3 /**********************************************************************************
4 ** (c) Copyright 2002, Brenno J.S.A.A.F. de Winter, De Winter Information Solutions
5 ** This is free software; you can redistribute it and/or modify it under the
6 ** terms of the GNU General Public License, see the file COPYING.
7 ***********************************************************************************/
9 function linux_log () {
10 /* The function linux_log will separate the logline into several elements. This will
11 * ease the work of recognizing the type of logline. Once this has been detected
12 * the correct module will start using the data for a log_adv-table.
14 * GLOBALS : $dbms (database class containing the logline)
15 * OUTPUT : Status of success ('TRUE' for success and 'FALSE' for failure)
 *
 * NOTE(review): this listing omits original lines 16-19 and 36-43, so the
 * `global $dbms;` declaration, the switch's case label(s), the closing braces
 * and the return statement documented above are not visible here - confirm
 * them against the full source before relying on this description.
 *
 * Input handling: the text parsed below is the raw log line stored in column 6
 * of the current result row. It is external data (whatever reached syslog), so
 * nothing derived from it should be trusted for formatting or SQL without
 * escaping in the routines this function dispatches to.
 */
20 $local_log_string = str_replace(" ", " ", $dbms->db_result_row[6]); // NOTE(review): as shown this replaces a space with a space (a no-op); the original may have collapsed tabs or double spaces - confirm
21 $local_logline_array = explode (" ", $local_log_string); // split on single spaces; element [4] is the dispatch key, element [5] the first message token
 // Dispatch on the lower-cased fifth token (the case label is not in this listing;
 // the comment below indicates it is the kernel branch).
23 switch (strtolower($local_logline_array[4])) {
25 //This is a kernel logline now discover which type kernel-record we have
27 //Detect if this is a network-line
 // A netfilter/iptables-style record starts its message with "IN=" (compared case-insensitively on the first three characters).
28 if (strtolower(substr($local_logline_array[5],0,3)) == "in=") {
29 //this is a networkline call the processing the routines
 // linux_kernel_network() re-reads $dbms->db_result_row itself; its result is kept in $local_result.
30 $local_result = linux_kernel_network();
 // Unrecognized kernel line: report it via syslog so the parser can be extended.
 // NOTE(review): the parsed text came from column 6 but the message below echoes column 5 -
 // confirm which column holds the raw line. Also note the unrecognized line is written back
 // into syslog verbatim; if this process's own syslog output is ingested by the same pipeline,
 // each pass would re-log it - confirm the logging facility is excluded from collection.
33 $local_failing_string = "Failing string: ".$dbms->db_result_row[5];
34 syslog (LOG_INFO, "Unrecognized kernelline");
35 syslog (LOG_INFO, $local_failing_string);
44 function linux_kernel_network() {
46 /* This function is able to deal with the output of kernel-network messages
47 * coming from iptables and other similar tools. When elements are found
48 * that cannot be identified a notification will be written to the logbook
49 * for easy expansion of this routine.
52 * OUTPUT : "TRUE" for success and "FALSE" for failure.
56 $local_log_string = str_replace(" ", " ", $dbms->db_result_row[6]);
57 $local_logline_array = explode (" ", $local_log_string);
58 $local_sql_1 = "INSERT INTO log_adv_kernel_network"; //BASIC STATEMENT
59 $local_sql_2 = "logid, detailed_table"; //FIELDS
60 $local_sql_3 = "'".$dbms->db_result_row[0]."', 'kernel_network'"; //VALUES
64 $local_dbms = copy_db_class($dbms);
66 for ($i = 4; $i <= ( count($local_logline_array) - 1); $i++) {
67 //Process each element by exploding this based on the sign: =
68 $local_element = explode("=", $local_logline_array[$i]);
69 switch (strtolower($local_element[0])) {
72 $local_sql_2 .= ", device_in";
73 $local_sql_3 .= ", '".$local_element[1]."'";
77 $local_sql_2 .= ", device_out";
78 $local_sql_3 .= ", '".$local_element[1]."'";
82 $local_sql_2 .= ", hw_address";
83 $local_sql_3 .= ", '".$local_element[1]."'";
87 $local_sql_2 .= ", source_ip";
88 $local_sql_3 .= ", '".$local_element[1]."'";
92 $local_sql_2 .= ", destination_ip";
93 $local_sql_3 .= ", '".$local_element[1]."'";
97 if ($local_len == 0) {
98 $local_sql_2 .= ", packet_length";
101 $local_sql_2 .= ", body_len";
104 $local_sql_3 .= ", '".$local_element[1]."'";
109 $local_sql_2 .= ", tos_bit";
110 $local_sql_3 .= ", '".$local_element[1]."'";
114 $local_sql_2 .= ", prec_bit";
115 $local_sql_3 .= ", '".$local_element[1]."'";
119 $local_sql_2 .= ", ttl";
120 $local_sql_3 .= ", '".$local_element[1]."'";
125 if ($local_id == 0) {
126 $local_sql_2 .= ", header_id";
127 $local_sql_3 .= ", '".$local_element[1]."'";
133 $local_sql_2 .= ", protocol";
134 $local_sql_3 .= ", '".$local_element[1]."'";
135 if ($local_element[1] == 'ICMP') {
141 $local_sql_2 .= ", destination_port";
142 $local_sql_3 .= ", '".$local_element[1]."'";
146 $local_sql_2 .= ", source_port";
147 $local_sql_3 .= ", '".$local_element[1]."'";
151 $local_sql_2 .= ", window";
152 $local_sql_3 .= ", '".$local_element[1]."'";
156 $local_sql_2 .= ", urgp";
157 $local_sql_3 .= ", '".$local_element[1]."'";
161 $local_sql_2 .= ", rst";
162 $local_sql_3 .= ", true";
166 $local_sql_2 .= ", syn";
167 $local_sql_3 .= ", true";
171 $local_sql_2 .= ", df";
172 $local_sql_3 .= ", true";
176 $local_sql_2 .= ", type";
177 $local_sql_3 .= ", '".$local_element[1]."'";
181 $local_sql_2 .= ", code";
182 $local_sql_3 .= ", '".$local_element[1]."'";
186 $local_sql_2 .= ", sequence_number";
187 $local_sql_3 .= ", '".$local_element[1]."'";
191 $local_sql_2 .= ", res";
192 $local_sql_3 .= ", '".$local_element[1]."'";
196 /*This record is different. In ICMP information is sometimes returned on an original packet.
197 * When the brackets are used a second line will be added to the
198 * log_adv_kernel_network-table. For that reason the processing into the database will be
199 * done here as well. After that a new insert-string will be created.
202 //Enter the data into the database
203 $local_sql = $local_sql_1." (".$local_sql_2.") VALUES (".$local_sql_3.")";
204 $local_dbms->query($local_sql);
206 $local_sql_1 = "INSERT INTO log_adv_kernel_network"; //BASIC STATEMENT
207 $local_sql_2 = "logid, detailed_table"; //FIELDS
208 $local_sql_3 = "'".$dbms->db_result_row[0]."', 'kernel_network'"; //VALUES
214 syslog(LOG_INFO, "Unrecognized kernel/network entry: ".$local_element[0]);
220 //Now that the data is complete create the SQL-statement
221 $local_sql = $local_sql_1." (".$local_sql_2.") VALUES (".$local_sql_3.")";
222 $local_dbms->query($local_sql);