database}= shift @ARGV if @ARGV; # snort\r
+ }elsif ( m/^--dbuser$/){\r
+ $conf{dbuser}= shift @ARGV if @ARGV; # root\r
+ }elsif ( m/^--dbpass$/){\r
+ $conf{dbpasswd}= shift @ARGV if @ARGV; # monitor\r
+ }\r
+\r
+}\r
+if ($conf{dbpasswd}=~ m/^--stdin$/){\r
+ print "dbpassword:";\r
+ $conf{dbpasswd}=<>;\r
+ chomp $conf{dbpasswd};\r
+}\r
+$hids=$conf{sensor} if exists($conf{sensor});\r
+$hids_interface=$conf{hids_interface} if exists($conf{hids_interface});\r
+\r
+# START IN DAEMON MODE ?\r
+&daemonize() if $conf{daemonize};\r
+\r
+my $dbi= ossecmysql->new(%conf) || die ("Could not connect to $conf{dbhost}:$conf{dbport}:$conf{database} as $conf{dbpasswd}\n");\r
+\r
+####\r
+# SQL vars;\r
+my ($query,$numrows,$row_ref);\r
+\r
+####\r
+#get sensor id\r
+$query= 'select sid,last_cid from sensor where hostname=? and interface=?';\r
+$numrows= $dbi->execute($query,$hids,$hids_interface);\r
+if (1==$numrows){\r
+ $row_ref=$dbi->{sth}->fetchrow_hashref;\r
+ $hids_id=$row_ref->{sid};\r
+ $last_cid=$row_ref->{last_cid};\r
+}else{\r
+ $query="INSERT INTO sensor ( sid , hostname , interface , filter , detail , encoding , last_cid )\r
+VALUES (\r
+NULL , ?, ? , NULL , ? , ?, ?\r
+)";\r
+ $numrows= $dbi->execute($query,$hids,$hids_interface,1,2,0);\r
+ $hids_id=$dbi->lastid();\r
+}\r
+$dbi->{sth}->finish;\r
+&forceprintlog ("SENSOR:$hids; feed:$hids_interface; id:$hids_id; last cid:$last_cid");\r
+\r
+my $newrecord=0;\r
+my %stats;\r
+my %resolv;\r
+my ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,\r
+ $srcip,$dstip,$user,$text,$filtered,$osseclevel)=();\r
+my $lasttimestamp=0;\r
+my $delta=0;\r
+\r
+&taillog($last_cid,$LOG);\r
+################################################################\r
+sub forceprintlog(){\r
+ $tempvar=$VERBOSE;\r
+ $VERBOSE=1;\r
+ &printlog (@_);\r
+ $VERBOSE=$tempvar;\r
+}\r
+\r
+sub taillog {\r
+ my ($last_cid,$LOG)=@_;\r
+ while (<>) {\r
+ if (m/^$/){\r
+ # we reached a newline, finish up with current record.\r
+ $newrecord=1;\r
+ next unless $timestamp;\r
+ $alerthostip=$alerthost if $alerthost=~ m/^$IP$/;\r
+ \r
+ # Populate DST IP\r
+ if ($alerthostip){\r
+ $dstip=$alerthostip;\r
+ $resolv{$alerthost}=$dstip;\r
+\r
+ }else{\r
+ if (exists $resolv{$alerthost}){\r
+ $dstip=$resolv{$alerthost};\r
+ }else{\r
+ if ($conf{'resolve'}){\r
+ if ($alerthost =~m/(\d+\.\d+\.\d+\.\d+)/ ){\r
+ $dstip=$1;\r
+ }else{\r
+ # the "host" command doesn't work with Flatname\NetBIOS names.\r
+ # The server's hostname is almost always a flatname and OSSEC\r
+ # doesn't return an IP for alerts generated from localhost.\r
+ # Ex. 2013 Jan 24 15:51:36 ubuntu->/var/log/auth.log \r
+ my $x = `cat /etc/hostname`; # get Host's hostname\r
+ chomp $x; # remove extra lines, if any.\r
+ if ($x eq $alerthost) { # Validate if $alerthost is us, localhost.\r
+ $dstip='127.0.0.1'; # Snorby does not allow empty\"0" as IP value.\r
