int Sagan_Search_Load ( int type ) {
FILE *search;
char searchbuf[1024] = { 0 };
char tmpfile[MAXPATH];
/* Init processor info */
processor_info_search = malloc(sizeof(struct _Sagan_Processor_Info));
memset(processor_info_search, 0, sizeof(_Sagan_Processor_Info));
processor_info_search->processor_name = SEARCH_PROCESSOR_NAME;
processor_info_search->processor_generator_id = SEARCH_PROCESSOR_GENERATOR_ID;
processor_info_search->processor_name = SEARCH_PROCESSOR_NAME;
processor_info_search->processor_facility = SEARCH_PROCESSOR_FACILITY;
processor_info_search->processor_priority = SEARCH_PROCESSOR_PRIORITY;
processor_info_search->processor_pri = SEARCH_PROCESSOR_PRI;
processor_info_search->processor_class = SEARCH_PROCESSOR_CLASS;
processor_info_search->processor_tag = SEARCH_PROCESSOR_TAG;
processor_info_search->processor_rev = SEARCH_PROCESSOR_REV;
if ( type == 1 ) {
strlcpy(tmpfile, config->search_nocase_file, sizeof(tmpfile));
} else {
strlcpy(tmpfile, config->search_case_file, sizeof(tmpfile));
}
if (( search = fopen(tmpfile, "r" )) == NULL ) {
Sagan_Log(S_ERROR, "[%s, line %d] No search list to load (%s)", __FILE__, __LINE__, config->search_nocase_file);
}
while(fgets(searchbuf, 1024, search) != NULL) {
/* Skip comments and blank linkes */
if (searchbuf[0] == '#' || searchbuf[0] == 10 || searchbuf[0] == ';' || searchbuf[0] == 32) {
continue;
} else {
if ( type == 1) {
SaganNocaseSearchlist = (_Sagan_Nocase_Searchlist *) realloc(SaganNocaseSearchlist, (counters->search_nocase_count+1) * sizeof(_Sagan_Nocase_Searchlist));
strlcpy(SaganNocaseSearchlist[counters->search_nocase_count].search, Remove_Return(searchbuf), sizeof(SaganNocaseSearchlist[counters->search_nocase_count].search));
counters->search_nocase_count++;
} else {
SaganCaseSearchlist = (_Sagan_Case_Searchlist *) realloc(SaganCaseSearchlist, (counters->search_case_count+1) * sizeof(_Sagan_Case_Searchlist));
strlcpy(SaganCaseSearchlist[counters->search_case_count].search, Remove_Return(searchbuf), sizeof(SaganCaseSearchlist[counters->search_case_count].search));
counters->search_case_count++;
}
}
}
return(0);
}
void Load_Gen_Map( const char *genmap )
{
FILE *genmapfile;
char genbuf[1024];
char *saveptr=NULL;
char *gen1=NULL;
char *gen2=NULL;
char *gen3=NULL;
Sagan_Log(S_NORMAL, "Loading gen-msg.map file. [%s]", genmap);
counters->genmapcount=0;
if (( genmapfile = fopen(genmap, "r" )) == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Cannot open generator file (%s)", __FILE__, __LINE__, genmap);
}
while(fgets(genbuf, 1024, genmapfile) != NULL)
{
/* Skip comments and blank linkes */
if (genbuf[0] == '#' || genbuf[0] == 10 || genbuf[0] == ';' || genbuf[0] == 32)
{
continue;
}
else
{
/* Allocate memory for references, not comments */
generator = (_Sagan_Processor_Generator *) realloc(generator, (counters->genmapcount+1) * sizeof(_Sagan_Processor_Generator));
}
gen1 = Remove_Return(strtok_r(genbuf, "|", &saveptr));
gen2 = Remove_Return(strtok_r(NULL, "|", &saveptr));
gen3 = Remove_Return(strtok_r(NULL, "|", &saveptr));
if ( gen1 == NULL || gen2 == NULL || gen3 == NULL )
{
Sagan_Log(S_ERROR, "%s is incorrect or not correctly formated", genmap);
}
generator[counters->genmapcount].generatorid=atoi(gen1);
generator[counters->genmapcount].alertid=atoi(gen2);
strlcpy(generator[counters->genmapcount].generator_msg, Remove_Return(gen3), sizeof(generator[counters->genmapcount].generator_msg));
counters->genmapcount++;
}
fclose(genmapfile);
Sagan_Log(S_NORMAL, "%d generators loaded.", counters->genmapcount);
}
void Load_Protocol_Map( const char *map )
{
FILE *mapfile;
char mapbuf[1024];
char *saveptr=NULL;
char *map1=NULL;
char *map2=NULL;
char *map3=NULL;
char *map4=NULL;
Sagan_Log(S_NORMAL, "Loading protocol map file. [%s]", map);
counters->mapcount=0;
if (( mapfile = fopen(map, "r" )) == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Cannot open protocol map file (%s)", __FILE__, __LINE__, map);
}
while(fgets(mapbuf, 1024, mapfile) != NULL)
{
/* Skip comments and blank linkes */
if (mapbuf[0] == '#' || mapbuf[0] == 10 || mapbuf[0] == ';' || mapbuf[0] == 32)
{
continue;
}
else
{
/* Allocate memory for references, not comments */
map1 = Remove_Spaces(Remove_Return(strtok_r(mapbuf, "|", &saveptr)));
map2 = Remove_Spaces(Remove_Return(strtok_r(NULL, "|", &saveptr)));
map3 = Remove_Spaces(Remove_Return(strtok_r(NULL, "|", &saveptr)));
map4 = Remove_Return(strtok_r(NULL, "|", &saveptr));
if ( map1 == NULL || map2 == NULL || map3 == NULL || map4 == NULL)
{
Sagan_Log(S_ERROR, "%s is incorrect or not correctly formated", map);
}
if (!strcmp(map1, "message"))
{
map_message = (_Sagan_Protocol_Map_Message *) realloc(map_message, (counters->mapcount_message+1) * sizeof(_Sagan_Protocol_Map_Message));
if ( map_message == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for map_message. Abort!", __FILE__, __LINE__);
}
map_message[counters->mapcount_message].proto = atoi(map2);
if (!strcmp(map3, "nocase")) map_message[counters->mapcount_message].nocase = 1;
strlcpy(map_message[counters->mapcount_message].search, map4, sizeof(map_message[counters->mapcount_message].search));
counters->mapcount_message++;
}
if (!strcmp(map1, "program"))
{
map_program = (_Sagan_Protocol_Map_Program *) realloc(map_program, (counters->mapcount_program+1) * sizeof(_Sagan_Protocol_Map_Program));
