source: branches/samhain-2_2-branch/src/sh_prelude_old.c@ 584

Last change on this file since 584 was 1, checked in by katerina, 19 years ago

Initial import

File size: 20.8 KB
Line 
1/*
2 *
3 * Copyright (C) 2004, 2005 Rainer Wichmann, Patrice Bourgin,
4 * Yoann Vandoorselaere
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2, or (at your option)
9 * any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; see the file COPYING. If not, write to
18 * the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
19 *
20 */
21
22/*
23 *
24 * 03/12/2004 : R.W.:
25 * fix more memory leaks in get_file_infos()
26 * workaround (re-init) for file descriptor closing problem with GPG
27 *
28 * R.W.: fix missing treatment of alternative XML-style messages
29 * fix get_value (if terminating '>' or '"' is not found, may
30 * overwrite the NULL terminator of the string ...)
31 * fix memory leaks in get_file_infos(), retrieve_time()
32 *
33 * 13/03/2004 : This file is modified by Patrice Bourgin
34 * <pbourgin@xpconseil.com>
35 *
36 * R.W.: Some problems with the patch by Patrice Bourgin fixed
37 * (e.g. memory leak)
38 *
39 * Modifications (13/03/2004) by Patrice bourgin (pbourgin@xpconseil.com) :
40 * Comment : thanks for memory leak fix :p
41 * 1 : remove translation of HTML tag
42 * 2 : send detailled information about files to prelude (with two
43 * functions : get_value and get_file_infos)
44 * these two functions were written by Yoann, but for future
45 * version of prelude, I adapt them to work
46 * with version 0.8.10 of libprelude
47 * 3 : send a heartbeat just after initialization, to alert prelude that
48 * samhain is started
49 * 4 : these modifications was tested successfully, and all informations are
50 * correctly transmitted to prelude and displayed with piwi
51 *
52 * Modifications (7/03/2004) by Patrice bourgin (pbourgin@xpconseil.com) :
53 * 1 : translation of HTML tag <> to tag () in alert to permit
54 * displaying alerts on piwi
55 * 2 : add the address in the source and in the target for displaying on piwi
56 * 3 : add information about the classification, because there was only
57 * one classification and it was not enough
58 * 4 : add impact field to classify alert in prelude, becuse impact is
59 * needed to treat information
60 * 5 : correct some errors with transmission to prelude with libprelude
61 */
62
63#include "config_xor.h"
64
65#include <stdio.h>
66#include <string.h>
67#include <sys/types.h>
68
69#if TIME_WITH_SYS_TIME
70#include <sys/time.h>
71#include <time.h>
72#else
73#if HAVE_SYS_TIME_H
74#include <sys/time.h>
75#else
76#include <time.h>
77#endif
78#endif
79#include <unistd.h>
80#include <syslog.h>
81
82#if defined(HAVE_LIBPRELUDE) && !defined(HAVE_LIBPRELUDE_9)
83
84/*
85 * _() macros are samhain specific; they are used to replace string
86 * constants at runtime. This is part of the samhain stealth mode
87 * (fill string constants with encoded strings, decode at runtime).
88 */
89#define FIL__ _("sh_prelude.c")
90
91#if defined(__GNUC__)
92extern char *strptime (const char * s,
93 const char * fmt, struct tm * tp);
94#endif
95
96#include <netdb.h>
97#include <netinet/in.h>
98#include <arpa/inet.h>
99#include <sys/utsname.h>
100#ifdef HAVE_LIBGEN_H
101#include <libgen.h>
102#endif
103
104#include <libprelude/list.h>
105#include <libprelude/idmef-tree.h>
106#include <libprelude/idmef-tree-func.h>
107#include <libprelude/prelude-io.h>
108#include <libprelude/prelude-message.h>
109#include <libprelude/prelude-message-buffered.h>
110#include <libprelude/idmef-msg-send.h>
111#include <libprelude/idmef-message-id.h>
112#include <libprelude/prelude-message-id.h>
113#include <libprelude/sensor.h>
114
115#ifndef HAVE_BASENAME
116#define basename(a) ((NULL == strrchr(a, '/')) ? (a) : (strrchr(a, '/')))
117#endif
118
119/*
120 * includes for samhain-specific functions (sl_strstr, sh_error_handle)
121 */
122#include "slib.h"
123#include "sh_mem.h"
124#include "sh_cat.h"
125#include "sh_error_min.h"
126#include "sh_prelude.h"
127#define SH_NEED_GETHOSTBYXXX
128#include "sh_static.h"
129
130static char programname[64];
131static idmef_heartbeat_t heartbeat;
132static prelude_msgbuf_t * hb_msgbuf = NULL;
133static struct utsname * uname_data = NULL;
134
135static char hostname[256];
136
137static char model[64];
138static char class[64];
139static char version[8];
140static char manufacturer[64];
141
142static char name[16];
143static char url[32];
144
145static char meaning[64];
146static char description[128];
147
148static char * path_basename = NULL;
149static char * path_fullname = NULL;
150
151/* safe string duplication function
152 */
153static char * xstrdup (const char * str)
154{
155 size_t len;
156 char * ret;
157
158 if (!str)
159 return NULL;
160 len = sl_strlen(str);
161 ret = SH_ALLOC(len+1);
162 sl_strlcpy (ret, str, len+1);
163 return (ret);
164}
165
166/* Get the value for a key. The key is built from toktmp + toksuffix.