+ }else{\r
+ my $fetch=&host2ip($alerthost);\r
+ \r
+ if (defined $fetch){\r
+ $dstip=$fetch;\r
+ }else{\r
+ $dstip=$srcip;\r
+ }\r
+ }\r
+ }\r
+ }\r
+ $resolv{$alerthost}=$dstip;\r
+ }\r
+ }\r
+ \r
+ #Populate SRC IP (requires dstip to be populated)\r
+ if (! defined $srcip) {\r
+ if (defined $dstip) {\r
+ #Feb 6 15:18:21 1.1.1.1 %ASA-3-313001: Denied ICMP type=3, code=3 from 111.111.1.1 on interface OUTSIDE\r
+ $filtered =~ s/$dstip//; # filter out known dstip from log output.\r
+ $srcip=$1 if $filtered=~ m/\s($IP)\s/; # Search all text for an IP address.\r
+ # This could easily bug out with logs that contains\r
+ # version numbering such as mysql 1.3.4.5.\r
+ }\r
+ # Windows logs include "User Name" in their log output. Some companies name their employees's PCs after its users which is\r
+ # resolvable via DNS.\r
+ # Windows logs may state a computer name as "User Name". Lets strip out the "$" from the computer name...\r
+ if (defined $user and ! defined $srcip) {\r
+ my $u=$user;\r
+ $u=~ s/\$//; # remove "$" from computer names.\r
+\r
+ my $fetch=&host2ip($u);\r
+ $srcip=$fetch if (defined $fetch);\r
+ }\r
+ if (! defined $srcip or $srcip eq '') {\r
+ # NO recognizable IPs or User Names were found on log output,\r
+ # this suggests the log was generated by dstip.\r
+ $srcip=$dstip; \r
+ }\r
+ }\r
+ #\r
+ $last_cid= &prepair2basedata(\r
+ $hids_id,\r
+ $last_cid,\r
+ $timestamp,\r
+ $sec,\r
+ $mail,\r
+ $date,\r
+ $alerthost,\r
+ $datasource,\r
+ $rule,\r
+ $level,\r
+ $description,\r
+ $srcip,\r
+ $dstip,\r
+ $user,\r
+ $text\r
+ );\r
+ ($timestamp,$sec,$mail,$date,$alerthost,$alerthostip,$datasource,$rule,$level,$description,\r
+ $srcip,$dstip,$user,$text)=();\r
+ next ;\r
+ }\r
+ if (m/^\*\* Alert ([0-9]+).([0-9]+):(.*)$/){\r
+ $timestamp=$1;\r
+ if ( $timestamp == $lasttimestamp){\r
+ $delta++;\r
+ }else{\r
+ $delta=0;\r
+ $lasttimestamp=$timestamp;\r
+ }\r
+ $sec=$2;\r
+ $mail=$3;\r
+ $mail=$mail ? $mail : 'nomail';\r
+#2006 Aug 29 17:19:52 firewall -> /var/log/messages\r
+#2006 Aug 30 11:52:14 192.168.0.45->/var/log/secure\r
+#2006 Sep 12 11:12:16 92382-Snort1 -> 172.16.176.132\r
+ }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+(\S+)\s*->(.*)$/){\r
+ $date=$1;\r
+ $alerthost=$2;\r
+ $datasource=$3;\r
+ if ($datasource=~ m/(\d+\.\d+\.\d+\.\d+)/){\r
+ $alerthost=$1;\r
+ $datasource="remoted";\r
+ }\r
+#2006 Aug 29 17:33:31 (recepcao) 10.0.3.154 -> syscheck\r
+ }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+\((.*?)\)\s+(\S+)\s*->(.*)$/){\r
+ $date=$1;\r
+ $alerthost=$2;\r
+ $alerthostip=$3;\r
+ $datasource=$4;\r
+ }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)$/){\r
+ $date=$1;\r
+ $alerthost='localhost';\r
+ $datasource=$2;\r
+ }elsif ( m/Rule: ([0-9]+) \(level ([0-9]+)\) -> \'(.*)\'$/ ){\r
+ $rule=$1;\r
+ $level=$2;\r
+ $osseclevel=$level; # Keep copy of OSSEC level as it will later be converted to snort level.\r
