ファイル: rasort.c プロジェクト: hbock/argus-clients
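/*
 * Emit one aggregated record exactly once.
 *
 * With output files configured (ArgusParser->ArgusWfileList non-empty) the
 * binary record is written to every file whose filter accepts it, except the
 * file named by ArgusParser->exceptfile.  Otherwise, unless qflag is set, the
 * record is printed as one text line on stdout, preceded every Lflag records
 * by the column label (a negative Lflag prints the label once, then is reset
 * to 0 so it is never printed again).
 *
 * Records already flagged ARGUS_RECORD_WRITTEN are skipped; the flag is set
 * before returning.  Always returns 1.
 */
int
RaSendArgusRecord(struct ArgusRecordStruct *ns)
{
   int retn = 1;
   char buf[MAXSTRLEN];

   if (ns->status & ARGUS_RECORD_WRITTEN)
      return (retn);

   if ((ArgusParser->ArgusWfileList != NULL) && (!(ArgusListEmpty(ArgusParser->ArgusWfileList)))) {
      struct ArgusListObjectStruct *lobj = ArgusParser->ArgusWfileList->start;
      int i, count = ArgusParser->ArgusWfileList->count;

      /* Stop at the end of the chain as well as at `count`: if the count ever
       * overstates the chain length, the previous loop dereferenced a NULL
       * `nxt` on the last iteration. */
      for (i = 0; (i < count) && (lobj != NULL); i++, lobj = lobj->nxt) {
         struct ArgusWfileStruct *wfile = (struct ArgusWfileStruct *) lobj;
         struct ArgusRecord *argusrec = NULL;
         int pass = 1;
         /* Output buffer for the serialized record.  NOTE(review): no length
          * is passed to ArgusGenerateRecord — confirm its output is bounded
          * by this size. */
         char recbuf[2048];

         if (wfile->filterstr) {
            struct nff_insn *wfcode = wfile->filter.bf_insns;
            pass = ArgusFilterRecord (wfcode, ns);
         }
         if (pass == 0)
            continue;

         /* Never write into the file designated as the exception file.  A
          * NULL filename cannot match, so it is treated as "not excepted"
          * instead of being handed to strcmp. */
         if ((ArgusParser->exceptfile != NULL) && (wfile->filename != NULL) &&
             (strcmp(wfile->filename, ArgusParser->exceptfile) == 0))
            continue;

         if ((argusrec = ArgusGenerateRecord (ns, 0L, recbuf)) != NULL) {
#ifdef _LITTLE_ENDIAN
            ArgusHtoN(argusrec);
#endif
            ArgusWriteNewLogfile (ArgusParser, ns->input, wfile, argusrec);
         }
      }

   } else if (!ArgusParser->qflag) {
      if (ArgusParser->Lflag) {
         if (ArgusParser->RaLabel == NULL)
            ArgusParser->RaLabel = ArgusGenerateLabel(ArgusParser, ns);

         if (!(ArgusParser->RaLabelCounter++ % ArgusParser->Lflag))
            printf ("%s\n", ArgusParser->RaLabel);

         /* Negative Lflag: label once, then never again. */
         if (ArgusParser->Lflag < 0)
            ArgusParser->Lflag = 0;
      }

      /* Start from an all-zero buffer.  The previous `*(int *)&buf = 0`
       * wrote a char array through an int lvalue (strict-aliasing and
       * alignment hazard) and only cleared the first sizeof(int) bytes. */
      memset(buf, 0, sizeof(buf));
      ArgusPrintRecord(ArgusParser, buf, ns, MAXSTRLEN);
      fprintf (stdout, "%s\n", buf);
      fflush(stdout);
   }

   ns->status |= ARGUS_RECORD_WRITTEN;
   return (retn);
}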
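/*
 * Return the IP protocol number carried by a flow record, or -1 when the
 * flow is neither IPv4 nor IPv6 (the only families inspected here).
 */
static int
RaFlowIpProto(struct ArgusFlow *flow)
{
   switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
      case ARGUS_TYPE_IPV4:
         return flow->ip_flow.ip_p;
      case ARGUS_TYPE_IPV6:
         return flow->ipv6_flow.ip_p;
      default:
         return -1;
   }
}

/*
 * Look for an existing entry for the partner of an ICMP request/reply type
 * pair (typeA <-> typeB).  The ICMP type in `ns` is temporarily swapped to
 * its partner, the reverse flow key is looked up, and the type is restored.
 * On a hit `ns` is reversed so that it merges into the stored direction.
 *
 * Returns the matching entry, or NULL when none exists.  `icmpFlow->type`
 * must be one of typeA/typeB on entry (the caller's switch guarantees this).
 */
static struct ArgusRecordStruct *
RaProbeIcmpPartner(struct ArgusAggregatorStruct *agg, struct ArgusRecordStruct *ns,
                   struct ArgusICMPFlow *icmpFlow, int typeA, int typeB)
{
   struct ArgusRecordStruct *tns = NULL;
   struct ArgusHashStruct *hstruct = NULL;

   icmpFlow->type = (icmpFlow->type == typeA) ? typeB : typeA;
   if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
      tns = ArgusFindRecord(agg->htable, hstruct);
   /* Applying the same swap again restores the original type. */
   icmpFlow->type = (icmpFlow->type == typeA) ? typeB : typeA;

   if (tns)
      ArgusReverseRecord (ns);
   return tns;
}

/*
 * Decide which side of a TCP flow pair to reverse once `tns` was found under
 * the reverse key of `ns`: the stored entry is reversed only when the new
 * record saw the SYN and the stored one did not, otherwise the new record is.
 */
static void
RaReverseTcpPair(struct ArgusRecordStruct *ns, struct ArgusRecordStruct *tns)
{
   struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)ns->dsrs[ARGUS_NETWORK_INDEX];
   struct ArgusTCPObject *ttcp = NULL;

   if (tcp != NULL)
      ttcp = (struct ArgusTCPObject *)tns->dsrs[ARGUS_NETWORK_INDEX];

   if ((tcp != NULL) && (ttcp != NULL) &&
       (tcp->status & ARGUS_SAW_SYN) && !(ttcp->status & ARGUS_SAW_SYN))
      ArgusReverseRecord (tns);
   else
      ArgusReverseRecord (ns);
}

/*
 * Run one input record through the aggregator chain.
 *
 * For each aggregator whose filter and/or label regex accept the record, a
 * private copy is keyed into that aggregator's hash table.  If an entry with
 * the same key (or, when reverse matching is enabled, the reverse key) exists
 * the copy is merged into it and released; otherwise the copy becomes the new
 * entry.  Aggregators with `cont` set pass the record on to the next one; the
 * first accepting aggregator without `cont` ends the walk.
 *
 * parser: global parser state; RaMonMode, ArgusReverse and Aflag are read.
 * argus:  the record to process.  It is copied and neither modified nor
 *         freed here.
 */
void
RaProcessThisRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *argus)
{
   struct ArgusAggregatorStruct *agg = parser->ArgusAggregator;
   struct ArgusHashStruct *hstruct = NULL;
   int found = 0;

   while (agg && !found) {
      /* -1 means "not configured"; otherwise 0 (reject) or 1 (accept). */
      int retn = 0, fretn = -1, lretn = -1;

      if (agg->filterstr) {
         struct nff_insn *fcode = agg->filter.bf_insns;
         fretn = ArgusFilterRecord (fcode, argus);
      }

      if (agg->labelstr) {
         struct ArgusLabelStruct *label = (void *)argus->dsrs[ARGUS_LABEL_INDEX];

         /* A record without a label DSR never matches the label regex.
          * NOTE(review): the subject string comes from the record data while
          * the pattern is operator-supplied; confirm labels are length-bounded
          * upstream so a costly pattern cannot stall processing. */
         if (label != NULL)
            lretn = (regexec(&agg->lpreg, label->l_un.label, 0, NULL, 0) == 0) ? 1 : 0;
         else
            lretn = 0;
      }

      /* An unconfigured test does not vote; both configured tests must accept. */
      if (lretn < 0)
         retn = (fretn < 0) ? 1 : fretn;
      else
         retn = (fretn < 0) ? lretn : (lretn && fretn);

      if (retn != 0) {
         struct ArgusRecordStruct *tns = NULL;
         struct ArgusRecordStruct *ns = ArgusCopyRecordStruct(argus);

         /* Previously an unchecked copy was passed straight on; treat a NULL
          * copy like the other allocation failures in this function.  The
          * return guards the case where ArgusLog(LOG_ERR) comes back. */
         if (ns == NULL) {
            ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusCopyRecordStruct error %s", strerror(errno));
            return;
         }

         if ((agg->rap = RaFlowModelOverRides(agg, ns)) == NULL)
            agg->rap = agg->drap;

         ArgusGenerateNewFlow(agg, ns);

         /* NOTE(review): LOG_ERR appears to be fatal in ArgusLog elsewhere in
          * argus — not verifiable here; if it returns, hstruct is NULL below. */
         if ((hstruct = ArgusGenerateHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
            ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));

         if ((tns = ArgusFindRecord(agg->htable, hstruct)) == NULL) {
            struct ArgusFlow *flow = (struct ArgusFlow *) ns->dsrs[ARGUS_FLOW_INDEX];

            if (!parser->RaMonMode && parser->ArgusReverse && (flow != NULL)) {
               int qual  = flow->hdr.argus_dsrvl8.qual & 0x1F;
               int proto = RaFlowIpProto(flow);
               /* Only aggregators with a correction model try the reverse
                * direction, and ESP flows are never reverse-matched. */
               int tryreverse = (agg->correct != NULL) && (proto != IPPROTO_ESP);

               if (tryreverse) {
                  if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
                     ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));

                  if ((tns = ArgusFindRecord(agg->htable, hstruct)) != NULL) {
                     /* The stored entry is the opposite direction of this flow. */
                     if (proto == IPPROTO_TCP)
                        RaReverseTcpPair(ns, tns);
                     else
                        ArgusReverseRecord (ns);

                  } else {
                     /* No plain reverse match: for IPv4 ICMP informational
                      * messages, try the partner of a request/reply pair. */
                     if ((qual == ARGUS_TYPE_IPV4) && (proto == IPPROTO_ICMP)) {
                        struct ArgusICMPFlow *icmpFlow = &flow->flow_un.icmp;

                        if (ICMP_INFOTYPE(icmpFlow->type)) {
                           switch (icmpFlow->type) {
                              case ICMP_ECHO:
                              case ICMP_ECHOREPLY:
                                 tns = RaProbeIcmpPartner(agg, ns, icmpFlow, ICMP_ECHO, ICMP_ECHOREPLY);
                                 break;

                              case ICMP_ROUTERADVERT:
                              case ICMP_ROUTERSOLICIT:
                                 tns = RaProbeIcmpPartner(agg, ns, icmpFlow, ICMP_ROUTERADVERT, ICMP_ROUTERSOLICIT);
                                 break;

                              case ICMP_TSTAMP:
                              case ICMP_TSTAMPREPLY:
                                 tns = RaProbeIcmpPartner(agg, ns, icmpFlow, ICMP_TSTAMP, ICMP_TSTAMPREPLY);
                                 break;

                              case ICMP_IREQ:
                              case ICMP_IREQREPLY:
                                 tns = RaProbeIcmpPartner(agg, ns, icmpFlow, ICMP_IREQ, ICMP_IREQREPLY);
                                 break;

                              case ICMP_MASKREQ:
                              case ICMP_MASKREPLY:
                                 tns = RaProbeIcmpPartner(agg, ns, icmpFlow, ICMP_MASKREQ, ICMP_MASKREPLY);
                                 break;

                              default:
                                 break;
                           }
                        }
                     }

                     /* Re-key on the forward flow so a miss below inserts ns
                      * under its own key rather than the reverse one. */
                     if ((hstruct = ArgusGenerateHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
                        ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));
                  }
               }
            }
         }

         if (tns != NULL) {
            /* A change in service-test status flushes the existing entry first
             * so the two states are reported as separate records. */
            if (parser->Aflag) {
               if ((tns->status & RA_SVCTEST) != (ns->status & RA_SVCTEST)) {
                  RaSendArgusRecord(tns);
                  tns->status &= ~(RA_SVCTEST);
                  tns->status |= (ns->status & RA_SVCTEST);
               }
            }

            if (tns->status & ARGUS_RECORD_WRITTEN) {
               ArgusZeroRecord (tns);

            } else if (agg->statusint || agg->idleint) {
               double dur, nsst, tnsst, nslt, tnslt;

               nsst  = ArgusFetchStartTime(ns);
               tnsst = ArgusFetchStartTime(tns);
               nslt  = ArgusFetchLastTime(ns);
               tnslt = ArgusFetchLastTime(tns);

               /* Span of the merged interval: latest end minus earliest start. */
               dur = ((tnslt > nslt) ? tnslt : nslt) - ((nsst < tnsst) ? nsst : tnsst);

               if (agg->statusint && (dur >= agg->statusint)) {
                  RaSendArgusRecord(tns);
                  ArgusZeroRecord(tns);
               } else {
                  /* Gap between the two records, 0 when they overlap. */
                  dur = ((nslt < tnsst) ? (tnsst - nslt) : ((tnslt < nsst) ? (nsst - tnslt) : 0.0));
                  if (agg->idleint && (dur >= agg->idleint)) {
                     RaSendArgusRecord(tns);
                     ArgusZeroRecord(tns);
                  }
               }
            }

            ArgusMergeRecords (agg, tns, ns);
            /* Re-queue the entry so it sits at the queue's insertion end. */
            ArgusRemoveFromQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
            ArgusAddToQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
            ArgusDeleteRecordStruct(parser, ns);
            agg->status |= ARGUS_AGGREGATOR_DIRTY;

         } else {
            /* No existing entry: the copy itself becomes the table entry. */
            tns = ns;
            tns->htblhdr = ArgusAddHashEntry (agg->htable, tns, hstruct);
            ArgusAddToQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
            agg->status |= ARGUS_AGGREGATOR_DIRTY;
         }

         if (agg->cont)
            agg = agg->nxt;
         else
            found++;

      } else
         agg = agg->nxt;
   }
}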