167 * msg is modified temporarily, so it should not be declared 'const'.
168 */
169static char *get_value (char *msg, const char *toktmp,
170 const char *toksuffix)
171{
172 char * ret = NULL, *ptr, tok[128];
173
174 snprintf(tok, sizeof(tok), "%s%s", toktmp, (toksuffix) ? toksuffix : "");
175
176 ptr = strstr(msg, tok);
177 if ( ! ptr )
178 return NULL;
179
180#ifdef SH_USE_XML
181 while (*ptr && *ptr != '"') ptr++;
182 if (*ptr) {
183 ret = ptr + 1; ptr = ret;
184 }
185 while (*ptr && *ptr != '"') ptr++;
186 if (*ptr)
187 {
188 *ptr = '\0';
189 if (ret) ret = xstrdup(ret);
190 *ptr = '"';
191 }
192 else
193 {
194 if (ret) ret = xstrdup(ret);
195 }
196#else
197 while (*ptr && *ptr != '<') ptr++;
198 if (*ptr) ret = ptr + 1;
199 while (*ptr && *ptr != '>') ptr++;
200 if (*ptr)
201 {
202 *ptr = '\0';
203 if (ret) ret = xstrdup(ret);
204 *ptr = '>';
205 }
206 else
207 {
208 if (ret) ret = xstrdup(ret);
209 }
210#endif
211
212 return ret;
213}
214
215int sh_prelude_init ()
216{
217 int ret = -1;
218
219 if (uname_data != NULL) {
220 SH_FREE(uname_data);
221 uname_data = NULL;
222 }
223 uname_data = SH_ALLOC(sizeof(struct utsname)); /* only once */
224 if (!uname_data) {
225 return -1;
226 }
227 ret = uname(uname_data);
228 if (ret < 0) {
229 uname_data = NULL;
230 return -1;
231 }
232
233 /* ------- LibPrelude Init -------
234 */
235 strncpy(programname, _("Samhain"), 64);
236 programname[63] = '\0';
237
238 if ( prelude_sensor_init(programname, NULL, 0, NULL) < 0)
239 {
240 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
241 _("Failed to initialize Prelude"),
242 _("sh_prelude_init"));
243 return -1;
244 }
245
246 strncpy(model, _("Samhain"), 64);
247 model[63] = '\0';
248 strncpy(class, _("Samhain Host Intrusion Detection System"), 64);
249 class[63] = '\0';
250 strncpy(version, VERSION, 8);
251 version[7] = '\0';
252 strncpy(manufacturer, _("Samhain by Rainer Wichmann"), 64);
253 manufacturer[63] = '\0';
254
255 /*
256 if (sh.host.name[0] != '\0') {
257 strncpy(hostname, sh.host.name, 256); hostname[255] = '\0';
258 } else {
259 gethostname (hostname, 256); hostname[255] = '\0';
260 }
261 */
262
263 /* According to the manpage, if gethostname returns a truncated hostname,
264 * it may or may not be NULL terminated. So we terminate explicitely.
