/** alert_data *GetAlertData(FILE *fp) * Returns alert data for the file specified */ alert_data *GetAlertData(int flag, FILE *fp) { int _r = 0, log_size = 0, issyscheck = 0; char *p; char *alertid = NULL; char *date = NULL; char *comment = NULL; char *location = NULL; char *srcip = NULL; char *dstip = NULL; char *user = NULL; char *group = NULL; char *filename = NULL; char *old_md5 = NULL; char *new_md5 = NULL; char *old_sha1 = NULL; char *new_sha1 = NULL; char **log = NULL; #ifdef GEOIP char *geoipdatasrc = NULL; char *geoipdatadst = NULL; #endif int level, rule, srcport = 0, dstport = 0; char str[OS_BUFFER_SIZE+1]; str[OS_BUFFER_SIZE]='\0'; while(fgets(str, OS_BUFFER_SIZE, fp) != NULL) { /* Enf of alert */ if(strcmp(str, "\n") == 0 && log_size > 0) { /* Found in here */ if(_r == 2) { alert_data *al_data; os_calloc(1, sizeof(alert_data), al_data); al_data->alertid = alertid; al_data->level = level; al_data->rule = rule; al_data->location = location; al_data->comment = comment; al_data->group = group; al_data->log = log; al_data->srcip = srcip; al_data->srcport = srcport; al_data->dstip = dstip; al_data->dstport = dstport; al_data->user = user; al_data->date = date; al_data->filename = filename; #ifdef GEOIP al_data->geoipdatasrc = geoipdatasrc; al_data->geoipdatadst = geoipdatadst; #endif al_data->old_md5 = old_md5; al_data->new_md5 = new_md5; al_data->old_sha1 = old_sha1; al_data->new_sha1 = new_sha1; return(al_data); } _r = 0; } /* Checking for the header */ if(strncmp(ALERT_BEGIN, str, ALERT_BEGIN_SZ) == 0) { char *m; int z = 0; p = str + ALERT_BEGIN_SZ + 1; m = strstr(p, ":"); if (!m) { continue; } z = strlen(p) - strlen(m); os_realloc(alertid, (z + 1)*sizeof(char *), alertid); strncpy(alertid, p, z); alertid[z] = '\0'; /* Searching for email flag */ p = strchr(p, ' '); if(!p) { continue; } p++; /* Checking for the flags */ if((flag & CRALERT_MAIL_SET) && (strncmp(ALERT_MAIL, p, ALERT_MAIL_SZ) != 0)) { continue; } p = strchr(p, '-'); if(p) { p++; os_strdup(p, group); /* Cleaning new line from group */ os_clearnl(group, p); if(group != NULL && strstr(group, "syscheck") != NULL) { issyscheck = 1; } } /* Searching for active-response flag */ _r = 1; continue; } if(_r < 1) continue; /*** Extract information from the event ***/ /* r1 means: 2006 Apr 13 16:15:17 /var/log/auth.log */ if(_r == 1) { /* Clear new line */ os_clearnl(str, p); p = strchr(str, ':'); if(p) { p = strchr(p, ' '); if(p) { *p = '\0'; p++; } else { /* If p is null it is because strchr failed */ merror("ZZZ: 1() Merror date or location not NULL"); _r = 0; goto l_error; } } /* If not, str is date and p is the location */ if(date || location) merror("ZZZ Merror date or location not NULL"); os_strdup(str, date); os_strdup(p, location); _r = 2; log_size = 0; continue; } else if(_r == 2) { /* Rule begin */ if(strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + RULE_BEGIN_SZ; rule = atoi(p); p = strchr(p, ' '); if(p) { p++; p = strchr(p, ' '); if(p) p++; } if(!p) goto l_error; level = atoi(p); /* Getting the comment */ p = strchr(p, '\''); if(!p) goto l_error; p++; os_strdup(p, comment); /* Must have the closing \' */ p = strrchr(comment, '\''); if(p) { *p = '\0'; } else { goto l_error; } } /* srcip */ else if(strncmp(SRCIP_BEGIN, str, SRCIP_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + SRCIP_BEGIN_SZ; os_strdup(p, srcip); } #ifdef GEOIP /* GeoIP Source Location */ else if (strncmp(GEOIP_BEGIN_SRC, str, GEOIP_BEGIN_SRC_SZ) == 0) { os_clearnl(str,p); p = str + GEOIP_BEGIN_SRC_SZ; os_strdup(p, geoipdatasrc); } #endif /* srcport */ else if(strncmp(SRCPORT_BEGIN, str, SRCPORT_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + SRCPORT_BEGIN_SZ; srcport = atoi(p); } /* dstip */ else if(strncmp(DSTIP_BEGIN, str, DSTIP_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + DSTIP_BEGIN_SZ; os_strdup(p, dstip); } #ifdef GEOIP /* GeoIP Destination Location */ else if (strncmp(GEOIP_BEGIN_DST, str, GEOIP_BEGIN_DST_SZ) == 0) { os_clearnl(str,p); p = str + GEOIP_BEGIN_DST_SZ; os_strdup(p, geoipdatadst); } #endif /* dstport */ else if(strncmp(DSTPORT_BEGIN, str, DSTPORT_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + DSTPORT_BEGIN_SZ; dstport = atoi(p); } /* username */ else if(strncmp(USER_BEGIN, str, USER_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + USER_BEGIN_SZ; os_strdup(p, user); } /* Old MD5 */ else if(strncmp(OLDMD5_BEGIN, str, OLDMD5_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + OLDMD5_BEGIN_SZ; os_strdup(p, old_md5); } /* New MD5 */ else if(strncmp(NEWMD5_BEGIN, str, NEWMD5_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + NEWMD5_BEGIN_SZ; os_strdup(p, new_md5); } /* Old SHA1 */ else if(strncmp(OLDSHA1_BEGIN, str, OLDSHA1_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + OLDSHA1_BEGIN_SZ; os_strdup(p, old_sha1); } /* New SHA1 */ else if(strncmp(NEWSHA1_BEGIN, str, NEWSHA1_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + NEWSHA1_BEGIN_SZ; os_strdup(p, new_sha1); } /* It is a log message */ else if(log_size < 20) { os_clearnl(str,p); if(str != NULL && issyscheck == 1) { if(strncmp(str, "Integrity checksum changed for: '",33) == 0) { filename = strdup(str+33); if(filename) { filename[strlen(filename) -1] = '\0'; } } issyscheck = 0; } os_realloc(log, (log_size +2)*sizeof(char *), log); os_strdup(str, log[log_size]); log_size++; log[log_size] = NULL; } } continue; l_error: /* Freeing the memory */ _r = 0; if(date) { free(date); date = NULL; } if(location) { free(location); location = NULL; } if(comment) { free(comment); comment = NULL; } if(srcip) { free(srcip); srcip = NULL; } #ifdef GEOIP if(geoipdatasrc) { free(geoipdatasrc); geoipdatasrc = NULL; } if(geoipdatadst) { free(geoipdatadst); geoipdatadst = NULL; } #endif if(user) { free(user); user = NULL; } if(filename) { free(filename); filename = NULL; } if(group) { free(group); group = NULL; } if(old_md5) { free(old_md5); old_md5 = NULL; } if(new_md5) { free(new_md5); new_md5 = NULL; } if(old_sha1) { free(old_sha1); old_sha1 = NULL; } if(new_sha1) { free(new_sha1); new_sha1 = NULL; } while(log_size > 0) { log_size--; if(log[log_size]) { free(log[log_size]); log[log_size] = NULL; } } } if(alertid) { free(alertid); alertid = NULL; } /* We need to clean end of file before returning */ clearerr(fp); return(NULL); }
