Opened 10 years ago

Closed 10 years ago

Last modified 4 years ago

#207 closed enhancement (fixed)

Server should be able to log client reports to prelude

Reported by: rainer Owned by: rainer
Priority: major Milestone: 2.7.1
Component: main Version: 2.7.0
Keywords: Cc:

Description

Requested by J. Ventura: to concentrate all logs to a unique prelude analyzer, instead of one analyzer per client, the server should support logging of client messages to prelude. The patch below has been developed and contributed by J. Ventura.

diff -dur samhain-2.7.0-orig/include/sh_error.h samhain-2.7.0/include/sh_error.h
--- samhain-2.7.0-orig/include/sh_error.h	2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/include/sh_error.h	2010-05-02 14:23:29.000000000 +0100
@@ -100,7 +100,11 @@
 void sh_error_dbg_switch(void);
 
 #ifdef SH_WITH_SERVER
+
 void sh_error_set_peer(const char * str);
+#ifdef HAVE_LIBPRELUDE
+void sh_error_set_peer_ip(const char * str);
+#endif
 int  set_flag_sep_log (const char * str);
 #endif
 
diff -dur samhain-2.7.0-orig/include/sh_prelude.h samhain-2.7.0/include/sh_prelude.h
--- samhain-2.7.0-orig/include/sh_prelude.h	2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/include/sh_prelude.h	2010-05-02 14:23:29.000000000 +0100
@@ -8,7 +8,7 @@
 int sh_prelude_set_profile(const char *arg);
 
 int sh_prelude_alert (int priority, int class, char * message,
-		      long msgflags, unsigned long msgid);
+		      long msgflags, unsigned long msgid, char * inet_peer_ip);
 
 /* map severity levels
  */
diff -dur samhain-2.7.0-orig/src/sh_error.c samhain-2.7.0/src/sh_error.c
--- samhain-2.7.0-orig/src/sh_error.c	2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/src/sh_error.c	2010-05-02 14:23:29.000000000 +0100
@@ -840,6 +840,17 @@
 
 #ifdef SH_WITH_SERVER
 static char inet_peer[SH_MINIBUF] = { '\0' };
+#ifdef HAVE_LIBPRELUDE
+static char inet_peer_ip[16] = { '\0' };
+
+void sh_error_set_peer_ip(const char * str)
+{
+  if (str == NULL)
+    inet_peer_ip[0] = '\0';
+  else
+    sl_strlcpy(inet_peer_ip, str, 16);
+}
+#endif
 
 void sh_error_set_peer(const char * str)
 {
@@ -879,6 +890,9 @@
 #ifdef SH_WITH_SERVER
   int    class_inet = clt_class;      /* initialize from global */
   char   local_inet_peer[SH_MINIBUF];
+#ifdef HAVE_LIBPRELUDE
+  char   local_inet_peer_ip[16];
+#endif    
 #endif
 
 #if defined(SH_WITH_CLIENT) || defined(SH_WITH_SERVER)
@@ -928,6 +942,15 @@
     }
   else
     local_inet_peer[0] = '\0';
+#ifdef HAVE_LIBPRELUDE
+  if ((msg_id == MSG_TCP_MSG) && (inet_peer_ip[0] != '\0'))
+    {
+      sl_strlcpy(local_inet_peer_ip, inet_peer_ip, 16);
+      sh_error_set_peer_ip(NULL);
+    }
+  else
+    local_inet_peer_ip[0] = '\0';
+#endif
 
   clt_class = (-1);      /* reset global */
 #endif
@@ -1262,9 +1285,11 @@
 	      /*
 	       *  Reports first error after failure. Always tries.
 	       */
-	      (void) sh_prelude_alert (severity, (int) class, lmsg->msg,
-				       lmsg->status, msg_id);
-
+#if defined (HAVE_LIBPRELUDE) && defined (SH_WITH_SERVER) 
+                (void) sh_prelude_alert (severity, (int) class, lmsg->msg, lmsg->status, msg_id, local_inet_peer_ip);
+#else
+                (void) sh_prelude_alert (severity, (int) class, lmsg->msg, lmsg->status, msg_id, NULL);
+#endif
 	      prelude_block = 0;
 	    }
 	}
@@ -1300,7 +1325,7 @@
 		  if (local_inet_peer[0] == '\0')
 		    (void) sh_log_file (lmsg->msg, NULL);
 		  else
-		    (void) sh_log_file (lmsg->msg, local_inet_peer);
+                    (void) sh_log_file (lmsg->msg, local_inet_peer);
 		}
 #else
               (void) sh_log_file (lmsg->msg, NULL);
diff -dur samhain-2.7.0-orig/src/sh_forward.c samhain-2.7.0/src/sh_forward.c
--- samhain-2.7.0-orig/src/sh_forward.c	2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/src/sh_forward.c	2010-05-02 14:23:29.000000000 +0100
@@ -3660,12 +3660,18 @@
 
