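/*
 * Make sure the client's own analyzer is present in an analyzer list that is
 * reached through the caller-supplied iterator `geta` and inserter `insa`.
 *
 * The list is walked with `geta(top, prev)` (NULL for the first call, NULL
 * returned at the end). If an analyzer carrying the same numeric analyzerid as
 * the client's profile is found, nothing is inserted and 0 is returned.
 * Otherwise a fresh reference to the client's analyzer is prepended through
 * `insa` and its return value is passed back to the caller.
 *
 * NOTE(review): the scan also stops as soon as it reaches the client's own
 * analyzer *object* (`cur == own`), and the insert below still runs in that
 * case, exactly as in the original; whether that duplicate is intended is not
 * visible here — confirm against the callers.
 */
static int add_analyzer(prelude_client_t *client, void *top,
                        void *(*geta)(void *top, idmef_analyzer_t *analyzer),
                        int (*insa)(void *top, idmef_analyzer_t *analyzer, int pos))
{
    idmef_analyzer_t *own = prelude_client_get_analyzer(client);
    uint64_t wanted = prelude_client_profile_get_analyzerid(prelude_client_get_profile(client));
    idmef_analyzer_t *cur = NULL;

    while ((cur = geta(top, cur)) != NULL && cur != own) {
        prelude_string_t *str = idmef_analyzer_get_analyzerid(cur);
        const char *id;

        if (!str) {
            continue;
        }

        /* An empty prelude_string may carry no buffer at all; strtoull on NULL
         * would be undefined behaviour, so treat "no text" as "no id". */
        id = prelude_string_get_string(str);
        if (!id) {
            continue;
        }

        /* The analyzerid is transported as a decimal string; a non-numeric
         * value parses as 0 and simply fails to match (same as the original). */
        if (strtoull(id, NULL, 10) == wanted) {
            return 0;
        }
    }

    /* Not found: hand the list a new reference to our own analyzer. */
    return insa(top, idmef_analyzer_ref(own), IDMEF_LIST_PREPEND);
}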
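/*
 * Map the first letter of an OSSEC action string (case-insensitive) to the
 * prefix used in the IDMEF action description. Unknown actions get no prefix.
 * `action` must be non-NULL.
 */
static const char *prelude_action_prefix(const char *action)
{
    switch (*action) {
    case 'd': case 'D':   /* discard, drop, deny */
    case 'r': case 'R':   /* reject */
    case 'b': case 'B':   /* block */
        return "DROP: ";
    case 'c': case 'C':   /* closed */
    case 't': case 'T':   /* teardown */
        return "CLOSED: ";
    case 'a': case 'A':   /* allow, accept */
    case 'p': case 'P':   /* pass, permitted */
    case 'o': case 'O':   /* open */
        return "ALLOW: ";
    default:
        return "";
    }
}

/*
 * Emit one alert.classification.reference(idx) entry.
 *
 * `origin` and `name` are always set; `meaning` and `url` are set only when
 * non-NULL. Fields are written in origin/name/meaning/url order. Returns
 * idx + 1 so callers can chain references without touching the counter.
 */
static int prelude_add_classification_ref(idmef_message_t *idmef, int idx,
                                          const char *origin, const char *name,
                                          const char *meaning, const char *url)
{
    char section[128];

    snprintf(section, sizeof section, "alert.classification.reference(%d).origin", idx);
    add_idmef_object(idmef, section, origin);
    snprintf(section, sizeof section, "alert.classification.reference(%d).name", idx);
    add_idmef_object(idmef, section, name);
    if (meaning) {
        snprintf(section, sizeof section, "alert.classification.reference(%d).meaning", idx);
        add_idmef_object(idmef, section, meaning);
    }
    if (url) {
        snprintf(section, sizeof section, "alert.classification.reference(%d).url", idx);
        add_idmef_object(idmef, section, url);
    }
    return idx + 1;
}

/*
 * Emit one alert.additional_data(idx) entry of type "string" with the given
 * meaning and data (type/meaning/data order). Returns idx + 1.
 */
static int prelude_add_additional_data(idmef_message_t *idmef, int idx,
                                       const char *meaning, const char *value)
{
    char section[128];

    snprintf(section, sizeof section, "alert.additional_data(%d).type", idx);
    add_idmef_object(idmef, section, "string");
    snprintf(section, sizeof section, "alert.additional_data(%d).meaning", idx);
    add_idmef_object(idmef, section, meaning);
    snprintf(section, sizeof section, "alert.additional_data(%d).data", idx);
    add_idmef_object(idmef, section, value);
    return idx + 1;
}

/*
 * Build an IDMEF alert from an OSSEC event and send it through the file-level
 * `prelude_client`.
 *
 * The alert carries the rule's assessment, a classification block (rule text
 * plus one reference per CVE, rule id, info-detail and group), source/target
 * node information, the originating log file and the full log line as
 * additional data, and — for syscheck events — before/after file attributes.
 *
 * All event-derived strings are passed to add_idmef_object as values, never
 * as format strings. On failure to allocate the message an error is logged
 * and the event is dropped. The message is always destroyed before return.
 */
void OS_PreludeLog(Eventinfo *lf)
{
    char data[256];
    char url[256];
    int ref = 0;      /* next alert.classification.reference(N) index */
    int extra = 0;    /* next alert.additional_data(N) index */
    idmef_message_t *idmef = NULL;
    RuleInfoDetail *detail;

    if (idmef_message_new(&idmef) < 0) {
        merror("%s: OSSEC2Prelude: Cannot create IDMEF message", ARGV0);
        return;
    }

    /* Assessment. */
    add_idmef_object(idmef, "alert.assessment.impact.description", lf->generated_rule->comment);
    /* NOTE(review): the table is indexed directly by level; this assumes the
     * rule level is never negative — the table's bounds are not visible here. */
    add_idmef_object(idmef, "alert.assessment.impact.severity",
                     (lf->generated_rule->level > 15) ? "high"
                                                      : ossec2prelude_sev[lf->generated_rule->level]);
    add_idmef_object(idmef, "alert.assessment.impact.completion", "succeeded");

    if (lf->action) {
        snprintf(data, sizeof data, "%s%s", prelude_action_prefix(lf->action), lf->action);
        /* "3" is the IDMEF action category code kept from the original. */
        add_idmef_object(idmef, "alert.assessment.action(0).category", "3");
        add_idmef_object(idmef, "alert.assessment.action(0).description", data);
    }

    /* Classification: rule text plus one reference per known source. */
    add_idmef_object(idmef, "alert.classification.text", lf->generated_rule->comment);

    /* CVE (http://www.cve.mitre.org/) attached to the triggering rule, if any. */
    if (lf->generated_rule->cve) {
        snprintf(data, sizeof data, "CVE:%s", lf->generated_rule->cve);
        ref = prelude_add_classification_ref(idmef, ref, "cve", lf->generated_rule->cve, data, NULL);
    }

    /* Rule id, linked to its page on the OSSEC wiki. */
    if (lf->generated_rule->sigid) {
        snprintf(data, sizeof data, "Rule:%d", lf->generated_rule->sigid);
        snprintf(url, sizeof url, "http://www.ossec.net/wiki/Rule:%d", lf->generated_rule->sigid);
        ref = prelude_add_classification_ref(idmef, ref, "vendor-specific", data,
                                             "OSSEC Rule Wiki Documentation", url);
    }

    /* Extended info details declared on the rule. Every detail now advances
     * the reference index; previously the CVE/OSVDB/BUGTRACK/default case did
     * not, so the following reference overwrote it. */
    for (detail = lf->generated_rule->info_details; detail != NULL; detail = detail->next) {
        switch (detail->type) {
        case RULEINFODETAIL_LINK:
            snprintf(data, sizeof data, "Rule:%d link", lf->generated_rule->sigid);
            ref = prelude_add_classification_ref(idmef, ref, "vendor-specific", data, NULL, detail->data);
            break;
        case RULEINFODETAIL_TEXT:
            snprintf(data, sizeof data, "Rule:%d info", lf->generated_rule->sigid);
            ref = prelude_add_classification_ref(idmef, ref, "vendor-specific", data, detail->data, NULL);
            break;
        case RULEINFODETAIL_CVE:
            ref = prelude_add_classification_ref(idmef, ref, "cve", detail->data, NULL, NULL);
            break;
        case RULEINFODETAIL_OSVDB:
            ref = prelude_add_classification_ref(idmef, ref, "osvdb", detail->data, NULL, NULL);
            break;
        case RULEINFODETAIL_BUGTRACK:
            ref = prelude_add_classification_ref(idmef, ref, "bugtraqid", detail->data, NULL, NULL);
            break;
        default:
            ref = prelude_add_classification_ref(idmef, ref, "vendor-specific", detail->data, NULL, NULL);
            break;
        }
    }

    /* One reference per comma-separated group, pointing at the OSSEC wiki.
     * Tokenised by hand (strchr on a bounded private copy) rather than strtok,
     * which keeps static state; empty tokens are skipped, as strtok did. */
    if (lf->generated_rule->group) {
        char groups[256];
        char *tok = groups;

        snprintf(groups, sizeof groups, "%s", lf->generated_rule->group);
        while (tok) {
            char *comma = strchr(tok, ',');
            if (comma) {
                *comma = '\0';
            }
            if (*tok) {
                snprintf(data, sizeof data, "Group:%s", tok);
                snprintf(url, sizeof url, "http://www.ossec.net/wiki/Group:%s", tok);
                ref = prelude_add_classification_ref(idmef, ref, "vendor-specific", data,
                                                     "OSSEC Group Wiki Documenation", url);
            }
            tok = comma ? comma + 1 : NULL;
        }
    }

    /* Source node. */
    add_idmef_object(idmef, "alert.source(0).Spoofed", "no");
    add_idmef_object(idmef, "alert.source(0).Node.Address(0).address", lf->srcip);
    add_idmef_object(idmef, "alert.source(0).Service.port", lf->srcport);
    if (lf->srcuser) {
        add_idmef_object(idmef, "alert.source(0).User.UserId(0).name", lf->srcuser);
    }

    /* Target node. */
    add_idmef_object(idmef, "alert.target(0).Service.name", lf->program_name);
    add_idmef_object(idmef, "alert.target(0).Spoofed", "no");
    if (lf->dstip) {
        add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", lf->dstip);
    } else if (lf->hostname) {
        /* The hostname may carry the log file after "->", e.g.
         *   enigma->/var/log/authlog
         *   (esqueleto2) 192.168.2.99->/var/log/squid/access.log
         * so it is copied into a bounded buffer and cut at the arrow. */
        char host[256];
        char *arrow;

        snprintf(host, sizeof host, "%s", lf->hostname);
        arrow = strstr(host, "->");
        if (arrow) {
            *arrow = '\0';
        }
        add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", host);
    }
    /* NOTE(review): Service.name was already set to program_name above; this
     * second assignment is kept from the original. Whether add_idmef_object
     * replaces or rejects the second value is not visible here — confirm
     * which field the hostname was meant for. */
    add_idmef_object(idmef, "alert.target(0).Service.name", lf->hostname);
    add_idmef_object(idmef, "alert.target(0).Service.port", lf->dstport);
    if (lf->dstuser) {
        /* "2" is the IDMEF user category code kept from the original. */
        add_idmef_object(idmef, "alert.target(0).User.category", "2");
        add_idmef_object(idmef, "alert.target(0).User.UserId(0).name", lf->dstuser);
    }

    /* Additional data: originating log and the raw log line. */
    extra = prelude_add_additional_data(idmef, extra, "Source file", lf->location);
    extra = prelude_add_additional_data(idmef, extra, "Full Log", lf->full_log);

    idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
                             idmef_analyzer_ref(prelude_client_get_analyzer(prelude_client)),
                             IDMEF_LIST_PREPEND);

    debug1("%s: DEBUG: lf->filename = %s.", ARGV0, lf->filename ? lf->filename : "(null)");
    if (lf->filename) {
        /* Syscheck event: attach the before (0) and after (1) file attributes. */
        FileAccess_PreludeLog(idmef, 0, lf->filename, lf->md5_before, lf->sha1_before,
                              lf->owner_before, lf->gowner_before, lf->perm_before);
        FileAccess_PreludeLog(idmef, 1, lf->filename, lf->md5_after, lf->sha1_after,
                              lf->owner_after, lf->gowner_after, lf->perm_after);
        debug1("%s: DEBUG: done with alert.target(0).file(1)", ARGV0);
    }

    debug1("%s: DEBUG: Sending IDMEF alert", ARGV0);
    prelude_client_send_idmef(prelude_client, idmef);

    debug1("%s: DEBUG: destroying IDMEF alert", ARGV0);
    idmef_message_destroy(idmef);
}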