

Jeremy Rossi  committed 3fec567

more waf

  • Parent commits dc0c815
  • Branches default


Files changed (121)

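--- a/.hgignore
+++ b/.hgignore
 src/headers/zconf.h
 src/headers/zlib.h
 src/isbigendian.c
-src/analysisd/compiled_rules/compiled_rules.h
+src/os_analysisd/compiled_rules/compiled_rules.h
 
 # Compiled programs
 bin/agent_control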

File src/analysisd/Makefile

-# Makefile for analysisd
-# Daniel B. Cid <daniel.cid@gmail.com>||<daniel@underlinux.com.br>
-# http://www.ossec.net/hids/
-
-PT=../
-NAME=ossec-analysisd
-
-include ../Config.Make
-
-OTHER   = stats.c lists.c lists_list.c rules.c rules_list.c config.c fts.c dodiff.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c picviz.c prelude.c compiled_rules/*.o ${OS_CONFIG}
-LOCAL   = analysisd.c ${OTHER}
-PLUGINS = decoders/decoders.a
-ALERTS  = alerts/alerts.a
-DBS     = cdb/cdb.a cdb/cdb_make.a
-
-loga_OBJS = ${LOCAL} ${PLUGINS} ${DBS} ${ALERTS} ${OS_XML} ${OS_REGEX} ${OS_NET} ${OS_SHARED} ${OS_ZLIB} ${CPRELUDE}
-lists_OBJS = lists_make.c ${OTHER} ${PLUGINS} ${DBS} ${ALERTS} ${OS_XML} ${OS_REGEX} ${OS_NET} ${OS_SHARED} ${OS_ZLIB} ${CPRELUDE}
-
-all: logaudit logtest makelists
-
-logaudit:
-	    cd ./cdb; make
-		cd ./alerts; make
-		cd ./decoders; make
-		cd ./compiled_rules; make;
-		$(CC) $(CFLAGS) ${OS_LINK} -I./ ${loga_OBJS} -o ${NAME}
-
-logtest:
-	    cd ./cdb; make
-		cd ./decoders; make logtest
-		cd ./compiled_rules; make;
-		$(CC) $(CFLAGS) ${OS_LINK} -DTESTRULE -I./ testrule.c ${loga_OBJS} -o ossec-logtest 
-
-makelists:
-		cd ./cdb; make
-		$(CC) $(CFLAGS) ${OS_LINK} -DTESTRULE -I./ makelists.c ${lists_OBJS}  -o ossec-makelists
-
-clean:
-	    cd ./cdb; make clean
-		cd ./alerts; make clean
-		cd ./decoders; make clean
-		cd ./compiled_rules; make clean
-		${CLEAN}
-
-build:
-		${BUILD}
-		cp -pr ossec-logtest ${PT}../bin
-		cp -pr ossec-makelists ${PT}../bin

File src/analysisd/active-response.c

-/* @(#) $Id$ */
-
-/* Copyright (C) 2009 Trend Micro Inc.
- * All right reserved.
- *
- * This program is a free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
- * Foundation
- */
-
- 
-#include "shared.h"
-#include "active-response.h"
-
-
-/** void AR_Init()
- * Initializing active response.
- */
-void AR_Init()
-{
-    ar_commands = OSList_Create();
-    active_responses = OSList_Create();
-    ar_flag = 0;
-
-    if(!ar_commands || !active_responses)
-    {
-        ErrorExit(LIST_ERROR, ARGV0);
-    }
-}
-
-
-/** int AR_ReadConfig(int test_config, char *cfgfile)
- * Reads active response configuration and write them
- * to the appropriate lists.
- */
-int AR_ReadConfig(int test_config, char *cfgfile)
-{
-    FILE *fp;
-    int modules = 0;
-
-    modules|= CAR;
-
-
-    /* Cleaning ar file */
-    fp = fopen(DEFAULTARPATH, "w");
-    if(!fp)
-    {
-        merror(FOPEN_ERROR, ARGV0, DEFAULTARPATH);
-        return(OS_INVALID);
-    }
-    fprintf(fp, "restart-ossec0 - restart-ossec.sh - 0\n");
-    fprintf(fp, "restart-ossec0 - restart-ossec.cmd - 0\n");
-    fclose(fp);
-
-
-    /* Setting right permission */
-    chmod(DEFAULTARPATH, 0444);
-
-
-    /* Reading configuration */
-    if(ReadConfig(modules, cfgfile, ar_commands, active_responses) < 0)
-    {
-        return(OS_INVALID);
-    }
-
-
-    return(0);
-}
-
-/* EOF */

File src/analysisd/active-response.h

-/* @(#) $Id$ */
-
-/* Copyright (C) 2009 Trend Micro Inc.
- * All right reserved.
- *
- * This program is a free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
- * Foundation
- */
-
- 
-#ifndef _AR__H
-#define _AR__H
-
-#include "config/config.h"
-#include "config/active-response.h"
-#include "list_op.h"
-
-
-/** void AR_Init()
- * Initializing active response.
-  */
-void AR_Init();
-
-/** int AR_ReadConfig(int test_config, char *cfgfile)
- * Reads active response configuration and write them
- * to the appropriate lists.
- */
-int AR_ReadConfig(int test_config, char *cfgfile);
-     
-
-/* Active response commands */
-OSList *ar_commands;
-
-/* Active response information */
-OSList *active_responses;
-
-
-#endif

File src/analysisd/alerts/Makefile

-# Makefile for analysisd alerts
-# Daniel B. Cid <dcid@sourcefire.com>||<daniel.cid@gmail.com>
-# http://www.ossec.net/hids/
-
-PT=../../
-NAME=alerts
-
-include ../../Config.Make
-
-SRCS = mail.c log.c exec.c getloglocation.c
-OBJS = mail.o log.o exec.o getloglocation.o
-
-
-response:
-		$(CC) -I../ $(CFLAGS) -c $(SRCS)
-		ar cru alerts.a $(OBJS)
-		ranlib alerts.a
-
-clean:
-		${CLEAN}

File src/analysisd/alerts/alerts.h

-/* @(#) $Id$ */
-
-/* Copyright (C) 2009 Trend Micro Inc.
- * All right reserved.
- *
- * This program is a free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software 
- * Foundation
- */
-
-/* Global  alert header */
-
-#ifndef _ALERT__H
-
-#define _ALERT__H
-
-#include "log.h"
-#include "exec.h"
-#include "getloglocation.h"
-
-#endif

File src/analysisd/alerts/exec.c

-/* @(#) $Id$ */
-
-/* Copyright (C) 2009 Trend Micro Inc.
- * All right reserved.
- *
- * This program is a free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software 
- * Foundation
- */
-
-/* Basic e-mailing operations */
-
-
-#include "shared.h"
-#include "rules.h"
-#include "alerts.h"
-#include "config.h"
-#include "active-response.h"
-
-#include "os_net/os_net.h"
-#include "os_regex/os_regex.h"
-#include "os_execd/execd.h"
-
-#include "eventinfo.h"
-
-
-/* OS_Exec v0.1 
- */
-void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
-{
-    char exec_msg[OS_SIZE_1024 +1];
-    char *ip;
-    char *user;
-
-
-    /* Cleaning the IP */
-    if(lf->srcip && (ar->ar_cmd->expect & SRCIP))
-    {
-        ip = strrchr(lf->srcip, ':');
-        if(ip)
-        {
-            ip++;
-        }
-        else
-        {
-            ip = lf->srcip;
-        }
-
-
-        /* Checking if IP is to ignored */
-        if(Config.white_list)
-        {
-            if(OS_IPFoundList(ip, Config.white_list))
-            {
-                return;
-            }
-        }
-
-        /* Checking if it is a hostname */
-        if(Config.hostname_white_list)
-        {
-            int srcip_size;
-            OSMatch **wl;
-
-            srcip_size = strlen(ip);
-        
-            wl = Config.hostname_white_list;
-            while(*wl)
-            {
-                if(OSMatch_Execute(ip, srcip_size, *wl))
-                    return;
-                wl++;
-            }
-        }
-    }
-    else
-    {
-        ip = "-";
-    }
-   
-   
-    /* Getting username */
-    if(lf->dstuser && (ar->ar_cmd->expect & USERNAME))
-    {
-        user = lf->dstuser;
-    }
-    else
-    {
-        user = "-";
-    }
-
-
-    /* active response on the server. 
-     * The response must be here if the ar->location is set to AS
-     * or the ar->location is set to local (REMOTE_AGENT) and the
-     * event location is from here.
-     */         
-    if((ar->location & AS_ONLY) ||
-      ((ar->location & REMOTE_AGENT) && (lf->location[0] != '(')) )
-    {
-        if(!(Config.ar & LOCAL_AR))
-            return;
-            
-        snprintf(exec_msg, OS_SIZE_1024,
-                "%s %s %s %d.%ld %d %s",
-                ar->name,
-                user,
-                ip,
-                lf->time,
-                __crt_ftell,
-                lf->generated_rule->sigid,
-                lf->location);
-
-        if(OS_SendUnix(*execq, exec_msg, 0) < 0)
-        {
-            merror("%s: Error communicating with execd.", ARGV0);
-        }
-    }
-   
-
-    /* Active response to the forwarder */ 
-    else if((Config.ar & REMOTE_AR) && (lf->location[0] == '('))
-    {
-        int rc;
-        snprintf(exec_msg, OS_SIZE_1024,
-                "%s %c%c%c %s %s %s %s %d.%ld %d %s",
-                lf->location,
-                (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
-                (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
-                (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
-                ar->agent_id != NULL? ar->agent_id: "(null)",
-                ar->name,
-                user,
-                ip,
-                lf->time,
-                __crt_ftell,
-                lf->generated_rule->sigid,
-                lf->location);
-       
-        if((rc = OS_SendUnix(*arq, exec_msg, 0)) < 0)
-        {
-            if(rc == OS_SOCKBUSY)
-            {
-                merror("%s: AR socket busy.", ARGV0);
-            }
-            else
-            {
-                merror("%s: AR socket error (shutdown?).", ARGV0);   
-            }
-            merror("%s: Error communicating with ar queue (%d).", ARGV0, rc);
-        }
-    }
-    
-    return;
-}
-
-/* EOF */

File src/analysisd/alerts/exec.h

-/* @(#) $Id$ */
-
-/* Copyright (C) 2009 Trend Micro Inc.
- * All right reserved.
- *
- * This program is a free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software 
- * Foundation
- */
-
-
-#ifndef _EXEC__H
-
-#define _EXEC__H
-
-#include "eventinfo.h"
-#include "active-response.h"
-
-void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar);
-
-#endif

File src/analysisd/alerts/getloglocation.c

-/* @(#) $Id$ */
-
-/* Copyright (C) 2009 Trend Micro Inc.
- * All right reserved.
- *
- * This program is a free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software 
- * Foundation
- */
-
-
-/* Get the log directory/file based on the day/month/year */
-
-
-/* analysisd headers */
-#include "getloglocation.h"
-
-int __crt_day;
-char __elogfile[OS_FLSIZE+1];
-char __alogfile[OS_FLSIZE+1];
-char __flogfile[OS_FLSIZE+1];
-	
-/* OS_InitLog */    
-void OS_InitLog()
-{
-    OS_InitFwLog();
-
-    __crt_day = 0;
-    
-    /* alerts and events log file */    
-    memset(__alogfile,'\0',OS_FLSIZE +1); 
-    memset(__elogfile,'\0',OS_FLSIZE +1); 
-    memset(__flogfile,'\0',OS_FLSIZE +1); 
-
-    _eflog = NULL;
-    _aflog = NULL;
-    _fflog = NULL;
-    
-    /* Setting the umask */
-    umask(0027);
-}
-
-
-/* gzips a log file 
-int OS_CompressLog(int yesterday, char *prev_month, int prev_year)
-
-  -- moved to monitord.	  
-*/      
-
-
-
-
-/* OS_GetLogLocation: v0.1, 2005/04/25 */
-int OS_GetLogLocation(Eventinfo *lf)
-{
-    /* Checking what directories to create 
-     * Checking if the year directory is there.
-     * If not, create it. Same for the month directory.
-     */
-     
-    /* For the events */
-    if(_eflog)
-    {
-        if(ftell(_eflog) == 0)
-            unlink(__elogfile);
-        fclose(_eflog);
-        _eflog = NULL;
-    }
-    
-    snprintf(__elogfile,OS_FLSIZE,"%s/%d/", EVENTS, lf->year);
-    if(IsDir(__elogfile) == -1)
-        if(mkdir(__elogfile,0770) == -1)
-        {
-            ErrorExit(MKDIR_ERROR,ARGV0,__elogfile);
-        }
-
-    snprintf(__elogfile,OS_FLSIZE,"%s/%d/%s", EVENTS, lf->year,lf->mon);
-
-    if(IsDir(__elogfile) == -1)
-        if(mkdir(__elogfile,0770) == -1)
-        {
-            ErrorExit(MKDIR_ERROR,ARGV0,__elogfile);
-        }
-
-
-    /* Creating the logfile name */
-    snprintf(__elogfile,OS_FLSIZE,"%s/%d/%s/ossec-%s-%02d.log",
-            EVENTS,
-            lf->year,
-            lf->mon,
-            "archive",
-            lf->day);
-
-
-    _eflog = fopen(__elogfile,"a");
-    if(!_eflog)
-        ErrorExit("%s: Error opening logfile: '%s'",ARGV0,__elogfile);
-    
-    /* Creating a symlink */
-    unlink(EVENTS_DAILY);
-    link(__elogfile, EVENTS_DAILY);
-    
-
-    /* for the alerts logs */
-    if(_aflog)
-    {
-        if(ftell(_aflog) == 0)
-            unlink(__alogfile);
-        fclose(_aflog);
-        _aflog = NULL;
-    }
-                            
-    snprintf(__alogfile,OS_FLSIZE,"%s/%d/", ALERTS, lf->year);
-    if(IsDir(__alogfile) == -1)
-        if(mkdir(__alogfile,0770) == -1)
-        {
-            ErrorExit(MKDIR_ERROR,ARGV0,__alogfile);
-        }
-
-    snprintf(__alogfile,OS_FLSIZE,"%s/%d/%s", ALERTS, lf->year,lf->mon);
-
-    if(IsDir(__alogfile) == -1)
-        if(mkdir(__alogfile,0770) == -1)
-        {
-            ErrorExit(MKDIR_ERROR,ARGV0,__alogfile);
-        }
-
-
-    /* Creating the logfile name */
-    snprintf(__alogfile,OS_FLSIZE,"%s/%d/%s/ossec-%s-%02d.log",
-            ALERTS,
-            lf->year,
-            lf->mon,
-            "alerts",
-            lf->day);
-
-    _aflog = fopen(__alogfile,"a");
-    
-    if(!_aflog)
-        ErrorExit("%s: Error opening logfile: '%s'",ARGV0,__alogfile);
-    
-    /* Creating a symlink */
-    unlink(ALERTS_DAILY);
-    link(__alogfile, ALERTS_DAILY);
-            
-
-    /* For the firewall events */
-    if(_fflog)
-    {
-        if(ftell(_fflog) == 0)
-            unlink(__flogfile);
-        fclose(_fflog);
-        _fflog = NULL;
-    }
-                            
-    snprintf(__flogfile,OS_FLSIZE,"%s/%d/", FWLOGS, lf->year);
-    if(IsDir(__flogfile) == -1)
-        if(mkdir(__flogfile,0770) == -1)
-        {
-            ErrorExit(MKDIR_ERROR,ARGV0,__flogfile);
-        }
-
-    snprintf(__flogfile,OS_FLSIZE,"%s/%d/%s", FWLOGS, lf->year,lf->mon);
-
-    if(IsDir(__flogfile) == -1)
-        if(mkdir(__flogfile,0770) == -1)
-        {
-            ErrorExit(MKDIR_ERROR,ARGV0,__flogfile);
-        }
-
-
-    /* Creating the logfile name */
-    snprintf(__flogfile,OS_FLSIZE,"%s/%d/%s/ossec-%s-%02d.log",
-            FWLOGS,
-            lf->year,
-            lf->mon,
-            "firewall",
-            lf->day);
-
-    _fflog = fopen(__flogfile,"a");
-
-    if(!_fflog)
-        ErrorExit("%s: Error opening logfile: '%s'",ARGV0,__flogfile);
-
-
-    /* Creating a symlink */
-    unlink(FWLOGS_DAILY);
-    link(__flogfile, FWLOGS_DAILY);
-            
-
-    /* Setting the new day */        
-    __crt_day = lf->day;
-
-    return(0);
-}
-
-/* EOF */

File src/analysisd/alerts/getloglocation.h

-/* @(#) $Id$ */
-
-/* Copyright (C) 2009 Trend Micro Inc.
- * All right reserved.
- *
- * This program is a free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
- * Foundation
- */
-
-
-#ifndef __GETLL_H
-
-#define __GETLL_H
-
-#include "eventinfo.h"
-
-/*
- * Start the log location (need to be called before getlog)
- *
- */
-void OS_InitLog();
-
-void OS_InitFwLog();
-
-/*
- * Get the log file based on the date/logtype/
- *
- * @param lf        Event structure
- *
- * @retval 0        success
- *         -1       error 
- */
-int OS_GetLogLocation(Eventinfo *lf);
-
-
-FILE *_eflog;
-FILE *_aflog;
-FILE *_fflog;
-
-#endif /* GETLL_H */

File src/analysisd/alerts/log.c

-/* @(#) $Id$ */
-
-/* Copyright (C) 2009 Trend Micro Inc.
- * All right reserved.
- *
- * This program is a free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software 
- * Foundation
- */
-
-
-#include "shared.h"
-#include "log.h"
-#include "alerts.h"
-#include "getloglocation.h"
-#include "rules.h"
-#include "eventinfo.h"
-#include "config.h"
-
-
-/* Drop/allow patterns */
-OSMatch FWDROPpm;
-OSMatch FWALLOWpm;
-
-
-/* OS_Store: v0.2, 2005/02/10 */
-/* Will store the events in a file 
- * The string must be null terminated and contain
- * any necessary new lines, tabs, etc.
- *
- */
-void OS_Store(Eventinfo *lf)
-{
-    fprintf(_eflog,
-            "%d %s %02d %s %s%s%s %s\n",
-            lf->year,
-            lf->mon,
-            lf->day,
-            lf->hour,
-            lf->hostname != lf->location?lf->hostname:"",
-            lf->hostname != lf->location?"->":"",
-            lf->location,
-            lf->full_log);
-
-    fflush(_eflog); 
-    return;	
-}
-
-
-
-void OS_LogOutput(Eventinfo *lf)
-{
-    printf(
-           "** Alert %d.%ld:%s - %s\n"
-            "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'\n"
-            "Src IP: %s\nUser: %s\n%.1256s\n",
-            lf->time,
-            __crt_ftell,
-            lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
-            lf->generated_rule->group,
-            lf->year,
-            lf->mon,
-            lf->day,
-            lf->hour,
-            lf->hostname != lf->location?lf->hostname:"",
-            lf->hostname != lf->location?"->":"",
-            lf->location,
-            lf->generated_rule->sigid,
-            lf->generated_rule->level,
-            lf->generated_rule->comment,
-            lf->srcip == NULL?"(none)":lf->srcip,
-            lf->dstuser == NULL?"(none)":lf->dstuser,
-            lf->full_log);
-
-
-    /* Printing the last events if present */
-    if(lf->generated_rule->last_events)
-    {
-        char **lasts = lf->generated_rule->last_events;
-        while(*lasts)
-        {
-            printf("%.1256s\n",*lasts);
-            lasts++;
-        }
-        lf->generated_rule->last_events[0] = NULL;
-    }
-
-    printf("\n");
-
-    fflush(stdout);
-    return;	
-}
-
-
-
-/* OS_Log: v0.3, 2006/03/04 */
-/* _writefile: v0.2, 2005/02/09 */
-void OS_Log(Eventinfo *lf)
-{
-    /* Writting to the alert log file */
-    fprintf(_aflog,
-            "** Alert %d.%ld:%s - %s\n"
-            "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'\n"
-            "Src IP: %s\nUser: %s\n%.1256s\n",
-            lf->time,
-            __crt_ftell,
-            lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
-            lf->generated_rule->group,
-            lf->year,
-            lf->mon,
-            lf->day,
-            lf->hour,
-            lf->hostname != lf->location?lf->hostname:"",
-            lf->hostname != lf->location?"->":"",
-            lf->location,
-            lf->generated_rule->sigid,
-            lf->generated_rule->level,
-            lf->generated_rule->comment,
-            lf->srcip == NULL?"(none)":lf->srcip,
-            lf->dstuser == NULL?"(none)":lf->dstuser,
-            lf->full_log);
-
-
-    /* Printing the last events if present */
-    if(lf->generated_rule->last_events)
-    {
-        char **lasts = lf->generated_rule->last_events;
-        while(*lasts)
-        {
-            fprintf(_aflog,"%.1256s\n",*lasts);
-            lasts++;
-        }
-        lf->generated_rule->last_events[0] = NULL;
-    }
-
-    fprintf(_aflog,"\n");
-
-    fflush(_aflog);
-    return;	
-}
-
-
-
-void OS_InitFwLog()
-{
-    /* Initializing fw log regexes */
-    if(!OSMatch_Compile(FWDROP, &FWDROPpm, 0))
-    {
-        ErrorExit(REGEX_COMPILE, ARGV0, FWDROP,
-                FWDROPpm.error);
-    }
-
-    if(!OSMatch_Compile(FWALLOW, &FWALLOWpm, 0))
-    {
-        ErrorExit(REGEX_COMPILE, ARGV0, FWALLOW,
-                FWALLOWpm.error);
-    }
-                    
-}
-
-
-/* FW_Log: v0.1, 2005/12/30 */
-int FW_Log(Eventinfo *lf)
-{
-    /* If we don't have the srcip or the
-     * action, there is no point in going
-     * forward over here
-     */
-    if(!lf->action || !lf->srcip)
-    {
-        return(0);
-    }
-
-
-    /* Setting the actions */
-    switch(*lf->action)
-    {
-        /* discard, drop, deny, */
-        case 'd':
-        case 'D':
-        /* reject, */
-        case 'r':
-        case 'R':
-        /* block */
-        case 'b':
-        case 'B':
-            os_free(lf->action);
-            os_strdup("DROP", lf->action);
-            break;
-        /* Closed */
-        case 'c':
-        case 'C':
-        /* Teardown */
-        case 't':
-        case 'T':
-            os_free(lf->action);
-            os_strdup("CLOSED", lf->action);
-            break;
-        /* allow, accept, */    
-        case 'a':
-        case 'A':
-        /* pass/permitted */
-        case 'p':
-        case 'P':
-        /* open */
-        case 'o':
-        case 'O':    
-            os_free(lf->action);
-            os_strdup("ALLOW", lf->action);        
-            break;
-        default:
-            if(OSMatch_Execute(lf->action,strlen(lf->action),&FWDROPpm))
-            {
-                os_free(lf->action);
-                os_strdup("DROP", lf->action);
-            }
-            if(OSMatch_Execute(lf->action,strlen(lf->action),&FWALLOWpm))
-            {
-                os_free(lf->action);
-                os_strdup("ALLOW", lf->action);
-            }
-            else
-            {
-                os_free(lf->action);
-                os_strdup("UNKNOWN", lf->action);
-            }
-            break;    
-    }
-
-
-    /* log to file */
-    fprintf(_fflog,
-            "%d %s %02d %s %s%s%s %s %s %s:%s->%s:%s\n",
-            lf->year,
-            lf->mon,
-            lf->day,
-            lf->hour,
-            lf->hostname != lf->location?lf->hostname:"",
-            lf->hostname != lf->location?"->":"",
-            lf->location,
-            lf->action,
-            lf->protocol,
-            lf->srcip,
-            lf->srcport,
-            lf->dstip,
-            lf->dstport);
-    
-    fflush(_fflog);
-
-    return(1);
-}
-
-/* EOF */

File src/analysisd/alerts/log.h

-/* @(#) $Id$ */
-
-/* Copyright (C) 2009 Trend Micro Inc.
- * All right reserved.
- *
- * This program is a free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software 
- * Foundation
- */
-
-/* Basic logging operations */
-
-#ifndef __LOG_H
-#define __LOG_H
-
-#include "eventinfo.h"
-
-#define FWDROP "drop"
-#define FWALLOW "accept"
-
-void OS_LogOutput(Eventinfo *lf);
-void OS_Log(Eventinfo *lf);
-void OS_Store(Eventinfo *lf);
-int FW_Log(Eventinfo *lf);
-
-#endif
-
-

File src/analysisd/alerts/mail.c

-/*   $OSSEC, mail.c, v0.2, 2005/02/10, Daniel B. Cid$   */
-
-/* Copyright (C) 2009 Trend Micro Inc.
- * All right reserved.
- *
- * This program is a free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software 
- * Foundation
- */
-
-/* Basic e-mailing operations */
-
-/* EOF */

File src/analysisd/analysisd.c

-/* @(#) $Id$ */
-
-/* Copyright (C) 2010 Trend Micro Inc.
- * All rights reserved.
- *
- * This program is a free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
- * Foundation.
- *
- * License details at the LICENSE file included with OSSEC or 
- * online at: http://www.ossec.net/en/licensing.html
- */
-
-
-/* Part of the OSSEC
- * Available at http://www.ossec.net
- */
-  
-
-/* ossec-analysisd.
- * Responsible for correlation and log decoding.
- */
-
-#ifndef ARGV0
-   #define ARGV0 "ossec-analysisd"
-#endif
-
-#include "shared.h"
-
-#include "alerts/alerts.h"
-#include "alerts/getloglocation.h"
-#include "os_execd/execd.h"
-
-#include "os_regex/os_regex.h"
-#include "os_net/os_net.h"
-
-
-/** Local headers **/
-#include "active-response.h"
-#include "config.h"
-#include "rules.h"
-#include "stats.h"
-
-#include "eventinfo.h"
-#include "analysisd.h"
-
-#include "picviz.h"
-
-#ifdef PRELUDE
-#include "prelude.h"
-#endif
-
-
-/** Global data **/
-
-/* execd queue */
-int execdq = 0;
-
-/* active response queue */
-int arq = 0;
-
-
-/** Internal Functions **/
-void OS_ReadMSG(int m_queue);
-RuleInfo *OS_CheckIfRuleMatch(Eventinfo *lf, RuleNode *curr_node);
-
-
-/** External functions prototypes (only called here) **/
-
-/* For config  */
-int GlobalConf(char * cfgfile);
-
-
-/* For rules */
-void Rules_OP_CreateRules();
-void Lists_OP_CreateLists();
-int Rules_OP_ReadRules(char * cfgfile);
-int _setlevels(RuleNode *node, int nnode);
-int AddHash_Rule(RuleNode *node);
-
-
-/* For cleanmsg */
-int OS_CleanMSG(char *msg, Eventinfo *lf);
-
-
-/* for FTS */
-int FTS_Init();
-int FTS(Eventinfo *lf);
-int AddtoIGnore(Eventinfo *lf);
-int IGnore(Eventinfo *lf);
-int doDiff(RuleInfo *currently_rule, Eventinfo *lf);
-
-
-/* For decoders */
-void DecodeEvent(Eventinfo *lf);
-int DecodeSyscheck(Eventinfo *lf);
-int DecodeRootcheck(Eventinfo *lf);
-int DecodeHostinfo(Eventinfo *lf);
- 
-
-/* For Decoders */
-int ReadDecodeXML(char *file);
-int SetDecodeXML();
-
-
-/* For syscheckd (integrity checking) */
-void SyscheckInit();
-void RootcheckInit();
-void HostinfoInit();
-
-
-/* For stats */
-int Start_Hour();
-int Check_Hour(Eventinfo *lf);
-void Update_Hour();
-void DumpLogstats();
-
-/* Hourly alerts */
-int hourly_alerts;
-int hourly_events;
-int hourly_syscheck;
-int hourly_firewall;
-
-
-/** int main(int argc, char **argv)
- */
-#ifndef TESTRULE 
-int main(int argc, char **argv)
-#else
-int main_analysisd(int argc, char **argv)
-#endif
-{
-    int c = 0, m_queue = 0, test_config = 0,run_foreground = 0;
-    char *dir = DEFAULTDIR;
-    char *user = USER;
-    char *group = GROUPGLOBAL;
-    int uid = 0,gid = 0;
-
-    char *cfg = DEFAULTCPATH;
-
-    /* Setting the name */
-    OS_SetName(ARGV0);
-
-    thishour = 0;
-    today = 0;
-    prev_year = 0;
-    memset(prev_month, '\0', 4);
-    hourly_alerts = 0;
-    hourly_events = 0;
-    hourly_syscheck = 0;
-    hourly_firewall = 0;
-
-    while((c = getopt(argc, argv, "Vtdhfu:g:D:c:")) != -1){
-        switch(c){
-	    case 'V':
-		print_version();
-		break;
-            case 'h':
-                help(ARGV0);
-                break;
-            case 'd':
-                nowDebug();
-                break;
-            case 'f':
-                run_foreground = 1;
-                break;
-            case 'u':
-                if(!optarg)
-                    ErrorExit("%s: -u needs an argument",ARGV0);
-                user = optarg;
-                break;
-            case 'g':
-                if(!optarg)
-                    ErrorExit("%s: -g needs an argument",ARGV0);
-                group = optarg;
-                break;
-            case 'D':
-                if(!optarg)
-                    ErrorExit("%s: -D needs an argument",ARGV0);
-                dir = optarg;
-            case 'c':
-                if(!optarg)
-                    ErrorExit("%s: -c needs an argument",ARGV0);
-                cfg = optarg;
-                break;
-            case 't':
-                test_config = 1;    
-                break;
-            default:
-                help(ARGV0);
-                break;
-        }
-
-    }
-
-
-    /* Starting daemon */
-    debug1(STARTED_MSG,ARGV0);
-    DEBUG_MSG("%s: DEBUG: Starting on debug mode - %d ", ARGV0, (int)time(0));
-
-    
-    /*Check if the user/group given are valid */
-    uid = Privsep_GetUser(user);
-    gid = Privsep_GetGroup(group);
-    if((uid < 0)||(gid < 0))
-        ErrorExit(USER_ERROR,ARGV0,user,group);
-
-
-    /* Found user */
-    debug1(FOUND_USER, ARGV0);
-
-    
-    /* Initializing Active response */
-    AR_Init();
-    if(AR_ReadConfig(test_config, cfg) < 0)
-    {
-        ErrorExit(CONFIG_ERROR,ARGV0, cfg);
-    }
-    debug1(ASINIT, ARGV0);
-    
-    
-    /* Reading configuration file */
-    if(GlobalConf(cfg) < 0)
-    {
-        ErrorExit(CONFIG_ERROR,ARGV0, cfg);
-    }
-
-    debug1(READ_CONFIG, ARGV0);
-        
-
-    /* Fixing Config.ar */
-    Config.ar = ar_flag;
-    if(Config.ar == -1)
-        Config.ar = 0;
-        
-    
-    /* Getting servers hostname */
-    memset(__shost, '\0', 512);
-    if(gethostname(__shost, 512 -1) != 0)
-    {
-        strncpy(__shost, OSSEC_SERVER, 512 -1);    
-    }
-    else
-    {
-        char *_ltmp;
-
-        /* Remove domain part if available */
-        _ltmp = strchr(__shost, '.');
-        if(_ltmp)
-            *_ltmp = '\0';
-    }
-    
-    /* going on Daemon mode */
-    if(!test_config || !run_foreground)
-    {
-        nowDaemon();
-        goDaemon();
-    }
-    
-
-    /* Starting prelude */
-    #ifdef PRELUDE
-    if(Config.prelude)
-    {
-        prelude_start(Config.prelude_profile, argc, argv);
-    }
-    #endif
-
-
-    /* Opening the Picviz socket */
-    if(Config.picviz)
-    {
-        OS_PicvizOpen(Config.picviz_socket);
-        chown(Config.picviz_socket, uid, gid);
-    }
-
-    /* Setting the group */	
-    if(Privsep_SetGroup(gid) < 0)
-        ErrorExit(SETGID_ERROR,ARGV0,group);
-
-    /* Chrooting */
-    if(Privsep_Chroot(dir) < 0)
-        ErrorExit(CHROOT_ERROR,ARGV0,dir);
-
-
-    nowChroot();
-    
-    
-
-    /*
-     * Anonymous Section: Load rules, decoders, and lists 
-     *
-     * As lists require two pass loading of rules that make use of list lookups
-     * are created with blank database structs, and need to be filled in after 
-     * completion of all rules and lists. 
-     */
-    {
-        {
-            /* Initializing the decoders list */
-            OS_CreateOSDecoderList();
-
-            if(!Config.decoders) 
-            { /* Legacy loading */
-                /* Reading decoders */
-                if(!ReadDecodeXML(XML_DECODER))
-                {
-                    ErrorExit(CONFIG_ERROR, ARGV0,  XML_DECODER);
-                }
-
-                /* Reading local ones. */
-                c = ReadDecodeXML(XML_LDECODER);
-                if(!c)
-                {
-                    if((c != -2))
-                        ErrorExit(CONFIG_ERROR, ARGV0,  XML_LDECODER);
-                }
-                else
-                {
-                    if(!test_config)
-                        verbose("%s: INFO: Reading local decoder file.", ARGV0);
-                }
-            }
-            else
-            { /* New loaded based on file speified in ossec.conf */
-                char **decodersfiles;
-                decodersfiles = Config.decoders;
-                while( decodersfiles && *decodersfiles)
-                {
-                    if(!test_config)
-                        verbose("%s: INFO: Reading decoder file %s.", ARGV0, *decodersfiles);
-                    if(!ReadDecodeXML(*decodersfiles))
-                        ErrorExit(CONFIG_ERROR, ARGV0, *decodersfiles);
-                    
-                    free(*decodersfiles);    
-                    decodersfiles++;    
-                }
-            }
-
-            /* Load decoders */
-            SetDecodeXML();
-        }
-        { /* Load Lists */
-            /* Initializing the lists of list struct */
-            Lists_OP_CreateLists(); 
-            /* Load each list into list struct */
-            {
-                char **listfiles;
-                listfiles = Config.lists;
-                while(listfiles && *listfiles)
-                {
-                    if(!test_config)
-                        verbose("%s: INFO: Reading loading the lists file: '%s'", ARGV0, *listfiles);
-                    if(Lists_OP_LoadList(*listfiles) < 0)
-                        ErrorExit(LISTS_ERROR, ARGV0, *listfiles);
-                    free(*listfiles);
-                    listfiles++;
-                }
-                free(Config.lists);
-                Config.lists = NULL;
-            }
-        }
-        { /* Load Rules */
-            /* Creating the rules list */
-            Rules_OP_CreateRules();
-
-            /* Reading the rules */
-            {
-                char **rulesfiles;
-                rulesfiles = Config.includes;
-                while(rulesfiles && *rulesfiles)
-                {
-                    if(!test_config)
-                        verbose("%s: INFO: Reading rules file: '%s'", ARGV0, *rulesfiles);
-                    if(Rules_OP_ReadRules(*rulesfiles) < 0)
-                        ErrorExit(RULES_ERROR, ARGV0, *rulesfiles);
-                        
-                    free(*rulesfiles);    
-                    rulesfiles++;    
-                }
-
-                free(Config.includes);
-                Config.includes = NULL;
-            }
-            
-            /* Find all rules with that require list lookups and attache the
-             * the correct list struct to the rule.  This keeps rules from having to 
-             * search thought the list of lists for the correct file during rule evaluation.
-             */
-            OS_ListLoadRules();
-        }
-    }
-
-    
-    /* Fixing the levels/accuracy */
-    {
-        int total_rules;
-        RuleNode *tmp_node = OS_GetFirstRule();
-
-        total_rules = _setlevels(tmp_node, 0);
-        if(!test_config)
-            verbose("%s: INFO: Total rules enabled: '%d'", ARGV0, total_rules);    
-    }
-
-
-
-    /* Creating a rules hash (for reading alerts from other servers). */
-    {
-        RuleNode *tmp_node = OS_GetFirstRule();
-        Config.g_rules_hash = OSHash_Create();
-        if(!Config.g_rules_hash)
-        {
-            ErrorExit(MEM_ERROR, ARGV0);
-        }
-        AddHash_Rule(tmp_node);
-    }
-
-   
-   
-    /* Ignored files on syscheck */
-    {
-        char **files;
-        files = Config.syscheck_ignore;
-        while(files && *files)
-        {
-            if(!test_config)
-                verbose("%s: INFO: Ignoring file: '%s'", ARGV0, *files);
-            files++;    
-        }
-    }
-
-
-    /* Checking if log_fw is enabled. */
-    Config.logfw = getDefine_Int("analysisd",
-                                 "log_fw",
-                                 0, 1);
-
-    
-    /* Success on the configuration test */
-    if(test_config)
-        exit(0);
-
-        
-    /* Verbose message */
-    debug1(PRIVSEP_MSG, ARGV0, dir, user);
-
-
-    /* Signal manipulation	*/
-    StartSIG(ARGV0);
-
-
-    /* Setting the user */ 
-    if(Privsep_SetUser(uid) < 0)
-        ErrorExit(SETUID_ERROR,ARGV0,user);
-    
-    
-    /* Creating the PID file */
-    if(CreatePID(ARGV0, getpid()) < 0)
-        ErrorExit(PID_ERROR,ARGV0);
-
-
-    /* Setting the queue */
-    if((m_queue = StartMQ(DEFAULTQUEUE,READ)) < 0)
-        ErrorExit(QUEUE_ERROR, ARGV0, DEFAULTQUEUE, strerror(errno));
-
-
-    /* White list */
-    if(Config.white_list == NULL)
-    {
-        if(Config.ar)
-            verbose("%s: INFO: No IP in the white list for active reponse.", ARGV0);
-    }
-    else
-    {
-        if(Config.ar)
-        {
-            os_ip **wl;
-            int wlc = 0;
-            wl = Config.white_list;
-            while(*wl)
-            {
-                verbose("%s: INFO: White listing IP: '%s'",ARGV0, (*wl)->ip);
-                wl++;wlc++;
-            }
-            verbose("%s: INFO: %d IPs in the white list for active response.",
-                    ARGV0, wlc);
-        }
-    }
-
-    /* Hostname White list */
-    if(Config.hostname_white_list == NULL)
-    {
-        if(Config.ar)
-            verbose("%s: INFO: No Hostname in the white list for active reponse.", 
-            ARGV0);
-    }
-    else
-    {
-        if(Config.ar)
-        {
-            int wlc = 0;
-            OSMatch **wl;
-            
-            wl = Config.hostname_white_list;
-            while(*wl)
-            {
-                char **tmp_pts = (*wl)->patterns;
-                while(*tmp_pts)
-                {
-                    verbose("%s: INFO: White listing Hostname: '%s'",ARGV0,*tmp_pts);
-                    wlc++;
-                    tmp_pts++;
-                }
-                wl++;
-            }
-            verbose("%s: INFO: %d Hostname(s) in the white list for active response.",
-                    ARGV0, wlc);
-        }
-    }
-
-
-    /* Start up message */
-    verbose(STARTUP_MSG, ARGV0, (int)getpid());
-
-
-    /* Going to main loop */	
-    OS_ReadMSG(m_queue);
-
-    if (Config.picviz) 
-    {
-        OS_PicvizClose();
-    }
-
-    exit(0);
-    
-}
-
-
-
-/* OS_ReadMSG.
- * Main function. Receives the messages(events)
- * and analyze them all.
- */
-#ifndef TESTRULE 
-void OS_ReadMSG(int m_queue)
-#else
-void OS_ReadMSG_analysisd(int m_queue)
-#endif
-{
-    int i;
-    char msg[OS_MAXSTR +1];
-    Eventinfo *lf;
-
-    RuleInfo *stats_rule;
-    
-
-    /* Null to global currently pointers */
-    currently_rule = NULL;
-
-    /* Initiating the logs */
-    OS_InitLog();
-
-
-    /* Initiating the integrity database */
-    SyscheckInit();
-
-
-    /* Initializing Rootcheck */
-    RootcheckInit();
-    
-   
-    /* Initializing host info */
-    HostinfoInit();
-    
-    
-    /* Creating the event list */
-    OS_CreateEventList(Config.memorysize);
-
-
-    /* Initiating the FTS list */
-    if(!FTS_Init())
-    {
-        ErrorExit(FTS_LIST_ERROR, ARGV0);
-    }
-    
-
-    /* Starting the active response queues */
-    if(Config.ar)
-    {
-        /* Waiting the ARQ to settle .. */
-        sleep(3);
-
-        
-        #ifndef LOCAL
-        if(Config.ar & REMOTE_AR)
-        {
-            if((arq = StartMQ(ARQUEUE, WRITE)) < 0)
-            {
-                merror(ARQ_ERROR, ARGV0);
-                
-                /* If LOCAL_AR is set, keep it there */
-                if(Config.ar & LOCAL_AR)
-                {
-                    Config.ar = 0;
-                    Config.ar|=LOCAL_AR;
-                }
-                else
-                {
-                    Config.ar = 0;
-                }
-            }
-            else
-            {
-                verbose(CONN_TO, ARGV0, ARQUEUE, "active-response");
-            }
-        }
-        
-        #else
-        /* Only for LOCAL_ONLY installs */
-        if(Config.ar & REMOTE_AR)
-        {
-            if(Config.ar & LOCAL_AR)
-            {
-                Config.ar = 0;
-                Config.ar|=LOCAL_AR;
-            }
-            else
-            {
-                Config.ar = 0;
-            }
-        }
-        #endif
-        
-        if(Config.ar & LOCAL_AR)
-        {
-            if((execdq = StartMQ(EXECQUEUE, WRITE)) < 0)
-            {
-                merror(ARQ_ERROR, ARGV0);
-                
-                /* If REMOTE_AR is set, keep it there */
-                if(Config.ar & REMOTE_AR)
-                {
-                    Config.ar = 0;
-                    Config.ar|=REMOTE_AR;
-                }
-                else
-                {
-                    Config.ar = 0;
-                }
-            }
-            else
-            {
-                verbose(CONN_TO, ARGV0, EXECQUEUE, "exec");
-            }
-        }
-    }
-    debug1("%s: DEBUG: Active response Init completed.", ARGV0);
-
-
-    /* Getting currently time before starting */
-    c_time = time(NULL);
-
-
-    /* Starting the hourly/weekly stats */
-    if(Start_Hour() < 0)
-        Config.stats = 0;
-    else
-    {
-        /* Initializing stats rules */
-        stats_rule = zerorulemember(
-                STATS_MODULE,
-                Config.stats,
-                0,0,0,0,0,0);
-
-        if(!stats_rule)
-        {
-            ErrorExit(MEM_ERROR, ARGV0);
-        }
-        stats_rule->group = "stats,";
-        stats_rule->comment = "Excessive number of events (above normal).";
-    }
-
-
-    /* Doing some cleanup */
-    memset(msg, '\0', OS_MAXSTR +1);
-    
-    
-    /* Initializing the logs */
-    {
-        lf = (Eventinfo *)calloc(1,sizeof(Eventinfo));
-        if(!lf)
-            ErrorExit(MEM_ERROR, ARGV0);
-        lf->year = prev_year;
-        strncpy(lf->mon, prev_month, 3);
-        lf->day = today;
-
-        if(OS_GetLogLocation(lf) < 0)
-        {
-            ErrorExit("%s: Error allocating log files", ARGV0);
-        }
-
-        Free_Eventinfo(lf);
-    }
-    
-    
-    debug1("%s: DEBUG: Startup completed. Waiting for new messages..",ARGV0);
-    
-
-    /* Daemon loop */
-    while(1)
-    {
-        lf = (Eventinfo *)calloc(1,sizeof(Eventinfo));
-        
-        /* This shouldn't happen .. */
-        if(lf == NULL)
-        {
-            ErrorExit(MEM_ERROR,ARGV0);
-        }
-    
-        DEBUG_MSG("%s: DEBUG: Waiting for msgs - %d ", ARGV0, (int)time(0));
-
-        
-        /* Receive message from queue */
-        if((i = OS_RecvUnix(m_queue, OS_MAXSTR, msg)))
-        {
-            RuleNode *rulenode_pt;
-
-            /* Getting the time we received the event */
-            c_time = time(NULL);
-
-
-            /* Default values for the log info */
-            Zero_Eventinfo(lf);
-
-
-            /* Checking for a valid message. */
-            if(i < 4)
-            {
-                merror(IMSG_ERROR, ARGV0, msg);
-                Free_Eventinfo(lf);
-                continue;
-            }
-            
-
-            /* Message before extracting header */
-            DEBUG_MSG("%s: DEBUG: Received msg: %s ", ARGV0, msg);
-
-            
-            /* Clean the msg appropriately */
-            if(OS_CleanMSG(msg, lf) < 0)
-            {
-                merror(IMSG_ERROR,ARGV0, msg);
-                Free_Eventinfo(lf);
-                continue;
-            }
-
-
-            /* Msg cleaned */
-            DEBUG_MSG("%s: DEBUG: Msg cleanup: %s ", ARGV0, lf->log);
-
-            
-            /* Currently rule must be null in here */
-            currently_rule = NULL;
-
-
-            /** Checking the date/hour changes **/
-
-            /* Update the hour */
-            if(thishour != __crt_hour)
-            {
-                /* Search all the rules and print the number
-                 * of alerts that each one fired.
-                 */
-                DumpLogstats();
-                thishour = __crt_hour;
-
-                /* Check if the date has changed */
-                if(today != lf->day)
-                {
-                    if(Config.stats)
-                    {
-                        /* Update the hourly stats (done daily) */
-                        Update_Hour();
-                    }
-
-                    if(OS_GetLogLocation(lf) < 0)
-                    {
-                        ErrorExit("%s: Error allocating log files", ARGV0);
-                    }
-
-                    today = lf->day;
-                    strncpy(prev_month, lf->mon, 3);
-                    prev_year = lf->year;
-                }
-            }
-            
-            
-            /* Incrementing number of events received */
-            hourly_events++;
-
-
-            /***  Running decoders ***/
-
-            /* Integrity check from syscheck */
-            if(msg[0] == SYSCHECK_MQ)
-            {
-                hourly_syscheck++;
-                
-                if(!DecodeSyscheck(lf))
-                {
-                    /* We don't process syscheck events further */
-                    goto CLMEM;
-                }
-
-                /* Getting log size */
-                lf->size = strlen(lf->log);
-            }
-
-            /* Rootcheck decoding */
-            else if(msg[0] == ROOTCHECK_MQ)
-            {
-                if(!DecodeRootcheck(lf))
-                {
-                    /* We don't process rootcheck events further */
-                    goto CLMEM;
-                }
-                lf->size = strlen(lf->log);
-            }
-
-            /* Host information special decoder */
-            else if(msg[0] == HOSTINFO_MQ)
-            {
-                if(!DecodeHostinfo(lf))
-                {
-                    /* We don't process hostinfo events further */
-                    goto CLMEM;
-                }
-                lf->size = strlen(lf->log);
-            }
-
-            /* Run the general Decoders  */
-            else
-            {
-                /* Getting log size */
-                lf->size = strlen(lf->log);
-
-                DecodeEvent(lf);
-            }
-            
-
-            /* Firewall event */
-            if(lf->decoder_info->type == FIREWALL)
-            {
-                /* If we could not get any information from
-                 * the log, just ignore it
-                 */
-                hourly_firewall++;  
-                if(Config.logfw)
-                {
-                    if(!FW_Log(lf))
-                    {
-                        goto CLMEM;
-                    }
-                }
-            }
-
-
-            /* We only check if the last message is
-             * duplicated on syslog.
-             */
-            else if(lf->decoder_info->type == SYSLOG)
-            {
-                /* Checking if the message is duplicated */
-                if(LastMsg_Stats(lf->full_log) == 1)
-                    goto CLMEM;
-                else
-                    LastMsg_Change(lf->full_log);
-            }
-
-
-            /* Stats checking */
-            if(Config.stats)
-            {
-                if(Check_Hour(lf) == 1)
-                {
-                    void *saved_rule = lf->generated_rule;
-                    char *saved_log;
-                    
-                    /* Saving previous log */
-                    saved_log = lf->full_log;
-                    
-                    lf->generated_rule = stats_rule;
-                    lf->full_log = __stats_comment;
-
-
-                    /* alert for statistical analysis */
-                    if(stats_rule->alert_opts & DO_LOGALERT)
-                    {
-                        __crt_ftell = ftell(_aflog);
-                        OS_Log(lf);
-                    }
-
-
-                    /* Set lf to the old values */
-                    lf->generated_rule = saved_rule;
-                    lf->full_log = saved_log;
-                }
-            }
-
-
-            /* Checking the rules */
-            DEBUG_MSG("%s: DEBUG: Checking the rules - %d ", 
-                           ARGV0, lf->decoder_info->type);
-
-            
-            /* Looping all the rules */
-            rulenode_pt = OS_GetFirstRule();
-            if(!rulenode_pt) 
-            {
-                ErrorExit("%s: Rules in an inconsistent state. Exiting.",
-                        ARGV0);
-            }
-
-
-            do
-            {
-                if(lf->decoder_info->type == OSSEC_ALERT)
-                {
-                    if(!lf->generated_rule)
-                    {
-                        goto CLMEM;            
-                    }
-                    
-                    /* We go ahead in here and process the alert. */
-                    currently_rule = lf->generated_rule;
-                }
-                
-                /* The categories must match */
-                else if(rulenode_pt->ruleinfo->category != 
-                        lf->decoder_info->type)
-                {
-                    continue;
-                }
-
-                /* Checking each rule. */
-                else if((currently_rule = OS_CheckIfRuleMatch(lf, rulenode_pt)) 
-                        == NULL)
-                {
-                    continue;
-                }
-
-
-                /* Ignore level 0 */
-                if(currently_rule->level == 0)
-                {
-                    break;
-                }
-
-
-                /* Checking ignore time */ 
-                if(currently_rule->ignore_time)
-                {
-                    if(currently_rule->time_ignored == 0)
-                    {
-                        currently_rule->time_ignored = lf->time;
-                    }
-                    /* If the currently time - the time the rule was ignored
-                     * is less than the time it should be ignored,
-                     * leave (do not alert again).
-                     */
-                    else if((lf->time - currently_rule->time_ignored) 
-                            < currently_rule->ignore_time)
-                    {
-                        break;
-                    }
-                    else
-                    {
-                        currently_rule->time_ignored = lf->time;
-                    }
-                }
-
-
-                /* Pointer to the rule that generated it */
-                lf->generated_rule = currently_rule;
-
-                
-                /* Checking if we should ignore it */
-                if(currently_rule->ckignore && IGnore(lf))