merge Brian's pull request

debian/changelog

@@ -1,3 +1,9 @@
+securityonion-sguil-agent-ossec (20120726-0ubuntu0securityonion15) precise; urgency=low
+
+  * more fixes from Brian Kellogg 
+
+ -- Doug Burks <[email protected]>  Tue, 05 May 2015 14:28:26 -0400
+
 securityonion-sguil-agent-ossec (20120726-0ubuntu0securityonion14) precise; urgency=low
 
   * restart using setsid 

debian/patches/more-fixes-from-Brian-Kellogg

@@ -0,0 +1,108 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-sguil-agent-ossec (20120726-0ubuntu0securityonion15) precise; urgency=low
+ .
+   * more fixes from Brian Kellogg
+Author: Doug Burks <[email protected]>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- securityonion-sguil-agent-ossec-20120726.orig/etc/nsm/ossec/ossec_agent.tcl
++++ securityonion-sguil-agent-ossec-20120726/etc/nsm/ossec/ossec_agent.tcl
+@@ -81,14 +81,13 @@ proc bgerror { errorMsg } {
+ proc InitAgent {} {
+
+     global DEBUG FILENAME MIN_PRIORITY  DNS DEFAULT_DNS_DOMAIN USE_DNS
+-    global nDate sig_id priority message src_ip user hexPayload payload agent src_port dst_port
++    global nDate sig_id priority message src_ip hexPayload payload agent src_port dst_port
+
+     set nDate ""
+     set sig_id ""
+     set priority ""
+     set message ""
+     set src_ip ""
+-    set user ""
+     set hexPayload ""
+     set payload ""
+     set agent ""
+@@ -201,7 +200,7 @@ proc ResolveHostname { hostName } {
+ #
+ proc ProcessData { line } {
+     global AGENT_TYPE
+-    global nDate sig_id priority message src_ip user hexPayload payload agent src_port dst_port
++    global nDate sig_id priority message src_ip hexPayload payload agent src_port dst_port
+
+     # We do not care about the first line of an alert so find it and forget it
+     if { [regexp {(?x) ^\*\*\s+Alert} $line] } {
+@@ -228,26 +227,13 @@ proc ProcessData { line } {
+                  ^Rule:\s+(\d+)\s+\(level\s+(\d+)\)\s+->\s+'(.*)'
+                  } $line MatchVar sig_id priority message ] } {
+         set message "\[[string toupper $AGENT_TYPE]\] $message"
+-    } elseif { [regexp {(?x)
+-                 ^User:\s+(.*)
+-                } $line MatchVar user ] } {
+-        # We really don't have anything to do here, since we matched all
+-        # our variables directly in the conditional for this block
+-    } elseif { [regexp {(?x)
+-                 ^Src\s+IP:\s+(.*)
+-                 } $line MatchVar src_ip ] } {
++    } elseif { [regexp {(?x) ^Src\s+IP:\s+(\S+)} $line MatchVar src_ip ] } {
+         set src_ip [ResolveHostname $src_ip]
+-    } elseif { [regexp {(?x)
+-                 ^Src\s+Port:\s+(\d+)
+-                 } $line MatchVar src_port ] } {
++    } elseif { [regexp {(?x) ^Src\s+Port:\s+(\d+)} $line MatchVar src_port ] } {
+         # nothing to do as regexp filled the var
+-    } elseif { [regexp {(?x)
+-                 ^Dst\s+IP:\s+(.*)
+-                 } $line MatchVar agent ] } {
++    } elseif { [regexp {(?x) ^Dst\s+IP:\s+(\S+)} $line MatchVar agent ] } {
+         set agent [ResolveHostname $agent]
+-    } elseif { [regexp {(?x)
+-                 ^Dst\s+Port:\s+(\d+)
+-                 } $line MatchVar dst_port ] } {
++    } elseif { [regexp {(?x) ^Dst\s+Port:\s+(\d+)} $line MatchVar dst_port ] } {
+         # nothing to do as regexp filled the var
+     # check to see if this is a blank line
+     # if it is then we've reached the end of the alert and can now send it to Sguil
+@@ -268,7 +254,7 @@ proc SendAlert {} {
+     global HOSTNAME IPADDR AGENT_ID NEXT_EVENT_ID AGENT_TYPE GEN_ID
+     global MIN_PRIORITY
+     global sguildSocketID DEBUG
+-    global nDate sig_id priority message src_ip user hexPayload payload agent src_port dst_port
++    global nDate sig_id priority message src_ip hexPayload payload agent src_port dst_port
+
+     # If we meet the minimum priority threshold to issue an alert,
+     # do it here.
+@@ -280,7 +266,6 @@ proc SendAlert {} {
+            puts "\tSigID: $sig_id"
+            puts "\tPriority: $priority"
+            puts "\tSrcIP: $src_ip"
+-           puts "\tUser: $user"
+            puts "\tMessage: $message"
+            puts "\tPayload: $payload"
+            puts "\tSrcPort: $src_port"
+@@ -357,7 +342,6 @@ proc SendAlert {} {
+     set sig_id ""
+     set priority ""
+     set src_ip ""
+-    set user ""
+     set message ""
+     set payload ""
+     set hexPayload ""

debian/patches/series

@@ -6,3 +6,4 @@ Issue-705:-ossec_agent:-improvements-from-Brian-Kellogg
 Issue-716:-tighten-regex-to-only-look-for-->-anchored-to-hostname-or-IP
 Issue-717:-ossec_agent:-send-alerts-to-sguild-immediately-instead-of-waiting-for-next-alert
 Fixed-alert-body-not-appending.
+more-fixes-from-Brian-Kellogg