OSSEC an open source HIDS --- LogCollector

这些天仔细分析了OSSEC日志收集(LogCollector)部分的细节。

       OSSEC-LogCollector是创建一个无限循环,类似一个监听日志的守护进程,只要监听到日志有变动,就用SOCEKT发送消息给日志分析(analysisd)的守护进程,然后进行解码、匹配等操作。

      

下面先讲OSSEC是如何读取日志的。以读取WINDOWS XP下的事件日志为例。

读取事件日志主要是用到了Windows.h中的几个API:

OpenEventLog,CloseEventLog,ReadEventLog,GetLastError,等。

代码在最下面,我先说明一下每个函数的作用。

int StartEL(char *app, HIDSEL *el) 

打开日志,返回该日志的数目。

char *GetELCategory(int categoryID)

根据类型ID获取日志类型。

char *GetEventDLL(char *evt_name, char *source, char *evt) 

从注册表获取日志的名称。

char *GetELMsg(EVENTLOGRECORD *er,  char *name,  char * source, LPTSTR *elSStr) 

获取该条日志的描述信息。

void ReadEL(HIDSEL *el, int printit)

读取事件日志。注,若只需要读取一次日志,printit设为1即可。OSSEC设置此参数的做法,我想是要忽略已有的日志,只对新产生的日志做处理。

#include "stdio.h"
#include "windows.h"

#define BUFFER_SIZE 2048*256
#define HIDS_MAXSTR 6144
#define HIDS_FLSIZE 256
#define HIDS_LOG_HEADER 256

/*Event logging local structure*/
typedef struct _HIDSEL
{
	int timeOfLast;
	char *name;
	
	EVENTLOGRECORD *er;
	HANDLE h;
	DWORD record;
}HIDSEL;

/*
 *Starts the event logging for each el
 */
int StartEL(char *app, HIDSEL *el)
{
	DWORD recordNum = 0;

	/*Opening the event log*/
	el->h = OpenEventLog(NULL,app);
	if(!el->h)
	{
		printf("HIDS-LogCollecotor ERROR: Uable to open the event log : %s.", app); 
		return (-1);
	}
	
	el->name = app;
	
	if(GetOldestEventLogRecord(el->h, &el->record) == 0)
	{
		/*Unable to read oldest event log record*/
		printf("HIDS-LogCollecotor ERROR: Uable to query last event log from: %s.", app); 
		CloseEventLog(el->h);
		el->h = NULL;
		return(-1);
	}
	
	if(GetNumberOfEventLogRecords(el->h, &recordNum) == 0)
	{		 
		printf("HIDS-LogCollecotor ERROR: Uable to get the number of event logs from: %s.", app); 
		CloseEventLog(el->h);
		el->h = NULL;
		return(-1);
	}
	
	if(recordNum <= 0)
	{
		return 0;
	}
	
	return (int)recordNum;
}

/* 
 * Returns a string related to the category id of the log.
 */
char *GetELCategory(int categoryID)
{
    char *cat;
    switch(categoryID)
    {
        case EVENTLOG_ERROR_TYPE:
            cat = "ERROR";
            break;
        case EVENTLOG_WARNING_TYPE:
            cat = "WARNING";
            break;
        case EVENTLOG_INFORMATION_TYPE:
            cat = "INFORMATION";
            break;
        case EVENTLOG_AUDIT_SUCCESS:
            cat = "AUDIT_SUCCESS";
            break;
        case EVENTLOG_AUDIT_FAILURE:
            cat = "AUDIT_FAILURE";
            break;
        default:
            cat = "Unknown";
            break;
    }
    return	cat;
}


/**
 * Returns the event.
 */
char *GetEventDLL(char *evt_name, char *source, char *evt) 
{
    //char *retStr;
    HKEY key;
    DWORD ret;
    char keyName[512];


    keyName[511] = '\0';

    _snprintf(keyName, 510, 
            "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s", 
            evt_name, 
            source);


    /* Checking if we have it in memory. */
    
    //retStr = OSHash_Get(dll_hash, keyName + 42);
    //if(retStr)
    //{
    //    return(retStr);
    //}
    
    /* Opening registry */	    
    if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, keyName, 0, 
                    KEY_ALL_ACCESS, &key) != ERROR_SUCCESS)
    {
        return(NULL);    
    }


    ret = MAX_PATH -1;	
    if (RegQueryValueEx(key, "EventMessageFile", NULL, 
                NULL, (LPBYTE)evt, &ret) != ERROR_SUCCESS)
    {
        evt[0] = '\0';	
        RegCloseKey(key);
        return(NULL);
    }
    else
    {
        /* Adding to memory. */
        char *skey;
        char *sval;

        skey = strdup(keyName + 42);
        sval = strdup(evt);
        
        if(skey && sval)
        {
            //OSHash_Add(dll_hash, skey, sval); 
        }
        else
        {
            printf("Log Collector: ERROR: Not enough Memory. Exiting.");
        }
    }
    
