sbool Sagan_BroIntel_IPADDR ( uint32_t ip )
{
int i;
/* If RFC1918, we can short circuit here */
if ( is_rfc1918(ip))
{
if ( debug->debugbrointel )
{
Sagan_Log(S_DEBUG, "[%s, line %d] %u is RFC1918, link local or invalid.", __FILE__, __LINE__, ip);
}
return(false);
}
/* Search array for for the IP address */
for ( i = 0; i < counters->brointel_addr_count; i++)
{
if ( Sagan_BroIntel_Intel_Addr[i].u32_ip == ip )
{
if ( debug->debugbrointel )
{
Sagan_Log(S_DEBUG, "[%s, line %d] Found IP %u.", __FILE__, __LINE__, ip);
}
return(true);
}
}
return(false);
}
std::string BGP::api_get_private_origin_as(BGP* bgp,
std::vector<std::string> &tokens) {
if (tokens.size() < 4) {
return "{\"entries\":[\"prefix\":\"invalid number of parameters\"]}";
}
bgp->lock_adj_rib_in();
uint32_t asn = string_to_uint32_t(tokens[2]);
uint32_t length = string_to_uint32_t(tokens[3]);
// container to hold matches
std::vector<prefix_matches> ip_matches;
uint8_t len = 0;
for (bgp_adj_rib::iterator it_entry = bgp->get_adj_rib_in().begin();
it_entry != bgp->get_adj_rib_in().end(); ++it_entry) {
if (it_entry->second.as_path != nullptr) {
len = (it_entry->second.as_path->length - 1);
// if is rfc1918 then lets check the length
if (is_rfc1918(it_entry->second.nlri.prefix)) {
// we only want blocks larger than or equal to length
if (it_entry->second.nlri.prefix_length <= length) {
if (it_entry->second.as_path->seg_value[len] == asn) {
ip_matches.push_back({it_entry->second.nlri.prefix,
it_entry->second.nlri.prefix_length});
}
}
}
}
}
bgp->unlock_adj_rib_in();
std::stringstream s_s;
s_s.clear();
s_s << "{\"entries\":[";
if (!ip_matches.empty()) {
std::vector<prefix_matches>::iterator it_match;
for (it_match = ip_matches.begin();
it_match != ip_matches.end();
++it_match) {
s_s << "\"" << ip_to_string(it_match->ip) << '/'
<< (int) it_match->length << "\"";
if ((it_match + 1) != ip_matches.end()) {
s_s << ",";
}
}
}
s_s << "]}";
return s_s.str();
}
int Sagan_Bluedot_Lookup(char *data, unsigned char type)
{
char tmpurl[1024] = { 0 };
char tmpdeviceid[64] = { 0 };
CURL *curl;
CURLcode res;
struct curl_slist *headers = NULL;
char *response=NULL;
struct json_object *json_in = NULL;
const char *cat=NULL;
char cattmp[128] = { 0 };
char *saveptr=NULL;
signed char bluedot_alertid = 0; /* -128 to 127 */
int i;
char timet[20] = { 0 };
time_t t;
struct tm *now=NULL;
uint64_t ip = 0;
t = time(NULL);
now=localtime(&t);
strftime(timet, sizeof(timet), "%s", now);
/************************************************************************/
/* Lookup types */
/************************************************************************/
/* IP Address Lookup */
if ( type == BLUEDOT_LOOKUP_IP )
{
ip = IP2Bit(data);
if ( is_rfc1918(ip) )
{
if ( debug->debugbluedot )
{
Sagan_Log(S_DEBUG, "[%s, line %d] %s is RFC1918.", __FILE__, __LINE__, data);
}
return(false);
}
for (i=0; i<counters->bluedot_ip_cache_count; i++)
{
if ( ip == SaganBluedotIPCache[i].host)
{
if (debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Pulled %s (%u) from Bluedot cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotIPCache[i].host, SaganBluedotIPCache[i].alertid);
}
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_ip_cache_hit++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
return(SaganBluedotIPCache[i].alertid);
}
}
/* Check Bluedot IP Queue, make sure we aren't looking up something that is already being looked up */
for (i=0; i < bluedot_ip_queue; i++)
{
if ( ip == SaganBluedotIPQueue[i].host )
{
if (debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] %s (%u) is already being looked up. Skipping....", __FILE__, __LINE__, data, SaganBluedotIPQueue[i].host);
}
return(false);
}
}
/* If not in Bluedot IP queue, add it */
pthread_mutex_lock(&SaganProcBluedotIPWorkMutex);