 		  /* push client name to error routine
                    */
+#if defined (SH_WITH_SERVER) && defined (HAVE_LIBPRELUDE)
+                  sh_error_set_peer_ip( inet_ntoa (*(struct in_addr *) &(conn->addr_peer.sin_addr)) );                        
+#endif
                   sh_error_set_peer(sh_strip_domain (conn->peer));
 		  sh_error_handle(clt_sev, FIL__, __LINE__, 0, MSG_TCP_MSG,
 				  sh_strip_domain (conn->peer), 
 				  ptok);
                   sh_error_set_peer(NULL);
-
+#ifdef SH_WITH_SERVER && HAVE_LIBPRELUDE
+                  sh_error_set_peer_ip(NULL);
+#endif
+                  
 		  TPT((0, FIL__, __LINE__, _("msg=<%s>\n"), ptok));
 		  SH_FREE(ptok);
 		  clt_class = (-1);
diff -dur samhain-2.7.0-orig/src/sh_prelude.c samhain-2.7.0/src/sh_prelude.c
--- samhain-2.7.0-orig/src/sh_prelude.c	2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/src/sh_prelude.c	2010-05-02 14:23:29.000000000 +0100
@@ -218,14 +218,30 @@
 static char *do_get_value(char *ptr, char delim_start, char delim_end)
 {
         char *ret = NULL;
-        
+#if defined(SH_WITH_SERVER)
+        int delim_start_count = 0;
+        int found = 0;
+#endif                
+
         ptr = strchr(ptr, delim_start);
         if ( ! ptr )
                 return NULL;
 
         ret = ++ptr;
-
+#if defined(SH_WITH_SERVER)
+        while ((*ptr != '\0') && (!found)){
+            if (*ptr == delim_end) {
+                if (delim_start_count == 0)
+                    found = 1;
+                delim_start_count--;
+            }
+            else if (*ptr == delim_start ) delim_start_count++;
+            ptr++;
+        }
+        ptr = (found) ? ptr-1 : NULL ;
+#else
         ptr = strchr(ptr, delim_end);
+#endif
         if ( ! ptr )
                 return NULL;
         
@@ -682,7 +698,13 @@
                                 _("could not format Samhain message"), _("map_policy_to_class"));
                 return -1;
         }
-        
+#if defined(SH_WITH_SERVER)
+        /* when using yule, theres a msg=<... msg=<...> >*/
+        msg = ptr;
+        ptr = get_value(msg, _("msg"), NULL);
+        if ( ! ptr )
+            ptr = msg;
+#endif        
         ret = prelude_string_cat(out, ptr);
         free(ptr);
         
@@ -1114,8 +1136,37 @@
 }
 
 
+static int node_set_address(idmef_node_t *node, const char *addr)
+{
+      int ret;
+      prelude_string_t *prelude_str;
+      idmef_address_t *idmef_addr;
+
+      ret = prelude_string_new(&prelude_str);
+      if ( ret < 0 ) 
+          goto err;
+      
+      ret = prelude_string_set_ref(prelude_str, addr);
+      if ( ret < 0 ) 
+          goto err;
+
+      ret = idmef_address_new(&idmef_addr);
+      if ( ret < 0 ) 
+          goto err;
+      
+      idmef_address_set_category(idmef_addr, IDMEF_ADDRESS_CATEGORY_IPV4_ADDR);
+      idmef_address_set_address(idmef_addr, prelude_str);
+      idmef_node_set_address(node, idmef_addr, 0);
+
+      return 0;
+ err:
+        return -1;
+}
+
+                                          
+
 static int samhain_alert_prelude(int priority, int sh_class, 
-				 char *message, unsigned long msgid)
+				 char *message, unsigned long msgid, char * inet_peer_ip)
 {
         int ret;
         idmef_time_t *time;
@@ -1161,12 +1212,28 @@
                 goto err;
 
         idmef_target_set_decoy(target, IDMEF_TARGET_DECOY_NO);
+#if defined(SH_WITH_SERVER)
+        idmef_node_t *node;
+        if ( inet_peer_ip != NULL){
+          ret = idmef_target_new_node(target, &node);
         
+          ret = node_set_address(node, inet_peer_ip); 
+          if ( ret < 0 )
+                          goto err;
+                          
+          idmef_target_set_node(target, idmef_node_ref(node));
+        }
+        else
         if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
                 idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
                 idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
         }
-        
+#else        
+        if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
+                idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
+                idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
+        }
+#endif        
         if ( strstr(message, _("path=")) ) {
 #if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
                 if ( msgid != MSG_FI_ADD && msgid != MSG_FI_ADD2 )
@@ -1247,7 +1314,7 @@
 }
 
 
-int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid)
+int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid, char *inet_peer_ip)
 {
         int ret;
         
@@ -1256,7 +1323,7 @@
         if ( initialized < 1 )
                 return -1;
         
-        ret = samhain_alert_prelude(priority, sh_class, message, msgid);
+        ret = samhain_alert_prelude(priority, sh_class, message, msgid, inet_peer_ip);
         if ( ret < 0 ) {
                 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
                                 _("Problem with IDMEF for prelude-ids support: alert lost"), 

Change History (2)

comment:1 Changed 10 years ago by rainer

  • Status changed from new to assigned

The patch leaks memory, and doesn't handle server-to-server relay. Needs the following fix:

#if defined(SH_WITH_SERVER)
        /* when using yule, theres a msg=<... msg=<...> >*/
	do {
	        msg = ptr;
		ptr = get_value(msg, _("msg"), NULL);
		if ( ! ptr ) {
		        ptr = msg;
			break;
		} else {
		        free(msg);
		}
	} while (1);
#endif        

comment:2 Changed 10 years ago by rainer

  • Resolution set to fixed
  • Status changed from assigned to closed

It is believed that the problem is solved by the aforementioned patches.

Note: See TracTickets for help on using tickets.