static void SetNetworkEntropyClasses(const char *service, const char *direction, const Item *list) { const Item *ip; Item *addresses = NULL; double entropy; for (ip = list; ip != NULL; ip = ip->next) { if (strlen(ip->name) > 0) { char local[CF_BUFSIZE]; char remote[CF_BUFSIZE]; char vbuff[CF_BUFSIZE]; char *sp; if (strncmp(ip->name, "tcp", 3) == 0) { sscanf(ip->name, "%*s %*s %*s %s %s", local, remote); /* linux-like */ } else { sscanf(ip->name, "%s %s", local, remote); /* solaris-like */ } strncpy(vbuff, remote, CF_BUFSIZE - 1); vbuff[CF_BUFSIZE-1] = '\0'; for (sp = vbuff + strlen(vbuff) - 1; isdigit((int) *sp) && (sp > vbuff); sp--) { } *sp = '\0'; if (!IsItemIn(addresses, vbuff)) { AppendItem(&addresses, vbuff, ""); } IncrementItemListCounter(addresses, vbuff); } } entropy = MonEntropyCalculate(addresses); MonEntropyClassesSet(service, direction, entropy); DeleteItemList(addresses); }
void MonNetworkSnifferGatherData(void) { int i; char vbuff[CF_BUFSIZE]; const char* const statedir = GetStateDir(); for (i = 0; i < CF_NETATTR; i++) { struct stat statbuf; double entropy; time_t now = time(NULL); Log(LOG_LEVEL_DEBUG, "save incoming '%s'", TCPNAMES[i]); snprintf(vbuff, CF_MAXVARSIZE, "%s%ccf_incoming.%s", statedir, FILE_SEPARATOR, TCPNAMES[i]); if (stat(vbuff, &statbuf) != -1) { if (ItemListSize(NETIN_DIST[i]) < statbuf.st_size && now < statbuf.st_mtime + 40 * 60) { Log(LOG_LEVEL_VERBOSE, "New state %s is smaller, retaining old for 40 mins longer", TCPNAMES[i]); DeleteItemList(NETIN_DIST[i]); NETIN_DIST[i] = NULL; continue; } } SaveTCPEntropyData(NETIN_DIST[i], i, "in"); entropy = MonEntropyCalculate(NETIN_DIST[i]); MonEntropyClassesSet(TCPNAMES[i], "in", entropy); DeleteItemList(NETIN_DIST[i]); NETIN_DIST[i] = NULL; } for (i = 0; i < CF_NETATTR; i++) { struct stat statbuf; double entropy; time_t now = time(NULL); Log(LOG_LEVEL_DEBUG, "save outgoing '%s'", TCPNAMES[i]); snprintf(vbuff, CF_MAXVARSIZE, "%s%ccf_outgoing.%s", statedir, FILE_SEPARATOR, TCPNAMES[i]); if (stat(vbuff, &statbuf) != -1) { if (ItemListSize(NETOUT_DIST[i]) < statbuf.st_size && now < statbuf.st_mtime + 40 * 60) { Log(LOG_LEVEL_VERBOSE, "New state '%s' is smaller, retaining old for 40 mins longer", TCPNAMES[i]); DeleteItemList(NETOUT_DIST[i]); NETOUT_DIST[i] = NULL; continue; } } SaveTCPEntropyData(NETOUT_DIST[i], i, "out"); entropy = MonEntropyCalculate(NETOUT_DIST[i]); MonEntropyClassesSet(TCPNAMES[i], "out", entropy); DeleteItemList(NETOUT_DIST[i]); NETOUT_DIST[i] = NULL; } }
void MonNetworkSnifferGatherData(double *cf_this) { int i; char vbuff[CF_BUFSIZE]; for (i = 0; i < CF_NETATTR; i++) { struct stat statbuf; double entropy; time_t now = time(NULL); CfDebug("save incoming %s\n", TCPNAMES[i]); snprintf(vbuff, CF_MAXVARSIZE, "%s/state/cf_incoming.%s", CFWORKDIR, TCPNAMES[i]); if (cfstat(vbuff, &statbuf) != -1) { if ((ByteSizeList(NETIN_DIST[i]) < statbuf.st_size) && (now < statbuf.st_mtime + 40 * 60)) { CfOut(cf_verbose, "", "New state %s is smaller, retaining old for 40 mins longer\n", TCPNAMES[i]); DeleteItemList(NETIN_DIST[i]); NETIN_DIST[i] = NULL; continue; } } SaveTCPEntropyData(NETIN_DIST[i], i, "in"); entropy = MonEntropyCalculate(NETIN_DIST[i]); MonEntropyClassesSet(TCPNAMES[i], "in", entropy); DeleteItemList(NETIN_DIST[i]); NETIN_DIST[i] = NULL; } for (i = 0; i < CF_NETATTR; i++) { struct stat statbuf; double entropy; time_t now = time(NULL); CfDebug("save outgoing %s\n", TCPNAMES[i]); snprintf(vbuff, CF_MAXVARSIZE, "%s/state/cf_outgoing.%s", CFWORKDIR, TCPNAMES[i]); if (cfstat(vbuff, &statbuf) != -1) { if ((ByteSizeList(NETOUT_DIST[i]) < statbuf.st_size) && (now < statbuf.st_mtime + 40 * 60)) { CfOut(cf_verbose, "", "New state %s is smaller, retaining old for 40 mins longer\n", TCPNAMES[i]); DeleteItemList(NETOUT_DIST[i]); NETOUT_DIST[i] = NULL; continue; } } SaveTCPEntropyData(NETOUT_DIST[i], i, "out"); entropy = MonEntropyCalculate(NETOUT_DIST[i]); MonEntropyClassesSet(TCPNAMES[i], "out", entropy); DeleteItemList(NETOUT_DIST[i]); NETOUT_DIST[i] = NULL; } }