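/*
 * Sagan_Alert_File - append one alert record to the alert log.
 *
 * Writes a multi-line, Snort-style record for Event to
 * config->sagan_alert_stream, increments counters->alert_total and flushes
 * the stream so the record is handed to the OS before the caller continues.
 *
 * Event - the alert to log (must not be NULL).
 */
void Sagan_Alert_File( _SaganEvent *Event )
{
    char *tmpref = NULL;

    counters->alert_total++;

    fprintf(config->sagan_alert_stream, "\n[**] [%lu:%s] %s [**]\n",
            Event->generatorid, Event->sid, Event->f_msg);
    fprintf(config->sagan_alert_stream, "[Classification: %s] [Priority: %d] [%s] [%s]\n",
            Event->class, Event->pri, Event->from, Event->host );
    fprintf(config->sagan_alert_stream, "%s %s %s:%d -> %s:%d %s %s\n",
            Event->date, Event->time, Event->ip_src, Event->src_port,
            Event->ip_dst, Event->dst_port, Event->facility, Event->priority);
    fprintf(config->sagan_alert_stream, "Message: %s\n", Event->message);

    if ( Event->found != 0 ) {
        /* Look the reference up once and reuse it; the old code called
         * Reference_Lookup() a second time just to print the result. */
        tmpref = Reference_Lookup( Event->found, 0 );

        /* The NULL guard is defensive: Reference_Lookup()'s contract is not
         * visible here, and strcmp(NULL, ...) is undefined behaviour.
         * TODO confirm whether it can return NULL. */
        if ( tmpref != NULL && tmpref[0] != '\0' ) {
            fprintf(config->sagan_alert_stream, "%s\n", tmpref);
        }
    }

    fflush(config->sagan_alert_stream);
}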
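/*
 * Sagan_Alert_File - append one alert record to the alert log.
 *
 * Writes a multi-line, Snort-style record for Event to
 * config->sagan_alert_stream and flushes the stream so the record is handed
 * to the OS before the caller continues.  The reference text (if any) is
 * copied into a bounded local buffer before it is printed.
 *
 * Event - the alert to log (must not be NULL).
 */
void Sagan_Alert_File( _SaganEvent *Event )
{
    char tmpref[2048] = "";
    const char *ref = NULL;

    fprintf(config->sagan_alert_stream, "\n[**] [%lu:%s] %s [**]\n",
            Event->generatorid, Event->sid, Event->f_msg);
    fprintf(config->sagan_alert_stream, "[Classification: %s] [Priority: %d]\n",
            Event->class, Event->pri );
    fprintf(config->sagan_alert_stream, "%s %s %s:%d -> %s:%d %s %s\n",
            Event->date, Event->time, Event->ip_src, Event->src_port,
            Event->ip_dst, Event->dst_port, Event->facility, Event->priority);
    fprintf(config->sagan_alert_stream, "Message: %s\n", Event->message);

    /* The stdout mirror of the record above that used to sit here,
     * commented out, has been dropped as dead code. */

    if ( Event->found != 0 ) {
        ref = Reference_Lookup( Event->found, 0 );

        /* Defensive: Reference_Lookup()'s contract is not visible here and a
         * NULL argument to "%s" is undefined behaviour.  TODO confirm whether
         * it can return NULL. */
        if ( ref != NULL ) {
            /* snprintf always NUL-terminates, so an over-long reference is
             * truncated rather than overrunning tmpref. */
            snprintf(tmpref, sizeof(tmpref), "%s", ref);
        }

        if ( tmpref[0] != '\0' ) {
            fprintf(config->sagan_alert_stream, "%s\n", tmpref);
        }
    }

    fflush(config->sagan_alert_stream);
}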
/*
 * sagan_ext_thread - hand an event to an external program (older variant).
 *
 * NOTE(review): this definition is truncated on this page.  Only the
 * "parsable" formatting branch (config->sagan_exttype == 1) is visible; the
 * function body continues beyond the last visible line.  Sagan_Ext_Thread()
 * below shows the fuller form of the same routine.
 *
 * Event - the alert being handed over.
 */
void sagan_ext_thread ( _SaganEvent *Event )
{
    int in[2];
    int out[2];
    int n, pid;
    char buf[MAX_SYSLOGMSG];
    char data[MAX_SYSLOGMSG];
    char *tmpref = NULL;
    char tmp[6];                 /* "True" / "False" plus terminator */

    if ( debug->debugexternal ) Sagan_Log(S_WARN, "[%s, line %d] In sagan_ext_thread()", __FILE__, __LINE__);

    if ( config->sagan_exttype == 1 ) {
        /* Parsable */

        /* NOTE(review): the result is passed to "%s" below without a NULL
         * check; Reference_Lookup()'s contract is not visible here. */
        tmpref = Reference_Lookup( Event->found, 1 );

        if ( Event->drop == 1 ) {
            snprintf(tmp, sizeof(tmp), "True");
        } else {
            snprintf(tmp, sizeof(tmp), "False");
        }

        /* One "Key:Value" line per field.  The "Syslog message" field carries
         * received syslog content, so whatever consumes this record should
         * treat it as untrusted input.  data and Event->message share the
         * MAX_SYSLOGMSG bound, so the record may be truncated. */
        snprintf(data, sizeof(data), "\nID:%lu:%s\nMessage:%s\nClassification:%s\nDrop:%s\nPriority:%d\nDate:%s\nTime:%s\nSource:%s\nSource Port:%d\nDestination:%s\nDestination Port:%d\nFacility:%s\nSyslog Priority:%s\n%sSyslog message:%s\n", Event->generatorid, Event->sid, Event->f_msg, Event->class, tmp, Event->pri, Event->date, Event->time, Event->ip_src, Event->src_port, Event->ip_dst, Event->dst_port, Event->facility, Event->priority, tmpref, Event->message);
    }
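/*
 * Sagan_Ext_Thread - hand one event to an external program.
 *
 * Formats the fields of Event into a line-oriented "Key:Value" record, forks,
 * runs execute_script with that record on its stdin, collects whatever the
 * script writes to stdout/stderr (the output is not used further), and reaps
 * the child.  The whole exchange is serialised on ext_mutex.
 *
 * Event          - the alert to hand over (must not be NULL).
 * execute_script - path of the program to exec; it also becomes argv[0].
 *
 * Failures are reported through Sagan_Log().  Whether S_ERROR returns or
 * terminates the process is not visible here, so every failure path also
 * closes its descriptors, releases ext_mutex and returns on its own.
 *
 * The stdin record contains received syslog content, i.e. data that an
 * untrusted sender controls; the external script must treat it as such.
 */
void Sagan_Ext_Thread ( _SaganEvent *Event, char *execute_script )
{
    int in[2];                  /* parent -> child: becomes the child's stdin */
    int out[2];                 /* child -> parent: the child's stdout + stderr */
    pid_t pid;
    ssize_t n;
    size_t off = 0;
    char buf[MAX_SYSLOGMSG];
    char data[MAX_SYSLOGMSG];
    const char *tmpref;
    const char *drop;

    if ( debug->debugexternal ) {
        Sagan_Log(S_WARN, "[%s, line %d] In sagan_ext_thread()", __FILE__, __LINE__);
    }

    tmpref = Reference_Lookup( Event->found, 1 );

    /* Reference_Lookup()'s contract is not visible here; a NULL result would
     * make the "%s" below undefined behaviour, so map it to "".
     * TODO confirm whether it can return NULL. */
    if ( tmpref == NULL ) {
        tmpref = "";
    }

    drop = ( Event->drop == 1 ) ? "True" : "False";

    /* Adjacent literals concatenate to exactly the bytes of the old
     * backslash-continued string.  data and Event->message share the same
     * bound, so the record may be truncated; snprintf still NUL-terminates,
     * which keeps the strlen(data) below safe. */
    snprintf(data, sizeof(data),
             "\n"
             "ID:%lu:%s\n"
             "Message:%s\n"
             "Classification:%s\n"
             "Drop:%s\n"
             "Priority:%d\n"
             "Date:%s\n"
             "Time:%s\n"
             "Source:%s\n"
             "Source Port:%d\n"
             "Destination:%s\n"
             "Destination Port:%d\n"
             "Facility:%s\n"
             "Syslog Priority:%s\n"
             "%sSyslog message:%s\n",
             Event->generatorid, Event->sid, Event->f_msg, Event->class, drop,
             Event->pri, Event->date, Event->time, Event->ip_src,
             Event->src_port, Event->ip_dst, Event->dst_port, Event->facility,
             Event->priority, tmpref, Event->message);

    pthread_mutex_lock( &ext_mutex );

    if ( pipe(in) < 0 ) {
        Remove_Lock_File();
        Sagan_Log(S_ERROR, "[%s, line %d] Cannot create input pipe!", __FILE__, __LINE__);
        goto unlock;            /* in case S_ERROR returns instead of exiting */
    }

    if ( pipe(out) < 0 ) {
        Remove_Lock_File();
        Sagan_Log(S_ERROR, "[%s, line %d] Cannot create output pipe!", __FILE__, __LINE__);
        close(in[0]);
        close(in[1]);
        goto unlock;
    }

    pid = fork();

    if ( pid < 0 ) {
        Sagan_Log(S_ERROR, "[%s, line %d] Cannot create external program process", __FILE__, __LINE__);
        /* Without this guard a returning S_ERROR would fall through to
         * waitpid(-1, ...), which reaps an arbitrary child. */
        close(in[0]);
        close(in[1]);
        close(out[0]);
        close(out[1]);
        goto unlock;
    }

    if ( pid == 0 ) {
        /* Child.  dup2() closes its target first, so the old explicit
         * close(0..2) is unnecessary; it would also have closed a pipe end
         * by mistake had the process been running with 0..2 already closed. */
        dup2(in[0], 0);
        dup2(out[1], 1);
        dup2(out[1], 2);
        if ( in[0] > 2 ) {
            close(in[0]);
        }
        if ( out[1] > 2 ) {
            close(out[1]);
        }
        close(in[1]);
        close(out[0]);

        execl(execute_script, execute_script, (char *)NULL);

        /* Only reached when exec failed.  The child must not return into the
         * parent's code path (the old code did exactly that), hence _exit();
         * stdio buffers and atexit handlers inherited from the parent are
         * intentionally not run. */
        Remove_Lock_File();
        Sagan_Log(S_WARN, "[%s, line %d] Cannot execute %s", __FILE__, __LINE__, execute_script);
        _exit(127);
    }

    /* Parent: drop the ends the child uses. */
    close(in[0]);
    close(out[1]);

    /* Hand the record to the child.  A short or failed write is tolerated
     * (the script just sees a truncated record).  A write to a child that
     * has already exited raises SIGPIPE unless that signal is ignored
     * elsewhere in the daemon. */
    {
        const char *p = data;
        size_t left = strlen(data);

        while ( left > 0 ) {
            n = write(in[1], p, left);
            if ( n <= 0 ) {
                break;
            }
            p += n;
            left -= (size_t)n;
        }
    }
    close(in[1]);

    /* Collect up to sizeof(buf)-1 bytes of the child's output.  The old
     * single read stored the terminator at buf[n] even when n == sizeof(buf)
     * (one past the end) or n == -1 (one before it). */
    while ( off < sizeof(buf) - 1 &&
            (n = read(out[0], buf + off, sizeof(buf) - 1 - off)) > 0 ) {
        off += (size_t)n;
    }
    buf[off] = '\0';
    close(out[0]);

    waitpid(pid, NULL, 0);

unlock:
    pthread_mutex_unlock( &ext_mutex );

    if ( debug->debugexternal == 1 ) {
        /* Log the program actually run, not config->sagan_extern. */
        Sagan_Log(S_DEBUG, "[%s, line %d] Executed %s", __FILE__, __LINE__, execute_script);
    }
}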