/*
 * Current global clock as fractional seconds: whole seconds plus the
 * microsecond field scaled down. Same arithmetic as the inline expression
 * it replaces, so the comparisons against statusint/idleint are unchanged.
 */
static double
RaGlobalTimeSeconds (void)
{
   return (double)(ArgusParser->ArgusGlobalTime.tv_sec * 1.0) +
          (double)(ArgusParser->ArgusGlobalTime.tv_usec / 1000000.0);
}

/*
 * Timer callback: walk every aggregator's flow cache and write out records
 * whose status or idle interval has elapsed, measured against
 * ArgusParser->ArgusGlobalTime.
 *
 * Two regimes, selected per aggregator:
 *  - statusint > 0: every queued record is popped and inspected. One past
 *    its status interval is written and kept; one past its idle interval is
 *    written, unhashed and freed. Survivors are appended back to the queue.
 *  - statusint == 0 with idleint set: only the queue head is inspected and
 *    the walk stops at the first record that is still active. This relies
 *    on the queue being kept in last-update order (RaProcessThisRecord moves
 *    a merged record to the tail).
 *
 * NOTE(review): in the idle-only regime the head is read through
 * agg->queue->start and is never popped, so the loop terminates only if
 * ArgusDeleteRecordStruct() also unlinks the record from the queue. If it
 * does not, this spins on a freed record -- confirm against that helper.
 */
void
ArgusClientTimeout ()
{
   struct ArgusAggregatorStruct *agg;

   for (agg = ArgusParser->ArgusAggregator; agg != NULL; agg = agg->nxt) {
      if (agg->statusint > 0) {
         int total = agg->queue->count;
         int k;

         for (k = 0; k < total; k++) {
            struct ArgusRecordStruct *rec = (void *) ArgusPopQueue(agg->queue, ARGUS_LOCK);
            double first = ArgusFetchStartTime(rec);
            double last  = ArgusFetchLastTime(rec);
            double now   = RaGlobalTimeSeconds();
            int keep = 1;

            if (agg->statusint && ((now - first) >= agg->statusint)) {
               /* Status report: emit a snapshot, the flow stays cached. */
               RaSendArgusRecord(rec);
            } else if (agg->idleint && ((now - last) >= agg->idleint)) {
               /* Idle flow: final write, then drop it from hash and cache. */
               ArgusRemoveHashEntry(&rec->htblhdr);
               RaSendArgusRecord(rec);
               ArgusDeleteRecordStruct (ArgusParser, rec);
               keep = 0;
            }

            if (keep)
               ArgusAddToQueue(agg->queue, &rec->qhdr, ARGUS_LOCK);
         }

      } else if (agg->idleint) {
         while (agg->queue->count > 0) {
            struct ArgusRecordStruct *head = (void *) agg->queue->start;
            double last = ArgusFetchLastTime(head);
            double now  = RaGlobalTimeSeconds();

            /* Queue is in last-update order: the first active head ends the walk. */
            if ((now - last) < agg->idleint)
               break;

            ArgusRemoveHashEntry(&head->htblhdr);
            RaSendArgusRecord(head);
            ArgusDeleteRecordStruct (ArgusParser, head);
         }
      }
   }

#ifdef ARGUSDEBUG
   ArgusDebug (6, "ArgusClientTimeout()\n");
#endif
}
/*
 * Close every output file registered in ArgusParser->ArgusWfileList.
 * Entries that were never opened (fd == NULL) are skipped; a closed entry
 * has its fd cleared so a later list teardown cannot close it twice.
 * Return values of fflush()/fclose() are not inspected (as before).
 */
static void
RaParseCompleteCloseWfiles (void)
{
   struct ArgusListObjectStruct *node;
   int remaining;

   if (ArgusParser->ArgusWfileList == NULL)
      return;

   remaining = ArgusParser->ArgusWfileList->count;
   node = ArgusParser->ArgusWfileList->start;

   while (node != NULL && remaining-- > 0) {
      struct ArgusWfileStruct *wfile = (struct ArgusWfileStruct *) node;

      if (wfile->fd != NULL) {
#ifdef ARGUSDEBUG
         ArgusDebug (2, "RaParseComplete: closing %s\n", wfile->filename);
#endif
         fflush (wfile->fd);
         fclose (wfile->fd);
         wfile->fd = NULL;
      }
      node = node->nxt;
   }
}

/*
 * RaParseComplete: end-of-input / signal completion for the sorting client.
 *
 * sig: 0 for normal completion, a signal number when invoked for
 *      SIGHUP/SIGINT/SIGTERM/SIGQUIT, negative to do nothing.
 *
 * The first call (RaParseCompleting was zero) sorts the sorter's record
 * queue and writes every record out; later calls skip that. On one of the
 * termination signals every output file is then closed and the process
 * exits with status 0.
 *
 * NOTE(review): ArgusSorter is dereferenced without a NULL check, and if
 * this runs directly as a signal handler the stdio/exit() calls are not
 * async-signal-safe -- confirm how the dispatcher invokes it.
 */
void
RaParseComplete (int sig)
{
   if (sig < 0)
      return;

   if (ArgusParser->RaParseCompleting++ == 0) {
      int nrecs = ArgusSorter->ArgusRecordQueue->count;

      if (nrecs > 0) {
         int idx;

         ArgusSortQueue (ArgusSorter, ArgusSorter->ArgusRecordQueue);
         for (idx = 0; idx < nrecs; idx++)
            RaSendArgusRecord ((struct ArgusRecordStruct *) ArgusSorter->ArgusRecordQueue->array[idx]);
      }
   }

#ifdef ARGUSDEBUG
   ArgusDebug (2, "RaParseComplete(caught signal %d)\n", sig);
#endif

   switch (sig) {
      case SIGHUP:
      case SIGINT:
      case SIGTERM:
      case SIGQUIT:
         RaParseCompleteCloseWfiles ();
         exit(0);
         break;

      default:
         break;
   }
}
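/*
 * RaArgusInputComplete: called when one input file has been fully read.
 *
 * In replace mode (ArgusSorter->ArgusReplaceMode) the sorted records are
 * written to a freshly created "<input>.tmp<rand>" file, which is then
 * renamed over the input. Outside replace mode, or with nothing queued,
 * this is a no-op.
 *
 * input: the file just consumed; its name and st_mode are reused for the
 *        replacement. Must be non-NULL.
 *
 * Safety notes:
 *  - the temp file is created with O_CREAT|O_EXCL, so an existing path
 *    (including a symlink) makes open() fail instead of being followed;
 *    the descriptor is closed again and the writer later reopens the path
 *    by name, so in a directory writable by others there is still a window
 *    between create and reopen -- NOTE(review): confirm the writer honours
 *    a pre-opened wfile->fd before switching this to fdopen().
 *  - the replacement is closed, and the close checked, *before* rename(),
 *    so a write failure (e.g. disk full) never clobbers the original.
 */
void
RaArgusInputComplete (struct ArgusInput *input)
{
   struct ArgusRecordStruct *nsr;
   struct ArgusWfileStruct *wfile = NULL;
   char buf[MAXSTRLEN];
   int count, label, i, fd, len;

   if (!ArgusSorter->ArgusReplaceMode)
      return;

   if (ArgusParser->ArgusWfileList == NULL)
      ArgusParser->ArgusWfileList = ArgusNewList();

   if ((count = ArgusSorter->ArgusRecordQueue->count) <= 0)
      return;

   /* Random suffix for the temp name. The previous srandom(ArgusRandomSeed)
    * call only ran when the seed was zero and was overridden right here, so
    * it was dropped. NOTE(review): if a configured seed is meant to give
    * reproducible names, this wants "seed set -> srandom(seed), else time". */
   srandom (ArgusParser->ArgusRealTime.tv_usec);
   label = random() % 100000;

   bzero(buf, sizeof(buf));
   len = snprintf (buf, sizeof(buf), "%s.tmp%d", input->filename, label);
   if (len < 0 || len >= (int) sizeof(buf))
      ArgusLog (LOG_ERR, "RaArgusInputComplete: temp name for %s too long", input->filename);

   /* Reserve the name exclusively; only the permission/set-id bits of the
    * input's mode are passed, the file-type bits are not open() flags. */
   if ((fd = open(buf, O_CREAT|O_EXCL, input->statbuf.st_mode & 07777)) < 0)
      ArgusLog (LOG_ERR, "open %s error: %s", buf, strerror(errno));

   close(fd);

   if ((wfile = (struct ArgusWfileStruct *) ArgusCalloc (1, sizeof (*wfile))) == NULL) {
      ArgusLog (LOG_ERR, "setArgusWfile, ArgusCalloc %s", strerror(errno));
      /* ArgusLog(LOG_ERR) is presumably fatal; if it returns, do not
       * dereference NULL below and do not leave the empty temp behind. */
      unlink(buf);
      return;
   }

   ArgusPushFrontList(ArgusParser->ArgusWfileList, (struct ArgusListRecord *)wfile, ARGUS_NOLOCK);
   if ((wfile->filename = strdup(buf)) == NULL)
      ArgusLog (LOG_ERR, "setArgusWfile, strdup %s", strerror(errno));

   ArgusSortQueue (ArgusSorter, ArgusSorter->ArgusRecordQueue);

   /* Write in sorted order; the writer opens wfile->fd on first use. */
   for (i = 0, count = ArgusSorter->ArgusRecordQueue->count; i < count; i++)
      RaSendArgusRecord ((struct ArgusRecordStruct *)ArgusSorter->ArgusRecordQueue->array[i]);

   while ((nsr = (struct ArgusRecordStruct *) ArgusPopQueue(ArgusSorter->ArgusRecordQueue, ARGUS_NOLOCK)) != NULL)
      ArgusDeleteRecordStruct(ArgusParser, nsr);

   /* Finish the replacement before swapping it into place. A NULL fd means
    * the writer never opened it; fclose(NULL) is undefined, so skip it. */
   {
      int complete = 1;

      if (wfile->fd != NULL) {
         if (fclose (wfile->fd) != 0) {
            complete = 0;
            ArgusLog (LOG_WARNING, "close %s error: %s", wfile->filename, strerror(errno));
         }
         wfile->fd = NULL;   /* list teardown must not close it again */
      }

      if (complete) {
         if (rename (wfile->filename, input->filename) < 0)
            ArgusLog (LOG_WARNING, "rename %s to %s error: %s", wfile->filename, input->filename, strerror(errno));
         else if (ArgusParser->Vflag)
            ArgusLog(LOG_INFO, "file %s sorted", input->filename);
      } else
         ArgusLog (LOG_WARNING, "file %s left unchanged, partial output in %s", input->filename, wfile->filename);
   }

   ArgusDeleteList (ArgusParser->ArgusWfileList, ARGUS_WFILE_LIST);
   ArgusParser->ArgusWfileList = NULL;
}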
/*
 * RaProcessThisRecord: feed one parsed record through the aggregator chain.
 *
 * For each aggregator in list order (until one without `cont` consumes the
 * record) the record is screened by the aggregator's filter and/or label
 * regex, copied, re-keyed into the aggregator's flow model and looked up in
 * its hash table. A hit merges the copy into the cached flow, after possibly
 * flushing that flow on a status/idle interval; a miss inserts the copy as a
 * new cached flow. Lookups go forward first and, when reverse matching is
 * enabled, in the reverse direction too, with special handling for ICMP
 * request/reply pairs and for choosing the originating side of a TCP flow.
 *
 * parser: the client parser (RaMonMode, ArgusReverse, Aflag are read).
 * argus:  the record just read. It is copied, never stored, so the caller
 *         keeps ownership of it.
 *
 * NOTE(review): ArgusCopyRecordStruct(), the hash-struct generators and the
 * DSR casts below are not NULL/type-checked; see the per-line notes.
 */
void
RaProcessThisRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *argus)
{

   struct ArgusAggregatorStruct *agg = parser->ArgusAggregator;
   struct ArgusHashStruct *hstruct = NULL;
   int found = 0;

   while (agg && !found) {
      /* fretn/lretn: filter and label verdicts; -1 means "not configured". */
      int retn = 0, fretn = -1, lretn = -1;
      if (agg->filterstr) {
         struct nff_insn *fcode = agg->filter.bf_insns;
         fretn = ArgusFilterRecord (fcode, argus);
      }

      if (agg->labelstr) {
         struct ArgusLabelStruct *label;
         /* regexec() returns 0 on match, hence the inversion; a record with
          * no label DSR fails the label test. */
         if (((label = (void *)argus->dsrs[ARGUS_LABEL_INDEX]) != NULL)) {
            if (regexec(&agg->lpreg, label->l_un.label, 0, NULL, 0))
               lretn = 0;
            else
               lretn = 1;
         } else
            lretn = 0;
      }

      /* Neither test configured: pass. One configured: its verdict rules.
       * Both configured: both must pass. */
      retn = (lretn < 0) ? ((fretn < 0) ? 1 : fretn) : ((fretn < 0) ? lretn : (lretn && fretn));

      if (retn != 0) {
         /* Work on a private copy: it is re-keyed and may be reversed.
          * NOTE(review): the copy is not checked for NULL. */
         struct ArgusRecordStruct *tns, *ns = ArgusCopyRecordStruct(argus);

         /* Per-record flow-model override, else the aggregator default. */
         if ((agg->rap = RaFlowModelOverRides(agg, ns)) == NULL)
            agg->rap = agg->drap;

         ArgusGenerateNewFlow(agg, ns);

         /* Forward flow key. ArgusLog(LOG_ERR) is presumably fatal; if it
          * returns, hstruct is NULL going into ArgusFindRecord(). */
         if ((hstruct = ArgusGenerateHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
            ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));

         if ((tns = ArgusFindRecord(agg->htable, hstruct)) == NULL) {
            struct ArgusFlow *flow = (struct ArgusFlow *) ns->dsrs[ARGUS_FLOW_INDEX];
            /* Reverse matching is skipped in monitor mode or when
             * ArgusReverse is clear. */
            if (!parser->RaMonMode && parser->ArgusReverse) {
               int tryreverse = 0;

               /* Only try the reverse key when a correction model is set
                * and the flow is not ESP (presumably because ESP SPIs are
                * direction-specific, so a reversed key cannot match). */
               if (flow != NULL) {
                  if (agg->correct != NULL)
                     tryreverse = 1;

                  switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
                     case ARGUS_TYPE_IPV4: {
                        switch (flow->ip_flow.ip_p) {
                           case IPPROTO_ESP:
                              tryreverse = 0;
                              break;
                        }
                        break;
                     }
                     case ARGUS_TYPE_IPV6: {
                        switch (flow->ipv6_flow.ip_p) {
                           case IPPROTO_ESP:
                              tryreverse = 0;
                              break;
                        }
                        break;
                     }
                  }
               } else
                  tryreverse = 0;

               if (tryreverse) {
                  /* Look up the reversed flow key. */
                  if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
                     ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));

                  if ((tns = ArgusFindRecord(agg->htable, hstruct)) == NULL) {
                     /* Still a miss. For ICMP informational messages the
                      * reply is not just the reversed request: swap the type
                      * to its counterpart, look up the reversed key, restore
                      * the type. A hit means ns is the reply side, so it is
                      * reversed to line up with the cached request. */
                     switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
                        case ARGUS_TYPE_IPV4: {
                           switch (flow->ip_flow.ip_p) {
                              case IPPROTO_ICMP: {
                                 struct ArgusICMPFlow *icmpFlow = &flow->flow_un.icmp;

                                 if (ICMP_INFOTYPE(icmpFlow->type)) {
                                    switch (icmpFlow->type) {
                                       case ICMP_ECHO:
                                       case ICMP_ECHOREPLY:
                                          icmpFlow->type = (icmpFlow->type == ICMP_ECHO) ? ICMP_ECHOREPLY : ICMP_ECHO;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_ECHO) ? ICMP_ECHOREPLY : ICMP_ECHO;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;

                                       case ICMP_ROUTERADVERT:
                                       case ICMP_ROUTERSOLICIT:
                                          icmpFlow->type = (icmpFlow->type == ICMP_ROUTERADVERT) ? ICMP_ROUTERSOLICIT : ICMP_ROUTERADVERT;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_ROUTERADVERT) ? ICMP_ROUTERSOLICIT : ICMP_ROUTERADVERT;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;

                                       case ICMP_TSTAMP:
                                       case ICMP_TSTAMPREPLY:
                                          icmpFlow->type = (icmpFlow->type == ICMP_TSTAMP) ? ICMP_TSTAMPREPLY : ICMP_TSTAMP;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_TSTAMP) ? ICMP_TSTAMPREPLY : ICMP_TSTAMP;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;

                                       case ICMP_IREQ:
                                       case ICMP_IREQREPLY:
                                          icmpFlow->type = (icmpFlow->type == ICMP_IREQ) ? ICMP_IREQREPLY : ICMP_IREQ;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_IREQ) ? ICMP_IREQREPLY : ICMP_IREQ;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;

                                       case ICMP_MASKREQ:
                                       case ICMP_MASKREPLY:
                                          icmpFlow->type = (icmpFlow->type == ICMP_MASKREQ) ? ICMP_MASKREPLY : ICMP_MASKREQ;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_MASKREQ) ? ICMP_MASKREPLY : ICMP_MASKREQ;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;
                                    }
                                 }
                                 break;
                              }
                           }
                        }
                     }
                     /* Re-derive the forward key so that a miss below inserts
                      * the copy under its forward flow. */
                     if ((hstruct = ArgusGenerateHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
                        ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));

                  } else {
                     /* Reverse key hit: decide which side is the originator. */
                     switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
                        case ARGUS_TYPE_IPV4: {
                           switch (flow->ip_flow.ip_p) {
                              case IPPROTO_TCP: {
                                 /* TCP: if the new record saw the SYN and the
                                  * cached one did not, the cached flow was
                                  * stored backwards -- reverse it instead.
                                  * NOTE(review): the network DSR is cast to a
                                  * TCP object without a type check, and
                                  * reversing tns does not re-key its hash
                                  * entry -- confirm both are intended. */
                                 struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)ns->dsrs[ARGUS_NETWORK_INDEX];
                                 if (tcp != NULL) {
                                    struct ArgusTCPObject *ttcp = (struct ArgusTCPObject *)tns->dsrs[ARGUS_NETWORK_INDEX];
                                    if (ttcp != NULL) {
                                       if ((tcp->status & ARGUS_SAW_SYN) && !(ttcp->status & ARGUS_SAW_SYN)) {
                                          ArgusReverseRecord (tns);
                                       } else
                                          ArgusReverseRecord (ns);
                                    } else
                                       ArgusReverseRecord (ns);
                                 } else
                                    ArgusReverseRecord (ns);
                                 break;
                              }

                              /* Other protocols: the cached direction wins. */
                              default:
                                 ArgusReverseRecord (ns);
                                 break;
                           }
                        }
                        break;

                        case ARGUS_TYPE_IPV6: {
                           switch (flow->ipv6_flow.ip_p) {
                              case IPPROTO_TCP: {
                                 /* Same SYN-based originator choice as IPv4. */
                                 struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)ns->dsrs[ARGUS_NETWORK_INDEX];
                                 if (tcp != NULL) {
                                    struct ArgusTCPObject *ttcp = (struct ArgusTCPObject *)tns->dsrs[ARGUS_NETWORK_INDEX];
                                    if (ttcp != NULL) {
                                       if ((tcp->status & ARGUS_SAW_SYN) && !(ttcp->status & ARGUS_SAW_SYN)) {
                                          ArgusReverseRecord (tns);
                                       } else
                                          ArgusReverseRecord (ns);
                                    } else
                                       ArgusReverseRecord (ns);
                                 } else
                                    ArgusReverseRecord (ns);
                                 break;
                              }

                              default:
                                 ArgusReverseRecord (ns);
                                 break;
                           }
                        }
                        break;

                        default:
                           ArgusReverseRecord (ns);
                     }
                  }
               }
            }
         }

         if (tns != NULL) {
            /* -A style service-test tracking: a change in RA_SVCTEST status
             * flushes the cached flow first and carries the new status. */
            if (parser->Aflag) {
               if ((tns->status & RA_SVCTEST) != (ns->status & RA_SVCTEST)) {
                  RaSendArgusRecord(tns);
                  tns->status &= ~(RA_SVCTEST);
                  tns->status |= (ns->status & RA_SVCTEST);
               }
            }

            if (tns->status & ARGUS_RECORD_WRITTEN) {
               /* Already written out: reset so the merge starts fresh. */
               ArgusZeroRecord (tns);

            } else {
               if (agg->statusint || agg->idleint) {
                  double dur, nsst, tnsst, nslt, tnslt;

                  nsst  = ArgusFetchStartTime(ns);
                  tnsst = ArgusFetchStartTime(tns);
                  nslt  = ArgusFetchLastTime(ns);
                  tnslt = ArgusFetchLastTime(tns);

                  /* Span of the union of both records. */
                  dur = ((tnslt > nslt) ? tnslt : nslt) - ((nsst < tnsst) ? nsst : tnsst); 
               
                  if (agg->statusint && (dur >= agg->statusint)) {
                     RaSendArgusRecord(tns);
                     ArgusZeroRecord(tns);
                  } else {
                     /* Gap between the two records (0 if they overlap). */
                     dur = ((nslt < tnsst) ? (tnsst - nslt) : ((tnslt < nsst) ? (nsst - tnslt) : 0.0));
                     if (agg->idleint && (dur >= agg->idleint)) {
                        RaSendArgusRecord(tns);
                        ArgusZeroRecord(tns);
                     }
                  }
               }
            }

            /* Merge the copy in, move the cached flow to the queue tail so
             * the queue stays in last-update order, free the copy. */
            ArgusMergeRecords (agg, tns, ns);
            ArgusRemoveFromQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
            ArgusAddToQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
            ArgusDeleteRecordStruct(parser, ns);
            agg->status |= ARGUS_AGGREGATOR_DIRTY;

         } else {
            /* Miss: the copy becomes the cached flow under hstruct. */
            tns = ns;
            tns->htblhdr = ArgusAddHashEntry (agg->htable, tns, hstruct);
            ArgusAddToQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
            agg->status |= ARGUS_AGGREGATOR_DIRTY;
         }

         /* cont: also offer the record to the next aggregator; otherwise
          * this aggregator consumed it. */
         if (agg->cont)
            agg = agg->nxt;
         else
            found++;

      } else
         agg = agg->nxt;
   }
}
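/*
 * RaParseComplete: end-of-input / signal completion for the aggregating
 * client.
 *
 * sig: 0 for normal completion, a signal number for
 *      SIGHUP/SIGINT/SIGTERM/SIGQUIT, negative to do nothing.
 *
 * The first call (RaParseCompleting was zero) does the real work:
 *  1. in replace mode, register "<file>.tmp<rand>" as the output so the
 *     result can later be renamed over the input;
 *  2. for each aggregator with cached flows, (re)configure the sorter from
 *     ArgusMaskList, sort the queue, fold the first eNflag records into a
 *     merged total held in ArgusParser->ns, then write and free them;
 *  3. tear down the aggregator chain and, in replace mode, close the output
 *     and rename it over the input.
 * On a termination signal every output file is then closed and the process
 * exits with status 0. eNflag is restored on every path.
 *
 * NOTE(review): if this is installed directly as a signal handler, the
 * stdio, allocation and exit() calls below are not async-signal-safe;
 * confirm how the dispatcher invokes it.
 */
void
RaParseComplete (int sig)
{
   struct ArgusModeStruct *mode = NULL;
   int i = 0, x = 0, nflag = ArgusParser->eNflag;
   struct ArgusInput *file = ArgusParser->ArgusCurrentFile;
   char buf[MAXSTRLEN];
   int label;

   if (sig >= 0) {
      if (!(ArgusParser->RaParseCompleting++)) {
         struct ArgusAggregatorStruct *agg = ArgusParser->ArgusAggregator;

         ArgusParser->RaParseCompleting += sig;

         if (ArgusParser->ArgusReplaceMode && file) {
            int len;

            /* The previous srandom(ArgusRandomSeed) only ran when the seed
             * was zero and was overridden right here, so it was dropped.
             * NOTE(review): if a configured seed is meant to give
             * reproducible names, this wants "seed set -> srandom(seed),
             * else time" -- confirm intent. */
            srandom (ArgusParser->ArgusRealTime.tv_usec);
            label = random() % 100000;

            bzero(buf, sizeof(buf));
            len = snprintf (buf, sizeof(buf), "%s.tmp%d", file->filename, label);
            if (len < 0 || len >= (int) sizeof(buf))
               ArgusLog (LOG_ERR, "RaParseComplete: temp name for %s too long", file->filename);

            setArgusWfile(ArgusParser, buf, NULL);
         }

         while (agg != NULL) {
            if (agg->queue->count) {
               struct ArgusRecordStruct *argus;
               /* Sort-algorithm slot. Dedicated and reset per aggregator:
                * the old code indexed with `i`, which the loops below reuse,
                * so the second aggregator started writing at the previous
                * eNflag and ran past the end of ArgusSortAlgorithms[]. */
               int nalg = 0;

               if (!(ArgusSorter))
                  if ((ArgusSorter = ArgusNewSorter(ArgusParser)) == NULL)
                     ArgusLog (LOG_ERR, "RaParseComplete: ArgusNewSorter error %s", strerror(errno));

               /* Map each -m mode keyword to its sort algorithm, in order. */
               for (mode = ArgusParser->ArgusMaskList; mode != NULL; mode = mode->nxt) {
                  for (x = 0; x < MAX_SORT_ALG_TYPES; x++) {
                     if (!strncmp (ArgusSortKeyWords[x], mode->mode, strlen(ArgusSortKeyWords[x]))) {
                        ArgusSorter->ArgusSortAlgorithms[nalg++] = ArgusSortAlgorithmTable[x];
                        break;
                     }
                  }
               }

               ArgusSortQueue (ArgusSorter, agg->queue);

               /* The merged total is built on a copy of the first record. */
               if ((argus = ArgusCopyRecordStruct((struct ArgusRecordStruct *) agg->queue->array[0])) == NULL)
                  ArgusLog (LOG_ERR, "RaParseComplete: ArgusCopyRecordStruct failed");

               /* -N limit: 0 means all records, else clamp to the queue. */
               if (nflag == 0)
                  ArgusParser->eNflag = agg->queue->count;
               else
                  ArgusParser->eNflag = nflag > agg->queue->count ? agg->queue->count : nflag;

               for (i = 1; i < ArgusParser->eNflag; i++)
                  ArgusMergeRecords (agg, argus, (struct ArgusRecordStruct *)agg->queue->array[i]);

               ArgusParser->ns = argus;

               for (i = 0; i < ArgusParser->eNflag; i++) {
                  RaSendArgusRecord ((struct ArgusRecordStruct *) agg->queue->array[i]);
                  ArgusDeleteRecordStruct(ArgusParser, (struct ArgusRecordStruct *) agg->queue->array[i]);
               }

               ArgusDeleteRecordStruct(ArgusParser, ArgusParser->ns);
               ArgusParser->ns = NULL;   /* do not leave a dangling pointer behind */
            }

            agg = agg->nxt;
         }

         if (ArgusParser->ArgusAggregator != NULL)
            ArgusDeleteAggregator(ArgusParser, ArgusParser->ArgusAggregator);

         if (ArgusParser->ArgusReplaceMode && file) {
            if (ArgusParser->ArgusWfileList != NULL) {
               struct ArgusWfileStruct *wfile = NULL;

               if ((wfile = (void *)ArgusParser->ArgusWfileList->start) != NULL) {
                  int complete = 1;

                  /* Close (and check) the replacement before rename() so a
                   * failed write never clobbers the input. A NULL fd means
                   * the writer never opened it; fclose(NULL) is undefined. */
                  if (wfile->fd != NULL) {
                     if (fclose (wfile->fd) != 0) {
                        complete = 0;
                        ArgusLog (LOG_WARNING, "RaParseComplete: close %s error: %s", wfile->filename, strerror(errno));
                     }
                     wfile->fd = NULL;   /* list teardown must not close it again */
                  }

                  if (complete) {
                     if (rename (wfile->filename, file->filename) < 0)
                        ArgusLog (LOG_WARNING, "RaParseComplete: rename %s to %s error: %s", wfile->filename, file->filename, strerror(errno));
                     else if (ArgusParser->Vflag)
                        ArgusLog(LOG_INFO, "file %s aggregated", file->filename);
                  } else
                     ArgusLog (LOG_WARNING, "RaParseComplete: %s left unchanged, partial output in %s", file->filename, wfile->filename);
               }

               ArgusDeleteList(ArgusParser->ArgusWfileList, ARGUS_WFILE_LIST);
               ArgusParser->ArgusWfileList = NULL;
            }
         }

#ifdef ARGUSDEBUG
         ArgusDebug (2, "RaParseComplete(caught signal %d)\n", sig);
#endif
         switch (sig) {
            case SIGHUP:
            case SIGINT:
            case SIGTERM:
            case SIGQUIT: {
               ArgusShutDown(sig);

               /* Close every registered output; stop at the end of the list
                * even if the recorded count disagrees with it. */
               if (ArgusParser->ArgusWfileList != NULL) {
                  struct ArgusListObjectStruct *node = ArgusParser->ArgusWfileList->start;
                  int remaining = ArgusParser->ArgusWfileList->count;

                  while (node != NULL && remaining-- > 0) {
                     struct ArgusWfileStruct *wf = (struct ArgusWfileStruct *) node;

                     if (wf->fd != NULL) {
#ifdef ARGUSDEBUG
                        ArgusDebug (2, "RaParseComplete: closing %s\n", wf->filename);
#endif
                        fflush (wf->fd);
                        fclose (wf->fd);
                        wf->fd = NULL;
                     }
                     node = node->nxt;
                  }
               }
               exit(0);
               break;
            }

            default:
               break;
         }
      }
   }

   ArgusParser->eNflag = nflag;

#ifdef ARGUSDEBUG
   ArgusDebug (6, "RaParseComplete(%d) done", sig);
#endif
}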