if ( map_program == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for map_program. Abort!", __FILE__, __LINE__);
}
map_program[counters->mapcount_program].proto = atoi(map2);
if (!strcmp(map3, "nocase")) map_program[counters->mapcount_program].nocase = 1;
strlcpy(map_program[counters->mapcount_program].program, map4, sizeof(map_program[counters->mapcount_program].program));
counters->mapcount_program++;
}
counters->mapcount++;
}
}
fclose(mapfile);
Sagan_Log(S_NORMAL, "%d protocols loaded [Message search: %d|Program search: %d]", counters->mapcount, counters->mapcount_message, counters->mapcount_program);
}
void Load_Config( void )
{
FILE *sagancfg;
char *filename;
char ruleset[MAXPATH];
char normfile[MAXPATH];
char tmpbuf[CONFBUF];
char tmpbuf2[CONFBUF];
char tmpstring[CONFBUF];
char *sagan_option=NULL;
char *sagan_var1=NULL;
char *sagan_var2=NULL;
char *sagan_var3=NULL;
char *ptmp=NULL;
char *tok=NULL;
char *tok2=NULL;
int i,check;
/* Set some system defaults */
strlcpy(config->sagan_alert_filepath, ALERTLOG, sizeof(config->sagan_alert_filepath));
strlcpy(config->sagan_lockfile, LOCKFILE, sizeof(config->sagan_lockfile));
strlcpy(config->sagan_log_path, SAGANLOGPATH, sizeof(config->sagan_log_path));
strlcpy(config->sagan_rule_path, RULE_PATH, sizeof(config->sagan_rule_path));
config->sagan_fifo[0] = '\0';
config->sagan_host[0] = '\0';
config->sagan_port = 514;
#if defined(F_GETPIPE_SZ) && defined(F_SETPIPE_SZ)
config->sagan_fifo_size = MAX_FIFO_SIZE;
#endif
if ( config->sagan_fifo_flag != 1 )
{
strlcpy(config->sagan_fifo, FIFO, sizeof(config->sagan_fifo));
}
#ifdef HAVE_LIBESMTP
strlcpy(config->sagan_email_subject, DEFAULT_SMTP_SUBJECT, sizeof(config->sagan_email_subject));
#endif
config->sagan_proto = 17; /* Default to UDP */
config->max_processor_threads = MAX_PROCESSOR_THREADS;
/* PLOG defaults */
#ifdef HAVE_LIBPCAP
strlcpy(config->plog_interface, PLOG_INTERFACE, sizeof(config->plog_interface));
strlcpy(config->plog_filter, PLOG_FILTER, sizeof(config->plog_filter));
strlcpy(config->plog_logdev, PLOG_LOGDEV, sizeof(config->plog_logdev));
#endif
//config->home_any = 0;
//config->external_any = 0;
/* Start loading configuration */
rulestruct = (_Rule_Struct *) realloc(rulestruct, (counters->rulecount+1) * sizeof(_Rule_Struct));
/* Gather information for the master configuration file */
if ((sagancfg = fopen(config->sagan_config, "r")) == NULL)
{
fprintf(stderr, "[%s, line %d] Cannot open configuration file (%s)\n", __FILE__, __LINE__, config->sagan_config);
exit(1);
}
while(fgets(tmpbuf, sizeof(tmpbuf), sagancfg) != NULL)
{
if (tmpbuf[0] == '#') continue;
if (tmpbuf[0] == ';') continue;
if (tmpbuf[0] == 10 ) continue;
if (tmpbuf[0] == 32 ) continue;
strlcpy(tmpbuf2, tmpbuf, sizeof(tmpbuf2)); /* Retain a copy of the entire line */
sagan_option = strtok_r(tmpbuf, " ", &tok);
if (!strcmp(Remove_Return(sagan_option), "max_processor_threads"))
{
sagan_var1 = strtok_r(NULL, " ", &tok);
if ( sagan_var1 == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] \"max_processor_threads\" is incomplete!", __FILE__, __LINE__);
}
config->max_processor_threads = strtoull(sagan_var1, NULL, 10);
}
if (!strcmp(Remove_Return(sagan_option), "disable_dns_warnings"))
{
Sagan_Log(S_NORMAL, "Supressing DNS warnings");
config->disable_dns_warnings = 1;
}
if (!strcmp(Remove_Return(sagan_option), "syslog_src_lookup"))
{
Sagan_Log(S_NORMAL, "DNS lookup of source address supplied by syslog daemon");
config->syslog_src_lookup = 1;
}
if (!strcmp(Remove_Return(sagan_option), "sagan_host"))
{
sagan_var1 = Remove_Return(strtok_r(NULL, " ", &tok));
if ( sagan_var1 == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] \"sagan_host\" is incomplete!", __FILE__, __LINE__);
}
strlcpy(config->sagan_host, sagan_var1, sizeof(config->sagan_host));
}
if (!strcmp(sagan_option, "sagan_port"))
{
sagan_var1 = strtok_r(NULL, " ", &tok);
if ( sagan_var1 == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] \"sagan_port\" is incomplete!", __FILE__, __LINE__);
}
config->sagan_port = atoi(sagan_var1);
}
#if defined(F_GETPIPE_SZ) && defined(F_SETPIPE_SZ)
if (!strcmp(sagan_option, "sagan_fifo_size"))
{
sagan_var1 = strtok_r(NULL, " ", &tok);
if ( sagan_var1 == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] \"sagan_fifo_size\" is incomplete!", __FILE__, __LINE__);
}
config->sagan_fifo_size = atoi(sagan_var1);
}
#endif
#ifndef HAVE_LIBESMTP
if (!strcmp(sagan_option, "send-to") || !strcmp(sagan_option, "min_email_priority"))
{
Sagan_Log(S_ERROR, "[%s, line %d] \"libesmtp\" support not found. Re-compile with ESMTP support or disable in the sagan.conf.", __FILE__, __LINE__);
}
#endif
#ifdef HAVE_LIBESMTP
if (!strcmp(sagan_option, "send-to"))
{
sagan_var1 = strtok_r(NULL, " ", &tok);
if ( sagan_var1 == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] \"send-to\" is incomplete!", __FILE__, __LINE__);
}
strlcpy(config->sagan_esmtp_to, Remove_Return(sagan_var1), sizeof(config->sagan_esmtp_to));
config->sagan_esmtp_flag=1;
config->sagan_sendto_flag=1;
}
if (!strcmp(sagan_option, "min_email_priority"))
{
sagan_var1 = strtok_r(NULL, " ", &tok);
if ( sagan_var1 == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] \"min_email_priority\" is incomplete!", __FILE__, __LINE__);
}
config->min_email_priority = atoi(sagan_var1);
}
if (!strcmp(sagan_option, "email_subject"))
{
sagan_var1 = strtok_r(NULL, " ", &tok);
