#207 closed enhancement (fixed)
Server should be able to log client reports to prelude
Reported by: | rainer | Owned by: | rainer |
---|---|---|---|
Priority: | major | Milestone: | 2.7.1 |
Component: | main | Version: | 2.7.0 |
Keywords: | Cc: |
Description
Requested by J. Ventura: to concentrate all logs in a single prelude analyzer, instead of one analyzer per client, the server should support logging of client messages to prelude. The patch below was developed and contributed by J. Ventura.
diff -dur samhain-2.7.0-orig/include/sh_error.h samhain-2.7.0/include/sh_error.h
--- samhain-2.7.0-orig/include/sh_error.h 2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/include/sh_error.h 2010-05-02 14:23:29.000000000 +0100
@@ -100,7 +100,11 @@
 void sh_error_dbg_switch(void);
 #ifdef SH_WITH_SERVER
+
 void sh_error_set_peer(const char * str);
+#ifdef HAVE_LIBPRELUDE
+void sh_error_set_peer_ip(const char * str);
+#endif
 int set_flag_sep_log (const char * str);
 #endif
diff -dur samhain-2.7.0-orig/include/sh_prelude.h samhain-2.7.0/include/sh_prelude.h
--- samhain-2.7.0-orig/include/sh_prelude.h 2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/include/sh_prelude.h 2010-05-02 14:23:29.000000000 +0100
@@ -8,7 +8,7 @@
 int sh_prelude_set_profile(const char *arg);
 int sh_prelude_alert (int priority, int class, char * message,
- long msgflags, unsigned long msgid);
+ long msgflags, unsigned long msgid, char * inet_peer_ip);
 /* map severity levels */
diff -dur samhain-2.7.0-orig/src/sh_error.c samhain-2.7.0/src/sh_error.c
--- samhain-2.7.0-orig/src/sh_error.c 2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/src/sh_error.c 2010-05-02 14:23:29.000000000 +0100
@@ -840,6 +840,17 @@
 #ifdef SH_WITH_SERVER
 static char inet_peer[SH_MINIBUF] = { '\0' };
+#ifdef HAVE_LIBPRELUDE
+static char inet_peer_ip[16] = { '\0' };
+
+void sh_error_set_peer_ip(const char * str)
+{
+ if (str == NULL)
+ inet_peer_ip[0] = '\0';
+ else
+ sl_strlcpy(inet_peer_ip, str, 16);
+}
+#endif
 void sh_error_set_peer(const char * str)
 {
@@ -879,6 +890,9 @@
 #ifdef SH_WITH_SERVER
 int class_inet = clt_class; /* initialize from global */
 char local_inet_peer[SH_MINIBUF];
+#ifdef HAVE_LIBPRELUDE
+ char local_inet_peer_ip[16];
+#endif
 #endif
 #if defined(SH_WITH_CLIENT) || defined(SH_WITH_SERVER)
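Review bot: The peer-address buffer size appears as the bare literal `16` in four places in this file — the `inet_peer_ip` definition and the `sl_strlcpy` bound in this hunk, the `local_inet_peer_ip` declaration in the `@@ -879` hunk and the copy in the `@@ -928` hunk — with nothing tying them together. A single constant next to `inet_peer_ip`, e.g. `enum { SH_PEER_IP_LEN = 16 };`, used for all four would keep the buffers and the copy bounds in step. The size is an IPv4 dotted quad plus terminator, matching the `inet_ntoa` caller in sh_forward.c; anything longer is silently truncated by `sl_strlcpy`, so a comment on the definition such as `/* IPv4 dotted quad + NUL; filled from inet_ntoa() only */` would record that limit. The copy itself is bounded, so the write is safe as written.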
@@ -928,6 +942,15 @@
 }
 else
 local_inet_peer[0] = '\0';
+#ifdef HAVE_LIBPRELUDE
+ if ((msg_id == MSG_TCP_MSG) && (inet_peer_ip[0] != '\0'))
+ {
+ sl_strlcpy(local_inet_peer_ip, inet_peer_ip, 16);
+ sh_error_set_peer_ip(NULL);
+ }
+ else
+ local_inet_peer_ip[0] = '\0';
+#endif
 clt_class = (-1); /* reset global */
 #endif
@@ -1262,9 +1285,11 @@
 /*
 * Reports first error after failure. Always tries.
 */
- (void) sh_prelude_alert (severity, (int) class, lmsg->msg,
- lmsg->status, msg_id);
-
+#if defined (HAVE_LIBPRELUDE) && defined (SH_WITH_SERVER)
+ (void) sh_prelude_alert (severity, (int) class, lmsg->msg, lmsg->status, msg_id, local_inet_peer_ip);
+#else
+ (void) sh_prelude_alert (severity, (int) class, lmsg->msg, lmsg->status, msg_id, NULL);
+#endif
 prelude_block = 0;
 }
 }
@@ -1300,7 +1325,7 @@
 if (local_inet_peer[0] == '\0')
 (void) sh_log_file (lmsg->msg, NULL);
 else
- (void) sh_log_file (lmsg->msg, local_inet_peer);
+ (void) sh_log_file (lmsg->msg, local_inet_peer);
 }
 #else
 (void) sh_log_file (lmsg->msg, NULL);
diff -dur samhain-2.7.0-orig/src/sh_forward.c samhain-2.7.0/src/sh_forward.c
--- samhain-2.7.0-orig/src/sh_forward.c 2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/src/sh_forward.c 2010-05-02 14:23:29.000000000 +0100
@@ -3660,12 +3660,18 @@
 /* push client name to error routine */
+#if defined (SH_WITH_SERVER) && defined (HAVE_LIBPRELUDE)
+ sh_error_set_peer_ip( inet_ntoa (*(struct in_addr *) &(conn->addr_peer.sin_addr)) );
+#endif
 sh_error_set_peer(sh_strip_domain (conn->peer));
 sh_error_handle(clt_sev, FIL__, __LINE__, 0, MSG_TCP_MSG, sh_strip_domain (conn->peer), ptok);
 sh_error_set_peer(NULL);
-
+#ifdef SH_WITH_SERVER && HAVE_LIBPRELUDE
+ sh_error_set_peer_ip(NULL);
+#endif
+
 TPT((0, FIL__, __LINE__, _("msg=<%s>\n"), ptok));
 SH_FREE(ptok);
 clt_class = (-1);
diff -dur samhain-2.7.0-orig/src/sh_prelude.c samhain-2.7.0/src/sh_prelude.c
--- samhain-2.7.0-orig/src/sh_prelude.c 2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/src/sh_prelude.c 2010-05-02 14:23:29.000000000 +0100
@@ -218,14 +218,30 @@
 static char *do_get_value(char *ptr, char delim_start, char delim_end)
 {
 char *ret = NULL;
-
+#if defined(SH_WITH_SERVER)
+ int delim_start_count = 0;
+ int found = 0;
+#endif
+
 ptr = strchr(ptr, delim_start);
 if ( ! ptr )
 return NULL;
 ret = ++ptr;
-
+#if defined(SH_WITH_SERVER)
+ while ((*ptr != '\0') && (!found)){
+ if (*ptr == delim_end) {
+ if (delim_start_count == 0)
+ found = 1;
+ delim_start_count--;
+ }
+ else if (*ptr == delim_start ) delim_start_count++;
+ ptr++;
+ }
+ ptr = (found) ? ptr-1 : NULL ;
+#else
 ptr = strchr(ptr, delim_end);
+#endif
 if ( ! ptr )
 return NULL;
@@ -682,7 +698,13 @@
 _("could not format Samhain message"),
 _("map_policy_to_class"));
 return -1;
 }
-
+#if defined(SH_WITH_SERVER)
+ /* when using yule, theres a msg=<... msg=<...> >*/
+ msg = ptr;
+ ptr = get_value(msg, _("msg"), NULL);
+ if ( ! ptr )
+ ptr = msg;
+#endif
 ret = prelude_string_cat(out, ptr);
 free(ptr);
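Review bot: `#ifdef SH_WITH_SERVER && HAVE_LIBPRELUDE` around the second `sh_error_set_peer_ip(NULL)` call is not a conjunction: `#ifdef` takes a single identifier, so the preprocessor tests `SH_WITH_SERVER` alone and treats `&& HAVE_LIBPRELUDE` as stray tokens (a warning at best). A server built without libprelude therefore still compiles that call, but sh_error.h declares `sh_error_set_peer_ip` only under `HAVE_LIBPRELUDE` and sh_error.c defines it only there, so the build fails at link time (or earlier, if implicit declarations are rejected). The guard should read like the one added a few lines above: `#if defined (SH_WITH_SERVER) && defined (HAVE_LIBPRELUDE)`. The reset is also redundant, since `sh_error_handle` already calls `sh_error_set_peer_ip(NULL)` after copying the address in the `@@ -928` hunk of sh_error.c, though it is harmless. Note that the address comes from the socket peer `conn->addr_peer`, so an alert relayed through another yule would presumably carry the relaying server's address rather than the originating client's; the enclosing function continues outside the hunk.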
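Review bot: The `#if defined(SH_WITH_SERVER)` fork in `do_get_value` keeps two parsers for the same job, and the nesting-aware loop returns exactly the position `strchr` would whenever no nested `delim_start` occurs, so the `#else` branch could be dropped and client and server would share one tested code path. The one behavioural difference is worth a comment: for an unbalanced input such as `<a<b>` the loop leaves `found` at 0 and returns NULL, where `strchr` would have matched the final `>`; the existing `if ( ! ptr ) return NULL;` then reports it as a missing value. The `delim_start_count--` executed after `found = 1` is dead work; moving it into an `else` keeps the counter meaningful, e.g. `if (delim_start_count == 0) found = 1; else delim_start_count--;`.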
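Review bot: In the `#if defined(SH_WITH_SERVER)` block, when `get_value` returns a string different from `msg`, the buffer previously held in `ptr` (now `msg`) is never released: the only `free(ptr)` below frees the inner string, and `msg` is freed only in the fallback case where `ptr = msg`. Assuming `get_value` returns heap memory, which the existing `free(ptr)` suggests, the leak is closed by `if ( ptr != msg ) free(msg);` next to that `free(ptr)`. The hunk does not show a declaration of `msg`; if it is a new local it belongs with the declarations at the top of the enclosing function, which starts outside the hunk. The comment would read better as `/* via yule the client message arrives nested, msg=<... msg=<...> >; use the inner one */`.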
@@ -1114,8 +1136,37 @@
 }
+static int node_set_address(idmef_node_t *node, const char *addr)
+{
+ int ret;
+ prelude_string_t *prelude_str;
+ idmef_address_t *idmef_addr;
+
+ ret = prelude_string_new(&prelude_str);
+ if ( ret < 0 )
+ goto err;
+
+ ret = prelude_string_set_ref(prelude_str, addr);
+ if ( ret < 0 )
+ goto err;
+
+ ret = idmef_address_new(&idmef_addr);
+ if ( ret < 0 )
+ goto err;
+
+ idmef_address_set_category(idmef_addr, IDMEF_ADDRESS_CATEGORY_IPV4_ADDR);
+ idmef_address_set_address(idmef_addr, prelude_str);
+ idmef_node_set_address(node, idmef_addr, 0);
+
+ return 0;
+ err:
+ return -1;
+}
+
+
+
 static int samhain_alert_prelude(int priority, int sh_class,
- char *message, unsigned long msgid)
+ char *message, unsigned long msgid, char * inet_peer_ip)
 {
 int ret;
 idmef_time_t *time;
@@ -1161,12 +1212,28 @@
 goto err;
 idmef_target_set_decoy(target, IDMEF_TARGET_DECOY_NO);
+#if defined(SH_WITH_SERVER)
+ idmef_node_t *node;
+ if ( inet_peer_ip != NULL){
+ ret = idmef_target_new_node(target, &node);
+ ret = node_set_address(node, inet_peer_ip);
+ if ( ret < 0 )
+ goto err;
+
+ idmef_target_set_node(target, idmef_node_ref(node));
+ }
+ else
 if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
 idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
 idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
 }
-
+#else
+ if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
+ idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
+ idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
+ }
+#endif
 if ( strstr(message, _("path=")) ) {
 #if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
 if ( msgid != MSG_FI_ADD && msgid != MSG_FI_ADD2 )
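Review bot: `node_set_address` leaks `prelude_str` when `prelude_string_set_ref` or `idmef_address_new` fails: both `goto err` paths reach a label that only returns -1, after `prelude_string_new` has already allocated the string. Initialise it (`prelude_string_t *prelude_str = NULL;`) and release it at the label: `err: if ( prelude_str ) prelude_string_destroy(prelude_str); return -1;`. Separately, `prelude_string_set_ref` stores the caller's pointer without copying, and the address handed in from sh_error.c is the automatic array `local_inet_peer_ip`; that holds only if the IDMEF message is sent and destroyed before `sh_error_handle` returns, which the code outside this hunk presumably ensures — `prelude_string_set_dup` would remove that dependency. A header comment such as `/* Attach addr (an IPv4 dotted quad, referenced, not copied) to node as its address; returns 0 or -1. */` would document the contract, including that on success ownership of the string passes to the address object.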
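Review bot: The result of `idmef_target_new_node(target, &node)` is stored in `ret` and overwritten by the very next statement, so a failed allocation goes unnoticed and `node` is passed to `node_set_address` indeterminate; insert `if ( ret < 0 ) goto err;` between the two calls. The following `idmef_target_set_node(target, idmef_node_ref(node))` also looks suspect: `idmef_target_new_node` presumably already attaches the new node to `target`, so re-setting it with an extra reference would leave one reference unreleased — a plausible source of the leak mentioned in the ticket, to be confirmed against libprelude's reference-counting rules. On the style side, the `#else` branch duplicates the three analyzer-node lines that remain as context inside the `#if` branch; guarding only the `if ( inet_peer_ip != NULL ) { ... } else` prefix would leave a single copy. `idmef_node_t *node;` sits after statements, which C99 allows, while the rest of `samhain_alert_prelude` (which starts and ends outside this hunk) declares its locals at the top.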
@@ -1247,7 +1314,7 @@
 }
-int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid)
+int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid, char *inet_peer_ip)
 {
 int ret;
@@ -1256,7 +1323,7 @@
 if ( initialized < 1 )
 return -1;
- ret = samhain_alert_prelude(priority, sh_class, message, msgid);
+ ret = samhain_alert_prelude(priority, sh_class, message, msgid, inet_peer_ip);
 if ( ret < 0 )
 {
 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
 _("Problem with IDMEF for prelude-ids support: alert lost"),
Change History (2)
comment:1 by , 15 years ago
Status: | new → assigned |
---|
comment:2 by , 15 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
It is believed that the problem is solved by the aforementioned patches.
The patch leaks memory, and doesn't handle server-to-server relay. Needs the following fix: