int Netaddr_To_Range( char *ipstr, unsigned char *out )
{
int mask;
char *t = NULL;
char _t = '\0';
int maxmask = NULL != strchr(ipstr, ':') ? 128 : 32;
if ( ( t = strchr(ipstr, '/') ) )
{
mask = atoi(t+1);
}
else
{
mask = maxmask;
}
if (t != NULL)
{
_t = t[0];
t[0] = '\0';
}
IP2Bit(ipstr, out);
if (t != NULL)
{
t[0] = _t;
}
Mask2Bit(mask, out+16);
return mask != maxmask;
} /* netaddr_to_range() */
sbool Sagan_BroIntel_IPADDR_All ( char *syslog_message )
{
int i;
int b;
uint32_t ip;
char *results = NULL;
for (i = 1; i < MAX_PARSE_IP; i++)
{
results = Sagan_Parse_IP(syslog_message, i);
/* Failed to find next IP, short circuit the process */
if (!strcmp(results, "0"))
{
return(false);
}
ip = IP2Bit(results);
for ( b = 0; b < counters->brointel_addr_count; b++ )
{
if ( Sagan_BroIntel_Intel_Addr[b].u32_ip == ip )
{
return(true);
}
}
}
return(false);
}
int Sagan_Flowbit_Condition(int rule_position, char *ip_src_char, char *ip_dst_char )
{
time_t t;
struct tm *now;
char timet[20];
char tmp[128] = { 0 };
char *tmp_flowbit_name = NULL;
char *tok = NULL;
int i;
int a;
uint32_t ip_src;
uint32_t ip_dst;
sbool flowbit_match = 0;
int flowbit_total_match = 0;
t = time(NULL);
now=localtime(&t);
strftime(timet, sizeof(timet), "%s", now);
ip_src = IP2Bit(ip_src_char);
ip_dst = IP2Bit(ip_dst_char);
int and_or = 0;
Sagan_Flowbit_Cleanup();
for (i = 0; i < rulestruct[rule_position].flowbit_count; i++)
{
/*******************
* ISSET *
*******************/
if ( rulestruct[rule_position].flowbit_type[i] == 3 )
{
for (a = 0; a < counters_ipc->flowbit_count; a++)
{
strlcpy(tmp, rulestruct[rule_position].flowbit_name[i], sizeof(tmp));
if (Sagan_strstr(rulestruct[rule_position].flowbit_name[i], "|"))
{
tmp_flowbit_name = strtok_r(tmp, "|", &tok);
and_or = 1;
}
else
{
tmp_flowbit_name = strtok_r(tmp, "&", &tok);
and_or = 0; /* Need this? */
}
while (tmp_flowbit_name != NULL )
{
if (!strcmp(tmp_flowbit_name, flowbit_ipc[a].flowbit_name) &&
flowbit_ipc[a].flowbit_state == 1 )
{
/* direction: none */
if ( rulestruct[rule_position].flowbit_direction[i] == 0 )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"isset\" flowbit \"%s\" (direction: \"none\"). (any -> any)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name);
}
flowbit_total_match++;
}
/* direction: both */
if ( rulestruct[rule_position].flowbit_direction[i] == 1 &&
flowbit_ipc[a].ip_src == ip_src &&
flowbit_ipc[a].ip_dst == ip_dst )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"isset\" flowbit \"%s\" (direction: \"both\"). (%s -> %s)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name, ip_src_char, ip_dst_char);
}
flowbit_total_match++;
}
/* direction: by_src */
if ( rulestruct[rule_position].flowbit_direction[i] == 2 &&
flowbit_ipc[a].ip_src == ip_src )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"isset\" flowbit \"%s\" (direction: \"by_src\"). (%s -> any)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name, ip_src_char);
}
flowbit_total_match++;
}
/* direction: by_dst */
if ( rulestruct[rule_position].flowbit_direction[i] == 3 &&
flowbit_ipc[a].ip_dst == ip_dst )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"isset\" flowbit \"%s\" (direction: \"by_dst\"). (any -> %s)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name, ip_dst_char);
}
flowbit_total_match++;
}
/* direction: reverse */
if ( rulestruct[rule_position].flowbit_direction[i] == 4 &&
flowbit_ipc[a].ip_src == ip_dst &&
flowbit_ipc[a].ip_dst == ip_src )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"isset\" flowbit \"%s\" (direction: \"reverse\"). (%s -> %s)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name, ip_dst_char, ip_src_char);
}
flowbit_total_match++;
}
} /* End of strcmp flowbit_name & flowbit_state = 1 */
if ( and_or == 1)
{
tmp_flowbit_name = strtok_r(NULL, "|", &tok);
}
else
{
tmp_flowbit_name = strtok_r(NULL, "&", &tok);
}
} /* End of "while tmp_flowbit_name" */
} /* End of "for a" */
} /* End "if" flowbit_type == 3 (ISSET) */
/*******************
* ISNOTSET *
*******************/
if ( rulestruct[rule_position].flowbit_type[i] == 4 )
{
flowbit_match = 0;
for (a = 0; a < counters_ipc->flowbit_count; a++)
{
strlcpy(tmp, rulestruct[rule_position].flowbit_name[i], sizeof(tmp));
if (Sagan_strstr(rulestruct[rule_position].flowbit_name[i], "|"))
{
tmp_flowbit_name = strtok_r(tmp, "|", &tok);
and_or = 1;
}
else
{
tmp_flowbit_name = strtok_r(tmp, "&", &tok);
and_or = 0; /* Need this? */
}
while (tmp_flowbit_name != NULL )
{
if (!strcmp(tmp_flowbit_name, flowbit_ipc[a].flowbit_name))
{
flowbit_match=1;
if ( flowbit_ipc[a].flowbit_state == 0 )
{
/* direction: none */
if ( rulestruct[rule_position].flowbit_direction[i] == 0 )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"isnotset\" flowbit \"%s\" (direction: \"none\"). (any -> any)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name);
}
flowbit_total_match++;
}
/* direction: both */
if ( rulestruct[rule_position].flowbit_direction[i] == 1 )
{
if ( flowbit_ipc[a].ip_src == ip_src &&
flowbit_ipc[a].ip_dst == ip_dst )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"isnotset\" flowbit \"%s\" (direction: \"both\"). (%s -> %s)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name, ip_src_char, ip_dst_char);