if ( sagan_var1 == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] \email_subject\" is incomplete!", __FILE__, __LINE__);
}
strlcpy(config->sagan_email_subject, Remove_Return(Between_Quotes(tmpbuf2)), sizeof(config->sagan_email_subject));
}
void Load_Config( void ) {
FILE *sagancfg;
char *filename;
char ruleset[MAXPATH];
char normfile[MAXPATH];
char tmpbuf[CONFBUF];
char tmpbuf2[CONFBUF];
char tmpstring[CONFBUF];
char *sagan_option=NULL;
char *sagan_var1=NULL;
char *sagan_var2=NULL;
char *ptmp=NULL;
char *tok=NULL;
int i,check;
/* Set some system defaults */
strlcpy(config->sagan_alert_filepath, ALERTLOG, sizeof(config->sagan_alert_filepath));
strlcpy(config->sagan_lockfile, LOCKFILE, sizeof(config->sagan_lockfile));
strlcpy(config->sagan_log_path, SAGANLOGPATH, sizeof(config->sagan_log_path));
if ( config->sagan_fifo_flag != 1 ) strlcpy(config->sagan_fifo, FIFO, sizeof(config->sagan_fifo));
strlcpy(config->sagan_rule_path, RULE_PATH, sizeof(config->sagan_rule_path));
config->sagan_proto = 17; /* Default to UDP */
config->max_processor_threads = MAX_PROCESSOR_THREADS;
/* PLOG defaults */
#ifdef HAVE_LIBPCAP
strlcpy(config->plog_interface, PLOG_INTERFACE, sizeof(config->plog_interface));
strlcpy(config->plog_filter, PLOG_FILTER, sizeof(config->plog_filter));
strlcpy(config->plog_logdev, PLOG_LOGDEV, sizeof(config->plog_logdev));
#endif
//config->home_any = 0;
//config->external_any = 0;
/* Start loading configuration */
rulestruct = (_Rule_Struct *) realloc(rulestruct, (counters->rulecount+1) * sizeof(_Rule_Struct));
/* Gather information for the master configuration file */
if ((sagancfg = fopen(config->sagan_config, "r")) == NULL) {
fprintf(stderr, "[%s, line %d] Cannot open configuration file (%s)\n", __FILE__, __LINE__, config->sagan_config);
exit(1);
}
while(fgets(tmpbuf, sizeof(tmpbuf), sagancfg) != NULL) {
if (tmpbuf[0] == '#') continue;
if (tmpbuf[0] == ';') continue;
if (tmpbuf[0] == 10 ) continue;
if (tmpbuf[0] == 32 ) continue;
strlcpy(tmpbuf2, tmpbuf, sizeof(tmpbuf2)); /* Retain a copy of the entire line */
sagan_option = strtok_r(tmpbuf, " ", &tok);
if (!strcmp(Remove_Return(sagan_option), "max_processor_threads")) {
sagan_var1 = strtok_r(NULL, " ", &tok);
config->max_processor_threads = strtoull(sagan_var1, NULL, 10);
}
if (!strcmp(Remove_Return(sagan_option), "disable_dns_warnings")) {
Sagan_Log(S_NORMAL, "Supressing DNS warnings");
config->disable_dns_warnings = 1;
}
if (!strcmp(Remove_Return(sagan_option), "syslog_src_lookup")) {
Sagan_Log(S_NORMAL, "DNS lookup of source address supplied by syslog daemon");
config->syslog_src_lookup = 1;
}
if (!strcmp(sagan_option, "sagan_host"))
strlcpy(config->sagan_host, Remove_Return(strtok_r(NULL, " " , &tok)), sizeof(config->sagan_host));
if (!strcmp(sagan_option, "sagan_port")) {
sagan_var1 = strtok_r(NULL, " ", &tok);
config->sagan_port = atoi(sagan_var1);
}
#ifndef HAVE_LIBESMTP
if (!strcmp(sagan_option, "send-to") || !strcmp(sagan_option, "min_email_priority"))
Sagan_Log(S_ERROR, "\"libesmtp\" support not found. Re-compile with ESMTP support or disable in the sagan.conf.");
#endif
#ifdef HAVE_LIBESMTP
if (!strcmp(sagan_option, "send-to")) {
sagan_var1 = strtok_r(NULL, " ", &tok);
strlcpy(config->sagan_esmtp_to, Remove_Return(sagan_var1), sizeof(config->sagan_esmtp_to));
config->sagan_esmtp_flag=1;
config->sagan_sendto_flag=1;
}
if (!strcmp(sagan_option, "min_email_priority")) {
sagan_var1 = strtok_r(NULL, " ", &tok);
config->min_email_priority = atoi(sagan_var1);
}
#endif
#ifndef HAVE_LIBPCAP
if (!strcmp(sagan_option, "plog_interface") || !strcmp(sagan_option, "plog_logdev") || !strcmp(sagan_option, "plog_port"))
Sagan_Log(S_ERROR, "\"libpcap\" support not found. Re-compile with PCAP support or disable in the sagan.conf.");
#endif
#ifdef HAVE_LIBPCAP
if (!strcmp(sagan_option, "plog_interface")) {
strlcpy(config->plog_interface, Remove_Return(strtok_r(NULL, " ", &tok)), sizeof(config->plog_interface));
config->plog_flag=1;
}
if (!strcmp(sagan_option, "plog_logdev")) {
strlcpy(config->plog_logdev, Remove_Return(strtok_r(NULL, " ", &tok)), sizeof(config->plog_logdev));
config->plog_flag=1;
}
if (!strcmp(sagan_option, "plog_filter")) {
strlcpy(config->plog_filter, Remove_Return(Between_Quotes(tmpbuf2)), sizeof(config->plog_filter));
config->plog_flag = 1;
}
if (!strcmp(sagan_option, "plog_promiscuous")) {
config->plog_promiscuous = 1;
config->plog_flag = 1;
}
#endif
#ifndef HAVE_LIBLOGNORM
if (!strcmp(sagan_option, "normalize:")) {
Sagan_Log(S_WARN, "WARNING: Sagan was not compiled with \"liblognorm\" support!");
Sagan_Log(S_WARN, "WARNING: Sagan will continue, but _without_ liblognorm!");
}
#endif
#ifdef HAVE_LIBLOGNORM
/*
We load the location for liblognorm's 'rule base/samples'. We don't want to
load them quiet yet. We only want to load samples we need, so we do the
actual ln_loadSamples() after the configuration file and all rules have
been analyzed */
if (!strcmp(sagan_option, "normalize:")) {
liblognormstruct = (liblognorm_struct *) realloc(liblognormstruct, (liblognorm_count+1) * sizeof(liblognorm_struct));
sagan_var1 = strtok_r(NULL, ",", &tok);
Remove_Spaces(sagan_var1);
strlcpy(liblognormstruct[liblognorm_count].type, sagan_var1, sizeof(liblognormstruct[liblognorm_count].type));
strlcpy(tmpstring, strtok_r(NULL, ",", &tok), sizeof(tmpstring));
Remove_Spaces(tmpstring);
Remove_Return(tmpstring);
