[Pkg-ossec-devel] [pkg-ossec] 04/05: Imported Upstream version 2.7.1 Conflicts: src/analysisd/alerts/log.c src/analysisd/lists_list.c
Jose Antonio Quevedo Muñoz
jaqm-guest at moszumanska.debian.org
Tue Mar 11 16:46:22 UTC 2014
commit 43b1c9dd8f00ef320eca1fa2884538aee9335f60
Author: Jose Antonio Quevedo <joseantonio.quevedo at gmail.com>
Date: Thu Mar 6 19:07:57 2014 +0100
Imported Upstream version 2.7.1
Conflicts:
src/analysisd/alerts/log.c
src/analysisd/lists_list.c
---
src/analysisd/alerts/log.c | 119 +++++++++++++++++++++++++++++++++++++++++++++
src/analysisd/lists_list.c | 54 ++++++++++++++++++--
src/analysisd/rules.c | 7 +++
src/client-agent/agentd.c | 4 +-
src/headers/defs.h | 2 +-
src/os_csyslogd/main.c | 2 +-
src/shared/file_op.c | 10 ++--
7 files changed, 187 insertions(+), 11 deletions(-)
diff --git a/src/analysisd/alerts/log.c b/src/analysisd/alerts/log.c
index 595c9b0..f5cb74a 100755
--- a/src/analysisd/alerts/log.c
+++ b/src/analysisd/alerts/log.c
@@ -354,6 +354,125 @@ void OS_CustomLog(Eventinfo *lf,char* format)
//Replace all the tokens:
os_strdup(format,log);
+ snprintf(tmp_buffer, 1024, "%d", lf->time);
+ tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_TIMESTAMP], tmp_buffer);
+ if(log)
+ {
+ os_free(log);
+ log=NULL;
+ }
+ snprintf(tmp_buffer, 1024, "%ld", __crt_ftell);
+ log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_FTELL], tmp_buffer);
+ if (tmp_log)
+ {
+ os_free(tmp_log);
+ tmp_log=NULL;
+ }
+
+
+ snprintf(tmp_buffer, 1024, "%s", (lf->generated_rule->alert_opts & DO_MAILALERT)?"mail " : "");
+ tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_ALERT_OPTIONS], tmp_buffer);
+ if(log)
+ {
+ os_free(log);
+ log=NULL;
+ }
+
+
+ snprintf(tmp_buffer, 1024, "%s",lf->hostname?lf->hostname:"None");
+ log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_HOSTNAME], tmp_buffer);
+ if (tmp_log)
+ {
+ os_free(tmp_log);
+ tmp_log=NULL;
+ }
+
+ snprintf(tmp_buffer, 1024, "%s",lf->location?lf->location:"None");
+ tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_LOCATION], tmp_buffer);
+ if(log)
+ {
+ os_free(log);
+ log=NULL;
+ }
+
+
+ snprintf(tmp_buffer, 1024, "%d", lf->generated_rule->sigid);
+ log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_ID], tmp_buffer);
+ if (tmp_log)
+ {
+ os_free(tmp_log);
+ tmp_log=NULL;
+ }
+
+ snprintf(tmp_buffer, 1024, "%d", lf->generated_rule->level);
+ tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_LEVEL], tmp_buffer);
+ if(log)
+ {
+ os_free(log);
+ log=NULL;
+ }
+
+ snprintf(tmp_buffer, 1024, "%s",lf->srcip?lf->srcip:"None");
+ log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_SRC_IP], tmp_buffer);
+ if (tmp_log)
+ {
+ os_free(tmp_log);
+ tmp_log=NULL;
+ }
+
+ snprintf(tmp_buffer, 1024, "%s",lf->srcuser?lf->srcuser:"None");
+
+ tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_DST_USER], tmp_buffer);
+ if(log)
+ {
+ os_free(log);
+ log=NULL;
+ }
+ char * escaped_log;
+ escaped_log = escape_newlines(lf->full_log);
+
+ log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_FULL_LOG],escaped_log );
+ if (tmp_log)
+ {
+ os_free(tmp_log);
+ tmp_log=NULL;
+ }
+
+ if(escaped_log)
+ {
+ os_free(escaped_log);
+ escaped_log=NULL;
+ }
+
+ snprintf(tmp_buffer, 1024, "%s",lf->generated_rule->comment?lf->generated_rule->comment:"");
+ tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_COMMENT], tmp_buffer);
+ if(log)
+ {
+ os_free(log);
+ log=NULL;
+ }
+
+ snprintf(tmp_buffer, 1024, "%s",lf->generated_rule->group?lf->generated_rule->group:"");
+ log = searchAndReplace(tmp_log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_RULE_GROUP], tmp_buffer);
+ if (tmp_log)
+ {
+ os_free(tmp_log);
+ tmp_log=NULL;
+ }
+
+
+ fprintf(_aflog,log);
+ fprintf(_aflog,"\n");
+ fflush(_aflog);
+
+ if(log)
+ {
+ os_free(log);
+ log=NULL;
+ }
+
+ return;
+}
void OS_InitFwLog()
{
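Review bot: `fprintf(_aflog,log);` near the end of the hunk passes the expanded alert line as the format string, and that line has just had event-controlled fields (`lf->full_log`, `lf->srcuser`, `lf->hostname`, `lf->location`) substituted into it, so any `%` sequence arriving in an event is interpreted as a conversion; write it as `fprintf(_aflog, "%s", log);` (or `fputs(log, _aflog);`). None of the `searchAndReplace` results in the chain is checked for NULL, so one failed replacement propagates a NULL `log` into the next call and finally into `fprintf`; a single `if (!log) goto out;` style check after each step, or a check of the final `log` before printing, would close that. `snprintf(tmp_buffer, 1024, "%d", lf->time);` prints the timestamp with `%d`; if `lf->time` is a `time_t` this should be `"%ld", (long)lf->time`, and the repeated literal `1024` should be `sizeof tmp_buffer` so it cannot drift from the declaration. The start of `OS_CustomLog` lies outside the hunk.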
diff --git a/src/analysisd/lists_list.c b/src/analysisd/lists_list.c
index aa07c3a..e5f8358 100644
--- a/src/analysisd/lists_list.c
+++ b/src/analysisd/lists_list.c
@@ -262,7 +262,53 @@ int OS_DBSeachKeyAddress(ListRule *lrule, char *key)
}
free(tmpkey);
}
- }
+ }
+ return 0;
+}
+
+int OS_DBSearchKeyAddressValue(ListRule *lrule, char *key)
+{
+ int result=-1;
+ char *val;
+ unsigned vlen, vpos;
+ if (lrule->db!= NULL)
+ {
+ if(_OS_CDBOpen(lrule->db) == -1) return 0;
+
+ // First lookup for a single IP address
+ if(cdb_find(&lrule->db->cdb, key, strlen(key)) > 0 ) {
+ vpos = cdb_datapos(&lrule->db->cdb);
+ vlen = cdb_datalen(&lrule->db->cdb);
+ val = malloc(vlen);
+ cdb_read(&lrule->db->cdb, val, vlen, vpos);
+ result = OSMatch_Execute(val, vlen, lrule->matcher);
+ free(val);
+ return result;
+ } else {
+ // IP address not found, look for matching subnets
+ char *tmpkey;
+ os_strdup(key, tmpkey);
+ while(strlen(tmpkey) > 0)
+ {
+ if(tmpkey[strlen(tmpkey) - 1] == '.')
+ {
+ if( cdb_find(&lrule->db->cdb, tmpkey, strlen(tmpkey)) > 0 ) {
+ vpos = cdb_datapos(&lrule->db->cdb);
+ vlen = cdb_datalen(&lrule->db->cdb);
+ val = malloc(vlen);
+ cdb_read(&lrule->db->cdb, val, vlen, vpos);
+ result = OSMatch_Execute(val, vlen, lrule->matcher);
+ free(val);
+ free(tmpkey);
+ return result;
+ }
+ }
+ tmpkey[strlen(tmpkey) - 1] = '\0';
+ }
+ free(tmpkey);
+ return 0;
+ }
+ }
return 0;
}
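Review bot: Both `val = malloc(vlen);` sites in the new `OS_DBSearchKeyAddressValue` are unchecked, and the `cdb_read` return value that follows each is ignored, so an allocation failure or a failed read hands `OSMatch_Execute` a NULL or unfilled buffer whose length comes from the on-disk list database. Guard each site with `if (val == NULL || cdb_read(&lrule->db->cdb, val, vlen, vpos) < 0) { free(val); return result; }` (assuming this is tinycdb's `cdb_read`, which returns -1 on failure), adding `free(tmpkey);` to the guard in the subnet branch. The lookup-read-match-free sequence is duplicated verbatim in the exact-match and subnet branches; a small `static` helper taking the key and its length would remove the duplication and give the error handling a single home.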
@@ -310,8 +356,10 @@ int OS_DBSearch(ListRule *lrule, char *key)
break;
case LR_ADDRESS_MATCH_VALUE:
//debug1("LR_ADDRESS_MATCH_VALUE");
- // XXX TODO
- return 0;
+ if (OS_DBSearchKeyAddressValue(lrule, key) == 0)
+ return 1;
+ else
+ return 0;
break;
default:
debug1("lists_list.c::OS_DBSearch should never hit default");
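Review bot: `if (OS_DBSearchKeyAddressValue(lrule, key) == 0) return 1;` folds three different outcomes into the same answer, because the callee returns 0 when `_OS_CDBOpen` fails, when the key (and every parent subnet) is absent, and whenever `OSMatch_Execute` itself yields 0; an unopenable list database or a missing entry therefore produces the same result as a real match outcome, which is hard to reason about for a rule that gates alerts. The callee already initialises `result=-1`, so returning that sentinel on the open-failure and not-found paths and testing for it explicitly here (`if (r == -1) return 0;` before the match comparison) would separate "no data" from the match verdict. Whether 1 means "matched" for this case depends on the other `LR_` cases of the switch, which lie outside the hunk, as does the rest of `OS_DBSearch`.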
diff --git a/src/analysisd/rules.c b/src/analysisd/rules.c
index f22682c..5ada268 100755
--- a/src/analysisd/rules.c
+++ b/src/analysisd/rules.c
@@ -316,6 +316,13 @@ int Rules_OP_ReadRules(char * rulefile)
return(-1);
}
+ if(overwrite != 1 && doesRuleExist(id, NULL))
+ {
+ merror("%s: Duplicate rule ID:%d",ARGV0, id);
+ OS_ClearXML(&xml);
+ return(-1);
+ }
+
/* Allocating memory and initializing structure */
config_ruleinfo = zerorulemember(id, level, maxsize,
frequency,timeframe,
diff --git a/src/client-agent/agentd.c b/src/client-agent/agentd.c
index b18fc95..ca33dd5 100755
--- a/src/client-agent/agentd.c
+++ b/src/client-agent/agentd.c
@@ -172,7 +172,9 @@ void AgentdStart(char *dir, int uid, int gid, char *user, char *group)
fdtimeout.tv_sec = 120;
fdtimeout.tv_usec = 0;
-
+ /* Continuesly send notifications */
+ run_notify();
+
/* Wait for 120 seconds at a maximum for any descriptor */
rc = select(maxfd, &fdset, NULL, NULL, &fdtimeout);
if(rc == -1)
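Review bot: The comment above the added `run_notify();` misspells "continuously" and says nothing about why the call is placed ahead of `select`; suggest `/* Send any pending notifications to the manager before blocking in select() */`. Because the call now runs on every iteration of the surrounding loop (each ready descriptor and each 120 s timeout), it is worth stating in that comment that `run_notify` is expected to rate-limit itself — if it does not, that cannot be seen from this hunk and should be confirmed. The enclosing `AgentdStart` begins and ends outside the hunk.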
diff --git a/src/headers/defs.h b/src/headers/defs.h
index 3d491a7..880cd8d 100755
--- a/src/headers/defs.h
+++ b/src/headers/defs.h
@@ -52,7 +52,7 @@
/* Some Global names */
#define __name "OSSEC HIDS"
-#define __version "v2.7-beta1"
+#define __version "v2.7.1"
#define __author "Trend Micro Inc."
#define __contact "contact at ossec.net"
#define __site "http://www.ossec.net"
diff --git a/src/os_csyslogd/main.c b/src/os_csyslogd/main.c
index df3dd5a..5d110f5 100755
--- a/src/os_csyslogd/main.c
+++ b/src/os_csyslogd/main.c
@@ -87,7 +87,7 @@ int main(int argc, char **argv)
/* Starting daemon */
- merror(STARTED_MSG, ARGV0);
+ debug1(STARTED_MSG, ARGV0);
/* Check if the user/group given are valid */
diff --git a/src/shared/file_op.c b/src/shared/file_op.c
index a799a1d..6ed6b07 100755
--- a/src/shared/file_op.c
+++ b/src/shared/file_op.c
@@ -291,9 +291,9 @@ int DeletePID(char *name)
if(File_DateofChange(file) < 0)
return(-1);
-
- unlink(file);
-
+
+ unlink(file);
+
return(0);
}
@@ -446,7 +446,7 @@ int MergeAppendFile(char *finalpath, char *files)
finalfp = fopen(finalpath, "a");
if(!finalfp)
{
- merror("%s: ERROR: Unable to create merged file: '%s'.",
+ merror("%s: ERROR: Unable to append merged file: '%s'.",
__local_name, finalpath);
return(0);
}
@@ -741,7 +741,7 @@ int checkVista()
strstr(m_uname, "Windows 7"))
{
isVista = 1;
- verbose("%s: INFO: System is Vista or Windows Server 2008.",
+ verbose("%s: INFO: System is Vista, Windows 7 or Windows Server 2008.",
__local_name);
}
--