2004-02-10  Yoann Vandoorselaere

	* src/lml-alert.c (generate_target): check for user/process/node
	before inserting a default value for these.

2004-02-01  Yoann Vandoorselaere

	* src/file-server.c:
	* src/pconfig.c (set_file):
	* src/log-common.c: big sanitization of the API.

	* plugins/simple/simple.c (parse_ruleset_directive): if an
	inclusion file, do not ignore other files.

2004-02-01  Yoann Vandoorselaere

	* src/udp-server.c (udp_server_process_event): use
	log_file_set_source().
	(udp_server_process_event): remove trailing syslog priority /
	facility '>' character.

	* src/log-common.c (log_file_set_source): implemented. Doesn't
	check whether the file exists. Free previous value if already set.
	(log_file_set_filename): free filename if it already exists.

	* src/udp-server.c (udp_server_new): verbose message when the
	syslog server is enabled.
	(udp_server_process_event, udp_server_new): embed a log_file_t
	within udp_server_t. Set the filename to be the source of the
	syslog message. Avoid a crash due to the recent log file handling
	change.

2004-01-31  Yoann Vandoorselaere

	* plugins/simple/ruleset/simple.rules (regex): use the same
	classification for user authentication (succeeded/failed).

2004-01-23  Yoann Vandoorselaere

	* plugins/simple/simple.c (simple_run): remove latest "pass"
	addition, clean up the code and allow use of the "last" attribute
	with regex that doesn't generate an alert. Keep the
	pass_rules_first option throughout.

2004-01-23  Yoann Vandoorselaere

	(set_pass_first):
	(parse_rule_pass): implemented.
	(parse_rule_keyword): hook pass keyword.
	(simple_run): stop walking rules in case we meet a "pass" rule.
	(plugin_init): new option to process pass rules first, if the user
	wants to. Make this option get higher priority than the ruleset
	specification option.
	(parse_ruleset_directive): if the "pass rules first" option was
	specified, add pass rules at the beginning of the list.
2004-01-20  Gene R Gomez

	* plugins/simple/ruleset: cleaned up regex to remove some syslog
	dependencies (vigor.rules and a few others without sample logs
	remain). Added honeyd.rules ruleset.

2004-01-15  Yoann Vandoorselaere

	* plugins/simple/ruleset/simple.rules (regex): better rules.

	* plugins/simple/ruleset/grsecurity.rules:
	* plugins/simple/ruleset/ssh.rules: syslog independence...

	* src/lml-alert.c (generate_target): reuse existing target if any.
	We need some kind of mechanism so that it is totally doable from
	the rulesets.

	* prelude-lml.conf.in (file): update metalog default format.

2004-01-11  Yoann Vandoorselaere

	* src/log-common.c (log_file_new): oops, set default ts_fmt.

2004-01-10  Yoann Vandoorselaere

	* src/log-common.c (format_header, handle_escaped, format_common):
	(format_tstamp): reworked, cleaned up, with the ability to tell
	where exactly in the log the timestamp is. Makes it much easier to
	add new hooks for IDMEF fields within the log.
	(SYSLOG_LOG_FMT):
	(SYSLOG_TS_FMT): update to the newer format.

	* prelude-lml.conf.in: remove invalid section, use new log message
	configuration format.

2004-01-09  Gene Gomez

	* plugins/simple/ruleset: id and revision tags added to all rules.
	This should allow for better management and revisioning of the
	rulesets.

2004-01-08  Gene Gomez

	* plugins/simple/ruleset: rulesets "sanitized"; standardized
	format introduced.

2004-01-07  Nicolas Delon

	* plugins/simple/simple.c (build_message): fit idmef_message
	changes.

2003-12-29  Yoann Vandoorselaere

	* plugins.rules.in: remove paxmod. Obsoleted.

2003-12-26  Nicolas Delon

	* src/lml-alert.c (send_heartbeat_cb): call
	prelude_msgbuf_mark_end() to flush the alert.

2003-12-26  Yoann Vandoorselaere

	* src/lml-alert.c (generate_target): if target_user is set, add
	it to the alert.
	(lml_emit_alert): call prelude_msgbuf_mark_end() to flush the
	alert.

	* src/pconfig.c (pconfig_set): workaround prelude-getopt flaw...
	* src/file-server.c (file_server_wake_up):
	(initialize_fam): don't try to initialize FAM on each file
	monitored in case FAM initialization failed once.

	* src/pconfig.c (set_logwatch): remove new logfile configuration
	scheme for now, it's not ready yet.
	(set_file): create the log_file_t object here, and set the format
	according to the last format variable value (default is syslog if
	not set). Option order is respected.

2003-12-22  Nicolas Delon

	* plugins/simple/ruleset/*.rules: change all impact.* to
	assessment.impact.*

2003-12-21  Yoann Vandoorselaere

	* plugins/simple/simple.c (parse_rule_object_value): fix a typo.

	* src/pconfig.c (pconfig_set, set_logwatch): comment out the call
	to prelude_option_parse_from_context for now so that LML is
	usable...

2003-12-21  Yoann Vandoorselaere

	* plugins/simple/simple.c: some code simplification. Include patch
	from Nicolas Delon (2003-12-20 ChangeLog entry).

2003-12-20  Nicolas Delon

	* plugins/debug/debug.c:
	* plugins/pax/pax.c:
	* plugins/simple/simple.c:
	* plugins/simple/ruleset/checkpoint.rules:
	* plugins/simple/ruleset/cisco.rules:
	* plugins/simple/ruleset/exim.rules:
	* plugins/simple/ruleset/grsecurity.rules:
	* plugins/simple/ruleset/ipchains.rules:
	* plugins/simple/ruleset/ipfw.rules:
	* plugins/simple/ruleset/ipso.rules:
	* plugins/simple/ruleset/netfilter.rules:
	* plugins/simple/ruleset/ntsyslog.rules:
	* plugins/simple/ruleset/portsentry.rules:
	* plugins/simple/ruleset/proftpd.rules:
	* plugins/simple/ruleset/qpopper.rules:
	* plugins/simple/ruleset/simple.rules:
	* plugins/simple/ruleset/squid.rules:
	* plugins/simple/ruleset/ssh.rules:
	* plugins/simple/ruleset/vigor.rules:
	* plugins/simple/ruleset/vpopmail.rules:
	* plugins/simple/ruleset/wap11.rules:
	* plugins/simple/ruleset/zywall.rules:
	* plugins/simple/ruleset/zyxel.rules:
	* src/file-server.c:
	* src/lml-alert.c: prelude-lml has been ported to the new IDMEF
	API. The most important thing is that simple.c now uses
	idmef_object to create objects from the rules files. The code has
	also been
	cleaned up and, thanks to idmef_object, simple.c is just about
	900 lines long against 2500 before the port. Because of the use
	of idmef_object, the format of rules has changed a little bit:
	"class" becomes "classification" and listed elements of the
	object must be indexed, for example:

		source.node.address;
		source.node.address.address=$1;

	become

		source(0).node.address(0).address=$1

2003-12-15  Yoann Vandoorselaere

	* Merge from 0-8.

	* src/pconfig.c (set_batch_mode):
	(set_logfile_format):
	(set_logfile_ts_format): implemented.
	(set_file):
	(set_logwatch): cleaner children option handling.
	(pconfig_set): add options...

	* src/main.c (main): if batch mode is set, don't use the select()
	loop, and don't sleep between read calls.

	* src/log-common.c: new API abstracting the logfile, permitting
	to easily set up per-logfile format strings.
	(format_time):
	(handle_escaped):
	(format_header):
	(format_log): use user provided format string.

	* src/file-server.c: if batch_mode is set, don't initialize FAM.
	(file_server_set_batch_mode): implemented.

2003-12-12  Yoann Vandoorselaere

	* src/main.c (main): only use the polling method if batch_mode is
	not set. Don't call sleep() in case batch_mode is enabled: we
	want to read everything at once.

	* plugins/simple/simple.c (parse_id):
	(parse_revision): implemented.
	(parse_rule): added hook for parse_id and parse_revision. This
	feature was requested in order to help with ruleset
	administration.

2003-10-27  Yoann Vandoorselaere

	* plugins/simple/ruleset/Makefile.am (ruleset_DATA):
	* plugins/simple/ruleset/wap11.rules: new ruleset to monitor WAP11
	activity.

2003-10-22  Yoann Vandoorselaere

	* NEWS: updated.

	* configure.in: bump version to 0.8.6.

	* plugins/simple/simple.c (create_service_port): if the variable
	is prefixed with 0x or 0X, then set VARIABLE_CONTENT_TYPE_HEX, so
	that we force it to be read as a base 16 value later.
	(resolve_variable): do not use atoi() anymore, but use strtol().
	Default base argument is 0, allowing to automatically handle
	decimal, hexadecimal, and octal. For values that contain hex but
	are not prefixed by 0x, 0x should be added as the variable
	prefix, so that we know how to handle it.

	* plugins/simple/simple.c (resolve_variable): avoid testing the
	value with isdigit if VARIABLE_CONTENT_TYPE_HEX is set. This is
	used for hexadecimal values only. Fix problem if the first byte of
	a hexadecimal value is not a digit.

2003-10-21  Stéphane Loeuillet

	* plugins/simple/ruleset/portsentry.rules: add a new rule
	concerning dropped packets.

	* plugins/simple/ruleset/zyxel.rules: add a rule for PPP logs;
	specify ruleset/rule number concerned by a Filter log; add an H
	before port number as they are in hexadecimal in those logs.

2003-10-11  Krzysztof Zaraska

	* src/lml-alert.c (generate_target): fixed handling of the return
	value of prelude_inet_getaddrinfo().

	* plugins/simple/ipfw.rules: fixed ICMP rules. Thanks to
	mark@fantoma.net for the report.

2003-10-06  Yoann Vandoorselaere

	* NEWS: updated.

	* configure.in: bump version to 0.8.5.

2003-09-25  Nicolas Delon

	* src/file-server.c (is_file_already_used): bug fix, this function
	only tested if the log file had been removed, but not if the file
	had been renamed or not (which typically happens when a log file
	is rotated without compression (a simple rename of the log file is
	performed)).
	(fam_process_event): bug fix / update, also call
	is_file_already_used when the log file is moved.

	* src/log-common.c: bug fix, make this file also compile on OSes
	other than Linux.

2003-09-21  Yoann Vandoorselaere

	* NEWS: updated.

	* configure.in: bump version number to 0.8.4.

	* plugins/simple/simple.c (emit_alert): do not free
	target_hostname. It should provide more information about the
	target.

	* plugins/simple/ruleset/netfilter.rules: add target information
	to the alerts issued from netfilter logs.

2003-08-10  Krzysztof Zaraska

	* configure.in: removed pcre.h test.
2003-08-10  Krzysztof Zaraska

	* src/regex.c (regex_create_entry): removed a debugging printf.

2003-08-09  Krzysztof Zaraska

	* configure.in: handle situation where $fam_include_dir is
	undefined correctly.

2003-08-09  Yoann Vandoorselaere

	* src/regex.c (trim): \0 at the end of the string, so that we
	don't get the end of the filtered input line.

	* src/file-server.c (logfile_alert): set file category to
	"current".

2003-08-06  Yoann Vandoorselaere

	* src/regex.c (trim): fix this function so that it is clean and
	understandable.
	(regex_init): use strtok() instead of strtok_r() because it might
	not be supported. Remove lots of unnecessary code, no string copy
	is needed.

2003-07-20  Yoann Vandoorselaere

	* NEWS: update for upcoming release.

2003-07-09  Yoann Vandoorselaere

	* src/file-server.c (logfile_alert):
	* src/main.c (lml_dispatch_log): update to the new log container
	interface.

	* src/log-common.c: major rework of the log interface, to be more
	object oriented. Also, when log_container_new() is called, always
	fill a default hostname, so that we don't end up with a NULL
	hostname when log_container_set_log() isn't called (we don't have
	the syslog header).

2003-06-17  Yoann Vandoorselaere

	* src/file-server.c (file_metadata_get_position): always set
	st_size.
	(file_metadata_get_position): don't issue an alert here if there
	was a rotation. The user already got a logfile deleted alert.
	(file_metadata_get_position):
	(file_metadata_get_position): in case there was a rotation or a
	checksum error, we have to analyze the file from the beginning:
	set monitor->last_size to 0 before returning. Avoids duplicate
	alerts.

2003-06-13  Yoann Vandoorselaere

	* src/lml-alert.c (resolve_failed_fallback): implemented. Try to
	fill what we can in case getaddrinfo() fails (which only happens
	in badly configured environments).
	(generate_target): dump an error using prelude_inet_gai_strerror()
	if prelude_inet_getaddrinfo() fails. Call
	resolve_failed_fallback().
2003-06-12  Yoann Vandoorselaere

	* src/lml-alert.c (ANALYZER_MODEL): fix class and model.
	(generate_target): use prelude_inet_getaddrinfo() in order to get
	target information, call fill_target().
	(keep_buffer): ugly hack because of the IDMEF API memory handling
	silliness.
	(fill_target): implemented. Walk the addrinfo list and populate
	Node and Address.

2003-06-11  Yoann Vandoorselaere

	* configure.in: use AC_PATH_GENERIC instead of AC_PATH_GENERIC2
	for PCRE checks.

	* acinclude.m4: delete AC_PATH_GENERIC2, make AC_PATH_GENERIC
	handle version numbers with both 2 and 3 separated numbers.

	* src/file-server.c (file_metadata_read):
	(file_metadata_save): returning the address of a local variable
	is a bad idea. I wonder how it worked before.

2003-06-09  Stephane Loeuillet

	* configure.in: now detects pcre.h and stops configure if not
	present.

	* src/regex.c: make an error message more verbose (display the
	name of the file it can't open).

2003-06-02  Yoann Vandoorselaere

	* src/file-server.c (monitor_open): be verbose when we fail to
	open a logfile.

	* src/pconfig.c (set_lml_group): new function, find group by
	name, and save the group GID.
	(pconfig_set): new --group (-g) option, takes a groupname
	argument. LML will then setgid to the specified group if
	requested.
	(set_file): check that we have read permission, at least. This
	fixes bug #0000081.

2003-05-19  Krzysztof Zaraska

	* plugins/simple/ruleset/ipchains.rules: new file. Linux IPChains
	ruleset from Simon Castro.

	* plugins/simple/ruleset/simple.rules:
	* plugins/simple/ruleset/Makefile.am: modified accordingly.

2003-05-19  Stephane Loeuillet

	* plugins/simple/ruleset/{simple.rules, Makefile.am}:
	- include the two new .rules files

	* plugins/simple/ruleset/{portsentry,vigor}.rules:
	- add two PortSentry regex
	- add Vigor xDSL router built-in firewall support (John Green)

2003-05-19  Yoann Vandoorselaere

	* configure.in (enable_fam): remove debugging echo.
	(log_plugin_dir): remove trailing /.

	* Makefile.am (install-data-local): install plugin.rules manually,
	don't overwrite if already present.
	(EXTRA_DIST): remove preludeconf_DATA (fix bug #0000079: "make
	install of prelude-lml override old
	etc/prelude-lml/prelude-lml.conf").

2003-05-18  Stephane Loeuillet

	* plugins/simple/ruleset/{simple,exim,checkpoint,squid,ipso,ntsyslog}.rules:
	- split regex lines to make them more 'diff friendly'

	* plugins/simple/simple.c:
	- split function 'resolve_variable' into new functions
	'resolve_variable_list' and 'resolve_variable'
	- add a new variable type for [source/target].service.port
	(VARIABLE_TYPE_PORT). Now, ports can either contain a port number
	or a service name (www would resolve to 80, depending on your
	/etc/services)

2003-05-02  Yoann Vandoorselaere

	* src/file-server.c (read_logfile): we are not threaded anymore,
	so stop using getc_unlocked(), which, despite the confusing glibc
	manpage, doesn't seem to be portable. Use getc() instead.

2003-04-26  Yoann Vandoorselaere

	* configure.in: bump version number to 0.8.3.

	* src/file-server.c (check_logfile_data): handle the case where
	the logfile gets truncated.
	(read_logfile): return immediately with rlen set to 0 if available
	is 0.

2003-04-26  Stephane Loeuillet

	* plugins/simple/ruleset/{proftpd,qpopper,ssh,vpopmail}.rules:
	- added 'last' keyword when needed to not parse a log line 2 times
	- changed my mail address

2003-04-25  Yoann Vandoorselaere

	* src/file-server.c (read_logfile): changed the semantics of this
	function:
	- Now returns -1 if it couldn't read a full log line (data doesn't
	end with \n).
	- Returns the size of the whole log line otherwise (not only what
	has been read upon this call, as a log line might require several
	calls of this function in order to be read).
	- The function now takes a pointer to a 64 bit integer as
	argument, which is _always_ modified to reflect the size of what
	has been read.
	- The function now takes an "available" 64 bit integer argument
	that specifies how many bytes we should read at most (needed
	because the file size might change between the time we call
	stat() and the time we read the file).
	(check_logfile_data): update to fit the new read_logfile()
	semantics.

	* src/pconfig.c (set_file): fail if the given file doesn't exist
	(only fail on startup).

	* src/file-server.c (file_metadata_read): in case the metadata
	file contains invalid stuff, issue a warning and truncate it.
	(check_logfile_data): remove invalid assertion(). Call abort() if
	FAM is activated and it notified us, but the number of bytes read
	doesn't match the new file size. That should never happen.

	* src/main.c (main): call file_server_start_monitoring().

	* src/file-server.c: cleanup, reorganisation.
	(file_server_start_monitoring): new function, initialize
	everything once by calling file_server_wake_up(), which'll have
	the side effect of opening un-opened files.
	(file_server_monitor_file): do not call monitor_open() here: we
	want all unread bytes to be processed before activating FAM
	notification if enabled.
	(check_logfile_data): assert in case we get an EOF on read and FAM
	was initialized.
	(file_metadata_get_position): set last_size to current file size
	only if we want to start at the tail. Emit an alert and set file
	position to 0 if the checksum is invalid. Include size of
	checksummed line in last_size.
	(file_metadata_save): truncate the file before writing to it.
	Avoids garbage remaining in the file.

	* configure.in: check for FILENAME_MAX, define it if it's not
	defined on this system.

2003-04-24  Yoann Vandoorselaere

	* src/pconfig.c (pconfig_set): add the rotation-interval option.

	* src/Makefile.am (DEFS): add -D_FILE_OFFSET_BITS=64 to the
	CFLAGS.

	* Makefile.am (install-data-local): create the metadata directory.
	* plugins/simple/ruleset/squid.rules:
	* plugins/simple/ruleset/ntsyslog.rules:
	* plugins/simple/ruleset/checkpoint.rules:
	* plugins/simple/ruleset/ipso.rules: new rulesets from Vincent
	Glaume.

	* plugins/simple/simple.c: include modified patch from Vincent
	Glaume, adding a "last" keyword, telling to stop walking our regex
	list data once a regex has been matched.

2003-04-23  Yoann Vandoorselaere

	* src/file-server.c (file_metadata_read): read the offset and the
	last log line where we stopped analyzing data from the logfile
	metadata.
	(file_metadata_save): save current offset and current log line.
	(file_metadata_position_monitor): position the monitor provided
	the content of the metadata. If there is no metadata, we start
	reading the file from its tail. If there is metadata available
	and the current logfile size is less than the specified metadata
	offset, the log got rotated, and we start analyzing the file at
	0. If there is metadata available and the current logfile size is
	more than or equal to the specified metadata offset: start
	analyzing the logfile from the specified offset. Unless the
	checksum doesn't match, in which case we'll issue an alert, and
	restart from 0.
	(file_metadata_open): compute the metadata filename associated
	with the monitor. Open it.

2003-04-22  Yoann Vandoorselaere

	* src/file-server.c (monitor_open): if the provided filename is
	"stdin", use stdin as the input descriptor.

2003-03-18  Krzysztof Zaraska

	* plugins/simple/ruleset/Makefile.am: add missing entries to
	ruleset_DATA.

	* plugins/simple/ruleset/proftpd.rules:
	* plugins/simple/ruleset/ssh.rules:
	* plugins/simple/ruleset/vpopmail.rules: English grammar fixes.

2003-02-27  Yoann Vandoorselaere

	* plugins/simple/ruleset/exim.rules (regex): add \ to end of line.

	* src/udp-server.c (udp_server_get_event_fd): avoid a NULL pointer
	dereference.

	* src/main.c (add_fd_to_set):
	(wait_for_event): don't add the FD if its value is -1.
2003-02-04  Yoann Vandoorselaere

	* plugins/simple/ruleset/simple.rules (include): include
	exim.rules.

	* plugins/simple/ruleset/exim.rules: included contribution from
	Laurent Oudot.

	* Ruleset update from Stéphane Loeuillet. Include new ProFTPD,
	vpopmail, and qpopper rulesets.

	* plugins/simple/simple.c: handling of IDMEF source and
	destination address.

	* src/file-server.c (fam_wait_for_event): remove unused.

	* src/lml-alert.c (generate_analyzer): make LML alert carry LML
	version.

2003-01-23  Yoann Vandoorselaere

	* src/main.c (sighup_handler): implemented. Set the global
	got_sighup variable to 1 in an atomic way (got_sighup is a
	volatile sig_atomic_t).
	(main): register a handler for SIGHUP. Use the wait_for_event
	function if we have FAM file monitoring or a UDP server or both.
	Revert to normal polling otherwise, meaning we call
	file_server_wake_up() every second, and check for SIGHUP.
	(wait_for_event): call handle_sighup_if_needed() each time we go
	through the event loop. Restart the loop if select() returns
	EINTR, so that we catch the signal immediately.
	(handle_sighup_if_needed): implemented. If got_sighup is set, then
	the udp server port will be closed (so that we can bind the port
	again), and prelude-lml will be restarted.

	* src/file-server.c (file_server_monitor_file): print an error if
	we can't open the monitored file.
	(file_server_get_event_fd): return -1 if we have FAM but it is not
	enabled because of the writev() bug.
	(file_server_standalone): removed this function, the code is
	being moved to another place so that we can poll for SIGHUP
	periodically.

	* Makefile.am (install-data-local): install prelude-lml.conf-dist
	with mode 600.
2002-12-18  Yoann Vandoorselaere

	* plugins/debug/debug.c (debug_run): stop using our own msgbuf.
	Use lml-alert provided function. Also, debug messages are _low_
	priority.

2002-12-09  Yoann Vandoorselaere

	* configure.in: bump version number to 0.8.2.

	* NEWS: updated.

	* Makefile.am (EXTRA_DIST): include COPYING.OpenSSL

	* plugins/simple/ruleset/netfilter.rules: include patch from
	Nicolas Delon: the pattern "(MAC=[\w:]+)?" is used to match the
	MAC string reported by netfilter in the log. This rule works fine
	for packets received on a LAN where IP packets are encapsulated in
	an ethernet (for example) frame, but does not work for packets
	directly received from the internet where MAC has no value and is
	reported as the simple string "MAC=" in the log line. The
	"(MAC=[\w:]+)?" string should be replaced by "MAC=([\w:]+)?", so
	that the pattern can match in both cases.

	* configure.in (enable_fam): check that FAM library and headers
	are available on this system before compiling in FAM support.

	* configure.in:
	* src/file-server.c: move the test issued to see if the operating
	system we're running on is vulnerable to the writev() issued
	change not being notified to file-server.c. The check is now done
	at runtime, this will prevent people from recompiling LML when
	reinstalling a new kernel.

	* src/main.c (sig_handler): don't use fprintf, use the log()
	function.

2002-12-05  Yoann Vandoorselaere

	* src/file-server.c: include config.h before checking if HAVE_FAM
	is set.

	* acconfig.h: removed.

	* configure.in: implemented FAM detection code. This code will
	both check if FAM is available, and if FAM notices writev()
	changes (known Linux kernel bug). Also removed code that checks if
	we need aligned access, libprelude does that for us, and it's not
	needed anyway.

2002-11-28  Yoann Vandoorselaere

	* src/pconfig.c (print_help): fit prelude-getopt API change.

2002-11-12  Yoann Vandoorselaere

	* COPYING.OpenSSL:
	* README: permit linking with OpenSSL so that the Debian package
	might be distributed.
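The netfilter MAC pattern change recorded in the 2002-12-09 entry, as an added example that is not part of the ChangeLog or of the prelude-lml rulesets: the surrounding IN=/OUT=/SRC=/DST= pattern and the two log lines are constructed for the demonstration, which shows why "(MAC=[\w:]+)?" cannot match a line carrying the bare "MAC=" while "MAC=([\w:]+)?" matches both kinds of line.

```python
import re

# The two MAC fragments quoted in the ChangeLog entry: the original one
# makes the whole "MAC=..." token optional but requires at least one
# character after "MAC=" whenever the token is present; the fixed one
# keeps "MAC=" mandatory and makes only its value optional.
OLD_MAC_FRAGMENT = r"(MAC=[\w:]+)?"
NEW_MAC_FRAGMENT = r"MAC=([\w:]+)?"

# Constructed netfilter-style lines (not taken from the page).
# A frame received on a LAN carries the MAC string; a packet received
# directly on a point-to-point internet link is logged with "MAC=" only.
LAN_LINE = ("kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 "
            "SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=22")
INET_LINE = ("kernel: IN=ppp0 OUT= MAC= "
             "SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=22")


def build_regex(mac_fragment):
    """Embed a MAC fragment in a constructed netfilter header pattern.

    The fields around the fragment are this example's own (the real
    netfilter.rules regex is longer); the optional space after the
    fragment lets the old fragment match when it consumes no text.
    """
    return re.compile(r"IN=(\S*) OUT=(\S*) " + mac_fragment
                      + r" ?SRC=(\S+) DST=(\S+)")


def parse_netfilter(line, mac_fragment=NEW_MAC_FRAGMENT):
    """Return the captured fields as a dict, or None when the line does
    not match (which is the failure the fix addresses).

    With the old fragment the "mac" field holds "MAC=..." (the group
    wraps the whole token); with the fixed fragment it holds only the
    address, and is None when netfilter logged a bare "MAC=".
    """
    m = build_regex(mac_fragment).search(line)
    if m is None:
        return None
    return {"in": m.group(1), "out": m.group(2), "mac": m.group(3),
            "src": m.group(4), "dst": m.group(5)}


def compare_fragments(lines=(LAN_LINE, INET_LINE)):
    """For each line, report whether the old and the fixed fragment
    match it: the old one drops the internet-facing line entirely."""
    return [(parse_netfilter(l, OLD_MAC_FRAGMENT) is not None,
             parse_netfilter(l, NEW_MAC_FRAGMENT) is not None)
            for l in lines]
```

compare_fragments() returns [(True, True), (False, True)]: the old pattern silently loses every event logged without a MAC address, which for a firewall ruleset means losing exactly the packets that arrived from the internet side.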
2002-11-06  Yoann Vandoorselaere

	* src/file-server.c (file_server_standalone): add a call to
	prelude_wake_up_timer() in standalone mode.

2002-10-28  Yoann Vandoorselaere

	* plugins/simple/ruleset/zywall.rules: include ZyWall ruleset
	contributed by Laurent Oudot.

	* plugins/simple/ruleset/simple.rules (include): include
	zywall.rules.

2002-10-26  Yoann Vandoorselaere

	* plugins/simple/ruleset/ssh.rules: include sshd ruleset
	contributed by Nicolas Delon.

	* plugins/simple/ruleset/simple.rules (include): include ssh.rules.

	* plugins/simple/ruleset/Makefile.am (ruleset_DATA): add ssh.rules.

2002-10-13  Yoann Vandoorselaere

	* plugins/simple/ruleset/grsecurity.rules: new grsecurity ruleset,
	contributed by Brad Spengler, and handling grsecurity up to 1.9.7.

	* plugins/simple/ruleset/simple.rules: fix a typo.

	* plugins/simple/simple.c (parse_ruleset): check if rule->regex is
	NULL (which is possible in case a rule doesn't provide a regex).
	Dump an error, and drop the rule. This fixes a possible SIGSEGV on
	malformed rules.

2002-09-20  Krzysztof Zaraska

	* plugins/simple/ruleset/simple.rules: fix typo.

2002-09-19  Krzysztof Zaraska

	* plugins/debug/debug.c:
	* plugins/pax/pax.c:
	* plugins/simple/simple.c:
	* src/regex.c: include . That allows the code to build on FreeBSD.

2002-09-18  Yoann Vandoorselaere

	* src/udp-server.c (udp_server_process_event): new function, read
	one syslog message.
	(udp_server_get_event_fd): new function.
	(udp_server_new): fix call to memset(). The udp-server
	implementation doesn't depend on pthread anymore.

	* src/main.c (lml_dispatch_log): doesn't take an lml_queue_t
	argument anymore.
	(main): call file_server_standalone if no udp server is
	configured. Otherwise call wait_for_event.
	(wait_for_event): select on the UDP server socket, and on the
	file-server socket if FAM is activated. Otherwise, the file-server
	functions are called every second.

	* src/log-common.c (_XOPEN_SOURCE): move this definition around
	the stdio.h inclusion.
	This solves the Solaris compilation problem.

	* src/file-server.c: massive reorganisation.
	(monitor_open): call fam_setup_monitor if HAVE_FAM is set.
	(fam_setup_monitor):
	(fam_process_event):
	(fam_wait_for_event):
	(fam_process_queued_events): new functions handling the FAM
	monitor.
	(file_server_standalone): use FAM if possible.
	(file_server_wake_up): ditto.
	file-server is now able to monitor file changes through FAM,
	instead of polling every file descriptor every second. This code
	is not yet enabled on architectures that support it because the
	current Linux kernel version with Dnotify support (used by FAM)
	doesn't seem to notice some of the data written to a file through
	writev().

	* src/Makefile.am (prelude_lml_SOURCES): remove queue.c
	dependency.

	* plugins/simple/ruleset/simple.rules: document User/UserID field
	usage.

	* plugins/simple/simple.c (create_userid_type):
	(create_userid_name):
	(create_userid_number):
	(retrieve_latest_userid):
	(create_source_user):
	(create_target_user):
	(create_user_category):
	(parse_target_user_category):
	(parse_source_user_category):
	(parse_target_user_userid_type):
	(parse_source_user_userid_type):
	(parse_target_user_userid_name):
	(parse_source_user_userid_name):
	(parse_target_user_userid_number):
	(parse_source_user_userid_number):
	(parse_target_user_userid):
	(free_user): implemented.
	(record_source_fields): handle User/UserID fields.
	(parse_rule): only call store_runtime_variable if value is not
	NULL.
	(free_rule): call free_user().
	(parse_rule): update to handle User/UserID IDMEF object.
	(filter_string): allow key without value (so that they can be
	used as delimiter).

2002-09-13  Yoann Vandoorselaere

	* src/log-common.c: fix a Solaris compilation problem where the
	timeval structure wouldn't be defined if _XOPEN_SOURCE is defined.
	Only define _XOPEN_SOURCE for inclusion, and #undef it after.

2002-08-29  Yoann Vandoorselaere

	* configure.in: bump version number to 0.8.1.

	* NEWS: update release notes.
	* src/file-server.c (file_server_monitor_file): added a log()
	telling the file doesn't exist and that we'll try to re-open it
	periodically.

2002-08-24  Guillaume Pelat

	* src/log-common.c (log_container_new):
	* src/pconfig.c (set_pidfile):
	(set_udp_server_addr): check strdup return value.

	* src/udp-server.c (udp_server_new): fix memory leak.

2002-08-21  Guillaume Pelat

	* src/file-server.c (check_modification_time): fixed assert
	problem when two modifications are done in the log file in the
	same second.

2002-08-21  Guillaume Pelat

	* src/file-server.c (logfile_alert):
	* src/regex.c (regex_init): replace strncpy by snprintf.

2002-08-21  Guillaume Pelat

	* src/file-server.c (logfile_alert): fix unterminated string.

	* plugins/simple/simple.c (parse_include): fix unterminated
	string. Close the open file.

	* src/regex.c: coding style fixes.
	(regex_init): fix unterminated strings.

2002-08-20  Yoann Vandoorselaere

	* src/log-common.c (format_syslog_header): return -1 if buf is
	NULL.
	(log_container_new): some of the arguments might be NULL.
	(log_container_delete): ditto.

	* configure.in: require autoconf >= 2.53.

2002-08-16  Yoann Vandoorselaere

	* src/file-server.c (file_server_wake_up): cleanup.
	(logfile_alert): new function.
	(process_logfile): new function.
	(is_file_already_used): check the logfile hard link count, emit an
	alert if we reach 0.
	(check_modification_time): emit an alert if the modification time
	got modified, but the file size didn't increase.

	* src/lml-alert.c (lml_emit_alert): there might be no log entry.

	* plugins/simple/simple.c (emit_alert): coding style fix.

	* src/file-server.c: last_size is off_t, not time_t. New
	last_mtime member.
	(file_server_monitor_file): dup the filename before checking if
	opening the file succeeded, so that reopening inactive files works
	again.

2002-07-30  Yoann Vandoorselaere

	* configure.in: update version number to 0.8.0.
2002-07-29  Yoann Vandoorselaere

	Thanks to DINH Viet Hoa for reporting all these problems:

	* src/include/queue.h: rename queue_t to lml_queue_t to avoid
	namespace conflict.

	* src/file-server.c (read_logfile): clearerr_unlocked is not
	standard. Use clearerr.

	* src/log-common.c: include string.h.

	* src/regex.c (trim):
	* src/log-common.c (format_syslog_header): cast to int when
	calling isalnum and isspace.

2002-07-11  Yoann Vandoorselaere

	* plugins/debug/debug.c (set_debug_state):
	(set_output): fit the latest prelude getopt API change.

2002-06-27  Yoann Vandoorselaere

	* fit latest prelude-getopt API change.

2002-06-26  Yoann Vandoorselaere

	* plugins/simple/simple.c (read_multiline): moved to libprelude,
	common function.
	(parse_ruleset): use prelude_read_multiline().

2002-06-16  Yoann Vandoorselaere

	* plugins/simple/simple.c: included patch from Arnaud Guignard to
	handle the process IDMEF object.

2002-06-14  Yoann Vandoorselaere

	* Makefile.am (install-data-local): use $(DESTDIR) as the top
	prefix for installing stuff.

2002-06-13  Yoann Vandoorselaere

	Patch from Arnaud Guignard:

	* plugins/simple/simple.c (parse_ruleset): fixed a bug when a TAB
	was at the beginning of a line in a multiline rule.

2002-06-10  Yoann Vandoorselaere

	* configure.in: only enable gtkdoc if requested.

	* plugins/simple/ruleset/simple.rules (include): include
	grsecurity.rules.

	* plugins/simple/simple.c (read_multiline): new function, handle
	multiline (line ending with \).
	(parse_ruleset): use read_multiline().
	(parse_ruleset): handle TAB at the beginning of the line.

2002-06-06  Yoann Vandoorselaere

	* src/lml-alert.c (generate_analyzer): generate analyzer. Use
	prelude_analyzer_fill_infos().
	(send_heartbeat_cb): use generate_analyzer().
	(lml_emit_alert): ditto.

	* plugins/simple/ruleset/grsecurity.rules: included GRsecurity
	ruleset, from Brad Spengler. Hand modified it a little to add
	some missing parentheses, and change /d and /w to \d and \w
	respectively.
	* plugins/simple/ruleset/Makefile.am (ruleset_DATA): install
	grsecurity.rules.

2002-06-03  Yoann Vandoorselaere

	* src/lml-alert.c (lml_alert_init): set up analyzer here; register
	heartbeat callback.
	(lml_emit_alert): copy global analyzer.
	(send_heartbeat_cb): new function, send a heartbeat message.

	* src/main.c (main): call lml_alert_init() after pconfig_set,
	because lml_alert_init now calls libprelude functions.

	* src/lml-alert.c (send_heartbeat_cb): new function, send a
	heartbeat.
	(lml_alert_init):

2002-05-31  Yoann Vandoorselaere

	* src/log-common.c (format_syslog_header): format the syslog
	timestamp.
	(format_syslog_header): don't show parsing errors... We parse
	files that don't have the syslog format... We use strptime() in
	order to do that, combined with localtime() to get missing
	information, and mktime() to convert back to a timeval.

2002-05-31  Krzysztof Zaraska

	* plugins/simple/ruleset/ipfw.rules: updated to use new SimpleMod
	capabilities.

2002-05-30  Laurent Oudot

	* plugins/simple/simple.c: remove a debugging printf() in the
	changelog (suggested by yoann).

2002-05-30  Yoann Vandoorselaere

	* src/lml-alert.c (lml_emit_alert): include string.h for
	strlen()... Thanks to Razvan Cosma (razvan.cosma@catv.telemach.ro)
	for pointing this out.

	* plugins/pax/pax.c (pax_log_processing):
	* plugins/debug/debug.c (debug_run):
	* src/lml-alert.c (lml_emit_alert): use
	idmef_additional_data_set_data().

2002-05-30  Laurent Oudot

	* plugins/simple/ruleset/netfilter.rules: upgrade of the rules
	owing to the new simple.c possibilities.

2002-05-30  Laurent Oudot

	* plugins/simple/ruleset/zyxel.rules: upgrade of the rules owing
	to the new simple.c possibilities.

2002-05-27  Yoann Vandoorselaere

	* src/file-server.c (try_reopening_inactive_fd): remove unused
	variable.
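The syslog timestamp handling described in the 2002-05-31 entry (strptime() for the header, localtime() for the fields the header lacks, mktime() to get back to a timeval), as an added example that is not prelude-lml's own log-common.c code: the year-rollover rule, the split_syslog_line() helper and the sample lines are this example's own assumptions.

```python
import datetime
import time

# Syslog header timestamp: month name, day, time. The year is absent,
# which is why strptime() alone cannot produce a usable time.
SYSLOG_TS_FMT = "%b %d %H:%M:%S"


def _with_year(year, parsed):
    """Combine strptime() output with a supplied year.

    Returns None when that date does not exist in that year (a Feb 29
    line read in a non-leap year), so the caller can try another year.
    """
    try:
        return datetime.datetime(year, parsed.tm_mon, parsed.tm_mday,
                                 parsed.tm_hour, parsed.tm_min, parsed.tm_sec)
    except ValueError:
        return None


def parse_syslog_timestamp(header, now=None):
    """Parse a header such as 'Dec  9 14:03:11' into a local datetime.

    strptime() fills only the fields present in the format (tm_year
    stays at its 1900 default); the year is taken from `now`, the
    local time at parse time, which is what localtime() supplies in
    the ChangeLog entry. The rollover rule is this example's own
    assumption: a timestamp that would lie in the future is taken to
    belong to the previous year (a December line processed in January).
    """
    if now is None:
        now = datetime.datetime.now()
    parsed = time.strptime(header, SYSLOG_TS_FMT)
    candidate = _with_year(now.year, parsed)
    if candidate is None or candidate > now:
        candidate = _with_year(now.year - 1, parsed)
    if candidate is None:
        raise ValueError("no plausible year for timestamp %r" % header)
    return candidate


def to_timeval(dt):
    """Seconds since the epoch for a local datetime, via mktime().

    timetuple() sets tm_isdst to -1, so mktime() decides about DST
    itself, as it does when called from C with an unset tm_isdst.
    """
    return time.mktime(dt.timetuple())


def split_syslog_line(line, now=None):
    """Split 'Dec  9 14:03:11 host prog: message' into
    (timestamp, hostname, remainder).

    Returns None instead of raising when the line carries no syslog
    header, mirroring the entry's point that parse errors are not
    reported because monitored files need not use the syslog format.
    """
    header, rest = line[:15], line[16:]      # RFC 3164 header is 15 chars
    try:
        ts = parse_syslog_timestamp(header, now)
    except ValueError:
        return None
    hostname, _, remainder = rest.partition(" ")
    if not hostname:
        return None
    return ts, hostname, remainder


# Constructed sample lines (not taken from the page).
SAMPLE_LINES = [
    "Dec  9 14:03:11 gw kernel: IN=eth0 OUT= MAC= SRC=198.51.100.7",
    "Jan  1 07:59:59 gw sshd[4242]: Accepted publickey for admin",
    "plain text line without a syslog header",
]
```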
2002-05-27  Yoann Vandoorselaere

	Patch from Arnaud Guignard:
	* plugins/simple/simple.c: added patch to handle IDMEF source node category, source node location, source node name, source spoofed, source interface, source service port, source service protocol, source service name, source service portlist, target node address, target node category, target node location, target node name, target decoy, target interface, target service port, target service protocol, target service name, target service portlist.
	(record_source_fields): fix the impossibility to have several source/target node addresses.
	* plugins/simple/ruleset/simple.rules: added definitions for each new IDMEF tag.

2002-05-21  Yoann Vandoorselaere

	* src/pconfig.c (set_file): file_server_monitor_file() now opens the file by itself.
	* src/file-server.c: use a list instead of an array to store monitors. Now we have an active FD list and an inactive FD list.
	(file_server_monitor_file): don't take the file handle as argument anymore, we open the file ourselves. Mark the file as inactive if we can't open it.
	(file_server_wake_up): if st_nlink is 0, then the file doesn't exist on the filesystem anymore, mark as inactive, and try reopening later.
	(try_reopening_inactive_fd): new function, try opening monitors marked as inactive.

2002-05-16  Baptiste Malguy

	* src/*-plugins.c (*_plugins_init): don't return an error if the plugin directory doesn't exist. But do so in case of permission problem.

2002-05-05  Yoann Vandoorselaere

	* src/include/Makefile.am (include_HEADERS): install needed include file.
	* Makefile.am (preludeconfdir): fix make distcheck.

2002-04-30  Yoann Vandoorselaere

	* plugins/simple/simple.c: included patch from Arnaud Guignard to handle IDMEF source node address.

2002-04-29  Yoann Vandoorselaere

	* plugins/simple/ruleset/netfilter.rules: MAC content can be empty.

2002-04-28  Laurent Oudot

	* plugins/simple/ruleset/netfilter.rules: new file. Rules for netfilter firewall on Linux 2.4.x boxes.
	* plugins/simple/ruleset/Makefile.am: added netfilter.rules
	* plugins/simple/ruleset/zyxel.rules and cisco.rules: added comments.

2002-04-27  Krzysztof Zaraska

	* plugins/simple/ruleset/ipfw.rules: fixes, cleanup, ICMP support.
	* plugins/simple/ruleset/Makefile.am: added ipfw.rules

2002-04-27  Yoann Vandoorselaere

	* configure.in: use AM_PROG_LIBTOOL, for older libtool/automake installations.
	* src/file-server.c (read_logfile): return the number of bytes read.
	(file_server_wake_up): if we get EOF without reading all the newly available bytes, remember how many bytes are left to be read, and retry even though st_size isn't modified.
	* src/log-plugins.c (subscribe):
	(unsubscribe): be more verbose - not only debug.
	* src/file-server.c (file_server_monitor_file):
	(file_server_wake_up): use st_size, not st_mtime. Also include libprelude/timer.h

2002-04-27  Krzysztof Zaraska

	* file-server.c: (read_logfile): use clearerr_unlocked() after hitting EOF on observed file. Fixes problem on FreeBSD.

2002-04-27  Krzysztof Zaraska

	* plugins/simple/ruleset/ipfw.rules: new file. Rules for ipfw firewall on FreeBSD.
	* plugins/simple/ruleset/simple.rules: include ipfw.rules

2002-04-27  Yoann Vandoorselaere

	* src/log-plugins.c (subscribe):
	(unsubscribe): be more verbose about subscribed plugins.
	* src/file-server.c: include timer.h.
	* plugins/simple/simple.c: (parse_ruleset): make rulesnum global, this is because of the way we parse include.
	(filter_string): fix off by one error resulting in trailing whitespace not being removed.
	(set_simple_ruleset): move the printf telling the number of rules loaded here, so that we don't get a duplicate printf() for each included file.

2002-04-27  Laurent Oudot

	* plugins/simple/ruleset/simple.rules: Added include directive for specific rules in cisco.rules and zyxel.rules. The include directive is very cool because it will help at maintaining the rules (if you don't need for example zyxel rules, you can put a simple # character before the include directive).
	* plugins/simple/ruleset/cisco.rules: New file dedicated to cisco rules.
	* plugins/simple/ruleset/zyxel.rules: New file dedicated to zyxel rules.

2002-04-27  Yoann Vandoorselaere

	* src/file-server.c (file_server_monitor_file): use calloc() to allocate the monitor_fd_t object. This fixes a possible uninitialized read.
	* plugins/simple/simple.c (parse_include): return -2 on success.
	(parse_rule): -1 means error, other values < 0 just mean to stop the processing for this line.

2002-04-27  Laurent Oudot

	* plugins/simple/ruleset/simple.rules: Added ZyXEL routers and firewalls support. It will help at dealing with ZyXEL network equipment used with security filtering features.

2002-04-26  Laurent Oudot

	* plugins/simple/ruleset/simple.rules: Added a contrib from Arnaud Guignard (plugin regex rules) and me (for the cisco part) that aims at dealing with cisco security router alerts. It's just a beginning that will be improved in the future.

2002-04-26  Yoann Vandoorselaere

	* plugins/simple/simple.c (parse_ruleset): strip out \n.
	(parse_rule): handle include rule.
	(parse_include): new function, parse include rule. If the path is not absolute, then we append the current rulesetdir to this filename.

2002-04-25  Yoann Vandoorselaere

	* src/log-common.c (format_syslog_header): revert 2002-04-24, which was not needed (sscanf doesn't need precision).

2002-04-24  Yoann Vandoorselaere

	* src/log-common.c (format_syslog_header): In order for the printf() family functions to put a limit on the length of a copied string, a precision has to be given (%255s is not valid, %.255s is).

2002-04-12  Yoann Vandoorselaere

	* src/file-server.c (read_logfile):
	(file_server_wake_up): stop using fgets to read the logfile: we now use getc_unlocked, and handle fine the case where:
	- the buffer is too small.
	- we meet EOF before meeting EOL.
	which avoids us being desynchronized. The read buffer is now per file monitor.
2002-04-08  Yoann Vandoorselaere

	* plugins/simple/simple.c: try to do time consuming stuff at initialisation time.
	* src/regex.c: instead of searching at runtime for the plugin to use (using string comparison), resolve plugin dependency at initialisation time, and store a pointer to the plugin that needs to be run for a given regex.
	(regex_exec): the callback now takes the plugin as argument.
	(regex_init): call regex_create_entry instead of doing everything ourselves.
	(regex_create_entry): new function.
	* src/log-plugins.c: we do not use hashkey anymore.
	(log_plugin_run): take the plugin to run as argument. It's now up to the caller to know which plugin to run.
	* src/hashkey.c: removed.
	* Makefile.am (install-data-local): Only install the default configuration file if it does not exist... If a configuration file is already present, warn the user and install in prelude-lml.conf-dist.

2002-04-05  Krzysztof Zaraska

	* src/lml-alert.c: include and (FreeBSD compat. fix)

2002-04-04  Yoann Vandoorselaere

	* src/file-server.c (file_server_wake_up): use buffered IO.
	* plugins/simple/simple.c: (store_runtime_variable): new function, keep pointer to string that uses backward reference.
	(simple_run): call resolve_variable and free_variable_allocated_data().
	(free_variable_allocated_data): new function.
	(resolve_variable): new function. Use backward reference associated with the matched regex to resolve variable.
	(replace_str): replace a given variable in a string.
	The Simple plugin now supports backward references in IDMEF field settings. This means you can have dynamic text in IDMEF fields.

2002-04-03  Yoann Vandoorselaere

	* plugins/simple/simple.c (filter_string): use strchr, not strrchr, to search key - value delimiter.
	* src/udp-server.c (udp_server_standalone): save the set and restore it when select() returns.

2002-04-02  Yoann Vandoorselaere

	* src/log-common.c (format_syslog_header): new function, parse the syslog header.
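Added illustration of the 2002-04-04 entry above (the Simple plugin's backward references in IDMEF fields) and of the 2002-04-08 point that the regex should be compiled once at initialisation. This is my own code, not simple.c: a POSIX regex match whose capture groups are substituted for $N in a field template. resolve_variable and match_and_fill are names I chose to echo the entry; the rule and log line are constructed.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REF 10   /* $0 .. $9 */

/* Expand tmpl into out, replacing $N with capture N of the match pm[]
 * against subject ("$$" yields a literal '$').  Returns 0, or -1 on
 * overflow or when $N names a group the regex has no capture for: an
 * unresolved reference is an error, not an empty string, so a broken rule
 * cannot silently emit half-filled IDMEF fields.  Captured text is copied
 * verbatim, so it is attacker-controlled log content to the consumer. */
int resolve_variable(const char *tmpl, const char *subject,
                     const regmatch_t *pm, size_t nmatch,
                     char *out, size_t outlen)
{
    size_t o = 0;
    const char *t;

    for (t = tmpl; *t; t++) {
        if (*t == '$' && t[1] >= '0' && t[1] <= '9') {
            unsigned n = (unsigned) (t[1] - '0');
            size_t len;
            if (n >= nmatch || pm[n].rm_so < 0)
                return -1;
            len = (size_t) (pm[n].rm_eo - pm[n].rm_so);
            if (o + len >= outlen)
                return -1;
            memcpy(out + o, subject + pm[n].rm_so, len);
            o += len;
            t++;                           /* skip the digit */
            continue;
        }
        if (*t == '$' && t[1] == '$')
            t++;
        if (o + 1 >= outlen)
            return -1;
        out[o++] = *t;
    }
    out[o] = '\0';
    return 0;
}

/* Compile the rule, match one line, expand one field template.
 * Returns 1 on match, 0 on no match, -1 on a bad pattern or template.
 * A real plugin keeps the compiled regex_t from init time instead of
 * recompiling per line; it is done here so the function is self-contained. */
int match_and_fill(const char *pattern, const char *line,
                   const char *field_tmpl, char *out, size_t outlen)
{
    regex_t re;
    regmatch_t pm[MAX_REF];
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    if (regexec(&re, line, MAX_REF, pm, 0) == 0)
        rc = resolve_variable(field_tmpl, line, pm, MAX_REF, out, outlen) == 0 ? 1 : -1;
    else
        rc = 0;
    regfree(&re);
    return rc;
}

int main(void)
{
    char out[128];
    /* Constructed rule and log line, not taken from the project's rulesets. */
    int rc = match_and_fill("Failed password for ([^ ]+) from ([0-9.]+)",
                            "sshd[42]: Failed password for root from 10.0.0.1 port 2222",
                            "user=$1 source=$2", out, sizeof(out));
    if (rc == 1)
        printf("%s\n", out);
    return rc == 1 ? 0 : 1;
}
```

Two things worth checking in any such resolver: a template that references a group the regex never captured must fail loudly rather than produce an empty field, and the output buffer must be bounded, since the captured text comes straight from the log writer.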
	* src/lml-alert.c (generate_target): new function, take care of including target_program and target_hostname in the IDMEF alert.
	(lml_emit_alert): call generate_target().
	* src/file-server.c (file_server_wake_up): set backslash 0 at the end of the buffer.
	* src/pconfig.c (set_file): now that we do not rely on server logic to add file monitors, we can add monitors from the option callback.
	* src/udp-server.c: make the size of our buffer compliant with what is specified in RFC 3164 (1024 bytes max per syslog message).
	* plugins.rules.in: comment out the Debug plugin entry by default.

2002-03-29  Yoann Vandoorselaere

	* src/file-server.c (file_server_monitor_file): set current mtime.
	* plugins/simple/simple.c (parse_impact_desc): new function, parse impact description.
	(parse_rule): Handle impact description.
	(simple_run): detail debugging output a little more.
	* plugins/simple/ruleset/simple.rules: some more rules, and some documentation.
	* src/main.c (lml_dispatch_log): new public function that should be called when we have a new log line. This function handles both the case when we're threaded (UDP + file monitor), and when there is no thread (file monitor only).
	* src/udp-server.c (udp_server_standalone): select with a timeout of one second. Call file_server_wake_up every second.
	* src/file-server.c: stop using server-logic.c. We now have an array of FDs to monitor. In order to do so, we check the FDs' modification time and read data if available, then we go to sleep (as tail does).
	(file_server_wake_up): to be called by a working thread instead of file_server_standalone() (for example if we also have an UDP server).
	(file_server_standalone): new function for starting the file monitor.
	* src/server-logic.c: Because there is no way to tell read() / select() to block on EOF for a regular file, server-logic.c isn't an adapted solution. Removed.
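The 2002-04-12 and 2002-03-29 entries above describe how the file monitor reads a log: wake up, read what is available with getc_unlocked(), keep a partial line when EOF comes before EOL, and go back to sleep as tail does. As an added example, not the project's file-server.c, here is a per-monitor reader that does this, including growing its buffer when a line is longer than it and clearing the sticky EOF so the next wake-up continues from the same offset. monitor_fd_t, read_logfile, feed and collect are my own names, and the log content is constructed.

```c
#define _POSIX_C_SOURCE 200809L     /* flockfile(), getc_unlocked() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*line_cb_t)(const char *line, void *data);

/* One monitored file: its own read buffer and the partial line it holds. */
typedef struct {
    FILE   *fd;
    long    pos;     /* offset the next read resumes from */
    char   *buf;
    size_t  cap;
    size_t  len;     /* bytes of an unterminated line kept from the last call */
} monitor_fd_t;

int monitor_init(monitor_fd_t *m, FILE *fd, size_t initial_cap)
{
    m->fd  = fd;
    m->pos = 0;
    m->len = 0;
    m->cap = initial_cap ? initial_cap : 1;
    m->buf = malloc(m->cap);
    return m->buf ? 0 : -1;
}

/* Deliver every complete line readable now.  A trailing line with no
 * newline yet stays in m->buf rather than being passed on, so the rest of
 * it arriving later cannot be mistaken for a new line.  Returns the number
 * of lines delivered, or -1 on a seek or allocation failure. */
int read_logfile(monitor_fd_t *m, line_cb_t cb, void *data)
{
    int c, lines = 0;

    if (fseek(m->fd, m->pos, SEEK_SET) != 0)
        return -1;
    flockfile(m->fd);
    while ((c = getc_unlocked(m->fd)) != EOF) {
        if (c == '\n') {
            m->buf[m->len] = '\0';       /* always NUL-terminate before use */
            cb(m->buf, data);
            lines++;
            m->len = 0;
            continue;
        }
        /* Buffer too small for this line: grow it.  fgets() into a fixed
         * buffer would instead hand the line over in pieces. */
        if (m->len + 2 > m->cap) {
            char *n = realloc(m->buf, m->cap * 2);
            if (n == NULL) {
                funlockfile(m->fd);
                return -1;
            }
            m->buf = n;
            m->cap *= 2;
        }
        m->buf[m->len++] = (char) c;
    }
    funlockfile(m->fd);
    clearerr(m->fd);                     /* EOF is sticky on a regular file */
    m->pos = ftell(m->fd);
    return lines;
}

/* Append to the monitored stream; stands in for the daemon writing the log
 * between two wake-ups. */
int feed(monitor_fd_t *m, const char *s)
{
    if (fseek(m->fd, 0, SEEK_END) != 0)
        return -1;
    return (fputs(s, m->fd) >= 0 && fflush(m->fd) == 0) ? 0 : -1;
}

/* Collector used by main() and by tests: keeps the delivered lines. */
typedef struct { char lines[8][64]; int n; } collector_t;

void collect(const char *line, void *data)
{
    collector_t *c = data;
    if (c->n < 8)
        snprintf(c->lines[c->n++], sizeof(c->lines[0]), "%s", line);
}

int main(void)
{
    monitor_fd_t m;
    collector_t c;
    FILE *fp = tmpfile();                /* constructed log, not a real one */

    memset(&c, 0, sizeof(c));
    if (fp == NULL || monitor_init(&m, fp, 8) != 0)
        return 1;
    feed(&m, "short\na line much longer than eight bytes\npart");
    printf("first wake-up: %d line(s)\n", read_logfile(&m, collect, &c));
    feed(&m, "ial\n");
    printf("second wake-up: %d line(s), last=%s\n",
           read_logfile(&m, collect, &c), c.lines[c.n - 1]);
    free(m.buf);
    fclose(fp);
    return 0;
}
```

What this does not cover is the 2002-05-21 case of the file disappearing under the monitor (st_nlink reaching 0 after rotation); that needs an fstat() between wake-ups and a reopen path, which is separate from the line-assembly problem shown here. Growing the buffer without a ceiling is also a choice to revisit in a daemon that reads untrusted files.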
2002-03-29  Yoann Vandoorselaere

	* src/server-logic.c (server_logic_process_requests):
	(child_reader): don't accept connections before the thread installs the signal handler for SIGUSR1.
	* prelude-lml.conf.in (file): now that we are able to have the same entry with different values several times in the config file (libprelude), add new files to monitor.

2002-03-28  Krzysztof Zaraska

	* plugins/simple/simple.c: include and (needed for libprelude/* on FreeBSD)

2002-03-28  Yoann Vandoorselaere

	* src/lml-alert.c (lml_emit_alert): fill in more information... Still much work to do.
	* src/file-server.c (read_file): remove debugging printf().
	* src/udp-server.c (udp_server_standalone): use a bigger buffer. We don't want to rely on ethernet stuff.
	* plugins/pax/pax.c (pax_log_processing):
	* plugins/simple/simple.c (emit_alert): use lml_emit_alert().
	* src/lml-alert.c: new file providing facility for alert emission. Every plugin should use these functions.
	* plugins/simple/simple.c: This is the start of the Simple plugin. This plugin has a ruleset, composed of regexes, and of information to fill in the alert if the regex matches.

2002-03-28  Krzysztof Zaraska

	* plugins/debug/debug.c: revert to including instead of for compatibility with FreeBSD 4.x and conformance with other Prelude modules.

2002-03-27  Yoann Vandoorselaere

	* src/hashkey.c (hash_position): cast to unsigned int, lot of cleanup.
	* src/file-server.c (file_server_monitor_file): take an already open FD as argument (so that we don't require root access here).
	* src/udp-server.c (udp_server_start): reader and queue are passed to udp_server_start, not udp_server_new.
	* src/pconfig.c (pconfig_set): new -u (--user) option. Prelude LML can now run as a simple user.
	* src/udp-server.c (udp_server_new): resolve the provided address if any. Else use INADDR_ANY.
	* src/pconfig.c (pconfig_set): add configuration hooks for enabling the UDP server, setting server address, setting server port.
	* src/main.c (sig_handler): only call udp_server_close if an UDP server is active.
	(main): only start the UDP server if the user wants it.
	* prelude-lml.conf.in: Update default configuration file.

2002-03-26  Yoann Vandoorselaere

	* src/regex.c:
	* src/main.c: more cleanup, performance fix.
	* src/regex.c (regex_destroy): use list_for_each_safe
	* src/file-server.c: monitor local files.
	* src/server-logic.c: used by file-server implementation.
	* src/pconfig.c: (pconfig_set): add the --file option.
	* src/main.c:
	* src/queue.c:
	* src/udp-server.c:
	* src/log-plugins.c: coding style fix.

2002-03-22  Krzysztof Zaraska

	* plugins/pax/pax.c: include and for compatibility with *BSD systems

2002-03-22  Yoann Vandoorselaere

	* AUTHORS: Pierre-Jean Turpeau, not me :-)
	* src/Makefile.am (DEFS): local include before anything else.