strlcpy(normfile, Sagan_Var_To_Value(tmpstring), sizeof(normfile));
Remove_Spaces(normfile);
strlcpy(liblognormstruct[liblognorm_count].filepath, normfile, sizeof(liblognormstruct[liblognorm_count].filepath));
liblognorm_count++;
}
#endif
#ifndef HAVE_LIBGEOIP
if (!strcmp(sagan_option, "country_database")) {
Sagan_Log(S_WARN, "WARNING: Sagan was not compiled with Maxmind \"GeoIP\" support!");
Sagan_Log(S_WARN, "WARNING: Sagan will continue, but _without_ GeoIP enabled!");
}
#endif
#ifdef HAVE_LIBGEOIP
if (!strcmp(sagan_option, "country_database:")) {
sagan_var1 = Remove_Return(strtok_r(NULL, " ", &tok));
strlcpy(config->geoip_country_file, sagan_var1, sizeof(config->geoip_country_file));
Sagan_Log(S_NORMAL, "Loading GeoIP database. [%s]", config->geoip_country_file);
Sagan_Open_GeoIP_Database();
config->have_geoip = 1;
}
#endif
if (!strcmp(sagan_option, "ignore_list:")) {
sagan_var1 = Remove_Return(strtok_r(NULL, " ", &tok));
if ( sagan_var1 == NULL )
Sagan_Log(S_ERROR, "[%s, line %d] No \"ignore file\" specified in the sagan.conf file!", __FILE__, __LINE__);
config->sagan_droplist_flag = 1;
strlcpy(config->sagan_droplistfile, sagan_var1, sizeof(config->sagan_droplistfile));
}
/****************************************************************************
* Processors
****************************************************************************/
if (!strcmp(sagan_option, "processor")) {
sagan_var1 = strtok_r(NULL," ", &tok);
if (!strcmp(sagan_var1, "sagan-track-clients:")) {
sagan_var1 = strtok_r(NULL," ", &tok);
if (!strcmp(sagan_var1, "client_timeout")) {
sagan_var1 = strtok_r(NULL," ", &tok);
config->pp_sagan_track_clients = atoi(sagan_var1);
config->sagan_track_clients_flag = 1;
}
}
if (!strcmp(sagan_var1, "blacklist:")) {
config->blacklist_flag=1;
/* Set defaults */
config->blacklist_priority = BLACKLIST_PROCESSOR_PRI; /* Set default */
config->blacklist_parse_depth = 2;
config->blacklist_parse_src = 1;
config->blacklist_parse_dst = 2;
ptmp = sagan_var1;
while (ptmp != NULL ) {
if (!strcmp(ptmp, "parse_depth")) {
ptmp = strtok_r(NULL, " ", &tok);
config->blacklist_parse_depth = atoi(ptmp);
}
if (!strcmp(ptmp, "blacklist")) {
ptmp = strtok_r(NULL, " ", &tok);
strlcpy(config->blacklist_file, Remove_Return(ptmp), sizeof(config->blacklist_file));
}
if (!strcmp(ptmp, "parse_src")) {
ptmp = strtok_r(NULL, " ", &tok);
config->blacklist_parse_src = atoi(ptmp);
}
if (!strcmp(ptmp, "parse_dst")) {
ptmp = strtok_r(NULL, " ", &tok);
config->blacklist_parse_dst = atoi(ptmp);
}
if (!strcmp(ptmp, "parse_proto")) {
ptmp = strtok_r(NULL, " ", &tok);
if (!strcmp(ptmp, "true") || !strcmp(ptmp, "1")) config->blacklist_parse_proto = 1;
}
if (!strcmp(ptmp, "parse_proto_program")) {
ptmp = strtok_r(NULL, " ", &tok);
if (!strcmp(ptmp, "true") || !strcmp(ptmp, "1")) config->blacklist_parse_proto_program = 1;
}
if (!strcmp(ptmp, "lognorm")) {
ptmp = strtok_r(NULL, " ", &tok);
if (!strcmp(ptmp, "true") || !strcmp(ptmp, "1")) config->blacklist_lognorm = 1;
}
if (!strcmp(ptmp, "priority")) {
ptmp = strtok_r(NULL, " ", &tok);
config->blacklist_priority=atoi(ptmp);
}
ptmp = strtok_r(NULL, "=", &tok);
}
}
if (!strcmp(sagan_var1, "search_nocase:")) {
/* Set defaults */
config->search_nocase_flag=1;
config->search_nocase_parse_depth=2;
config->search_nocase_priority=SEARCH_PROCESSOR_PRI;
ptmp = sagan_var1;
while (ptmp != NULL ) {
if (!strcmp(ptmp, "parse_src")) {
ptmp = strtok_r(NULL, " ", &tok);
config->search_nocase_parse_src = atoi(ptmp);
}
if (!strcmp(ptmp, "parse_dst")) {
ptmp = strtok_r(NULL, " ", &tok);
config->search_nocase_parse_dst = atoi(ptmp);
}
if (!strcmp(ptmp, "parse_proto")) {
ptmp = strtok_r(NULL, " ", &tok);
if (!strcmp(ptmp, "true") || !strcmp(ptmp, "1")) config->search_nocase_parse_proto = 1;
}
if (!strcmp(ptmp, "parse_proto_program")) {
ptmp = strtok_r(NULL, " ", &tok);
if (!strcmp(ptmp, "true") || !strcmp(ptmp, "1")) config->search_nocase_parse_proto_program = 1;
}
if (!strcmp(ptmp, "searchlist")) {
ptmp = strtok_r(NULL, " ", &tok);
strlcpy(config->search_nocase_file, Remove_Return(ptmp), sizeof(config->search_nocase_file));
}
if (!strcmp(ptmp, "lognorm")) {
ptmp = strtok_r(NULL, " ", &tok);
if (!strcmp(ptmp, "true") || !strcmp(ptmp, "1")) config->search_nocase_lognorm = 1;
}
if (!strcmp(ptmp, "priority")) {
ptmp = strtok_r(NULL, " ", &tok);
config->search_nocase_priority=atoi(ptmp);
}
ptmp = strtok_r(NULL, "=", &tok);
}
}
if (!strcmp(sagan_var1, "search_case:")) {
config->search_case_flag=1;
config->search_case_parse_depth=2;
config->search_case_parse_src = 1;
config->search_case_parse_src = 2;
ptmp = sagan_var1;
while (ptmp != NULL ) {
if (!strcmp(ptmp, "parse_src")) {
ptmp = strtok_r(NULL, " ", &tok);
config->search_case_parse_src = atoi(ptmp);
}
if (!strcmp(ptmp, "parse_dst")) {
ptmp = strtok_r(NULL, " ", &tok);
config->search_case_parse_dst = atoi(ptmp);
}
if (!strcmp(ptmp, "parse_proto")) {
ptmp = strtok_r(NULL, " ", &tok);
if (!strcmp(ptmp, "true") || !strcmp(ptmp, "1")) config->search_case_parse_proto = 1;
}
if (!strcmp(ptmp, "parse_proto_program")) {
ptmp = strtok_r(NULL, " ", &tok);
if (!strcmp(ptmp, "true") || !strcmp(ptmp, "1")) config->search_case_parse_proto_program = 1;
}
if (!strcmp(ptmp, "searchlist")) {
ptmp = strtok_r(NULL, " ", &tok);
strlcpy(config->search_case_file, Remove_Return(ptmp), sizeof(config->search_case_file));
}