265 */
266 gethostname (hostname, 256); hostname[255] = '\0';
267
268 strncpy (name, _("Samhain HIDS"), 16);
269 name[15] = '\0';
270 strncpy (url, _("http://www.la-samhna.de/samhain/"), 32);
271 url[31] = '\0';
272
273 strncpy (meaning, _("Message generated by Samhain"), 64);
274 meaning[63] = '\0';
275
276 /* analyzer information */
277 idmef_string_set (&heartbeat.analyzer.model, model);
278 idmef_string_set (&heartbeat.analyzer.class, class);
279 idmef_string_set (&heartbeat.analyzer.version, version);
280
281 /* analyzer address */
282 idmef_analyzer_node_new(&heartbeat.analyzer);
283 idmef_string_set (&heartbeat.analyzer.node->name, hostname);
284
285 /* analyzer type */
286 idmef_string_set(&heartbeat.analyzer.ostype, uname_data->sysname);
287 idmef_string_set(&heartbeat.analyzer.osversion, uname_data->release);
288
289
290 INIT_LIST_HEAD(&heartbeat.additional_data_list);
291
292 if (hb_msgbuf != NULL)
293 {
294 prelude_msgbuf_close (hb_msgbuf);
295 hb_msgbuf = NULL;
296 }
297 hb_msgbuf = prelude_msgbuf_new(0);
298 if (!hb_msgbuf) {
299 return -1;
300 }
301
302 /* prelude_heartbeat_register_cb(&SendHeartbeat, NULL); */
303 return 1;
304}
305
306/* Retrieve the content of "msg=" for adding informations on
307 * impact tag with prelude
308 */
309char *RetrieveImpact(const char *msg)
310{
311 char *tmp1;
312 char *tmp2;
313 char *tmp0;
314 char *ret = NULL;
315
316 tmp2 = xstrdup(msg);
317 /*
318 * don't use strtok - strtok (str, delim) is 'one of the chars
319 * in delim', not the full 'delim' string
320 */
321 if (tmp2)
322 tmp1 = sl_strstr (tmp2, _("msg="));
323 else
324 return NULL;
325
326 if (tmp1)
327 {
328 tmp1 += 5;
329#ifdef SH_USE_XML
330 tmp0 = strchr(tmp1, '"');
331#else
332 tmp0 = strchr(tmp1, '>');
333#endif
334 if (tmp0)
335 *tmp0 = '\0';
336 ret = xstrdup(tmp1);
337 }
338 SH_FREE(tmp2); /* fix memory leak */
339
340 return ret;
341}
342
343/* Transform the string time from the event into time
344 */
345time_t retrieve_time(char *stime)
346{
347#ifdef HAVE_STRPTIME
348 struct tm tmptime;
349 time_t rettime = -1;
350 char *tmp0, *tmp1, *tmp2;
351
352 /* fix more memory leaks
353 */
354 if ( stime )
355 {
356 tmp0 = xstrdup(stime);
357 tmp1 = tmp0;
358 tmp2 = tmp1 + 1;
359
360 while (*tmp1 && *tmp1 != ']') tmp1++;
361 if (*tmp1)
362 {
363 *tmp1 = '\0';
364 tmp2 = xstrdup(tmp2);
365 SH_FREE (tmp0);
366 }
367 else
368 {
369 tmp2 = xstrdup(tmp2);
370 SH_FREE (tmp0);
371 }
372
373 memset (&tmptime, '\0', sizeof(struct tm));
374 strptime(tmp2,"%Y-%m-%dT%H:%M:%S", &tmptime);
375 rettime = mktime(&tmptime);
376
377 SH_FREE(tmp2);
378
379 if ( rettime != -1 )
380 return rettime;
381 else
382 return 0;
383 }
384#endif
385 return 0;
386}
387
388/* msg is modified temporarily in get_value(),
389 * so it should not be declared 'const'.
