void *DstIP_FP(Eventinfo *lf, char *field)
{
#ifdef TESTRULE
if (!alert_only) {
print_out(" dstip: '%s'", field);
}
#endif
lf->dstip = field;
#ifdef LIBGEOIP_ENABLED
if(!lf->dstgeoip) {
lf->dstgeoip = GetGeoInfobyIP(lf->dstip);
}
return (NULL);
#endif
}
void OS_LogOutput(Eventinfo *lf)
{
int i;
#ifdef LIBGEOIP_ENABLED
if (Config.geoipdb_file) {
if (lf->srcip && !lf->srcgeoip) {
lf->srcgeoip = GetGeoInfobyIP(lf->srcip);
}
if (lf->dstip && !lf->dstgeoip) {
lf->dstgeoip = GetGeoInfobyIP(lf->dstip);
}
}
#endif
printf(
"** Alert %ld.%ld:%s - %s\n"
"%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
"%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",
(long int)lf->time,
__crt_ftell,
lf->generated_rule->alert_opts & DO_MAILALERT ? " mail " : "",
lf->generated_rule->group,
lf->year,
lf->mon,
lf->day,
lf->hour,
lf->hostname != lf->location ? lf->hostname : "",
lf->hostname != lf->location ? "->" : "",
lf->location,
lf->generated_rule->sigid,
lf->generated_rule->level,
lf->comment,
lf->srcip == NULL ? "" : "\nSrc IP: ",
lf->srcip == NULL ? "" : lf->srcip,
#ifdef LIBGEOIP_ENABLED
lf->srcgeoip == NULL ? "" : "\nSrc Location: ",
lf->srcgeoip == NULL ? "" : lf->srcgeoip,
#else
"",
"",
#endif
lf->srcport == NULL ? "" : "\nSrc Port: ",
lf->srcport == NULL ? "" : lf->srcport,
lf->dstip == NULL ? "" : "\nDst IP: ",
lf->dstip == NULL ? "" : lf->dstip,
#ifdef LIBGEOIP_ENABLED
lf->dstgeoip == NULL ? "" : "\nDst Location: ",
lf->dstgeoip == NULL ? "" : lf->dstgeoip,
#else
"",
"",
#endif
lf->dstport == NULL ? "" : "\nDst Port: ",
lf->dstport == NULL ? "" : lf->dstport,
lf->dstuser == NULL ? "" : "\nUser: "******"" : lf->dstuser,
lf->full_log);
/* FIM events */
if (lf->filename) {
printf("File: %s\n", lf->filename);
if (lf->size_before)
printf("Old size: %s\n", lf->size_before);
if (lf->size_after)
printf("New size: %s\n", lf->size_after);
if (lf->perm_before)
printf("Old permissions: %6o\n", lf->perm_before);
if (lf->perm_after)
printf("New permissions: %6o\n", lf->perm_after);
if (lf->owner_before) {
if (lf->uname_before)
printf("Old user: %s (%s)\n", lf->uname_before, lf->owner_before);
else
printf("Old user: %s\n", lf->owner_before);
}
if (lf->owner_after) {
if (lf->uname_after)
printf("New user: %s (%s)\n", lf->uname_after, lf->owner_after);
else
printf("New user: %s\n", lf->owner_after);
}
if (lf->gowner_before) {
if (lf->gname_before)
printf("Old group: %s (%s)\n", lf->gname_before, lf->gowner_before);
else
printf("Old group: %s\n", lf->gowner_before);
}
if (lf->gowner_after) {
if (lf->gname_after)
printf("New group: %s (%s)\n", lf->gname_after, lf->gowner_after);
else
printf("New group: %s\n", lf->gowner_after);
}
if (lf->md5_before)
printf("Old MD5: %s\n", lf->md5_before);
if (lf->md5_after)
printf("New MD5: %s\n", lf->md5_after);
if (lf->sha1_before)
printf("Old SHA1: %s\n", lf->sha1_before);
if (lf->sha1_after)
printf("New SHA1: %s\n", lf->sha1_after);
if (lf->mtime_before)
printf("Old date: %s", ctime(&lf->mtime_before));
if (lf->mtime_after)
printf("New date: %s", ctime(&lf->mtime_after));
if (lf->inode_before)
printf("Old inode: %ld\n", lf->inode_before);
if (lf->inode_after)
printf("New inode: %ld\n", lf->inode_after);
if (lf->diff)
printf("What changed: %s\n", lf->diff);
}
// Dynamic fields, except for syscheck events
if (lf->fields && !lf->filename) {
for (i = 0; i < lf->nfields; i++) {
if (lf->fields[i].value) {
printf("%s: %s\n", lf->fields[i].key, lf->fields[i].value);
}
}
}
/* Print the last events if present */
if (lf->generated_rule->last_events) {
char **lasts = lf->generated_rule->last_events;
while (*lasts) {
printf("%.1256s\n", *lasts);
lasts++;
}
lf->generated_rule->last_events[0] = NULL;
}
printf("\n");
fflush(stdout);
return;
}