if (!strcmp(ptmp, "lognorm")) {
ptmp = strtok_r(NULL, " ", &tok);
if (!strcmp(ptmp, "true") || !strcmp(ptmp, "1")) config->search_case_lognorm = 1;
}
if (!strcmp(ptmp, "priority")) {
ptmp = strtok_r(NULL, " ", &tok);
config->search_case_priority=atoi(ptmp);
}
ptmp = strtok_r(NULL, "=", &tok);
}
}
#ifdef WITH_WEBSENSE
if (!strcmp(sagan_var1, "websense:")) {
config->websense_flag=1;
/* Set defaults */
config->websense_parse_depth=2; /* default */
strlcpy(config->websense_device_id, "NO_DEVICE_ID", sizeof(config->websense_device_id));
config->websense_parse_src = 1;
config->websense_parse_dst = 2;
config->websense_priority = WEBSENSE_PROCESSOR_PRI;
ptmp = sagan_var1;
while (ptmp != NULL ) {
if (!strcmp(ptmp, "parse_depth")) {
ptmp = strtok_r(NULL, " ", &tok);
config->websense_parse_depth = atoi(ptmp);
}
if (!strcmp(ptmp, "auth")) {
ptmp = strtok_r(NULL, " ", &tok);
strlcpy(config->websense_auth, Remove_Return(ptmp), sizeof(config->websense_auth));
}
if (!strcmp(ptmp, "url")) {
ptmp = strtok_r(NULL, " ", &tok);
strlcpy(config->websense_url, Remove_Return(ptmp), sizeof(config->websense_url));
}
if (!strcmp(ptmp, "max_cache")) {
ptmp = strtok_r(NULL, " ", &tok);
config->websense_max_cache = strtoull(ptmp, NULL, 10);
}
if (!strcmp(ptmp, "cache_timeout")) {
ptmp = strtok_r(NULL, " ", &tok);
config->websense_timeout = atoi(ptmp) * 60;
}
if (!strcmp(ptmp, "ignore_list")) {
ptmp = strtok_r(NULL, " ", &tok);
strlcpy(config->websense_ignore_list, Remove_Return(ptmp), sizeof(config->websense_ignore_list));
}
if (!strcmp(ptmp, "device_id")) {
ptmp = strtok_r(NULL, " ", &tok);
strlcpy(config->websense_device_id, Remove_Return(ptmp), sizeof(config->websense_device_id));
}
if (!strcmp(ptmp, "parse_src")) {
ptmp = strtok_r(NULL, " ", &tok);
config->websense_parse_src = atoi(ptmp);
}
if (!strcmp(ptmp, "parse_dst")) {
ptmp = strtok_r(NULL, " ", &tok);
config->websense_parse_dst = atoi(ptmp);
}
if (!strcmp(ptmp, "parse_proto")) {
ptmp = strtok_r(NULL, " ", &tok);
if (!strcmp(ptmp, "true") || !strcmp(ptmp, "1")) config->websense_parse_proto = 1;
}
if (!strcmp(ptmp, "parse_proto_program")) {
ptmp = strtok_r(NULL, " ", &tok);
if (!strcmp(ptmp, "true") || !strcmp(ptmp, "1")) config->websense_parse_proto_program = 1;
}
if (!strcmp(ptmp, "lognorm")) {
ptmp = strtok_r(NULL, " ", &tok);
if (!strcmp(ptmp, "true") || !strcmp(ptmp, "1")) config->websense_lognorm = 1;
}
if (!strcmp(ptmp, "priority")) {
ptmp = strtok_r(NULL, " ", &tok);
config->websense_priority=atoi(ptmp);
}
ptmp = strtok_r(NULL, "=", &tok);
}
}
/* ERROR CHECKING HERE? */
#endif
}
/****************************************************************************
* Output formats
****************************************************************************/
if (!strcmp(sagan_option, "output")) {
config->output_thread_flag = 1;
sagan_var1 = strtok_r(NULL," ", &tok);
if (!strcmp(sagan_var1, "external:")) {
config->sagan_ext_flag=1;
config->sagan_external_output_flag=1;
strlcpy(config->sagan_extern, Remove_Return(strtok_r(NULL, " ", &tok)), sizeof(config->sagan_extern));
if (strstr(strtok_r(NULL, " ", &tok), "parsable")) config->sagan_exttype=1;
}
#ifdef WITH_SNORTSAM
if (!strcmp(sagan_var1, "alert_fwsam:")) {
strlcpy(config->sagan_fwsam_info, Remove_Return(strtok_r(NULL, " ", &tok)), sizeof(config->sagan_fwsam_info));
config->sagan_fwsam_flag=1;
}
#endif
#if !defined(HAVE_DNET_H) && !defined(HAVE_DUMBNET_H)
if (!strcmp(sagan_var1, "unified2:")) {
Sagan_Log(S_WARN,"\"libdnet\" support not found. This is needed for unified2.");
Sagan_Log(S_WARN, "Re-compile with libdnet support or disable in the sagan.conf.");
}
#endif
#if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H)
if (!strcmp(sagan_var1, "unified2:")) {
config->sagan_unified2_flag = 1;
ptmp = sagan_var1;
Remove_Return(ptmp);
while (ptmp != NULL ) {
if (!strcmp(ptmp, "filename")) {
ptmp = strtok_r(NULL, ",", &tok);
snprintf(config->unified2_filepath, sizeof(config->unified2_filepath)-1, "%s/%s", config->sagan_log_path, ptmp);
}
if (!strcmp(ptmp, "limit")) {
ptmp = strtok_r(NULL, " ", &tok);
config->unified2_limit = atoi(ptmp) * 1024 * 1024;
}
if (!strcmp(ptmp, "nostamp")) config->unified2_nostamp = 1;
ptmp = strtok_r(NULL, " ", &tok);
}
}
#endif
#ifdef HAVE_LIBESMTP
if (!strcmp(sagan_var1, "email:")) {
ptmp = sagan_var1;
while (ptmp != NULL ) {
if (!strcmp(ptmp, "from")) {
ptmp = strtok_r(NULL, " ", &tok);
strlcpy(config->sagan_esmtp_from, Remove_Return(ptmp), sizeof(config->sagan_esmtp_from));
}
if (!strcmp(ptmp, "smtpserver")) {
ptmp = strtok_r(NULL, " ", &tok);
strlcpy(config->sagan_esmtp_server, Remove_Return(ptmp), sizeof(config->sagan_esmtp_server));
}
ptmp = strtok_r(NULL, "=", &tok);
}
}
#endif
}
/* var */
if (!strcmp(sagan_option, "var")) {
sagan_var1 = strtok_r(NULL, " ", &tok);
var = (_SaganVar *) realloc(var, (counters->var_count+1) * sizeof(_SaganVar)); /* Allocate memory */
snprintf(var[counters->var_count].var_name, sizeof(var[counters->var_count].var_name)-1, "$%s", sagan_var1);
sagan_var2 = strtok_r(NULL, " ", &tok); /* Move to position of value of var */
strlcpy(var[counters->var_count].var_value, Remove_Return(sagan_var2), sizeof(var[counters->var_count].var_value));
counters->var_count++;
/* Required var's - all others are optional */
if (!strcmp(sagan_var1, "FIFO") && config->sagan_fifo_flag != 1) strlcpy(config->sagan_fifo, sagan_var2, sizeof(config->sagan_fifo));
