OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Found an issue with the dbd/mysql output module for alerts. Sample row from the `alert` table:

```
*************************** 1240. row ***************************
         id: 10696367
  server_id: 1
    rule_id: 1002
      level: 2
  timestamp: 1642404508
location_id: 30
     src_ip: (null) <- it's actually a string, not a true SQL NULL
     dst_ip: (null) <- same here
   src_port: 0
   dst_port: 0
    alertid: 1642404505.960511
       user: (null) <- same here
```
Source of the problem is in `src/os_dbd/alert.c` near line 170: if `al_data->srcip` is actually a NULL pointer, the sprintf placeholder `'%s'` generates the string `"('null')"` instead of a proper SQL NULL. The similar code for postgres (see line 179 and below in this file) handles this case correctly: `al_data->srcip != NULL ? al_data->srcip : "NULL"`. The same applies to the other NULLable fields (src_port, dst_ip, dst_port, alertid, level).
Please fix.
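An added illustration (not OSSEC's own code) of how a NULL pointer behind a quoted `'%s'` ends up stored as the string `'(null)'`, next to the unquoted-NULL pattern the postgres branch uses; the column set, helper names and IP values are assumptions, and no quote escaping is done.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not OSSEC's code. Column set and helper names are
 * assumptions; the alertid is from the reported row, IPs are constructed.
 * No quote escaping here: real code must escape or bind the value. */

/* Pattern from the report: a quoted '%s' fed a NULL pointer. glibc prints
 * "(null)", so the row stores the string '(null)' and WHERE src_ip IS NULL
 * never matches it. NULL for %s is undefined behaviour in standard C, so the
 * glibc result is reproduced explicitly here to keep the demo deterministic. */
static const char *alert_values_buggy(const char *src_ip)
{
    static char out[128];
    snprintf(out, sizeof out, "('%s')", src_ip ? src_ip : "(null)");
    return out;
}

/* Fix: drop the quotes together with the value. Emit an unquoted SQL NULL
 * for a NULL pointer, otherwise the quoted string. */
static const char *sql_str_or_null(char *out, size_t n, const char *s)
{
    if (s == NULL)
        snprintf(out, n, "NULL");
    else
        snprintf(out, n, "'%s'", s);
    return out;
}

/* VALUES fragment for the nullable text columns of the alert table. */
static const char *alert_values(const char *src_ip, const char *dst_ip,
                                const char *alertid, const char *user)
{
    static char out[512];
    char a[128], b[128], c[128], d[128];
    snprintf(out, sizeof out, "(%s, %s, %s, %s)",
             sql_str_or_null(a, sizeof a, src_ip),
             sql_str_or_null(b, sizeof b, dst_ip),
             sql_str_or_null(c, sizeof c, alertid),
             sql_str_or_null(d, sizeof d, user));
    return out;
}

int main(void)
{
    printf("buggy: %s\n", alert_values_buggy(NULL));
    printf("fixed: %s\n", alert_values(NULL, NULL, "1642404505.960511", NULL));
    return 0;
}
```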