| 81 |
81 |
@events
|
| 82 |
82 |
$evstoresize
|
| 83 |
83 |
$fromstart
|
|
84 |
$idmef_analyzer
|
| 84 |
85 |
@inputfilepat
|
| 85 |
86 |
@inputfiles
|
| 86 |
87 |
%inputsrc
|
| ... | ... | |
| 98 |
99 |
@pending_events
|
| 99 |
100 |
$pidfile
|
| 100 |
101 |
$poll_timeout
|
|
102 |
$preludeavail
|
|
103 |
$prelude_options
|
|
104 |
$prelude_client
|
| 101 |
105 |
$processedlines
|
| 102 |
106 |
$quoting
|
| 103 |
107 |
@readbuffer
|
| ... | ... | |
| 123 |
127 |
use IO::Handle;
|
| 124 |
128 |
|
| 125 |
129 |
$syslogavail = eval { require Sys::Syslog };
|
|
130 |
$preludeavail = eval { require Prelude };
|
| 126 |
131 |
|
| 127 |
132 |
$SEC_VERSION = "2.3.2";
|
| 128 |
133 |
|
| 129 |
134 |
|
| 130 |
135 |
# read options given in commandline
|
| 131 |
|
|
| 132 |
136 |
GetOptions( "conf=s" => \@conffilepat,
|
| 133 |
137 |
"input=s" => \@inputfilepat,
|
| 134 |
138 |
"input_timeout=i" => \$input_timeout,
|
| ... | ... | |
| 139 |
143 |
"blocksize=i" => \$blocksize,
|
| 140 |
144 |
"log=s" => \$logfile,
|
| 141 |
145 |
"syslog=s" => \$syslogf,
|
|
146 |
"prelude=s" => \$prelude_options,
|
| 142 |
147 |
"debug=i", \$debuglevel,
|
| 143 |
148 |
"pid=s" => \$pidfile,
|
| 144 |
149 |
"dump=s" => \$dumpfile,
|
| ... | ... | |
| 174 |
179 |
-blocksize=<io block size>
|
| 175 |
180 |
-log=<logfile>
|
| 176 |
181 |
-syslog=<facility>
|
|
182 |
-prelude=<prelude options>
|
| 177 |
183 |
-debug=<debuglevel>
|
| 178 |
184 |
-pid=<pidfile>
|
| 179 |
185 |
-dump=<dumpfile>
|
| ... | ... | |
| 351 |
357 |
use constant ASSIGN => 19;
|
| 352 |
358 |
use constant EVAL => 20;
|
| 353 |
359 |
use constant CALL => 21;
|
|
360 |
use constant PRELUDE => 22;
|
| 354 |
361 |
|
| 355 |
362 |
use constant OPERAND => 0;
|
| 356 |
363 |
use constant NEGATION => 1;
|
| ... | ... | |
| 483 |
490 |
|
| 484 |
491 |
|
| 485 |
492 |
|
|
493 |
# Action: open connection to prelude
|
|
494 |
|
|
495 |
sub open_prelude {
|
|
496 |
my($idmef_analyzer_model, $idmef_analyzer_class, $idmef_analyzer_version);
|
|
497 |
|
|
498 |
if (!$preludeavail) {
|
|
499 |
if (-t STDERR || -f STDERR) {
|
|
500 |
print STDERR "Can't load Prelude, exiting!\n";
|
|
501 |
}
|
|
502 |
|
|
503 |
child_cleanup();
|
|
504 |
exit(1);
|
|
505 |
|
|
506 |
}
|
|
507 |
|
|
508 |
my @prelude_argv = ($0, "--prelude");
|
|
509 |
push @prelude_argv, split(/\s+/, $prelude_options);
|
|
510 |
if (Prelude::prelude_init(scalar(@prelude_argv), \@prelude_argv) != 0) {
|
|
511 |
if (-t STDERR || -f STDERR) {
|
|
512 |
print STDERR "Can't initialize prelude, exiting!\n";
|
|
513 |
}
|
|
514 |
|
|
515 |
child_cleanup();
|
|
516 |
exit(1);
|
|
517 |
|
|
518 |
}
|
|
519 |
|
|
520 |
if (Prelude::prelude_client_new(\$prelude_client, "sec") != 0) {
|
|
521 |
if (-t STDERR || -f STDERR) {
|
|
522 |
print STDERR "Can't create prelude client, exiting!\n";
|
|
523 |
}
|
|
524 |
|
|
525 |
child_cleanup();
|
|
526 |
exit(1);
|
|
527 |
|
|
528 |
}
|
|
529 |
|
|
530 |
$idmef_analyzer = Prelude::prelude_client_get_analyzer($prelude_client);
|
|
531 |
Prelude::idmef_analyzer_set_model($idmef_analyzer, "SEC");
|
|
532 |
Prelude::idmef_analyzer_set_class($idmef_analyzer, "Correlator");
|
|
533 |
Prelude::idmef_analyzer_set_version($idmef_analyzer, $SEC_VERSION);