390 */
391void get_file_infos(idmef_target_t *target, char *msg,
392 idmef_file_category_t category)
393{
394 char *ptr;
395 idmef_file_t *file;
396 idmef_time_t *temps;
397 idmef_inode_t *inode;
398 const char *suffix = (category == current) ? "_new" : "_old";
399
400 file = idmef_target_file_new(target);
401 if ( ! file )
402 return;
403
404 file->category = category;
405 /*
406 * Fix memory leak - the pointer to get_value(msg, "path", NULL) is lost
407 * libprelude does not strdup, only sets a pointer, so need a global pointer
408 * to keep track of this :(
409 */
410 if (category == original)
411 path_fullname = get_value(msg, "path", NULL);
412 idmef_string_set (&file->path, path_fullname);
413
414 if (category == original)
415 path_basename = get_value(msg, "path", NULL);
416 if (path_basename) {
417 idmef_string_set (&file->name, basename(path_basename));
418 }
419
420 ptr = get_value(msg, "size", suffix);
421 if ( ptr ) {
422 file->data_size = strtoul(ptr, NULL, 10);
423 SH_FREE(ptr);
424 }
425
426 ptr = get_value(msg, "mtime", suffix);
427 if ( ptr ) {
428 temps = idmef_file_modify_time_new(file);
429 temps->sec = retrieve_time(ptr);
430 SH_FREE(ptr);
431 }
432
433 ptr = get_value(msg, "ctime", suffix);
434 if ( ptr ) {
435 temps = idmef_file_create_time_new(file);
436 temps->sec = retrieve_time(ptr);
437 SH_FREE(ptr);
438 }
439
440 ptr = get_value(msg, "atime", suffix);
441 if ( ptr ) {
442 temps = idmef_file_access_time_new(file);
443 temps->sec = retrieve_time(ptr);
444 SH_FREE(ptr);
445 }
446
447 ptr = get_value(msg, "inode", suffix);
448 if ( ptr ) {
449 inode = idmef_file_inode_new(file);
450 inode->number = strtoul(ptr, NULL, 10);
451 SH_FREE(ptr);
452 }
453}
454
455void sh_prelude_reset()
456{
457 (void) sh_prelude_alert (0, 0, NULL, 0, 0);
458 return;
459}
460
461int sh_prelude_alert (int priority, int sh_class, char * message,
462 long msgflags, unsigned long msgid)
463{
464 static int initialized = 0;
465 struct timeval tv;
466
467 idmef_alert_t * alert;
468 idmef_message_t * idmef;
469 prelude_msgbuf_t * msgbuf;
470 idmef_classification_t * classification;
471 idmef_target_t * target;
472 idmef_address_t * taddr;
473 idmef_source_t * source;
474 idmef_assessment_t * assessment;
475 idmef_additional_data_t * data;
476 /* To store impact */
477 char * impactmsg = NULL;
478 struct hostent * myhost;
479 char * src_ip = NULL;
480
481 static int some_error = 0;
482
483 (void) msgflags;
484 (void) msgid;
485
486 /* Workaround for the file closing bug
487 */
488 if (message == NULL && priority == 0 && sh_class == 0)
489 {
490 initialized = 0;
491 return 0;
492 }
493
494 if (initialized == 0)
495 {
496 /* initialize
497 */
498 initialized = sh_prelude_init();
499
500 /* send a heartbeat after initialization to say to prelude "I'm alive" */
501
502 gettimeofday(&tv, NULL);
503 heartbeat.create_time.sec = tv.tv_sec;
504 heartbeat.create_time.usec = tv.tv_usec;
505
506 /*
507 * we could use additional data to send stats.
508 */
509 prelude_msgbuf_set_header(hb_msgbuf, PRELUDE_MSG_IDMEF, 0);
510 idmef_send_heartbeat(hb_msgbuf, &heartbeat);
511 prelude_msgbuf_mark_end(hb_msgbuf);
512 }
513 if (initialized == -1)
514 {
515 /* init failed
516 */
517 if (some_error == 0)
518 {
519 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
520 _("Problem with prelude-ids support: init failed"),
521 _("sh_prelude_alert"));
522 }
523 some_error = 1;
524 return -1;
525 }
526
527 if (sh_class == STAMP)
528 {
529 gettimeofday(&tv, NULL);
530 heartbeat.create_time.sec = tv.tv_sec;
531 heartbeat.create_time.usec = tv.tv_usec;
532
533 /*
534 * we could use additional data to send stats.
535 */
536 prelude_msgbuf_set_header(hb_msgbuf, PRELUDE_MSG_IDMEF, 0);
537 idmef_send_heartbeat(hb_msgbuf, &heartbeat);
538 prelude_msgbuf_mark_end(hb_msgbuf);
539 return 0;
540 }
541
542 /* This function serves to initialize a message structure.
