Changeset 283

Timestamp:

May 4, 2010, 10:28:11 PM (15 years ago)

Author:

katerina

Message:

Patch for ticket #207 (server logs client reports to prelude).

Location:

trunk

Files:

• include/samhain.h (modified) (1 diff)
• include/sh_error.h (modified) (1 diff)
• include/sh_prelude.h (modified) (1 diff)
• src/sh_error.c (modified) (6 diffs)
• src/sh_forward.c (modified) (2 diffs)
• src/sh_prelude.c (modified) (10 diffs)

trunk/include/samhain.h

@@ -36 +36 @@
 #define REPLACE_OLD
 
-/* Standard buffer sizes.
- */
+/* Standard buffer sizes. 
+ * IPv6 is 8 groups of 4 hex digits seperated by colons.
+ */
+#define SH_IP_BUF        40
 #define SH_MINIBUF       64
 #define SH_BUFSIZE     1024

trunk/include/sh_error.h

@@ -101 +101 @@
 
 #ifdef SH_WITH_SERVER
+
 void sh_error_set_peer(const char * str);
+#ifdef HAVE_LIBPRELUDE
+void sh_error_set_peer_ip(const char * str);
+#endif
 int  set_flag_sep_log (const char * str);
 #endif

trunk/include/sh_prelude.h

@@ -9 +9 @@
 
 int sh_prelude_alert (int priority, int class, char * message,
-                      long msgflags, unsigned long msgid);
+                      long msgflags, unsigned long msgid, char * inet_peer_ip);
 
 /* map severity levels

trunk/src/sh_error.c

@@ -841 +841 @@
 #ifdef SH_WITH_SERVER
 static char inet_peer[SH_MINIBUF] = { '\0' };
+#ifdef HAVE_LIBPRELUDE
+static char inet_peer_ip[SH_IP_BUF] = { '\0' };
+
+void sh_error_set_peer_ip(const char * str)
+{
+  if (str == NULL)
+    inet_peer_ip[0] = '\0';
+  else
+    sl_strlcpy(inet_peer_ip, str, sizeof(inet_peer_ip));
+}
+#endif
 
 void sh_error_set_peer(const char * str)
@@ -847 +858 @@
     inet_peer[0] = '\0';
   else
-    sl_strlcpy(inet_peer, str, SH_MINIBUF);
+    sl_strlcpy(inet_peer, str, sizeof(inet_peer));
 }
 #endif
@@ -880 +891 @@
   int    class_inet = clt_class;      /* initialize from global */
   char   local_inet_peer[SH_MINIBUF];
+#ifdef HAVE_LIBPRELUDE
+  char   local_inet_peer_ip[SH_IP_BUF];
+#endif    
 #endif
 
@@ -924 +938 @@
   if ((msg_id == MSG_TCP_MSG) && (inet_peer[0] != '\0'))
     {
-      sl_strlcpy(local_inet_peer, inet_peer, SH_MINIBUF);
+      sl_strlcpy(local_inet_peer, inet_peer, sizeof(local_inet_peer));
       sh_error_set_peer(NULL);
     }
   else
     local_inet_peer[0] = '\0';
+
+#ifdef HAVE_LIBPRELUDE
+  if ((msg_id == MSG_TCP_MSG) && (inet_peer_ip[0] != '\0'))
+    {
+      sl_strlcpy(local_inet_peer_ip, inet_peer_ip, sizeof(local_inet_peer_ip));
+      sh_error_set_peer_ip(NULL);
+    }
+  else
+    local_inet_peer_ip[0] = '\0';
+#endif
 
   clt_class = (-1);      /* reset global */
@@ -1263 +1287 @@
                *  Reports first error after failure. Always tries.
                */
-              (void) sh_prelude_alert (severity, (int) class, lmsg->msg,
-                                       lmsg->status, msg_id);
-
+#if defined(HAVE_LIBPRELUDE) && defined(SH_WITH_SERVER) 
+              (void) sh_prelude_alert (severity, (int) class, 
+                                       lmsg->msg, lmsg->status, msg_id, 
+                                       local_inet_peer_ip);
+#else
+              (void) sh_prelude_alert (severity, (int) class, 
+                                       lmsg->msg, lmsg->status, msg_id, 
+                                       NULL);
+#endif
               prelude_block = 0;
             }
@@ -1301 +1331 @@
                     (void) sh_log_file (lmsg->msg, NULL);
                   else
-                    (void) sh_log_file (lmsg->msg, local_inet_peer);
+                    (void) sh_log_file (lmsg->msg, local_inet_peer);
                 }
 #else

trunk/src/sh_forward.c

@@ -3661 +3661 @@
                   /* push client name to error routine
                    */
+#if defined(SH_WITH_SERVER) && defined(HAVE_LIBPRELUDE)
+                  sh_error_set_peer_ip( inet_ntoa (*(struct in_addr *) &(conn->addr_peer.sin_addr)) );                        
+#endif
                   sh_error_set_peer(sh_strip_domain (conn->peer));
                   sh_error_handle(clt_sev, FIL__, __LINE__, 0, MSG_TCP_MSG,
@@ -3666 +3669 @@
                                   ptok);
                   sh_error_set_peer(NULL);
-
+#if defined(SH_WITH_SERVER) && defined(HAVE_LIBPRELUDE)
+                  sh_error_set_peer_ip(NULL);
+#endif
+                  
                   TPT((0, FIL__, __LINE__, _("msg=<%s>\n"), ptok));
                   SH_FREE(ptok);

trunk/src/sh_prelude.c

@@ -219 +219 @@
 {
         char *ret = NULL;
-        
+#if defined(SH_WITH_SERVER)
+        int    delim_start_count = 0;
+        int    found = 0;
+#endif                
+
         ptr = strchr(ptr, delim_start);
         if ( ! ptr )
@@ -225 +229 @@
 
         ret = ++ptr;
-
+#if defined(SH_WITH_SERVER)
+        while ((*ptr != '\0') && (!found)){
+                if (*ptr == delim_end) {
+                        if (delim_start_count == 0)
+                                found = 1;
+                        delim_start_count--;
+                }
+                else if (*ptr == delim_start) 
+                        delim_start_count++;
+                ptr++;
+        }
+        ptr = (found) ? ptr-1 : NULL ;
+#else
         ptr = strchr(ptr, delim_end);
+#endif
         if ( ! ptr )
                 return NULL;
@@ -555 +572 @@
 
                 free(uid);
+                /* Don't free(ptr) because of prelude_string_set_nodup(str, ptr) */
         }
 
@@ -597 +615 @@
 
                 free(gid);
+                /* Don't free(ptr) because of prelude_string_set_nodup(str, ptr) */
         }
 
@@ -683 +702 @@
                 return -1;
         }
-        
+
+#if defined(SH_WITH_SERVER)
+        /* when using yule, theres a msg=<... msg=<...> >*/
+        do {
+                msg = ptr;
+                ptr = get_value(msg, _("msg"), NULL);
+                if ( ! ptr ) {
+                        ptr = msg;
+                        break;
+                } else {
+                        free(msg);
+                }
+        } while (1);
+#endif        
+
         ret = prelude_string_cat(out, ptr);
         free(ptr);
@@ -1115 +1148 @@
 
 
+static int node_set_address(idmef_node_t *node, const char *addr)
+{
+        int ret;
+        prelude_string_t *prelude_str;
+        idmef_address_t *idmef_addr;
+
+        ret = prelude_string_new(&prelude_str);
+        if ( ret < 0 ) 
+                goto err;
+      
+        ret = prelude_string_set_ref(prelude_str, addr);
+        if ( ret < 0 ) 
+                goto err;
+
+        ret = idmef_address_new(&idmef_addr);
+        if ( ret < 0 ) 
+                goto err;
+      
+        idmef_address_set_category(idmef_addr, IDMEF_ADDRESS_CATEGORY_IPV4_ADDR);
+        idmef_address_set_address(idmef_addr, prelude_str);
+        idmef_node_set_address(node, idmef_addr, 0);
+
+        return 0;
+ err:
+        return -1;
+}
+
+                                          
+
 static int samhain_alert_prelude(int priority, int sh_class, 
-                                 char *message, unsigned long msgid)
+                                 char *message, unsigned long msgid, char * inet_peer_ip)
 {
         int ret;
@@ -1129 +1191 @@
         idmef_confidence_t *confidence;
         prelude_string_t *str;
+#if defined(SH_WITH_SERVER)
+        idmef_node_t *node;
+#endif
                 
         if ( !client || sh_class == STAMP)
@@ -1162 +1227 @@
 
         idmef_target_set_decoy(target, IDMEF_TARGET_DECOY_NO);
-        
+
+#if defined(SH_WITH_SERVER)
+        if ( inet_peer_ip != NULL){
+                ret = idmef_target_new_node(target, &node);
+        
+                ret = node_set_address(node, inet_peer_ip); 
+                if ( ret < 0 )
+                          goto err;
+                          
+                idmef_target_set_node(target, idmef_node_ref(node));
+        }
+        else
         if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
                 idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
                 idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
         }
-        
+#else        
+        if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
+                idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
+                idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
+        }
+#endif        
         if ( strstr(message, _("path=")) ) {
 #if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
@@ -1248 +1329 @@
 
 
-int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid)
+int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid, char *inet_peer_ip)
 {
         int ret;
@@ -1257 +1338 @@
                 return -1;
         
-        ret = samhain_alert_prelude(priority, sh_class, message, msgid);
+        ret = samhain_alert_prelude(priority, sh_class, message, msgid, inet_peer_ip);
         if ( ret < 0 ) {
                 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,