+ $description= $3;\r
+ }elsif ( m/src\s?ip:/i){\r
+ if ( m/($IP)/){\r
+ $srcip=$1;\r
+ }else{\r
+ $srcip='1'; # Snorby doesn't like srcip\dstip = 0\null.\r
+ }\r
+ }elsif ( m/User: (.*)$/){\r
+ $user=$1;\r
+ }elsif ( m/(.*)$/){\r
+ my $x=$1;\r
+ \r
+ # Get IP from User Name + DNS query.\r
+ if (! defined $user){\r
+ if ( m/User\s?Name:\s?(\S+)\s/i){\r
+ my $u=$1;\r
+ $user="$u";\r
+ }\r
+ }\r
+ $x =~ s/(.$)/$1\r\n/; # lets multiline this string for cleaner output once $payload wordwraps it.\r
+ $text .=$x;\r
+ \r
+ # This variable will be used to populate srcip once we reach the end of the current log entry.\r
+ $filtered=$text;\r
+ }\r
+ } # End of while read line\r
+}\r
+\r
+sub ossec_aton(){\r
+ my ($ip)=@_;\r
+ if ($ip=~ m/(\d+)\.(\d+)\.(\d+)\.(\d+)/){\r
+ my $num= ($1 * 256 ** 3) + ($2 * 256 ** 2)+ ($3 * 256 ** 1)+ ($4);\r
+\r
+ return "$num";\r
+ }else{\r
+ return "1"; # Snorby has a bug where it wont ouput "N\A" on the IP columns if srcip\dstip = 0\null\r
+ }\r
+\r
+}\r
+\r
+sub prepair2basedata(){\r
+ my (\r
+ $hids_id,\r
+ $last_cid,\r
+ $timestamp,\r
+ $sec,\r
+ $mail,\r
+ $date,\r
+ $alerthost,\r
+ $datasource,\r
+ $rule,\r
+ $level,\r
+ $description,\r
+ $srcip,\r
+ $dstip,\r
+ $user,\r
+ $text\r
+ )=@_;\r
+ my ($payload,$count,$query,$row_ref,$sig_id);\r
+ \r
+ \r
+###\r
+# Get sig_class_id\r
+#\r
+# Note: the original script stated sig_class_id as "1" by default which in BASE might be ok but for \r
+# snorby it maps to a category of "not-suspicious" which is not efficient when stats are ran based on\r
+# event categories alone...\r
+#\r
+# Furthermore, OSSEC allows a rule to have multiple categories assigned to it which snorby was not prepared to handle GUI\r
+# wize. (The event details contains a small section where the category value can be shown, this section is too small\r
+# to show OSSEC's sometimes long category results such as :\r
+# syslog,sshd,invalid_login,authentication_failed,)\r
+#\r
+# We will use the last category shown only...This isn't the correct approach but my programing skills prevent me\r
+# from providing a better solution.\r
+\r
+ # ex: - syslog,sshd,invalid_login,authentication_failed,\r
+ if ($mail=~ m/\.*\,?(\w+\_?\w+)\,?$/){ # $mail contains the rule's categories. No clue why its named $mail...\r
+ $sig_class_name=$1;\r
+ &printlog ("SIG_CLASS_NAME: $sig_class_name \n");\r
+ $query = "SELECT sig_class_id FROM category WHERE cat_name=?";\r
+ $dbi->execute($query,$sig_class_name);\r
+ $count=$dbi->{sth}->rows;\r
+ if ($count){\r
+ $row_ref=$dbi->{sth}->fetchrow_hashref;\r
+ $sig_class_id=$row_ref->{sig_class_id};\r
+ &printlog ("SIG_CLASS_ID: $sig_class_id");\r
+ }else{\r
+ &printlog ("SIG_CLASS_ID NOT FOUND. USING DEFAULT SIG.");\r
+ $sig_class_id=2;\r
+ }\r
+ }else{\r
+ &printlog ("COULD NOT GET A RULE CATEGORY. USING DEFAULT SIG.");\r