|
|
534 |
|
|
535 |
if (Prelude::prelude_client_start($prelude_client) != 0) {
|
|
536 |
if (-t STDERR || -f STDERR) {
|
|
537 |
print STDERR "Can't start prelude client, exiting!\n";
|
|
538 |
}
|
|
539 |
|
|
540 |
child_cleanup();
|
|
541 |
exit(1);
|
|
542 |
|
|
543 |
}
|
|
544 |
|
|
545 |
my $flag = $Prelude::PRELUDE_CLIENT_FLAGS_ASYNC_TIMER;
|
|
546 |
if (Prelude::prelude_client_set_flags($prelude_client, $Prelude::PRELUDE_CLIENT_FLAGS_ASYNC_TIMER) != 0) {
|
|
547 |
if (-t STDERR || -f STDERR) {
|
|
548 |
print STDERR "Can't set timer flag for prelude client, exiting!\n";
|
|
549 |
}
|
|
550 |
|
|
551 |
child_cleanup();
|
|
552 |
exit(1);
|
|
553 |
|
|
554 |
}
|
|
555 |
|
|
556 |
}
|
|
557 |
|
|
558 |
|
|
559 |
|
| 486 |
560 |
# Parameters: par1 - severity of the log message
|
| 487 |
561 |
# par2, par3, ... - strings to be logged
|
| 488 |
562 |
# Action: strings par2, par3, ... will be equipped with timestamp and
|
| ... | ... | |
| 1019 |
1093 |
|
| 1020 |
1094 |
}
|
| 1021 |
1095 |
|
|
1096 |
elsif ($action =~ /^prelude$/i) { return PRELUDE; }
|
|
1097 |
|
| 1022 |
1098 |
elsif ($action =~ /^create\b\s*(\S*)\s*(\S*)\s*(.*)/i) {
|
| 1023 |
1099 |
|
| 1024 |
1100 |
$context = $1;
|
| ... | ... | |
| 3616 |
3692 |
|
| 3617 |
3693 |
}
|
| 3618 |
3694 |
|
|
3695 |
elsif ($src_ref->[$i] == PRELUDE) {
|
|
3696 |
|
|
3697 |
push @{$dest_ref}, PRELUDE;
|
|
3698 |
++$i;
|
|
3699 |
|
|
3700 |
}
|
|
3701 |
|
| 3619 |
3702 |
elsif ($src_ref->[$i] == CREATECONTEXT) {
|
| 3620 |
3703 |
|
| 3621 |
3704 |
push @{$dest_ref}, CREATECONTEXT;
|
| ... | ... | |
| 3850 |
3933 |
my($event, @event, $alias, @aliases, @params);
|
| 3851 |
3934 |
my($variable, $value, $code, @retval, $evalok);
|
| 3852 |
3935 |
my($key, $ref);
|
|
3936 |
my($idmef_time, $idmef_message, $idmef_alert);
|
|
3937 |
my($idmef_path, $idmef_value);
|
| 3853 |
3938 |
|
| 3854 |
3939 |
|
| 3855 |
3940 |
$i = 0;
|
| ... | ... | |
| 4024 |
4109 |
|
| 4025 |
4110 |
}
|
| 4026 |
4111 |
|
|
4112 |
elsif ($actionlist->[$i] == PRELUDE) {
|
|
4113 |
|
|
4114 |
if (Prelude::idmef_message_new(\$idmef_message) == 0) {
|
|
4115 |
|
|
4116 |
Prelude::idmef_time_new_from_gettimeofday(\$idmef_time);
|
|
4117 |
Prelude::idmef_message_new_alert($idmef_message, \$idmef_alert);
|
|
4118 |
Prelude::idmef_alert_set_analyzer($idmef_alert, $idmef_analyzer, -1);
|
|
4119 |
Prelude::idmef_alert_set_create_time($idmef_alert, $idmef_time);
|
|
4120 |
|
|
4121 |
# split into fields
|
|
4122 |
my @fields = split(/[^\\];/, $text);
|
|
4123 |
|
|
4124 |
foreach my $field (@fields) {
|
|
4125 |
|
|
4126 |
$field =~ s/\\;/;/;
|
|
4127 |
my ($object, $value) = split(/=/, $field);
|
|
4128 |
$object =~ s/^\s*//;
|
|
4129 |
$object =~ s/\s*$//;
|
|
4130 |
$value =~ s/^\s*//;
|
|
4131 |
$value =~ s/\s*$//;
|
|
4132 |
|
|
4133 |
if (Prelude::idmef_path_new(\$idmef_path, $object) == 0) {
|
|
4134 |
|
|
4135 |
if (Prelude::idmef_value_new_from_path(\$idmef_value, $idmef_path, $value) == 0) {
|
|
4136 |
|
|
4137 |
if (Prelude::idmef_path_set($idmef_path, $idmef_message, $idmef_value) == 0) {
|
|
4138 |
|
|
4139 |
Prelude::idmef_path_destroy($idmef_path);
|
|
4140 |
|
|
4141 |
} else {
|
|
4142 |
|
|
4143 |
