/*
 * Sanitize an IDMEF message in place before it is processed further.
 *
 * Alerts are handed to sanitize_alert(), every other message type to
 * sanitize_heartbeat() (both defined elsewhere in this file). The msg
 * argument is part of the hook signature but is not consulted here.
 * Always returns 0.
 */
static int normalize_run(requiem_msg_t *msg, idmef_message_t *idmef)
{
        int is_alert = (idmef_message_get_type(idmef) == IDMEF_MESSAGE_TYPE_ALERT);

        (void) msg;   /* unused: kept for the hook signature */

        if ( is_alert ) {
                sanitize_alert(idmef_message_get_alert(idmef));
                return 0;
        }

        sanitize_heartbeat(idmef_message_get_heartbeat(idmef));
        return 0;
}
/*
 * Fill in the fields a client-generated IDMEF message may lack.
 *
 * For both alerts and heartbeats: assign a messageid from the client's
 * unique-ident generator when none is present, then attach the client's
 * analyzer through add_analyzer() (defined elsewhere in this file).
 * NOTE(review): the return of prelude_client_get_unique_ident() is passed
 * to get_message_ident() unchecked, as in the original — confirm it cannot
 * be NULL for a configured client.
 * Always returns 0.
 */
int _idmef_message_assign_missing(prelude_client_t *client, idmef_message_t *msg)
{
        prelude_ident_t *ident = prelude_client_get_unique_ident(client);
        int is_alert = (idmef_message_get_type(msg) == IDMEF_MESSAGE_TYPE_ALERT);

        if ( is_alert ) {
                idmef_alert_t *alert = idmef_message_get_alert(msg);

                /* Only mint a new id when the producer did not supply one. */
                if ( ! idmef_alert_get_messageid(alert) )
                        idmef_alert_set_messageid(alert, get_message_ident(ident));

                /* Casts hide the getter/setter types behind add_analyzer's generic parameters. */
                add_analyzer(client, alert, (void *) idmef_alert_get_next_analyzer, (void *) idmef_alert_set_analyzer);
                return 0;
        }

        idmef_heartbeat_t *heartbeat = idmef_message_get_heartbeat(msg);

        if ( ! idmef_heartbeat_get_messageid(heartbeat) )
                idmef_heartbeat_set_messageid(heartbeat, get_message_ident(ident));

        add_analyzer(client, heartbeat, (void *) idmef_heartbeat_get_next_analyzer, (void *) idmef_heartbeat_set_analyzer);

        return 0;
}
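/* Set one IDMEF classification reference at the given index.
 *
 * origin and name are always written; meaning and url are written only when
 * non-NULL. Fields are emitted in the order origin, name, meaning, url, the
 * same order the previous inline code used.
 * NOTE(review): add_idmef_object() is defined elsewhere in this file. The old
 * code passed rule-supplied NULL data straight through to it; this helper
 * skips the optional fields instead.
 */
static void add_classification_reference(idmef_message_t *idmef, int index,
                                         const char *origin, const char *name,
                                         const char *meaning, const char *url)
{
    char path[128];

    snprintf(path, sizeof path, "alert.classification.reference(%d).origin", index);
    add_idmef_object(idmef, path, origin);

    snprintf(path, sizeof path, "alert.classification.reference(%d).name", index);
    add_idmef_object(idmef, path, name);

    if (meaning) {
        snprintf(path, sizeof path, "alert.classification.reference(%d).meaning", index);
        add_idmef_object(idmef, path, meaning);
    }

    if (url) {
        snprintf(path, sizeof path, "alert.classification.reference(%d).url", index);
        add_idmef_object(idmef, path, url);
    }
}

/* Emit one classification reference per comma-separated rule group name,
 * each pointing at the OSSEC wiki page for that group.
 *
 * Splits like strtok(",") (leading, trailing and doubled commas yield no
 * token) but keeps its state in a local buffer, so it has no hidden static
 * state and is safe to call from more than one thread.
 * Returns the next free classification reference index.
 */
static int add_group_references(idmef_message_t *idmef, const char *groups, int index)
{
    char group_buf[256];
    char name_buf[256];
    char url_buf[256];
    char *cursor = group_buf;

    /* Bounded copy that is always NUL-terminated (strncpy does not guarantee that). */
    snprintf(group_buf, sizeof group_buf, "%s", groups);

    while (*cursor != '\0') {
        char *token = cursor;
        char *sep = strchr(cursor, ',');

        if (sep) {
            *sep = '\0';
            cursor = sep + 1;
        } else {
            cursor += strlen(cursor);
        }

        if (*token == '\0') {
            continue;   /* empty field: strtok would have skipped it too */
        }

        snprintf(name_buf, sizeof name_buf, "Group:%s", token);
        snprintf(url_buf, sizeof url_buf, "http://www.ossec.net/wiki/Group:%s", token);
        add_classification_reference(idmef, index, "vendor-specific", name_buf,
                                     "OSSEC Group Wiki Documenation", url_buf);
        index++;
    }

    return index;
}

/* Fill the source and target node blocks of the alert from the event.
 *
 * When no destination IP is known the target address falls back to the event
 * hostname with any "->/path/to/log" suffix removed (the agent encodes the
 * originating log file there, e.g. "enigma->/var/log/authlog").
 */
static void add_node_info(idmef_message_t *idmef, Eventinfo *lf)
{
    add_idmef_object(idmef, "alert.source(0).Spoofed", "no");
    add_idmef_object(idmef, "alert.source(0).Node.Address(0).address", lf->srcip);
    add_idmef_object(idmef, "alert.source(0).Service.port", lf->srcport);

    if (lf->srcuser) {
        add_idmef_object(idmef, "alert.source(0).User.UserId(0).name", lf->srcuser);
    }

    add_idmef_object(idmef, "alert.target(0).Service.name", lf->program_name);
    add_idmef_object(idmef, "alert.target(0).Spoofed", "no");

    if (lf->dstip) {
        add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", lf->dstip);
    } else if (lf->hostname) {
        /* Guarded: the old code copied lf->hostname unconditionally, which is
         * undefined behaviour if it is ever NULL. */
        char target[256];
        char *sep;

        snprintf(target, sizeof target, "%s", lf->hostname);
        sep = strstr(target, "->");
        if (sep) {
            *sep = '\0';
        }
        add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", target);
    }

    /* NOTE(review): Service.name was already set to lf->program_name above;
     * this second assignment overwrites it with the hostname, as in the
     * original — confirm which value is intended. */
    add_idmef_object(idmef, "alert.target(0).Service.name", lf->hostname);
    add_idmef_object(idmef, "alert.target(0).Service.port", lf->dstport);

    if (lf->dstuser) {
        add_idmef_object(idmef, "alert.target(0).User.category", "2");
        add_idmef_object(idmef, "alert.target(0).User.UserId(0).name", lf->dstuser);
    }
}

/* Set one string-typed alert.additional_data(index) entry: type, meaning, data. */
static void add_additional_string(idmef_message_t *idmef, int index,
                                  const char *meaning, const char *data)
{
    char path[128];

    snprintf(path, sizeof path, "alert.additional_data(%d).type", index);
    add_idmef_object(idmef, path, "string");

    snprintf(path, sizeof path, "alert.additional_data(%d).meaning", index);
    add_idmef_object(idmef, path, meaning);

    snprintf(path, sizeof path, "alert.additional_data(%d).data", index);
    add_idmef_object(idmef, path, data);
}

/* Build an IDMEF alert from an OSSEC event and send it to the Prelude manager.
 *
 * The alert carries the rule's assessment (impact, severity, action taken),
 * its classification references (CVE, rule id, extended info details, rule
 * groups), source/target node information, the source file and full log as
 * additional data, and — for syscheck events — before/after file attributes.
 * On failure to allocate the IDMEF message an error is logged and nothing is
 * sent. Relies on the file-scope prelude_client and ossec2prelude_sev table.
 *
 * Changes from the previous version:
 *  - CVE/OSVDB/Bugtraq info details now advance the reference index, so they
 *    are no longer overwritten by the reference that follows them.
 *  - group splitting no longer uses strtok() (static state, not reentrant).
 *  - strncpy() copies replaced by always-terminated snprintf() copies.
 *  - a NULL lf->filename is no longer handed to a "%s" conversion.
 */
void OS_PreludeLog(Eventinfo *lf)
{
    int ret;
    int classification_counter = 0;
    int additional_data_counter = 0;
    char _prelude_data[256];
    char _prelude_url[256];
    idmef_message_t *idmef;
    RuleInfoDetail *last_info_detail;

    /* Generate prelude alert */
    ret = idmef_message_new(&idmef);
    if (ret < 0) {
        merror("%s: OSSEC2Prelude: Cannot create IDMEF message", ARGV0);
        return;
    }

    /* Assessment: impact and severity */
    add_idmef_object(idmef, "alert.assessment.impact.description",
                     lf->generated_rule->comment);

    /* Levels above the severity table clamp to "high".
     * NOTE(review): a negative level would index before the table — confirm
     * the rule parser rejects negative levels. */
    add_idmef_object(idmef, "alert.assessment.impact.severity",
                     (lf->generated_rule->level > 15) ? "high" :
                     ossec2prelude_sev[lf->generated_rule->level]);

    add_idmef_object(idmef, "alert.assessment.impact.completion", "succeeded");

    /* Action taken, keyed on the first letter of the (log-supplied) action word.
     * The word itself is only ever copied through a bounded snprintf. */
    if (lf->action) {
        switch (*lf->action) {
            /* discard, drop, deny, */
            case 'd':
            case 'D':
            /* reject, */
            case 'r':
            case 'R':
            /* block */
            case 'b':
            case 'B':
                snprintf(_prelude_data, sizeof _prelude_data, "DROP: %s", lf->action);
                break;
            /* Closed */
            case 'c':
            case 'C':
            /* Teardown */
            case 't':
            case 'T':
                snprintf(_prelude_data, sizeof _prelude_data, "CLOSED: %s", lf->action);
                break;
            /* allow, accept, */
            case 'a':
            case 'A':
            /* pass/permitted */
            case 'p':
            case 'P':
            /* open */
            case 'o':
            case 'O':
                snprintf(_prelude_data, sizeof _prelude_data, "ALLOW: %s", lf->action);
                break;
            default:
                snprintf(_prelude_data, sizeof _prelude_data, "%s", lf->action);
                break;
        }
        add_idmef_object(idmef, "alert.assessment.action(0).category", "3");
        add_idmef_object(idmef, "alert.assessment.action(0).description", _prelude_data);
    }

    /* Classification */
    add_idmef_object(idmef, "alert.classification.text",
                     lf->generated_rule->comment);

    /* CVE (http://www.cve.mitre.org/) reference, if the rule carries one */
    if (lf->generated_rule->cve) {
        snprintf(_prelude_data, sizeof _prelude_data, "CVE:%s", lf->generated_rule->cve);
        add_classification_reference(idmef, classification_counter, "cve",
                                     lf->generated_rule->cve, _prelude_data, NULL);
        classification_counter++;
    }

    /* Rule sid links back to the rule's page on the OSSEC wiki */
    if (lf->generated_rule->sigid) {
        snprintf(_prelude_data, sizeof _prelude_data, "Rule:%d", lf->generated_rule->sigid);
        snprintf(_prelude_url, sizeof _prelude_url, "http://www.ossec.net/wiki/Rule:%d",
                 lf->generated_rule->sigid);
        add_classification_reference(idmef, classification_counter, "vendor-specific",
                                     _prelude_data, "OSSEC Rule Wiki Documentation",
                                     _prelude_url);
        classification_counter++;
    }

    /* Extended info details: one reference each */
    for (last_info_detail = lf->generated_rule->info_details;
            last_info_detail != NULL;
            last_info_detail = last_info_detail->next) {
        switch (last_info_detail->type) {
            case RULEINFODETAIL_LINK:
                snprintf(_prelude_data, sizeof _prelude_data, "Rule:%d link",
                         lf->generated_rule->sigid);
                add_classification_reference(idmef, classification_counter, "vendor-specific",
                                             _prelude_data, NULL, last_info_detail->data);
                break;
            case RULEINFODETAIL_TEXT:
                snprintf(_prelude_data, sizeof _prelude_data, "Rule:%d info",
                         lf->generated_rule->sigid);
                add_classification_reference(idmef, classification_counter, "vendor-specific",
                                             _prelude_data, last_info_detail->data, NULL);
                break;
            case RULEINFODETAIL_CVE:
                add_classification_reference(idmef, classification_counter, "cve",
                                             last_info_detail->data, NULL, NULL);
                break;
            case RULEINFODETAIL_OSVDB:
                add_classification_reference(idmef, classification_counter, "osvdb",
                                             last_info_detail->data, NULL, NULL);
                break;
            case RULEINFODETAIL_BUGTRACK:
                add_classification_reference(idmef, classification_counter, "bugtraqid",
                                             last_info_detail->data, NULL, NULL);
                break;
            default:
                add_classification_reference(idmef, classification_counter, "vendor-specific",
                                             last_info_detail->data, NULL, NULL);
                break;
        }
        /* Advance for every detail type. The old code only advanced for LINK
         * and TEXT, so a CVE/OSVDB/Bugtraq reference was overwritten by the
         * next reference written at the same index. */
        classification_counter++;
    }

    /* One reference per comma-separated rule group */
    if (lf->generated_rule->group) {
        classification_counter = add_group_references(idmef, lf->generated_rule->group,
                                                      classification_counter);
    }

    /* Source / target node information */
    add_node_info(idmef, lf);

    /* Additional data: originating file and the full log line */
    add_additional_string(idmef, additional_data_counter, "Source file", lf->location);
    additional_data_counter++;
    add_additional_string(idmef, additional_data_counter, "Full Log", lf->full_log);
    additional_data_counter++;

    idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
                             idmef_analyzer_ref
                             (prelude_client_get_analyzer(prelude_client)),
                             IDMEF_LIST_PREPEND);

    /* lf->filename may be NULL (see the guard below); never feed NULL to "%s". */
    debug1("%s: DEBUG: lf->filename = %s.", ARGV0,
           lf->filename ? lf->filename : "(null)");
    if (lf->filename) {
        /* Syscheck event: record the file attributes before and after the change. */
        FileAccess_PreludeLog(idmef,
                              0,
                              lf->filename,
                              lf->md5_before,
                              lf->sha1_before,
                              lf->owner_before,
                              lf->gowner_before,
                              lf->perm_before);
        FileAccess_PreludeLog(idmef,
                              1,
                              lf->filename,
                              lf->md5_after,
                              lf->sha1_after,
                              lf->owner_after,
                              lf->gowner_after,
                              lf->perm_after);
        debug1("%s: DEBUG: done with alert.target(0).file(1)", ARGV0);
    }

    debug1("%s: DEBUG: Sending IDMEF alert", ARGV0);
    prelude_client_send_idmef(prelude_client, idmef);
    debug1("%s: DEBUG: destroying IDMEF alert", ARGV0);
    idmef_message_destroy(idmef);
}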