+ $sig_class_id=2;\r
+ }\r
+\r
+###\r
+#\r
+# Get/Set signature id\r
+\r
+ # Convert OSSEC Severity to Snort Severity.\r
+ # Dont modify this after having live data on Snorby as it will create duplicated\r
+ # sig_names.\r
+ $level=4 if ($level <= 4); # Informational only.\r
+ $level=3 if ($level == 5); # User generated errors \ low severity.\r
+ $level=2 if (($level >= 6) && ($level <=11)); # Low to mid severity attacks.\r
+ $level=1 if ($level >= 12); # High importance events \ Successfull attacks \ all our bases belong to them!\r
+\r
+ $query = "SELECT sig_id FROM signature where sig_name=? and sig_class_id=? and sig_priority=? and sig_rev=? and sig_sid=? and sig_gid is NULL";\r
+ $dbi->execute($query,$description,$sig_class_id,$level,0,$rule);\r
+ $count=$dbi->{sth}->rows;\r
+ if ($count){\r
+ $row_ref=$dbi->{sth}->fetchrow_hashref;\r
+ $sig_id=$row_ref->{sig_id};\r
+ &printlog ("REUSING SIGNATURE\n");\r
+ }else{\r
+ $query="INSERT INTO signature ( sig_id , sig_name , sig_class_id , sig_priority , sig_rev , sig_sid , sig_gid )\r
+VALUES (\r
+NULL ,?, ? , ? , ? , ?, NULL\r
+)";\r
+ $dbi->execute($query,$description,$sig_class_id,$level,0,$rule);\r
+ $sig_id = $dbi->lastid();\r
+ }\r
+ $dbi->{sth}->finish;\r
+ &printlog ("SIGNATURE: $sig_id\n");\r
+ \r
+ \r
+ ############################\r
+ ############################\r
+ #DEBUG\r
+ # &printlog ("filtered: $filtered \n");\r
+ # &printlog ("SRC IP: $srcip \n");\r
+ # &printlog ("DST IP: $dstip \n");\r
+ # &printlog ("mail: $mail \n");\r
+ # &printlog ("sig_class_name: $sig_class_name");\r
+ # &printlog ("date: $date \n");\r
+ # &printlog ("alerthost: $alerthost \n");\r
+ # &printlog ("rule: $rule \n");\r
+ # &printlog ("level: $level \n");\r
+ # &printlog ("OSSEC level: $osseclevel \n");\r
+ # &printlog ("USER: $user \n");\r
+ # &printlog ("text: $text \n");\r
+ # &printlog ("sec?: $sec \n");\r
+ # &printlog ("datasource: $datasource \n");\r
+ # &printlog ("description: $description \n");\r
+ # exit 1;\r
+ ############################\r
+ \r
+ \r
+#######\r
+#\r
+# Set event\r
+ $query="INSERT INTO event ( sid , cid , signature , timestamp )\r
+VALUES (\r
+? , ? , ? ,? \r
+)";\r
+ $last_cid++;\r
+ $dbi->execute($query,$hids_id,$last_cid,$sig_id,&fixdate2base($date));\r
+\r
+ &printlog ("EVENT: ($query,$hids_id,$last_cid,$sig_id,&fixdate2base($date)\n");\r
+ $dbi->{sth}->finish;\r
+#########\r
+#\r
+# Set iphdr\r
+\r
+ # And yet again,Snorby doesn't like empty IP fields; Validate if srcip or dstip are empty.\r
+ $srcip = "1" if !defined $srcip; # leaving the fields srcip / dstip with a value = 0\r
+ $dstip = "1" if !defined $dstip; # causes output to get messed up on the GUI. \r
+\r
+ $query=" INSERT INTO iphdr ( sid , cid , ip_src , ip_dst , ip_ver , ip_hlen , ip_tos , ip_len , ip_id , ip_flags , ip_off , ip_ttl , ip_proto , ip_csum )\r
+VALUES (\r
+? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?\r
+) ";\r
+ $dbi->execute($query,$hids_id,$last_cid,&ossec_aton($srcip),&ossec_aton($dstip),4,5,0,20,0,0,0,0,0,0);\r
+ &printlog ("iphdr: ($query,$hids_id,$last_cid,&ossec_aton($srcip),&ossec_aton($dstip),4,5,0,undef,undef,undef,undef,undef,undef,undef)\n");\r
+ $dbi->{sth}->finish;\r
+\r
+#########\r
+#\r
+#\r
+# Set data\r
+ $payload = "$date ($alerthost) $dstip->$datasource\r\nRule: $rule (OSSEC level $osseclevel) -> $description\r\n$text";\r
+ $payload =~ s/(.{1,109}\S|\S+)\s+/$1\r\n/mg; # Snorby does not wordwrap the payload, lets wrap the first 109 non-whitespace chars. \r
+ $payload = unpack("H*",$payload); # Convert to HEX\r
+\r
+ $query=" INSERT INTO data ( sid , cid , data_payload ) \r
+VALUES (\r
+?,?,?)";\r
+ $dbi->execute($query,$hids_id,$last_cid,$payload);\r
+ &printlog ("DATA: ($query,$hids_id,$last_cid,$payload)\n");\r
+ $dbi->{sth}->finish;\r
+##########\r
+#\r
+ $query="UPDATE sensor SET last_cid=? where sid=? limit 1";\r
+ $numrows= $dbi->execute($query,$last_cid,$hids_id);\r
+\r
+ $dbi->{sth}->finish;\r
+ return $last_cid;\r
+} # end sub\r
+\r
+sub host2ip {\r
+ # This sub requires argument 0 to be a named host. We also need to know\r
+ # the domain to which we belong to in order to append it to the host if\r
+ # its a flatname host.\r
+ my $host=$_[0];\r
+ my $domain=$conf{domain} if exists($conf{domain});\r
+ my $CMD;\r
+\r
+ # Validate if we were fed a flatnamed host or a FQDN.\r
+ if ($host =~ m/.*\..+/){\r
+ # FQDN\r
+ $CMD=`host $host 2>/dev/null | grep 'has address' `;\r
+ if ($CMD =~m/(\d+\.\d+\.\d+\.\d+)/ ){\r
+ return($1);\r
+ }else{\r
+ return undef; # return False.\r
+ }\r
+ \r
+ }else{\r
+ # FLATNAME\r
+ if (! defined $domain or $domain eq ''){\r
+ &printlog ('[WARNING]: domain value was not populated on ossec2snorby.conf." . \r
+ " DNS resolutions cannot be completed for NetBIOS\Flatname hosts.');\r
+ return undef;\r
+ }\r
+\r
+ # There is an extra "." after $domain, this is to ensure linux\r
+ # does not append "localdomain" at the end of the host.\r
+ $CMD=`host $host.$domain. 2>/dev/null | grep 'has address' `;\r
+ if ($CMD =~m/(\d+\.\d+\.\d+\.\d+)/ ){\r
+ return($1);\r
+ }else{\r
+ return undef; # return False.\r
+ }\r
+ }\r
+}\r
+\r
+sub fixdate2base(){\r
+ my ($date)=@_;\r
+ $date=~ s/ Jan /-01-/;\r
+ $date=~ s/ Feb /-02-/;\r
+ $date=~ s/ Mar /-03-/;\r
+ $date=~ s/ Apr /-04-/;\r
+ $date=~ s/ May /-05-/;\r
+ $date=~ s/ Jun /-06-/;\r
+ $date=~ s/ Jul /-07-/;\r
+ $date=~ s/ Aug /-08-/;\r
+ $date=~ s/ Sep /-09-/;\r
+ $date=~ s/ Oct /-10-/;\r
+ $date=~ s/ Nov /-11-/;\r
+ $date=~ s/ Dec /-12-/;\r
+ $date=~ s/\s$//g;\r
+ return $date;\r
+}\r
+sub version(){\r
+ print "OSSEC report tool $VERSION\n";\r
+ print "Licensed under GPL\n";\r
+ print "Contributor Meir Michanie\n";\r
+}\r
+\r
+sub help(){\r
+ &version();\r
