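/*
 * Field-parse callback for the destination IP of a decoded event.
 *
 * Stores `field` in lf->dstip without copying (the event keeps pointing
 * at the caller's buffer for the rest of its life) and, when GeoIP
 * support is compiled in, resolves the location once so the alert
 * writer can print it later.
 *
 * Returns NULL on every build. The version on the page returned only
 * inside the LIBGEOIP_ENABLED block, so non-GeoIP builds fell off the
 * end of a non-void function (undefined behaviour as soon as a caller
 * reads the result); the return is now unconditional.
 */
void *DstIP_FP(Eventinfo *lf, char *field)
{
#ifdef TESTRULE
    /* Rule-testing harness: echo the parsed field unless running quietly. */
    if (!alert_only) {
        print_out(" dstip: '%s'", field);
    }
#endif

    lf->dstip = field;

#ifdef LIBGEOIP_ENABLED
    /* Resolve at most once per event; a value set by an earlier pass wins. */
    if (!lf->dstgeoip) {
        lf->dstgeoip = GetGeoInfobyIP(lf->dstip);
    }
#endif

    return (NULL);
}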
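/*
 * Print one alert to stdout in the classic OSSEC text layout.
 *
 * Emits the "** Alert" header, the rule/level/description line, the
 * optional source/destination IP, location, port and user fields, the
 * event text, then any syscheck (FIM) details, decoded dynamic fields
 * and the rule's buffered "last events". Everything goes through printf
 * verbatim: nothing here escapes newlines or control characters that may
 * sit in lf->full_log, field values or last_events, so a consumer that
 * parses this output must not assume untrusted text stays on one line.
 *
 * Fix relative to the version on the page: the dstuser label/value pair
 * had collapsed into one malformed conditional ("\nUser: "******""),
 * leaving the header format's 29 conversions one argument short. The
 * pair is restored so every conversion has exactly one argument.
 *
 * lf must be a fully decoded event with lf->generated_rule set; both are
 * dereferenced without checks, as in the original.
 */
void OS_LogOutput(Eventinfo *lf)
{
#ifdef LIBGEOIP_ENABLED
    /* Lazily resolve GeoIP locations for whichever addresses were decoded.
     * Only attempted when a database is configured; a field parser may
     * already have filled these in, hence the !...geoip guards. */
    if (Config.geoipdb_file) {
        if (lf->srcip && !lf->srcgeoip) {
            lf->srcgeoip = GetGeoInfobyIP(lf->srcip);
        }
        if (lf->dstip && !lf->dstgeoip) {
            lf->dstgeoip = GetGeoInfobyIP(lf->dstip);
        }
    }
#endif

    /* Header block. The argument list must track the conversions exactly:
     * %ld %ld %s %s, then %d %s %02d %s %s %s %s %d %d %s, then fourteen
     * %s label/value pairs and the %.1256s event text (29 in total).
     * Optional fields pass "" for both label and value when absent so the
     * format string itself never changes shape. */
    printf(
        "** Alert %ld.%ld:%s - %s\n"
        "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
        "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",
        (long int)lf->time,
        __crt_ftell, /* alert-file offset used as the alert id; defined elsewhere in the project */
        lf->generated_rule->alert_opts & DO_MAILALERT ? " mail " : "",
        lf->generated_rule->group,
        lf->year, lf->mon, lf->day, lf->hour,
        /* "host->location" only when the two are distinct pointers: this is
         * pointer identity, not strcmp, so it relies on the decoder aliasing
         * hostname to location when they are the same -- confirm upstream. */
        lf->hostname != lf->location ? lf->hostname : "",
        lf->hostname != lf->location ? "->" : "",
        lf->location,
        lf->generated_rule->sigid,
        lf->generated_rule->level,
        lf->comment,
        lf->srcip == NULL ? "" : "\nSrc IP: ",
        lf->srcip == NULL ? "" : lf->srcip,
#ifdef LIBGEOIP_ENABLED
        lf->srcgeoip == NULL ? "" : "\nSrc Location: ",
        lf->srcgeoip == NULL ? "" : lf->srcgeoip,
#else
        "", "", /* keep the argument count stable without GeoIP */
#endif
        lf->srcport == NULL ? "" : "\nSrc Port: ",
        lf->srcport == NULL ? "" : lf->srcport,
        lf->dstip == NULL ? "" : "\nDst IP: ",
        lf->dstip == NULL ? "" : lf->dstip,
#ifdef LIBGEOIP_ENABLED
        lf->dstgeoip == NULL ? "" : "\nDst Location: ",
        lf->dstgeoip == NULL ? "" : lf->dstgeoip,
#else
        "", "",
#endif
        lf->dstport == NULL ? "" : "\nDst Port: ",
        lf->dstport == NULL ? "" : lf->dstport,
        lf->dstuser == NULL ? "" : "\nUser: ",
        lf->dstuser == NULL ? "" : lf->dstuser,
        lf->full_log);

    /* FIM events: syscheck attaches before/after attributes to the event;
     * each is printed only when the decoder filled it in. */
    if (lf->filename) {
        printf("File: %s\n", lf->filename);
        if (lf->size_before) {
            printf("Old size: %s\n", lf->size_before);
        }
        if (lf->size_after) {
            printf("New size: %s\n", lf->size_after);
        }
        /* %6o and, below, %ld assume integer perm/inode fields of the
         * matching width -- the Eventinfo layout is not visible here, verify. */
        if (lf->perm_before) {
            printf("Old permissions: %6o\n", lf->perm_before);
        }
        if (lf->perm_after) {
            printf("New permissions: %6o\n", lf->perm_after);
        }
        if (lf->owner_before) {
            if (lf->uname_before) {
                printf("Old user: %s (%s)\n", lf->uname_before, lf->owner_before);
            } else {
                printf("Old user: %s\n", lf->owner_before);
            }
        }
        if (lf->owner_after) {
            if (lf->uname_after) {
                printf("New user: %s (%s)\n", lf->uname_after, lf->owner_after);
            } else {
                printf("New user: %s\n", lf->owner_after);
            }
        }
        if (lf->gowner_before) {
            if (lf->gname_before) {
                printf("Old group: %s (%s)\n", lf->gname_before, lf->gowner_before);
            } else {
                printf("Old group: %s\n", lf->gowner_before);
            }
        }
        if (lf->gowner_after) {
            if (lf->gname_after) {
                printf("New group: %s (%s)\n", lf->gname_after, lf->gowner_after);
            } else {
                printf("New group: %s\n", lf->gowner_after);
            }
        }
        if (lf->md5_before) {
            printf("Old MD5: %s\n", lf->md5_before);
        }
        if (lf->md5_after) {
            printf("New MD5: %s\n", lf->md5_after);
        }
        if (lf->sha1_before) {
            printf("Old SHA1: %s\n", lf->sha1_before);
        }
        if (lf->sha1_after) {
            printf("New SHA1: %s\n", lf->sha1_after);
        }
        /* ctime() supplies the trailing newline itself, hence none in the
         * format; it also writes into a static buffer, so this function is
         * not safe to call from several threads at once. */
        if (lf->mtime_before) {
            printf("Old date: %s", ctime(&lf->mtime_before));
        }
        if (lf->mtime_after) {
            printf("New date: %s", ctime(&lf->mtime_after));
        }
        if (lf->inode_before) {
            printf("Old inode: %ld\n", lf->inode_before);
        }
        if (lf->inode_after) {
            printf("New inode: %ld\n", lf->inode_after);
        }
        if (lf->diff) {
            printf("What changed: %s\n", lf->diff);
        }
    }

    // Dynamic fields, except for syscheck events
    if (lf->fields && !lf->filename) {
        for (int i = 0; i < lf->nfields; i++) {
            if (lf->fields[i].value) {
                printf("%s: %s\n", lf->fields[i].key, lf->fields[i].value);
            }
        }
    }

    /* Print the last events if present */
    if (lf->generated_rule->last_events) {
        char **lasts = lf->generated_rule->last_events;
        while (*lasts) {
            printf("%.1256s\n", *lasts);
            lasts++;
        }
        /* Terminate the list at its head so these entries are not repeated
         * with the next alert. Only the first slot is cleared; the strings
         * are presumably owned and released by the rule's event-buffer code --
         * verify before changing this. */
        lf->generated_rule->last_events[0] = NULL;
    }

    printf("\n");
    fflush(stdout);
}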