if (!strcmp(sagan_var1, "LOCKFILE" )) strlcpy(config->sagan_lockfile, sagan_var2, sizeof(config->sagan_lockfile));
if (!strcmp(sagan_var1, "ALERTLOG" )) strlcpy(config->sagan_alert_filepath, sagan_var2, sizeof(config->sagan_alert_filepath));
if (!strcmp(sagan_var1, "SAGANLOGPATH" )) strlcpy(config->sagan_log_path, sagan_var2, sizeof(config->sagan_log_path));
/*
if (!strcmp(sagan_var1, "HOME_NET" )) {
if (strcasestr(sagan_var2, "any" )) config->home_any = 1;
}
if (!strcmp(sagan_var1, "EXTERNAL_NET" )) {
if (strcasestr(sagan_var2, "any" )) config->external_any = 1;
}
*/
}
/* "include */
if (!strcmp(sagan_option, "include" )) {
strlcpy(tmpstring, Remove_Return(strtok_r(NULL, " ", &tok)), sizeof(tmpstring));
strlcpy(ruleset, Sagan_Var_To_Value(tmpstring), sizeof(ruleset));
Remove_Spaces(ruleset);
filename=Get_Filename(ruleset); /* Get the file name to figure out "what" we're loading */
if (!strcmp(filename, "classification.config")) Load_Classifications(ruleset);
if (!strcmp(filename, "reference.config")) Load_Reference(ruleset);
if (!strcmp(filename, "gen-msg.map")) Load_Gen_Map(ruleset);
if (!strcmp(filename, "protocol.map")) Load_Protocol_Map(ruleset);
/* It's not reference.config, classification.config, gen-msg.map or protocol.map, it must be a ruleset */
if (strcmp(filename, "reference.config") && strcmp(filename, "classification.config") && strcmp(filename, "gen-msg.map") && strcmp(filename, "protocol.map")) {
Load_Rules(ruleset);
}
}
}
fclose(sagancfg);
/* Check rules for duplicate sid. We can't have that! */
for (i = 0; i < counters->rulecount; i++) {
for ( check = i+1; check < counters->rulecount; check ++) {
if (!strcmp (rulestruct[check].s_sid, rulestruct[i].s_sid ))
Sagan_Log(S_ERROR, "[%s, line %d] Detected duplicate signature id [sid] number %s. Please correct this.", __FILE__, __LINE__, rulestruct[check].s_sid, rulestruct[i].s_sid);
}
}
/* If we have the "send-to" option, verify the configuration has the proper smtpserver, etc. */
#ifdef HAVE_LIBESMTP
if (config->sagan_esmtp_flag && !strcmp(config->sagan_esmtp_server, "")) Sagan_Log(S_ERROR, "[%s, line %d] Configuration SMTP 'smtpserver' field is missing! |%s|", __FILE__, __LINE__, config->sagan_esmtp_server);
if (config->sagan_esmtp_flag && !strcmp(config->sagan_esmtp_from, "" )) Sagan_Log(S_ERROR, "[%s, line %d] Configuration SMTP 'from' field is missing!", __FILE__, __LINE__);
#endif
if (!strcmp(config->sagan_fifo, "")) Sagan_Log(S_ERROR, "No FIFO option found which is required! Aborting!");
if (!strcmp(config->sagan_host, "" )) Sagan_Log(S_ERROR, "The 'sagan_host' option was not found and is required.");
if ( config->sagan_port == 0 ) Sagan_Log(S_ERROR, "The 'sagan_port' option was not set and is required.");
#ifdef HAVE_LIBGEOIP
if ( config->have_geoip ) {
if ( Sagan_Check_Var("$HOME_COUNTRY") == 0 ) {
Sagan_Log(S_ERROR, "[%s, line %d] GeoIP is in use, but $HOME_COUNTRY was never set in your configuration. Abort.", __FILE__, __LINE__);
}
}
#endif
}
void Sagan_BroIntel_Load_File ( void )
{
FILE *brointel_file;
char *value;
char *type;
char *description;
sbool found_flag;
sbool found_flag_array;
char *tok = NULL; ;
char *ptmp = NULL;
int line_count;
int i;
uint32_t u32_ip;
char *brointel_filename = NULL;
char brointelbuf[MAX_BROINTEL_LINE_SIZE] = { 0 };
counters->brointel_dups = 0;
brointel_filename = strtok_r(config->brointel_files, ",", &ptmp);
while ( brointel_filename != NULL )
{
Sagan_Log(S_NORMAL, "Bro Intel Processor Loading File: %s.", brointel_filename);
if (( brointel_file = fopen(brointel_filename, "r")) == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Could not load Bro Intel file! (%s - %s)", __FILE__, __LINE__, brointel_filename, strerror(errno));
}
while(fgets(brointelbuf, MAX_BROINTEL_LINE_SIZE, brointel_file) != NULL)
{
/* Skip comments and blank linkes */
if (brointelbuf[0] == '#' || brointelbuf[0] == 10 || brointelbuf[0] == ';' || brointelbuf[0] == 32 )
{
line_count++;
continue;
}
else
{
Remove_Return(brointelbuf);
value = strtok_r(brointelbuf, "\t", &tok);
type = strtok_r(NULL, "\t", &tok);
description = strtok_r(NULL, "\t", &tok);
if ( value == NULL || type == NULL || description == NULL )
{
Sagan_Log(S_WARN, "[%s, line %d] Got invalid line at %d in %s", __FILE__, __LINE__, line_count, brointel_filename);
}
found_flag = 0;
if (!strcmp(type, "Intel::ADDR"))
{
u32_ip = IP2Bit(value);
found_flag = 1; /* Used to short circuit other 'type' lookups */
found_flag_array = 0; /* Used to short circuit/warn when dups are found. This way we don't waste memory/CPU */
/* Check for duplicates. */
for (i=0; i < counters->brointel_addr_count; i++)
{
if ( u32_ip == Sagan_BroIntel_Intel_Addr[i].u32_ip )
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::ADDR address %s in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Addr = (_Sagan_BroIntel_Intel_Addr *) realloc(Sagan_BroIntel_Intel_Addr, (counters->brointel_addr_count+1) * sizeof(_Sagan_BroIntel_Intel_Addr));
if ( Sagan_BroIntel_Intel_Addr == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Addr. Abort!", __FILE__, __LINE__);
}
Sagan_BroIntel_Intel_Addr[counters->brointel_addr_count].u32_ip = IP2Bit(value);
counters->brointel_addr_count++;
}
}
