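/*
 * Make sure the analyzer of @client appears in an IDMEF analyzer list.
 *
 * @client: client whose analyzer (and configured analyzerid) is wanted.
 * @top:    opaque list owner, handed through unchanged to @geta / @insa.
 * @geta:   iterator: returns the entry after @analyzer (the first entry
 *          when @analyzer is NULL), NULL once the list is exhausted.
 * @insa:   inserts @analyzer into @top at list position @pos.
 *
 * Returns 0 when an entry already carries the analyzerid from the client
 * profile; otherwise prepends a new reference to the client analyzer and
 * returns whatever @insa returns.
 */
static int add_analyzer(prelude_client_t *client, void *top,
                        void *(*geta)(void *top, idmef_analyzer_t *analyzer),
                        int (*insa)(void *top, idmef_analyzer_t *analyzer, int pos))
{
        prelude_string_t *str;
        const char *id_str;
        char *end;
        uint64_t wanted_analyzerid, analyzerid;
        idmef_analyzer_t *analyzer = NULL, *canalyzer;

        canalyzer = prelude_client_get_analyzer(client);
        wanted_analyzerid = prelude_client_profile_get_analyzerid(prelude_client_get_profile(client));

        /*
         * NOTE(review): hitting the client's own analyzer object ends the
         * scan and still falls through to the prepend below — kept as is,
         * confirm that this is the intended behaviour.
         */
        while ( (analyzer = geta(top, analyzer)) && analyzer != canalyzer ) {
                str = idmef_analyzer_get_analyzerid(analyzer);
                if ( ! str )
                        continue;

                id_str = prelude_string_get_string(str);
                if ( ! id_str )
                        continue;

                /*
                 * strtoull() silently yields 0 (or ULLONG_MAX on overflow)
                 * for malformed input; only an entry whose whole analyzerid
                 * is a valid decimal number may count as a match.
                 */
                errno = 0;
                analyzerid = strtoull(id_str, &end, 10);
                if ( end == id_str || *end != '\0' || errno == ERANGE )
                        continue;

                if ( analyzerid == wanted_analyzerid )
                        return 0;
        }

        /* canalyzer is the same object fetched above; take a new reference for the list. */
        return insa(top, idmef_analyzer_ref(canalyzer), IDMEF_LIST_PREPEND);
}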
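/* Map the first character of an OSSEC action string to the verdict prefix
 * used in the IDMEF action description; "" when the action is unknown. */
static const char *prelude_action_prefix(char first)
{
    switch (first) {
        /* discard, drop, deny, reject, block */
        case 'd': case 'D':
        case 'r': case 'R':
        case 'b': case 'B':
            return "DROP: ";
        /* closed, teardown */
        case 'c': case 'C':
        case 't': case 'T':
            return "CLOSED: ";
        /* allow, accept, pass/permitted, open */
        case 'a': case 'A':
        case 'p': case 'P':
        case 'o': case 'O':
            return "ALLOW: ";
        default:
            return "";
    }
}

/* IDMEF reference origin for a rule detail that is neither a link nor free text. */
static const char *prelude_detail_origin(int type)
{
    switch (type) {
        case RULEINFODETAIL_CVE:
            return "cve";
        case RULEINFODETAIL_OSVDB:
            return "osvdb";
        case RULEINFODETAIL_BUGTRACK:
            return "bugtraqid";
        default:
            return "vendor-specific";
    }
}

/* Set alert.classification.reference(index).field to value on idmef.
 * The path is built in a local buffer so callers never share scratch space. */
static void prelude_add_reference(idmef_message_t *idmef, int index,
                                  const char *field, const char *value)
{
    char section[128];

    snprintf(section, sizeof section, "alert.classification.reference(%d).%s",
             index, field);
    add_idmef_object(idmef, section, value);
}

/* Emit the classification block: rule text, CVE / sid / extended-detail
 * references and one wiki reference per rule group.  Every emitted
 * reference gets its own index so none overwrites an earlier one. */
static void prelude_add_classification(idmef_message_t *idmef, Eventinfo *lf)
{
    int idx = 0;
    char data[256];
    const RuleInfoDetail *detail;

    add_idmef_object(idmef, "alert.classification.text",
                     lf->generated_rule->comment);

    /* CVE (http://www.cve.mitre.org/) carried by the triggering rule, if any */
    if (lf->generated_rule->cve) {
        prelude_add_reference(idmef, idx, "origin", "cve");
        prelude_add_reference(idmef, idx, "name", lf->generated_rule->cve);
        snprintf(data, sizeof data, "CVE:%s", lf->generated_rule->cve);
        prelude_add_reference(idmef, idx, "meaning", data);
        idx++;
    }

    /* Rule sid links to the rule page on the OSSEC wiki */
    if (lf->generated_rule->sigid) {
        prelude_add_reference(idmef, idx, "origin", "vendor-specific");
        snprintf(data, sizeof data, "Rule:%d", lf->generated_rule->sigid);
        prelude_add_reference(idmef, idx, "name", data);
        prelude_add_reference(idmef, idx, "meaning", "OSSEC Rule Wiki Documentation");
        snprintf(data, sizeof data, "http://www.ossec.net/wiki/Rule:%d",
                 lf->generated_rule->sigid);
        prelude_add_reference(idmef, idx, "url", data);
        idx++;
    }

    /* Extended info details */
    for (detail = lf->generated_rule->info_details;
            detail != NULL;
            detail = detail->next) {
        if (detail->type == RULEINFODETAIL_LINK) {
            prelude_add_reference(idmef, idx, "origin", "vendor-specific");
            snprintf(data, sizeof data, "Rule:%d link", lf->generated_rule->sigid);
            prelude_add_reference(idmef, idx, "name", data);
            prelude_add_reference(idmef, idx, "url", detail->data);
        } else if (detail->type == RULEINFODETAIL_TEXT) {
            prelude_add_reference(idmef, idx, "origin", "vendor-specific");
            snprintf(data, sizeof data, "Rule:%d info", lf->generated_rule->sigid);
            prelude_add_reference(idmef, idx, "name", data);
            prelude_add_reference(idmef, idx, "meaning", detail->data);
        } else {
            prelude_add_reference(idmef, idx, "origin",
                                  prelude_detail_origin(detail->type));
            prelude_add_reference(idmef, idx, "name", detail->data);
        }
        /* Each detail consumes one reference slot, including the CVE/OSVDB/
         * bugtraq branch; otherwise the next detail would overwrite this
         * reference's origin and name. */
        idx++;
    }

    /* One reference per comma-separated group, pointing at the OSSEC wiki */
    if (lf->generated_rule->group) {
        char groups[256];
        char *cursor = groups;

        /* snprintf() always NUL-terminates, unlike strncpy() */
        snprintf(groups, sizeof groups, "%s", lf->generated_rule->group);

        /* Hand-rolled split on ',' instead of strtok(): no static state,
         * and empty tokens (",,") are skipped just as strtok() would. */
        while (cursor) {
            char *group = cursor;
            char *sep = strchr(cursor, ',');

            if (sep) {
                *sep = '\0';
                cursor = sep + 1;
            } else {
                cursor = NULL;
            }
            if (*group == '\0') {
                continue;
            }

            prelude_add_reference(idmef, idx, "origin", "vendor-specific");
            snprintf(data, sizeof data, "Group:%s", group);
            prelude_add_reference(idmef, idx, "name", data);
            prelude_add_reference(idmef, idx, "meaning", "OSSEC Group Wiki Documenation");
            snprintf(data, sizeof data, "http://www.ossec.net/wiki/Group:%s", group);
            prelude_add_reference(idmef, idx, "url", data);
            idx++;
        }
    }
}

/* Emit source and target node information for the alert. */
static void prelude_add_nodes(idmef_message_t *idmef, Eventinfo *lf)
{
    /* Source */
    add_idmef_object(idmef, "alert.source(0).Spoofed", "no");
    add_idmef_object(idmef, "alert.source(0).Node.Address(0).address", lf->srcip);
    add_idmef_object(idmef, "alert.source(0).Service.port", lf->srcport);
    if (lf->srcuser) {
        add_idmef_object(idmef, "alert.source(0).User.UserId(0).name", lf->srcuser);
    }

    /* Target */
    add_idmef_object(idmef, "alert.target(0).Service.name", lf->program_name);
    add_idmef_object(idmef, "alert.target(0).Spoofed", "no");

    if (lf->dstip) {
        add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", lf->dstip);
    } else if (lf->hostname) {
        char target[256];
        char *arrow;

        snprintf(target, sizeof target, "%s", lf->hostname);

        /* The hostname may carry the log file after "->", e.g.
         *   enigma->/var/log/authlog
         *   (esqueleto2) 192.168.2.99->/var/log/squid/access.log
         * Only the part before the arrow is the node address. */
        arrow = strstr(target, "->");
        if (arrow) {
            *arrow = '\0';
        }
        add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", target);
    }
    /* NOTE(review): Service.name was set to program_name above and is set
     * again here with the hostname; presumably the second call wins — confirm
     * against add_idmef_object(). */
    add_idmef_object(idmef, "alert.target(0).Service.name", lf->hostname);
    add_idmef_object(idmef, "alert.target(0).Service.port", lf->dstport);

    if (lf->dstuser) {
        add_idmef_object(idmef, "alert.target(0).User.category", "2");
        add_idmef_object(idmef, "alert.target(0).User.UserId(0).name", lf->dstuser);
    }
}

/* Build an IDMEF alert from an OSSEC event and hand it to the prelude client.
 *
 * lf: the event (rule, addresses, users, log line, optional file-integrity
 *     data) to report.  Logs an error and returns early when the IDMEF
 *     message cannot be allocated; the message is always destroyed after
 *     prelude_client_send_idmef(). */
void OS_PreludeLog(Eventinfo *lf)
{
    char data[256];
    idmef_message_t *idmef;

    if (idmef_message_new(&idmef) < 0) {
        merror("%s: OSSEC2Prelude: Cannot create IDMEF message", ARGV0);
        return;
    }

    /* Assessment */
    add_idmef_object(idmef, "alert.assessment.impact.description",
                     lf->generated_rule->comment);
    /* NOTE(review): a negative rule level would index ossec2prelude_sev out
     * of bounds; the rule loader is assumed to reject such levels — confirm. */
    add_idmef_object(idmef, "alert.assessment.impact.severity",
                     (lf->generated_rule->level > 15) ? "high" :
                     ossec2prelude_sev[lf->generated_rule->level]);
    add_idmef_object(idmef, "alert.assessment.impact.completion", "succeeded");

    if (lf->action) {
        /* "DROP: ", "CLOSED: ", "ALLOW: " or nothing, then the raw action */
        snprintf(data, sizeof data, "%s%s",
                 prelude_action_prefix(*lf->action), lf->action);
        add_idmef_object(idmef, "alert.assessment.action(0).category", "3");
        add_idmef_object(idmef, "alert.assessment.action(0).description", data);
    }

    prelude_add_classification(idmef, lf);
    prelude_add_nodes(idmef, lf);

    /* Additional data: the source file and the full log line */
    add_idmef_object(idmef, "alert.additional_data(0).type", "string");
    add_idmef_object(idmef, "alert.additional_data(0).meaning", "Source file");
    add_idmef_object(idmef, "alert.additional_data(0).data", lf->location);

    add_idmef_object(idmef, "alert.additional_data(1).type", "string");
    add_idmef_object(idmef, "alert.additional_data(1).meaning", "Full Log");
    add_idmef_object(idmef, "alert.additional_data(1).data", lf->full_log);

    idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
                             idmef_analyzer_ref
                             (prelude_client_get_analyzer(prelude_client)),
                             IDMEF_LIST_PREPEND);

    /* Passing a NULL pointer to %s is undefined; substitute a marker */
    debug1("%s: DEBUG: lf->filename = %s.", ARGV0,
           lf->filename ? lf->filename : "(null)");
    if (lf->filename) {
        /* File-integrity events: state before and after the change */
        FileAccess_PreludeLog(idmef,
                              0,
                              lf->filename,
                              lf->md5_before,
                              lf->sha1_before,
                              lf->owner_before,
                              lf->gowner_before,
                              lf->perm_before);
        FileAccess_PreludeLog(idmef,
                              1,
                              lf->filename,
                              lf->md5_after,
                              lf->sha1_after,
                              lf->owner_after,
                              lf->gowner_after,
                              lf->perm_after);
        debug1("%s: DEBUG: done with alert.target(0).file(1)", ARGV0);
    }

    debug1("%s: DEBUG: Sending IDMEF alert", ARGV0);
    prelude_client_send_idmef(prelude_client, idmef);
    debug1("%s: DEBUG: destroying IDMEF alert", ARGV0);
    idmef_message_destroy(idmef);
}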