+ print "This tool helps you import into base the alerts generated by ossec."\r
+ . " More info in the doc directory .\n";\r
+ print "Usage:\n";\r
+ print "$0 [-h|--help] # This text you read now\n";\r
+ print "Options:\n";\r
+ print "\t--dbhost <hostname>\n";\r
+ print "\t--dbname <database>\n";\r
+ print "\t--dbport <[0-9]+>\n";\r
+ print "\t--dbpass <dbpasswd>\n";\r
+ print "\t--dbuser <dbuser>\n";\r
+ print "\t-d|--daemonize\n";\r
+ print "\t-n|--noname\n";\r
+ print "\t-v|--verbose\n";\r
+ print "\t--conf <ossec2based-config>\n";\r
+ print "\t--sensor <sensor-name>\n";\r
+ print "\t--interface <ifname>\n";\r
+ \r
+ exit 0;\r
+}\r
+\r
+\r
+sub daemonize {\r
+ my $running = kill 0, `cat /var/run/ossec2base2.pid`;\r
+ if ($running){\r
+ print "OSSEC2SNORBY is already running...\n";\r
+ exit 1;\r
+ }\r
+\r
+ chdir '/' or die "Can't chdir to /: $!";\r
+ \r
+ open STDOUT, ">>$DAEMONLOGFILE"\r
+ or die "Can't write to $DAEMONLOGFILE: $!";\r
+\r
+ # I may be mistaken but the original script didn't seem to actually\r
+ # tail the logs. It would run until it hit EOF and then exit script.\r
+ $taillog= open STDIN,"-|", "/usr/bin/tail", "-Fn 0", "$LOG";\r
+ if ($taillog){\r
+ &forceprintlog ("Daemon started TAIL PID: $taillog");\r
+ &forceprintlog ("NOW MONITORING: $LOG");\r
+ }else{\r
+ &forceprintlog ("Could not start daemon on $LOG: $!");\r
+ exit 1;\r
+ }\r
+\r
+ defined(my $pid = fork) or die "Can't fork: $!";\r
+ if ($pid){\r
+ open (PIDFILE , ">/var/run/ossec2snorby.pid") ;\r
+ print PIDFILE "$pid\n";\r
+ close (PIDFILE);\r
+ exit 0;\r
+ }\r
+ setsid or die "Can't start a new session: $!";\r
+ open STDERR, ">>$DAEMONLOGERRORFILE" or die "Can't write to $DAEMONLOGERRORFILE: $!";\r
+}\r
+\r
+sub gracefulend(){\r
+ my ($signal)=@_;\r
+ &forceprintlog ("Terminating upon signal $signal");\r
+ &forceprintlog ("Daemon halted");\r
+ # This might be paranoid or simply useless but better safe than sorry.\r
+ close STDOUT or die "WARNING: Closing STDOUT failed.";\r
+ close STDERR or die "WARNING: Closing STDERR failed.";\r
+ kill 3, $taillog or die "WARNING: Closing $taillog failed.";\r
+ close STDIN or die "WARNING: Closing STDIN failed.";\r
+ exit 0;\r
+}\r
+\r
+sub printlog(){\r
+ return unless $VERBOSE;\r
+ my (@lines)=@_;\r
+ foreach my $line(@lines){\r
+ chomp $line;\r
+ my ($date)=scalar localtime;\r
+ $date=~ s/^\S+\s+(\S+.*\s[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}).*$/$1/;\r
+ print "$date $LOGGER: $line\n";\r
+ }\r
+ }\r
+\r
+\r
+sub loadconf(){\r
+ my ($hash_ref)=@_;\r
+ my $conf=$hash_ref->{conf};\r
+ unless (-f $conf) { &printlog ("ERROR: I can't find config file $conf"); exit 1;}\r
+ unless (open ( CONF , "$conf")){ &printlog ("ERROR: I can't open file $conf");exit 1;}\r
+ while (<CONF>){\r
+ next if m/^$|^#/;\r
+ if ( m/^(\S+)\s?=\s?(.*?)$/) {\r
+ $hash_ref->{$1} = $2;\r
+ }\r
+ }\r
+ close CONF;\r
+}\r