/**
 * AR_Init - initialise the active-response subsystem.
 *
 * Creates the two global lists used by active response (ar_commands and
 * active_responses) and resets ar_flag. Allocation failure of either
 * list is fatal: the process terminates through ErrorExit(LIST_ERROR).
 */
void AR_Init()
{
    ar_flag = 0;

    ar_commands = OSList_Create();
    active_responses = OSList_Create();

    /* Both lists are mandatory; there is no degraded mode without them. */
    if (ar_commands == NULL || active_responses == NULL) {
        ErrorExit(LIST_ERROR, ARGV0);
    }
}
/**
 * Append @data to the per-key list stored under @key in @top.
 *
 * The list for a key is created lazily on its first entry and then
 * registered in the store with OSStore_Put().
 *
 * @return 1 on success, 0 when a new list could not be allocated (logged
 *         as MEM_ERROR; @data is then not stored).
 */
int _os_report_add_tostore(char *key, OSStore *top, void *data)
{
    OSList *entries = OSStore_Get(top, key);

    /* Common case: the key already owns a list, just append to it. */
    if (entries) {
        OSList_AddData(entries, data);
        return (1);
    }

    /* First entry for this key: allocate the list and register it. */
    entries = OSList_Create();
    if (entries == NULL) {
        merror(MEM_ERROR, __local_name);
        return (0);
    }

    OSList_AddData(entries, data);
    OSStore_Put(top, key, entries);
    return (1);
}
/**
 * OS_MarkID - link @orig_rule to every rule whose sigid equals its
 * if_matched_sid, walking the rule tree depth-first.
 *
 * For each matching node the node's sid_prev_matched list is created on
 * demand (allocation failure is fatal via ErrorExit(MEM_ERROR)) and
 * orig_rule->sid_search is pointed at it. Because the assignment is
 * repeated on every match, sid_search ends up referencing the list of the
 * last matching node visited.
 *
 * @param r_node    subtree to walk; NULL means start from OS_GetFirstRule()
 * @param orig_rule rule carrying the if_matched_sid to look for
 * @return always 0
 */
int OS_MarkID(RuleNode *r_node, RuleInfo *orig_rule)
{
    RuleNode *node = (r_node != NULL) ? r_node : OS_GetFirstRule();

    for (; node != NULL; node = node->next) {
        RuleInfo *info = node->ruleinfo;

        if (info->sigid == orig_rule->if_matched_sid) {
            /* The child rule keeps the list; create it the first time. */
            if (info->sid_prev_matched == NULL) {
                info->sid_prev_matched = OSList_Create();
                if (info->sid_prev_matched == NULL) {
                    ErrorExit(MEM_ERROR, ARGV0, errno, strerror(errno));
                }
            }
            orig_rule->sid_search = info->sid_prev_matched;
        }

        /* Recurse into children before moving to the next sibling. */
        if (node->child != NULL) {
            OS_MarkID(node->child, orig_rule);
        }
    }

    return (0);
}
/* Return non-zero when pid appears to exist.
 * A pid is treated as absent only when both getsid() and getpgid() fail
 * with ESRCH; any other failure (e.g. EPERM) still counts as present. */
static int _os_pid_present(pid_t pid)
{
    if (getsid(pid) == -1 && errno == ESRCH) {
        return 0;
    }
    if (getpgid(pid) == -1 && errno == ESRCH) {
        return 0;
    }
    return 1;
}

/**
 * os_get_process_list - build the list of running Unix processes.
 *
 * Locates the ps binary (/bin/ps, then /usr/bin/ps), then scans pids
 * 1..MAX_PID; for every pid that is present, _os_get_runps() is asked for
 * the process entry and a Proc_Info with p_path set to that string (and
 * p_name left NULL) is appended to a fresh OSList.
 *
 * @return the OSList of Proc_Info as void*, or NULL if ps cannot be found
 *         or the list cannot be created. Ownership of the list and its
 *         entries presumably passes to the caller — confirm against callers.
 */
void *os_get_process_list()
{
    static const char *const ps_candidates[] = { "/bin/ps", "/usr/bin/ps" };
    char ps[OS_SIZE_1024 + 1];
    size_t k;
    int ps_found = 0;
    OSList *p_list = NULL;
    pid_t pid;
    pid_t max_pid = MAX_PID;

    /* Locate ps: first candidate that is_file() accepts wins. */
    memset(ps, '\0', sizeof(ps));
    for (k = 0; k < sizeof(ps_candidates) / sizeof(ps_candidates[0]); k++) {
        snprintf(ps, sizeof(ps), "%s", ps_candidates[k]);
        if (is_file(ps)) {
            ps_found = 1;
            break;
        }
    }
    if (!ps_found) {
        merror("%s: ERROR: 'ps' not found.", ARGV0);
        return (NULL);
    }

    p_list = OSList_Create();
    if (p_list == NULL) {
        merror(LIST_ERROR, ARGV0);
        return (NULL);
    }

    for (pid = 1; pid <= max_pid; pid++) {
        Proc_Info *p_info;
        char *p_name;

        if (!_os_pid_present(pid)) {
            continue;
        }

        /* No ps output for this pid: skip it silently, as before. */
        p_name = _os_get_runps(ps, (int)pid);
        if (p_name == NULL) {
            continue;
        }

        os_calloc(1, sizeof(Proc_Info), p_info);
        p_info->p_path = p_name;
        p_info->p_name = NULL;
        OSList_AddData(p_list, p_info);
    }

    return ((void *)p_list);
}
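/**
 * WinExecd_Start - initialise the Windows execd service.
 *
 * Reads the execd configuration from DEFAULTCPATH and creates the global
 * timeout_list that tracks commands waiting for their delete/timeout run.
 *
 * @return 1 when execd should keep running, 0 when active response is
 *         disabled in the configuration. Exits the process via ErrorExit
 *         when the configuration cannot be read (CONFIG_ERROR) or the
 *         timeout list cannot be allocated (LIST_ERROR).
 *
 * The former header comment described main(int argc, char **argv) and a
 * test_config flag that was never set; both were stale and are gone.
 */
int WinExecd_Start()
{
    char *cfg = DEFAULTCPATH;
    int c = ExecdConfig(cfg);

    if (c < 0) {
        ErrorExit(CONFIG_ERROR, ARGV0, cfg);
    }

    /* ExecdConfig() reports 1 when active response is disabled. */
    if (c == 1) {
        verbose(EXEC_DISABLED, ARGV0);
        return (0);
    }

    timeout_list = OSList_Create();
    if (timeout_list == NULL) {
        ErrorExit(LIST_ERROR, ARGV0);
    }

    verbose(STARTUP_MSG, ARGV0, getpid());
    return (1);
}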
/**
 * Append @data to the list kept under @key in @top, creating and
 * registering that list the first time the key is seen.
 *
 * @return 1 on success, 0 if the new list could not be allocated (logged
 *         as MEM_ERROR with errno; @data is not stored in that case).
 */
static int _os_report_add_tostore(const char *key, OSStore *top, void *data)
{
    OSList *bucket = (OSList *) OSStore_Get(top, key);
    int created = 0;

    if (bucket == NULL) {
        bucket = OSList_Create();
        if (bucket == NULL) {
            merror(MEM_ERROR, __local_name, errno, strerror(errno));
            return (0);
        }
        created = 1;
    }

    OSList_AddData(bucket, data);

    /* A freshly created list must be made reachable through the store. */
    if (created) {
        OSStore_Put(top, key, bucket);
    }

    return (1);
}
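/* Free a NULL-terminated argv-style array built for a timeout entry,
 * including the array itself. */
static void _free_timeout_args(char **args)
{
    char **cursor = args;

    while (*cursor) {
        os_free(*cursor);
        *cursor = NULL;
        cursor++;
    }
    os_free(args);
}

/* Look up @rkey in repeated_hash and, when present, compute the escalated
 * block time for this repeat offender from repeated_offenders_timeout.
 *
 * Returns 1 and stores the new timeout (seconds) in *new_timeout when the
 * key is known; returns 0 without touching *new_timeout otherwise. The
 * stored counter is advanced until the last configured level is reached.
 * The previous counter string is freed before being replaced: per the
 * existing comment on this path, hash_op.c leaves stored data owned by the
 * caller, so OSHash_Update() does not release it (formerly leaked on the
 * second call site). */
static int _repeated_offender_timeout(char *rkey, int *new_timeout)
{
    char *ntimes = (char *) OSHash_Get(repeated_hash, rkey);
    int ntimes_int;
    int levels = 0;

    if (!ntimes) {
        return 0;
    }

    ntimes_int = atoi(ntimes);
    while (repeated_offenders_timeout[levels] != 0) {
        levels++;
    }

    if (ntimes_int >= levels) {
        /* Already at the top level: keep using the last configured value. */
        *new_timeout = repeated_offenders_timeout[levels - 1] * 60;
    } else {
        *new_timeout = repeated_offenders_timeout[ntimes_int] * 60;
        ntimes_int++;
        free(ntimes);
        os_calloc(10, sizeof(char), ntimes);
        snprintf(ntimes, 9, "%d", ntimes_int);
        OSHash_Update(repeated_hash, rkey, ntimes);
    }

    return 1;
}

/**
 * ExecdStart - main loop of execd.
 *
 * Reads "<name> <args...>" messages from the unix queue @q, resolves the
 * command for <name> through GetCommandbyName(), executes it with
 * ADD_ENTRY, and (when the command has a timeout) records a timeout entry
 * whose DELETE_ENTRY form is executed once time_to_block has elapsed.
 * Repeated offenders (same command and same fourth argument) are not
 * re-executed; their existing entry is refreshed and, when
 * repeated_offenders_timeout is configured, its block time escalated.
 *
 * Fix: a message with fewer than two arguments (timeout_args[3] == NULL)
 * used to fall through into the duplicate-check loop and pass NULL to
 * strcmp() whenever the timeout list was non-empty; the loop is now
 * skipped once the argument-count error has been raised.
 *
 * @param q descriptor of the execd unix queue (EXECQUEUEPATH)
 */
static void ExecdStart(int q)
{
    int i, childcount = 0;
    time_t curr_time;
    char buffer[OS_MAXSTR + 1];
    char *tmp_msg = NULL;
    char *name;
    char *command;
    char *cmd_args[MAX_ARGS + 2];

    /* select() state for the queue descriptor */
    fd_set fdset;
    struct timeval socket_timeout;

    memset(buffer, '\0', OS_MAXSTR + 1);
    for (i = 0; i <= MAX_ARGS + 1; i++) {
        cmd_args[i] = NULL;
    }

    timeout_list = OSList_Create();
    if (!timeout_list) {
        ErrorExit(LIST_ERROR, ARGV0);
    }

    /* The repeat-offender hash only exists when escalation is configured. */
    repeated_hash = (repeated_offenders_timeout[0] != 0) ? OSHash_Create() : NULL;

    while (1) {
        int timeout_value;
        int added_before = 0;
        char **timeout_args;
        timeout_data *timeout_entry;

        /* Reap finished children without blocking. */
        while (childcount) {
            int wp = waitpid((pid_t) -1, NULL, WNOHANG);

            if (wp < 0) {
                merror(WAITPID_ERROR, ARGV0, errno, strerror(errno));
                break;
            } else if (wp == 0) {
                /* Still running; try again on the next iteration. */
                break;
            } else {
                childcount--;
            }
        }

        curr_time = time(0);

        /* Run the delete half of every command whose block time expired. */
        timeout_node = OSList_GetFirstNode(timeout_list);
        while (timeout_node) {
            timeout_data *list_entry = (timeout_data *) timeout_node->data;

            if ((curr_time - list_entry->time_of_addition) > list_entry->time_to_block) {
                ExecCmd(list_entry->command);

                /* Deleting the current node advances the list cursor. */
                OSList_DeleteCurrentlyNode(timeout_list);
                timeout_node = OSList_GetCurrentlyNode(timeout_list);

                FreeTimeoutEntry(list_entry);
                childcount++;
            } else {
                timeout_node = OSList_GetNextNode(timeout_list);
            }
        }

        /* Wait up to EXECD_TIMEOUT for a message. */
        socket_timeout.tv_sec = EXECD_TIMEOUT;
        socket_timeout.tv_usec = 0;
        FD_ZERO(&fdset);
        FD_SET(q, &fdset);

        if (select(q + 1, &fdset, NULL, NULL, &socket_timeout) == 0) {
            continue;
        }
        if (!FD_ISSET(q, &fdset)) {
            merror(SELECT_ERROR, ARGV0, errno, strerror(errno));
            continue;
        }

        if (OS_RecvUnix(q, OS_MAXSTR, buffer) == 0) {
            merror(QUEUE_ERROR, ARGV0, EXECQUEUEPATH, strerror(errno));
            continue;
        }

        curr_time = time(0);

        /* Message layout: "<name> <arg1> <arg2> ...". */
        name = buffer;
        tmp_msg = strchr(buffer, ' ');
        if (!tmp_msg) {
            merror(EXECD_INV_MSG, ARGV0, buffer);
            continue;
        }
        *tmp_msg = '\0';
        tmp_msg++;

        /* Unknown names trigger one configuration reload before giving up. */
        command = GetCommandbyName(name, &timeout_value);
        if (!command) {
            ReadExecConfig();
            command = GetCommandbyName(name, &timeout_value);
            if (!command) {
                merror(EXEC_INV_NAME, ARGV0, name);
                continue;
            }
        }

        /* Name known but no executable configured. */
        if (command[0] == '\0') {
            continue;
        }

        /* cmd_args is the ADD_ENTRY argv; timeout_args the DELETE_ENTRY copy. */
        os_calloc(MAX_ARGS + 2, sizeof(char *), timeout_args);

        cmd_args[0] = command;
        cmd_args[1] = ADD_ENTRY;
        os_strdup(command, timeout_args[0]);
        os_strdup(DELETE_ENTRY, timeout_args[1]);
        cmd_args[2] = NULL;
        timeout_args[2] = NULL;

        /* Split the remaining message on spaces into both argv arrays. */
        i = 2;
        while (i < (MAX_ARGS - 1)) {
            cmd_args[i] = tmp_msg;
            cmd_args[i + 1] = NULL;

            tmp_msg = strchr(tmp_msg, ' ');
            if (!tmp_msg) {
                timeout_args[i] = strdup(cmd_args[i]);
                timeout_args[i + 1] = NULL;
                break;
            }
            *tmp_msg = '\0';
            tmp_msg++;

            timeout_args[i] = strdup(cmd_args[i]);
            timeout_args[i + 1] = NULL;
            i++;
        }

        timeout_node = OSList_GetFirstNode(timeout_list);
        added_before = 0;

        /* The duplicate check below keys on argument 3 (the "ip"), so a
         * message without it cannot be matched or executed. */
        if (!timeout_args[2] || !timeout_args[3]) {
            added_before = 1;
            merror("%s: Invalid number of arguments.", ARGV0);
        }

        /* Was this exact command (same executable, same argument 3) already
         * executed and still pending its timeout? Skipped when the
         * argument check above failed, since timeout_args[3] may be NULL. */
        while (!added_before && timeout_node) {
            timeout_data *list_entry = (timeout_data *) timeout_node->data;

            if ((strcmp(list_entry->command[3], timeout_args[3]) == 0) &&
                (strcmp(list_entry->command[0], timeout_args[0]) == 0)) {
                added_before = 1;

                /* Refresh the entry instead of re-executing the command. */
                list_entry->time_of_addition = curr_time;

                if (repeated_offenders_timeout[0] != 0 && repeated_hash != NULL &&
                    strncmp(timeout_args[3], "-", 1) != 0) {
                    char rkey[256];
                    int new_timeout;

                    rkey[255] = '\0';
                    snprintf(rkey, 255, "%s%s", list_entry->command[0], timeout_args[3]);
                    if (_repeated_offender_timeout(rkey, &new_timeout)) {
                        list_entry->time_to_block = new_timeout;
                    }
                }
                break;
            }

            timeout_node = OSList_GetNextNode(timeout_list);
        }

        if (!added_before) {
            ExecCmd(cmd_args);

            /* Only commands with a timeout need a pending delete entry. */
            if (timeout_value) {
                char rkey[256];

                rkey[255] = '\0';
                snprintf(rkey, 255, "%s%s", timeout_args[0], timeout_args[3]);

                if (repeated_hash != NULL) {
                    int new_timeout;

                    if (_repeated_offender_timeout(rkey, &new_timeout)) {
                        timeout_value = new_timeout;
                    } else {
                        /* First time seen: start counting repeats. */
                        OSHash_Add(repeated_hash, rkey, strdup("0"));
                    }
                }

                os_calloc(1, sizeof(timeout_data), timeout_entry);
                timeout_entry->command = timeout_args;
                timeout_entry->time_of_addition = curr_time;
                timeout_entry->time_to_block = timeout_value;

                if (!OSList_AddData(timeout_list, timeout_entry)) {
                    merror(LIST_ADD_ERROR, ARGV0);
                    FreeTimeoutEntry(timeout_entry);
                }
            } else {
                /* No timeout: the delete argv is never needed. */
                _free_timeout_args(timeout_args);
            }

            childcount++;
        } else {
            /* Duplicate or malformed: nothing was executed or queued. */
            _free_timeout_args(timeout_args);
        }

        /* Drop the argument pointers into the (about to be reused) buffer. */
        while (i > 0) {
            cmd_args[i] = NULL;
            i--;
        }
    }
}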
/* Open @path read/write, creating it first when it does not yet exist.
 * Returns the stream, or NULL after logging FOPEN_ERROR.
 * NOTE(review): the mode applied here, 0777, leaves the queue file
 * world-writable; kept as-is for behavioural parity, but worth confirming
 * whether a tighter mode is viable for this deployment. */
static FILE *_fts_open_queue(const char *path)
{
    FILE *fp = fopen(path, "r+");

    if (fp) {
        return fp;
    }

    fp = fopen(path, "w+");
    if (fp) {
        fclose(fp);
    }
    chmod(path, 0777);

    fp = fopen(path, "r+");
    if (!fp) {
        merror(FOPEN_ERROR, ARGV0, path);
    }
    return fp;
}

/**
 * FTS_Init - start the first-time-seen (FTS) module.
 *
 * Creates the FTS list and hash store, applies the sizes from the
 * "analysisd" defines (fts_list_size, fts_min_size_for_str), opens (or
 * creates) FTS_QUEUE and IG_QUEUE as the global fp_list / fp_ignore
 * streams, and preloads every line of FTS_QUEUE into fts_store.
 *
 * @return 1 on success, 0 after logging the first failure (list, hash,
 *         size or file errors). Streams opened before a failure are left
 *         open, as they were in the original.
 */
int FTS_Init()
{
    int fts_list_size;
    char _line[OS_FLSIZE + 1];

    _line[OS_FLSIZE] = '\0';

    fts_list = OSList_Create();
    if (fts_list == NULL) {
        merror(LIST_ERROR, ARGV0);
        return (0);
    }

    fts_store = OSHash_Create();
    if (fts_store == NULL) {
        merror(LIST_ERROR, ARGV0);
        return (0);
    }
    if (!OSHash_setSize(fts_store, 2048)) {
        merror(LIST_ERROR, ARGV0);
        return (0);
    }

    /* Tunables: (name, default, max) as given to getDefine_Int(). */
    fts_list_size = getDefine_Int("analysisd", "fts_list_size", 12, 512);
    fts_minsize_for_str = getDefine_Int("analysisd", "fts_min_size_for_str", 6, 128);

    if (!OSList_SetMaxSize(fts_list, fts_list_size)) {
        merror(LIST_SIZE_ERROR, ARGV0);
        return (0);
    }

    fp_list = _fts_open_queue(FTS_QUEUE);
    if (fp_list == NULL) {
        return (0);
    }

    /* Seed the store with the entries persisted from earlier runs. */
    fseek(fp_list, 0, SEEK_SET);
    while (fgets(_line, OS_FLSIZE, fp_list) != NULL) {
        char *entry;
        char *newline = strchr(_line, '\n');

        if (newline) {
            *newline = '\0';
        }

        /* The copy serves as both key and value in the hash.
         * NOTE(review): only a return <= 0 frees the copy; if OSHash_Add
         * reports an existing key with a positive value, that copy is not
         * stored and is not released here — confirm against hash_op.c. */
        os_strdup(_line, entry);
        if (OSHash_Add(fts_store, entry, entry) <= 0) {
            free(entry);
            merror(LIST_ADD_ERROR, ARGV0);
        }
    }

    fp_ignore = _fts_open_queue(IG_QUEUE);
    if (fp_ignore == NULL) {
        return (0);
    }

    debug1("%s: DEBUG: FTSInit completed.", ARGV0);
    return (1);
}