Пример #1
/*
 * Register a decoder name in the global decoder store.
 *
 * The store (os_decoder_store) is created lazily on first use.  The name
 * pointer itself is handed to OSStore_Put, so the caller must keep it
 * valid for as long as the store lives.
 *
 * Returns 1 on success, 0 if the store could not be created or the
 * name could not be added (an error is logged through merror in both
 * cases).
 */
static int addDecoder2list(const char *name)
{
    /* Lazily create the global store; a failed creation leaves it NULL. */
    if (os_decoder_store == NULL) {
        os_decoder_store = OSStore_Create();
    }
    if (os_decoder_store == NULL) {
        merror(LIST_ERROR, ARGV0);
        return (0);
    }

    /* Only the key is stored; no payload is attached to it. */
    int stored = OSStore_Put(os_decoder_store, name, NULL);
    if (stored) {
        return (1);
    }

    merror(LIST_ADD_ERROR, ARGV0);
    return (0);
}
Пример #2
/*
 * Read alerts, apply the report filter and print a summary report.
 *
 * Alerts are read either from r_filter->filename (daily reports with a
 * file name set) or from stdin.  Every alert that passes
 * _os_report_check_filters is kept in data_to_clean until the report has
 * been printed, because the "top" stores and first_alert/last_alert hold
 * pointers into those alert_data records; the records are released at the
 * very end.  Output goes through l_print_out; progress and the zero-alert
 * case are logged through verbose/merror.
 *
 * r_filter: report configuration (input file, filters, which "top" and
 *           "related" tables to print, whether to dump the raw alerts).
 *           Its top_* members are (re)assigned here.
 *
 * Returns nothing; on an unopenable input file the function logs an error
 * and returns without producing a report.
 */
void os_ReportdStart(report_filter *r_filter)
{
    int alerts_processed = 0;      /* every alert read from the queue */
    int alerts_filtered = 0;       /* alerts that passed the filters */
    char *first_alert = NULL;      /* date of the first retained alert (points into alert_data) */
    char *last_alert = NULL;       /* date of the last retained alert (points into alert_data) */
    void **data_to_clean = NULL;   /* NULL-terminated array of retained alert_data */


    time_t tm;
    struct tm *p;


    file_queue *fileq;
    alert_data *al_data;


    /* Getting current time before starting */
    tm = time(NULL);
    /* NOTE(review): localtime() returns a pointer to static storage; p is
     * reused below (Init_FileQueue, Read_FileMon) and would be silently
     * overwritten by any later localtime()/gmtime() call — confirm the
     * queue helpers do not call them, or copy the struct here. */
    p = localtime(&tm);




    /* Initating file queue - to read the alerts */
    os_calloc(1, sizeof(file_queue), fileq);

    if(r_filter->report_type == REPORT_TYPE_DAILY && r_filter->filename)
    {
        fileq->fp = fopen(r_filter->filename, "r");
        if(!fileq->fp)
        {
            merror("%s: ERROR: Unable to open alerts file to generate report.", __local_name);
            /* NOTE(review): fileq (just allocated above) is not released on
             * this early return; presumably a one-shot leak, but a free()
             * before returning would be cheap. */
            return;
        }
        /* Redirect report output when the filter carries its own stream. */
        if(r_filter->fp)
        {
            __g_rtype = r_filter->fp;
        }
    }
    else
    {
        fileq->fp = stdin;
    }


    /* Creating top hashes. */
    /* NOTE(review): none of these OSStore_Create() results is checked.
     * The print section below guards each store with a NULL test, but
     * OSStore_Sort and _os_report_add_tostore are called unconditionally
     * on them — confirm those helpers tolerate a NULL store. */
    r_filter->top_user = OSStore_Create();
    r_filter->top_srcip = OSStore_Create();
    r_filter->top_level = OSStore_Create();
    r_filter->top_rule = OSStore_Create();
    r_filter->top_group = OSStore_Create();
    r_filter->top_location = OSStore_Create();
    r_filter->top_files = OSStore_Create();

    /* Read the whole file from the start; fp was set above, not by the queue. */
    Init_FileQueue(fileq, p, CRALERT_READ_ALL|CRALERT_FP_SET);



