diff --git a/debian/changelog b/debian/changelog
index 50b3b90..4feaf75 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+securityonion-sguil-agent-ossec (20120726-0ubuntu0securityonion15) precise; urgency=low
+
+ * more fixes from Brian Kellogg
+
+ -- Doug Burks Tue, 05 May 2015 14:28:26 -0400
+
 securityonion-sguil-agent-ossec (20120726-0ubuntu0securityonion14) precise; urgency=low
 
 * restart using setsid
diff --git a/debian/patches/more-fixes-from-Brian-Kellogg b/debian/patches/more-fixes-from-Brian-Kellogg
new file mode 100644
index 0000000..0cca29e
--- /dev/null
+++ b/debian/patches/more-fixes-from-Brian-Kellogg
@@ -0,0 +1,108 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-sguil-agent-ossec (20120726-0ubuntu0securityonion15) precise; urgency=low
+ .
+ * more fixes from Brian Kellogg
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-sguil-agent-ossec-20120726.orig/etc/nsm/ossec/ossec_agent.tcl
++++ securityonion-sguil-agent-ossec-20120726/etc/nsm/ossec/ossec_agent.tcl
+@@ -81,14 +81,13 @@ proc bgerror { errorMsg } {
+ proc InitAgent {} {
+ 
+ global DEBUG FILENAME MIN_PRIORITY DNS DEFAULT_DNS_DOMAIN USE_DNS
+- global nDate sig_id priority message src_ip user hexPayload payload agent src_port dst_port
++ global nDate sig_id priority message src_ip hexPayload payload agent src_port dst_port
+ 
+ set nDate ""
+ set sig_id ""
+ set priority ""
+ set message ""
+ set src_ip ""
+- set user ""
+ set hexPayload ""
+ set payload ""
+ set agent ""
+@@ -201,7 +200,7 @@ proc ResolveHostname { hostName } {
+ #
+ proc ProcessData { line } {
+ global AGENT_TYPE
+- global nDate sig_id priority message src_ip user hexPayload payload agent src_port dst_port
++ global nDate sig_id priority message src_ip hexPayload payload agent src_port dst_port
+ 
+ # We do not care about the first line of an alert so find it and forget it
+ if { [regexp {(?x) ^\*\*\s+Alert} $line] } {
+@@ -228,26 +227,13 @@ proc ProcessData { line } {
+ ^Rule:\s+(\d+)\s+\(level\s+(\d+)\)\s+->\s+'(.*)'
+ } $line MatchVar sig_id priority message ] } {
+ set message "\[[string toupper $AGENT_TYPE]\] $message"
+- } elseif { [regexp {(?x)
+- ^User:\s+(.*)
+- } $line MatchVar user ] } {
+- # We really don't have anything to do here, since we matched all
+- # our variables directly in the conditional for this block
+- } elseif { [regexp {(?x)
+- ^Src\s+IP:\s+(.*)
+- } $line MatchVar src_ip ] } {
++ } elseif { [regexp {(?x) ^Src\s+IP:\s+(\S+)} $line MatchVar src_ip ] } {
+ set src_ip [ResolveHostname $src_ip]
+- } elseif { [regexp {(?x)
+- ^Src\s+Port:\s+(\d+)
+- } $line MatchVar src_port ] } {
++ } elseif { [regexp {(?x) ^Src\s+Port:\s+(\d+)} $line MatchVar src_port ] } {
+ # nothing to do as regexp filled the var
+- } elseif { [regexp {(?x)
+- ^Dst\s+IP:\s+(.*)
+- } $line MatchVar agent ] } {
++ } elseif { [regexp {(?x) ^Dst\s+IP:\s+(\S+)} $line MatchVar agent ] } {
+ set agent [ResolveHostname $agent]
+- } elseif { [regexp {(?x)
+- ^Dst\s+Port:\s+(\d+)
+- } $line MatchVar dst_port ] } {
++ } elseif { [regexp {(?x) ^Dst\s+Port:\s+(\d+)} $line MatchVar dst_port ] } {
+ # nothing to do as regexp filled the var
+ # check to see if this is a blank line
+ # if it is then we've reached the end of the alert and can now send it to Sguil
+@@ -268,7 +254,7 @@ proc SendAlert {} {
+ global HOSTNAME IPADDR AGENT_ID NEXT_EVENT_ID AGENT_TYPE GEN_ID
+ global MIN_PRIORITY
+ global sguildSocketID DEBUG
+- global nDate sig_id priority message src_ip user hexPayload payload agent src_port dst_port
++ global nDate sig_id priority message src_ip hexPayload payload agent src_port dst_port
+ 
+ # If we meet the minimum priority threshold to issue an alert,
+ # do it here.
+@@ -280,7 +266,6 @@ proc SendAlert {} {
+ puts "\tSigID: $sig_id"
+ puts "\tPriority: $priority"
+ puts "\tSrcIP: $src_ip"
+- puts "\tUser: $user"
+ puts "\tMessage: $message"
+ puts "\tPayload: $payload"
+ puts "\tSrcPort: $src_port"
+@@ -357,7 +342,6 @@ proc SendAlert {} {
+ set sig_id ""
+ set priority ""
+ set src_ip ""
+- set user ""
+ set message ""
+ set payload ""
+ set hexPayload ""
diff --git a/debian/patches/series b/debian/patches/series
index 2954516..d21f86e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@ Issue-705:-ossec_agent:-improvements-from-Brian-Kellogg
 Issue-716:-tighten-regex-to-only-look-for-->-anchored-to-hostname-or-IP
 Issue-717:-ossec_agent:-send-alerts-to-sguild-immediately-instead-of-waiting-for-next-alert
 Fixed-alert-body-not-appending.
+more-fixes-from-Brian-Kellogg
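Review bot: The DEP3 header of the new patch file is still the unfilled template (`TODO: Put a short summary on the line above…`), so nothing records what this patch changes beyond the changelog's "more fixes"; I would replace that paragraph with a real summary such as `Description: Drop the unused User field from the OSSEC alert parser and match Src/Dst IP with \S+ instead of .* so ResolveHostname only receives a single token`. That description should also state the side effect of deleting the `^User:` branch: a `User:` line in an alert is no longer consumed by that branch of ProcessData and falls through to whatever the later branches do, and since the rest of that elseif chain (and all of SendAlert's event construction) is outside this hunk, whether the line now lands in the payload or is silently dropped cannot be confirmed here. Tightening `(.*)` to `(\S+)` is an improvement, but src_ip and agent are still taken verbatim from alert text that originates in monitored hosts' logs and handed straight to ResolveHostname; a comment on those two lines, e.g. `# log-derived token, not validated here; ResolveHostname must cope with arbitrary input`, would make that trust boundary visible to the next maintainer. Whether ResolveHostname itself validates its argument or bounds the lookup (USE_DNS is declared but its use is not in this hunk) is not visible here.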