}
flowbit_total_match++;
}
}
/* direction: by_src */
if ( rulestruct[rule_position].flowbit_direction[i] == 2 )
{
if ( flowbit_ipc[a].ip_src == ip_src )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"isnotset\" flowbit \"%s\" (direction: \"by_src\"). (%s -> any)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name, ip_src_char);
}
flowbit_total_match++;
}
}
/* direction: by_dst */
if ( rulestruct[rule_position].flowbit_direction[i] == 3 )
{
if ( flowbit_ipc[a].ip_dst == ip_dst )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"isnotset\" flowbit \"%s\" (direction: \"by_dst\"). (any -> %s)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name, ip_dst_char);
}
flowbit_total_match++;
}
}
/* direction: reverse */
if ( rulestruct[rule_position].flowbit_direction[i] == 4 )
{
if ( flowbit_ipc[a].ip_src == ip_dst &&
flowbit_ipc[a].ip_dst == ip_src )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"isnotset\" flowbit \"%s\" (direction: \"reverse\"). (%s -> %s)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name, ip_dst_char, ip_src_char);
}
flowbit_total_match++;
}
}
} /* End flowbit_state == 0 */
} /* End of strcmp flowbit_name */
if ( and_or == 1)
{
tmp_flowbit_name = strtok_r(NULL, "|", &tok);
}
else
{
tmp_flowbit_name = strtok_r(NULL, "&", &tok);
}
} /* End of "while tmp_flowbit_name" */
} /* End of "for a" */
if ( and_or == 1 && flowbit_match == 1 )
{
flowbit_total_match = rulestruct[rule_position].flowbit_condition_count; /* Do we even need this for OR? */
}
if ( and_or == 0 && flowbit_match == 0 )
{
flowbit_total_match = rulestruct[rule_position].flowbit_condition_count;
}
} /* End of "flowbit_type[i] == 4" */
} /* End of "for i" */
/* IF we match all criteria for isset/isnotset
*
* If we match the flowbit_conditon_count (number of concurrent flowbits)
* we trigger. It it's an "or" statement, we trigger if any of the
* flowbits are set.
*
*/
if ( ( rulestruct[rule_position].flowbit_condition_count == flowbit_total_match ) || ( and_or == 1 && flowbit_total_match != 0 ) )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Condition of flowbit returning TRUE. %d %d", __FILE__, __LINE__, rulestruct[rule_position].flowbit_condition_count, flowbit_total_match);
}
return(true);
}
/* isset/isnotset failed. */
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Condition of flowbit returning FALSE. %d %d", __FILE__, __LINE__, rulestruct[rule_position].flowbit_condition_count, flowbit_total_match);
}
return(false);
} /* End of Sagan_Flowbit_Condition(); */
void Sagan_Flowbit_Set(int rule_position, char *ip_src_char, char *ip_dst_char )
{
int i = 0;
int a = 0;
time_t t;
struct tm *now;
char timet[20];
char tmp[128] = { 0 };
char *tmp_flowbit_name = NULL;
char *tok = NULL;
sbool flowbit_match = 0;
sbool flowbit_unset_match = 0;
uint32_t ip_src = 0;
uint32_t ip_dst = 0;
ip_src = IP2Bit(ip_src_char);
ip_dst = IP2Bit(ip_dst_char);
t = time(NULL);
now=localtime(&t);
strftime(timet, sizeof(timet), "%s", now);
struct _Sagan_Flowbit_Track *flowbit_track;
flowbit_track = malloc(sizeof(_Sagan_Flowbit_Track));
if ( flowbit_track == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to allocate memory for flowbit_track. Abort!", __FILE__, __LINE__);
}
memset(flowbit_track, 0, sizeof(_Sagan_Flowbit_Track));
int flowbit_track_count = 0;
Sagan_Flowbit_Cleanup();
for (i = 0; i < rulestruct[rule_position].flowbit_count; i++)
{
/*******************
* UNSET *
*******************/
if ( rulestruct[rule_position].flowbit_type[i] == 2 )
{
/* Flowbits & (ie - bit1&bit2) */
strlcpy(tmp, rulestruct[rule_position].flowbit_name[i], sizeof(tmp));
tmp_flowbit_name = strtok_r(tmp, "&", &tok);
while( tmp_flowbit_name != NULL )
{
for (a = 0; a < counters_ipc->flowbit_count; a++)
{
if ( !strcmp(tmp_flowbit_name, flowbit_ipc[a].flowbit_name ))
{
/* direction: none */
if ( rulestruct[rule_position].flowbit_direction[i] == 0 )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"unset\" flowbit \"%s\" (direction: \"none\"). (any -> any)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name);
}
Sagan_File_Lock(config->shm_flowbit);
flowbit_ipc[a].flowbit_state = 0;
Sagan_File_Unlock(config->shm_flowbit);
flowbit_unset_match = 1;
}
/* direction: both */
if ( rulestruct[rule_position].flowbit_direction[i] == 1 &&
flowbit_ipc[a].ip_src == ip_src &&
flowbit_ipc[a].ip_dst == ip_dst )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"unset\" flowbit \"%s\" (direction: \"both\"). (%s -> %s)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name, ip_src_char, ip_dst_char);
}
Sagan_File_Lock(config->shm_flowbit);
flowbit_ipc[a].flowbit_state = 0;
Sagan_File_Unlock(config->shm_flowbit);
flowbit_unset_match = 1;
}
/* direction: by_src */
if ( rulestruct[rule_position].flowbit_direction[i] == 2 &&
flowbit_ipc[a].ip_src == ip_src )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"unset\" flowbit \"%s\" (direction: \"by_src\"). (%s -> any)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name, ip_src_char);
}
Sagan_File_Lock(config->shm_flowbit);
