/*
* Copyright (C) 2007-2013 Sourcefire, Inc.
*
* Authors: Selim Menouar, Verene Houdebine
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA.
*/
#include "shared/misc.h"
#include "shared/output.h"
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#ifndef PRELUDE
void prelude_logging(const char *filename, const char *virname, const char *virhash, int virsize){
logg("You have to compile with libprelude using ./configure --enable-prelude\n");
}
#else
#include <libprelude/prelude.h>
#define ANALYZER_MODEL "ClamAV"
#define ANALYZER_CLASS "AntiVirus"
#define ANALYZER_MANUFACTURER "http://www.sourcefire.com"
static prelude_client_t *prelude_client;
int idmef_analyzer_setup(idmef_analyzer_t *analyzer, const char *analyzer_name){
int ret;
prelude_string_t *str;
/* alert->analyzer->name */
ret = idmef_analyzer_new_name(analyzer, &str);
if ( ret < 0 )
return ret;
prelude_string_set_constant(str, analyzer_name);
/* alert->analyzer->model */
ret = idmef_analyzer_new_model(analyzer, &str);
if ( ret < 0 )
return ret;
prelude_string_set_constant(str, ANALYZER_MODEL );
/* alert->analyzer->class */
ret = idmef_analyzer_new_class(analyzer, &str);
if ( ret < 0 )
return ret;
prelude_string_set_constant(str, ANALYZER_CLASS);
/* alert->analyzer->manufacturer */
ret = idmef_analyzer_new_manufacturer(analyzer, &str);
if ( ret < 0 )
return ret;
prelude_string_set_constant(str, ANALYZER_MANUFACTURER);
/* alert->analyzer->version */
ret = idmef_analyzer_new_version(analyzer, &str);
if ( ret < 0 )
return ret;
prelude_string_set_constant(str, get_version());
return 0;
}
int prelude_initialize_client(const char *analyzer_name){
int ret;
prelude_client = NULL;
ret = prelude_init(0, NULL);
if ( ret < 0 ) {
logg("Unable to initialize the prelude library : %s", prelude_strerror(ret));
return -1;
}
ret = prelude_client_new(&prelude_client, analyzer_name);
if ( ret < 0 ) {
logg("Unable to create a prelude client object : %s", prelude_strerror(ret));
return -1;
}
ret = idmef_analyzer_setup(prelude_client_get_analyzer(prelude_client), analyzer_name);
if ( ret < 0 ) {
logg("%s", prelude_strerror(ret));
return -1;
}
ret = prelude_client_start(prelude_client);
if ( ret < 0 || ! prelude_client ) {
logg("Unable to start prelude client : %s", prelude_strerror(ret));
prelude_client_destroy(prelude_client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
return -1;
}
ret = prelude_client_set_flags(prelude_client, PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER);
if ( ret < 0) {
logg("Unable to send asynchronous send and timer : %s", prelude_strerror(ret));
prelude_client_destroy(prelude_client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
return -1;
}
return 0;
}
int add_string_additional_data(idmef_alert_t *alert, const char *meaning, const char *ptr){
int ret;
prelude_string_t *str;
idmef_additional_data_t *ad;
idmef_data_t *data;
ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
idmef_additional_data_set_type(ad, IDMEF_ADDITIONAL_DATA_TYPE_STRING);
idmef_additional_data_new_data(ad, &data);
ret = idmef_data_set_char_string_ref(data, ptr);
if ( ret < 0)
return ret;
ret = idmef_additional_data_new_meaning(ad, &str);
if ( ret < 0)
return ret;
ret = prelude_string_set_ref(str, meaning);
if ( ret < 0 )
return ret;
return 0;
}
int add_int_additional_data(idmef_alert_t *alert, const char *meaning, int data){
int ret;
prelude_string_t *str;
idmef_additional_data_t *ad;
ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
idmef_additional_data_set_integer(ad, data);
ret = idmef_additional_data_new_meaning(ad, &str);
if ( ret < 0)
return ret;
ret = prelude_string_set_ref(str, meaning);
if ( ret < 0 )
return ret;
return 0;
}
void prelude_logging(const char *filename, const char *virname, const char *virhash, int virsize){
int ret;
idmef_message_t *idmef = NULL;
idmef_alert_t *alert;
idmef_classification_t *class;
prelude_string_t *str;
idmef_target_t *target;
idmef_file_t *file;
ret = idmef_message_new(&idmef);
if ( ret < 0 )
goto err;
ret = idmef_message_new_alert(idmef, &alert);
if ( ret < 0 )
goto err;
ret = idmef_alert_new_classification(alert, &class);
if ( ret < 0 )
goto err;
ret = idmef_classification_new_text(class, &str);
if ( ret < 0 )
goto err;
prelude_string_set_constant(str, "Virus Found");
ret = idmef_alert_new_target(alert, &target, 0);
if ( ret < 0 )
goto err;
ret = idmef_target_new_file(target, &file, 0);
if ( ret < 0 )
goto err;
ret = idmef_file_new_path(file, &str);
if ( ret < 0 )
goto err;
prelude_string_set_ref(str, filename);
if ( virname != NULL ) {
ret = add_string_additional_data(alert, "virname", virname);
if ( ret < 0 )
goto err;
}
if ( virhash != NULL){
ret = add_string_additional_data(alert, "virhash", virhash);
if ( ret < 0 )
goto err;
}
ret = add_int_additional_data(alert, "virsize", virsize);
if ( ret < 0 )
goto err;
logg("le client : %s", prelude_client_get_config_filename(prelude_client));
prelude_client_send_idmef(prelude_client, idmef);
idmef_message_destroy(idmef);
return;
err:
if (idmef != NULL)
idmef_message_destroy(idmef);
logg("%s error: %s", prelude_strsource(ret), prelude_strerror(ret));
return;
}
#endif