543 * The returned idmef_message_t structure is a static variable
544 * declared in idmef_message_new().
545 */
546 idmef = idmef_message_new();
547 if ( ! idmef )
548 goto err;
549
550 /* 'alert' is a static variable that gets initialized and
551 * associated with the idmef_message_t idmef_alert_t member.
552 * -> no new memory allocated; not signal-safe or thread-safe.
553 */
554 idmef_alert_new(idmef);
555 alert = idmef->message.alert;
556
557 /* Set the 'detect time'. idmef_alert_new() will already set the
558 * 'create time', whatever the difference is supposed to be.
559 */
560 gettimeofday(&tv, NULL);
561 idmef_alert_detect_time_new(alert);
562 alert->detect_time->sec = tv.tv_sec;
563 alert->detect_time->usec = tv.tv_usec;
564
565 /* ------- Analyzer. -------
566 *
567 * This apparently is supposed to provide some information
568 * about the sensor to the server (what sensor process ? where ?).
569 *
570 * idmef_string_set (x, y) is a macro that will make x
571 * a pointer to y. Therefore the caller must guarantee that y will
572 * never be overwritten until the alert is sent.
573 * With the samhain _() macros, this means we must copy to another
574 * storage region.
575 *
576 * N.B.: with constant strings, you can use idmef_string_set_constant()
577 * instead.
578 */
579 idmef_string_set (&alert->analyzer.model, model);
580 idmef_string_set (&alert->analyzer.class, class);
581 idmef_string_set (&alert->analyzer.version, version);
582 idmef_string_set (&alert->analyzer.manufacturer, manufacturer);
583
584 /* Here we add some information on the host OS.
585 */
586 idmef_string_set (&alert->analyzer.ostype, uname_data->sysname);
587 idmef_string_set (&alert->analyzer.osversion, uname_data->release);
588
589 /* ------- Analyzer / Process -------
590 *
591 * Fill in minimal info about the process. Apparently one could also
592 * supply things like path, argv, env (?).
593 */
594 idmef_analyzer_process_new (&alert->analyzer);
595 alert->analyzer.process->pid = getpid();
596
597 /* ------- Analyzer / Node -------
598 *
599 * Provide the name of this node, i.e. host.
600 */
601 idmef_analyzer_node_new (&alert->analyzer);
602 idmef_string_set (&alert->analyzer.node->name, hostname);
603
604
605
606 /* ------- Classification -------
607 *
608 * Apparently 'classification' provides details about the sensor
609 * program.
610 *
611 * For reasons unbeknown to me (did not care to investigate),
612 * this function does allocate memory, instead of using a static variable.
613 *
614 */
615 classification = idmef_alert_classification_new(alert);
616 if ( ! classification )
617 goto err;
618
619
620 impactmsg = RetrieveImpact(message);
621 if (impactmsg)
622 idmef_string_set (&classification->name, impactmsg);
623 idmef_string_set (&classification->url, url);
624
625 classification->origin = vendor_specific;
626
627 /* Get information about ip address */
628
629 myhost = sh_gethostbyname(hostname);
630 src_ip = xstrdup(inet_ntoa(*((struct in_addr *)myhost->h_addr_list[0])));
631
632
633 /* ------- Target -------
634 *
635 * Purpose ? To provide informations about destination of alert
636 *
637 * Allocates memory.
638 *
639 */
640 target = idmef_alert_target_new(alert);
641 if ( ! target )
642 goto err;
643 idmef_target_node_new(target);
644 idmef_string_set(&target->node->name, hostname);
645
646 if ( strstr(message, "path=") ) {
647 get_file_infos(target, message, original);
648 get_file_infos(target, message, current);
649 }
650
651 if (src_ip)
652 {
653 taddr = idmef_node_address_new(target->node);
654 if (!taddr)
655 goto err;
656
657 taddr->category = ipv4_addr;
658 idmef_string_set(&taddr->address, src_ip);
659 }
660
661 /* ------- Source -------
662 *
663 * Purpose ? To provide informations about source of alert
664 *
665 * Allocates memory.
