
Jeremy Rossi  committed 1809fb7

second set of patches from Atomic Secure Linux: This completes the ossec-dbd changes

  • Parent commits 75048ad


Files changed (4)

File src/headers/read-alert.h

 {
     int rule;
     int level;
+    char *alertid;
     char *date;
     char *location;
     char *comment;
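Review bot: The new `alertid` member carries no note on ownership or nullability, unlike nothing else in this struct but unlike what the other files in this commit rely on: read-alert.c stores a heap buffer here and alert.c passes it straight into an SQL statement. A one-line comment such as `char *alertid;   /* heap-owned id text from the alert header; NULL if none was parsed */` would make both the free obligation and the NULL case explicit for whoever frees this struct. The struct definition starts and ends outside the hunk.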

File src/os_dbd/alert.c

     /* Generating final SQL */
     snprintf(sql_query, OS_SIZE_8192,
             "INSERT INTO "
-            "alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port) "
-            "VALUES ('%u', '%u', '%u','%u', '%u', '%lu', '%u', '%lu', '%u')",
+            "alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) "
+            "VALUES ('%u', '%u', '%u','%u', '%u', '%lu', '%u', '%lu', '%u', '%s')",
             db_config->alert_id, db_config->server_id, al_data->rule,
             (unsigned int)time(0), *loc_id,
             (unsigned long)ntohl(s_ip), (unsigned short)s_port,
-            (unsigned long)ntohl(d_ip), (unsigned short)d_port);
+            (unsigned long)ntohl(d_ip), (unsigned short)d_port,
+            al_data->alertid);
 
 
     /* Inserting into the db */
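Review bot: `al_data->alertid` is formatted into the INSERT with `%s` on the new VALUES line, and it is the only non-numeric value in the statement, so any quote or backslash in the parsed id would break or alter the query; escape it with the database driver's string-escaping routine (or bind it as a parameter) before it reaches snprintf, and pair that with a character whitelist at the parser. The value can also be NULL when no alert header was parsed, and passing NULL to `%s` is undefined behaviour, so use `al_data->alertid ? al_data->alertid : ""` or skip the insert. The snprintf return value is still unchecked, so a query longer than OS_SIZE_8192 is silently truncated; the previous all-numeric query made that unreachable in practice, the new string argument does not. The enclosing function starts and ends outside the hunk.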

File src/os_dbd/mysql.schema

     dst_ip          INT         UNSIGNED,
     src_port        SMALLINT    UNSIGNED,
     dst_port        SMALLINT    UNSIGNED,
+    alertid         TINYTEXT    DEFAULT NULL,
     PRIMARY KEY (id, server_id),
     INDEX       time (timestamp),
     INDEX       (rule_id),
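Review bot: Only mysql.schema gains the `alertid` column while the INSERT in src/os_dbd/alert.c now names it unconditionally, so if a PostgreSQL schema ships alongside this one (not visible in this commit) inserts on that backend would fail with an unknown-column error until it is updated as well. Existing installations also need a migration such as `ALTER TABLE alert ADD COLUMN alertid TINYTEXT DEFAULT NULL;`, which the commit neither provides nor documents. A trailing comment stating what the id text looks like would help the next reader decide whether TINYTEXT is the right type.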

File src/shared/read-alert.c

     int _r = 0, log_size;
     char *p;
 
+    char *alertid = NULL;
     char *date = NULL;
     char *comment = NULL;
     char *location = NULL;
             {
                 alert_data *al_data;
                 os_calloc(1, sizeof(alert_data), al_data);
+                al_data->alertid = alertid;
                 al_data->level = level;
                 al_data->rule = rule;
                 al_data->location = location;
         if(strncmp(ALERT_BEGIN, str, ALERT_BEGIN_SZ) == 0)
         {
             p = str + ALERT_BEGIN_SZ + 1;
+
+            char * m = strstr(p, ":");
+            if (!m)
+            {
+                continue;
+            }
+
+            int z = strlen(p) - strlen(m);
+            os_realloc(alertid, (z + 1)*sizeof(char *), alertid);
+            strncpy(alertid, p, z);
+            alertid[z] = '\0';
             
             /* Searching for email flag */
             p = strchr(p, ' ');
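Review bot: The size passed to `os_realloc` on the new header-parsing lines is `(z + 1)*sizeof(char *)`, which over-allocates the id buffer by a factor of the pointer size; the buffer holds chars, so `z + 1` is the intended size. `int z = strlen(p) - strlen(m)` walks the string twice and stores a size_t difference in an int, while `size_t z = (size_t)(m - p)` gives the same length directly since `m` is found inside `p`; `strstr(p, ":")` for a single character and `strncpy` for a known-length copy are likewise clearer as `strchr(p, ':')` and `memcpy`. Because this id ends up inside an SQL string in alert.c, this parser is the right place to reject anything outside the expected id alphabet rather than storing arbitrary header text, and the `continue` on a missing colon also skips the rest of the header line (email flag, date, location), so a malformed header silently loses those fields — worth a comment if that is intended. The enclosing function starts outside the hunk, and it is not visible here whether `alertid` is released on the paths that return without building an alert_data.
```c
            p = str + ALERT_BEGIN_SZ + 1;

            char *m = strchr(p, ':');
            if (!m)
            {
                continue;
            }

            size_t z = (size_t)(m - p);
            os_realloc(alertid, z + 1, alertid);
            memcpy(alertid, p, z);
            alertid[z] = '\0';
            /* … unchanged: email flag search … */
```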