    /* Reading the alerts. */
    while(1)
    {
        /* Get message if available */
        al_data = Read_FileMon(fileq, p, 1);
        if(!al_data)
        {
            break;
        }

        alerts_processed++;


        /* Checking the filters. */
        if(!_os_report_check_filters(al_data, r_filter))
        {
            FreeAlertData(al_data);
            continue;
        }


        alerts_filtered++;
        /* Retain the alert: the top stores keep pointers into it. */
        data_to_clean = os_AddPtArray(al_data, data_to_clean);


        /* Setting first and last alert for summary. */
        if(!first_alert)
            first_alert = al_data->date;
        last_alert = al_data->date;


        /* Adding source ip if it is set properly. */
        if(al_data->srcip != NULL && strcmp(al_data->srcip, "(none)") != 0)
            _os_report_add_tostore(al_data->srcip, r_filter->top_srcip, al_data);


        /* Adding user if it is set properly. */
        if(al_data->user != NULL && strcmp(al_data->user, "(none)") != 0)
            _os_report_add_tostore(al_data->user, r_filter->top_user, al_data);


        /* Adding level and severity. */
        {
            char mlevel[16];
            char mrule[76 +1];
            /* Redundant: snprintf with size 76 already terminates within
             * mrule[0..75]; kept for clarity of the buffer's bound. */
            mrule[76] = '\0';
            snprintf(mlevel, 16, "Severity %d" , al_data->level);
            snprintf(mrule, 76, "%d - %s" , al_data->rule, al_data->comment);

            /* The stack buffers are duplicated because the store keeps the
             * key pointer.  NOTE(review): these heap strings are never freed
             * here — presumably released with the store, verify. */
            _os_report_add_tostore(strdup(mlevel), r_filter->top_level,
                                   al_data);
            _os_report_add_tostore(strdup(mrule), r_filter->top_rule,
                                   al_data);
        }

        /* Dealing with the group. */
        /* NOTE(review): al_data->group is dereferenced in both branches
         * without a NULL check (unlike srcip/user/filename) — confirm the
         * parser always sets it. */
        {
            char *tmp_str;
            char **mgroup;

            /* Split a comma-separated group list into at most 32 entries;
             * each entry is added to the group store with leading spaces
             * stripped and empty entries skipped. */
            mgroup = OS_StrBreak(',', al_data->group, 32);
            if(mgroup)
            {
                /* NOTE(review): mgroup is advanced in place, so the array's
                 * base pointer is lost and never released; if OS_StrBreak
                 * returns a heap array, walk it with an index (or keep the
                 * base) and free the array after the loop.  The element
                 * strings must stay alive: the store holds them. */
                while(*mgroup)
                {
                    tmp_str = *mgroup;
                    while(*tmp_str == ' ')
                        tmp_str++;
                    if(*tmp_str == '\0')
                    {
                        mgroup++;
                        continue;
                    }

                    _os_report_add_tostore(tmp_str, r_filter->top_group,
                                           al_data);
                    mgroup++;
                }
            }
            else
            {
                /* No comma found: use the whole group string as one key. */
                tmp_str = al_data->group;
                while(*tmp_str == ' ')
                    tmp_str++;
                if(*tmp_str != '\0')
                {
                    _os_report_add_tostore(tmp_str, r_filter->top_group,
                                           al_data);
                }
            }
        }


        /* Adding to the location top filter. */
        /* NOTE(review): location is passed unguarded while filename below
         * is NULL-checked — confirm location is always set. */
        _os_report_add_tostore(al_data->location, r_filter->top_location,
                               al_data);


        if(al_data->filename != NULL)
        {
            _os_report_add_tostore(al_data->filename, r_filter->top_files,
                                   al_data);
        }
    }

    /* No report available */
    /* Nothing was retained, so there is nothing to print or free. */
    if(alerts_filtered == 0)
    {
        /* These are informational messages routed through merror (the
         * "INFO:" prefix is in the text); verbose() is used for the
         * equivalent success messages below. */
        if(!r_filter->report_name)
            merror("%s: INFO: Report completed and zero alerts post-filter.", __local_name);
        else
            merror("%s: INFO: Report '%s' completed and zero alerts post-filter.", __local_name, r_filter->report_name);
        return;
    }


    if(r_filter->report_name)
        verbose("%s: INFO: Report '%s' completed. Creating output...", __local_name, r_filter->report_name);
    else
        verbose("%s: INFO: Report completed. Creating output...", __local_name);


