Index: trunk/src/sh_cat.c
===================================================================
--- trunk/src/sh_cat.c	(revision 205)
+++ trunk/src/sh_cat.c	(revision 206)
@@ -135,7 +135,7 @@
 #ifdef SH_USE_PORTCHECK
   { MSG_PORT_MISS,   SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceMissing] %s\"")},
-  { MSG_PORT_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceNew] %s\" path=\"%s\" userid=\"%s\"")},
-  { MSG_PORT_RESTART,SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceRestarted] %s\" path=\"%s\" userid=\"%s\"")},
-  { MSG_PORT_NEWPORT,SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServicePortSwitch] %s\" path=\"%s\" userid=\"%s\"")},
+  { MSG_PORT_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceNew] %s\" path=\"%s\"  pid=\"%lu\" userid=\"%s\"")},
+  { MSG_PORT_RESTART,SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceRestarted] %s\" path=\"%s\" pid=\"%lu\" userid=\"%s\"")},
+  { MSG_PORT_NEWPORT,SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServicePortSwitch] %s\" path=\"%s\" pid=\"%lu\" userid=\"%s\"")},
 #endif
 
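Review bot: The new MSG_PORT_NEW entry has two spaces before the pid field (`path=\"%s\"  pid=\"%lu\"`), unlike the RESTART and NEWPORT entries beside it and unlike all three entries in the second table at @@ -464. Use a single space so that consumers splitting the log line on one delimiter see the same layout for every message. These formats now take an unsigned long between path and user. The arguments appear to be passed through varargs, so any other caller of these three message ids not updated in this commit would not be caught at compile time.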
@@ -464,7 +464,7 @@
 #ifdef SH_USE_PORTCHECK
   { MSG_PORT_MISS,   SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceMissing] %s>")},
-  { MSG_PORT_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceNew] %s> path=<%s> userid=<%s>")},
-  { MSG_PORT_RESTART,SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceRestarted] %s> path=<%s> userid=<%s>")},
-  { MSG_PORT_NEWPORT,SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServicePortSwitch] %s> path=<%s> userid=<%s>")},
+  { MSG_PORT_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceNew] %s> path=<%s> pid=<%lu> userid=<%s>")},
+  { MSG_PORT_RESTART,SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceRestarted] %s> path=<%s> pid=<%lu> userid=<%s>")},
+  { MSG_PORT_NEWPORT,SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServicePortSwitch] %s> path=<%s> pid=<%lu> userid=<%s>")},
 #endif
 
Index: trunk/src/sh_port2proc.c
===================================================================
--- trunk/src/sh_port2proc.c	(revision 205)
+++ trunk/src/sh_port2proc.c	(revision 206)
@@ -311,5 +311,5 @@
 /* returns the command and fills the 'user' array 
  */
-char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport,
+char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport, unsigned long * pid,
 			  char * user, size_t userlen)
 {
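Review bot: The comment above sh_port2proc_query still reads "returns the command and fills the 'user' array" and does not mention the new out-parameter. That parameter is written unconditionally (`*pid = 0;` in the next hunk), so it must never be NULL. Suggest `/* returns the command, fills the 'user' array, and stores the owning process id in *pid (0 if none found); pid must not be NULL */`. The two other definitions of this function changed further down have no comment in their hunks and could carry the same one. The function body continues outside this hunk.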
@@ -320,4 +320,6 @@
   else
     fd = fopen("/proc/net/udp", "r");
+
+  *pid = 0;
 
   if (fd)
@@ -345,4 +347,5 @@
 			{
 			  fclose(fd);
+			  *pid = (unsigned long) new->pid;
 			  if (new->path)
 			    {
@@ -363,5 +366,5 @@
     }
  err_out:
-  sl_strlcpy(user, "0", userlen);
+  sl_strlcpy(user, "-", userlen);
   return sh_util_strdup("-");
 }
@@ -750,5 +753,5 @@
 
 char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport,
-			  char * user, size_t userlen)
+			  unsigned long * pid, char * user, size_t userlen)
 {
   int n, hash;
@@ -756,4 +759,6 @@
   struct in_addr * haddr;
   struct sock * s;
+
+  *pid = 0;
   
   for (xf = xfiles, n = 0; n < nxfiles; ++n, ++xf) {
@@ -796,4 +801,6 @@
 	struct sock_store try;
 	
+	*pid = xf->xf_pid;
+
 	try.pid  = xf->xf_pid;
 	try.path = NULL;
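Review bot: `*pid = xf->xf_pid;` converts the value implicitly, while the /proc variant of this function casts explicitly with `(unsigned long) new->pid`. Write `*pid = (unsigned long) xf->xf_pid;` so both variants agree and the conversion is visible. The rest of the loop is outside the hunk, so it is not visible whether a later path can still return the "-" placeholder with *pid already set. If it can, reset *pid to 0 there so the pid and path fields of the log record stay consistent.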
@@ -862,5 +869,5 @@
 
 char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport,
-			  char * user, size_t userlen)
+			  unsigned long * pid, char * user, size_t userlen)
 {
   (void) proto;
@@ -868,4 +875,6 @@
   (void) sport;
 
+  *pid = 0;
+
   sl_strlcpy(user, "-", userlen);
   return sh_util_strdup("-");
Index: trunk/src/sh_portcheck.c
===================================================================
--- trunk/src/sh_portcheck.c	(revision 205)
+++ trunk/src/sh_portcheck.c	(revision 206)
@@ -137,5 +137,5 @@
 
 extern char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport,
-				 char * user, size_t userlen);
+				 unsigned long * pid, char * user, size_t userlen);
 extern int sh_port2proc_prepare();
 
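Review bot: This hand-written `extern` prototype must now be kept in step with three separate definitions of sh_port2proc_query in sh_port2proc.c. If that file does not see the same declaration (not visible here), a mismatch in the argument list compiles cleanly and is undefined at run time. Moving the prototype into a header included by both files would let the compiler check the new `unsigned long * pid` parameter at every definition and call.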
@@ -515,4 +515,5 @@
 	{
 	  char * path;
+	  unsigned long qpid;
 	  char   user[USER_MAX];
 
@@ -523,8 +524,8 @@
 		  inet_ntoa(haddr), port, SH_PROTO_STR(proto), service);
 #else
-	  path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+	  path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
 	  SH_MUTEX_LOCK(mutex_thread_nolog);
 	  sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-			  MSG_PORT_NEW, errbuf, path, user);
+			  MSG_PORT_NEW, errbuf, path, qpid, user);
 	  SH_MUTEX_UNLOCK(mutex_thread_nolog);
 	  SH_FREE(path);
@@ -538,4 +539,5 @@
 	{
 	  char * path;
+	  unsigned long qpid;
 	  char   user[USER_MAX];
 
@@ -545,8 +547,8 @@
 	  fprintf(stderr, _("service: %s\n"), errbuf);
 #else
-	  path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+	  path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
 	  SH_MUTEX_LOCK(mutex_thread_nolog);
 	  sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-			  MSG_PORT_RESTART, errbuf, path, user);
+			  MSG_PORT_RESTART, errbuf, path, qpid, user);
 	  SH_MUTEX_UNLOCK(mutex_thread_nolog);
 	  SH_FREE(path);
@@ -558,4 +560,5 @@
 	{
 	  char * path;
+	  unsigned long qpid;
 	  char   user[USER_MAX];
 
@@ -565,8 +568,8 @@
 	  fprintf(stderr, _("service: %s\n"), errbuf);
 #else
-	  path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+	  path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
 	  SH_MUTEX_LOCK(mutex_thread_nolog);
 	  sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-			  MSG_PORT_NEWPORT, errbuf, path, user);
+			  MSG_PORT_NEWPORT, errbuf, path, qpid, user);
 	  SH_MUTEX_UNLOCK(mutex_thread_nolog);
 	  SH_FREE(path);
@@ -585,4 +588,5 @@
 	{
 	  char * path;
+	  unsigned long qpid;
 	  char   user[USER_MAX];
 
@@ -593,8 +597,8 @@
 		  inet_ntoa(haddr), port, SH_PROTO_STR(proto), check_services(port, proto));
 #else
-	  path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+	  path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
 	  SH_MUTEX_LOCK(mutex_thread_nolog);
 	  sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-			  MSG_PORT_NEW, errbuf, path, user);
+			  MSG_PORT_NEW, errbuf, path, qpid, user);
 	  SH_MUTEX_UNLOCK(mutex_thread_nolog);
 	  SH_FREE(path);
@@ -608,4 +612,5 @@
 	{
 	  char * path;
+	  unsigned long qpid;
 	  char   user[USER_MAX];
 
@@ -615,8 +620,8 @@
 	  fprintf(stderr, _("port   : %s\n"), errbuf);
 #else
-	  path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+	  path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
 	  SH_MUTEX_LOCK(mutex_thread_nolog);
 	  sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-			  MSG_PORT_RESTART, errbuf, path, user);
+			  MSG_PORT_RESTART, errbuf, path, qpid, user);
 	  SH_MUTEX_UNLOCK(mutex_thread_nolog);
 	  SH_FREE(path);
Index: trunk/src/sh_prelude.c
===================================================================
--- trunk/src/sh_prelude.c	(revision 205)
+++ trunk/src/sh_prelude.c	(revision 206)
@@ -696,5 +696,5 @@
         int ret;
 	long port;
-	char *ptr, *new, *tmp, *ip, *srv, *end;
+	char *ptr, *new, *tmp, *ip, *srv, *protocol, *end;
         prelude_string_t *str;
         idmef_address_t *address;
@@ -704,4 +704,9 @@
         idmef_service_t *service;
         idmef_source_t *source = idmef_alert_get_next_source(alert, NULL);
+        struct passwd *pw;
+#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
+	struct passwd pwd;
+	char buffer[SH_PWBUF_SIZE];
+#endif
 
         new = sh_util_strdup(msg);
@@ -778,8 +783,9 @@
         if ( *ptr && *end == '\0' && port >= 0 && port < 65536) {
 
+	        char * tmpw;
+
                 if ( ! source ) {
                         ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
                         if ( ret < 0 ) {
-                                free(srv);
 				SH_FREE( new );
                                 return ret;
@@ -789,5 +795,4 @@
                 ret = idmef_source_new_service(source, &service);
                 if ( ret < 0 ) {
-                        free(srv);
 			SH_FREE( new );
                         return ret;
@@ -795,4 +800,22 @@
 
 		idmef_service_set_port(service, port);
+
+                ret = idmef_service_new_protocol(service, &str);
+                if ( ret < 0 ) {
+			SH_FREE( new );
+                        return ret;
+                }
+                
+		++tmp; 
+		if (*tmp) { 
+		        char * tmpw = tmp;
+			char tmpw_store;
+			while (*tmpw && !isblank((int) *tmpw)) ++tmpw;
+			tmpw_store = *tmpw; *tmpw = '\0';
+		        protocol = strdup(tmp);
+			*tmpw = tmpw_store;
+			prelude_string_set_nodup(str, protocol);
+		}
+
 	}
 
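Review bot: `isblank((int) *tmpw)` passes a plain char, which is negative for bytes above 0x7f where char is signed and is then undefined for the <ctype.h> functions; cast with `isblank((unsigned char) *tmpw)`. The result of `strdup(tmp)` is handed to `prelude_string_set_nodup(str, protocol)` unchecked, so guard it with `if (protocol)` or return an error as the neighbouring failure paths do. The inner `char * tmpw = tmp;` also shadows the `char * tmpw;` added at the top of the enclosing block in the previous hunk, which is then unused and can be dropped. What `tmp` points at before `++tmp` is outside the hunk, so confirm it cannot already be at the terminating NUL.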
@@ -850,8 +873,10 @@
 	SH_FREE( new );
 
-        ptr = get_value(msg, _("user"), NULL);
+        ptr = get_value(msg, _("userid"), NULL);
 
         if ( ptr ) {
 
+	        idmef_user_id_t * user_id;
+
 	        ret = idmef_source_new_user(source, &user);
                 if ( ret < 0 ) {
@@ -860,13 +885,33 @@
                 }
 
-		ret = idmef_user_new_ident(user, &str);
-                if ( ret < 0 ) {
-		        free(ptr);
-                        return ret;
-		}
+                idmef_user_set_category(user, IDMEF_USER_CATEGORY_APPLICATION);
+                
+                ret = idmef_user_new_user_id(user, &user_id, IDMEF_LIST_APPEND);
+                if ( ret < 0 ) {
+                        free(ptr);
+                        return ret;
+                }
+                
+                idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_CURRENT_USER);
+
+#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
+		sh_getpwnam_r(ptr, &pwd, buffer, sizeof(buffer), &pw);
+#else
+		pw = sh_getpwnam(ptr);
+#endif
+                if ( pw )
+                        idmef_user_id_set_number(user_id, pw->pw_uid);
+
+                ret = idmef_user_id_new_name(user_id, &str);
+                if ( ret < 0 ) {
+                        free(ptr);
+                        return ret;
+                }
                 prelude_string_set_nodup(str, ptr);
+
 	}
 
         ptr = get_value(msg, _("path"), NULL);
+        tmp = get_value(msg, _("pid"), NULL);
 
         if ( ptr ) {
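Review bot: `pw` is declared without an initializer and the return value of `sh_getpwnam_r(ptr, &pwd, buffer, sizeof(buffer), &pw)` is ignored, so `if ( pw )` relies on the wrapper always writing the result pointer, even on failure. The wrapper is not visible here. Setting `pw = NULL;` before the call, or testing the return value, keeps the check safe either way and prevents an indeterminate pointer from being dereferenced for `pw->pw_uid`.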
@@ -889,12 +934,23 @@
                 prelude_string_set_nodup(str, ptr);
 
-                ptr = strrchr(ptr, '/');
-                if ( ptr ) {
+                
+                if ( NULL != strrchr(ptr, '/') ) {
                         ret = idmef_process_new_name(process, &str);
                         if ( ret == 0 ) {
+			        ptr = strrchr(ptr, '/');
 			        prelude_string_set_dup(str, ptr + 1);
 			}
-                }
-        }
+                } else {
+		        ret = idmef_process_new_name(process, &str);
+                        if ( ret == 0 ) {
+			        prelude_string_set_dup(str, ptr);
+			}
+		}
+
+		idmef_process_set_pid(process, strtoul(tmp, NULL, 0));
+        }
+
+	if (tmp)
+	  free(tmp);
 
 	return 0;
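Review bot: `strtoul(tmp, NULL, 0)` is reached whenever a `path` value is present, but `tmp` is NULL when the message carries no `pid` field. The `if (tmp)` before the final free shows that case is expected, so this is a NULL dereference while building the alert. Guard it with `if (tmp) idmef_process_set_pid(process, strtoul(tmp, NULL, 10));`. Base 10 matches the `%lu` the field is written with, whereas base 0 would read a value with a leading zero as octal. The lines between the `get_value` call for `pid` and this point are outside the hunk; any `return ret;` among them would leak `tmp`. Since `free(NULL)` is a no-op, the closing `if (tmp)` test can be dropped.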
