ファイル: spo_alert_prelude.c プロジェクト: OPSF/uClinux
/*
 * Append an integer entry to the alert's Additional Data list, labelled
 * with `meaning`.
 *
 * Returns 0 on success. If the additional-data node cannot be created the
 * libprelude error code is returned untouched; if the meaning cannot be
 * created or set, the error is reported through ErrorMessage() and -1 is
 * returned.
 *
 * NOTE(review): prelude_string_set_ref() appears to store a reference to
 * `meaning` rather than a copy, so the caller's string must stay valid for
 * as long as the alert is in use (presumably until it is sent) — confirm
 * against the call sites.
 */
static int add_int_data(idmef_alert_t *alert, const char *meaning, uint32_t data)
{
        int ret;
        prelude_string_t *label;
        idmef_additional_data_t *entry;

        ret = idmef_alert_new_additional_data(alert, &entry, IDMEF_LIST_APPEND);
        if (ret < 0)
                return ret;

        idmef_additional_data_set_integer(entry, data);

        ret = idmef_additional_data_new_meaning(entry, &label);
        if (ret >= 0) {
                ret = prelude_string_set_ref(label, meaning);
                if (ret >= 0)
                        return 0;

                ErrorMessage("%s: error setting integer data meaning: %s.\n",
                             prelude_strsource(ret), prelude_strerror(ret));
                return -1;
        }

        ErrorMessage("%s: error creating additional-data meaning: %s.\n",
                     prelude_strsource(ret), prelude_strerror(ret));
        return -1;
}
ファイル: alert-prelude.c プロジェクト: 2help/suricata
/**
 * \brief Attach an integer to the alert's Additional Data list
 * (RFC 4765, section 4.2.4.6), labelled with \a meaning.
 *
 * \param alert   alert to extend
 * \param meaning label for the value; prelude_string_set_ref() appears to
 *                keep a reference rather than a copy, so it must outlive the
 *                alert until it is sent (presumably a string literal at every
 *                call site — confirm)
 * \param data    integer value to attach
 *
 * \retval 0   on success
 * \retval <0  the libprelude error code if the additional-data node could not
 *             be created; -1 (after a debug log) if the meaning could not be
 *             created or set
 */
static int AddIntData(idmef_alert_t *alert, const char *meaning, uint32_t data)
{
    int ret;
    prelude_string_t *label;
    idmef_additional_data_t *entry;

    SCEnter();

    ret = idmef_alert_new_additional_data(alert, &entry, IDMEF_LIST_APPEND);
    if (ret < 0)
        SCReturnInt(ret);

    idmef_additional_data_set_integer(entry, data);

    ret = idmef_additional_data_new_meaning(entry, &label);
    if (ret >= 0) {
        ret = prelude_string_set_ref(label, meaning);
        if (ret >= 0)
            SCReturnInt(0);

        SCLogDebug("%s: error setting integer data meaning: %s.",
                prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(-1);
    }

    SCLogDebug("%s: error creating additional-data meaning: %s.",
            prelude_strsource(ret), prelude_strerror(ret));
    SCReturnInt(-1);
}
ファイル: prelude.c プロジェクト: nixfloyd/ossec-hids
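/*
 * Initialise libprelude and bring up the global prelude_client.
 *
 * profile    - analyzer profile name; DEFAULT_ANALYZER_NAME when NULL
 * argc/argv  - handed to prelude_init(), which may consume its own options
 *
 * Every failure is reported through merror() and leaves the global
 * `prelude_client` NULL (any client object created so far is destroyed
 * first), so callers can test that global to know whether Prelude output
 * is available. Failing to set the async-timer flag is logged but is not
 * treated as fatal.
 */
void prelude_start(char *profile, int argc, char **argv)
{
    int ret;
    prelude_client = NULL;

    ret = prelude_init(&argc, argv);
    if (ret < 0) {
        merror("%s: %s: Unable to initialize the Prelude library: %s.",
               ARGV0, prelude_strsource(ret), prelude_strerror(ret));
        return;
    }

    ret = prelude_client_new(&prelude_client,
                             profile != NULL ? profile : DEFAULT_ANALYZER_NAME);
    /* Check the return code as well as the out-pointer: a failed call is not
     * guaranteed to leave prelude_client NULL. */
    if (ret < 0 || prelude_client == NULL) {
        merror("%s: %s: Unable to create a prelude client object: %s.",
               ARGV0, prelude_strsource(ret), prelude_strerror(ret));
        prelude_client = NULL;
        return;
    }

    ret = setup_analyzer(prelude_client_get_analyzer(prelude_client));
    if (ret < 0) {
        merror("%s: %s: Unable to setup analyzer: %s",
               ARGV0, prelude_strsource(ret), prelude_strerror(ret));

        prelude_client_destroy(prelude_client,
                               PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
        /* The object is gone; do not leave a dangling handle in the global. */
        prelude_client = NULL;
        return;
    }

    /* Non-fatal: carry on without the async timer if the flag cannot be set. */
    ret = prelude_client_set_flags(prelude_client,
                                   prelude_client_get_flags(prelude_client)
                                   | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER);
    if (ret < 0) {
        merror("%s: %s: Unable to set prelude client flags: %s.",
               ARGV0, prelude_strsource(ret), prelude_strerror(ret));
    }

    /* Run the client under the ossec user and group rather than the caller's. */
    prelude_client_profile_set_uid(prelude_client_get_profile(prelude_client),
                                   Privsep_GetUser(USER));
    prelude_client_profile_set_gid(prelude_client_get_profile(prelude_client),
                                   Privsep_GetGroup(GROUPGLOBAL));

    ret = prelude_client_start(prelude_client);
    if (ret < 0) {
        merror("%s: %s: Unable to initialize prelude client: %s.",
               ARGV0, prelude_strsource(ret), prelude_strerror(ret));

        prelude_client_destroy(prelude_client,
                               PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
        prelude_client = NULL;
    }
}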
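/*
 * Fill in the analyzer's model, class, manufacturer and version strings.
 *
 * Returns 0 on success, -1 after logging the libprelude error through
 * merror() otherwise. Both the *_new_* call and the following
 * prelude_string_set_constant() are checked for every field; the setter's
 * return value was previously ignored.
 */
static int
setup_analyzer(idmef_analyzer_t *analyzer)
{
    int ret;
    prelude_string_t *string;

    ret = idmef_analyzer_new_model(analyzer, &string);
    if (ret < 0)
        goto err;
    ret = prelude_string_set_constant(string, ANALYZER_MODEL);
    if (ret < 0)
        goto err;

    ret = idmef_analyzer_new_class(analyzer, &string);
    if (ret < 0)
        goto err;
    ret = prelude_string_set_constant(string, ANALYZER_CLASS);
    if (ret < 0)
        goto err;

    ret = idmef_analyzer_new_manufacturer(analyzer, &string);
    if (ret < 0)
        goto err;
    ret = prelude_string_set_constant(string, ANALYZER_MANUFACTURER);
    if (ret < 0)
        goto err;

    ret = idmef_analyzer_new_version(analyzer, &string);
    if (ret < 0)
        goto err;
    ret = prelude_string_set_constant(string, ANALYZER_VERSION);
    if (ret < 0)
        goto err;

    return 0;

err:
    merror("%s: OSSEC2Prelude: %s: IDMEF error: %s.",
           ARGV0, prelude_strsource(ret), prelude_strerror(ret));

    return -1;
}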
ファイル: alert-prelude.c プロジェクト: 2help/suricata
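/**
 * \brief Attach a byte string to the alert's Additional Data list
 * (RFC 4765, section 4.2.4.6), labelled with \a meaning.
 *
 * Both \a data and \a meaning are installed with the *_ref setters, which
 * appear to keep references rather than copies: the buffer and the label
 * must stay valid until the alert has been serialised and sent — presumably
 * guaranteed because the caller sends within the same packet-processing
 * pass; confirm.
 *
 * \param alert   alert to extend
 * \param meaning label for the data
 * \param data    bytes to attach; NULL means "nothing to add"
 * \param size    number of bytes; 0 means "nothing to add"
 *
 * \retval 0   on success, or when there is nothing to attach
 * \retval <0  the libprelude error code if the additional-data node could not
 *             be created (this used to be swallowed and reported as success,
 *             unlike AddIntData); -1 (after a debug log) if the data or its
 *             meaning could not be set
 */
static int AddByteData(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
{
    int ret;
    prelude_string_t *str;
    idmef_additional_data_t *ad;

    SCEnter();

    /* Empty payloads are skipped silently; there is nothing to report. */
    if ( ! data || ! size )
        SCReturnInt(0);

    ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_additional_data_set_byte_string_ref(ad, data, size);
    if ( ret < 0 ) {
        SCLogDebug("%s: error setting byte string data: %s.",
                prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(-1);
    }

    ret = idmef_additional_data_new_meaning(ad, &str);
    if ( ret < 0 ) {
        SCLogDebug("%s: error creating additional-data meaning: %s.",
                prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(-1);
    }

    ret = prelude_string_set_ref(str, meaning);
    if ( ret < 0 ) {
        SCLogDebug("%s: error setting byte string data meaning: %s.",
                prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(-1);
    }

    SCReturnInt(0);
}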
ファイル: spo_alert_prelude.c プロジェクト: OPSF/uClinux
/*
 * Append a byte-string entry to the alert's Additional Data list, labelled
 * with `meaning`. A NULL or empty `data` is a no-op that reports success.
 *
 * Returns 0 on success. If the additional-data node cannot be created the
 * libprelude error code is returned untouched; any later failure is reported
 * through ErrorMessage() and yields -1.
 *
 * NOTE(review): the *_ref setters appear to keep references to `data` and
 * `meaning` rather than copies, so both must remain valid until the alert
 * has been sent — confirm against the call sites.
 */
static int add_byte_data(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
{
        int ret;
        prelude_string_t *label;
        idmef_additional_data_t *entry;

        if (data == NULL || size == 0)
                return 0;

        ret = idmef_alert_new_additional_data(alert, &entry, IDMEF_LIST_APPEND);
        if (ret < 0)
                return ret;

        ret = idmef_additional_data_set_byte_string_ref(entry, data, size);
        if (ret < 0) {
                ErrorMessage("%s: error setting byte string data: %s.\n",
                             prelude_strsource(ret), prelude_strerror(ret));
                return -1;
        }

        ret = idmef_additional_data_new_meaning(entry, &label);
        if (ret >= 0) {
                ret = prelude_string_set_ref(label, meaning);
                if (ret >= 0)
                        return 0;

                ErrorMessage("%s: error setting byte string data meaning: %s.\n",
                             prelude_strsource(ret), prelude_strerror(ret));
                return -1;
        }

        ErrorMessage("%s: error creating additional-data meaning: %s.\n",
                     prelude_strsource(ret), prelude_strerror(ret));
        return -1;
}
ファイル: server.c プロジェクト: Prelude-SIEM/libprelude
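/*
 * Serve the descriptors in pfd[] until told to stop.
 *
 * Waits with poll() and hands each readable descriptor to process_event()
 * together with the server's key and certificates. With `keepalive` set the
 * loop runs until poll() fails; otherwise it ends after the first pass in
 * which process_event() succeeded (a failed event is retried on the next
 * pass, see the loop condition).
 *
 * Returns the last process_event() result, or -1 when the IO object could
 * not be created or poll() failed. The prelude_io_t is now released on the
 * poll() failure path too; it previously leaked there.
 *
 * NOTE(review): `sock` is not used in this body — the descriptors come from
 * pfd[]. Only POLLIN is consumed: if poll() reports just POLLHUP/POLLERR/
 * POLLNVAL on a descriptor nothing is processed and the loop re-polls at
 * once; worth confirming that cannot happen with the caller's descriptors.
 */
static int wait_connection(prelude_client_profile_t *cp, int sock,
                           struct pollfd *pfd, size_t size, int keepalive,
                           gnutls_x509_privkey_t key, gnutls_x509_crt_t cacrt, gnutls_x509_crt_t crt)
{
        size_t i;
        prelude_io_t *fd;
        int ret, active_fd;

        ret = prelude_io_new(&fd);
        if ( ret < 0 ) {
                fprintf(stderr, "%s: error creating a new IO object: %s.\n",
                        prelude_strsource(ret), prelude_strerror(ret));
                return -1;
        }

        do {
                active_fd = poll(pfd, size, -1);
                if ( active_fd < 0 ) {
                        /* EINTR is not reported but still ends the loop with -1
                         * (presumably a signal-driven shutdown — confirm). */
                        if ( errno != EINTR )
                                fprintf(stderr, "poll error : %s.\n", strerror(errno));
                        ret = -1;
                        break;  /* leave through the cleanup below instead of leaking fd */
                }

                for ( i = 0; i < size && active_fd > 0; i++ ) {
                        if ( pfd[i].revents & POLLIN ) {
                                active_fd--;
                                ret = process_event(cp, pfd[i].fd, fd, key, cacrt, crt);
                        }
                }

        } while ( keepalive || ret < 0 );

        prelude_io_destroy(fd);

        return ret;
}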
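/*
 * Build a "Virus Found" IDMEF alert for the given file and send it through
 * the global prelude_client.
 *
 * filename        - path of the scanned file; installed with
 *                   prelude_string_set_ref(), which appears to keep a
 *                   reference, so it must stay valid until this function
 *                   returns (the message is sent before returning)
 * virname/virhash - optional string additional data, skipped when NULL
 * virsize         - always attached as integer additional data "virsize"
 *
 * On any libprelude failure the error is logged through logg(), the
 * partially built message is destroyed and nothing is sent. All string
 * setters are now checked; the return values of prelude_string_set_constant()
 * and prelude_string_set_ref() were previously ignored.
 */
void prelude_logging(const char *filename, const char *virname, const char *virhash, int virsize)
{
    int ret;
    idmef_message_t *idmef = NULL;
    idmef_alert_t *alert;
    idmef_classification_t *class;
    prelude_string_t *str;
    idmef_target_t *target;
    idmef_file_t *file;

    ret = idmef_message_new(&idmef);
    if ( ret < 0 )
        goto err;

    ret = idmef_message_new_alert(idmef, &alert);
    if ( ret < 0 )
        goto err;

    /* Classification: fixed text for every alert emitted here. */
    ret = idmef_alert_new_classification(alert, &class);
    if ( ret < 0 )
        goto err;

    ret = idmef_classification_new_text(class, &str);
    if ( ret < 0 )
        goto err;

    ret = prelude_string_set_constant(str, "Virus Found");
    if ( ret < 0 )
        goto err;

    /* Target: one file entry carrying the scanned path. */
    ret = idmef_alert_new_target(alert, &target, 0);
    if ( ret < 0 )
        goto err;

    ret = idmef_target_new_file(target, &file, 0);
    if ( ret < 0 )
        goto err;

    ret = idmef_file_new_path(file, &str);
    if ( ret < 0 )
        goto err;

    ret = prelude_string_set_ref(str, filename);
    if ( ret < 0 )
        goto err;

    if ( virname != NULL ) {
        ret = add_string_additional_data(alert, "virname", virname);
        if ( ret < 0 )
            goto err;
    }

    if ( virhash != NULL ) {
        ret = add_string_additional_data(alert, "virhash", virhash);
        if ( ret < 0 )
            goto err;
    }

    ret = add_int_additional_data(alert, "virsize", virsize);
    if ( ret < 0 )
        goto err;

    logg("le client : %s", prelude_client_get_config_filename(prelude_client));
    prelude_client_send_idmef(prelude_client, idmef);
    idmef_message_destroy(idmef);

    return;

err:
    /* Destroying the message is expected to release the alert and everything
     * attached to it so far; nothing else needs freeing here. */
    if (idmef != NULL)
        idmef_message_destroy(idmef);

    logg("%s error: %s", prelude_strsource(ret), prelude_strerror(ret));
}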
ファイル: alert-prelude.c プロジェクト: norg/suricata
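/**
 * \brief Create the event's assessment/impact (see section 4.2.6.1 of
 * RFC 4765).
 *
 * The impact carries the severity, derived from the signature priority
 * (a lower priority number is more severe; the thresholds mid_priority,
 * low_priority and info_priority live at file scope), and the
 * classification message as description. Completion is left at its default
 * (unknown) because it cannot be determined here. When the packet carries a
 * drop/reject action, a "block installed" action is recorded as well.
 *
 * \param pa    the alert being exported (pa->s is its signature)
 * \param p     the packet that triggered it
 * \param alert IDMEF alert to extend
 *
 * \retval 0   on success
 * \retval <0  libprelude error code; the description setter is now checked
 *             too (prelude_string_set_ref() previously had its return value
 *             ignored)
 */
static int EventToImpact(const PacketAlert *pa, const Packet *p, idmef_alert_t *alert)
{
    int ret;
    prelude_string_t *str;
    idmef_impact_t *impact;
    idmef_assessment_t *assessment;
    idmef_impact_severity_t severity;

    SCEnter();

    ret = idmef_alert_new_assessment(alert, &assessment);
    if (unlikely(ret < 0)) {
        SCLogDebug("%s: error creating assessment: %s.",
                prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(ret);
    }

    ret = idmef_assessment_new_impact(assessment, &impact);
    if (unlikely(ret < 0)) {
        SCLogDebug("%s: error creating assessment impact: %s.",
                prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(ret);
    }

    /* Map the numeric priority onto the four IDMEF severity levels. */
    if ( (unsigned int)pa->s->prio < mid_priority )
        severity = IDMEF_IMPACT_SEVERITY_HIGH;

    else if ( (unsigned int)pa->s->prio < low_priority )
        severity = IDMEF_IMPACT_SEVERITY_MEDIUM;

    else if ( (unsigned int)pa->s->prio < info_priority )
        severity = IDMEF_IMPACT_SEVERITY_LOW;

    else
        severity = IDMEF_IMPACT_SEVERITY_INFO;

    idmef_impact_set_severity(impact, severity);

    if (PACKET_TEST_ACTION(p, ACTION_DROP) ||
        PACKET_TEST_ACTION(p, ACTION_REJECT) ||
        PACKET_TEST_ACTION(p, ACTION_REJECT_DST) ||
        PACKET_TEST_ACTION(p, ACTION_REJECT_BOTH) ) {
        idmef_action_t *action;

        ret = idmef_action_new(&action);
        if (unlikely(ret < 0))
            SCReturnInt(ret);

        idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED);
        idmef_assessment_set_action(assessment, action, 0);
    }

    if (pa->s->class_msg) {
        ret = idmef_impact_new_description(impact, &str);
        if (unlikely(ret < 0))
            SCReturnInt(ret);

        /* Stored by reference: class_msg belongs to the signature, which
         * outlives the alert. */
        ret = prelude_string_set_ref(str, pa->s->class_msg);
        if (unlikely(ret < 0))
            SCReturnInt(ret);
    }

    SCReturnInt(0);
}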
ファイル: alert-prelude.c プロジェクト: norg/suricata
/**
 * \brief Initialize the analyzer description: model, class, manufacturer
 * and version.
 *
 * Each field is created with the matching idmef_analyzer_new_* call and then
 * filled with prelude_string_set_constant(); every step is checked.
 *
 * \param analyzer analyzer object to describe
 *
 * \retval 0   on success
 * \retval <0  the libprelude error code of the first failing step, after a
 *             debug log naming that step (the same
 *             "<source>: error <step>: <reason>." text as before)
 */
static int SetupAnalyzer(idmef_analyzer_t *analyzer)
{
    int ret;
    prelude_string_t *field;
    const char *step;

    SCEnter();

    step = "creating analyzer model";
    ret = idmef_analyzer_new_model(analyzer, &field);
    if (unlikely(ret < 0))
        goto fail;
    step = "setting analyzer model";
    ret = prelude_string_set_constant(field, ANALYZER_MODEL);
    if (unlikely(ret < 0))
        goto fail;

    step = "creating analyzer class";
    ret = idmef_analyzer_new_class(analyzer, &field);
    if (unlikely(ret < 0))
        goto fail;
    step = "setting analyzer class";
    ret = prelude_string_set_constant(field, ANALYZER_CLASS);
    if (unlikely(ret < 0))
        goto fail;

    step = "creating analyzer manufacturer";
    ret = idmef_analyzer_new_manufacturer(analyzer, &field);
    if (unlikely(ret < 0))
        goto fail;
    step = "setting analyzer manufacturer";
    ret = prelude_string_set_constant(field, ANALYZER_MANUFACTURER);
    if (unlikely(ret < 0))
        goto fail;

    step = "creating analyzer version";
    ret = idmef_analyzer_new_version(analyzer, &field);
    if (unlikely(ret < 0))
        goto fail;
    step = "setting analyzer version";
    ret = prelude_string_set_constant(field, VERSION);
    if (unlikely(ret < 0))
        goto fail;

    SCReturnInt(0);

fail:
    SCLogDebug("%s: error %s: %s.",
            prelude_strsource(ret), step, prelude_strerror(ret));
    SCReturnInt(ret);
}