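/* Above this many listening TCP sockets the per-port address variables are
 * not published (keep in sync with the log message in ArmClasses). */
enum { MAX_TCP_PORT_ADDR_ENTRIES = 512 };

/*
 * Append one LDT sample to 'out' (capacity 'outsz') as " 1.23", or " *1.23*"
 * when the slot is flagged anomalous.  Never writes past the end of 'out';
 * returns false when the sample did not fit so the caller can stop.
 */
static bool AppendLdtSample(char *out, size_t outsz, double value, bool is_anomaly)
{
    size_t used = strlen(out);

    if (used >= outsz)
    {
        return false;
    }

    size_t room = outsz - used;
    int wanted = is_anomaly
        ? snprintf(out + used, room, " *%.2f*", value)
        : snprintf(out + used, room, " %.2f", value);

    /* snprintf returns the length it needed; >= room means it was truncated */
    return wanted >= 0 && (size_t) wanted < room;
}

/*
 * Render the LDT ring buffer of observable 'i' into 'out' (capacity 'outsz'),
 * starting at the slot after LDT_POS and wrapping round so the sample at
 * LDT_POS -- the current one -- is printed last.  'anomaly_row' holds the
 * per-slot anomaly flags of the same observable.  Output is bounded: if the
 * history does not fit, the remaining samples are dropped instead of being
 * written past the end of 'out' (the previous version used unbounded strcat
 * and relied on LDT_BUFSIZE samples always fitting in CF_BUFSIZE).
 */
static void FormatLdtHistory(int i, const int anomaly_row[], char *out, size_t outsz)
{
    out[0] = '\0';

    int j = LDT_POS + 1;

    for (int k = 0; k < LDT_BUFSIZE; k++, j++)
    {
        if (j == LDT_BUFSIZE)   /* wrap */
        {
            j = 0;
        }

        if (!AppendLdtSample(out, outsz, LDT_BUF[i][j], anomaly_row[j] != 0))
        {
            break;
        }
    }
}

/*
 * Append one "<prefix>[<port>]=<value>" variable per entry in 'ports', using
 * ip->name as the key and ip->classes as the value (the layout the original
 * inline loops produced).  A NULL classes field is printed as "" instead of
 * being handed to %s: AppendItem is called with a NULL classes argument in
 * this very function, so items with a NULL classes field do exist.
 */
static void AddPortAddressVars(const char *prefix, const Item *ports, Item **classlist)
{
    char buff[CF_BUFSIZE];

    for (const Item *ip = ports; ip != NULL; ip = ip->next)
    {
        const char *value = (ip->classes != NULL) ? ip->classes : "";

        snprintf(buff, sizeof buff, "%s[%s]=%s", prefix, ip->name, value);
        AppendItem(classlist, buff, NULL);
    }
}

/*
 * Publish this run's measurements to the policy environment: for each
 * observable the deviation classes and variable (SetClasses/SetVariable),
 * plus a "<name>_high_ldt" class (also stored via
 * EvalContextHeapPersistentSave) when leap detection flags an anomaly; then
 * the listening-port classes and the per-port address variables.  'av' holds
 * the averages for the current time slot; 'timekey' names that slot and is
 * only passed through to SetClasses.
 *
 * 'anomaly' is static so each observable keeps one flag per LDT ring slot
 * across calls; only the slot at LDT_POS is rewritten here.
 */
static void ArmClasses(Averages av, char *timekey)
{
    Item *classlist = NULL;
    char buff[CF_BUFSIZE], ldt_buff[CF_BUFSIZE], name[CF_MAXVARSIZE];
    static int anomaly[CF_OBSERVABLES][LDT_BUFSIZE];
    extern Item *ALL_INCOMING;
    extern Item *MON_UDP4, *MON_UDP6, *MON_TCP4, *MON_TCP6;

    for (int i = 0; i < CF_OBSERVABLES; i++)
    {
        char desc[CF_BUFSIZE];  /* filled by GetObservable; not used here */

        GetObservable(i, name, desc);

        double sigma = SetClasses(name, CF_THIS[i], av.Q[i].expect, av.Q[i].var,
                                  LOCALAV.Q[i].expect, LOCALAV.Q[i].var, &classlist, timekey);
        SetVariable(name, CF_THIS[i], av.Q[i].expect, sigma, &classlist);

        /* LDT: the current slot counts as an anomaly only once the ring is
         * full and this observable's chi value exceeds its threshold. */
        bool ldt_anomaly = LDT_FULL && (CHI[i] > CHI_LIMIT[i]);
        anomaly[i][LDT_POS] = ldt_anomaly;

        if (ldt_anomaly)
        {
            Log(LOG_LEVEL_VERBOSE, "LDT(%d) in %s chi = %.2f thresh %.2f ", LDT_POS, name, CHI[i], CHI_LIMIT[i]);
        }

        /* Rendered history, most recent sample last.  Bounded by the buffer
         * size.  Note that nothing in this function consumes the string. */
        FormatLdtHistory(i, anomaly[i], ldt_buff, sizeof ldt_buff);

        if (ldt_anomaly)
        {
            /* NOTE(review): both branches build "<name>_high_ldt", so the
             * comparison has no effect; the else branch presumably meant
             * "_low_ldt".  Left unchanged because policies key on the class
             * name -- confirm before renaming. */
            if (CF_THIS[i] > av.Q[i].expect)
            {
                snprintf(buff, sizeof buff, "%s_high_ldt", name);
            }
            else
            {
                snprintf(buff, sizeof buff, "%s_high_ldt", name);
            }

            AppendItem(&classlist, buff, "2");
            EvalContextHeapPersistentSave(buff, "measurements", CF_PERSISTENCE, CONTEXT_STATE_POLICY_PRESERVE);
        }
    }

    SetMeasurementPromises(&classlist);

    /* Report on the open ports, in various ways */
    AddOpenPortsClasses("listening_ports", ALL_INCOMING, &classlist);
    AddOpenPortsClasses("listening_udp6_ports", MON_UDP6, &classlist);
    AddOpenPortsClasses("listening_udp4_ports", MON_UDP4, &classlist);
    AddOpenPortsClasses("listening_tcp6_ports", MON_TCP6, &classlist);
    AddOpenPortsClasses("listening_tcp4_ports", MON_TCP4, &classlist);

    /* Port addresses: TCP entries are skipped above a fixed count to keep the
     * published environment bounded; UDP entries are always reported. */
    if (ListLen(MON_TCP6) + ListLen(MON_TCP4) > MAX_TCP_PORT_ADDR_ENTRIES)
    {
        Log(LOG_LEVEL_INFO, "Disabling address information of TCP ports in LISTEN state: more than 512 listening ports are detected");
    }
    else
    {
        AddPortAddressVars("tcp6_port_addr", MON_TCP6, &classlist);
        AddPortAddressVars("tcp4_port_addr", MON_TCP4, &classlist);
    }

    AddPortAddressVars("udp6_port_addr", MON_UDP6, &classlist);
    AddPortAddressVars("udp4_port_addr", MON_UDP4, &classlist);

    PublishEnvironment(classlist);

    DeleteItemList(classlist);
}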
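/* A rendered port list of this many characters or more is not published */
enum { MAX_PORT_LIST_LEN = 1500 };

/*
 * Append one LDT sample (" 1.23", or " *1.23*" when flagged anomalous) to
 * 'out', which has capacity 'outsz'.  Never writes past the end; returns
 * false when the sample did not fit.
 */
static bool AppendLdtSampleBounded(char *out, size_t outsz, double value, int is_anomaly)
{
    size_t used = strlen(out);

    if (used >= outsz)
    {
        return false;
    }

    size_t room = outsz - used;
    int wanted = is_anomaly
        ? snprintf(out + used, room, " *%.2f*", value)
        : snprintf(out + used, room, " %.2f", value);

    /* snprintf reports the length it needed; >= room means truncation */
    return wanted >= 0 && (size_t) wanted < room;
}

/*
 * Render the LDT ring buffer of observable 'i' into 'out' (capacity
 * 'outsz'), walking from the slot after LDT_POS round to LDT_POS itself so
 * the most recent sample is printed last.  Stops, leaving a truncated
 * string, rather than overrunning 'out' (the previous version appended with
 * unbounded strcat and relied on LDT_BUFSIZE samples fitting in CF_BUFSIZE).
 */
static void LdtRingToString(int i, const int anomaly_row[], char *out, size_t outsz)
{
    out[0] = '\0';

    int j = LDT_POS + 1;

    for (int k = 0; k < LDT_BUFSIZE; k++, j++)
    {
        if (j == LDT_BUFSIZE)   /* wrap */
        {
            j = 0;
        }

        if (!AppendLdtSampleBounded(out, outsz, LDT_BUF[i][j], anomaly_row[j]))
        {
            break;
        }
    }
}

/*
 * Publish "@<varname>=<rendered list>" for one port list, unless the
 * rendered list is MAX_PORT_LIST_LEN characters or longer, in which case
 * nothing is appended (as the original inline code did).
 */
static void AddListeningPortsVar(const char *varname, Item *list, Item **classlist)
{
    char rendered[CF_BUFSIZE];
    char buff[CF_BUFSIZE];

    rendered[0] = '\0';
    PrintItemList(rendered, CF_BUFSIZE, list);

    if (strlen(rendered) < MAX_PORT_LIST_LEN)
    {
        snprintf(buff, sizeof buff, "@%s=%s", varname, rendered);
        AppendItem(classlist, buff, NULL);
    }
}

/*
 * Append "<prefix>[<name>]=<classes>" for each entry in 'ports', ip->name
 * being the key and ip->classes the value, as the original loops did.  A
 * NULL classes field is printed as "" rather than passed to %s; AppendItem
 * is called with a NULL classes argument in this function, so such items
 * exist.
 */
static void AddPortAddressVariables(const char *prefix, const Item *ports, Item **classlist)
{
    char buff[CF_BUFSIZE];

    for (const Item *ip = ports; ip != NULL; ip = ip->next)
    {
        const char *value = (ip->classes != NULL) ? ip->classes : "";

        snprintf(buff, sizeof buff, "%s[%s]=%s", prefix, ip->name, value);
        AppendItem(classlist, buff, NULL);
    }
}

/*
 * Publish this run's measurements to the policy environment: per-observable
 * deviation classes and variable (SetClasses/SetVariable), a persistent
 * "<name>_high_ldt" context when leap detection flags an anomaly, the
 * "@listening_*" port-list variables and the per-port address variables.
 * 'av' holds the averages for the current time slot; 'timekey' names it and
 * is passed through to SetClasses (and logged).
 *
 * 'anomaly' is static so each observable keeps one flag per LDT ring slot
 * across calls; only the slot at LDT_POS is rewritten here.
 *
 * NOTE(review): classlist is handed to MonPublishEnvironment and never freed
 * in this function -- presumably that call takes ownership; confirm,
 * otherwise this leaks one list per run.
 */
static void ArmClasses(Averages av, char *timekey)
{
    Item *classlist = NULL;
    char buff[CF_BUFSIZE], ldt_buff[CF_BUFSIZE], name[CF_MAXVARSIZE];
    static int anomaly[CF_OBSERVABLES][LDT_BUFSIZE];
    extern Item *ALL_INCOMING;
    extern Item *MON_UDP4, *MON_UDP6, *MON_TCP4, *MON_TCP6;

    CfDebug("Arm classes for %s\n", timekey);

    for (int i = 0; i < CF_OBSERVABLES; i++)
    {
        char desc[CF_BUFSIZE];  /* filled by GetObservable; not used here */

        GetObservable(i, name, desc);

        double sigma = SetClasses(name, CF_THIS[i], av.Q[i].expect, av.Q[i].var,
                                  LOCALAV.Q[i].expect, LOCALAV.Q[i].var, &classlist, timekey);
        SetVariable(name, CF_THIS[i], av.Q[i].expect, sigma, &classlist);

        /* LDT: the current slot is an anomaly only once the ring is full and
         * this observable's chi value exceeds its threshold. */
        int ldt_anomaly = LDT_FULL && (CHI[i] > CHI_LIMIT[i]);
        anomaly[i][LDT_POS] = ldt_anomaly;

        if (ldt_anomaly)
        {
            CfOut(cf_verbose, "", "LDT(%d) in %s chi = %.2f thresh %.2f \n", LDT_POS, name, CHI[i], CHI_LIMIT[i]);
        }

        /* Rendered history, most recent sample last; bounded by the buffer.
         * Nothing in this function consumes the string at present. */
        LdtRingToString(i, anomaly[i], ldt_buff, sizeof ldt_buff);

        if (ldt_anomaly)
        {
            /* NOTE(review): both branches build "<name>_high_ldt", so the
             * comparison has no effect; the else branch presumably meant
             * "_low_ldt".  Left unchanged because policies key on the class
             * name -- confirm before renaming. */
            if (CF_THIS[i] > av.Q[i].expect)
            {
                snprintf(buff, sizeof buff, "%s_high_ldt", name);
            }
            else
            {
                snprintf(buff, sizeof buff, "%s_high_ldt", name);
            }

            AppendItem(&classlist, buff, "2");
            NewPersistentContext(buff, CF_PERSISTENCE, cfpreserve);
        }
    }

    SetMeasurementPromises(&classlist);

    /* Report on the open ports, in various ways */
    AddListeningPortsVar("listening_ports", ALL_INCOMING, &classlist);
    AddListeningPortsVar("listening_udp6_ports", MON_UDP6, &classlist);
    AddListeningPortsVar("listening_udp4_ports", MON_UDP4, &classlist);
    AddListeningPortsVar("listening_tcp6_ports", MON_TCP6, &classlist);
    AddListeningPortsVar("listening_tcp4_ports", MON_TCP4, &classlist);

    /* Port addresses */
    AddPortAddressVariables("tcp6_port_addr", MON_TCP6, &classlist);
    AddPortAddressVariables("tcp4_port_addr", MON_TCP4, &classlist);
    AddPortAddressVariables("udp6_port_addr", MON_UDP6, &classlist);
    AddPortAddressVariables("udp4_port_addr", MON_UDP4, &classlist);

    MonPublishEnvironment(classlist);
}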
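/* Replace a negative stored statistic with zero.  The original labelled this
 * "overflow protection"; a negative q/expect/var cannot be a real measurement
 * and must not feed back into the averages. */
static void ClampNonNegative(double *v)
{
    if (*v < 0)
    {
        *v = 0;
    }
}

/*
 * Fold the measurements just taken (CF_THIS) into the stored weekly averages
 * for time slot 't' and into the running local averages (LOCALAV).
 *
 * Last week's values for the slot are read with GetCurrentAverages() and
 * clamped non-negative; each measurement is then passed through
 * RejectAnomaly() against them before being averaged in with WAverage().
 * The variance is reset to the current squared deviation when the stored
 * variance is more than twice it ("clean up past anomalies").  The new slot
 * is written back with UpdateAverages(), the distribution with
 * UpdateDistributions(), and the new averages are also returned.
 *
 * Exits the process if the average database cannot be read.
 */
static Averages EvalAvQ(EvalContext *ctx, char *t)
{
    /* Value of each observable from the previous call, used to form the
     * gradient dq.  This must survive between calls: the previous version
     * declared it as an automatic array, so it was read uninitialised on
     * every call (undefined behaviour) and the value saved at the bottom of
     * the loop was lost on return, leaving dq garbage-dependent.  Static
     * storage is zero-initialised, so the first call yields dq = 0. */
    static double last5_vals[CF_OBSERVABLES];

    Averages *lastweek_vals;
    Averages newvals = { 0 };   /* fields this function does not set are stored as zero, not stack garbage */
    double This[CF_OBSERVABLES];
    char name[CF_MAXVARSIZE];
    time_t now = time(NULL);

    Banner("Evaluating and storing new weekly averages");

    lastweek_vals = GetCurrentAverages(t);
    if (lastweek_vals == NULL)
    {
        Log(LOG_LEVEL_ERR, "Error reading average database");
        exit(1);
    }

    newvals.last_seen = now;  /* record the freshness of this slot */

    /* Discard any apparently anomalous behaviour before renormalizing database */

    for (int i = 0; i < CF_OBSERVABLES; i++)
    {
        char desc[CF_BUFSIZE];

        name[0] = '\0';
        GetObservable(i, name, desc);

        /* lastweek_vals is last week's stored data; sanitise it first */
        ClampNonNegative(&lastweek_vals->Q[i].expect);
        ClampNonNegative(&lastweek_vals->Q[i].q);
        ClampNonNegative(&lastweek_vals->Q[i].var);

        This[i] = RejectAnomaly(CF_THIS[i], lastweek_vals->Q[i].expect, lastweek_vals->Q[i].var,
                                LOCALAV.Q[i].expect, LOCALAV.Q[i].var);

        newvals.Q[i].q = This[i];
        LOCALAV.Q[i].q = This[i];

        Log(LOG_LEVEL_DEBUG, "Previous week's '%s.q' %lf", name, lastweek_vals->Q[i].q);
        Log(LOG_LEVEL_DEBUG, "Previous week's '%s.var' %lf", name, lastweek_vals->Q[i].var);
        Log(LOG_LEVEL_DEBUG, "Previous week's '%s.ex' %lf", name, lastweek_vals->Q[i].expect);

        Log(LOG_LEVEL_DEBUG, "Just measured: CF_THIS[%s] = %lf", name, CF_THIS[i]);
        Log(LOG_LEVEL_DEBUG, "Just sanitized: This[%s] = %lf", name, This[i]);

        newvals.Q[i].expect = WAverage(This[i], lastweek_vals->Q[i].expect, WAGE);
        LOCALAV.Q[i].expect = WAverage(newvals.Q[i].expect, LOCALAV.Q[i].expect, ITER);

        /* Gradient against the value "from five minutes ago" (the previous
         * call); zero until a positive previous value exists. */
        double dq = (last5_vals[i] > 0) ? (newvals.Q[i].q - last5_vals[i]) : 0;
        newvals.Q[i].dq = dq;
        LOCALAV.Q[i].dq = dq;

        last5_vals[i] = newvals.Q[i].q;

        double delta2 = (This[i] - lastweek_vals->Q[i].expect) * (This[i] - lastweek_vals->Q[i].expect);

        if (lastweek_vals->Q[i].var > delta2 * 2.0)
        {
            /* Clean up past anomalies */
            newvals.Q[i].var = delta2;
        }
        else
        {
            newvals.Q[i].var = WAverage(delta2, lastweek_vals->Q[i].var, WAGE);
        }
        LOCALAV.Q[i].var = WAverage(newvals.Q[i].var, LOCALAV.Q[i].var, ITER);

        Log(LOG_LEVEL_VERBOSE, "[%d] %s q=%lf, var=%lf, ex=%lf", i, name,
              newvals.Q[i].q, newvals.Q[i].var, newvals.Q[i].expect);

        Log(LOG_LEVEL_VERBOSE, "[%d] = %lf -> (%lf#%lf) local [%lf#%lf]", i, This[i], newvals.Q[i].expect,
              sqrt(newvals.Q[i].var), LOCALAV.Q[i].expect, sqrt(LOCALAV.Q[i].var));

        if (This[i] > 0)
        {
            Log(LOG_LEVEL_VERBOSE, "Storing %.2lf in %s", This[i], name);
        }
    }

    UpdateAverages(ctx, t, newvals);
    UpdateDistributions(ctx, t, lastweek_vals);        /* Distribution about mean */

    return newvals;
}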
/*
 * Evaluate this run's measurements (CF_THIS) against the averages stored
 * for time slot 't', update both the stored weekly averages and the running
 * local averages (LOCALAV), and return the new slot values.
 *
 * The stored q/expect/var are clamped non-negative, each measurement is
 * passed through RejectAnomaly() against them, and the results are blended
 * in with WAverage().  When the stored variance is more than twice the
 * current squared deviation it is replaced by that deviation ("clean up
 * past anomalies").  UpdateAverages() writes the new slot back and
 * UpdateDistributions() the distribution about the mean.
 *
 * Exits the process if the average database cannot be read.
 */
static Averages EvalAvQ(char *t)
{
    Averages *stored;
    Averages fresh;
    double clean[CF_OBSERVABLES];
    char name[CF_MAXVARSIZE];

    Banner("Evaluating and storing new weekly averages");

    stored = GetCurrentAverages(t);
    if (stored == NULL)
    {
        CfOut(cf_error, "", "Error reading average database");
        exit(1);
    }

    /* Discard any apparently anomalous behaviour before renormalizing database */

    for (int i = 0; i < CF_OBSERVABLES; i++)
    {
        char desc[CF_BUFSIZE];

        name[0] = '\0';
        GetObservable(i, name, desc);

        /* Negative stored statistics are treated as zero
         * (the original called this "overflow protection") */
        if (stored->Q[i].expect < 0)
        {
            stored->Q[i].expect = 0;
        }
        if (stored->Q[i].q < 0)
        {
            stored->Q[i].q = 0;
        }
        if (stored->Q[i].var < 0)
        {
            stored->Q[i].var = 0;
        }

        double prev_q = stored->Q[i].q;
        double prev_expect = stored->Q[i].expect;
        double prev_var = stored->Q[i].var;

        clean[i] = RejectAnomaly(CF_THIS[i], prev_expect, prev_var, LOCALAV.Q[i].expect, LOCALAV.Q[i].var);

        fresh.Q[i].q = clean[i];
        LOCALAV.Q[i].q = clean[i];

        CfDebug("Current %s.q %lf\n", name, prev_q);
        CfDebug("Current %s.var %lf\n", name, prev_var);
        CfDebug("Current %s.ex %lf\n", name, prev_expect);
        CfDebug("CF_THIS[%s] = %lf\n", name, CF_THIS[i]);
        CfDebug("This[%s] = %lf\n", name, clean[i]);

        fresh.Q[i].expect = WAverage(clean[i], prev_expect, WAGE);
        LOCALAV.Q[i].expect = WAverage(fresh.Q[i].expect, LOCALAV.Q[i].expect, ITER);

        /* Gradient relative to the value stored for this slot */
        double dq = fresh.Q[i].q - prev_q;
        fresh.Q[i].dq = dq;
        LOCALAV.Q[i].dq = dq;

        double deviation = clean[i] - prev_expect;
        double delta2 = deviation * deviation;

        /* Clean up past anomalies: a stored variance far above the current
         * squared deviation is replaced rather than averaged */
        fresh.Q[i].var = (prev_var > delta2 * 2.0) ? delta2 : WAverage(delta2, prev_var, WAGE);
        LOCALAV.Q[i].var = WAverage(fresh.Q[i].var, LOCALAV.Q[i].var, ITER);

        CfOut(cf_verbose, "", "[%d] %s q=%lf, var=%lf, ex=%lf", i, name,
              fresh.Q[i].q, fresh.Q[i].var, fresh.Q[i].expect);

        CfOut(cf_verbose, "", "[%d] = %lf -> (%lf#%lf) local [%lf#%lf]\n", i, clean[i], fresh.Q[i].expect,
              sqrt(fresh.Q[i].var), LOCALAV.Q[i].expect, sqrt(LOCALAV.Q[i].var));

        if (clean[i] > 0)
        {
            CfOut(cf_verbose, "", "Storing %.2lf in %s\n", clean[i], name);
        }
    }

    UpdateAverages(t, fresh);
    UpdateDistributions(t, stored);        /* Distribution about mean */

    return fresh;
}