novi upstream verzije 2.8.3
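--- a/src/analysisd/decoders/plugins/ossecalert_decoder.c
+++ b/src/analysisd/decoders/plugins/ossecalert_decoder.c
@@ -1,14 +1,15 @@
-/* @(#) $Id: ossecalert_decoder.c,v 1.3 2009/06/24 17:06:24 dcid Exp $ */
+/* @(#) $Id: ./src/analysisd/decoders/plugins/ossecalert_decoder.c, 2012/03/28 dcid Exp $
+ */
 /* Copyright (C) 2009 Trend Micro Inc.
 * All rights reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
 * Foundation.
 *
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
 * online at: http://www.ossec.net/en/licensing.html
 */
@@ -34,18 +35,19 @@ void *OSSECAlert_Decoder_Init()
 #define oa_strchr(x,y,z) z = strchr(x,y); if(!z){ return(NULL); }
-/* OSSECAlert decoder
+/* OSSECAlert decoder
 * Will extract the rule_id and point back to the original rule.
 * Will also extract srcip and username if available.
 * Examples:
- *
- */
+ *
+ */
 void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
 {
 char *oa_id = 0;
 char *oa_location;
 char *oa_val;
 char oa_newlocation[256];
+ char tmpstr_buffer[4096 + 1];
 char *tmp_str = NULL;
 void *rule_pointer;
@@ -54,12 +56,13 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
 /* Checking the alert level. */
- if(strncmp("Alert Level: ", lf->log, 12) != 0)
+ if(strncmp("Alert Level: ", lf->log, 12) != 0 &&
+ strncmp("ossec: Alert Level:", lf->log, 18) != 0)
 {
 return(NULL);
 }
-
+
 /* Going past the level. */
 oa_strchr(lf->log, ';', tmp_str);
 tmp_str++;
@@ -71,10 +74,10 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
 if(*tmp_str != ' ')
 {
 return(NULL);
- }
+ }
 tmp_str++;
-
+
 /* Getting id. */
 oa_id = tmp_str;
 oa_strchr(tmp_str, ' ', tmp_str);
@@ -104,7 +107,7 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
 /* Setting location; */
 oa_location = tmp_str;
-
+
 oa_strchr(tmp_str, ';', tmp_str);
 *tmp_str = '\0';
@@ -122,7 +125,7 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
 }
 else
 {
- snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
+ snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname,
 lf->location, oa_location);
 free(lf->location);
 os_strdup(oa_newlocation, lf->location);
@@ -132,7 +135,7 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
 *tmp_str = ';';
 tmp_str++;
-
+
 /* Getting additional fields. */
 while((*tmp_str == ' ') && (tmp_str[1] != ' '))
 {
@@ -158,18 +161,24 @@ void *OSSECAlert_Decoder_Exec(Eventinfo *lf)
 *tmp_str = ';';
 tmp_str++;
 }
-
+
 /* Removing space. */
 while(*tmp_str == ' ')
 tmp_str++;
-
-
- /* Creating new full log. */
+
+ /* Create new full log */
+ tmpstr_buffer[0] = '\0';
+ tmpstr_buffer[4095] = '\0';
+ strncpy(tmpstr_buffer, tmp_str, 4094);
+
+
 free(lf->full_log);
- os_strdup(tmp_str, lf->full_log);
+ lf->full_log = NULL;
+ os_strdup(tmpstr_buffer, lf->full_log);
+
 lf->log = lf->full_log;
-
+
 /* Rule that generated. */
 lf->generated_rule = rule_pointer;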
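Review bot: The bounded copy in the last hunk has an off-by-one between the copy length and the terminator: `strncpy(tmpstr_buffer, tmp_str, 4094)` writes at most indices 0..4093 and adds no NUL when `tmp_str` is 4094 bytes or longer, while the terminator is placed at index 4095, so index 4094 stays an unwritten stack byte that `os_strdup` then copies into `lf->full_log`. The string is still terminated, so there is no overflow, but one byte of uninitialized stack content can end up in the stored alert text. A single call both bounds and terminates and makes the two pre-terminations unnecessary: `snprintf(tmpstr_buffer, sizeof tmpstr_buffer, "%s", tmp_str);`. Note also that the copy truncates silently, so an alert longer than the buffer reaches later rules with its tail dropped from `full_log`; if that is intended, a short comment on the truncation would help. `OSSECAlert_Decoder_Exec` begins and ends outside this hunk.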