/*
* logtool - a logfile parsing/monitoring/manipulation utility
*
* Copyright (C) Y2K (2000) A.L.Lambert
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
/* Yee ole includes (I put this all in one file for my sanity) */
#include "includes.h"
/*
* a module to process iptables messages into something sane to read with the naked eye
*/
/* a function to get the value blah where SOMETHING=blah in the event message */
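/*
 * Copy the value of "KEY=value" from event.raw into target.
 *
 * str is the key as written in the kernel line, '=' included (callers in
 * this file pass "SRC=", "DPT=", ...). The value starts after the first
 * '=' at or past the match and runs to the next space, newline or end of
 * string; it is truncated to LSIZE - 1 bytes, so target needs LSIZE bytes.
 *
 * Returns -1 when the key (or a following '=') is not in event.raw,
 * 1 when the value is empty (target is left untouched), 0 on success.
 */
int mip_parse_val(char *target, char *str) {
    char tmp_str[LSIZE];
    char *ptr;
    size_t len;

    /* find the key, then the '=' that introduces its value */
    ptr = strstr(event.raw, str);
    if (ptr == NULL) {
        return -1;
    }
    ptr = strstr(ptr, "=");
    if (ptr == NULL) {
        return -1;
    }
    ++ptr;
    /* the value ends at the next blank; a value that is last on the line
     * (no trailing space) previously made strstr() return NULL and crashed */
    len = strcspn(ptr, " \n");
    if (len > sizeof tmp_str - 1) {
        len = sizeof tmp_str - 1; /* event.raw may be longer than LSIZE */
    }
    memcpy(tmp_str, ptr, len);
    tmp_str[len] = '\0';
    if (tmp_str[0] == '\0') {
        return 1;
    }
    strcpy(target, tmp_str);
    return 0;
}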
/* a function to rip everything outside the syslog message into a variable we can parse */
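/*
 * Append the free-form prefix of the iptables line (the "--log-prefix"
 * text) to msg.
 *
 * event.raw is treated like the sample at the end of this file: the first
 * four whitespace-separated words are skipped, the rest of the line is
 * taken, and everything from "IN=" onward is cut off. What remains is
 * appended to msg, but only when "IN=" was found and msg is already
 * non-empty. Lines with fewer than four words leave msg untouched.
 *
 * msg must have room for LSIZE bytes; the append is truncated to fit.
 * Always returns 0.
 */
int mip_parse_msg(char *msg) {
    static const char ws[] = " \t\n\r\f\v";
    char tmp_msg[LSIZE];
    const char *p = event.raw;
    char *ptr;
    size_t len;
    int i;

    /* skip four words, as sscanf's "%*s %*s %*s %*s" did */
    for (i = 0; i < 4; i++) {
        p += strspn(p, ws);
        if (*p == '\0') {
            return 0;
        }
        p += strcspn(p, ws);
    }
    p += strspn(p, ws);
    /* rest of the line, bounded (the old "%[^\n]" had no field width) */
    len = strcspn(p, "\n");
    if (len > sizeof tmp_msg - 1) {
        len = sizeof tmp_msg - 1;
    }
    memcpy(tmp_msg, p, len);
    tmp_msg[len] = '\0';

    /* "IN=" marks the start of the kernel's own fields */
    ptr = strstr(tmp_msg, "IN=");
    if (ptr != NULL) {
        *ptr = '\0';
        if (msg[0] != '\0') {
            size_t used = strlen(msg);
            if (used < LSIZE - 1) {
                snprintf(msg + used, LSIZE - used, "%s", tmp_msg);
            }
        }
    }
    return 0;
}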
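/*
 * Append " src[:spt] -> dst[:dpt]" for this packet to event.pmsg.
 *
 * If resolv == TRUE, each address that get_host() resolves is rewritten
 * in place as "host(addr)"; in ANSI/HTML output the parentheses then get
 * snort-style color escapes via lt_strep(). src and dst are written
 * through and must have room for the host name — the 1024 passed to
 * lt_strep() is the only hint of their size (NOTE(review): confirm against
 * the it.* fields in mods.h). Ports are printed only when src_prt is
 * non-empty. Always returns 0.
 */
short int mip_build_sd(char *src, char *src_prt, char *dst, char *dst_prt, short int resolv) {
    char tmp_str[LSIZE];
    char *ptr;
    int resolved = 0; /* did either lookup succeed? */

    if (resolv == TRUE) {
        ptr = get_host(src);
        if (ptr != NULL) {
            snprintf(tmp_str, sizeof tmp_str, "%s(%s)", ptr, src);
            strcpy(src, tmp_str);
            resolved = 1;
        }
        ptr = get_host(dst);
        if (ptr != NULL) {
            snprintf(tmp_str, sizeof tmp_str, "%s(%s)", ptr, dst);
            strcpy(dst, tmp_str);
            resolved = 1;
        }
        /* color the "(addr)" part; this used to run only when dst resolved,
         * so a resolved src next to an unresolved dst stayed uncolored */
        if (resolved && (cf.outfmt == OUTPUT_ANSI || cf.outfmt == OUTPUT_HTML)) {
            lt_strep(src, 1024, "(", "\033e\033l(\033e\033w");
            lt_strep(src, 1024, ")", "\033e\033l)\033e");
            lt_strep(dst, 1024, "(", "\033e\033l(\033e\033w");
            lt_strep(dst, 1024, ")", "\033e\033l)\033e");
        }
    }
    /* bounded: the old sprintf() could overrun tmp_str on long host names */
    if (cf.outfmt == OUTPUT_ANSI || cf.outfmt == OUTPUT_HTML) {
        if (src_prt[0] != '\0') {
            snprintf(tmp_str, sizeof tmp_str, " \033W%s\033e\033l:\033e\033W%s \033l->\033e \033W%s\033e:\033W%s\033e", src, src_prt, dst, dst_prt);
        } else {
            snprintf(tmp_str, sizeof tmp_str, " \033W%s\033e \033l->\033e \033W%s", src, dst);
        }
    } else {
        if (src_prt[0] != '\0') {
            snprintf(tmp_str, sizeof tmp_str, " %s:%s -> %s:%s", src, src_prt, dst, dst_prt);
        } else {
            snprintf(tmp_str, sizeof tmp_str, " %s -> %s", src, dst);
        }
    }
    /* NOTE(review): event.pmsg's capacity is not visible in this file, so
     * this append is still unbounded, like the rest of the module */
    strcat(event.pmsg, tmp_str);
    return 0;
}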
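/*
 * Module entry point for iptables "-j LOG" lines (data struct: see mods.h).
 *
 * Sets the event color and a fixed "iptables:" program name (the kernel
 * line usually carries none), runs mod_premsg_setup(), then fills the
 * global `it` from event.raw: the --log-prefix text via mip_parse_msg()
 * and each KEY=value field via mip_parse_val(). The readable form
 * " <prefix> {PROTO} src:spt -> dst:dpt" is appended to event.pmsg and
 * event.m.iptables is pointed at `it`. Always returns 0.
 */
short int ltm_iptables(void) {
    char msg[LSIZE];          /* user-defined --log-prefix text (if any) */
    char tmp_str[LSIZE];      /* scratch for building output fragments */
    short int resolv = FALSE; /* resolve IP addresses to host names? */
    /* which it.* field each KEY= of the kernel line lands in */
    struct { char *field; const char *key; } fields[] = {
        { it.in_if,   "IN="    },
        { it.ou_if,   "OUT="   },
        { it.src,     "SRC="   },
        { it.src_prt, "SPT="   },
        { it.dst,     "DST="   },
        { it.dst_prt, "DPT="   },
        { it.plen,    "LEN="   },
        { it.tos,     "TOS="   },
        { it.prec,    "PREC="  },
        { it.ttl,     "TTL="   },
        { it.proto,   "PROTO=" },
    };
    size_t i;

    resolv = mod_varcheck("modipt_resolvips");
    /* figure out what color this message should be */
    lt_set_event_color();
    /* because you most often don't get a 'program' field in one of these */
    strcpy(event.program, "iptables:");
    /* parse up the basics (date formats, prog/src, etc) */
    mod_premsg_setup();
    /* see if the user used any prefixing; mip_parse_msg() appends it to
     * the non-empty msg */
    strcpy(msg, "-j LOG: ");
    mip_parse_msg(msg);

    /* every field starts empty and stays so when its key is absent */
    for (i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        fields[i].field[0] = '\0';
        mip_parse_val(fields[i].field, fields[i].key);
    }

    /* parsing done, start building event.pmsg: the msg first (if any) */
    if (msg[0] != '\0') {
        snprintf(tmp_str, sizeof tmp_str, " %s%s%s", event.pcolor, msg, "\033e");
        strcpy(it.msg, msg);
        strcat(event.pmsg, tmp_str);
    }
    /* then the protocol in braces, bounded (was strcpy/strcat) */
    if (it.proto[0] != '\0') {
        snprintf(tmp_str, sizeof tmp_str, " \033e\033l{\033e\033C%s\033e\033l}\033e", it.proto);
        strcat(event.pmsg, tmp_str);
    }
    mip_build_sd(it.src, it.src_prt, it.dst, it.dst_prt, resolv);
    /* make a link from the event.module structure to our iptables data */
    event.m.iptables = &it;
    return 0;
}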
/*
Mar 5 02:48:09 kern@friday/1.1.1.1 Bad packet on pub int:IN=eth1 OUT= MAC=00:40:05:6c:f9:8b:00:02:3b:01:be:9d:08:00 SRC=61.14.66.78 DST=65.71.249.147 LEN=78 TOS=0x00 PREC=0x00 TTL=108 ID=11861 PROTO=UDP SPT=1028 DPT=137 LEN=58
*/