    RegCloseKey(key);
    return(evt);
}


/**
 * Returns a descriptive message of the event.
 */
char *GetELMsg(EVENTLOGRECORD *er,  char *name, 
		    char * source, LPTSTR *elSStr) 
{
    DWORD fmFlags = 0;
    char strTmp[257];
    char event[MAX_PATH +1];
    char *curr_str;
    char *next_str;
    LPSTR message = NULL;

    HMODULE hevt;

    /* Initializing variables */
    event[MAX_PATH] = '\0';
    strTmp[256] = '\0';


    /* Flags for format event */
    fmFlags |= FORMAT_MESSAGE_FROM_HMODULE;
    fmFlags |= FORMAT_MESSAGE_ALLOCATE_BUFFER;
    fmFlags |= FORMAT_MESSAGE_ARGUMENT_ARRAY;



    /* Get the file name from the registry (stored on event) */
    if(!(curr_str = GetEventDLL(name, source, event)))
    {
        return(NULL);	    
    }	    



    /* If our event has multiple libraries, try each one of them */ 
    while((next_str = strchr(curr_str, ';')))
    {
        *next_str = '\0';

        ExpandEnvironmentStrings(curr_str, strTmp, 255);

        /* Reverting back old value. */
        *next_str = ';';
        

        /* Loading library. */
        hevt = LoadLibraryEx(strTmp, NULL, 
                             DONT_RESOLVE_DLL_REFERENCES |
                             LOAD_LIBRARY_AS_DATAFILE);
        if(hevt)
        {
            if(!FormatMessage(fmFlags, hevt, er->EventID, 0,
                              (LPTSTR) &message, 0, elSStr))
            {
                message = NULL;		  
            }
            FreeLibrary(hevt);

            /* If we have a message, we can return it */
            if(message)
                return(message);
        }


        curr_str = next_str +1;
    }

    
    /* Getting last value. */
    ExpandEnvironmentStrings(curr_str, strTmp, 255);
    hevt = LoadLibraryEx(strTmp, NULL, 
                         DONT_RESOLVE_DLL_REFERENCES |
                         LOAD_LIBRARY_AS_DATAFILE);
    if(hevt)
    {
        int hr;    
        if(!(hr = FormatMessage(fmFlags, hevt, er->EventID, 
                        0,
                        (LPTSTR) &message, 0, elSStr)))
        {
            message = NULL;		  
        }
        FreeLibrary(hevt);

        /* If we have a message, we can return it */
        if(message)
            return(message);
    }

    return(NULL);
}


/*
 *Reads the event log.
 */
void ReadEL(HIDSEL *el, int printit)
{
	DWORD _evtid = 65535;
    DWORD nstr;
    DWORD usrSize;
    DWORD domainSize;
    DWORD read, needed;
    int sizeLeft;
    int strSize;
    int id;

    char mbuffer[BUFFER_SIZE +1];
    LPSTR sstr = NULL;

    char *strTmp = NULL;
    char *category;
    char *source;
    char *computerName;
    char *descriptiveMsg;

    char elUsr[HIDS_FLSIZE +1];
    char elDomain[HIDS_FLSIZE +1];
    char elStr[HIDS_MAXSTR +1];
    char finalMsg[HIDS_MAXSTR +1];
    LPSTR elSStr[HIDS_FLSIZE +1];

    /* Er must point to the mbuffer */
    el->er = (EVENTLOGRECORD *) &mbuffer; 

    /* Zeroing the values */
    elStr[HIDS_MAXSTR] = '\0';
    elUsr[HIDS_FLSIZE] = '\0';
    elDomain[HIDS_FLSIZE] = '\0';
    finalMsg[HIDS_MAXSTR] = '\0';
    elSStr[0] = NULL;
    elSStr[HIDS_FLSIZE] = NULL;
    
    /* Event log is not open */
    if(!el->h)
    {
        return;
    }
    
    /* Reading the event log */
    while(ReadEventLog(el->h,
				EVENTLOG_FORWARDS_READ|EVENTLOG_SEQUENTIAL_READ,
				0,
				el->er, BUFFER_SIZE - 1, &read, &needed))
	{
        if(!printit)
        {
            /* Setting er to the beginning of the buffer */
            el->er = (EVENTLOGRECORD *)&mbuffer;
            continue;
        }

        
        while(read > 0)
        {
            /* We need to initialize every variable before the loop */
            category = GetELCategory(el->er->EventType);
            source = (LPSTR) ((LPBYTE) el->er + sizeof(EVENTLOGRECORD));
            computerName = source + strlen(source) + 1;
            descriptiveMsg = NULL;

            /* Getting event id. */
            id = (int)el->er->EventID & _evtid;
                            
            /* Initialing domain/user size */
            usrSize = 255; domainSize = 255;
            elDomain[0] = '\0';
            elUsr[0] = '\0';

            /* We must have some description */
            if(el->er->NumStrings)
            {	
                sizeLeft = HIDS_MAXSTR - 1024;	

                sstr = (LPSTR)((LPBYTE)el->er + el->er->StringOffset);
                elStr[0] = '\0';

                for (nstr = 0;nstr < el->er->NumStrings;nstr++)
                {
                    strSize = strlen(sstr);
                    if(sizeLeft > 1)
					{
                        strncat(elStr, sstr, sizeLeft);
                    }

                    strTmp = strchr(elStr, '\0');
                    if(strTmp)
                    {
                        *strTmp = ' ';		
                        strTmp++; *strTmp = '\0';
                    }
                    else
                    {
                        printf("Log Collector: Invalid application string (size+)");
                    }
                    sizeLeft-=strSize + 2;

                    if(nstr <= 92)
                    {
                        elSStr[nstr] = (LPSTR)sstr;
                        elSStr[nstr +1] = NULL;
                    }

                    sstr = strchr((LPSTR)sstr, '\0');
                    
                    if(sstr)
                        sstr++;
                    else
                        break;     
				}

                /* Get a more descriptive message (if available) */                
                descriptiveMsg = GetELMsg(el->er, 
                                          el->name,
                                          source, 
                                          elSStr);                
                                                        
                if(descriptiveMsg != NULL)
                {
                    /* Remove any \n or \r */
                    /* Replace tabs from the argument field to spaces.
                     * So whenever we have option:\tvalue\t, it will
                     * become option: value\t
                     */
                    strTmp = descriptiveMsg;    
                    while(*strTmp != '\0')
                    {
                        if(*strTmp == '\n')
                            *strTmp = ' ';
                        else if(*strTmp == '\r')
                            *strTmp = ' ';
                        else if((*strTmp == ':') && (strTmp[1] == '\t'))
                        {
                            strTmp[1] = ' ';
                            strTmp++;
                        }
                                    
                        strTmp++;
                    }
                }
            }
            else
            {
                strncpy(elStr, "(no message)", 128);	
            }


            /* Getting username */
            if(el->er->UserSidLength)
            {
                SID_NAME_USE account_type;
                if(!LookupAccountSid(NULL, 
                                    (SID *)((LPSTR)el->er + 
                                    el->er->UserSidOffset),
                                    elUsr, 
                                    &usrSize, 
                                    elDomain, 
                                    &domainSize, 
                                    &account_type))		
                {
                    strncpy(elUsr, "(no user)", 255);
                    strncpy(elDomain, "no domain", 255);
                }

            }
            else
            {
                strncpy(elUsr, "(no user)", 255);	
                strncpy(elDomain, "no domain", 255);	
            }


            if(printit)
            {
                DWORD _evtid = 65535;
                int id = (int)el->er->EventID & _evtid; 
               
                finalMsg[HIDS_MAXSTR - HIDS_LOG_HEADER] = '\0'; 
                finalMsg[HIDS_MAXSTR - HIDS_LOG_HEADER -1] = '\0'; 
                
                printf("WinEvtLog: %s: %s(%d): %s: %s: %s: %s: %s\n", 
                        el->name,
                        category, 
                        id,
                        source,
                        elUsr,
                        elDomain,
                        computerName,
                        descriptiveMsg != NULL?descriptiveMsg:elStr);	
                
				/*send msg to server
				 ...................
				 ...................
				 */
            }

            if(descriptiveMsg != NULL)
            {
                LocalFree(descriptiveMsg);
            }

            /* Changing the point to the er */
            read -= el->er->Length;
            el->er = (EVENTLOGRECORD *)((LPBYTE) el->er + el->er->Length);
        }		

        /* Setting er to the beginning of the buffer */	
        el->er = (EVENTLOGRECORD *)&mbuffer;
    }

	
    id = GetLastError();
    if(id == ERROR_HANDLE_EOF)
    {
        return;
    }
    /* Event log was cleared. */
    else if(id == ERROR_EVENTLOG_FILE_CHANGED)
    {
        printf("Log Collector: WARN: Event log cleared: '%s'", el->name);
        
        /* Closing the event log and reopenning. */
        CloseEventLog(el->h);
        el->h = NULL;

        /* Reopening. */
        if(StartEL(el->name, el) < 0)
        {
            printf("Log Collector: ERROR: Unable to reopen event log '%s'", el->name);
        }
    }

    else
    {
        printf("Log Collector: WARN: Error reading event log: %d", id);
    }
}
					  

int main()
{
	HIDSEL hidsEL[3];
	int a,b,c;
	a = StartEL("System",&hidsEL[0]);
	//b = StartEL("Security",&hidsEL[1]);
	//c = StartEL("Application",&hidsEL[2]);
	ReadEL(&hidsEL[0],1);
	//ReadEL(&hidsEL[1],1);
	//ReadEL(&hidsEL[2],1);
	system("pause");
	return 0;
}

 

你可能感兴趣的:(windows,Security,XP,Access)