-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/cleanevent.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-
+
/* OS_CleanMSG v0.3: 2006/03/04
- * Format a received message in the
+ * Format a received message in the
* Eventinfo structure.
*/
int OS_CleanMSG(char *msg, Eventinfo *lf)
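Review bot: The `$Id` header at the top of the file is the only non-whitespace change visible on this page, and it swaps the expandable keyword for a fixed path, date and author that will go stale unless the VCS rewrites it on checkout, which cannot be told from here. If expansion is not automatic, keeping `/* @(#) $Id$ */` is the safer form. Either way the header change is better landed on its own, so the rest of the commit can be confirmed as whitespace-only with a whitespace-ignoring diff; that matters for a routine that parses received log messages. The function comment just below still reads `OS_CleanMSG v0.3: 2006/03/04`, which now disagrees with the 2011 file stamp and should be updated or dropped.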
merror(FORMAT_ERROR, ARGV0);
return(-1);
}
-
+
*pieces = '\0';
- pieces++;
-
-
+ pieces++;
+
+
os_strdup(msg, lf->location);
-
-
+
+
/* Getting the log length */
loglen = strlen(pieces) + 1;
-
-
+
+
/* Assigning the values in the strucuture (lf->full_log) */
os_malloc((2*loglen) +1, lf->full_log);
-
-
- /* Setting the whole message at full_log */
+
+
+ /* Setting the whole message at full_log */
strncpy(lf->full_log, pieces, loglen);
lf->log = lf->full_log+loglen;
strncpy(lf->log, pieces, loglen);
-
-
- /* Checking for the syslog date format.
- * ( ex: Dec 29 10:00:01
+
+
+ /* Checking for the syslog date format.
+ * ( ex: Dec 29 10:00:01
* or 2007-06-14T15:48:55-04:00 for syslog-ng isodate
* or 2009-05-22T09:36:46.214994-07:00 for rsyslog )
*/
if(
(
- (loglen > 17) &&
- (pieces[3] == ' ') &&
- (pieces[6] == ' ') &&
- (pieces[9] == ':') &&
- (pieces[12] == ':') &&
+ (loglen > 17) &&
+ (pieces[3] == ' ') &&
+ (pieces[6] == ' ') &&
+ (pieces[9] == ':') &&
+ (pieces[12] == ':') &&
(pieces[15] == ' ') && (lf->log+=16)
- )
+ )
||
(
(loglen > 33) &&
(pieces[10] == 'T') &&
(pieces[13] == ':') &&
(pieces[16] == ':') &&
-
+
(
((pieces[22] == ':') &&
(pieces[25] == ' ') && (lf->log+=26)) ||
((pieces[19] == '.') &&
(pieces[29] == ':') && (lf->log+=32))
)
-
+
)
- )
+ )
{
/* Checking for an extra space in here */
if(*lf->log == ' ')
/* Hostname */
pieces = lf->hostname = lf->log;
-
-
+
+
/* Checking for a valid hostname */
while(isValidChar(*pieces) == 1)
{
pieces++;
}
-
-
+
+
/* Checking if it is a syslog without hostname (common on Solaris. */
if(*pieces == ':' && pieces[1] == ' ')
{
lf->log = pieces;
}
-
- /* Extracting the hostname */
+
+ /* Extracting the hostname */
else if(*pieces != ' ')
{
/* Invalid hostname */
/* Extracting program_name */
- /* Valid names:
- * p_name:
+ /* Valid names:
+ * p_name:
* p_name[pid]:
* p_name[pid]: [ID xx facility.severity]
* auth|security:info p_name:
- *
- */
+ *
+ */
while(isValidChar(*pieces) == 1)
{
pieces++;
*pieces = '\0';
pieces+=2;
}
-
+
/* Checking for the second format: p_name[pid]: */
else if((*pieces == '[') && (isdigit((int)pieces[1])))
{
pieces++;
while(isalnum((int)*pieces))
pieces++;
-
+
if(*pieces == ' ')
{
pieces++;
lf->program_name = NULL;
}
}
-
-
+
+
/* Removing [ID xx facility.severity] */
if(pieces)
{
/* Setting log after program name */
lf->log = pieces;
- if((pieces[0] == '[') &&
+ if((pieces[0] == '[') &&
(pieces[1] == 'I') &&
(pieces[2] == 'D') &&
(pieces[3] == ' '))
lf->p_name_size = strlen(lf->program_name);
}
}
-
- /* xferlog date format
+
+ /* xferlog date format
* Mon Apr 17 18:27:14 2006 1 64.160.42.130
*/
else if((loglen > 28) &&
/* Moving log to the beginning of the message */
lf->log+=24;
}
-
+
/* Checking for snort date format
- * ex: 01/28-09:13:16.240702 [**]
- */
- else if( (loglen > 24) &&
- (pieces[2] == '/') &&
+ * ex: 01/28-09:13:16.240702 [**]
+ */
+ else if( (loglen > 24) &&
+ (pieces[2] == '/') &&
(pieces[5] == '-') &&
- (pieces[8] == ':') &&
+ (pieces[8] == ':') &&
(pieces[11]== ':') &&
- (pieces[14]== '.') &&
+ (pieces[14]== '.') &&
(pieces[21] == ' ') )
{
lf->log+=23;
/* Checking for apache log format */
/* [Fri Feb 11 18:06:35 2004] [warn] */
- else if( (loglen > 27) &&
- (pieces[0] == '[') &&
+ else if( (loglen > 27) &&
+ (pieces[0] == '[') &&
(pieces[4] == ' ') &&
- (pieces[8] == ' ') &&
+ (pieces[8] == ' ') &&
(pieces[11]== ' ') &&
- (pieces[14]== ':') &&
+ (pieces[14]== ':') &&
(pieces[17]== ':') &&
- (pieces[20]== ' ') &&
+ (pieces[20]== ' ') &&
(pieces[25]== ']') )
{
lf->log+=27;
}
-
+
/* Checking for the osx asl log format.
* Examples:
* [Time 2006.12.28 15:53:55 UTC] [Facility auth] [Sender sshd] [PID 483] [Message error: PAM: Authentication failure for username from 192.168.0.2] [Level 3] [UID -2] [GID -2] [Host Hostname]
{
/* Do not read more than 1 message entry -> log tampering */
short unsigned int done_message = 0;
-
-
+
+
/* Removing the date */
lf->log+=25;
if(pieces)
{
*pieces = '\0';
-
+
/* Setting program_name size */
lf->p_name_size = strlen(lf->program_name);
-
+
pieces++;
}
/* Invalid program name */
break;
}
}
-
+
/* Getting message */
else if((strncmp(pieces, "Message ", 8) == 0) &&
(done_message == 0))
{
pieces+=8;
done_message = 1;
-
+
lf->log = pieces;
/* Getting the closing brackets */
*pieces = '\0';
pieces++;
}
-
+
/* Invalid hostname */
else
{
pieces = strchr(pieces, '[');
}
}
-
+
/* Checking for squid date format
* 1140804070.368 11623
* seconds from 00:00:00 1970-01-01 UTC
*/
- else if((loglen > 32) &&
+ else if((loglen > 32) &&
(pieces[0] == '1') &&
(pieces[10] == '.') &&
(pieces[14] == ' ') &&
}
- /* Every message must be in the format
+ /* Every message must be in the format
* hostname->location or
* (agent) ip->location.
*/
lf->hostname = __shost;
}
-
+
/* Setting up the event data */
lf->time = c_time;
p = localtime(&c_time);
-
+
/* Assign hour, day, year and month values */
lf->day = p->tm_mday;
lf->year = p->tm_year+1900;
p->tm_hour,
p->tm_min,
p->tm_sec);
-
+
/* Setting the global hour/weekday */
__crt_hour = p->tm_hour;
- __crt_wday = p->tm_wday;
-
-
+ __crt_wday = p->tm_wday;
+
+
#ifdef TESTRULE
if(!alert_only)