1 /* Copyright (C) 2015 Trend Micro Inc.
2 * All rights reserved.
3 *
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
7 * Foundation.
8 */
9
10 #include "to_json.h"
11 #include "json_extended.h"
12 #include "shared.h"
13 #include "rules.h"
14 #include "cJSON.h"
15 #include "config.h"
16 #include <sys/resource.h>
17
18
19
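/*
 * Add "key": value to obj only when value is non-NULL. cJSON duplicates the
 * string, so the caller keeps ownership of value.
 */
static void ev_add_string(cJSON *obj, const char *key, const char *value)
{
    if (value) {
        cJSON_AddStringToObject(obj, key, value);
    }
}

/*
 * Add "key": value to obj only when value is non-zero, preserving the
 * "emit only fields that are set" convention used for every numeric member.
 */
static void ev_add_number(cJSON *obj, const char *key, double value)
{
    if (value != 0) {
        cJSON_AddNumberToObject(obj, key, value);
    }
}

/*
 * Report a before/after string pair only when both values are present and
 * differ; an unchanged attribute carries no information for a file diff.
 */
static void ev_add_changed_pair(cJSON *obj,
                                const char *key_before, const char *before,
                                const char *key_after, const char *after)
{
    if (before && after && strcmp(before, after) != 0) {
        cJSON_AddStringToObject(obj, key_before, before);
        cJSON_AddStringToObject(obj, key_after, after);
    }
}

/*
 * Emit "id" ("<epoch>.<offset>") and "TimeStamp" (milliseconds) when the
 * event carries a time. No-op otherwise.
 */
static void ev_add_timestamp(cJSON *root, const Eventinfo *lf)
{
    /* NOTE(review): defined elsewhere; presumably the alerts-log offset that makes the id unique — confirm */
    extern long int __crt_ftell;
    /* Two decimal longs and a dot: 10 + 1 + 10 digits plus NUL fit in 23 bytes. */
    char alert_id[23] = "";
    double timestamp_ms;
    int n;

    if (!lf->time) {
        return;
    }

    timestamp_ms = ((double)lf->time) * 1000;

    /* Use the full buffer (the old code passed 22 for a 23-byte array) and
     * treat truncation as an error too, so a clipped id never passes silently. */
    n = snprintf(alert_id, sizeof alert_id, "%ld.%ld", (long int)lf->time, __crt_ftell);
    if (n < 0 || (size_t)n >= sizeof alert_id) {
        merror("snprintf failed");
    }

    cJSON_AddStringToObject(root, "id", alert_id);
    cJSON_AddNumberToObject(root, "TimeStamp", timestamp_ms);
}

/* Populate the "rule" object from lf->generated_rule; no-op when no rule matched. */
static void ev_add_rule(cJSON *rule, const Eventinfo *lf)
{
    if (!lf->generated_rule) {
        return;
    }
    ev_add_number(rule, "level", lf->generated_rule->level);
    ev_add_string(rule, "comment", lf->generated_rule->comment);
    /* Key is spelled "sidid" upstream; consumers depend on it, so it is kept verbatim. */
    ev_add_number(rule, "sidid", lf->generated_rule->sigid);
    ev_add_string(rule, "cve", lf->generated_rule->cve);
    ev_add_string(rule, "info", lf->generated_rule->info);
    ev_add_number(rule, "frequency", lf->generated_rule->frequency);
    ev_add_number(rule, "firedtimes", lf->generated_rule->firedtimes);
}

/*
 * Attach a "SyscheckFile" object describing a file-integrity event: the path
 * plus every before/after attribute that actually changed.
 */
static void ev_add_syscheck_diff(cJSON *root, const Eventinfo *lf)
{
    cJSON *file_diff;

    if (!lf->filename) {
        return;
    }

    file_diff = cJSON_CreateObject();
    if (!file_diff) {
        return;
    }
    cJSON_AddItemToObject(root, "SyscheckFile", file_diff);
    cJSON_AddStringToObject(file_diff, "path", lf->filename);

    ev_add_changed_pair(file_diff, "md5_before", lf->md5_before, "md5_after", lf->md5_after);
    ev_add_changed_pair(file_diff, "sha1_before", lf->sha1_before, "sha1_after", lf->sha1_after);
    ev_add_changed_pair(file_diff, "owner_before", lf->owner_before, "owner_after", lf->owner_after);
    ev_add_changed_pair(file_diff, "gowner_before", lf->gowner_before, "gowner_after", lf->gowner_after);

    /* Permissions are numeric: compare by value, and only when both are set. */
    if (lf->perm_before && lf->perm_after && lf->perm_before != lf->perm_after) {
        cJSON_AddNumberToObject(file_diff, "perm_before", lf->perm_before);
        cJSON_AddNumberToObject(file_diff, "perm_after", lf->perm_after);
    }
}

/*
 * Emit decoder-derived members: the dynamic field key/value pairs at the root,
 * then a "decoder_desc" object with the static decoder attributes.
 */
static void ev_add_decoder(cJSON *root, const Eventinfo *lf)
{
    cJSON *decoder;
    int i;

    if (!lf->decoder_info) {
        return;
    }

    if (lf->decoder_info->fields) {
        /* Key names come from the decoder definition, values from the event;
         * both arrays are assumed to have Config.decoder_order_size entries. */
        for (i = 0; i < Config.decoder_order_size; i++) {
            if (lf->decoder_info->fields[i] && lf->fields[i]) {
                cJSON_AddStringToObject(root, lf->decoder_info->fields[i], lf->fields[i]);
            }
        }
    }

    decoder = cJSON_CreateObject();
    if (!decoder) {
        return;
    }
    cJSON_AddItemToObject(root, "decoder_desc", decoder);

    ev_add_number(decoder, "fts", lf->decoder_info->fts);
    ev_add_number(decoder, "accumulate", lf->decoder_info->accumulate);
    ev_add_string(decoder, "parent", lf->decoder_info->parent);
    ev_add_string(decoder, "name", lf->decoder_info->name);
    ev_add_string(decoder, "ftscomment", lf->decoder_info->ftscomment);
}

/*
 * Convert an alert (Eventinfo) to a compact JSON string.
 *
 * @param lf  the event to serialise; must be non-NULL.
 * @return a heap-allocated string the caller must free(), or NULL when the
 *         cJSON root/rule objects cannot be allocated or printing fails.
 *
 * Only fields that are set on lf are emitted. The "rule" object is always
 * present, even when empty, so the document shape stays stable for consumers.
 * Member order is unchanged from the previous implementation.
 *
 * Fixes: lf->decoder_info and lf->generated_rule are now checked before being
 * dereferenced for "decoder"/"decoder_parent" and "previous_output"; both were
 * read unconditionally even though later code treats them as optional.
 */
char *Eventinfo_to_jsonstr(const Eventinfo *lf)
{
    cJSON *root;
    cJSON *rule;
    char *out;

    root = cJSON_CreateObject();
    if (!root) {
        return NULL;
    }
    rule = cJSON_CreateObject();
    if (!rule) {
        cJSON_Delete(root);
        return NULL;
    }
    cJSON_AddItemToObject(root, "rule", rule);

    ev_add_timestamp(root, lf);
    ev_add_rule(rule, lf);

    if (lf->decoder_info) {
        ev_add_string(root, "decoder", lf->decoder_info->name);
        ev_add_string(root, "decoder_parent", lf->decoder_info->parent);
    }

    ev_add_string(root, "action", lf->action);
    ev_add_string(root, "protocol", lf->protocol);
    ev_add_string(root, "srcip", lf->srcip);
#ifdef LIBGEOIP_ENABLED
    if (Config.geoip_jsonout) {
        ev_add_string(root, "srcgeoip", lf->srcgeoip);
    }
#endif
    ev_add_string(root, "srcport", lf->srcport);
    ev_add_string(root, "srcuser", lf->srcuser);
    ev_add_string(root, "dstip", lf->dstip);
#ifdef LIBGEOIP_ENABLED
    if (Config.geoip_jsonout) {
        ev_add_string(root, "dstgeoip", lf->dstgeoip);
    }
#endif
    ev_add_string(root, "dstport", lf->dstport);
    ev_add_string(root, "dstuser", lf->dstuser);
    ev_add_string(root, "location", lf->location);
    ev_add_string(root, "full_log", lf->full_log);

    /* last_events[1] holds the previous matching event's output, if any. */
    if (lf->generated_rule && lf->generated_rule->last_events &&
        lf->generated_rule->last_events[1] && lf->generated_rule->last_events[1][0]) {
        cJSON_AddStringToObject(root, "previous_output", lf->generated_rule->last_events[1]);
    }

    ev_add_syscheck_diff(root, lf);

    ev_add_string(root, "hostname", lf->hostname);
    ev_add_string(root, "program_name", lf->program_name);
    ev_add_string(root, "status", lf->status);
    ev_add_string(root, "command", lf->command);
    ev_add_string(root, "url", lf->url);
    ev_add_string(root, "data", lf->data);
    ev_add_string(root, "systemname", lf->systemname);

    ev_add_decoder(root, lf);

    /* Extended/derived members (groups, timestamps, ...) live in json_extended. */
    W_ParseJSON(root, lf);

    out = cJSON_PrintUnformatted(root);
    cJSON_Delete(root);
    return out;
}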
212
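/*
 * Convert an archived event (Eventinfo) to a compact JSON string.
 *
 * @param lf  the event to serialise; must be non-NULL.
 * @return a heap-allocated string the caller must free(), or NULL when the
 *         root object cannot be allocated or printing fails.
 *
 * Only fields that are set on lf are emitted. Unlike Eventinfo_to_jsonstr,
 * file-integrity attributes are placed directly on the root object and the
 * "rule" object is added only when a rule matched. Member order is unchanged.
 *
 * Fix: the sha1/owner/gowner before/after pairs were emitted only when the two
 * values were EQUAL (`!(strcmp(...) != 0)`), the opposite of the md5 check in
 * this function and of Eventinfo_to_jsonstr; they now report actual changes.
 */
char *Archiveinfo_to_jsonstr(const Eventinfo *lf)
{
    cJSON *root;
    char *out;
    int i;

    root = cJSON_CreateObject();
    if (!root) {
        return NULL;
    }

    if (lf->program_name) {
        cJSON_AddStringToObject(root, "program_name", lf->program_name);
    }
    if (lf->log) {
        cJSON_AddStringToObject(root, "log", lf->log);
    }
    if (lf->srcip) {
        cJSON_AddStringToObject(root, "srcip", lf->srcip);
    }
    if (lf->dstip) {
        cJSON_AddStringToObject(root, "dstip", lf->dstip);
    }
    if (lf->srcport) {
        cJSON_AddStringToObject(root, "srcport", lf->srcport);
    }
    if (lf->dstport) {
        cJSON_AddStringToObject(root, "dstport", lf->dstport);
    }
    if (lf->protocol) {
        cJSON_AddStringToObject(root, "protocol", lf->protocol);
    }
    if (lf->action) {
        cJSON_AddStringToObject(root, "action", lf->action);
    }
    if (lf->srcuser) {
        cJSON_AddStringToObject(root, "srcuser", lf->srcuser);
    }
    if (lf->dstuser) {
        cJSON_AddStringToObject(root, "dstuser", lf->dstuser);
    }
    if (lf->id) {
        cJSON_AddStringToObject(root, "id", lf->id);
    }
    if (lf->status) {
        cJSON_AddStringToObject(root, "status", lf->status);
    }
    if (lf->command) {
        cJSON_AddStringToObject(root, "command", lf->command);
    }
    if (lf->url) {
        cJSON_AddStringToObject(root, "url", lf->url);
    }
    if (lf->data) {
        cJSON_AddStringToObject(root, "data", lf->data);
    }
    if (lf->systemname) {
        cJSON_AddStringToObject(root, "systemname", lf->systemname);
    }

    /* File-integrity (syscheck) attributes: each before/after pair is reported
     * only when both values are present and differ. */
    if (lf->filename) {
        cJSON_AddStringToObject(root, "filename", lf->filename);

        if (lf->md5_before && lf->md5_after && strcmp(lf->md5_before, lf->md5_after) != 0) {
            cJSON_AddStringToObject(root, "md5_before", lf->md5_before);
            cJSON_AddStringToObject(root, "md5_after", lf->md5_after);
        }
        if (lf->sha1_before && lf->sha1_after && strcmp(lf->sha1_before, lf->sha1_after) != 0) {
            cJSON_AddStringToObject(root, "sha1_before", lf->sha1_before);
            cJSON_AddStringToObject(root, "sha1_after", lf->sha1_after);
        }
        if (lf->owner_before && lf->owner_after && strcmp(lf->owner_before, lf->owner_after) != 0) {
            cJSON_AddStringToObject(root, "owner_before", lf->owner_before);
            cJSON_AddStringToObject(root, "owner_after", lf->owner_after);
        }
        if (lf->gowner_before && lf->gowner_after && strcmp(lf->gowner_before, lf->gowner_after) != 0) {
            cJSON_AddStringToObject(root, "gowner_before", lf->gowner_before);
            cJSON_AddStringToObject(root, "gowner_after", lf->gowner_after);
        }
        /* Permissions are numeric: compare by value. */
        if (lf->perm_before && lf->perm_after && lf->perm_before != lf->perm_after) {
            cJSON_AddNumberToObject(root, "perm_before", lf->perm_before);
            cJSON_AddNumberToObject(root, "perm_after", lf->perm_after);
        }
    }

    // RuleInfo
    if (lf->generated_rule) {
        cJSON *rule = cJSON_CreateObject();

        /* A failed allocation skips only the "rule" object; the group and
         * rootcheck members below are written to root and still apply. */
        if (rule) {
            cJSON_AddItemToObject(root, "rule", rule);

            if (lf->generated_rule->level) {
                cJSON_AddNumberToObject(rule, "level", lf->generated_rule->level);
            }
            if (lf->generated_rule->comment) {
                cJSON_AddStringToObject(rule, "comment", lf->generated_rule->comment);
            }
            /* Key is spelled "sidid" upstream; consumers depend on it. */
            if (lf->generated_rule->sigid) {
                cJSON_AddNumberToObject(rule, "sidid", lf->generated_rule->sigid);
            }
            if (lf->generated_rule->cve) {
                cJSON_AddStringToObject(rule, "cve", lf->generated_rule->cve);
            }
            if (lf->generated_rule->info) {
                cJSON_AddStringToObject(rule, "info", lf->generated_rule->info);
            }
            if (lf->generated_rule->frequency) {
                cJSON_AddNumberToObject(rule, "frequency", lf->generated_rule->frequency);
            }
            if (lf->generated_rule->firedtimes) {
                cJSON_AddNumberToObject(rule, "firedtimes", lf->generated_rule->firedtimes);
            }
        }

        if (lf->generated_rule->group) {
            W_JSON_ParseGroups(root, lf, 1);
        }
        if (lf->full_log && W_isRootcheck(root, 1)) {
            W_JSON_ParseRootcheck(root, lf, 1);
        }
    }

    // DecoderInfo
    if (lf->decoder_info) {
        cJSON *decoder;

        /* Dynamic fields: key names come from the decoder definition, values
         * from the event; both arrays are assumed to hold
         * Config.decoder_order_size entries. */
        if (lf->decoder_info->fields) {
            for (i = 0; i < Config.decoder_order_size; i++) {
                if (lf->decoder_info->fields[i] && lf->fields[i]) {
                    cJSON_AddStringToObject(root, lf->decoder_info->fields[i], lf->fields[i]);
                }
            }
        }

        decoder = cJSON_CreateObject();
        if (decoder) {
            cJSON_AddItemToObject(root, "decoder", decoder);

            if (lf->decoder_info->fts) {
                cJSON_AddNumberToObject(decoder, "fts", lf->decoder_info->fts);
            }
            if (lf->decoder_info->accumulate) {
                cJSON_AddNumberToObject(decoder, "accumulate", lf->decoder_info->accumulate);
            }
            if (lf->decoder_info->parent) {
                cJSON_AddStringToObject(decoder, "parent", lf->decoder_info->parent);
            }
            if (lf->decoder_info->name) {
                cJSON_AddStringToObject(decoder, "name", lf->decoder_info->name);
            }
            if (lf->decoder_info->ftscomment) {
                cJSON_AddStringToObject(decoder, "ftscomment", lf->decoder_info->ftscomment);
            }
        }
    }

    if (lf->full_log) {
        cJSON_AddStringToObject(root, "full_log", lf->full_log);
    }

    /* The bounds passed to strnlen presumably match the sizes of lf->mon and
     * lf->hour in the Eventinfo definition — confirm if those buffers change. */
    if (lf->year && strnlen(lf->mon, 4) && lf->day && strnlen(lf->hour, 10)) {
        W_JSON_ParseTimestamp(root, lf);
    }

    if (lf->hostname) {
        W_JSON_ParseHostname(root, lf->hostname);
        W_JSON_ParseAgentIP(root, lf);
    }

    if (lf->location) {
        W_JSON_ParseLocation(root, lf, 0);
    }

    out = cJSON_PrintUnformatted(root);
    cJSON_Delete(root);
    return out;
}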
384