    /* Summary header. */
    l_print_out(" ");
    if(r_filter->report_name)
        l_print_out("Report '%s' completed.", r_filter->report_name);
    else
        l_print_out("Report completed. ==");
    l_print_out("------------------------------------------------");

    l_print_out("->Processed alerts: %d", alerts_processed);
    l_print_out("->Post-filtering alerts: %d", alerts_filtered);
    l_print_out("->First alert: %s", first_alert);
    l_print_out("->Last alert: %s", last_alert);
    l_print_out(" ");
    l_print_out(" ");

    /* Order every store before printing; comparator defined elsewhere. */
    OSStore_Sort(r_filter->top_srcip, _os_report_sort_compare);
    OSStore_Sort(r_filter->top_user,  _os_report_sort_compare);
    OSStore_Sort(r_filter->top_level, _os_report_sort_compare);
    OSStore_Sort(r_filter->top_group, _os_report_sort_compare);
    OSStore_Sort(r_filter->top_location, _os_report_sort_compare);
    OSStore_Sort(r_filter->top_rule, _os_report_sort_compare);
    OSStore_Sort(r_filter->top_files, _os_report_sort_compare);

    /* Top-N tables, one per store; the trailing 0 selects the plain view. */
    if(r_filter->top_srcip)
        os_report_printtop(r_filter->top_srcip, "Source ip", 0);

    if(r_filter->top_user)
        os_report_printtop(r_filter->top_user, "Username", 0);

    if(r_filter->top_level)
        os_report_printtop(r_filter->top_level, "Level", 0);

    if(r_filter->top_group)
        os_report_printtop(r_filter->top_group, "Group", 0);

    if(r_filter->top_location)
        os_report_printtop(r_filter->top_location, "Location", 0);

    if(r_filter->top_rule)
        os_report_printtop(r_filter->top_rule, "Rule", 0);

    if(r_filter->top_files)
        os_report_printtop(r_filter->top_files, "Filenames", 0);


    /* Print related events. */
    /* Same stores, but the related_* flag from the filter is passed as the
     * third argument; note these calls are not NULL-guarded on the store. */
    if(r_filter->related_srcip)
        os_report_printtop(r_filter->top_srcip, "Source ip",
                           r_filter->related_srcip);

    if(r_filter->related_user)
        os_report_printtop(r_filter->top_user, "Username",
                           r_filter->related_user);

    if(r_filter->related_level)
        os_report_printtop(r_filter->top_level, "Level",
                           r_filter->related_level);

    if(r_filter->related_group)
        os_report_printtop(r_filter->top_group, "Group",
                           r_filter->related_group);

    if(r_filter->related_location)
        os_report_printtop(r_filter->top_location, "Location",
                           r_filter->related_location);

    if(r_filter->related_rule)
        os_report_printtop(r_filter->top_rule, "Rule",
                           r_filter->related_rule);

    if(r_filter->related_file)
        os_report_printtop(r_filter->top_files, "Filename",
                           r_filter->related_file);


    /* If we have to dump the alerts. */
    /* Walk the retained alerts once: optionally print each, then free it.
     * This must come last, since the stores above point into these records. */
    if(data_to_clean)
    {
        int i = 0;

        if(r_filter->show_alerts)
        {
            l_print_out("Log dump:");
            l_print_out("------------------------------------------------");
        }
        while(data_to_clean[i])
        {
            alert_data *md = data_to_clean[i];
            if(r_filter->show_alerts)
                l_print_out("%s %s\nRule: %d (level %d) -> '%s'\n%s\n\n", md->date, md->location, md->rule, md->level, md->comment, md->log[0]);
            FreeAlertData(md);
            i++;
        }
        free(data_to_clean);
        data_to_clean = NULL;
    }
    /* NOTE(review): fileq (and its fp when it was fopen'd) is not released
     * or closed on this path either — fine if the process exits after the
     * report, otherwise worth an fclose/free here. */
}