if (!strcmp(type, "Intel::DOMAIN") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters-> brointel_domain_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_Domain[i].domain, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::DOMAIN '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Domain = (_Sagan_BroIntel_Intel_Domain *) realloc(Sagan_BroIntel_Intel_Domain, (counters->brointel_domain_count+1) * sizeof(_Sagan_BroIntel_Intel_Domain));
if ( Sagan_BroIntel_Intel_Domain == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Domain. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_Domain[counters->brointel_domain_count].domain, value, sizeof(Sagan_BroIntel_Intel_Domain[counters->brointel_domain_count].domain));
counters->brointel_domain_count++;
}
}
if (!strcmp(type, "Intel::FILE_HASH") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_file_hash_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_File_Hash[i].hash, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::FILE_HASH '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_File_Hash = (_Sagan_BroIntel_Intel_File_Hash *) realloc(Sagan_BroIntel_Intel_File_Hash, (counters->brointel_file_hash_count+1) * sizeof(_Sagan_BroIntel_Intel_File_Hash));
if ( Sagan_BroIntel_Intel_File_Hash == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_File_Hash. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_File_Hash[counters->brointel_file_hash_count].hash, value, sizeof(Sagan_BroIntel_Intel_File_Hash[counters->brointel_file_hash_count].hash));
counters->brointel_file_hash_count++;
}
}
if (!strcmp(type, "Intel::URL") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_url_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_URL[i].url, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::URL '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_URL = (_Sagan_BroIntel_Intel_URL *) realloc(Sagan_BroIntel_Intel_URL, (counters->brointel_url_count+1) * sizeof(_Sagan_BroIntel_Intel_URL));
if ( Sagan_BroIntel_Intel_URL == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_URL. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_URL[counters->brointel_url_count].url, value, sizeof(Sagan_BroIntel_Intel_URL[counters->brointel_url_count].url));
counters->brointel_url_count++;
}
}
if (!strcmp(type, "Intel::SOFTWARE") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_software_count++; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_Software[i].software, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::SOFTWARE '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Software = (_Sagan_BroIntel_Intel_Software *) realloc(Sagan_BroIntel_Intel_Software, (counters->brointel_software_count+1) * sizeof(_Sagan_BroIntel_Intel_Software));
if ( Sagan_BroIntel_Intel_Software == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Software. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_Software[counters->brointel_software_count].software, value, sizeof(Sagan_BroIntel_Intel_Software[counters->brointel_software_count].software));
counters->brointel_software_count++;
}
}
if (!strcmp(type, "Intel::EMAIL") && found_flag == 0)
{
To_LowerC(value);
found_flag_array = 0;
for (i=0; i < counters->brointel_email_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_Email[i].email, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::EMAIL '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Email = (_Sagan_BroIntel_Intel_Email *) realloc(Sagan_BroIntel_Intel_Email, (counters->brointel_email_count+1) * sizeof(_Sagan_BroIntel_Intel_Email));
if ( Sagan_BroIntel_Intel_Email == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Email. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_Email[counters->brointel_email_count].email, value, sizeof(Sagan_BroIntel_Intel_Email[counters->brointel_email_count].email));
counters->brointel_email_count++;
found_flag = 1;
}
}
if (!strcmp(type, "Intel::USER_NAME") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_user_name_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_User_Name[i].username, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::USER_NAME '%s' in %s on line %.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_User_Name = (_Sagan_BroIntel_Intel_User_Name *) realloc(Sagan_BroIntel_Intel_User_Name, (counters->brointel_user_name_count+1) * sizeof(_Sagan_BroIntel_Intel_User_Name));
if ( Sagan_BroIntel_Intel_User_Name == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_User_Name. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_User_Name[counters->brointel_user_name_count].username, value, sizeof(Sagan_BroIntel_Intel_User_Name[counters->brointel_user_name_count].username));
counters->brointel_user_name_count++;
}
}
if (!strcmp(type, "Intel::FILE_NAME") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_file_name_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_File_Name[i].file_name, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::FILE_NAME '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_File_Name = (_Sagan_BroIntel_Intel_File_Name *) realloc(Sagan_BroIntel_Intel_File_Name, (counters->brointel_file_name_count+1) * sizeof(_Sagan_BroIntel_Intel_File_Name));
if ( Sagan_BroIntel_Intel_File_Name == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_File_Name. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_File_Name[counters->brointel_file_name_count].file_name, value, sizeof(Sagan_BroIntel_Intel_File_Name[counters->brointel_file_name_count].file_name));
