
Jeremy Rossi  committed 75048ad

Patches from atomic secure linux: Adding src and dst ip and ports to the database.

  • Parent commits 559cec8
  • Branches default


Files changed (4)

File src/analysisd/alerts/log.c

     printf(
            "** Alert %d.%ld:%s - %s\n"
             "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'\n"
-            "Src IP: %s\nUser: %s\n%.1256s\n",
+            "Src IP: %s\nSrc Port: %s\nDst IP: %s\nDst Port: %s\nUser: %s\n%.1256s\n",
             lf->time,
             __crt_ftell,
             lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
             lf->generated_rule->level,
             lf->generated_rule->comment,
             lf->srcip == NULL?"(none)":lf->srcip,
+            lf->srcport == NULL?"(none)":lf->srcport,
+            lf->dstip == NULL?"(none)":lf->dstip,
+            lf->dstport == NULL?"(none)":lf->dstport,
             lf->dstuser == NULL?"(none)":lf->dstuser,
             lf->full_log);
 
     fprintf(_aflog,
             "** Alert %d.%ld:%s - %s\n"
             "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'\n"
-            "Src IP: %s\nUser: %s\n%.1256s\n",
+            "Src IP: %s\nSrc Port: %s\nDst IP: %s\nDst Port: %s\nUser: %s\n%.1256s\n",
             lf->time,
             __crt_ftell,
             lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
             lf->generated_rule->level,
             lf->generated_rule->comment,
             lf->srcip == NULL?"(none)":lf->srcip,
+            lf->srcport == NULL?"(none)":lf->srcport,
+            lf->dstip == NULL?"(none)":lf->dstip,
+            lf->dstport == NULL?"(none)":lf->dstport,
             lf->dstuser == NULL?"(none)":lf->dstuser,
             lf->full_log);
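Review bot: The six-line alert format literal is now duplicated byte-for-byte between the `printf` call and the `fprintf(_aflog, …)` call, and src/shared/read-alert.c in this same commit parses that exact layout back by prefix (`Src Port: `, `Dst IP: `, `Dst Port: `), so two copies and a parser now have to be kept in step by hand. Hoisting it once at file scope, e.g. `static const char alert_fmt[] = "** Alert %d.%ld:%s - %s\n" …;` and passing `alert_fmt` to both calls, removes one way for the on-screen and on-disk alerts to drift apart. A why-comment on it, `/* Layout is parsed by shared/read-alert.c; keep the Src Port/Dst IP/Dst Port lines in this order */`, would tell the next editor what depends on it. Note that an absent port is written as `(none)`, which the reader's `atoi` turns into 0. The enclosing function starts before and ends after this hunk.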
 

File src/headers/read-alert.h

     char *comment;
     char *group;
     char *srcip;
+    int srcport;
+    char *dstip;
+    int dstport;
     char *user;
     char **log;
 }alert_data;
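Review bot: `dstip` is a heap string (read-alert.c fills it with `os_strdup`), but nothing in this commit frees it; unless the routine that releases an `alert_data` was updated outside this diff, every alert carrying a `Dst IP:` line leaks one allocation per insert in os_dbd. The two new port fields also say nothing about what a missing value looks like: the logger writes `(none)` and the reader uses `atoi`, so 0 stands for both "absent" and port 0, and `int srcport; /* 0 when the alert had no "Src Port:" line */` (same for `dstport`) would record that. If these are meant to be 16-bit ports, the range check belongs where the value is parsed rather than in the later `unsigned short` narrowing that os_dbd/alert.c performs. The struct's opening is outside this hunk.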

File src/os_dbd/alert.c

 {
     int i;
     unsigned int s_ip = 0, d_ip = 0, location_id = 0;
+    unsigned short s_port = 0, d_port = 0;
     int *loc_id;
     char sql_query[OS_SIZE_8192 +1];
     char *fulllog = NULL;
             s_ip = net.s_addr;
         }
     }
-    d_ip = 0;
+
+    /* Converting dstip to int */
+    if(al_data->dstip)
+    {
+        struct in_addr net;
+
+        /* Extracting ip address */
+        if(inet_aton(al_data->dstip, &net))
+        {
+            d_ip = net.s_addr;
+        }
+    }
+
+    /* Source Port */
+    s_port = al_data->srcport;
+
+    /* Destination Port */
+    d_port = al_data->dstport;
 
 
     /* Escaping strings */
     /* Generating final SQL */
     snprintf(sql_query, OS_SIZE_8192,
             "INSERT INTO "
-            "alert(id,server_id,rule_id,timestamp,location_id,src_ip) "
-            "VALUES ('%u', '%u', '%u','%u', '%u', '%lu')",
+            "alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port) "
+            "VALUES ('%u', '%u', '%u','%u', '%u', '%lu', '%u', '%lu', '%u')",
             db_config->alert_id, db_config->server_id, al_data->rule,
-            (unsigned int)time(0), *loc_id, (unsigned long)ntohl(s_ip));
+            (unsigned int)time(0), *loc_id,
+            (unsigned long)ntohl(s_ip), (unsigned short)s_port,
+            (unsigned long)ntohl(d_ip), (unsigned short)d_port);
 
 
     /* Inserting into the db */
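Review bot: `s_port = al_data->srcport;` and `d_port = al_data->dstport;` narrow an `int` (produced by `atoi` in read-alert.c) into `unsigned short` with no range check, so a malformed or out-of-range `Src Port:`/`Dst Port:` line lands in the database as a silently wrapped value; guard it with `s_port = (al_data->srcport >= 0 && al_data->srcport <= 65535) ? al_data->srcport : 0;` and the same for `d_port`. The values are then printed with `%u` after a cast to `unsigned short`, which the varargs call promotes to `int`; `%hu` is the matching conversion. Separately, the INSERT now names `src_port`, `dst_ip` and `dst_port` columns but none of the four files in this commit is a schema file, so an existing `alert` table will reject every insert until the column additions ship with this change. The function's start is outside this hunk.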

File src/shared/read-alert.c

 #define RULE_BEGIN_SZ   6
 #define SRCIP_BEGIN     "Src IP: "
 #define SRCIP_BEGIN_SZ  8
+#define SRCPORT_BEGIN     "Src Port: "
+#define SRCPORT_BEGIN_SZ  10
+#define DSTIP_BEGIN     "Dst IP: "
+#define DSTIP_BEGIN_SZ  8
+#define DSTPORT_BEGIN     "Dst Port: "
+#define DSTPORT_BEGIN_SZ  10
 #define USER_BEGIN      "User: "
 #define USER_BEGIN_SZ   6
 #define ALERT_MAIL      "mail"
     char *comment = NULL;
     char *location = NULL;
     char *srcip = NULL;
+    char *dstip = NULL;
     char *user = NULL;
     char *group = NULL;
     char **log = NULL;
-    int level, rule;
+    int level, rule, srcport, dstport;
     
     char str[OS_BUFFER_SIZE+1];
     str[OS_BUFFER_SIZE]='\0';
     {
         
         /* Enf of alert */
-        if(strcmp(str, "\n") == 0)
+        if(strcmp(str, "\n") == 0 && log_size > 0)
         {
             /* Found in here */
             if(_r == 2)
                 al_data->group = group;
                 al_data->log = log;
                 al_data->srcip = srcip;
+                al_data->srcport = srcport;
+                al_data->dstip = dstip;
+                al_data->dstport = dstport;
                 al_data->user = user;
                 al_data->date = date;
                
                 p = str + SRCIP_BEGIN_SZ;
                 os_strdup(p, srcip);
             }
+            /* srcport */
+            else if(strncmp(SRCPORT_BEGIN, str, SRCPORT_BEGIN_SZ) == 0)
+            {
+                os_clearnl(str,p);
+                
+                p = str + SRCPORT_BEGIN_SZ;
+                srcport = atoi(p);
+            }
+            /* dstip */
+            else if(strncmp(DSTIP_BEGIN, str, DSTIP_BEGIN_SZ) == 0)
+            {
+                os_clearnl(str,p);
+                
+                p = str + DSTIP_BEGIN_SZ;
+                os_strdup(p, dstip);
+            }
+            /* dstport */
+            else if(strncmp(DSTPORT_BEGIN, str, DSTPORT_BEGIN_SZ) == 0)
+            {
+                os_clearnl(str,p);
+                
+                p = str + DSTPORT_BEGIN_SZ;
+                dstport = atoi(p);
+            }
             /* username */
             else if(strncmp(USER_BEGIN, str, USER_BEGIN_SZ) == 0)
             {
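Review bot: `srcport` and `dstport` are declared without initializers on the `int level, rule, srcport, dstport;` line and are assigned only when a `Src Port:`/`Dst Port:` line is matched, yet both are copied into `al_data` in the end-of-alert branch regardless; an alert written before this change, or any alert lacking those lines, hands the caller indeterminate values, and reading an uninitialized automatic is undefined behavior. Initialize them at declaration, `int level, rule, srcport = 0, dstport = 0;`, unless they are reset somewhere in the loop outside this hunk. `atoi` also accepts the `(none)` placeholder the logger writes, and any trailing junk, without complaint; `strtol` with an `endptr` and range check would let a malformed line be rejected instead of stored as port 0. The surrounding function starts before and continues after this hunk.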