-/* @(#) $Id: ./src/analysisd/decoders/plugins/sonicwall_decoder.c, 2011/09/08 dcid Exp $
- */
-
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*
* and/or modify it under the terms of the GNU General Public
* License (version 2) as published by the FSF - Free Software
* Foundation.
- *
- * License details at the LICENSE file included with OSSEC or
- * online at: http://www.ossec.net/en/licensing.html
*/
+#include "../plugin_decoders.h"
#include "shared.h"
#include "eventinfo.h"
-
/* Regex to extract the priority and event id */
#define SONICWALL_REGID "pri=(\\d) c=(\\d+) m=(\\d+) "
/* Regex for the web proxy messages */
#define SONICWALL_PROXY "result=(\\d+) dstname=(\\S+) arg=(\\S+)$"
-
-
-/** Global variables -- not thread safe. If we ever multi thread
+/* Global variables -- not thread safe. If we ever multi thread
* analysisd, these will need to be changed.
*/
-OSRegex *__sonic_regex_prid = NULL;
-OSRegex *__sonic_regex_sdip = NULL;
-OSRegex *__sonic_regex_prox = NULL;
-
+static OSRegex *__sonic_regex_prid = NULL;
+static OSRegex *__sonic_regex_sdip = NULL;
+static OSRegex *__sonic_regex_prox = NULL;
-/* SonicWall decoder init */
void *SonicWall_Decoder_Init()
{
debug1("%s: Initializing SonicWall decoder..", ARGV0);
-
- /* Allocating memory */
+ /* Allocate memory */
os_calloc(1, sizeof(OSRegex), __sonic_regex_sdip);
os_calloc(1, sizeof(OSRegex), __sonic_regex_prid);
os_calloc(1, sizeof(OSRegex), __sonic_regex_prox);
- /* Compiling our regexes */
- if(!OSRegex_Compile(SONICWALL_REGEX, __sonic_regex_sdip, OS_RETURN_SUBSTRING))
- {
+ /* Compile our regexes */
+ if (!OSRegex_Compile(SONICWALL_REGEX, __sonic_regex_sdip, OS_RETURN_SUBSTRING)) {
merror(REGEX_COMPILE, ARGV0, SONICWALL_REGEX, __sonic_regex_sdip->error);
- return(0);
+ return (0);
}
- if(!OSRegex_Compile(SONICWALL_REGID, __sonic_regex_prid, OS_RETURN_SUBSTRING))
- {
+ if (!OSRegex_Compile(SONICWALL_REGID, __sonic_regex_prid, OS_RETURN_SUBSTRING)) {
merror(REGEX_COMPILE, ARGV0, SONICWALL_REGID, __sonic_regex_prid->error);
- return(0);
+ return (0);
}
- if(!OSRegex_Compile(SONICWALL_PROXY, __sonic_regex_prox, OS_RETURN_SUBSTRING))
- {
+ if (!OSRegex_Compile(SONICWALL_PROXY, __sonic_regex_prox, OS_RETURN_SUBSTRING)) {
merror(REGEX_COMPILE, ARGV0, SONICWALL_PROXY, __sonic_regex_prox->error);
- return(0);
+ return (0);
}
/* We must have the sub_strings to retrieve the nodes */
- if(!__sonic_regex_sdip->sub_strings)
- {
+ if (!__sonic_regex_sdip->sub_strings) {
merror(REGEX_SUBS, ARGV0, SONICWALL_REGEX);
- return(0);
+ return (0);
}
- if(!__sonic_regex_prid->sub_strings)
- {
+ if (!__sonic_regex_prid->sub_strings) {
merror(REGEX_SUBS, ARGV0, SONICWALL_REGID);
- return(0);
+ return (0);
}
- if(!__sonic_regex_prox->sub_strings)
- {
+ if (!__sonic_regex_prox->sub_strings) {
merror(REGEX_SUBS, ARGV0, SONICWALL_PROXY);
- return(0);
+ return (0);
}
/* There is nothing else to do over here */
- return(NULL);
+ return (NULL);
}
-
-
/* SonicWall decoder
* Will extract the id, severity, action, srcip, dstip, protocol,srcport,dstport
* severity will be extracted as status.
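Review bot: The reformatted error paths in SonicWall_Decoder_Init still `return (0)` while the success path returns `(NULL)`; for a `void *` function both are the same null pointer, so a caller cannot distinguish a failed regex compile from a successful init unless it relies on the merror() output alone, which is worth confirming against whatever calls the init function. Since the commit already touches each of these lines, this is the moment either to make the failure result distinguishable or to document that the return value carries no information, e.g. with a header comment `/* Returns NULL in all cases; compile failures are reported only through merror(). */`. The three OSRegex objects allocated with os_calloc are also not released on the early-return paths, which is tolerable for a once-per-process init but deserves a one-line comment saying so. The `__sonic_regex_*` identifiers begin with a double underscore, which C reserves for the implementation; making them `static` is an improvement, but renaming them (for example `sonic_regex_prid`) would get out of the reserved namespace.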
char category[8];
const char *tmp_str = NULL;
-
- /* Zeroing category */
+ /* Zero category */
category[0] = '\0';
lf->decoder_info->type = SYSLOG;
-
-
- /** We first run our regex to extract the severity, cat and id. **/
- if(!(tmp_str = OSRegex_Execute(lf->log, __sonic_regex_prid)))
- {
- return(NULL);
+ /* First run regex to extract the severity, cat and id */
+ if (!(tmp_str = OSRegex_Execute(lf->log, __sonic_regex_prid))) {
+ return (NULL);
}
- /* Getting severity, id and category */
- if(__sonic_regex_prid->sub_strings[0] &&
- __sonic_regex_prid->sub_strings[1] &&
- __sonic_regex_prid->sub_strings[2])
- {
+ /* Get severity, id and category */
+ if (__sonic_regex_prid->sub_strings[0] &&
+ __sonic_regex_prid->sub_strings[1] &&
+ __sonic_regex_prid->sub_strings[2]) {
lf->status = __sonic_regex_prid->sub_strings[0];
lf->id = __sonic_regex_prid->sub_strings[2];
-
- /* Getting category */
+ /* Get category */
strncpy(category, __sonic_regex_prid->sub_strings[1], 7);
-
- /* Clearing all substrings */
+ /* Clear all substrings */
__sonic_regex_prid->sub_strings[0] = NULL;
__sonic_regex_prid->sub_strings[2] = NULL;
free(__sonic_regex_prid->sub_strings[1]);
__sonic_regex_prid->sub_strings[1] = NULL;
- }
- else
- {
+ } else {
i = 0;
- while(__sonic_regex_prid->sub_strings[i])
- {
+ while (__sonic_regex_prid->sub_strings[i]) {
free(__sonic_regex_prid->sub_strings[i]);
__sonic_regex_prid->sub_strings[i] = NULL;
i++;
}
- return(NULL);
+ return (NULL);
}
-
-
-
- /** Getting ips and ports **/
- if(!(tmp_str = OSRegex_Execute(tmp_str, __sonic_regex_sdip)))
- {
- return(NULL);
+ /* Get ips and ports */
+ if (!(tmp_str = OSRegex_Execute(tmp_str, __sonic_regex_sdip))) {
+ return (NULL);
}
- if(__sonic_regex_sdip->sub_strings[0] &&
- __sonic_regex_sdip->sub_strings[1] &&
- __sonic_regex_sdip->sub_strings[2] &&
- __sonic_regex_sdip->sub_strings[3])
- {
- /* Setting all the values */
+ if (__sonic_regex_sdip->sub_strings[0] &&
+ __sonic_regex_sdip->sub_strings[1] &&
+ __sonic_regex_sdip->sub_strings[2] &&
+ __sonic_regex_sdip->sub_strings[3]) {
+ /* Set all the values */
lf->srcip = __sonic_regex_sdip->sub_strings[0];
lf->srcport = __sonic_regex_sdip->sub_strings[1];
lf->dstip = __sonic_regex_sdip->sub_strings[2];
lf->dstport = __sonic_regex_sdip->sub_strings[3];
-
- /* Clearing substrings */
+ /* Clear substrings */
__sonic_regex_sdip->sub_strings[0] = NULL;
__sonic_regex_sdip->sub_strings[1] = NULL;
__sonic_regex_sdip->sub_strings[2] = NULL;
__sonic_regex_sdip->sub_strings[3] = NULL;
-
- /* Looking for protocol */
+ /* Look for protocol */
tmp_str = strchr(tmp_str, ' ');
- if(tmp_str)
- {
+ if (tmp_str) {
tmp_str++;
- if(strncmp(tmp_str, "proto=", 6) == 0)
- {
+ if (strncmp(tmp_str, "proto=", 6) == 0) {
char *proto = NULL;
i = 0;
tmp_str += 6;
-
- /* Allocating memory for the protocol */
+ /* Allocate memory for the protocol */
os_calloc(8, sizeof(char), proto);
- while(isValidChar(*tmp_str) && (*tmp_str != '/'))
- {
+ while (isValidChar(*tmp_str) && (*tmp_str != '/')) {
proto[i] = *tmp_str;
i++;
tmp_str++;
- if(i >= 6)
- {
+ if (i >= 6) {
break;
}
}
- /* Setting protocol to event info structure */
+ /* Set protocol to event info structure */
lf->protocol = proto;
}
}
- }
- else
- {
+ } else {
i = 0;
- while(__sonic_regex_sdip->sub_strings[i])
- {
+ while (__sonic_regex_sdip->sub_strings[i]) {
free(__sonic_regex_sdip->sub_strings[i]);
__sonic_regex_sdip->sub_strings[i] = 0;
i++;
}
- return(NULL);
+ return (NULL);
}
-
-
-
- /** Setting the category/action based on the id. **/
+ /* Set the category/action based on the id */
/* IDS event */
- if(strcmp(category, "32") == 0)
- {
+ if (strcmp(category, "32") == 0) {
lf->decoder_info->type = IDS;
}
/* Firewall connection opened */
- else if((strcmp(lf->id, "98") == 0) ||
- (strcmp(lf->id, "597") == 0) ||
- (strcmp(lf->id, "598") == 0))
- {
+ else if ((strcmp(lf->id, "98") == 0) ||
+ (strcmp(lf->id, "597") == 0) ||
+ (strcmp(lf->id, "598") == 0)) {
lf->decoder_info->type = FIREWALL;
os_strdup("pass", lf->action);
}
/* Firewall connection dropped */
- else if((strcmp(lf->id, "38") == 0) ||
- (strcmp(lf->id, "36") == 0) ||
- (strcmp(lf->id, "173") == 0) ||
- (strcmp(lf->id, "174") == 0) ||
- (strcmp(lf->id, "37") == 0))
- {
+ else if ((strcmp(lf->id, "38") == 0) ||
+ (strcmp(lf->id, "36") == 0) ||
+ (strcmp(lf->id, "173") == 0) ||
+ (strcmp(lf->id, "174") == 0) ||
+ (strcmp(lf->id, "37") == 0)) {
lf->decoder_info->type = FIREWALL;
os_strdup("drop", lf->action);
}
/* Firewall connection closed */
- else if(strcmp(lf->id, "537") == 0)
- {
+ else if (strcmp(lf->id, "537") == 0) {
lf->decoder_info->type = FIREWALL;
os_strdup("close", lf->action);
}
/* Proxy msg */
- else if(strcmp(lf->id, "97") == 0)
- {
+ else if (strcmp(lf->id, "97") == 0) {
lf->decoder_info->type = SQUID;
-
- /* Checking if tmp_str is valid */
- if(!tmp_str)
- {
- return(NULL);
+ /* Check if tmp_str is valid */
+ if (!tmp_str) {
+ return (NULL);
}
-
- /* We first run our regex to extract the severity and id. */
- if(!OSRegex_Execute(tmp_str, __sonic_regex_prox))
- {
- return(NULL);
+ /* First run regex to extract the severity and id */
+ if (!OSRegex_Execute(tmp_str, __sonic_regex_prox)) {
+ return (NULL);
}
-
- /* Getting HTTP responde code as id */
- if(__sonic_regex_prox->sub_strings[0])
- {
+ /* Get HTTP responde code as id */
+ if (__sonic_regex_prox->sub_strings[0]) {
free(lf->id);
lf->id = __sonic_regex_prox->sub_strings[0];
__sonic_regex_prox->sub_strings[0] = NULL;
- }
- else
- {
- return(NULL);
+ } else {
+ return (NULL);
}
-
- /* Getting HTTP page */
- if(__sonic_regex_prox->sub_strings[1] &&
- __sonic_regex_prox->sub_strings[2])
- {
+ /* Get HTTP page */
+ if (__sonic_regex_prox->sub_strings[1] &&
+ __sonic_regex_prox->sub_strings[2]) {
char *final_url;
- int url_size = strlen(__sonic_regex_prox->sub_strings[1]) +
+ size_t url_size = strlen(__sonic_regex_prox->sub_strings[1]) +
strlen(__sonic_regex_prox->sub_strings[2]) + 2;
- os_calloc(url_size +1, sizeof(char), final_url);
+ os_calloc(url_size + 1, sizeof(char), final_url);
snprintf(final_url, url_size, "%s%s",
- __sonic_regex_prox->sub_strings[1],
- __sonic_regex_prox->sub_strings[2]);
+ __sonic_regex_prox->sub_strings[1],
+ __sonic_regex_prox->sub_strings[2]);
- /* Clearing the memory */
+ /* Clear memory */
free(__sonic_regex_prox->sub_strings[1]);
free(__sonic_regex_prox->sub_strings[2]);
__sonic_regex_prox->sub_strings[1] = NULL;
__sonic_regex_prox->sub_strings[2] = NULL;
-
- /* Setting the url */
+ /* Set the URL */
lf->url = final_url;
- }
- else
- {
+ } else {
merror("%s: Error getting regex - SonicWall." , ARGV0);
}
- return(NULL);
+ return (NULL);
}
-
- return(NULL);
+ return (NULL);
}
-/* END Decoder */
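Review bot: `strncpy(category, __sonic_regex_prid->sub_strings[1], 7);` can leave `category` unterminated: only `category[0]` is zeroed beforehand, the array is 8 bytes, and the `c=(\d+)` capture is unbounded, so a category value of seven or more digits fills `category[0..6]` and leaves `category[7]` uninitialized, which `strcmp(category, "32")` further down then reads through. Replace the copy with `snprintf(category, sizeof category, "%s", __sonic_regex_prid->sub_strings[1]);`, which always terminates and truncates silently, matching the evident intent of the 7-character limit. The enclosing function SonicWall_Decoder_Exec starts outside the hunk, so whether `category` could be initialized as `{0}` at its declaration is not visible here. A smaller nit in the same hunk: the comment `/* Get HTTP responde code as id */` should read `response`.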