Support multiline alert log in integrator messages #3

wants to merge 7 commits into
base: master
8 changes: 6 additions & 2 deletions integrations/slack
Expand Up @@ -36,9 +36,13 @@ fi
postfile=`mktemp`


echo 'payload={"username":"OSSEC2slack Integration from '$alertlocation'", "icon_emoji": ":ghost:", "text": "OSSEC Alert\n```'$alertdate $alertlocation'\nRule:'$ruleid' (level '$alertlevel'): '$ruledescription'\nIP:'$srcip'\n'$alertlog'\n```"}' > $postfile
echo -n 'payload={"username":"OSSEC2slack Integration from ' > $postfile
echo -n "$alertlocation" >> $postfile
echo -n '", "icon_emoji": ":ghost:", "text": "OSSEC Alert\n```' >> $postfile
echo -n "$alertdate $alertlocation\nRule:$ruleid (level $alertlevel): $ruledescription\nIP:$srcip\n$alertlog\n" >> $postfile
echo -n '```"}' >> $postfile

res=`curl -s --data @$postfile "$WEBHOOK"`
res=`curl -s --data-binary @$postfile "$WEBHOOK"`
echo $res | grep "ok" >/dev/null 2>&1
if [ $? = 0 ]; then
echo "`date` $0 Slack integration ran successfully" >> ${PWD}/logs/integrations.log
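Review bot: The `echo -n "$alertdate $alertlocation\nRule:..."` line on the new side embeds `$alertlog` directly inside a JSON string, and with this PR that variable carries real newline characters between log lines (integrator.c now writes it as a multi-line single-quoted value); JSON does not permit raw control characters in strings, so Slack may reject the payload even though `--data-binary` now preserves those newlines on the wire. Escape them before building the payload, e.g. under bash `alertlog="${alertlog//$'\n'/\\n}"` just before the first `echo -n`; if this script runs under a plain POSIX sh, a printf/sed equivalent is needed instead. Separately, the literal `\n` sequences in the quoted strings rely on `echo` not interpreting backslash escapes (bash default); under dash they become real newlines with the same JSON problem, so a `printf '%s'` based construction would be more portable. The surrounding script logic, including the `fi` that precedes this hunk, is outside the hunk.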
8 changes: 4 additions & 4 deletions src/analysisd/alerts/log.c
Expand Up @@ -64,7 +64,7 @@ void OS_LogOutput(Eventinfo *lf)
printf(
"** Alert %d.%ld:%s - %s\n"
"%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
"%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",
"%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%s\n",
lf->time,
__crt_ftell,
lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
Expand Down Expand Up @@ -110,7 +110,7 @@ void OS_LogOutput(Eventinfo *lf)
char **lasts = lf->generated_rule->last_events;
while(*lasts)
{
printf("%.1256s\n",*lasts);
printf("%s\n",*lasts);
lasts++;
}
lf->generated_rule->last_events[0] = NULL;
Expand All @@ -132,7 +132,7 @@ void OS_Log(Eventinfo *lf)
fprintf(_aflog,
"** Alert %d.%ld:%s - %s\n"
"%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
"%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",
"%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%s\n",
lf->time,
__crt_ftell,
lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
Expand Down Expand Up @@ -178,7 +178,7 @@ void OS_Log(Eventinfo *lf)
char **lasts = lf->generated_rule->last_events;
while(*lasts)
{
fprintf(_aflog,"%.1256s\n",*lasts);
fprintf(_aflog,"%s\n",*lasts);
lasts++;
}
lf->generated_rule->last_events[0] = NULL;
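Review bot: Replacing `%.1256s` with `%s` in all four printf/fprintf calls (assuming the `%s` lines are the new side, consistent with the PR title) removes the only length bound on log lines written to the alert log, so a single oversized event now produces an unbounded line in alerts.log. The reader in src/shared/read-alert.c pulls those lines back with `fgets(str, OS_BUFFER_SIZE, fp)` (visible in the fourth section), so a line longer than OS_BUFFER_SIZE would appear to come back as several separate log lines; whether that matters depends on how the rest of GetAlertData treats them, which is outside the hunk. If the cap is intentionally gone, a comment at the first format string, `/* log lines are written unbounded; readers must cope with lines longer than OS_BUFFER_SIZE */`, would record the decision; otherwise keeping a bound via `%.*s` with a width derived from OS_BUFFER_SIZE is the safer form. OS_LogOutput and OS_Log both start and end outside the hunks.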
118 changes: 72 additions & 46 deletions src/os_integrator/integrator.c
Expand Up @@ -28,6 +28,7 @@ void OS_IntegratorD(IntegratorConfig **integrator_config)
char exec_tmp_file[2048 + 1];
char exec_full_cmd[4096 + 1];
FILE *fp;
int log_i;

file_queue *fileq;
alert_data *al_data;
Expand Down Expand Up @@ -224,58 +225,69 @@ void OS_IntegratorD(IntegratorConfig **integrator_config)
}
else
{
int log_count = 0;
char *tmpstr = al_data->log[0];
while(*tmpstr != '\0')
/* sanitize all output before sending to
integration. especially important because
some integrations send to shell scripts and
variable definition will not be correct */
log_i = 0;
while(al_data->log[log_i])
{
if(*tmpstr == '\'')
{
*tmpstr = ' ';
}
else if(*tmpstr == '\\')
{
*tmpstr = '/';
}
else if(*tmpstr == '`')
{
*tmpstr = ' ';
}
else if(*tmpstr == '"')
{
*tmpstr = ' ';
}
else if(*tmpstr == ';')
{
*tmpstr = ',';
}
else if(*tmpstr == '!')
{
*tmpstr = ' ';
}
else if(*tmpstr == '$')
int logline_length = 0;
char *tmpstr = al_data->log[log_i];
while(*tmpstr != '\0')
{
*tmpstr = ' ';
}
if(*tmpstr == '\'')
{
*tmpstr = ' ';
}
else if(*tmpstr == '\\')
{
*tmpstr = '/';
}
else if(*tmpstr == '`')
{
*tmpstr = ' ';
}
else if(*tmpstr == '"')
{
*tmpstr = ' ';
}
else if(*tmpstr == ';')
{
*tmpstr = ',';
}
else if(*tmpstr == '!')
{
*tmpstr = ' ';
}
else if(*tmpstr == '$')
{
*tmpstr = ' ';
}
else if(*tmpstr < 32 || *tmpstr > 122)
{
*tmpstr = ' ';
}

else if(*tmpstr < 32 || *tmpstr > 122)
{
*tmpstr = ' ';
}
log_count++;
tmpstr++;
logline_length++;
tmpstr++;

if(log_count >= 465)
{
*tmpstr = '\0';
*(tmpstr -1) = '.';
*(tmpstr -2) = '.';
*(tmpstr -3) = '.';
break;
if(logline_length >= 465)
{
*tmpstr='\0';
*(tmpstr -1)='.';
*(tmpstr -2)='.';
*(tmpstr -3)='.';
break;
}
}
}

log_i++;
}

if(al_data->srcip != NULL)
{
tmpstr = al_data->srcip;
char *tmpstr = al_data->srcip;
while(*tmpstr != '\0')
{
if(*tmpstr == '\'')
Expand All @@ -301,7 +313,21 @@ void OS_IntegratorD(IntegratorConfig **integrator_config)
tmpstr++;
}
}
fprintf(fp, "alertdate='%s'\nalertlocation='%s'\nruleid='%d'\nalertlevel='%d'\nruledescription='%s'\nalertlog='%s'\nsrcip='%s'", al_data->date, al_data->location, al_data->rule, al_data->level, al_data->comment, al_data->log[0], al_data->srcip == NULL?"":al_data->srcip);

fprintf(fp, "alertdate='%s'\n", al_data->date);
fprintf(fp, "alertlocation='%s'\n", al_data->location);
fprintf(fp, "ruleid='%d'\n", al_data->rule);
fprintf(fp, "alertlevel='%d'\n", al_data->level);
fprintf(fp, "ruledescription='%s'\n", al_data->comment);
fprintf(fp, "alertlog='%s", al_data->log[0]);
log_i = 1;
while(al_data->log[log_i])
{
fprintf(fp, "\n%s", al_data->log[log_i]);
log_i++;
}
fprintf(fp, "'\n");
fprintf(fp, "srcip='%s'\n", al_data->srcip == NULL ? "" : al_data->srcip);
temp_file_created = 1;
fclose(fp);
}
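Review bot: The truncation branch at the end of the per-line loop in the second hunk repeats the bare `465` from the old code and overwrites three bytes behind `tmpstr` without saying why that is in bounds; since the check now runs once per line, give the limit a name and a comment, e.g. `enum { INTEGRATOR_LOGLINE_MAX = 465 };` (suggested name) at file scope and `/* tmpstr was just advanced past a non-NUL byte, so writing the terminator there and the three dots behind it stays inside the string */` above the block. In the third hunk the temp file's contents are consumed by an external integration, but the return values of the new `fprintf` calls and of `fclose(fp)` are ignored, so a short write would hand the script a truncated `alertlog='` value; checking `if (fclose(fp) != 0)` before setting `temp_file_created = 1` would catch that. `log_i` is only used inside this `else` branch, so it could be declared there rather than at function scope (first hunk). OS_IntegratorD starts and ends outside the hunks.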
14 changes: 11 additions & 3 deletions src/shared/read-alert.c
Expand Up @@ -125,7 +125,7 @@ alert_data *GetAlertData(int flag, FILE *fp)
while(fgets(str, OS_BUFFER_SIZE, fp) != NULL)
{

/* Enf of alert */
/* End of alert */
if(strcmp(str, "\n") == 0 && log_size > 0)
{
/* Found in here */
Expand Down Expand Up @@ -169,7 +169,7 @@ alert_data *GetAlertData(int flag, FILE *fp)
}

z = strlen(p) - strlen(m);
os_realloc(alertid, (z + 1)*sizeof(char *), alertid);
os_realloc(alertid, (z + 1)*sizeof(char), alertid);
strncpy(alertid, p, z);
alertid[z] = '\0';

Expand Down Expand Up @@ -345,7 +345,7 @@ alert_data *GetAlertData(int flag, FILE *fp)
os_strdup(p, user);
}
/* It is a log message */
else if(log_size < 20)
else if(log_size < 40)
{
os_clearnl(str,p);

Expand All @@ -368,6 +368,14 @@ alert_data *GetAlertData(int flag, FILE *fp)
log_size++;
log[log_size] = NULL;
}
/* It is a very long log message */
else if(log_size == 40)
{
os_realloc(log, (log_size +2)*sizeof(char *), log);
os_strdup("--More--", log[log_size]);
log_size++;
log[log_size] = NULL;
}
}

continue;
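Review bot: The new `else if(log_size == 40)` branch depends on the literal `40` in the `log_size < 40` test in the previous hunk and on the fact that after appending `--More--` `log_size` becomes 41, so neither branch matches and any further lines of the alert are silently discarded; that is presumably intended but nothing in the code says so. Name the limit once, e.g. `enum { ALERT_LOG_MAX_LINES = 40 };` (suggested name) used in both tests, and add above the new branch `/* after the marker log_size is 41, so the remaining lines of this alert are dropped */`. GetAlertData starts and ends outside the hunks.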