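/*
 * Strip the trailing port from a netstat-style endpoint in place.
 *
 * Trailing digits are removed together with the single non-digit character
 * that precedes them (the "." or ":" separator), so "10.0.0.1.22" and
 * "10.0.0.1:443" both become "10.0.0.1".  An all-digit endpoint becomes the
 * empty string and an empty endpoint is left untouched; the former matches
 * the original scan loop, the latter avoids stepping before the buffer.
 */
static void StripTrailingPortInPlace(char *endpoint)
{
    size_t len = strlen(endpoint);

    if (len == 0)
    {
        return;
    }

    size_t i = len - 1;

    /* Cast to unsigned char before isdigit(): a negative plain char is UB. */
    while (i > 0 && isdigit((unsigned char) endpoint[i]))
    {
        i--;
    }

    endpoint[i] = '\0';
}

/*
 * Aggregate a list of netstat-style connection lines by remote host and
 * derive the entropy classes for (service, direction) from that distribution.
 *
 * Each Item name is one netstat line.  Lines beginning with "tcp" are read as
 * linux-style (proto recv-q send-q local remote ...); anything else is read
 * as solaris-style (local remote ...).  The remote endpoint has its port
 * removed so that connections from the same host collapse onto one key,
 * whose counter is then incremented.
 *
 * The scanned fields are width-limited to the destination buffers.  The
 * original plain "%s" conversions were not, and the line text comes from an
 * external command, so an over-long field could overflow the stack buffers.
 * Lines from which no remote endpoint can be parsed are skipped; previously
 * an unmatched line left 'remote' uninitialized and it was used anyway.
 *
 * service, direction: passed through unchanged to MonEntropyClassesSet.
 * list: may be NULL (treated as empty); Item names may be empty and are skipped.
 */
static void SetNetworkEntropyClasses(const char *service, const char *direction, const Item *list)
{
    Item *addresses = NULL;

    /* Build the width-limited scan formats once.  The width must be the
       buffer size minus the terminator, and CF_BUFSIZE is a macro rather than
       a literal we could splice into the format, hence the snprintf. */
    char linux_fmt[64];
    char solaris_fmt[64];
    snprintf(linux_fmt, sizeof linux_fmt, "%%*s %%*s %%*s %%%ds %%%ds", CF_BUFSIZE - 1, CF_BUFSIZE - 1);
    snprintf(solaris_fmt, sizeof solaris_fmt, "%%%ds %%%ds", CF_BUFSIZE - 1, CF_BUFSIZE - 1);

    for (const Item *ip = list; ip != NULL; ip = ip->next)
    {
        if (ip->name == NULL || ip->name[0] == '\0')
        {
            continue;
        }

        char local[CF_BUFSIZE] = "";
        char remote[CF_BUFSIZE] = "";
        const char *fmt = (strncmp(ip->name, "tcp", 3) == 0) ? linux_fmt : solaris_fmt;

        if (sscanf(ip->name, fmt, local, remote) != 2 || remote[0] == '\0')
        {
            /* No remote endpoint on this line: nothing to aggregate. */
            continue;
        }

        StripTrailingPortInPlace(remote);

        if (!IsItemIn(addresses, remote))
        {
            AppendItem(&addresses, remote, "");
        }

        IncrementItemListCounter(addresses, remote);
    }

    double entropy = MonEntropyCalculate(addresses);
    MonEntropyClassesSet(service, direction, entropy);
    DeleteItemList(addresses);
}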
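/*
 * Process one traffic direction: for each TCP attribute decide whether the
 * freshly sniffed distribution may replace the on-disk state, then save it,
 * set the entropy classes and release the list.
 *
 * dist:      NETIN_DIST or NETOUT_DIST.  Every entry is freed and reset to
 *            NULL on return, whichever path is taken.
 * file_tag:  "incoming" or "outgoing" -- names the state file cf_<tag>.<attr>.
 * direction: "in" or "out" -- passed to SaveTCPEntropyData/MonEntropyClassesSet.
 * statedir:  directory holding the state files.
 *
 * The retention rule is unchanged from the original two loops: a new sample
 * smaller than an existing state file younger than 40 minutes is discarded
 * and the file kept.  The two loops differed only in the quoting of that log
 * line; the quoted form is used for both.
 */
static void GatherTCPDirection(Item *dist[], const char *file_tag, const char *direction, const char *statedir)
{
    /* A smaller new sample does not overwrite a state file younger than this. */
    const time_t retain_seconds = 40 * 60;

    for (int i = 0; i < CF_NETATTR; i++)
    {
        char vbuff[CF_BUFSIZE];
        struct stat statbuf;
        const time_t now = time(NULL);

        Log(LOG_LEVEL_DEBUG, "save %s '%s'", file_tag, TCPNAMES[i]);

        /* Bound the path by the buffer actually written: the original passed
           CF_MAXVARSIZE for a CF_BUFSIZE buffer.  A truncated path would name
           the wrong file, so in that case skip the retention check instead of
           calling stat() on a bogus name; the sample is still processed. */
        int n = snprintf(vbuff, sizeof vbuff, "%s%ccf_%s.%s", statedir, FILE_SEPARATOR, file_tag, TCPNAMES[i]);
        int have_path = (n >= 0 && (size_t) n < sizeof vbuff);

        if (!have_path)
        {
            Log(LOG_LEVEL_ERR, "State file path for '%s' is too long, skipping retention check", TCPNAMES[i]);
        }

        if (have_path && stat(vbuff, &statbuf) != -1
            && ItemListSize(dist[i]) < statbuf.st_size
            && now < statbuf.st_mtime + retain_seconds)
        {
            Log(LOG_LEVEL_VERBOSE, "New state '%s' is smaller, retaining old for 40 mins longer", TCPNAMES[i]);
            DeleteItemList(dist[i]);
            dist[i] = NULL;
            continue;
        }

        SaveTCPEntropyData(dist[i], i, direction);

        double entropy = MonEntropyCalculate(dist[i]);
        MonEntropyClassesSet(TCPNAMES[i], direction, entropy);
        DeleteItemList(dist[i]);
        dist[i] = NULL;
    }
}

/*
 * Turn the sniffed per-attribute connection lists into persisted state and
 * entropy classes, first for incoming then for outgoing traffic.  On return
 * every entry of NETIN_DIST and NETOUT_DIST has been freed and set to NULL.
 */
void MonNetworkSnifferGatherData(void)
{
    const char *const statedir = GetStateDir();

    GatherTCPDirection(NETIN_DIST, "incoming", "in", statedir);
    GatherTCPDirection(NETOUT_DIST, "outgoing", "out", statedir);
}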
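/*
 * Process one traffic direction: for each TCP attribute decide whether the
 * freshly sniffed distribution may replace the on-disk state, then save it,
 * set the entropy classes and release the list.
 *
 * dist:      NETIN_DIST or NETOUT_DIST.  Every entry is freed and reset to
 *            NULL on return, whichever path is taken.
 * file_tag:  "incoming" or "outgoing" -- names the state file
 *            <CFWORKDIR>/state/cf_<tag>.<attr>.
 * direction: "in" or "out" -- passed to SaveTCPEntropyData/MonEntropyClassesSet.
 *
 * The retention rule is unchanged from the original two loops: a new sample
 * smaller than an existing state file younger than 40 minutes is discarded
 * and the file kept.
 */
static void GatherTCPDirectionLegacy(Item *dist[], const char *file_tag, const char *direction)
{
    /* A smaller new sample does not overwrite a state file younger than this. */
    const time_t retain_seconds = 40 * 60;

    for (int i = 0; i < CF_NETATTR; i++)
    {
        char vbuff[CF_BUFSIZE];
        struct stat statbuf;
        const time_t now = time(NULL);

        CfDebug("save %s %s\n", file_tag, TCPNAMES[i]);

        /* Bound the path by the buffer actually written: the original passed
           CF_MAXVARSIZE for a CF_BUFSIZE buffer.  A truncated path would name
           the wrong file, so in that case skip the retention check instead of
           calling cfstat() on a bogus name; the sample is still processed. */
        int n = snprintf(vbuff, sizeof vbuff, "%s/state/cf_%s.%s", CFWORKDIR, file_tag, TCPNAMES[i]);
        int have_path = (n >= 0 && (size_t) n < sizeof vbuff);

        if (!have_path)
        {
            CfOut(cf_error, "", "State file path for %s is too long, skipping retention check\n", TCPNAMES[i]);
        }

        if (have_path && cfstat(vbuff, &statbuf) != -1
            && (ByteSizeList(dist[i]) < statbuf.st_size)
            && (now < statbuf.st_mtime + retain_seconds))
        {
            CfOut(cf_verbose, "", "New state %s is smaller, retaining old for 40 mins longer\n", TCPNAMES[i]);
            DeleteItemList(dist[i]);
            dist[i] = NULL;
            continue;
        }

        SaveTCPEntropyData(dist[i], i, direction);

        double entropy = MonEntropyCalculate(dist[i]);
        MonEntropyClassesSet(TCPNAMES[i], direction, entropy);
        DeleteItemList(dist[i]);
        dist[i] = NULL;
    }
}

/*
 * Turn the sniffed per-attribute connection lists into persisted state and
 * entropy classes, first for incoming then for outgoing traffic.  On return
 * every entry of NETIN_DIST and NETOUT_DIST has been freed and set to NULL.
 *
 * cf_this: unused; kept so existing callers keep compiling.
 */
void MonNetworkSnifferGatherData(double *cf_this)
{
    (void) cf_this;

    GatherTCPDirectionLegacy(NETIN_DIST, "incoming", "in");
    GatherTCPDirectionLegacy(NETOUT_DIST, "outgoing", "out");
}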