/*
 * Append an integer "additional-data" entry, together with its "meaning"
 * label, to an IDMEF alert.
 *
 * alert   - alert the entry is appended to; the entry becomes part of it.
 * meaning - label for the entry. It is installed with prelude_string_set_ref(),
 *           which (judging by the name) keeps a reference rather than a copy,
 *           so the string must stay valid while the alert is in use - confirm.
 * data    - integer value to store.
 *
 * Returns 0 on success, the libprelude error code when the entry itself
 * could not be created, and -1 when the meaning could not be created or set
 * (the latter two failures are reported through ErrorMessage()).
 */
static int add_int_data(idmef_alert_t *alert, const char *meaning, uint32_t data)
{
    idmef_additional_data_t *entry = NULL;
    prelude_string_t *label = NULL;
    int rc = idmef_alert_new_additional_data(alert, &entry, IDMEF_LIST_APPEND);

    if (rc < 0) {
        return rc;
    }

    idmef_additional_data_set_integer(entry, data);

    rc = idmef_additional_data_new_meaning(entry, &label);
    if (rc < 0) {
        ErrorMessage("%s: error creating additional-data meaning: %s.\n",
                     prelude_strsource(rc), prelude_strerror(rc));
        return -1;
    }

    rc = prelude_string_set_ref(label, meaning);
    if (rc < 0) {
        ErrorMessage("%s: error setting integer data meaning: %s.\n",
                     prelude_strsource(rc), prelude_strerror(rc));
        return -1;
    }

    return 0;
}
/**
 * \brief Add integer data, to be stored in the Additional Data
 * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
 *
 * A new additional-data entry is appended to \p alert, filled with
 * \p data, and labelled with \p meaning. The label is attached with
 * prelude_string_set_ref(); the name suggests it is referenced, not
 * copied, so \p meaning should outlive the alert - confirm against
 * libprelude.
 *
 * \param alert   alert receiving the entry
 * \param meaning label describing what the value is
 * \param data    value to store
 *
 * \return 0 if ok, the libprelude error code if the entry could not be
 *         created, -1 if the meaning could not be created or set
 */
static int AddIntData(idmef_alert_t *alert, const char *meaning, uint32_t data)
{
    idmef_additional_data_t *entry = NULL;
    prelude_string_t *label = NULL;
    int rc;

    SCEnter();

    rc = idmef_alert_new_additional_data(alert, &entry, IDMEF_LIST_APPEND);
    if (rc < 0) {
        SCReturnInt(rc);
    }

    idmef_additional_data_set_integer(entry, data);

    rc = idmef_additional_data_new_meaning(entry, &label);
    if (rc < 0) {
        SCLogDebug("%s: error creating additional-data meaning: %s.",
                   prelude_strsource(rc), prelude_strerror(rc));
        SCReturnInt(-1);
    }

    rc = prelude_string_set_ref(label, meaning);
    if (rc < 0) {
        SCLogDebug("%s: error setting integer data meaning: %s.",
                   prelude_strsource(rc), prelude_strerror(rc));
        SCReturnInt(-1);
    }

    SCReturnInt(0);
}
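/*
 * Initialise libprelude and bring up the global prelude client.
 *
 * profile   - prelude profile name; DEFAULT_ANALYZER_NAME when NULL.
 * argc/argv - command line handed to prelude_init(), which may consume
 *             libprelude options from it (argc is passed by address).
 *
 * Every failure is reported through merror(). On a fatal failure the
 * global prelude_client is left NULL - including after the client object
 * has been destroyed - so the rest of the program can treat
 * "prelude_client != NULL" as "prelude is usable" and never touches a
 * freed client. Failing to set the async-timer flag is reported but not
 * treated as fatal.
 */
void prelude_start(char *profile, int argc, char **argv)
{
    int ret;

    prelude_client = NULL;

    ret = prelude_init(&argc, argv);
    if (ret < 0) {
        merror("%s: %s: Unable to initialize the Prelude library: %s.", ARGV0, prelude_strsource(ret), prelude_strerror(ret));
        return;
    }

    ret = prelude_client_new(&prelude_client, profile != NULL ? profile : DEFAULT_ANALYZER_NAME);
    /* Check the return code as well as the pointer: a negative code is the
     * documented failure signal, the pointer test alone relies on the
     * library resetting it. */
    if (ret < 0 || prelude_client == NULL) {
        merror("%s: %s: Unable to create a prelude client object: %s.", ARGV0, prelude_strsource(ret), prelude_strerror(ret));
        prelude_client = NULL;
        return;
    }

    ret = setup_analyzer(prelude_client_get_analyzer(prelude_client));
    if (ret < 0) {
        merror("%s: %s: Unable to setup analyzer: %s", ARGV0, prelude_strsource(ret), prelude_strerror(ret));
        prelude_client_destroy(prelude_client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
        /* The object is gone; a stale global would be a use-after-free
         * waiting for the next alert. */
        prelude_client = NULL;
        return;
    }

    ret = prelude_client_set_flags(prelude_client, prelude_client_get_flags(prelude_client) | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER);
    if (ret < 0) {
        /* Best effort: the client still works without the async timer. */
        merror("%s: %s: Unable to set prelude client flags: %s.", ARGV0, prelude_strsource(ret), prelude_strerror(ret));
    }

    /* Set uid and gid of ossec */
    prelude_client_profile_set_uid(prelude_client_get_profile(prelude_client), Privsep_GetUser(USER));
    prelude_client_profile_set_gid(prelude_client_get_profile(prelude_client), Privsep_GetGroup(GROUPGLOBAL));

    ret = prelude_client_start(prelude_client);
    if (ret < 0) {
        merror("%s: %s: Unable to initialize prelude client: %s.", ARGV0, prelude_strsource(ret), prelude_strerror(ret));
        prelude_client_destroy(prelude_client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
        prelude_client = NULL;
        return;
    }
}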
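/*
 * Fill in the model, class, manufacturer and version of the IDMEF analyzer
 * object from the ANALYZER_* constants.
 *
 * analyzer - analyzer object obtained from the prelude client.
 *
 * Returns 0 on success, -1 after reporting the first failing IDMEF call
 * through merror(). Both the creation of each string and the assignment of
 * the constant are checked; prelude_string_set_constant() returns a
 * libprelude error code like the other calls, and ignoring it would leave an
 * analyzer field empty without any diagnostic.
 */
static int setup_analyzer(idmef_analyzer_t *analyzer)
{
    int ret;
    prelude_string_t *string;

    ret = idmef_analyzer_new_model(analyzer, &string);
    if (ret < 0) goto err;
    ret = prelude_string_set_constant(string, ANALYZER_MODEL);
    if (ret < 0) goto err;

    ret = idmef_analyzer_new_class(analyzer, &string);
    if (ret < 0) goto err;
    ret = prelude_string_set_constant(string, ANALYZER_CLASS);
    if (ret < 0) goto err;

    ret = idmef_analyzer_new_manufacturer(analyzer, &string);
    if (ret < 0) goto err;
    ret = prelude_string_set_constant(string, ANALYZER_MANUFACTURER);
    if (ret < 0) goto err;

    ret = idmef_analyzer_new_version(analyzer, &string);
    if (ret < 0) goto err;
    ret = prelude_string_set_constant(string, ANALYZER_VERSION);
    if (ret < 0) goto err;

    return 0;

err:
    merror("%s: OSSEC2Prelude: %s: IDMEF error: %s.", ARGV0, prelude_strsource(ret), prelude_strerror(ret));
    return -1;
}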
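/**
 * \brief Add binary data, to be stored in the Additional Data
 * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
 *
 * The bytes are attached with idmef_additional_data_set_byte_string_ref();
 * the "_ref" suffix suggests the buffer is referenced rather than copied,
 * so \p data presumably has to stay valid until the alert has been sent -
 * confirm against libprelude. An empty buffer (NULL pointer or zero size)
 * is a no-op and counts as success.
 *
 * \param alert   alert receiving the entry
 * \param meaning label describing the bytes (also set by reference)
 * \param data    bytes to attach, may be NULL
 * \param size    number of bytes in \p data
 *
 * \return 0 if ok (or nothing to add), the libprelude error code if the
 *         entry could not be created, -1 if filling it in failed
 */
static int AddByteData(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
{
    int ret;
    prelude_string_t *str;
    idmef_additional_data_t *ad;

    SCEnter();

    if (!data || !size)
        SCReturnInt(0);

    ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
    if (ret < 0) {
        /* Report and propagate the failure: returning 0 here would make the
         * caller believe the bytes were attached. This matches the contract
         * of AddIntData(). */
        SCLogDebug("%s: error creating additional-data: %s.", prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(ret);
    }

    ret = idmef_additional_data_set_byte_string_ref(ad, data, size);
    if (ret < 0) {
        SCLogDebug("%s: error setting byte string data: %s.", prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(-1);
    }

    ret = idmef_additional_data_new_meaning(ad, &str);
    if (ret < 0) {
        SCLogDebug("%s: error creating additional-data meaning: %s.", prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(-1);
    }

    ret = prelude_string_set_ref(str, meaning);
    if (ret < 0) {
        SCLogDebug("%s: error setting byte string data meaning: %s.", prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(-1);
    }

    SCReturnInt(0);
}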
/*
 * Append a byte-string "additional-data" entry, labelled with `meaning`,
 * to an IDMEF alert. Nothing is added (and 0 is returned) for a NULL or
 * empty buffer.
 *
 * alert   - alert the entry is appended to.
 * meaning - label for the entry, set with prelude_string_set_ref().
 * data    - bytes to attach, set with idmef_additional_data_set_byte_string_ref().
 *           Both "_ref" calls appear to keep a reference instead of a copy,
 *           so the buffer and the label would need to outlive the alert -
 *           confirm against libprelude.
 * size    - number of bytes in `data`.
 *
 * Returns 0 on success, the libprelude error code when the entry could not
 * be created, and -1 (after an ErrorMessage()) when the bytes or the
 * meaning could not be installed.
 */
static int add_byte_data(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
{
    idmef_additional_data_t *entry = NULL;
    prelude_string_t *label = NULL;
    int rc;

    if (data == NULL || size == 0) {
        return 0;
    }

    rc = idmef_alert_new_additional_data(alert, &entry, IDMEF_LIST_APPEND);
    if (rc < 0) {
        return rc;
    }

    rc = idmef_additional_data_set_byte_string_ref(entry, data, size);
    if (rc < 0) {
        ErrorMessage("%s: error setting byte string data: %s.\n",
                     prelude_strsource(rc), prelude_strerror(rc));
        return -1;
    }

    rc = idmef_additional_data_new_meaning(entry, &label);
    if (rc < 0) {
        ErrorMessage("%s: error creating additional-data meaning: %s.\n",
                     prelude_strsource(rc), prelude_strerror(rc));
        return -1;
    }

    rc = prelude_string_set_ref(label, meaning);
    if (rc < 0) {
        ErrorMessage("%s: error setting byte string data meaning: %s.\n",
                     prelude_strsource(rc), prelude_strerror(rc));
        return -1;
    }

    return 0;
}
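/*
 * Block on the descriptors in pfd[] and hand every readable one to
 * process_event().
 *
 * cp            - client profile forwarded to process_event().
 * sock          - not used by this function (kept for the caller's sake).
 * pfd, size     - descriptors to poll and how many there are.
 * keepalive     - non-zero: keep serving indefinitely; zero: stop after the
 *                 first round in which process_event() did not fail.
 * key, cacrt, crt - TLS credentials forwarded to process_event().
 *
 * Returns the last process_event() result, or -1 when the IO object could
 * not be created or poll() failed. A poll() interrupted by a signal (EINTR)
 * is also a failure, it is only not printed. The IO object is released on
 * every path, including the poll() failure one.
 *
 * NOTE(review): only POLLIN is consumed. A descriptor reporting just
 * POLLERR/POLLHUP/POLLNVAL is never handed to process_event(), and with
 * keepalive set poll() would return immediately again for it - confirm
 * whether callers can end up in that state.
 */
static int wait_connection(prelude_client_profile_t *cp, int sock, struct pollfd *pfd, size_t size,
                           int keepalive, gnutls_x509_privkey_t key, gnutls_x509_crt_t cacrt, gnutls_x509_crt_t crt)
{
    size_t i;
    prelude_io_t *fd;
    int ret, active_fd;

    ret = prelude_io_new(&fd);
    if (ret < 0) {
        fprintf(stderr, "%s: error creating a new IO object: %s.\n", prelude_strsource(ret), prelude_strerror(ret));
        return -1;
    }

    do {
        active_fd = poll(pfd, size, -1);
        if (active_fd < 0) {
            if (errno != EINTR)
                fprintf(stderr, "poll error : %s.\n", strerror(errno));
            /* Leave through the common exit so the IO object is not leaked. */
            ret = -1;
            goto out;
        }

        /* Stop scanning once every ready descriptor has been served. */
        for (i = 0; i < size && active_fd > 0; i++) {
            if (pfd[i].revents & POLLIN) {
                active_fd--;
                ret = process_event(cp, pfd[i].fd, fd, key, cacrt, crt);
            }
        }
    } while (keepalive || ret < 0);

out:
    prelude_io_destroy(fd);
    return ret;
}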
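/*
 * Build and send a "Virus Found" IDMEF alert for a detected file.
 *
 * filename - path of the infected file, attached as the target file path
 *            by reference (prelude_string_set_ref): keep it alive until the
 *            message has been sent.
 * virname  - detection name, added as additional data when not NULL.
 * virhash  - file hash, added as additional data when not NULL.
 * virsize  - file size, always added as integer additional data.
 *
 * Uses the global prelude_client; nothing is sent when it has not been
 * initialised. Any libprelude failure is logged through logg() and the
 * partially built message is destroyed. Nothing is returned, so callers
 * cannot tell whether the alert went out.
 */
void prelude_logging(const char *filename, const char *virname, const char *virhash, int virsize)
{
    int ret;
    idmef_message_t *idmef = NULL;
    idmef_alert_t *alert;
    idmef_classification_t *class;
    prelude_string_t *str;
    idmef_target_t *target;
    idmef_file_t *file;

    /* A NULL client would be dereferenced by the calls below; treat it as
     * "prelude not available" rather than crashing the scanner. */
    if (prelude_client == NULL) {
        logg("prelude_logging: prelude client not initialised, alert not sent");
        return;
    }

    ret = idmef_message_new(&idmef);
    if (ret < 0) goto err;

    ret = idmef_message_new_alert(idmef, &alert);
    if (ret < 0) goto err;

    ret = idmef_alert_new_classification(alert, &class);
    if (ret < 0) goto err;

    ret = idmef_classification_new_text(class, &str);
    if (ret < 0) goto err;
    prelude_string_set_constant(str, "Virus Found");

    ret = idmef_alert_new_target(alert, &target, 0);
    if (ret < 0) goto err;

    ret = idmef_target_new_file(target, &file, 0);
    if (ret < 0) goto err;

    ret = idmef_file_new_path(file, &str);
    if (ret < 0) goto err;

    /* set_ref can fail like the other calls; an alert without its file
     * path is not worth sending, so the error is handled, not ignored. */
    ret = prelude_string_set_ref(str, filename);
    if (ret < 0) goto err;

    if (virname != NULL) {
        ret = add_string_additional_data(alert, "virname", virname);
        if (ret < 0) goto err;
    }

    if (virhash != NULL) {
        ret = add_string_additional_data(alert, "virhash", virhash);
        if (ret < 0) goto err;
    }

    ret = add_int_additional_data(alert, "virsize", virsize);
    if (ret < 0) goto err;

    /* Debug trace of which prelude profile the alert goes out through. */
    logg("le client : %s", prelude_client_get_config_filename(prelude_client));
    prelude_client_send_idmef(prelude_client, idmef);
    idmef_message_destroy(idmef);
    return;

err:
    if (idmef != NULL)
        idmef_message_destroy(idmef);
    logg("%s error: %s", prelude_strsource(ret), prelude_strerror(ret));
}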
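/**
 * \brief Create event impact description (see section
 * 4.2.6.1 of RFC 4765).
 * The impact contains the severity, completion (succeeded or failed)
 * and basic classification of the attack type.
 * Here, we don't set the completion since we don't know it (default
 * is unknown).
 *
 * Severity is derived from the signature priority using the file-level
 * thresholds mid_priority, low_priority and info_priority: a priority
 * below mid_priority is HIGH, below low_priority MEDIUM, below
 * info_priority LOW, anything else INFO (so a lower number is more
 * severe). When the packet carries a drop/reject verdict, a
 * "block-installed" IDMEF action is recorded on the assessment. The
 * signature's class message, when present, becomes the impact
 * description.
 *
 * \param pa    packet alert; pa->s supplies the priority and class message
 * \param p     packet, queried for its verdict action flags
 * \param alert IDMEF alert the assessment is attached to
 *
 * \return 0 if ok, the (negative) libprelude error code otherwise. Objects
 *         already attached to \p alert are left there for the caller to
 *         discard with the alert - confirm that is the convention used.
 */
static int EventToImpact(const PacketAlert *pa, const Packet *p, idmef_alert_t *alert)
{
    int ret;
    prelude_string_t *str;
    idmef_impact_t *impact;
    idmef_assessment_t *assessment;
    idmef_impact_severity_t severity;
    unsigned int prio;

    SCEnter();

    ret = idmef_alert_new_assessment(alert, &assessment);
    if (unlikely(ret < 0)) {
        SCLogDebug("%s: error creating assessment: %s.", prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(ret);
    }

    ret = idmef_assessment_new_impact(assessment, &impact);
    if (unlikely(ret < 0)) {
        SCLogDebug("%s: error creating assessment impact: %s.", prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(ret);
    }

    /* The thresholds are compared as unsigned values. */
    prio = (unsigned int)pa->s->prio;
    if (prio < mid_priority)
        severity = IDMEF_IMPACT_SEVERITY_HIGH;
    else if (prio < low_priority)
        severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
    else if (prio < info_priority)
        severity = IDMEF_IMPACT_SEVERITY_LOW;
    else
        severity = IDMEF_IMPACT_SEVERITY_INFO;
    idmef_impact_set_severity(impact, severity);

    if (PACKET_TEST_ACTION(p, ACTION_DROP) || PACKET_TEST_ACTION(p, ACTION_REJECT) ||
        PACKET_TEST_ACTION(p, ACTION_REJECT_DST) || PACKET_TEST_ACTION(p, ACTION_REJECT_BOTH)) {
        idmef_action_t *action;

        ret = idmef_action_new(&action);
        if (unlikely(ret < 0))
            SCReturnInt(ret);

        idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED);
        /* Presumably hands the action over to the assessment (position 0) -
         * confirm ownership against libprelude. */
        idmef_assessment_set_action(assessment, action, 0);
    }

    if (pa->s->class_msg) {
        ret = idmef_impact_new_description(impact, &str);
        if (unlikely(ret < 0))
            SCReturnInt(ret);

        /* prelude_string_set_ref() returns a libprelude error code like
         * the calls above; a description that could not be attached is an
         * error for the caller, not something to drop silently. The "_ref"
         * name suggests the class message is referenced, not copied -
         * assumed to outlive the alert, confirm. */
        ret = prelude_string_set_ref(str, pa->s->class_msg);
        if (unlikely(ret < 0))
            SCReturnInt(ret);
    }

    SCReturnInt(0);
}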
/**
 * \brief Initialize analyzer description
 *
 * Fills in the model, class, manufacturer and version strings of the
 * IDMEF analyzer object. Each field is created on the analyzer and then
 * pointed at its constant (ANALYZER_MODEL, ANALYZER_CLASS,
 * ANALYZER_MANUFACTURER, VERSION). The first failing step is logged and
 * its libprelude error code returned; later fields are then left unset.
 *
 * \param analyzer IDMEF analyzer object to describe
 *
 * \return 0 if ok, the (negative) libprelude error code otherwise
 */
static int SetupAnalyzer(idmef_analyzer_t *analyzer)
{
    int rc;
    prelude_string_t *field = NULL;

    SCEnter();

/* Log the failing step with libprelude's description of rc and bail out.
 * Local to this function; undefined again below. */
#define ANALYZER_STEP_FAILED(msg)                                      \
    do {                                                               \
        SCLogDebug(msg, prelude_strsource(rc), prelude_strerror(rc));  \
        SCReturnInt(rc);                                               \
    } while (0)

    rc = idmef_analyzer_new_model(analyzer, &field);
    if (unlikely(rc < 0))
        ANALYZER_STEP_FAILED("%s: error creating analyzer model: %s.");
    rc = prelude_string_set_constant(field, ANALYZER_MODEL);
    if (unlikely(rc < 0))
        ANALYZER_STEP_FAILED("%s: error setting analyzer model: %s.");

    rc = idmef_analyzer_new_class(analyzer, &field);
    if (unlikely(rc < 0))
        ANALYZER_STEP_FAILED("%s: error creating analyzer class: %s.");
    rc = prelude_string_set_constant(field, ANALYZER_CLASS);
    if (unlikely(rc < 0))
        ANALYZER_STEP_FAILED("%s: error setting analyzer class: %s.");

    rc = idmef_analyzer_new_manufacturer(analyzer, &field);
    if (unlikely(rc < 0))
        ANALYZER_STEP_FAILED("%s: error creating analyzer manufacturer: %s.");
    rc = prelude_string_set_constant(field, ANALYZER_MANUFACTURER);
    if (unlikely(rc < 0))
        ANALYZER_STEP_FAILED("%s: error setting analyzer manufacturer: %s.");

    rc = idmef_analyzer_new_version(analyzer, &field);
    if (unlikely(rc < 0))
        ANALYZER_STEP_FAILED("%s: error creating analyzer version: %s.");
    rc = prelude_string_set_constant(field, VERSION);
    if (unlikely(rc < 0))
        ANALYZER_STEP_FAILED("%s: error setting analyzer version: %s.");

#undef ANALYZER_STEP_FAILED

    SCReturnInt(0);
}