SaganBluedotIPQueue = (_Sagan_Bluedot_IP_Queue *) realloc(SaganBluedotIPQueue, (bluedot_ip_queue+1) * sizeof(_Sagan_Bluedot_IP_Queue));
SaganBluedotIPQueue[bluedot_ip_queue].host = ip;
bluedot_ip_queue++;
pthread_mutex_unlock(&SaganProcBluedotIPWorkMutex);
if (debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Going to query IP %s (%u) from Bluedot.", __FILE__, __LINE__, data, ip);
}
snprintf(tmpurl, sizeof(tmpurl), "%s%s%s", config->bluedot_url, BLUEDOT_IP_LOOKUP_URL, data);
} /* BLUEDOT_LOOKUP_IP */
if ( type == BLUEDOT_LOOKUP_HASH )
{
for (i=0; i<counters->bluedot_hash_cache_count; i++)
{
if (!strcmp(data, SaganBluedotHashCache[i].hash))
{
if (debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Pulled file hash '%s' from Bluedot hash cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotHashCache[i].alertid);
}
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_hash_cache_hit++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
return(SaganBluedotHashCache[i].alertid);
}
}
snprintf(tmpurl, sizeof(tmpurl), "%s%s%s", config->bluedot_url, BLUEDOT_HASH_LOOKUP_URL, data);
}
if ( type == BLUEDOT_LOOKUP_URL )
{
for (i=0; i<counters->bluedot_url_cache_count; i++)
{
if (!strcmp(data, SaganBluedotURLCache[i].url))
{
if (debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Pulled file URL '%s' from Bluedot URL cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotURLCache[i].alertid);
}
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_url_cache_hit++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
return(SaganBluedotURLCache[i].alertid);
}
}
snprintf(tmpurl, sizeof(tmpurl), "%s%s%s", config->bluedot_url, BLUEDOT_URL_LOOKUP_URL, data);
}
if ( type == BLUEDOT_LOOKUP_FILENAME )
{
for (i=0; i<counters->bluedot_filename_cache_count; i++)
{
if (!strcmp(data, SaganBluedotFilenameCache[i].filename))
{
if (debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Pulled file filename '%s' from Bluedot filename cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotFilenameCache[i].alertid);
}
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_filename_cache_hit++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
return(SaganBluedotFilenameCache[i].alertid);
}
}
snprintf(tmpurl, sizeof(tmpurl), "%s%s%s", config->bluedot_url, BLUEDOT_FILENAME_LOOKUP_URL, data);
}
snprintf(tmpdeviceid, sizeof(tmpdeviceid), "X-BLUEDOT-DEVICEID: %s", config->bluedot_device_id);
curl = curl_easy_init();
if (curl)
{
curl_easy_setopt(curl, CURLOPT_URL, tmpurl);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback_func);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1); /* WIll send SIGALRM if not set */
headers = curl_slist_append (headers, BLUEDOT_PROCESSOR_USER_AGENT);
headers = curl_slist_append (headers, tmpdeviceid);
// headers = curl_slist_append (headers, "X-Bluedot-Verbose: 1"); /* For more verbose output */
curl_easy_setopt(curl, CURLOPT_HTTPHEADER , headers );
res = curl_easy_perform(curl);
}
curl_easy_cleanup(curl);
if ( response == NULL )
{
Sagan_Log(S_WARN, "[%s, line %d] Bluedot returned a empty \"response\".", __FILE__, __LINE__);
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_error_count++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
Sagan_Bluedot_Clean_Queue(data, type);
return(false);
}
json_in = json_tokener_parse(response);
if ( type == BLUEDOT_LOOKUP_IP )
{
cat = json_object_get_string(json_object_object_get(json_in, "qipcode"));
}
else if ( type == BLUEDOT_LOOKUP_HASH )
{
cat = json_object_get_string(json_object_object_get(json_in, "qhashcode"));
}
else if ( type == BLUEDOT_LOOKUP_URL )
{
cat = json_object_get_string(json_object_object_get(json_in, "qurlcode"));
}
else if ( type == BLUEDOT_LOOKUP_FILENAME )
{
cat = json_object_get_string(json_object_object_get(json_in, "qfilenamecode"));
}
if ( cat == NULL )
{
Sagan_Log(S_WARN, "Bluedot return a bad category.");