flowbit_ipc[a].flowbit_state = 0;
Sagan_File_Unlock(config->shm_flowbit);
flowbit_unset_match = 1;
}
/* direction: by_dst */
if ( rulestruct[rule_position].flowbit_direction[i] == 3 &&
flowbit_ipc[a].ip_dst == ip_dst )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"unset\" flowbit \"%s\" (direction: \"by_dst\"). (any -> %s)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name, ip_dst_char);
}
Sagan_File_Lock(config->shm_flowbit);
flowbit_ipc[a].flowbit_state = 0;
Sagan_File_Unlock(config->shm_flowbit);
flowbit_unset_match = 1;
}
/* direction: reverse */
if ( rulestruct[rule_position].flowbit_direction[i] == 4 &&
flowbit_ipc[a].ip_dst == ip_src &&
flowbit_ipc[a].ip_src == ip_dst )
{
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] \"unset\" flowbit \"%s\" (direction: \"reverse\"). (%s -> %s)", __FILE__, __LINE__, flowbit_ipc[a].flowbit_name, ip_dst_char, ip_src_char);
}
Sagan_File_Lock(config->shm_flowbit);
flowbit_ipc[a].flowbit_state = 0;
Sagan_File_Unlock(config->shm_flowbit);
flowbit_unset_match = 1;
}
}
}
if ( debug->debugflowbit && flowbit_unset_match == 0 )
{
Sagan_Log(S_DEBUG, "[%s, line %d] No flowbit found to \"unset\" for %s.", __FILE__, __LINE__, tmp_flowbit_name);
}
tmp_flowbit_name = strtok_r(NULL, "&", &tok);
}
} /* While & flowbits (ie - bit1&bit2) */
/*******************
* SET *
*******************/
if ( rulestruct[rule_position].flowbit_type[i] == 1 )
{
flowbit_match = 0;
/* Flowbits & (ie - bit1&bit2) */
strlcpy(tmp, rulestruct[rule_position].flowbit_name[i], sizeof(tmp));
tmp_flowbit_name = strtok_r(tmp, "&", &tok);
while( tmp_flowbit_name != NULL )
{
for (a = 0; a < counters_ipc->flowbit_count; a++)
{
/* Do we have the flowbit already in memory? If so, update the information */
if (!strcmp(flowbit_ipc[a].flowbit_name, tmp_flowbit_name) &&
flowbit_ipc[a].ip_src == ip_src &&
flowbit_ipc[a].ip_dst == ip_dst )
{
Sagan_File_Lock(config->shm_flowbit);
flowbit_ipc[a].flowbit_expire = atol(timet) + rulestruct[rule_position].flowbit_timeout[i];
flowbit_ipc[a].flowbit_state = 1;
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] [%d] Updated via \"set\" for flowbit \"%s\", [%d]. New expire time is %d (%d) [%u -> %u]. ", __FILE__, __LINE__, a, tmp_flowbit_name, i, flowbit_ipc[i].flowbit_expire, rulestruct[rule_position].flowbit_timeout[i], flowbit_ipc[a].ip_src, flowbit_ipc[a].ip_dst);
}
Sagan_File_Unlock(config->shm_flowbit);
flowbit_match = 1;
}
}
/* If the flowbit isn't in memory, store it to be created later */
if ( flowbit_match == 0 )
{
flowbit_track = ( _Sagan_Flowbit_Track * ) realloc(flowbit_track, (flowbit_track_count+1) * sizeof(_Sagan_Flowbit_Track));
if ( flowbit_track == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for flow_track. Abort!", __FILE__, __LINE__);
}
strlcpy(flowbit_track[flowbit_track_count].flowbit_name, tmp_flowbit_name, sizeof(flowbit_track[flowbit_track_count].flowbit_name));
flowbit_track[flowbit_track_count].flowbit_timeout = rulestruct[rule_position].flowbit_timeout[i];
flowbit_track_count++;
}
tmp_flowbit_name = strtok_r(NULL, "&", &tok);
} /* While & flowbits (ie - bit1&bit2) */
} /* if flowbit_type == 1 */
} /* Out of for i loop */
/* Do we have any flowbits in memory that need to be created? */
if ( flowbit_track_count != 0 )
{
for (i = 0; i < flowbit_track_count; i++)
{
if ( Sagan_Clean_IPC_Object(FLOWBIT) == 0 )
{
Sagan_File_Lock(config->shm_flowbit);
flowbit_ipc[counters_ipc->flowbit_count].ip_src = ip_src;
flowbit_ipc[counters_ipc->flowbit_count].ip_dst = ip_dst;
flowbit_ipc[counters_ipc->flowbit_count].flowbit_expire = atol(timet) + flowbit_track[i].flowbit_timeout;
flowbit_ipc[counters_ipc->flowbit_count].flowbit_state = 1;
flowbit_ipc[counters_ipc->flowbit_count].expire = flowbit_track[i].flowbit_timeout;
strlcpy(flowbit_ipc[counters_ipc->flowbit_count].flowbit_name, flowbit_track[i].flowbit_name, sizeof(flowbit_ipc[counters_ipc->flowbit_count].flowbit_name));
Sagan_File_Unlock(config->shm_flowbit);
Sagan_File_Lock(config->shm_counters);
counters_ipc->flowbit_count++;
Sagan_File_Unlock(config->shm_counters);
if ( debug->debugflowbit)
{
Sagan_Log(S_DEBUG, "[%s, line %d] [%d] Created flowbit \"%s\" via \"set\" [%s -> %s],", __FILE__, __LINE__, counters_ipc->flowbit_count, flowbit_ipc[counters_ipc->flowbit_count].flowbit_name, ip_src_char, ip_dst_char);
}
}
}
}
free(flowbit_track);
} /* End of Sagan_Flowbit_Set */
void Sagan_BroIntel_Load_File ( void )
{
FILE *brointel_file;
char *value;
char *type;
char *description;
sbool found_flag;
sbool found_flag_array;
char *tok = NULL; ;
char *ptmp = NULL;
int line_count;
int i;
uint32_t u32_ip;
char *brointel_filename = NULL;
char brointelbuf[MAX_BROINTEL_LINE_SIZE] = { 0 };
counters->brointel_dups = 0;
brointel_filename = strtok_r(config->brointel_files, ",", &ptmp);
while ( brointel_filename != NULL )
{
Sagan_Log(S_NORMAL, "Bro Intel Processor Loading File: %s.", brointel_filename);
if (( brointel_file = fopen(brointel_filename, "r")) == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Could not load Bro Intel file! (%s - %s)", __FILE__, __LINE__, brointel_filename, strerror(errno));
}
while(fgets(brointelbuf, MAX_BROINTEL_LINE_SIZE, brointel_file) != NULL)
{
/* Skip comments and blank linkes */
if (brointelbuf[0] == '#' || brointelbuf[0] == 10 || brointelbuf[0] == ';' || brointelbuf[0] == 32 )
{
line_count++;
continue;
}
else
{
Remove_Return(brointelbuf);
value = strtok_r(brointelbuf, "\t", &tok);
type = strtok_r(NULL, "\t", &tok);
description = strtok_r(NULL, "\t", &tok);
if ( value == NULL || type == NULL || description == NULL )
{
Sagan_Log(S_WARN, "[%s, line %d] Got invalid line at %d in %s", __FILE__, __LINE__, line_count, brointel_filename);
}
found_flag = 0;
if (!strcmp(type, "Intel::ADDR"))
{
u32_ip = IP2Bit(value);
found_flag = 1; /* Used to short circuit other 'type' lookups */
found_flag_array = 0; /* Used to short circuit/warn when dups are found. This way we don't waste memory/CPU */
/* Check for duplicates. */
for (i=0; i < counters->brointel_addr_count; i++)
{
if ( u32_ip == Sagan_BroIntel_Intel_Addr[i].u32_ip )
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::ADDR address %s in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Addr = (_Sagan_BroIntel_Intel_Addr *) realloc(Sagan_BroIntel_Intel_Addr, (counters->brointel_addr_count+1) * sizeof(_Sagan_BroIntel_Intel_Addr));
if ( Sagan_BroIntel_Intel_Addr == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Addr. Abort!", __FILE__, __LINE__);
}
Sagan_BroIntel_Intel_Addr[counters->brointel_addr_count].u32_ip = IP2Bit(value);
counters->brointel_addr_count++;
}
}
if (!strcmp(type, "Intel::DOMAIN") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters-> brointel_domain_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_Domain[i].domain, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::DOMAIN '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Domain = (_Sagan_BroIntel_Intel_Domain *) realloc(Sagan_BroIntel_Intel_Domain, (counters->brointel_domain_count+1) * sizeof(_Sagan_BroIntel_Intel_Domain));
if ( Sagan_BroIntel_Intel_Domain == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Domain. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_Domain[counters->brointel_domain_count].domain, value, sizeof(Sagan_BroIntel_Intel_Domain[counters->brointel_domain_count].domain));
counters->brointel_domain_count++;
}
}
if (!strcmp(type, "Intel::FILE_HASH") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_file_hash_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_File_Hash[i].hash, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::FILE_HASH '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_File_Hash = (_Sagan_BroIntel_Intel_File_Hash *) realloc(Sagan_BroIntel_Intel_File_Hash, (counters->brointel_file_hash_count+1) * sizeof(_Sagan_BroIntel_Intel_File_Hash));
if ( Sagan_BroIntel_Intel_File_Hash == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_File_Hash. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_File_Hash[counters->brointel_file_hash_count].hash, value, sizeof(Sagan_BroIntel_Intel_File_Hash[counters->brointel_file_hash_count].hash));
counters->brointel_file_hash_count++;
}
}
if (!strcmp(type, "Intel::URL") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_url_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_URL[i].url, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::URL '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_URL = (_Sagan_BroIntel_Intel_URL *) realloc(Sagan_BroIntel_Intel_URL, (counters->brointel_url_count+1) * sizeof(_Sagan_BroIntel_Intel_URL));
if ( Sagan_BroIntel_Intel_URL == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_URL. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_URL[counters->brointel_url_count].url, value, sizeof(Sagan_BroIntel_Intel_URL[counters->brointel_url_count].url));
counters->brointel_url_count++;
}
}
if (!strcmp(type, "Intel::SOFTWARE") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_software_count++; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_Software[i].software, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::SOFTWARE '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Software = (_Sagan_BroIntel_Intel_Software *) realloc(Sagan_BroIntel_Intel_Software, (counters->brointel_software_count+1) * sizeof(_Sagan_BroIntel_Intel_Software));
if ( Sagan_BroIntel_Intel_Software == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Software. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_Software[counters->brointel_software_count].software, value, sizeof(Sagan_BroIntel_Intel_Software[counters->brointel_software_count].software));
counters->brointel_software_count++;
}
}
if (!strcmp(type, "Intel::EMAIL") && found_flag == 0)
{
To_LowerC(value);
found_flag_array = 0;
for (i=0; i < counters->brointel_email_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_Email[i].email, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::EMAIL '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Email = (_Sagan_BroIntel_Intel_Email *) realloc(Sagan_BroIntel_Intel_Email, (counters->brointel_email_count+1) * sizeof(_Sagan_BroIntel_Intel_Email));
if ( Sagan_BroIntel_Intel_Email == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Email. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_Email[counters->brointel_email_count].email, value, sizeof(Sagan_BroIntel_Intel_Email[counters->brointel_email_count].email));
counters->brointel_email_count++;
found_flag = 1;
}
}
if (!strcmp(type, "Intel::USER_NAME") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_user_name_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_User_Name[i].username, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::USER_NAME '%s' in %s on line %.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_User_Name = (_Sagan_BroIntel_Intel_User_Name *) realloc(Sagan_BroIntel_Intel_User_Name, (counters->brointel_user_name_count+1) * sizeof(_Sagan_BroIntel_Intel_User_Name));
if ( Sagan_BroIntel_Intel_User_Name == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_User_Name. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_User_Name[counters->brointel_user_name_count].username, value, sizeof(Sagan_BroIntel_Intel_User_Name[counters->brointel_user_name_count].username));
counters->brointel_user_name_count++;
}
}
if (!strcmp(type, "Intel::FILE_NAME") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_file_name_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_File_Name[i].file_name, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::FILE_NAME '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_File_Name = (_Sagan_BroIntel_Intel_File_Name *) realloc(Sagan_BroIntel_Intel_File_Name, (counters->brointel_file_name_count+1) * sizeof(_Sagan_BroIntel_Intel_File_Name));
if ( Sagan_BroIntel_Intel_File_Name == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_File_Name. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_File_Name[counters->brointel_file_name_count].file_name, value, sizeof(Sagan_BroIntel_Intel_File_Name[counters->brointel_file_name_count].file_name));
counters->brointel_file_name_count++;
}
}
if (!strcmp(type, "Intel::CERT_HASH") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_cert_hash_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_Cert_Hash[i].cert_hash, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::CERT_HASH '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Cert_Hash = (_Sagan_BroIntel_Intel_Cert_Hash *) realloc(Sagan_BroIntel_Intel_Cert_Hash, (counters->brointel_cert_hash_count+1) * sizeof(_Sagan_BroIntel_Intel_Cert_Hash));
if ( Sagan_BroIntel_Intel_Cert_Hash == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Cert_Hash. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_Cert_Hash[counters->brointel_cert_hash_count].cert_hash, value, sizeof(Sagan_BroIntel_Intel_Cert_Hash[counters->brointel_cert_hash_count].cert_hash));
counters->brointel_cert_hash_count++;
}
}
}
line_count++;
}
fclose(brointel_file);
brointel_filename = strtok_r(NULL, ",", &ptmp);
line_count = 0;
}
}
void Sagan_Processor ( void )
{
struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL = NULL;
SaganProcSyslog_LOCAL = malloc(sizeof(struct _Sagan_Proc_Syslog));
if ( SaganProcSyslog_LOCAL == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to allocate memory for SaganProcSyslog_LOCAL. Abort!", __FILE__, __LINE__);
}
memset(SaganProcSyslog_LOCAL, 0, sizeof(struct _Sagan_Proc_Syslog));
sbool ignore_flag=0;
int i;
for (;;)
{
pthread_mutex_lock(&SaganProcWorkMutex);
while ( proc_msgslot == 0 ) pthread_cond_wait(&SaganProcDoWork, &SaganProcWorkMutex);
if ( config->sagan_reload == 1 )
{
pthread_cond_wait(&SaganReloadCond, &SaganReloadMutex);
}
proc_msgslot--; /* This was ++ before coming over, so we now -- it to get to
* original value */
strlcpy(SaganProcSyslog_LOCAL->syslog_host, SaganProcSyslog[proc_msgslot].syslog_host, sizeof(SaganProcSyslog_LOCAL->syslog_host));
strlcpy(SaganProcSyslog_LOCAL->syslog_facility, SaganProcSyslog[proc_msgslot].syslog_facility, sizeof(SaganProcSyslog_LOCAL->syslog_facility));
strlcpy(SaganProcSyslog_LOCAL->syslog_priority, SaganProcSyslog[proc_msgslot].syslog_priority, sizeof(SaganProcSyslog_LOCAL->syslog_priority));
strlcpy(SaganProcSyslog_LOCAL->syslog_level, SaganProcSyslog[proc_msgslot].syslog_level, sizeof(SaganProcSyslog_LOCAL->syslog_level));
strlcpy(SaganProcSyslog_LOCAL->syslog_tag, SaganProcSyslog[proc_msgslot].syslog_tag, sizeof(SaganProcSyslog_LOCAL->syslog_tag));
strlcpy(SaganProcSyslog_LOCAL->syslog_date, SaganProcSyslog[proc_msgslot].syslog_date, sizeof(SaganProcSyslog_LOCAL->syslog_date));
strlcpy(SaganProcSyslog_LOCAL->syslog_time, SaganProcSyslog[proc_msgslot].syslog_time, sizeof(SaganProcSyslog_LOCAL->syslog_time));
strlcpy(SaganProcSyslog_LOCAL->syslog_program, SaganProcSyslog[proc_msgslot].syslog_program, sizeof(SaganProcSyslog_LOCAL->syslog_program));
strlcpy(SaganProcSyslog_LOCAL->syslog_message, SaganProcSyslog[proc_msgslot].syslog_message, sizeof(SaganProcSyslog_LOCAL->syslog_message));
pthread_mutex_unlock(&SaganProcWorkMutex);
/* Check for general "drop" items. We do this first so we can save CPU later */
if ( config->sagan_droplist_flag )
{
ignore_flag=0;
for (i = 0; i < counters->droplist_count; i++)
{
if (Sagan_strstr(SaganProcSyslog_LOCAL->syslog_message, SaganIgnorelist[i].ignore_string))
{
pthread_mutex_lock(&SaganIgnoreCounter);
counters->ignore_count++;
pthread_mutex_unlock(&SaganIgnoreCounter);
ignore_flag=1;
goto outside_loop; /* Stop processing from ignore list */
}
}
}
outside_loop:
/* If we're in a ignore state, then we can bypass the processors */
if ( ignore_flag == 0 )
{
Sagan_Engine(SaganProcSyslog_LOCAL);
if ( config->sagan_track_clients_flag )
{
Sagan_Track_Clients( IP2Bit(SaganProcSyslog_LOCAL->syslog_host) );
}
} // End if if (ignore_Flag)
} // for (;;)
Sagan_Log(S_WARN, "[%s, line %d] Holy cow! You should never see this message!", __FILE__, __LINE__);
free(SaganProcSyslog_LOCAL); /* Should never make it here */
}
int Sagan_Bluedot_Lookup(char *data, unsigned char type)
{
char tmpurl[1024] = { 0 };
char tmpdeviceid[64] = { 0 };
CURL *curl;
CURLcode res;
struct curl_slist *headers = NULL;
char *response=NULL;
struct json_object *json_in = NULL;
const char *cat=NULL;
char cattmp[128] = { 0 };
char *saveptr=NULL;
signed char bluedot_alertid = 0; /* -128 to 127 */
int i;
char timet[20] = { 0 };
time_t t;
struct tm *now=NULL;
uint64_t ip = 0;
t = time(NULL);
now=localtime(&t);
strftime(timet, sizeof(timet), "%s", now);
/************************************************************************/
/* Lookup types */
/************************************************************************/
/* IP Address Lookup */
if ( type == BLUEDOT_LOOKUP_IP )
{
ip = IP2Bit(data);
if ( is_rfc1918(ip) )
{
if ( debug->debugbluedot )
{
Sagan_Log(S_DEBUG, "[%s, line %d] %s is RFC1918.", __FILE__, __LINE__, data);
}
return(false);
}
for (i=0; i<counters->bluedot_ip_cache_count; i++)
{
if ( ip == SaganBluedotIPCache[i].host)
{
if (debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Pulled %s (%u) from Bluedot cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotIPCache[i].host, SaganBluedotIPCache[i].alertid);
}
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_ip_cache_hit++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
return(SaganBluedotIPCache[i].alertid);
}
}
/* Check Bluedot IP Queue, make sure we aren't looking up something that is already being looked up */
for (i=0; i < bluedot_ip_queue; i++)
{
if ( ip == SaganBluedotIPQueue[i].host )
{
if (debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] %s (%u) is already being looked up. Skipping....", __FILE__, __LINE__, data, SaganBluedotIPQueue[i].host);
}
return(false);
}
}
/* If not in Bluedot IP queue, add it */
pthread_mutex_lock(&SaganProcBluedotIPWorkMutex);
SaganBluedotIPQueue = (_Sagan_Bluedot_IP_Queue *) realloc(SaganBluedotIPQueue, (bluedot_ip_queue+1) * sizeof(_Sagan_Bluedot_IP_Queue));
SaganBluedotIPQueue[bluedot_ip_queue].host = ip;
bluedot_ip_queue++;
pthread_mutex_unlock(&SaganProcBluedotIPWorkMutex);
if (debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Going to query IP %s (%u) from Bluedot.", __FILE__, __LINE__, data, ip);
}
snprintf(tmpurl, sizeof(tmpurl), "%s%s%s", config->bluedot_url, BLUEDOT_IP_LOOKUP_URL, data);
} /* BLUEDOT_LOOKUP_IP */
if ( type == BLUEDOT_LOOKUP_HASH )
{
for (i=0; i<counters->bluedot_hash_cache_count; i++)
{
if (!strcmp(data, SaganBluedotHashCache[i].hash))
{
if (debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Pulled file hash '%s' from Bluedot hash cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotHashCache[i].alertid);
}
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_hash_cache_hit++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
return(SaganBluedotHashCache[i].alertid);
}
}
snprintf(tmpurl, sizeof(tmpurl), "%s%s%s", config->bluedot_url, BLUEDOT_HASH_LOOKUP_URL, data);
}
if ( type == BLUEDOT_LOOKUP_URL )
{
for (i=0; i<counters->bluedot_url_cache_count; i++)
{
if (!strcmp(data, SaganBluedotURLCache[i].url))
{
if (debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Pulled file URL '%s' from Bluedot URL cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotURLCache[i].alertid);
}
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_url_cache_hit++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
return(SaganBluedotURLCache[i].alertid);
}
}
snprintf(tmpurl, sizeof(tmpurl), "%s%s%s", config->bluedot_url, BLUEDOT_URL_LOOKUP_URL, data);
}
if ( type == BLUEDOT_LOOKUP_FILENAME )
{
for (i=0; i<counters->bluedot_filename_cache_count; i++)
{
if (!strcmp(data, SaganBluedotFilenameCache[i].filename))
{
if (debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Pulled file filename '%s' from Bluedot filename cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotFilenameCache[i].alertid);
}
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_filename_cache_hit++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
return(SaganBluedotFilenameCache[i].alertid);
}
}
snprintf(tmpurl, sizeof(tmpurl), "%s%s%s", config->bluedot_url, BLUEDOT_FILENAME_LOOKUP_URL, data);
}
snprintf(tmpdeviceid, sizeof(tmpdeviceid), "X-BLUEDOT-DEVICEID: %s", config->bluedot_device_id);
curl = curl_easy_init();
if (curl)
{
curl_easy_setopt(curl, CURLOPT_URL, tmpurl);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback_func);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1); /* WIll send SIGALRM if not set */
headers = curl_slist_append (headers, BLUEDOT_PROCESSOR_USER_AGENT);
headers = curl_slist_append (headers, tmpdeviceid);
// headers = curl_slist_append (headers, "X-Bluedot-Verbose: 1"); /* For more verbose output */
curl_easy_setopt(curl, CURLOPT_HTTPHEADER , headers );
res = curl_easy_perform(curl);
}
curl_easy_cleanup(curl);
if ( response == NULL )
{
Sagan_Log(S_WARN, "[%s, line %d] Bluedot returned a empty \"response\".", __FILE__, __LINE__);
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_error_count++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
Sagan_Bluedot_Clean_Queue(data, type);
return(false);
}
json_in = json_tokener_parse(response);
if ( type == BLUEDOT_LOOKUP_IP )
{
cat = json_object_get_string(json_object_object_get(json_in, "qipcode"));
}
else if ( type == BLUEDOT_LOOKUP_HASH )
{
cat = json_object_get_string(json_object_object_get(json_in, "qhashcode"));
}
else if ( type == BLUEDOT_LOOKUP_URL )
{
cat = json_object_get_string(json_object_object_get(json_in, "qurlcode"));
}
else if ( type == BLUEDOT_LOOKUP_FILENAME )
{
cat = json_object_get_string(json_object_object_get(json_in, "qfilenamecode"));
}
if ( cat == NULL )
{
Sagan_Log(S_WARN, "Bluedot return a bad category.");
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_error_count++; // DEBUG <- Total error count
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
Sagan_Bluedot_Clean_Queue(data, type);
return(false);
}
/* strtok_r() doesn't like const char *cat */
snprintf(cattmp, sizeof(cattmp), "%s", cat);
strtok_r(cattmp, "\"", &saveptr);
bluedot_alertid = atoi(strtok_r(NULL, "\"", &saveptr));
if ( debug->debugbluedot)
{
Sagan_Log(S_DEBUG, "[%s, line %d] Bluedot return category \"%d\" for %s.", __FILE__, __LINE__, bluedot_alertid, data);
}
if ( bluedot_alertid == -1 )
{
Sagan_Log(S_WARN, "Bluedot reports an invalid API key. Lookup aborted!");
counters->bluedot_error_count++;
return(false);
}
/************************************************************************/
/* Add entries to cache */
/************************************************************************/
/* IP Address lookup */
if ( type == BLUEDOT_LOOKUP_IP )
{
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_ip_total++;
SaganBluedotIPCache = (_Sagan_Bluedot_IP_Cache *) realloc(SaganBluedotIPCache, (counters->bluedot_ip_cache_count+1) * sizeof(_Sagan_Bluedot_IP_Cache));
SaganBluedotIPCache[counters->bluedot_ip_cache_count].host = ip;
SaganBluedotIPCache[counters->bluedot_ip_cache_count].utime = atol(timet); /* store utime */
SaganBluedotIPCache[counters->bluedot_ip_cache_count].alertid = bluedot_alertid;
counters->bluedot_ip_cache_count++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
}
/* File hash lookup */
else if ( type == BLUEDOT_LOOKUP_HASH )
{
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_hash_total++;
SaganBluedotHashCache = (_Sagan_Bluedot_Hash_Cache *) realloc(SaganBluedotHashCache, (counters->bluedot_hash_cache_count+1) * sizeof(_Sagan_Bluedot_Hash_Cache));
strlcpy(SaganBluedotHashCache[counters->bluedot_hash_cache_count].hash, data, sizeof(SaganBluedotHashCache[counters->bluedot_hash_cache_count].hash));
SaganBluedotHashCache[counters->bluedot_hash_cache_count].utime = atol(timet); /* store utime */
SaganBluedotHashCache[counters->bluedot_hash_cache_count].alertid = bluedot_alertid;
counters->bluedot_hash_cache_count++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
}
/* URL lookup */
else if ( type == BLUEDOT_LOOKUP_URL )
{
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_url_total++;
SaganBluedotURLCache = (_Sagan_Bluedot_URL_Cache *) realloc(SaganBluedotURLCache, (counters->bluedot_url_cache_count+1) * sizeof(_Sagan_Bluedot_URL_Cache));
strlcpy(SaganBluedotURLCache[counters->bluedot_url_cache_count].url, data, sizeof(SaganBluedotURLCache[counters->bluedot_url_cache_count].url));
SaganBluedotURLCache[counters->bluedot_url_cache_count].utime = atol(timet); /* store utime */
SaganBluedotURLCache[counters->bluedot_url_cache_count].alertid = bluedot_alertid;
counters->bluedot_url_cache_count++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
}
/* Filename Lookup */
else if ( type == BLUEDOT_LOOKUP_FILENAME )
{
pthread_mutex_lock(&SaganProcBluedotWorkMutex);
counters->bluedot_filename_total++;
SaganBluedotFilenameCache = (_Sagan_Bluedot_Filename_Cache *) realloc(SaganBluedotFilenameCache, (counters->bluedot_filename_cache_count+1) * sizeof(_Sagan_Bluedot_Filename_Cache));
strlcpy(SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].filename, data, sizeof(SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].filename));
SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].utime = atol(timet);
SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].alertid = bluedot_alertid;
counters->bluedot_filename_cache_count++;
pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
}
Sagan_Bluedot_Clean_Queue(data, type); /* Remove item for "queue" */
json_object_put(json_in); /* Clear json_in as we're done with it */
return(bluedot_alertid);
}