counters->brointel_file_name_count++;
}
}
if (!strcmp(type, "Intel::CERT_HASH") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_cert_hash_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_Cert_Hash[i].cert_hash, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::CERT_HASH '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Cert_Hash = (_Sagan_BroIntel_Intel_Cert_Hash *) realloc(Sagan_BroIntel_Intel_Cert_Hash, (counters->brointel_cert_hash_count+1) * sizeof(_Sagan_BroIntel_Intel_Cert_Hash));
if ( Sagan_BroIntel_Intel_Cert_Hash == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Cert_Hash. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_Cert_Hash[counters->brointel_cert_hash_count].cert_hash, value, sizeof(Sagan_BroIntel_Intel_Cert_Hash[counters->brointel_cert_hash_count].cert_hash));
counters->brointel_cert_hash_count++;
}
}
}
line_count++;
}
fclose(brointel_file);
brointel_filename = strtok_r(NULL, ",", &ptmp);
line_count = 0;
}
}
void Load_Gen_Map( const char *genmap )
{
FILE *genmapfile;
char genbuf[1024];
char *saveptr=NULL;
char *gen1=NULL;
char *gen2=NULL;
char *gen3=NULL;
Sagan_Log(NORMAL, "Loading gen-msg.map file. [%s]", genmap);
__atomic_store_n (&counters->genmapcount, 0, __ATOMIC_SEQ_CST);
if (( genmapfile = fopen(genmap, "r" )) == NULL )
{
Sagan_Log(ERROR, "[%s, line %d] Cannot open generator file (%s)", __FILE__, __LINE__, genmap);
}
while(fgets(genbuf, 1024, genmapfile) != NULL)
{
/* Skip comments and blank linkes */
if (genbuf[0] == '#' || genbuf[0] == 10 || genbuf[0] == ';' || genbuf[0] == 32)
{
continue;
}
/* Allocate memory for references, not comments */
generator = (_Sagan_Processor_Generator *) realloc(generator, (counters->genmapcount+1) * sizeof(_Sagan_Processor_Generator));
if ( generator == NULL )
{
Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for generator. Abort!", __FILE__, __LINE__);
}
memset(&generator[counters->genmapcount], 0, sizeof(_Sagan_Processor_Generator));
gen1 = strtok_r(genbuf, "|", &saveptr);
if ( gen1 == NULL )
{
Sagan_Log(ERROR, "%s is incorrect or not correctly formated (gen1) ", genmap);
}
Remove_Return(gen1);
gen2 = strtok_r(NULL, "|", &saveptr);
if ( gen2 == NULL )
{
Sagan_Log(ERROR, "%s is incorrect or not correctly formated (gen2) ", genmap);
}
Remove_Return(gen2);
gen3 = strtok_r(NULL, "|", &saveptr);
if ( gen3 == NULL )
{
Sagan_Log(ERROR, "%s is incorrect or not correctly formated (gen3) ", genmap);
}
Remove_Return(gen3);
generator[counters->genmapcount].generatorid=atoi(gen1);
generator[counters->genmapcount].alertid=atoi(gen2);
strlcpy(generator[counters->genmapcount].generator_msg, gen3, sizeof(generator[counters->genmapcount].generator_msg));
__atomic_add_fetch(&counters->genmapcount, 1, __ATOMIC_SEQ_CST);
}
fclose(genmapfile);
Sagan_Log(NORMAL, "%d generators loaded.", counters->genmapcount);
}
void Sagan_Bluedot_Load_Cat(void)
{
FILE *bluedot_cat_file;
char buf[1024] = { 0 };
char *saveptr = NULL;
char *bluedot_tok1 = NULL;
char *bluedot_tok2 = NULL;
if (( bluedot_cat_file = fopen(config->bluedot_cat, "r" )) == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] No Bluedot categories list to load (%s)!", __FILE__, __LINE__, config->bluedot_cat);
}
while(fgets(buf, 1024, bluedot_cat_file) != NULL)
{
/* Skip comments and blank linkes */
if (buf[0] == '#' || buf[0] == 10 || buf[0] == ';' || buf[0] == 32)
{
continue;
}
else
{
/* Allocate memory for references, not comments */
SaganBluedotCatList = (_Sagan_Bluedot_Cat_List *) realloc(SaganBluedotCatList, (counters->bluedot_cat_count+1) * sizeof(_Sagan_Bluedot_Cat_List));
/* Normalize the list for later use. Better to do this here than when processing rules */
bluedot_tok1 = Remove_Return(strtok_r(buf, "|", &saveptr));
if ( bluedot_tok1 == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Bluedot categories file appears to be malformed.", __FILE__, __LINE__);
}
Remove_Spaces(bluedot_tok1);
SaganBluedotCatList[counters->bluedot_cat_count].cat_number = atoi(bluedot_tok1);
bluedot_tok2 = Remove_Return(strtok_r(NULL, "|", &saveptr));
if ( bluedot_tok2 == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Bluedot categories file appears to be malformed.", __FILE__, __LINE__);
}
Remove_Return(bluedot_tok2);
Remove_Spaces(bluedot_tok2);
To_LowerC(bluedot_tok2);
strlcpy(SaganBluedotCatList[counters->bluedot_cat_count].cat, bluedot_tok2, sizeof(SaganBluedotCatList[counters->bluedot_cat_count].cat));
counters->bluedot_cat_count++;
}
}
}
void Load_Ignore_List ( void ) {
FILE *droplist;
char droplistbuf[1024] = { 0 };
if ( config->sagan_droplist_flag ) {
if (( droplist = fopen(config->sagan_droplistfile, "r" )) == NULL ) {
Sagan_Log(1, "[%s, line %d] No drop list/ignore list to load (%s)", __FILE__, __LINE__, config->sagan_droplistfile);
config->sagan_droplist_flag=0;
}
while(fgets(droplistbuf, 1024, droplist) != NULL) {
/* Skip comments and blank linkes */
if (droplistbuf[0] == '#' || droplistbuf[0] == 10 || droplistbuf[0] == ';' || droplistbuf[0] == 32) {
continue;
} else {
/* Allocate memory for references, not comments */
SaganDroplist = (_Sagan_Droplist *) realloc(SaganDroplist, (counters->droplist_count+1) * sizeof(_Sagan_Droplist));
snprintf(SaganDroplist[counters->droplist_count].ignore_string, sizeof(SaganDroplist[counters->droplist_count].ignore_string), "%s", Remove_Return(droplistbuf));
counters->droplist_count++;
}
}
}
}
