﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
207	Server should be able to log client reports to prelude	rainer	rainer	"Requested by J. Ventura: to concentrate all logs in a single prelude analyzer, instead of one analyzer per client, the server should support logging of client messages to prelude. The patch below has been developed and contributed by J. Ventura.

{{{
diff -dur samhain-2.7.0-orig/include/sh_error.h samhain-2.7.0/include/sh_error.h
--- samhain-2.7.0-orig/include/sh_error.h	2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/include/sh_error.h	2010-05-02 14:23:29.000000000 +0100
@@ -100,7 +100,11 @@
 void sh_error_dbg_switch(void);
 
 #ifdef SH_WITH_SERVER
+
 void sh_error_set_peer(const char * str);
+#ifdef HAVE_LIBPRELUDE
+void sh_error_set_peer_ip(const char * str);
+#endif
 int  set_flag_sep_log (const char * str);
 #endif
 
diff -dur samhain-2.7.0-orig/include/sh_prelude.h samhain-2.7.0/include/sh_prelude.h
--- samhain-2.7.0-orig/include/sh_prelude.h	2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/include/sh_prelude.h	2010-05-02 14:23:29.000000000 +0100
@@ -8,7 +8,7 @@
 int sh_prelude_set_profile(const char *arg);
 
 int sh_prelude_alert (int priority, int class, char * message,
-		      long msgflags, unsigned long msgid);
+		      long msgflags, unsigned long msgid, char * inet_peer_ip);
 
 /* map severity levels
  */
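Review bot: The new `inet_peer_ip` parameter should be `const char *`: the only consumer visible in this patch, `node_set_address` in sh_prelude.c, already takes `const char *addr`, and every caller passes a buffer it never writes through, so `long msgflags, unsigned long msgid, const char * inet_peer_ip);` states the contract. The same applies to the definition of `sh_prelude_alert` and to `samhain_alert_prelude` in the sh_prelude.c hunks, which add the parameter as plain `char *`.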
diff -dur samhain-2.7.0-orig/src/sh_error.c samhain-2.7.0/src/sh_error.c
--- samhain-2.7.0-orig/src/sh_error.c	2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/src/sh_error.c	2010-05-02 14:23:29.000000000 +0100
@@ -840,6 +840,17 @@
 
 #ifdef SH_WITH_SERVER
 static char inet_peer[SH_MINIBUF] = { '\0' };
+#ifdef HAVE_LIBPRELUDE
+static char inet_peer_ip[16] = { '\0' };
+
+void sh_error_set_peer_ip(const char * str)
+{
+  if (str == NULL)
+    inet_peer_ip[0] = '\0';
+  else
+    sl_strlcpy(inet_peer_ip, str, 16);
+}
+#endif
 
 void sh_error_set_peer(const char * str)
 {
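Review bot: The buffer length 16 is a magic number repeated across this file (here, in the `local_inet_peer_ip` declaration and in the copy that fills it); `sl_strlcpy(inet_peer_ip, str, sizeof inet_peer_ip);` ties the copy to the buffer, and a named constant such as `INET_ADDRSTRLEN` documents that 16 is the dotted-quad maximum including the terminator. As written the buffer only fits IPv4 text, which matches the `inet_ntoa` caller in sh_forward.c, but a short comment saying so (`/* IPv4 dotted quad incl. NUL; inet_ntoa output only */`) would stop a later IPv6 change from silently truncating. The hunk ends inside `sh_error_set_peer`, whose body is outside the hunk.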
@@ -879,6 +890,9 @@
 #ifdef SH_WITH_SERVER
   int    class_inet = clt_class;      /* initialize from global */
   char   local_inet_peer[SH_MINIBUF];
+#ifdef HAVE_LIBPRELUDE
+  char   local_inet_peer_ip[16];
+#endif    
 #endif
 
 #if defined(SH_WITH_CLIENT) || defined(SH_WITH_SERVER)
@@ -928,6 +942,15 @@
     }
   else
     local_inet_peer[0] = '\0';
+#ifdef HAVE_LIBPRELUDE
+  if ((msg_id == MSG_TCP_MSG) && (inet_peer_ip[0] != '\0'))
+    {
+      sl_strlcpy(local_inet_peer_ip, inet_peer_ip, 16);
+      sh_error_set_peer_ip(NULL);
+    }
+  else
+    local_inet_peer_ip[0] = '\0';
+#endif
 
   clt_class = (-1);      /* reset global */
 #endif
@@ -1262,9 +1285,11 @@
 	      /*
 	       *  Reports first error after failure. Always tries.
 	       */
-	      (void) sh_prelude_alert (severity, (int) class, lmsg->msg,
-				       lmsg->status, msg_id);
-
+#if defined (HAVE_LIBPRELUDE) && defined (SH_WITH_SERVER) 
+                (void) sh_prelude_alert (severity, (int) class, lmsg->msg, lmsg->status, msg_id, local_inet_peer_ip);
+#else
+                (void) sh_prelude_alert (severity, (int) class, lmsg->msg, lmsg->status, msg_id, NULL);
+#endif
 	      prelude_block = 0;
 	    }
 	}
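Review bot: The replacement lines for the two `sh_prelude_alert` calls are indented with spaces while the retained lines around them (the comment above, `prelude_block = 0;` below) use tabs, and the next hunk in this file exists only because an otherwise unchanged `sh_log_file` call was re-indented the same way. Keeping the file's tab indentation would reduce the diff to the lines that change behaviour. The duplicated call could also collapse to one: resolve the argument first (`const char *peer_ip = local_inet_peer_ip;` in the `#if` branch, `const char *peer_ip = NULL;` in the `#else`) and make a single `sh_prelude_alert(..., msg_id, peer_ip);` after the `#endif`.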
@@ -1300,7 +1325,7 @@
 		  if (local_inet_peer[0] == '\0')
 		    (void) sh_log_file (lmsg->msg, NULL);
 		  else
-		    (void) sh_log_file (lmsg->msg, local_inet_peer);
+                    (void) sh_log_file (lmsg->msg, local_inet_peer);
 		}
 #else
               (void) sh_log_file (lmsg->msg, NULL);
diff -dur samhain-2.7.0-orig/src/sh_forward.c samhain-2.7.0/src/sh_forward.c
--- samhain-2.7.0-orig/src/sh_forward.c	2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/src/sh_forward.c	2010-05-02 14:23:29.000000000 +0100
@@ -3660,12 +3660,18 @@
 
 		  /* push client name to error routine
                    */
+#if defined (SH_WITH_SERVER) && defined (HAVE_LIBPRELUDE)
+                  sh_error_set_peer_ip( inet_ntoa (*(struct in_addr *) &(conn->addr_peer.sin_addr)) );                        
+#endif
                   sh_error_set_peer(sh_strip_domain (conn->peer));
 		  sh_error_handle(clt_sev, FIL__, __LINE__, 0, MSG_TCP_MSG,
 				  sh_strip_domain (conn->peer), 
 				  ptok);
                   sh_error_set_peer(NULL);
-
+#ifdef SH_WITH_SERVER && HAVE_LIBPRELUDE
+                  sh_error_set_peer_ip(NULL);
+#endif
+                  
 		  TPT((0, FIL__, __LINE__, _(""msg=<%s>\n""), ptok));
 		  SH_FREE(ptok);
 		  clt_class = (-1);
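Review bot: `#ifdef SH_WITH_SERVER && HAVE_LIBPRELUDE` is not a valid directive: `#ifdef` takes exactly one identifier, so compilers that accept it ignore the trailing tokens and the block is compiled whenever SH_WITH_SERVER is defined, which makes `sh_error_set_peer_ip(NULL)` an undeclared call in a server build without libprelude (its declaration in sh_error.h is itself inside `#ifdef HAVE_LIBPRELUDE`). It should read `#if defined (SH_WITH_SERVER) && defined (HAVE_LIBPRELUDE)`, matching the guard a few lines up. The cast in `*(struct in_addr *) &(conn->addr_peer.sin_addr)` is redundant if `sin_addr` is already a `struct in_addr`, so `inet_ntoa (conn->addr_peer.sin_addr)` reads cleaner. The address is taken from the connection's socket peer rather than from anything the client sent, which is the right source for an IDMEF target node and worth a one-line comment.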
diff -dur samhain-2.7.0-orig/src/sh_prelude.c samhain-2.7.0/src/sh_prelude.c
--- samhain-2.7.0-orig/src/sh_prelude.c	2010-05-02 14:20:45.000000000 +0100
+++ samhain-2.7.0/src/sh_prelude.c	2010-05-02 14:23:29.000000000 +0100
@@ -218,14 +218,30 @@
 static char *do_get_value(char *ptr, char delim_start, char delim_end)
 {
         char *ret = NULL;
-        
+#if defined(SH_WITH_SERVER)
+        int delim_start_count = 0;
+        int found = 0;
+#endif                
+
         ptr = strchr(ptr, delim_start);
         if ( ! ptr )
                 return NULL;
 
         ret = ++ptr;
-
+#if defined(SH_WITH_SERVER)
+        while ((*ptr != '\0') && (!found)){
+            if (*ptr == delim_end) {
+                if (delim_start_count == 0)
+                    found = 1;
+                delim_start_count--;
+            }
+            else if (*ptr == delim_start ) delim_start_count++;
+            ptr++;
+        }
+        ptr = (found) ? ptr-1 : NULL ;
+#else
         ptr = strchr(ptr, delim_end);
+#endif
         if ( ! ptr )
                 return NULL;
         
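Review bot: The nesting-aware scan changes the result when a value contains an unmatched `delim_start`: `strchr` used to stop at the first `delim_end`, whereas the new loop leaves `found` at 0 and returns NULL, so the whole field is dropped from the server's IDMEF alert. If a reported path or message can carry a literal `<` that Samhain does not escape (I cannot tell from this patch), a file name written that way would remove the field from the alert instead of merely garbling it; falling back to the first `delim_end` when the balanced scan fails keeps the old behaviour for that case. Please also add a comment above the `#if defined(SH_WITH_SERVER)` loop stating why it exists, e.g. `/* yule relays client reports as msg=<... msg=<...> >, so match nested delimiters */`. The rest of `do_get_value` continues past the hunk.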
@@ -682,7 +698,13 @@
                                 _(""could not format Samhain message""), _(""map_policy_to_class""));
                 return -1;
         }
-        
+#if defined(SH_WITH_SERVER)
+        /* when using yule, theres a msg=<... msg=<...> >*/
+        msg = ptr;
+        ptr = get_value(msg, _(""msg""), NULL);
+        if ( ! ptr )
+            ptr = msg;
+#endif        
         ret = prelude_string_cat(out, ptr);
         free(ptr);
         
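Review bot: When `get_value` succeeds the outer string is lost: `ptr` is reassigned to the inner value, the later `free(ptr)` releases only that, and `msg` (the buffer `ptr` pointed to before) is never freed, which on a server is a leak per relayed report. Assuming `get_value` returns a freshly allocated string, as the existing `free(ptr)` suggests, the branch should be `if ( ! ptr ) ptr = msg; else free(msg);`. The declaration of `msg` is outside the hunk, so confirm it is a `char *` local of this function. The comment would read better as `/* under yule the client report is wrapped: msg=<... msg=<...> >; unwrap the inner message */`.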
@@ -1114,8 +1136,37 @@
 }
 
 
+static int node_set_address(idmef_node_t *node, const char *addr)
+{
+      int ret;
+      prelude_string_t *prelude_str;
+      idmef_address_t *idmef_addr;
+
+      ret = prelude_string_new(&prelude_str);
+      if ( ret < 0 ) 
+          goto err;
+      
+      ret = prelude_string_set_ref(prelude_str, addr);
+      if ( ret < 0 ) 
+          goto err;
+
+      ret = idmef_address_new(&idmef_addr);
+      if ( ret < 0 ) 
+          goto err;
+      
+      idmef_address_set_category(idmef_addr, IDMEF_ADDRESS_CATEGORY_IPV4_ADDR);
+      idmef_address_set_address(idmef_addr, prelude_str);
+      idmef_node_set_address(node, idmef_addr, 0);
+
+      return 0;
+ err:
+        return -1;
+}
+
+                                          
+
 static int samhain_alert_prelude(int priority, int sh_class, 
-				 char *message, unsigned long msgid)
+				 char *message, unsigned long msgid, char * inet_peer_ip)
 {
         int ret;
         idmef_time_t *time;
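Review bot: `node_set_address` leaks `prelude_str` when `idmef_address_new` fails, because the `err:` label returns without destroying the string already created; and `prelude_string_set_ref` stores a pointer to `addr` rather than a copy, while the caller passes `local_inet_peer_ip`, a stack array in `sh_error_handle` (see the sh_error.c hunk), so the IDMEF message must be fully serialised before that frame returns or the address dangles. Copying the string removes the lifetime dependency and destroying it on the failure path removes the leak, as below. The `const char *addr` parameter is right, since it is only read. The hunk also changes the signature of `samhain_alert_prelude`, whose body continues past the hunk.
```c
static int node_set_address(idmef_node_t *node, const char *addr)
{
        int ret;
        prelude_string_t *prelude_str;
        idmef_address_t *idmef_addr;

        /* copy rather than reference: addr may be a caller's stack buffer */
        ret = prelude_string_new_dup(&prelude_str, addr);
        if ( ret < 0 )
                return -1;

        ret = idmef_address_new(&idmef_addr);
        if ( ret < 0 ) {
                prelude_string_destroy(prelude_str);
                return -1;
        }

        /* … unchanged: set category and address, attach to node, return 0 … */
}
```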
@@ -1161,12 +1212,28 @@
                 goto err;
 
         idmef_target_set_decoy(target, IDMEF_TARGET_DECOY_NO);
+#if defined(SH_WITH_SERVER)
+        idmef_node_t *node;
+        if ( inet_peer_ip != NULL){
+          ret = idmef_target_new_node(target, &node);
         
+          ret = node_set_address(node, inet_peer_ip); 
+          if ( ret < 0 )
+                          goto err;
+                          
+          idmef_target_set_node(target, idmef_node_ref(node));
+        }
+        else
         if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
                 idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
                 idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
         }
-        
+#else        
+        if ( idmef_analyzer_get_node(prelude_client_get_analyzer(client)) ) {
+                idmef_node_ref(idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
+                idmef_target_set_node(target, idmef_analyzer_get_node(prelude_client_get_analyzer(client)));
+        }
+#endif        
         if ( strstr(message, _(""path="")) ) {
 #if defined(SH_WITH_CLIENT) || defined(SH_STANDALONE)
                 if ( msgid != MSG_FI_ADD && msgid != MSG_FI_ADD2 )
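Review bot: The return value of `idmef_target_new_node(target, &node)` is stored in `ret` but never checked, so on failure `node` is uninitialized when handed to `node_set_address`; add `if ( ret < 0 ) goto err;` directly after that call. The `idmef_node_t *node;` declaration sits after statements, unlike the rest of this function which declares at the top, so it belongs next to `idmef_time_t *time;` under the same guard. Whether the following `idmef_target_set_node(target, idmef_node_ref(node))` is needed is unclear from here: if `idmef_target_new_node` already attaches the node to the target, the extra ref and set are redundant, so please confirm against the libprelude version in use. The bare `else` followed by `if` on the next line reads as a dangling else; `} else if ( ... ) {` is the conventional form.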
@@ -1247,7 +1314,7 @@
 }
 
 
-int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid)
+int sh_prelude_alert(int priority, int sh_class, char *message, long msgflags, unsigned long msgid, char *inet_peer_ip)
 {
         int ret;
         
@@ -1256,7 +1323,7 @@
         if ( initialized < 1 )
                 return -1;
         
-        ret = samhain_alert_prelude(priority, sh_class, message, msgid);
+        ret = samhain_alert_prelude(priority, sh_class, message, msgid, inet_peer_ip);
         if ( ret < 0 ) {
                 sh_error_handle((-1), FIL__, __LINE__, -1, MSG_E_SUBGEN,
                                 _(""Problem with IDMEF for prelude-ids support: alert lost""), 
}}}"	enhancement	closed	major	2.7.1	main	2.7.0	fixed		
