#207 closed enhancement (fixed)
Server should be able to log client reports to prelude
| Reported by: | rainer | Owned by: | rainer |
|---|---|---|---|
| Priority: | major | Milestone: | 2.7.1 |
| Component: | main | Version: | 2.7.0 |
| Keywords: | Cc: |
Description
Requested by J. Ventura: to concentrate all logs to a unique prelude analyzer, instead of one analyzer per client, the server should support logging of client messages to prelude. The patch below has been developed and contributed by J. Ventura.
diff -dur samhain-2.7.0-orig/include/sh_error.h samhain-2.7.0/include/sh_error.h
--- samhain-2.7.0-orig/include/sh_error.h 2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/include/sh_error.h 2010-05-02 14:23:29.000000000 +0100
@@ -100,7 +100,11 @@
void sh_error_dbg_switch(void);
#ifdef SH_WITH_SERVER
+
void sh_error_set_peer(const char * str);
+#ifdef HAVE_LIBPRELUDE
+void sh_error_set_peer_ip(const char * str);
+#endif
int set_flag_sep_log (const char * str);
#endif
diff -dur samhain-2.7.0-orig/include/sh_prelude.h samhain-2.7.0/include/sh_prelude.h
--- samhain-2.7.0-orig/include/sh_prelude.h 2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/include/sh_prelude.h 2010-05-02 14:23:29.000000000 +0100
@@ -8,7 +8,7 @@
int sh_prelude_set_profile(const char *arg);
int sh_prelude_alert (int priority, int class, char * message,
- long msgflags, unsigned long msgid);
+ long msgflags, unsigned long msgid, char * inet_peer_ip);
/* map severity levels
*/
diff -dur samhain-2.7.0-orig/src/sh_error.c samhain-2.7.0/src/sh_error.c
--- samhain-2.7.0-orig/src/sh_error.c 2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/src/sh_error.c 2010-05-02 14:23:29.000000000 +0100
@@ -840,6 +840,17 @@
#ifdef SH_WITH_SERVER
static char inet_peer[SH_MINIBUF] = { '\0' };
+#ifdef HAVE_LIBPRELUDE
+static char inet_peer_ip[16] = { '\0' };
+
+void sh_error_set_peer_ip(const char * str)
+{
+ if (str == NULL)
+ inet_peer_ip[0] = '\0';
+ else
+ sl_strlcpy(inet_peer_ip, str, 16);
+}
+#endif
void sh_error_set_peer(const char * str)
{
@@ -879,6 +890,9 @@
#ifdef SH_WITH_SERVER
int class_inet = clt_class; /* initialize from global */
char local_inet_peer[SH_MINIBUF];
+#ifdef HAVE_LIBPRELUDE
+ char local_inet_peer_ip[16];
+#endif
#endif
#if defined(SH_WITH_CLIENT) || defined(SH_WITH_SERVER)
@@ -928,6 +942,15 @@
}
else
local_inet_peer[0] = '\0';
+#ifdef HAVE_LIBPRELUDE
+ if ((msg_id == MSG_TCP_MSG) && (inet_peer_ip[0] != '\0'))
+ {
+ sl_strlcpy(local_inet_peer_ip, inet_peer_ip, 16);
+ sh_error_set_peer_ip(NULL);
+ }
+ else
+ local_inet_peer_ip[0] = '\0';
+#endif
clt_class = (-1); /* reset global */
#endif
@@ -1262,9 +1285,11 @@
/*
* Reports first error after failure. Always tries.
*/
- (void) sh_prelude_alert (severity, (int) class, lmsg->msg,
- lmsg->status, msg_id);
-
+#if defined (HAVE_LIBPRELUDE) && defined (SH_WITH_SERVER)
+ (void) sh_prelude_alert (severity, (int) class, lmsg->msg, lmsg->status, msg_id, local_inet_peer_ip);
+#else
+ (void) sh_prelude_alert (severity, (int) class, lmsg->msg, lmsg->status, msg_id, NULL);
+#endif
prelude_block = 0;
}
}
@@ -1300,7 +1325,7 @@
if (local_inet_peer[0] == '\0')
(void) sh_log_file (lmsg->msg, NULL);
else
- (void) sh_log_file (lmsg->msg, local_inet_peer);
+ (void) sh_log_file (lmsg->msg, local_inet_peer);
}
#else
(void) sh_log_file (lmsg->msg, NULL);
diff -dur samhain-2.7.0-orig/src/sh_forward.c samhain-2.7.0/src/sh_forward.c
--- samhain-2.7.0-orig/src/sh_forward.c 2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/src/sh_forward.c 2010-05-02 14:23:29.000000000 +0100
@@ -3660,12 +3660,18 @@
/* push client name to error routine
*/
+#if defined (SH_WITH_SERVER) && defined (HAVE_LIBPRELUDE)
+ sh_error_set_peer_ip( inet_ntoa (*(struct in_addr *) &(conn->addr_peer.sin_addr)) );
+#endif
sh_error_set_peer(sh_strip_domain (conn->peer));
sh_error_handle(clt_sev, FIL__, __LINE__, 0, MSG_TCP_MSG,
sh_strip_domain (conn->peer),
ptok);
sh_error_set_peer(NULL);
-