if ($debuglevel >= LOG_WARN) {
|
|
4144 |
log_msg(LOG_WARN,
|
|
4145 |
"Can't set idmef_value for path $object!");
|
|
4146 |
}
|
|
4147 |
|
|
4148 |
}
|
|
4149 |
|
|
4150 |
} else {
|
|
4151 |
|
|
4152 |
if ($debuglevel >= LOG_WARN) {
|
|
4153 |
log_msg(LOG_WARN,
|
|
4154 |
"Can't create new idmef_value for path $object!");
|
|
4155 |
}
|
|
4156 |
|
|
4157 |
}
|
|
4158 |
|
|
4159 |
} else {
|
|
4160 |
|
|
4161 |
if ($debuglevel >= LOG_WARN) {
|
|
4162 |
log_msg(LOG_WARN,
|
|
4163 |
"Can't create new idmef_path $object!");
|
|
4164 |
}
|
|
4165 |
|
|
4166 |
}
|
|
4167 |
|
|
4168 |
}
|
|
4169 |
|
|
4170 |
Prelude::prelude_client_send_idmef($prelude_client, $idmef_message);
|
|
4171 |
Prelude::idmef_message_destroy($idmef_message);
|
|
4172 |
|
|
4173 |
} else {
|
|
4174 |
|
|
4175 |
if ($debuglevel >= LOG_WARN) {
|
|
4176 |
log_msg(LOG_WARN,
|
|
4177 |
"Can't create new idmef_message!");
|
|
4178 |
}
|
|
4179 |
|
|
4180 |
}
|
|
4181 |
|
|
4182 |
++$i;
|
|
4183 |
|
|
4184 |
}
|
|
4185 |
|
| 4027 |
4186 |
elsif ($actionlist->[$i] == CREATECONTEXT) {
|
| 4028 |
4187 |
|
| 4029 |
4188 |
$context = $actionlist->[$i+1];
|
| ... | ... | |
| 5169 |
5328 |
|
| 5170 |
5329 |
}
|
| 5171 |
5330 |
|
|
5331 |
elsif ($actionlist->[$i] == PRELUDE) {
|
|
5332 |
|
|
5333 |
++$i;
|
|
5334 |
|
|
5335 |
}
|
|
5336 |
|
| 5172 |
5337 |
elsif ($actionlist->[$i] == CREATECONTEXT) {
|
| 5173 |
5338 |
|
| 5174 |
5339 |
subst_string(\@subst_modified, $actionlist->[$i+1], $token);
|
| ... | ... | |
| 6661 |
6826 |
|
| 6662 |
6827 |
}
|
| 6663 |
6828 |
|
|
6829 |
elsif ($actionlist->[$i] == PRELUDE) {
|
|
6830 |
|
|
6831 |
$result .= "prelude";
|
|
6832 |
++$i;
|
|
6833 |
|
|
6834 |
}
|
|
6835 |
|
| 6664 |
6836 |
elsif ($actionlist->[$i] == CREATECONTEXT) {
|
| 6665 |
6837 |
|
| 6666 |
6838 |
$result .= "create " . $actionlist->[$i+1] . " " . $actionlist->[$i+2];
|
| ... | ... | |
| 7827 |
7999 |
|
| 7828 |
8000 |
}
|
| 7829 |
8001 |
|
|
8002 |
# reopen prelude connection
|
|
8003 |
if (defined($prelude_options)) {
|
|
8004 |
|
|
8005 |
Prelude::prelude_client_destroy($prelude_client, $Prelude::PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
|
|
8006 |
open_prelude();
|
|
8007 |
|
|
8008 |
}
|
|
8009 |
|
| 7830 |
8010 |
# set flags back to zero
|
| 7831 |
8011 |
|
| 7832 |
8012 |
$refresh = 0;
|
| ... | ... | |
| 7874 |
8054 |
|
| 7875 |
8055 |
}
|
| 7876 |
8056 |
|
|
8057 |
if (defined($prelude_options)) {
|
|
8058 |
|
|
8059 |
Prelude::prelude_client_destroy($prelude_client, $Prelude::PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
|
|
8060 |
open_prelude();
|
|
8061 |
|
|
8062 |
}
|
|
8063 |
|
| 7877 |
8064 |
$openlog = 0;
|
| 7878 |
8065 |
|
| 7879 |
8066 |
}
|
| ... | ... | |
| 8841 |
9028 |
|
| 8842 |
9029 |
### Open logfile
|
| 8843 |
9030 |
|
| 8844 |
|
if (defined($logfile)) { open_logfile($logfile); }
|
| 8845 |
|
if (defined($syslogf)) { open_syslog($syslogf); }
|
|
9031 |
if (defined($logfile)) { open_logfile($logfile); }
|
|
9032 |
if (defined($syslogf)) { open_syslog($syslogf); }
|
|
9033 |
if (defined($prelude_options)) { open_prelude(); }
|
| 8846 |
9034 |
|
| 8847 |
9035 |
log_msg(LOG_NOTICE, "Simple Event Correlator version $SEC_VERSION");
|
| 8848 |
9036 |
|
