/*
 * logtool - a logfile parsing/monitoring/manipulation utility
 *
 * Copyright (C) Y2K (2000) A.L.Lambert
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2, or (at your option)
 * any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */

/* Yee ole includes (I put this all in one file for my sanity) */
#include "includes.h"

/* Parsed fields of the iptables LOG line currently being handled.  Filled in
 * by ltm_iptables() below and exposed to the rest of the program through
 * event.m.iptables (see mods.h for the IPTABLES struct). */
IPTABLES it;
/*
 * a module to process iptables messages into something sane to read with the naked eye
 */

/* a function to get the value blah where SOMETHING=blah in the event message */
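/*
 * str     the key to look for, including its '=' (e.g. "SRC=")
 * target  receives the NUL-terminated value.  The previous implementation
 *         staged the value in an LSIZE temp and strcpy'd it across, so the
 *         contract is "target holds at least LSIZE bytes"; the copy below
 *         is capped at LSIZE-1 characters.  NOTE(review): the callers in
 *         this file pass IPTABLES fields -- confirm they are that big.
 *
 * Returns 0 on success, -1 if the key is not in event.raw (or has no '='),
 * and 1 if the key is present but its value is empty (e.g. "OUT= ").
 * target is left untouched in both error cases.
 */
int mip_parse_val(char *target, char *str) {
    const char *ptr;
    size_t len;

    /* the first occurrence wins (an iptables line carries "LEN=" twice) */
    ptr = strstr(event.raw, str);
    if (ptr == NULL) return -1;

    /* step to the '='; the old code did ++ptr on the NULL this can return */
    ptr = strchr(ptr, '=');
    if (ptr == NULL) return -1;
    ++ptr;

    /* the value runs to the next space or the end of the line; the old
     * strstr(tmp_str, " ") dereferenced NULL when the value was last on
     * the line (no trailing space) */
    len = strcspn(ptr, " \n");
    if (len == 0) return 1;

    /* bounded copy straight into target -- no LSIZE staging buffer, and no
     * unbounded strcpy of the remainder of event.raw */
    if (len > (size_t)(LSIZE - 1)) len = LSIZE - 1;
    memcpy(target, ptr, len);
    target[len] = '\0';
    return 0;
}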

/* a function to rip everything outside the syslog message into a variable we can parse */
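/*
 * Append the user's log prefix -- the text between the four syslog header
 * fields and the first "IN=" -- to msg.
 *
 * msg  caller-owned buffer, assumed to be LSIZE bytes (ltm_iptables passes a
 *      char[LSIZE]); it is only appended to when it is already non-empty,
 *      which is the original behaviour and is preserved here.
 *
 * Always returns 0.
 */
int mip_parse_msg(char *msg) {
    /* the whitespace set that sscanf's %s and " " directives skip (C locale) */
    static const char ws[] = " \t\n\v\f\r";
    char tmp_msg[LSIZE];
    const char *p = event.raw;
    char *ptr;
    size_t len;
    size_t used;

    /* skip the four leading syslog fields, as "%*s %*s %*s %*s" did.  Done by
     * hand because the old sscanf never had its return checked: on a line
     * with fewer than five items tmp_msg stayed uninitialised and was then
     * handed to strstr. */
    for (int field = 0; field < 4; field++) {
        p += strspn(p, ws);
        p += strcspn(p, ws);
    }
    p += strspn(p, ws);

    /* copy the rest of the line with a bound; the old "%[^\n]" had no width
     * and could overrun tmp_msg on a long line */
    len = strcspn(p, "\n");
    if (len > sizeof tmp_msg - 1) len = sizeof tmp_msg - 1;
    memcpy(tmp_msg, p, len);
    tmp_msg[len] = '\0';

    /* "IN=" marks the start of the iptables fields; everything before it is
     * the prefix the user configured on the LOG rule */
    ptr = strstr(tmp_msg, "IN=");
    if (ptr != NULL) {
        *ptr = '\0';
        if (msg[0] != '\0') {
            /* bounded append: the old strcat could push msg past LSIZE */
            used = strlen(msg);
            if (used < (size_t)(LSIZE - 1)) {
                strncat(msg, tmp_msg, (size_t)(LSIZE - 1) - used);
            }
        }
    }
    return 0;
}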
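/*
 * Append " src[:sport] -> dst[:dport]" to event.pmsg, optionally with the
 * hosts resolved and, in ANSI/HTML output mode, wrapped in colour escapes.
 *
 * src, dst          IP addresses; rewritten in place as "host(ip)" when
 *                   resolv is TRUE and get_host() returns a name
 * src_prt, dst_prt  ports; an empty src_prt selects the port-less form
 * resolv            TRUE to look the addresses up with get_host()
 *
 * Always returns 0.
 *
 * NOTE(review): src and dst are written in place but their capacity is not
 * passed in; the lt_strep() calls assume 1024 bytes.  Confirm the IPTABLES
 * fields are at least that large.  event.pmsg's capacity is not visible
 * here either, so the final strcat is still unbounded.
 */
short int mip_build_sd(char *src, char *src_prt, char *dst, char *dst_prt, short int resolv) {
    char tmp_str[LSIZE];
    char *ptr;
    /* snort-esque colouring applies to the ANSI and HTML output formats */
    int colour = (cf.outfmt == OUTPUT_ANSI || cf.outfmt == OUTPUT_HTML);

    if (resolv == TRUE) {
        ptr = get_host(src);
        if (ptr != NULL) {
            /* "host(ip)", assembled with a bound instead of strcpy/strcat */
            snprintf(tmp_str, sizeof tmp_str, "%s(%s)", ptr, src);
            strcpy(src, tmp_str);
        }
        ptr = get_host(dst);
        if (ptr != NULL) {
            snprintf(tmp_str, sizeof tmp_str, "%s(%s)", ptr, dst);
            strcpy(dst, tmp_str);
        }
        /* colour the "(ip)" part of both names.  This block used to sit
         * inside the dst branch, so src lost its colouring whenever dst
         * alone failed to resolve.  An unresolved address carries no "("
         * or ")" for lt_strep to rewrite, so hoisting it here changes
         * nothing for that case. */
        if (colour) {
            lt_strep(src, 1024, "(", "\033e\033l(\033e\033w");
            lt_strep(src, 1024, ")", "\033e\033l)\033e");
            lt_strep(dst, 1024, "(", "\033e\033l(\033e\033w");
            lt_strep(dst, 1024, ")", "\033e\033l)\033e");
        }
    }

    /* snprintf throughout: host names and ports come from the log line, and
     * the old sprintf had no bound on tmp_str */
    if (colour) {
        if (src_prt[0] != '\0') {
            snprintf(tmp_str, sizeof tmp_str, " \033W%s\033e\033l:\033e\033W%s \033l->\033e \033W%s\033e:\033W%s\033e", src, src_prt, dst, dst_prt);
        } else {
            /* the port-less form previously omitted the closing \033e after
             * dst, unlike every other coloured field in this module */
            snprintf(tmp_str, sizeof tmp_str, " \033W%s\033e \033l->\033e \033W%s\033e", src, dst);
        }
    } else {
        if (src_prt[0] != '\0') {
            snprintf(tmp_str, sizeof tmp_str, " %s:%s -> %s:%s", src, src_prt, dst, dst_prt);
        } else {
            snprintf(tmp_str, sizeof tmp_str, " %s -> %s", src, dst);
        }
    }

    strcat(event.pmsg, tmp_str);
    return 0;
}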
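/*
 * Module entry point for iptables LOG lines.  Reads event.raw, fills in the
 * module-global `it` (see mods.h for the IPTABLES struct), links it from
 * event.m.iptables and appends the pretty-printed form to event.pmsg.
 *
 * Always returns 0.
 */
short int ltm_iptables(void) {
    char msg[LSIZE];       /* user defined message (if any) */
    char tmp_str[LSIZE];   /* scratch space for assembling output */
    short int resolv;      /* do we resolve IP addresses? */
    /* every "KEY=" pulled out of the line, in the order iptables prints
     * them, paired with the IPTABLES field that receives the value */
    struct { char *field; char *key; } vals[] = {
        { it.in_if,   "IN=" },
        { it.ou_if,   "OUT=" },
        { it.src,     "SRC=" },
        { it.src_prt, "SPT=" },
        { it.dst,     "DST=" },
        { it.dst_prt, "DPT=" },
        { it.plen,    "LEN=" },
        { it.tos,     "TOS=" },
        { it.prec,    "PREC=" },
        { it.ttl,     "TTL=" },
        { it.proto,   "PROTO=" },
    };

    resolv = mod_varcheck("modipt_resolvips");

    /* Figure out what color this message should be */
    lt_set_event_color();

    /* because you most often don't get a 'program' field in one of these */
    strcpy(event.program, "iptables:");

    /* parse up the basics (date format's, prog/src, etc) */
    mod_premsg_setup();

    /* see if user used any prefixing and put it in the output if so */
    strcpy(msg, "-j LOG: ");
    mip_parse_msg(msg);

    /* clear each field before parsing it: mip_parse_val leaves its target
     * alone when the key is missing or empty, so an absent key reads as "" */
    for (size_t i = 0; i < sizeof vals / sizeof vals[0]; i++) {
        vals[i].field[0] = '\0';
        mip_parse_val(vals[i].field, vals[i].key);
    }

    /* okie, parsing done, start building event.pmsg */
    /* start with the msg (if any), in the event colour, then reset */
    if (msg[0] != '\0') {
        snprintf(tmp_str, sizeof tmp_str, " %s%s\033e", event.pcolor, msg);
        strcpy(it.msg, msg);
        strcat(event.pmsg, tmp_str);
    }

    /* protocol in braces, e.g. " {UDP}" */
    if (it.proto[0] != '\0') {
        snprintf(tmp_str, sizeof tmp_str, " \033e\033l{\033e\033C%s\033e\033l}\033e", it.proto);
        strcat(event.pmsg, tmp_str);
    }

    mip_build_sd(it.src, it.src_prt, it.dst, it.dst_prt, resolv);

    /* make a link from the event.module structure to our iptables data */
    event.m.iptables = &it;

    return 0;
}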
/*
 * Sample input line, for reference:
 * Mar 5 02:48:09 kern@friday/1.1.1.1 Bad packet on pub int:IN=eth1 OUT= MAC=00:40:05:6c:f9:8b:00:02:3b:01:be:9d:08:00 SRC=61.14.66.78 DST=65.71.249.147 LEN=78 TOS=0x00 PREC=0x00 TTL=108 ID=11861 PROTO=UDP SPT=1028 DPT=137 LEN=58
 */