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_error_count++; // DEBUG <- Total error count
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
Sagan_Bluedot_Clean_Queue(data, type);
return(false);
}
/* strtok_r() doesn't like const char *cat */
snprintf(cattmp, sizeof(cattmp), "%s", cat);
strtok_r(cattmp, "\"", &saveptr);
bluedot_alertid = atoi(strtok_r(NULL, "\"", &saveptr));
if ( debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Bluedot return category \"%d\" for %s.", __FILE__, __LINE__, bluedot_alertid, data);
}
if ( bluedot_alertid == -1 )
{
Sagan_Log(S_WARN, "Bluedot reports an invalid API key. Lookup aborted!");
counters->bluedot_error_count++;
return(false);
}
/************************************************************************/
/* Add entries to cache */
/************************************************************************/
/* IP Address lookup */
if ( type == BLUEDOT_LOOKUP_IP )
{
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_ip_total++;
SaganBluedotIPCache = (_Sagan_Bluedot_IP_Cache *) realloc(SaganBluedotIPCache, (counters->bluedot_ip_cache_count+1) * sizeof(_Sagan_Bluedot_IP_Cache));
SaganBluedotIPCache[counters->bluedot_ip_cache_count].host = ip;
SaganBluedotIPCache[counters->bluedot_ip_cache_count].utime = atol(timet); /* store utime */
SaganBluedotIPCache[counters->bluedot_ip_cache_count].alertid = bluedot_alertid;
counters->bluedot_ip_cache_count++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
}
/* File hash lookup */
else if ( type == BLUEDOT_LOOKUP_HASH )
{
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_hash_total++;
SaganBluedotHashCache = (_Sagan_Bluedot_Hash_Cache *) realloc(SaganBluedotHashCache, (counters->bluedot_hash_cache_count+1) * sizeof(_Sagan_Bluedot_Hash_Cache));
strlcpy(SaganBluedotHashCache[counters->bluedot_hash_cache_count].hash, data, sizeof(SaganBluedotHashCache[counters->bluedot_hash_cache_count].hash));
SaganBluedotHashCache[counters->bluedot_hash_cache_count].utime = atol(timet); /* store utime */
SaganBluedotHashCache[counters->bluedot_hash_cache_count].alertid = bluedot_alertid;
counters->bluedot_hash_cache_count++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
}
/* URL lookup */
else if ( type == BLUEDOT_LOOKUP_URL )
{
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_url_total++;
SaganBluedotURLCache = (_Sagan_Bluedot_URL_Cache *) realloc(SaganBluedotURLCache, (counters->bluedot_url_cache_count+1) * sizeof(_Sagan_Bluedot_URL_Cache));
strlcpy(SaganBluedotURLCache[counters->bluedot_url_cache_count].url, data, sizeof(SaganBluedotURLCache[counters->bluedot_url_cache_count].url));
SaganBluedotURLCache[counters->bluedot_url_cache_count].utime = atol(timet); /* store utime */
SaganBluedotURLCache[counters->bluedot_url_cache_count].alertid = bluedot_alertid;
counters->bluedot_url_cache_count++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
}
/* Filename Lookup */
else if ( type == BLUEDOT_LOOKUP_FILENAME )
{
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_filename_total++;
SaganBluedotFilenameCache = (_Sagan_Bluedot_Filename_Cache *) realloc(SaganBluedotFilenameCache, (counters->bluedot_filename_cache_count+1) * sizeof(_Sagan_Bluedot_Filename_Cache));
strlcpy(SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].filename, data, sizeof(SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].filename));
SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].utime = atol(timet);
SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].alertid = bluedot_alertid;
counters->bluedot_filename_cache_count++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
}
Sagan_Bluedot_Clean_Queue(data, type); /* Remove item for "queue" */
json_object_put(json_in); /* Clear json_in as we're done with it */
return(bluedot_alertid);
}