/** alert_data *GetAlertData(FILE *fp) * Returns alert data for the file specified */ alert_data *GetAlertData(int flag, FILE *fp) { int _r = 0, log_size; char *p; char *date = NULL; char *comment = NULL; char *location = NULL; char *srcip = NULL; char *user = NULL; char *group = NULL; char **log = NULL; int level, rule; char str[OS_BUFFER_SIZE+1]; str[OS_BUFFER_SIZE]='\0'; while(fgets(str, OS_BUFFER_SIZE, fp) != NULL) { /* Enf of alert */ if(strcmp(str, "\n") == 0) { /* Found in here */ if(_r == 2) { alert_data *al_data; os_calloc(1, sizeof(alert_data), al_data); al_data->level = level; al_data->rule = rule; al_data->location = location; al_data->comment = comment; al_data->group = group; al_data->log = log; al_data->srcip = srcip; al_data->user = user; al_data->date = date; return(al_data); } _r = 0; } /* Checking for the header */ if(strncmp(ALERT_BEGIN, str, ALERT_BEGIN_SZ) == 0) { p = str + ALERT_BEGIN_SZ + 1; /* Searching for email flag */ p = strchr(p, ' '); if(!p) { continue; } p++; /* Checking for the flags */ if((flag & CRALERT_MAIL_SET) && (strncmp(ALERT_MAIL, p, ALERT_MAIL_SZ) != 0)) { continue; } p = strchr(p, '-'); if(p) { p++; os_strdup(p, group); /* Cleaning new line from group */ os_clearnl(group, p); } /* Searching for active-response flag */ _r = 1; continue; } if(_r < 1) continue; /*** Extract information from the event ***/ /* r1 means: 2006 Apr 13 16:15:17 /var/log/auth.log */ if(_r == 1) { /* Clear new line */ os_clearnl(str, p); p = strchr(str, ':'); if(p) { p = strchr(p, ' '); if(p) { *p = '\0'; p++; } else { /* If p is null it is because strchr failed */ merror("ZZZ: 1() Merror date or location not NULL"); _r = 0; goto l_error; } } /* If not, str is date and p is the location */ if(date || location) merror("ZZZ Merror date or location not NULL"); os_strdup(str, date); os_strdup(p, location); _r = 2; log_size = 0; continue; } else if(_r == 2) { /* Rule begin */ if(strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + RULE_BEGIN_SZ; rule = atoi(p); p = strchr(p, ' '); if(p) { p++; p = strchr(p, ' '); if(p) p++; } if(!p) goto l_error; level = atoi(p); /* Getting the comment */ p = strchr(p, '\''); if(!p) goto l_error; p++; os_strdup(p, comment); /* Must have the closing \' */ p = strrchr(comment, '\''); if(p) { *p = '\0'; } else { goto l_error; } } /* srcip */ else if(strncmp(SRCIP_BEGIN, str, SRCIP_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + SRCIP_BEGIN_SZ; os_strdup(p, srcip); } /* username */ else if(strncmp(USER_BEGIN, str, USER_BEGIN_SZ) == 0) { os_clearnl(str,p); p = str + USER_BEGIN_SZ; os_strdup(p, user); } /* It is a log message */ else if(log_size < 20) { os_clearnl(str,p); os_realloc(log, (log_size +2)*sizeof(char *), log); os_strdup(str, log[log_size]); log_size++; log[log_size] = NULL; } } continue; l_error: /* Freeing the memory */ _r = 0; if(date) { free(date); date = NULL; } if(location) { free(location); location = NULL; } if(comment) { free(comment); comment = NULL; } if(srcip) { free(srcip); srcip = NULL; } if(user) { free(user); user = NULL; } if(group) { free(group); group = NULL; } while(log_size > 0) { log_size--; if(log[log_size]) { free(log[log_size]); log[log_size] = NULL; } } } /* We need to clean end of file before returning */ clearerr(fp); return(NULL); }