+#ifdef SH_WITH_SERVER && HAVE_LIBPRELUDE
+ sh_error_set_peer_ip(NULL);
+#endif
+
TPT((0, FIL__, __LINE__, _("msg=<%s>\n"), ptok));
SH_FREE(ptok);
clt_class = (-1);
diff -dur samhain-2.7.0-orig/src/sh_prelude.c samhain-2.7.0/src/sh_prelude.c
--- samhain-2.7.0-orig/src/sh_prelude.c 2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/src/sh_prelude.c 2010-05-02 14:23:29.000000000 +0100
@@ -218,14 +218,30 @@
static char *do_get_value(char *ptr, char delim_start, char delim_end)
{
char *ret = NULL;
-
+#if defined(SH_WITH_SERVER)
+ int delim_start_count = 0;
+ int found = 0;
+#endif
+
ptr = strchr(ptr, delim_start);
if ( ! ptr )
return NULL;
ret = ++ptr;
-
+#if defined(SH_WITH_SERVER)
+ while ((*ptr != '\0') && (!found)){
+ if (*ptr == delim_end) {
+ if (delim_start_count == 0)
+ found = 1;
+ delim_start_count--;
+ }
+ else if (*ptr == delim_start ) delim_start_count++;
+ ptr++;
+ }
+ ptr = (found) ? ptr-1 : NULL ;
+#else
ptr = strchr(ptr, delim_end);
+#endif
if ( ! ptr )
return NULL;
@@ -682,7 +698,13 @@
_("could not format Samhain message"), _("map_policy_to_class"));
return -1;
}
-
+#if defined(SH_WITH_SERVER)
+ /* when using yule, theres a msg=<... msg=<...> >*/
+ msg = ptr;
+ ptr = get_value(msg, _("msg"), NULL);
+ if ( ! ptr )
+ ptr = msg;
+#endif
ret = prelude_string_cat(out, ptr);
free(ptr);
@@ -1114,8 +1136,37 @@
}
+static int node_set_address(idmef_node_t *node, const char *addr)
+{
+ int ret;
+ prelude_string_t *prelude_str;
+ idmef_address_t *idmef_addr;
+
+ ret = prelude_string_new(&prelude_str);
+ if ( ret < 0 )
+ goto err;
+
+ ret = prelude_string_set_ref(prelude_str, addr);
+ if ( ret < 0 )
+ goto err;
+
+ ret = idmef_address_new(&idmef_addr);
+ if ( ret < 0 )
+ goto err;
+
+ idmef_address_set_category(idmef_addr, IDMEF_ADDRESS_CATEGORY_IPV4_ADDR);
+ idmef_address_set_address(idmef_addr, prelude_str);
+ idmef_node_set_address(node, idmef_addr, 0);
+
+ return 0;
+ err:
+ return -1;
+}
+
+
+
static int samhain_alert_prelude(int priority, int sh_class,
- char *message, unsigned long msgid)
+ char *message, unsigned long msgid, char * inet_peer_ip)
{
int ret;
idmef_time_t *time;
@@ -1161,12 +1212,28 @@
goto err;
idmef_target_set_decoy(target, IDMEF_TARGET_DECOY_NO);
+#if defined(SH_WITH_SERVER)
+ idmef_node_t *node;
+ if ( inet_peer_ip != NULL){
+ ret = idmef_target_new_node(target, &node);
+ ret = node_set_address(node, inet_peer_ip);
+ if ( ret < 0 )
+ goto err;
+
+ idmef_target_set_node(target, idmef_node_ref(node));
+ }
+ else
if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
}
-
+#else
+ if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
+ idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
+ idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
+ }
+#endif
if ( strstr(message, _("path=")) ) {
#if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
if ( msgid != MSG_FI_ADD && msgid != MSG_FI_ADD2 )
@@ -1247,7 +1314,7 @@
}
-int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid)
+int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid, char *inet_peer_ip)
{
int ret;
@@ -1256,7 +1323,7 @@
if ( initialized < 1 )
return -1;
- ret = samhain_alert_prelude(priority, sh_class, message, msgid);
+ ret = samhain_alert_prelude(priority, sh_class, message, msgid, inet_peer_ip);
if ( ret < 0 ) {
sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
_("Problem with IDMEF for prelude-ids support: alert lost"),
Change History (2)
comment:1 by , 15 years ago
| Status: | new → assigned |
|---|
comment:2 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
It is believed that the problem is solved by the aforementioned patches.
Note:
See TracTickets
for help on using tickets.
The patch leaks memory, and doesn't handle server-to-server relay. Needs the following fix:
#if defined(SH_WITH_SERVER) /* when using yule, theres a msg=<... msg=<...> >*/ do { msg = ptr; ptr = get_value(msg, _("msg"), NULL); if ( ! ptr ) { ptr = msg; break; } else { free(msg); } } while (1); #endif