
[ossec-cvs] ossec-hids: symantecws_decoder.c (NEW) pf_decoder.c (HEAD) [dcid]



Module name:	ossec-hids
Changes by:	dcid	07/07/19 21:19:25

Modified files:
	pf_decoder.c
Added files:
	symantecws_decoder.c

Log message:
Description: Adding better error messages, a Symantec WS rule, fixing an issue with the e-mail subjects (when the do_not_group option is used) and changing parts of the code to GPLv3 (more coming).
Reviewed by: dcid
Bug:

--- NEW FILE: symantecws_decoder.c ---
/* @(#) $Id: symantecws_decoder.c,v 1.1 2007/07/20 00:19:25 dcid Exp $ */

/* Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
 * All rights reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 3) as published by the FSF - Free Software
 * Foundation.
 *
 * License details at the LICENSE file included with OSSEC or 
 * online at: http://www.ossec.net/en/licensing.html
 */

#include "shared.h"
#include "eventinfo.h"


/* Symantec Web Security decoder init */
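void *SymantecWS_Decoder_Init(void)
{
    /* The original message contained a "%s" with no matching argument,
     * so debug1() read a bogus vararg (undefined behavior). The
     * specifier is dropped here. NOTE(review): if the logging framework
     * expects a program-name prefix (e.g. ARGV0) in this message, pass
     * it as the %s argument instead of removing the specifier. */
    debug1("Initializing SymantecWS decoder..");

    /* Stateless decoder: nothing to allocate, no per-decoder context. */
    return(NULL);
}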


/* Symantec Web Security decoder 
 * Will extract the action, srcip, id, url and username.
 *
 * Examples (also online at 
 * http://www.ossec.net/wiki/index.php/Symantec_WebSecurity ).
 * 20070717,73613,1=5,11=10.1.1.3,10=userc,3=1,2=1
 * 20070717,73614,1=5,11=1.2.3.4,1106=News,60=http://news.bbc.co.uk/,10=userX,1000=212.58.240.42,2=27
 */                             
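/* Copy a bounded run of characters from src into dst.
 *
 * Copying stops at NUL, after max_len characters, or (when stop_at_comma
 * is non-zero) at the first ','. dst is always NUL-terminated; the caller
 * must provide room for max_len + 1 bytes. Returns a pointer to the first
 * character of src that was NOT consumed, so the caller can resume the
 * field scan from there. The bound is what keeps an over-long
 * client-supplied value (URL, username) from overrunning the buffer. */
static char *copy_field(char *dst, char *src, int max_len, int stop_at_comma)
{
    int n = 0;

    while(*src != '\0' && n < max_len && !(stop_at_comma && *src == ','))
    {
        dst[n++] = *src++;
    }
    dst[n] = '\0';

    return(src);
}


/* Symantec Web Security decoder.
 *
 * Scans the comma-separated "key=value" list that follows the leading
 * "date,time," prefix of lf->log and fills in:
 *   lf->user  from "10="  (up to 128 chars, cut at ',')
 *   lf->srcip from "11="  (up to 128 chars, cut at ',')
 *   lf->url   from "60="  (up to OS_SIZE_1024 chars, cut at ',')
 *   lf->id    from "3=" or "2=" (up to 9 raw chars INCLUDING the key,
 *             not cut at ',' -- see the comment in the loop)
 *
 * Only the first occurrence of each key is kept (the os_strdup is skipped
 * when the field is already set), which avoids leaking earlier copies.
 * lf->log comes from a proxy log and its values (URL, username) are
 * ultimately client-controlled, so every copy is length-bounded.
 *
 * Returns NULL in all cases; the result is the mutated Eventinfo.
 */
void *SymantecWS_Decoder_Exec(Eventinfo *lf)
{
    char buf_str[OS_SIZE_1024 + 1];
    char *tmp_str = NULL;

    buf_str[0] = '\0';

    /* Skip the "date,time," prefix: find the first comma, then the one
     * after it. The second search has to start one past the first comma;
     * searching from the comma itself just finds the same comma again and
     * leaves the time field to be scanned as if it were a key=value token. */
    if(!(tmp_str = strchr(lf->log, ',')))
    {
        return(NULL);
    }
    if(!(tmp_str = strchr(tmp_str + 1, ',')))
    {
        return(NULL);
    }
    tmp_str++;

    /* Walk the remaining tokens, one per comma-separated field. */
    while(tmp_str != NULL)
    {
        if(strncmp(tmp_str, "10=", 3) == 0)
        {
            /* Username */
            tmp_str = copy_field(buf_str, tmp_str + 3, 128, 1);
            if(!lf->user)
            {
                os_strdup(buf_str, lf->user);
            }
        }
        else if(strncmp(tmp_str, "11=", 3) == 0)
        {
            /* Source IP address */
            tmp_str = copy_field(buf_str, tmp_str + 3, 128, 1);
            if(!lf->srcip)
            {
                os_strdup(buf_str, lf->srcip);
            }
        }
        else if(strncmp(tmp_str, "60=", 3) == 0)
        {
            /* Requested URL */
            tmp_str = copy_field(buf_str, tmp_str + 3, OS_SIZE_1024, 1);
            if(!lf->url)
            {
                os_strdup(buf_str, lf->url);
            }
        }
        else if((strncmp(tmp_str, "3=", 2) == 0) ||
                (strncmp(tmp_str, "2=", 2) == 0))
        {
            /* Event id. Unlike the fields above this keeps the "3="/"2="
             * key and is NOT cut at a comma: up to 9 raw characters are
             * copied, so "3=1,2=1" is stored verbatim. Rules that match
             * on <id> presumably rely on this exact form, so the
             * behavior is preserved here. */
            tmp_str = copy_field(buf_str, tmp_str, 9, 0);
            if(!lf->id)
            {
                os_strdup(buf_str, lf->id);
            }
        }

        /* Advance to the next field (or finish when none is left). */
        tmp_str = strchr(tmp_str, ',');
        if(tmp_str)
        {
            tmp_str++;
        }
    }

    return(NULL);
}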

/* END Decoder */

Index: pf_decoder.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/decoders/plugins/pf_decoder.c,v
diff -u -r1.1 -r1.2
--- pf_decoder.c	3 Apr 2007 22:17:12 -0000	1.1
+++ pf_decoder.c	20 Jul 2007 00:19:25 -0000	1.2
@@ -1,3 +1,18 @@
+/* @(#) $Id$ */
+
+/* Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ * All rights reserved.
+ *
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 3) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * License details at the LICENSE file included with OSSEC or 
+ * online at: http://www.ossec.net/en/licensing.html
+ */
+
+
 #include "shared.h"
 #include "eventinfo.h"
 

