3 /**********************************************************************************
4 ** (c) Copyright 2002, Brenno J.S.A.A.F. de Winter, De Winter Information Soltions
5 ** This is free software; you can redistribute it and/or modify it under the
6 ** terms of the GNU General Public License, see the file COPYING.
7 ***********************************************************************************/
/* The function linux_log will separate the logline into several elements. This will
 * ease the work of recognizing the type of logline. Once this has been detected
 * the correct module will start using the data for a log_adv-table.
 * GLOBALS : $dbms (database class containing the logline)
 * OUTPUT : Status of success ('TRUE' for success and 'FALSE' for failure)
20 global $developrelease;
22 $local_log_string = str_replace(" ", " ", $dbms->db_result_row[6]);
23 $local_logline_array = explode (" ", $local_log_string);
25 switch (strtolower($local_logline_array[4]))
28 //This is a kernel logline now discover which type kernel-record we have
30 //Detect if this is a network-line
31 if (strtolower(substr($local_logline_array[5],0,3)) == "in=")
33 //this is a networkline call the processing the routines
34 $local_result = linux_kernel_network();
39 if (strtolower($local_logline_array[4]) == 'device')
41 $local_result = linux_kernel_device();
46 if ($developrelease == 'TRUE')
48 $local_failing_string = "Failing string: ".$dbms->db_result_row[5];
49 syslog (LOG_INFO, "Unrecognized kernelline:".$local_log_string);
50 syslog (LOG_INFO, $local_failing_string);
56 } // <=== We were missing this brace
function linux_kernel_network() {
/* Parse one kernel/netfilter log line (the raw text held in $dbms->db_result_row[6])
 * into an INSERT on log_adv_kernel_network, adding one column per recognised
 * KEY=VALUE token. Tokens this routine does not know are reported through syslog()
 * so the routine can be extended.
 *
 * GLOBALS : $dbms (source row: [0] is used as logid, [6] as the raw log line),
 *           $dbms_working (handle whose query() executes the INSERT).
 *           NOTE(review): the `global $dbms, $dbms_working;` declaration is not among
 *           the lines of this excerpt; without it both names are undefined locals.
 * OUTPUT : documented elsewhere as "TRUE"/"FALSE", but no return statement is visible here.
 *
 * SECURITY (review): every VALUE token is concatenated into the SQL text unescaped
 * (", '".$local_element[1]."'" below). The log line is untrusted input -- syslog can
 * carry records from remote hosts, and log prefixes/hostnames are attacker-influenced --
 * so a single quote or SQL fragment inside a field breaks or rewrites the INSERT.
 * Values should go through parameterised queries or the DB layer's escaping before
 * this runs against production data.
 */
// NOTE(review): as rendered, the search and replacement strings are both one space, so this
// call is a no-op. If the intent was to collapse runs of spaces (so explode() below yields no
// empty tokens), the search string needs two spaces or preg_replace('/ +/', ' ', ...).
$local_log_string = str_replace(" ", " ", $dbms->db_result_row[6]);
$local_logline_array = explode (" ", $local_log_string);
// The INSERT is assembled as three fragments: statement, column list, value list.
$local_sql_1 = "INSERT INTO log_adv_kernel_network"; //BASIC STATEMENT
$local_sql_2 = "logid, detailed_table"; //FIELDS
// logid is taken from the source row; it is interpolated raw like every other value.
$local_sql_3 = "'".$dbms->db_result_row[0]."', 'kernel_network'"; //VALUES
// Tokens 0-3 are skipped (presumably date/time/host -- confirm against the caller's
// layout). Token 4 is the element the caller switched on to route here; if it carries
// no '=', explode() yields a single element and $local_element[1] is unset for it.
for ($i = 4; $i <= ( count($local_logline_array) - 1); $i++) {
//Process each element by exploding this based on the sign: =
$local_element = explode("=", $local_logline_array[$i]);
// The case labels of this switch are not part of this excerpt; the column names
// below are the only hint of which KEY each branch handles.
switch (strtolower($local_element[0])) {
$local_sql_2 .= ", device_in";
// VALUE interpolated unescaped -- see SECURITY note in the header.
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", device_out";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", hw_address";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", source_ip";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", destination_ip";
$local_sql_3 .= ", '".$local_element[1]."'";
// $local_len and $local_id are read here but not assigned in the lines shown; they
// look like counters that tell the first LEN=/ID= apart from the repeated one inside
// an ICMP "[...]" section (see the bracket branch below) -- confirm before relying on it.
if ($local_len == 0) {
$local_sql_2 .= ", packet_length";
$local_sql_2 .= ", body_len";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", tos_bit";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", prec_bit";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", ttl";
$local_sql_3 .= ", '".$local_element[1]."'";
if ($local_id == 0) {
$local_sql_2 .= ", header_id";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", protocol";
$local_sql_3 .= ", '".$local_element[1]."'";
// Case-sensitive compare, unlike the strtolower()'d switch key: only the upper-case
// spelling "ICMP" is matched here.
if ($local_element[1] == 'ICMP') {
$local_sql_2 .= ", destination_port";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", source_port";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", window";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", urgp";
$local_sql_3 .= ", '".$local_element[1]."'";
// Flag-only tokens (no '=' part) are stored as boolean true.
$local_sql_2 .= ", rst";
$local_sql_3 .= ", true";
$local_sql_2 .= ", syn";
$local_sql_3 .= ", true";
$local_sql_2 .= ", df";
$local_sql_3 .= ", true";
$local_sql_2 .= ", type";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", code";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", sequence_number";
$local_sql_3 .= ", '".$local_element[1]."'";
$local_sql_2 .= ", res";
$local_sql_3 .= ", '".$local_element[1]."'";
/* This token is different. ICMP messages sometimes quote the original packet in
 * brackets; when that happens a second row is added to log_adv_kernel_network.
 * The row collected so far is therefore written here, and a fresh insert-string is
 * started for the bracketed part. Both rows carry the same logid.
 */
//Enter the data into the database
$local_sql = $local_sql_1." (".$local_sql_2.") VALUES (".$local_sql_3.")";
// Return value of query() is discarded: a failed INSERT goes unnoticed.
$dbms_working->query($local_sql);
$local_sql_1 = "INSERT INTO log_adv_kernel_network"; //BASIC STATEMENT
$local_sql_2 = "logid, detailed_table"; //FIELDS
$local_sql_3 = "'".$dbms->db_result_row[0]."', 'kernel_network'"; //VALUES
// NOTE(review): the block comment on the next line is not closed within this excerpt.
// If its "*/" follows the syslog() call, the unrecognized-token report is disabled.
/* $local_element[0];
syslog(LOG_INFO, "Unrecognized kernel/network entry: ".$local_element[0]);
//Now that the data is complete create the SQL-statement
$local_sql = $local_sql_1." (".$local_sql_2.") VALUES (".$local_sql_3.")";
// Final INSERT for the row; as above, the query() result is not checked, and no
// success/failure value is returned in the lines shown.
$dbms_working->query($local_sql);
246 function linux_kernel_device() {
247 /* This function is able to deal with the output of kernel-network messages
248 * coming from device related processes. Typically networkcard and other
249 * hardware-related data will show-up here
251 * GLOBALS : $dbms, $dbms_working
252 * OUTPUT : "TRUE" for success and "FALSE" for failure.
255 global $dbms, $dbms_working;