From 0a87653d5807714631e4ea05ad1f0f6cc55d0a7d Mon Sep 17 00:00:00 2001
From: James MacMahon
Date: Fri, 19 Feb 2016 12:36:26 -0500
Subject: [PATCH 1/7] Support multiline alert log messages to integrations
`sh` supports multiline variables like so: variable='test data multiline' Fill the alertlog integrator variable using every line of alert log. not just the first one.
---
 src/os_integrator/integrator.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/os_integrator/integrator.c b/src/os_integrator/integrator.c
index d08f2ba..d126c4a 100644
--- a/src/os_integrator/integrator.c
+++ b/src/os_integrator/integrator.c
@@ -301,7 +301,20 @@ void OS_IntegratorD(IntegratorConfig **integrator_config)
 tmpstr++;
 }
 }
- fprintf(fp, "alertdate='%s'\nalertlocation='%s'\nruleid='%d'\nalertlevel='%d'\nruledescription='%s'\nalertlog='%s'\nsrcip='%s'", al_data->date, al_data->location, al_data->rule, al_data->level, al_data->comment, al_data->log[0], al_data->srcip == NULL?"":al_data->srcip);
+ fprintf(fp, "alertdate='%s'\n", al_data->date);
+ fprintf(fp, "alertlocation='%s'\n", al_data->location);
+ fprintf(fp, "ruleid='%d'\n", al_data->rule);
+ fprintf(fp, "alertlevel='%d'\n", al_data->level);
+ fprintf(fp, "ruledescription='%s'\n", al_data->comment);
+ fprintf(fp, "alertlog='%s", al_data->log[0]);
+ int log_i = 1;
+ while(al_data->log[log_i])
+ {
+ fprintf(fp, "\n%s", al_data->log[log_i]);
+ log_i++;
+ }
+ fprintf(fp, "'\n");
+ fprintf(fp, "srcip='%s'\n", al_data->srcip == NULL ? "" : al_data->srcip);
 temp_file_created = 1;
 fclose(fp);
 }
From d41d16c57a8989733060dc9e0aed9fdd6ff6e17e Mon Sep 17 00:00:00 2001 
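Review bot: The new `while(al_data->log[log_i])` loop writes `log[1]` onward into the single-quoted `alertlog='…'` assignment, but the sanitizing pass that ends in this hunk's leading context (`tmpstr++; } }`) covers only `al_data->log[0]` in this revision, so a `'` in any later line closes the quote early and the temp file stops being a valid `sh` assignment. Patch 2/7 of this series extends the sanitizer to every line; on its own this commit should not be merged, and the loop would read better with a comment such as `/* each log line is embedded in a single-quoted sh assignment; every line must have had ' stripped first */`. The integration scripts expand these values as shell variables (2/7's slack script uses `$alertlocation` and `$ruledescription` directly), yet this hunk writes `al_data->location` and `al_data->comment` with `%s` and no sanitizer for them is visible here; if none exists outside the hunk, a `'` in either breaks the file the same way. OS_IntegratorD begins well before this hunk.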
From: James MacMahon
Date: Mon, 22 Feb 2016 10:18:18 -0500
Subject: [PATCH 2/7] Sanitize all log output for integration and fix Slack POST.
Existing integrations use a shell script to POST data and a previous commit changed the `alertlog` variable so it contains the full multiline alert log. This requires each line to be sanitized, otherwise the shell variable definition will be incorrect. Iterate over log output and sanitize each line. In the Slack integration, `curl` has been changed to use `--data-binary` so it will _not_ strip out newlines and carriage returns when POSTing data.
---
 integrations/slack | 8 ++-
 src/os_integrator/integrator.c | 105 ++++++++++++++++++---------------
 2 files changed, 65 insertions(+), 48 deletions(-)
diff --git a/integrations/slack b/integrations/slack
index f2bd1c9..5560d5c 100755
--- a/integrations/slack
+++ b/integrations/slack
@@ -36,9 +36,13 @@ fi
 postfile=`mktemp`
-echo 'payload={"username":"OSSEC2slack Integration from '$alertlocation'", "icon_emoji": ":ghost:", "text": "OSSEC Alert\n```'$alertdate $alertlocation'\nRule:'$ruleid' (level '$alertlevel'): '$ruledescription'\nIP:'$srcip'\n'$alertlog'\n```"}' > $postfile
+echo -n 'payload={"username":"OSSEC2slack Integration from ' > $postfile
+echo -n "$alertlocation" >> $postfile
+echo -n '", "icon_emoji": ":ghost:", "text": "OSSEC Alert\n```' >> $postfile
+echo -n "$alertdate $alertlocation\nRule:$ruleid (level $alertlevel): $ruledescription\nIP:$srcip\n$alertlog\n" >> $postfile
+echo -n '```"}' >> $postfile
-res=`curl -s --data @$postfile "$WEBHOOK"`
+res=`curl -s --data-binary @$postfile "$WEBHOOK"`
 echo $res | grep "ok" >/dev/null 2>&1
 if [ $? = 0 ]; then
 echo "`date` $0 Slack integration ran successfully" >> ${PWD}/logs/integrations.log
diff --git a/src/os_integrator/integrator.c b/src/os_integrator/integrator.c
index d126c4a..7117a4d 100644
--- a/src/os_integrator/integrator.c
+++ b/src/os_integrator/integrator.c
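Review bot: `$alertlog` now carries raw newline bytes (the integrator writes one between lines), and with `--data-binary` they are posted verbatim inside the JSON `"text"` string, where an unescaped control character is not valid JSON, so delivery now depends on the receiving parser being lenient; the same applies to any `\n` sequence that a given `sh` `echo` expands into a real newline. Converting embedded newlines to the two-character escape before assembling the payload, e.g. `alertlog=$(printf '%s' "$alertlog" | awk 'BEGIN{ORS="\\n"} {print}')`, keeps the body well-formed regardless of transport. `echo -n` and backslash handling differ between `sh` implementations (dash's `echo` interprets `\n`, bash's builtin does not by default), so `printf '%s'` / `printf '%b'` is the portable way to write these fragments. Quoting `"$alertlocation"` is an improvement over the old unquoted splice, but a `"` inside it or inside `$ruledescription` still terminates the JSON string; the C sanitizer in this commit rewrites only the log lines and `srcip`, and whether location and comment are sanitized elsewhere is not visible here.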
@@ -28,6 +28,7 @@ void OS_IntegratorD(IntegratorConfig **integrator_config)
 char exec_tmp_file[2048 + 1];
 char exec_full_cmd[4096 + 1];
 FILE *fp;
+ int log_i;
 file_queue *fileq;
 alert_data *al_data;
@@ -224,58 +225,69 @@ void OS_IntegratorD(IntegratorConfig **integrator_config)
 }
 else
 {
- int log_count = 0;
- char *tmpstr = al_data->log[0];
- while(*tmpstr != '\0')
+ /* sanitize all output before sending to
+ integration. especially important because
+ some integrations send to shell scripts and
+ variable definition will not be correct */
+ log_i = 0;
+ while(al_data->log[log_i])
 {
- if(*tmpstr == '\'')
- {
- *tmpstr = ' ';
- }
- else if(*tmpstr == '\\')
- {
- *tmpstr = '/';
- }
- else if(*tmpstr == '`')
- {
- *tmpstr = ' ';
- }
- else if(*tmpstr == '"')
- {
- *tmpstr = ' ';
- }
- else if(*tmpstr == ';')
- {
- *tmpstr = ',';
- }
- else if(*tmpstr == '!')
- {
- *tmpstr = ' ';
- }
- else if(*tmpstr == '$')
+ int logline_length = 0;
+ char *tmpstr = al_data->log[log_i];
+ while(*tmpstr != '\0')
 {
- *tmpstr = ' ';
- }
+ if(*tmpstr == '\'')
+ {
+ *tmpstr = ' ';
+ }
+ else if(*tmpstr == '\\')
+ {
+ *tmpstr = '/';
+ }
+ else if(*tmpstr == '`')
+ {
+ *tmpstr = ' ';
+ }
+ else if(*tmpstr == '"')
+ {
+ *tmpstr = ' ';
+ }
+ else if(*tmpstr == ';')
+ {
+ *tmpstr = ',';
+ }
+ else if(*tmpstr == '!')
+ {
+ *tmpstr = ' ';
+ }
+ else if(*tmpstr == '$')
+ {
+ *tmpstr = ' ';
+ }
+ else if(*tmpstr < 32 || *tmpstr > 122)
+ {
+ *tmpstr = ' ';
+ }
- else if(*tmpstr < 32 || *tmpstr > 122)
- {
- *tmpstr = ' ';
- }
- log_count++;
- tmpstr++;
+ logline_length++;
+ tmpstr++;
- if(log_count >= 465)
- {
- *tmpstr = '\0';
- *(tmpstr -1) = '.';
- *(tmpstr -2) = '.';
- *(tmpstr -3) = '.';
- break;
+ if(logline_length >= 465)
+ {
+ *tmpstr='\0';
+ *(tmpstr -1)='.';
+ *(tmpstr -2)='.';
+ *(tmpstr -3)='.';
+ break;
+ }
 }
- }
+
+ log_i++;
+ }
+
 if(al_data->srcip != NULL)
 {
- tmpstr = al_data->srcip;
+ char *tmpstr = al_data->srcip;
 while(*tmpstr != '\0')
 {
 if(*tmpstr == '\'') 
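Review bot: The per-character rewrite in the second hunk is a seven-branch `if`/`else if` ladder keyed on one `char`, duplicated for `srcip` further down, with the bounds `32`, `122` and `465` left as bare numbers; a `switch` with a `default:` range test reads as a table and makes the intent (shell quoting and expansion characters to space, everything outside printable ASCII to space) visible at a glance, and naming the bounds lets the `srcip` copy share them. The range branch also deserves a comment, because it is what makes the loop behave the same on both `char` signednesses: a byte >= 0x80 is negative (so `< 32`) when `char` is signed and `> 122` when it is unsigned, so it is replaced either way. The truncation writes `*tmpstr='\0'` at index 465, which is in bounds only because the loop has already consumed 465 non-NUL bytes; a one-line comment saying so spares the next reader the same check. The enclosing `else` block and OS_IntegratorD both continue outside the hunk.
```c
                /* proposed: one sanitizer table in place of the if/else ladder */
                switch(*tmpstr)
                {
                    case '\\': *tmpstr = '/'; break;
                    case ';':  *tmpstr = ','; break;
                    case '\'': case '`': case '"': case '!': case '$':
                        *tmpstr = ' ';   /* sh quoting / expansion characters */
                        break;
                    default:
                        /* outside printable ASCII; a byte >= 0x80 lands here whether
                           char is signed (< 32) or unsigned (> 122) */
                        if(*tmpstr < 32 || *tmpstr > 122)
                        {
                            *tmpstr = ' ';
                        }
                        break;
                }
                /* … unchanged: logline_length++/tmpstr++ and the 465-byte "..." truncation … */
```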
@@ -301,13 +313,14 @@ void OS_IntegratorD(IntegratorConfig **integrator_config)
 tmpstr++;
 }
 }
+
 fprintf(fp, "alertdate='%s'\n", al_data->date);
 fprintf(fp, "alertlocation='%s'\n", al_data->location);
 fprintf(fp, "ruleid='%d'\n", al_data->rule);
 fprintf(fp, "alertlevel='%d'\n", al_data->level);
 fprintf(fp, "ruledescription='%s'\n", al_data->comment);
 fprintf(fp, "alertlog='%s", al_data->log[0]);
- int log_i = 1;
+ log_i = 1;
 while(al_data->log[log_i])
 {
 fprintf(fp, "\n%s", al_data->log[log_i]);
From fbbff978fb766cd497dc0a2dd09264c808e2f2f8 Mon Sep 17 00:00:00 2001
From: James MacMahon
Date: Mon, 22 Feb 2016 13:50:21 -0500
Subject: [PATCH 3/7] Fix sizeof typo in read-alert.c
---
 src/shared/read-alert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/read-alert.c b/src/shared/read-alert.c
index e27d543..248e22b 100755
--- a/src/shared/read-alert.c
+++ b/src/shared/read-alert.c
@@ -169,7 +169,7 @@ alert_data *GetAlertData(int flag, FILE *fp)
 }
 z = strlen(p) - strlen(m);
- os_realloc(alertid, (z + 1)*sizeof(char *), alertid);
+ os_realloc(alertid, (z + 1)*sizeof(char), alertid);
 strncpy(alertid, p, z);
 alertid[z] = '\0';
From aa8e8b881b30d915968fcef2c78061b83e4de984 Mon Sep 17 00:00:00 2001
From: James MacMahon
Date: Mon, 22 Feb 2016 14:09:04 -0500
Subject: [PATCH 4/7] Fix comment typo in read-alert.c
---
 src/shared/read-alert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/read-alert.c b/src/shared/read-alert.c
index 248e22b..d197f3f 100755
--- a/src/shared/read-alert.c
+++ b/src/shared/read-alert.c
@@ -125,7 +125,7 @@ alert_data *GetAlertData(int flag, FILE *fp)
 while(fgets(str, OS_BUFFER_SIZE, fp) != NULL)
 {
- /* Enf of alert */
+ /* End of alert */
 if(strcmp(str, "\n") == 0 && log_size > 0)
 {
 /* Found in here */
From 65f7180c9e9ff14fb37f0157b8512c4d833132e8 Mon Sep 17 00:00:00 2001 
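Review bot: In the `os_realloc` hunk of patch 3/7 the corrected size is `(z + 1)*sizeof(char)`, and `sizeof(char)` is 1 by definition, so it only documents intent; tying the size to the pointee, `os_realloc(alertid, (z + 1)*sizeof *alertid, alertid);`, says the same thing without a spelled-out type that can drift from the pointer, which is how the original `sizeof(char *)` slipped in (it over-allocated, so it was not a memory-safety defect, just waste). The `strncpy(alertid, p, z)` plus `alertid[z] = '\0'` pair that follows is correct for that allocation, but `z` is `strlen(p) - strlen(m)` and is only meaningful if `m` points inside `p`; that relationship is established outside the hunk and would be worth a comment next to the subtraction. GetAlertData continues outside the hunk.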
From: James MacMahon
Date: Mon, 22 Feb 2016 15:35:20 -0500
Subject: [PATCH 5/7] Bump up log_size limit in read-alert.c
Number of open ports in netstat output is unusually large on our instances so bump up the log_size limit.
---
 src/shared/read-alert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/read-alert.c b/src/shared/read-alert.c
index d197f3f..1c4cdf5 100755
--- a/src/shared/read-alert.c
+++ b/src/shared/read-alert.c
@@ -345,7 +345,7 @@ alert_data *GetAlertData(int flag, FILE *fp)
 os_strdup(p, user);
 }
 /* It is a log message */
- else if(log_size < 20)
+ else if(log_size < 30)
 {
 os_clearnl(str,p);
From 10c5484511d8eb5f715446d1719012742fc0394a Mon Sep 17 00:00:00 2001
From: James MacMahon
Date: Tue, 23 Feb 2016 12:45:59 -0500
Subject: [PATCH 6/7] Bump log_size limit again, add --More-- to output if large
---
 src/shared/read-alert.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/shared/read-alert.c b/src/shared/read-alert.c
index 1c4cdf5..25d40a2 100755
--- a/src/shared/read-alert.c
+++ b/src/shared/read-alert.c
@@ -345,7 +345,7 @@ alert_data *GetAlertData(int flag, FILE *fp)
 os_strdup(p, user);
 }
 /* It is a log message */
- else if(log_size < 30)
+ else if(log_size < 40)
 {
 os_clearnl(str,p);
@@ -368,6 +368,14 @@ alert_data *GetAlertData(int flag, FILE *fp)
 log_size++;
 log[log_size] = NULL;
 }
+ /* It is a very long log message */
+ else if(log_size == 40)
+ {
+ os_realloc(log, (log_size +2)*sizeof(char *), log);
+ os_strdup("--More--", log[log_size]);
+ log_size++;
+ log[log_size] = NULL;
+ }
 }
 continue;
From a6d545d16e4cb01068f51230b2960e7cc2f54626 Mon Sep 17 00:00:00 2001
From: James MacMahon
Date: Tue, 23 Feb 2016 12:47:46 -0500
Subject: [PATCH 7/7] Don't limit log output to 1256 in analysisd
---
 src/analysisd/alerts/log.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/analysisd/alerts/log.c b/src/analysisd/alerts/log.c
index 974e3c4..3c41d3b 100755 
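Review bot: The line limit is now a bare number in three places — `log_size < 20` became `< 30` in patch 5/7, `< 40` in the first hunk of patch 6/7, and the new `else if(log_size == 40)` branch in its second hunk must equal that same value or the `--More--` marker is never stored and extra lines vanish silently; one named constant used in both comparisons, e.g. `enum { ALERT_LOG_MAX_LINES = 40 };` with `else if(log_size < ALERT_LOG_MAX_LINES)` and `else if(log_size == ALERT_LOG_MAX_LINES)`, keeps them in step. The marker branch itself is sound: `os_realloc(log, (log_size +2)*sizeof(char *), log)` leaves room for the marker and the terminating NULL it stores, and once `log_size` is 41 neither branch matches so later lines are discarded, which looks intentional but merits a comment such as `/* past the limit: marker already stored, remaining lines are dropped */`. Downstream, `--More--` is indistinguishable from a real log line carrying that text (the integrator sanitizer in 2/7 passes it through unchanged), which is fine for a human-read alert but worth knowing for anything that parses the log array. GetAlertData continues outside these hunks.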
--- a/src/analysisd/alerts/log.c
+++ b/src/analysisd/alerts/log.c
@@ -64,7 +64,7 @@ void OS_LogOutput(Eventinfo *lf)
 printf(
 "** Alert %d.%ld:%s - %s\n"
 "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
- "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",
+ "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%s\n",
 lf->time,
 __crt_ftell,
 lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
@@ -110,7 +110,7 @@ void OS_LogOutput(Eventinfo *lf)
 char **lasts = lf->generated_rule->last_events;
 while(*lasts)
 {
- printf("%.1256s\n",*lasts);
+ printf("%s\n",*lasts);
 lasts++;
 }
 lf->generated_rule->last_events[0] = NULL;
@@ -132,7 +132,7 @@ void OS_Log(Eventinfo *lf)
 fprintf(_aflog,
 "** Alert %d.%ld:%s - %s\n"
 "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
- "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",
+ "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%s\n",
 lf->time,
 __crt_ftell,
 lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
@@ -178,7 +178,7 @@ void OS_Log(Eventinfo *lf)
 char **lasts = lf->generated_rule->last_events;
 while(*lasts)
 {
- fprintf(_aflog,"%.1256s\n",*lasts);
+ fprintf(_aflog,"%s\n",*lasts);
 lasts++;
 }
 lf->generated_rule->last_events[0] = NULL;
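Review bot: Dropping the `%.1256s` precision removes the only output-length bound visible in these four hunks (the combined format string and the `last_events` loop in both OS_LogOutput and OS_Log), so one event with an oversized line now flows unbounded into stdout and the alert file; the text appears to be the collected event from a monitored host, so the effective limit becomes whatever analysisd enforced on the event before it reached here, which is not visible in this hunk. If an unbounded line is acceptable the change is fine as it stands, but it should say so, e.g. `/* no length cap here: the event was already bounded at ingest */` beside the format, with that bound confirmed. If it is not, the approach of patch 6/7 — a cap plus an explicit marker instead of silent truncation — is the consistent alternative, via a small helper used for the trailing `%s` argument and the `*lasts` loop, sketched below; the argument bound to that final `%s` is outside the hunk, so only the loop call site is shown. The same point applies to all four hunks of this patch.
```c
/* proposed helper (constructed): bounded print with an explicit truncation marker */
static void print_bounded_line(FILE *f, const char *s, size_t max)
{
    if (strlen(s) > max) {
        fprintf(f, "%.*s\n--More--\n", (int)max, s);
    } else {
        fprintf(f, "%s\n", s);
    }
}

/* … unchanged: header format up to the final "\n" conversion; the trailing "%s\n"
   and its argument become a print_bounded_line(_aflog, <that argument>, <BOUND>) call … */
    while(*lasts)
    {
        print_bounded_line(_aflog, *lasts, MAX_ALERT_LINE_LEN /* placeholder: choose the bound */);
        lasts++;
    }
```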