int Sagan_Bluedot_Clean_Queue ( char *data, unsigned char type )
{
uint32_t ip_u32;
int i=0;
int tmp_bluedot_queue_count=0;
/* Remove IP address from lookup queue */
if ( type == BLUEDOT_LOOKUP_IP )
{
ip_u32 = IP2Bit(data); /* Convert "data" to u32 int. */
struct _Sagan_Bluedot_IP_Queue *TmpSaganBluedotIPQueue;
TmpSaganBluedotIPQueue = malloc(sizeof(_Sagan_Bluedot_IP_Queue));
memset(TmpSaganBluedotIPQueue, 0, sizeof(_Sagan_Bluedot_IP_Queue));
for (i=0; i<bluedot_ip_queue; i++)
{
if ( ip_u32 == SaganBluedotIPQueue[i].host )
{
TmpSaganBluedotIPQueue = (_Sagan_Bluedot_IP_Queue *) realloc(TmpSaganBluedotIPQueue, (tmp_bluedot_queue_count+1) * sizeof(_Sagan_Bluedot_IP_Queue));
TmpSaganBluedotIPQueue[tmp_bluedot_queue_count].host = ip_u32;
tmp_bluedot_queue_count++;
}
}
pthread_mutex_lock(&SaganProcBluedotIPWorkMutex);
memset(SaganBluedotIPQueue, 0, sizeof(_Sagan_Bluedot_IP_Queue));
bluedot_ip_queue=0;
for (i=0; i<tmp_bluedot_queue_count; i++)
{
SaganBluedotIPQueue = (_Sagan_Bluedot_IP_Queue *) realloc(SaganBluedotIPQueue, (bluedot_ip_queue+1) * sizeof(_Sagan_Bluedot_IP_Queue));
SaganBluedotIPQueue[bluedot_ip_queue].host = TmpSaganBluedotIPQueue[i].host;
bluedot_ip_queue++;
}
pthread_mutex_unlock(&SaganProcBluedotIPWorkMutex);
free(TmpSaganBluedotIPQueue);
}
else if ( type == BLUEDOT_LOOKUP_HASH )
{
struct _Sagan_Bluedot_Hash_Queue *TmpSaganBluedotHashQueue;
TmpSaganBluedotHashQueue = malloc(sizeof(_Sagan_Bluedot_Hash_Queue));
memset(TmpSaganBluedotHashQueue, 0, sizeof(_Sagan_Bluedot_Hash_Queue));
for (i=0; i<bluedot_hash_queue; i++)
{
if (!strcmp(data, SaganBluedotHashQueue[i].hash))
{
TmpSaganBluedotHashQueue = (_Sagan_Bluedot_Hash_Queue *) realloc(TmpSaganBluedotHashQueue, (tmp_bluedot_queue_count+1) * sizeof(_Sagan_Bluedot_Hash_Queue));
strlcpy(TmpSaganBluedotHashQueue[tmp_bluedot_queue_count].hash, data, sizeof(TmpSaganBluedotHashQueue[tmp_bluedot_queue_count].hash));
tmp_bluedot_queue_count++;
}
}
pthread_mutex_lock(&SaganProcBluedotHashWorkMutex);
memset(SaganBluedotHashQueue, 0, sizeof(_Sagan_Bluedot_Hash_Queue));
bluedot_hash_queue=0;
for (i=0; i<tmp_bluedot_queue_count; i++)
{
SaganBluedotHashQueue = (_Sagan_Bluedot_Hash_Queue *) realloc(SaganBluedotHashQueue, (bluedot_hash_queue+1) * sizeof(_Sagan_Bluedot_Hash_Queue));
strlcpy(SaganBluedotHashQueue[bluedot_hash_queue].hash, TmpSaganBluedotHashQueue[i].hash, sizeof(SaganBluedotHashQueue[bluedot_hash_queue].hash));
bluedot_hash_queue++;
}
pthread_mutex_unlock(&SaganProcBluedotHashWorkMutex);
free(TmpSaganBluedotHashQueue);
}
else if ( type == BLUEDOT_LOOKUP_URL )
{
struct _Sagan_Bluedot_URL_Queue *TmpSaganBluedotURLQueue;
TmpSaganBluedotURLQueue = malloc(sizeof(_Sagan_Bluedot_URL_Queue));
memset(TmpSaganBluedotURLQueue, 0, sizeof(_Sagan_Bluedot_URL_Queue));
for (i=0; i<bluedot_url_queue; i++)
{
if (!strcmp(data, SaganBluedotURLQueue[i].url))
{
TmpSaganBluedotURLQueue = (_Sagan_Bluedot_URL_Queue *) realloc(TmpSaganBluedotURLQueue, (tmp_bluedot_queue_count+1) * sizeof(_Sagan_Bluedot_URL_Queue));
strlcpy(TmpSaganBluedotURLQueue[tmp_bluedot_queue_count].url, data, sizeof(TmpSaganBluedotURLQueue[tmp_bluedot_queue_count].url));
tmp_bluedot_queue_count++;
}
}
pthread_mutex_lock(&SaganProcBluedotURLWorkMutex);
memset(SaganBluedotURLQueue, 0, sizeof(_Sagan_Bluedot_URL_Queue));
bluedot_url_queue=0;
for (i=0; i<tmp_bluedot_queue_count; i++)
{
SaganBluedotURLQueue = (_Sagan_Bluedot_URL_Queue *) realloc(SaganBluedotURLQueue, (bluedot_url_queue+1) * sizeof(_Sagan_Bluedot_URL_Queue));
strlcpy(SaganBluedotURLQueue[bluedot_url_queue].url, TmpSaganBluedotURLQueue[i].url, sizeof(SaganBluedotURLQueue[bluedot_url_queue].url));
bluedot_url_queue++;
}
pthread_mutex_unlock(&SaganProcBluedotURLWorkMutex);
free(TmpSaganBluedotURLQueue);
}
else if ( type == BLUEDOT_LOOKUP_FILENAME )
{
struct _Sagan_Bluedot_Filename_Queue *TmpSaganBluedotFilenameQueue;
TmpSaganBluedotFilenameQueue = malloc(sizeof(_Sagan_Bluedot_Filename_Queue));
memset(TmpSaganBluedotFilenameQueue, 0, sizeof(_Sagan_Bluedot_Filename_Queue));
for (i=0; i<bluedot_filename_queue; i++)
{
if (!strcmp(data, SaganBluedotFilenameQueue[i].filename))
{
TmpSaganBluedotFilenameQueue = (_Sagan_Bluedot_Filename_Queue *) realloc(TmpSaganBluedotFilenameQueue, (tmp_bluedot_queue_count+1) * sizeof(_Sagan_Bluedot_Filename_Queue));
strlcpy(TmpSaganBluedotFilenameQueue[tmp_bluedot_queue_count].filename, data, sizeof(TmpSaganBluedotFilenameQueue[tmp_bluedot_queue_count].filename));
tmp_bluedot_queue_count++;
}
}
pthread_mutex_lock(&SaganProcBluedotFilenameWorkMutex);
memset(SaganBluedotFilenameQueue, 0, sizeof(_Sagan_Bluedot_Filename_Queue));
bluedot_filename_queue=0;
for (i=0; i<tmp_bluedot_queue_count; i++)
{
SaganBluedotFilenameQueue = (_Sagan_Bluedot_Filename_Queue *) realloc(SaganBluedotFilenameQueue, (bluedot_filename_queue+1) * sizeof(_Sagan_Bluedot_Filename_Queue));
strlcpy(SaganBluedotFilenameQueue[bluedot_filename_queue].filename, TmpSaganBluedotFilenameQueue[i].filename, sizeof(SaganBluedotFilenameQueue[bluedot_filename_queue].filename));
bluedot_filename_queue++;
}
pthread_mutex_unlock(&SaganProcBluedotFilenameWorkMutex);
free(TmpSaganBluedotFilenameQueue);
}
}