666 *
667 */
668 source = idmef_alert_source_new(alert);
669 if ( ! source )
670 goto err;
671
672 /* ------- Impact -------
673 */
674 idmef_alert_assessment_new(alert);
675 assessment = alert->assessment;
676 idmef_assessment_impact_new(assessment);
677
678 if ((priority == SH_ERR_SEVERE) || (priority == SH_ERR_FATAL))
679 {
680 assessment->impact->severity = impact_high;
681 }
682 else if ((priority == SH_ERR_ALL) || (priority == SH_ERR_INFO) ||
683 (priority == SH_ERR_NOTICE))
684 {
685 assessment->impact->severity = impact_low;
686 }
687 else
688 {
689 assessment->impact->severity = impact_medium;
690 }
691
692 if (NULL != sl_strstr(message, _("POLICY")))
693 {
694 if (NULL != sl_strstr(message, _("POLICY KERNEL")))
695 {
696 assessment->impact->severity = impact_high;
697 assessment->impact->completion = succeeded;
698 assessment->impact->type = other;
699 strncpy(description,
700 _("Kernel modification detected by Samhain."),
701 128);
702 description[127] = '\0';
703 }
704 else
705 {
706 assessment->impact->severity = impact_high;
707 assessment->impact->completion = succeeded;
708 assessment->impact->type = file;
709 strncpy(description,
710 _("File system modification detected by Samhain."),
711 128);
712 description[127] = '\0';
713 }
714 }
715 else
716 {
717 if ( ((NULL != sl_strstr(message, _("Login"))) ||
718 (NULL != sl_strstr(message, _("Multiple login"))) ||
719 (NULL != sl_strstr(message, _("Logout")))) &&
720 (NULL == sl_strstr(message, _("Checking"))))
721 {
722 assessment->impact->completion = succeeded;
723 assessment->impact->type = user;
724 strncpy(description,
725 _("Login/logout detected by Samhain."),
726 128);
727 description[127] = '\0';
728 }
729 else
730 {
731 /* assessment->impact->severity = impact_low; */
732 assessment->impact->completion = succeeded;
733 assessment->impact->type = other;
734 strncpy(description,
735 _("Message by Samhain."),
736 128);
737 description[127] = '\0';
738 }
739 }
740 idmef_string_set (&assessment->impact->description, description);
741 idmef_assessment_confidence_new(assessment);
742 assessment->confidence->rating = high;
743
744 /* ------- Additional Data -------
745 *
746 * Here we supply the log message.
747 *
748 */
749 data = idmef_alert_additional_data_new(alert);
750 if ( ! data )
751 goto err;
752
753 data->type = string;
754 idmef_string_set (&data->meaning, meaning);
755 if (message)
756 idmef_additional_data_set_data (data, string, message,
757 strlen(message) + 1);
758
759 /* ------- Send -------
760 *
761 * Finally, the preparated message is sent.
762 */
763 msgbuf = prelude_msgbuf_new(0);
764 if ( ! msgbuf )
765 goto err;
766
767 /* Always return 0 (in libprelude 0.8.10); i.e. no useful
768 * exit status
769 */
770 idmef_msg_send(msgbuf, idmef, PRELUDE_MSG_PRIORITY_HIGH);
771
772 /* Cleanup
773 */
774 idmef_message_free(idmef);
775 prelude_msgbuf_close(msgbuf);
776 if (path_basename)
777 {
778 SH_FREE(path_basename);
779 path_basename = NULL;
780 }
781 if (path_fullname)
782 {
783 SH_FREE(path_fullname);
784 path_fullname = NULL;
785 }
786 if (impactmsg)
787 SH_FREE(impactmsg);
788 if (src_ip)
789 SH_FREE(src_ip);
790
791 some_error = 0;
792
793 return 0;
794
795 err:
796 /* Cleanup
797 */
798 idmef_message_free(idmef);
799 if (0 == some_error)
800 {
801 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
802 _("Problem with IDMEF for prelude-ids support: alert lost"),
803 _("sh_prelude_alert"));
804 }
805 if (path_basename)
806 {
807 SH_FREE(path_basename);
808 path_basename = NULL;
809 }
810 if (path_fullname)
811 {
812 SH_FREE(path_fullname);
813 path_fullname = NULL;
814 }
815 if (impactmsg)
816 SH_FREE(impactmsg);
817 if (src_ip)
818 SH_FREE(src_ip);
819 some_error = 1;
820 return -1;
821
822}
823
824/* HAVE_LIBPRELUDE */
825#endif
Note: See TracBrowser for help on using the repository browser.