1 /* Copyright (C) 2009 Trend Micro Inc.
2 * All rights reserved.
3 *
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
7 * Foundation
8 */
9
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <unistd.h>
14 #include <sys/types.h>
15 #include <dirent.h>
16 #include <time.h>
17 #include <windows.h>
18
19 #include "os_regex/os_regex.h"
20
21
/* Configuration file this tool appends to; it is resolved relative to the
 * current directory (main() chdir()s into argv[1] first when one is given). */
#define OSSECCONF "ossec.conf"
/* Largest path / config line handled here, excluding the terminating NUL;
 * the local buffers below are sized OS_MAXSTR + 1. */
#define OS_MAXSTR 1024

/* Shared counter: reset to 0 in main(), incremented by config_iis() when a
 * log file is found and by config_dir() when an entry is appended, and
 * reported as "No IIS log added" by main() when it is still 0 at the end. */
int total;
26
27
/* Return 1 when `dir` can be opened with opendir(), 0 otherwise.
 * Every failure reason (missing, not a directory, no permission) yields 0;
 * the caller cannot distinguish them. */
int direxist(char *dir)
{
    DIR *handle = opendir(dir);

    if (handle == NULL) {
        return (0);
    }

    closedir(handle);
    return (1);
}
41
/* Return 1 when `file` can be opened for reading, 0 otherwise.
 * This tests readability through fopen(), not mere presence: a file that
 * exists but cannot be read reports 0 as well. */
int fileexist(char *file)
{
    FILE *handle = fopen(file, "r");

    if (handle == NULL) {
        return (0);
    }

    fclose(handle);
    return (1);
}
55
/* Scan `file` line by line and return 1 as soon as a line satisfies
 * OS_Match() with `str` as the pattern; return 0 when the file cannot be
 * opened or no line matches. Because fgets() reads at most OS_MAXSTR - 1
 * bytes per call, a longer line is handed to OS_Match() in pieces. */
int dogrep(char *file, char *str)
{
    char line[OS_MAXSTR + 1] = {0};
    int found = 0;
    FILE *fp = fopen(file, "r");

    if (fp == NULL) {
        return (0);
    }

    while (!found && fgets(line, OS_MAXSTR, fp) != NULL) {
        found = OS_Match(str, line) ? 1 : 0;
    }

    fclose(fp);
    return (found);
}
81
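/* Get Windows directory: expand %WINDIR% into `file` (at most f_size bytes).
 * Falls back to "C:\WINDOWS" when the expansion fails, would not fit, or
 * names a directory that does not exist. `file` is NUL-terminated on return
 * whenever f_size > 0. The environment value is taken as-is apart from the
 * existence check. */
static void get_win_dir(char *file, int f_size)
{
    unsigned long n;

    if (f_size <= 0) {
        return;
    }

    /* ExpandEnvironmentStrings() returns 0 on failure and the required size
     * (including the NUL) when the buffer is too small; in neither case does
     * `file` hold a usable string, so only trust it when 0 < n <= f_size
     * rather than probing whatever the buffer happened to contain. */
    n = ExpandEnvironmentStrings("%WINDIR%", file, f_size);

    if (n == 0 || n > (unsigned long)f_size || !direxist(file)) {
        /* snprintf() always terminates; strncpy() would not for small f_size */
        snprintf(file, (size_t)f_size, "%s", "C:\\WINDOWS");
    }
}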
91
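/* Handle a service log directory that exists but holds no log for today.
 * `name` is the program name used as a message prefix, `dir` the directory
 * that was probed, and `vfile` the strftime-style path pattern to record.
 * Returns 0 when `dir` does not exist and 1 otherwise -- whether the entry
 * was already present, was appended, or OSSECCONF could not be written; the
 * last case is only reported on stdout. `total` is incremented only when the
 * entry was actually written and flushed. */
int config_dir(char *name, char *dir, char *vfile)
{
    FILE *fp;
    int written;

    if (!direxist(dir)) {
        return (0);
    }

    /* dogrep() passes vfile to OS_Match() as the pattern, so this is a
     * pattern match against each config line, not necessarily a literal
     * string comparison. */
    if (dogrep(OSSECCONF, vfile)) {
        printf("%s: Log file already configured: '%s'.\n",
               name, vfile);
        return (1);
    }

    printf("%s: IIS directory found, but no valid log.\n", name);
    printf("%s: You may have it configured in a format different\n"
           " than W3C Extended or you just don't have today's\n"
           " log available.\n", name);
    printf("%s: http://www.ossec.net/en/manual.html#iis\n\n", name);

    /* Add IIS config */
    fp = fopen(OSSECCONF, "a");
    if (!fp) {
        printf("%s: Unable to edit configuration file.\n", name);
        return (1);
    }

    /* vfile is written into the XML verbatim (no escaping); main() builds
     * it from the Windows directory plus fixed suffixes. */
    written = fprintf(fp, "\r\n"
                          "\r\n"
                          "<!-- IIS log file -->\r\n"
                          "<ossec_config>\r\n"
                          " <localfile>\r\n"
                          " <location>%s</location>\r\n"
                          " <log_format>iis</log_format>\r\n"
                          " </localfile>\r\n"
                          "</ossec_config>\r\n\r\n", vfile);

    /* fclose() flushes the appended block; a failure here (or a failed
     * fprintf) means the entry may not be on disk, so neither report success
     * nor count it. */
    if (fclose(fp) != 0 || written < 0) {
        printf("%s: Unable to edit configuration file.\n", name);
        return (1);
    }

    printf("%s: Action completed.\n", name);
    total++;

    return (1);
}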
136
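/* Check if the IIS file is present in the config: when today's log `file`
 * exists, make sure the pattern `vfile` is recorded in OSSECCONF, appending
 * a <localfile> block for it when it is not. `name` prefixes every message.
 * Returns 0 when `file` does not exist (callers may then fall back to
 * config_dir()), 1 otherwise -- including when OSSECCONF could not be
 * written, which is only reported on stdout. `total` is incremented as soon
 * as the log file is found, before the config check, so it counts discovered
 * logs rather than newly added entries. */
int config_iis(char *name, char *file, char *vfile)
{
    FILE *fp;
    int written;

    if (!fileexist(file)) {
        return (0);
    }

    total++;

    /* dogrep() passes vfile to OS_Match() as the pattern, so this is a
     * pattern match against each config line, not necessarily a literal
     * string comparison. */
    if (dogrep(OSSECCONF, vfile)) {
        printf("%s: Log file already configured: '%s'.\n",
               name, vfile);
        return (1);
    }

    printf("%s: Adding IIS log file to be monitored: '%s'.\n", name, vfile);

    /* Add iis config config */
    fp = fopen(OSSECCONF, "a");
    if (!fp) {
        printf("%s: Unable to edit configuration file.\n", name);
        return (1);
    }

    /* vfile is written into the XML verbatim (no escaping); main() builds
     * it from the Windows directory plus fixed suffixes. */
    written = fprintf(fp, "\r\n"
                          "\r\n"
                          "<!-- IIS log file -->\r\n"
                          "<ossec_config>\r\n"
                          " <localfile>\r\n"
                          " <location>%s</location>\r\n"
                          " <log_format>iis</log_format>\r\n"
                          " </localfile>\r\n"
                          "</ossec_config>\r\n\r\n", vfile);

    /* fclose() flushes the appended block; a failure here (or a failed
     * fprintf) means the entry may not be on disk, so do not report success. */
    if (fclose(fp) != 0 || written < 0) {
        printf("%s: Unable to edit configuration file.\n", name);
        return (1);
    }

    printf("%s: Action completed.\n", name);

    return (1);
}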
178
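/* Build the two paths probed for one service instance:
 *   lfile: "<win_dir>\System32\LogFiles\<svc><idx>\<prefix>YYMMDD.log" for today
 *   vfile: the same path with the "%y%m%d" placeholder kept literally, which
 *          is what gets recorded in OSSECCONF.
 * Both buffers must hold OS_MAXSTR + 1 bytes. Returns 0 when either path
 * would be truncated (snprintf() reports a length >= OS_MAXSTR), 1 otherwise. */
static int build_log_paths(char *lfile, char *vfile, char *win_dir,
                           const char *svc, const char *prefix,
                           const struct tm *today, int idx)
{
    int n = snprintf(lfile, OS_MAXSTR,
                     "%s\\System32\\LogFiles\\%s%d\\%s%02d%02d%02d.log",
                     win_dir, svc, idx, prefix,
                     (today->tm_year + 1900) - 2000, /* two-digit year */
                     today->tm_mon + 1, today->tm_mday);
    if (n < 0 || n >= OS_MAXSTR) {
        return 0;
    }

    n = snprintf(vfile, OS_MAXSTR,
                 "%s\\System32\\LogFiles\\%s%d\\%s%%y%%m%%d.log",
                 win_dir, svc, idx, prefix);
    return (n >= 0 && n < OS_MAXSTR);
}

/* Probe service instance <svc><idx>: try today's "<prefix>" log through
 * config_iis(); when that log does not exist and try_dir is set, fall back to
 * config_dir() on the service directory itself. A candidate whose path would
 * not fit in OS_MAXSTR bytes is skipped instead of being probed truncated. */
static void probe_service(char *name, char *win_dir, const char *svc,
                          const char *prefix, const struct tm *today,
                          int idx, int try_dir)
{
    char lfile[OS_MAXSTR + 1];
    char vfile[OS_MAXSTR + 1];
    int n;

    if (!build_log_paths(lfile, vfile, win_dir, svc, prefix, today, idx)) {
        return;
    }

    if (config_iis(name, lfile, vfile) != 0 || !try_dir) {
        return;
    }

    /* No log for today: hand the directory to config_dir(), keeping the
     * pattern in vfile */
    n = snprintf(lfile, OS_MAXSTR, "%s\\System32\\LogFiles\\%s%d",
                 win_dir, svc, idx);
    if (n < 0 || n >= OS_MAXSTR) {
        return;
    }
    config_dir(name, lfile, vfile);
}

/* Setup Windows after install: look for today's IIS (NCSA and W3C
 * extended), FTP and SMTP log files under <windir>\System32\LogFiles and
 * register them in OSSECCONF. argv[1], when given, is the directory holding
 * OSSECCONF and is chdir()ed into first. Always exits with status 0,
 * including on the error paths. */
int main(int argc, char **argv)
{
    int idx;
    time_t now;
    struct tm *today;
    char win_dir[2048] = "";   /* zeroed so get_win_dir() never sees garbage */

    if (argc >= 2) {
        if (chdir(argv[1]) != 0) {
            printf("%s: Invalid directory: '%s'.\n", argv[0], argv[1]);
            return (0);
        }
    }

    /* Check if ossec was installed already */
    if (!fileexist(OSSECCONF)) {
        printf("%s: Unable to find ossec config: '%s'", argv[0], OSSECCONF);
        exit(0);
    }

    /* Get today's day; localtime() returns NULL when the conversion fails,
     * and the date fields are dereferenced for every candidate below */
    now = time(NULL);
    today = localtime(&now);
    if (today == NULL) {
        printf("%s: Unable to get the current date.\n", argv[0]);
        return (0);
    }

    total = 0;

    printf("%s: Looking for IIS log files to monitor.\r\n",
           argv[0]);
    printf("%s: For more information: http://www.ossec.net/en/win.html\r\n",
           argv[0]);
    printf("\r\n");

    /* Get Window directory */
    get_win_dir(win_dir, sizeof(win_dir) - 1);

    /* Look for IIS log files; service instances are numbered 1..255 */
    for (idx = 1; idx <= 255; idx++) {
        /* NCSA: no directory fallback */
        probe_service(argv[0], win_dir, "W3SVC", "nc", today, idx, 0);

        /* W3C extended */
        probe_service(argv[0], win_dir, "W3SVC", "ex", today, idx, 1);

        /* FTP Extended format */
        probe_service(argv[0], win_dir, "MSFTPSVC", "ex", today, idx, 1);

        /* IIS SMTP logs */
        probe_service(argv[0], win_dir, "SMTPSVC", "ex", today, idx, 1);
    }

    if (total == 0) {
        printf("%s: No IIS log added. Look at the link above for more "
               "information.\r\n", argv[0]);
    }

    return (0);
}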
296