void MonNetworkGatherData(double *cf_this)
{
FILE *pp;
char local[CF_BUFSIZE], remote[CF_BUFSIZE], comm[CF_BUFSIZE];
Item *in[ATTR], *out[ATTR];
char *sp;
int i;
char vbuff[CF_BUFSIZE];
enum cf_netstat_type { cfn_new, cfn_old } type = cfn_new;
enum cf_packet_type { cfn_tcp4, cfn_tcp6 } packet = cfn_tcp4;
CfDebug("GatherSocketData()\n");
for (i = 0; i < ATTR; i++)
{
in[i] = out[i] = NULL;
}
DeleteItemList(ALL_INCOMING);
ALL_INCOMING = NULL;
sscanf(VNETSTAT[VSYSTEMHARDCLASS], "%s", comm);
strcat(comm, " -an");
if ((pp = cf_popen(comm, "r")) == NULL)
{
return;
}
while (!feof(pp))
{
memset(local, 0, CF_BUFSIZE);
memset(remote, 0, CF_BUFSIZE);
CfReadLine(vbuff, CF_BUFSIZE, pp);
if (strstr(vbuff, "UNIX"))
{
break;
}
if (!(strstr(vbuff, ":") || strstr(vbuff, ".")))
{
continue;
}
/* Different formats here ... ugh.. pick a model */
// If this is old style, we look for chapter headings, e.g. "TCP: IPv4"
if (strncmp(vbuff,"TCP:",4) == 0 && strstr(vbuff+4,"6"))
{
packet = cfn_tcp6;
type = cfn_old;
continue;
}
else if (strncmp(vbuff,"TCP:",4) == 0 && strstr(vbuff+4,"4"))
{
packet = cfn_tcp4;
type = cfn_old;
continue;
}
// Line by line state in modern/linux output
if (strncmp(vbuff,"tcp6",4) == 0)
{
packet = cfn_tcp6;
type = cfn_new;
}
else if (strncmp(vbuff,"tcp",3) == 0)
{
packet = cfn_tcp4;
type = cfn_new;
}
// End extract type
switch (type)
{
case cfn_new: sscanf(vbuff, "%*s %*s %*s %s %s", local, remote); /* linux-like */
break;
case cfn_old:
sscanf(vbuff, "%s %s", local, remote);
break;
}
if (strlen(local) == 0)
{
continue;
}
// Extract the port number from the end of the string
for (sp = local + strlen(local); (*sp != '.') && (*sp != ':') && (sp > local); sp--)
{
}
*sp = '\0'; // Separate address from port number
sp++;
if (strstr(vbuff, "LISTEN"))
{
// General bucket
IdempPrependItem(&ALL_INCOMING, sp, NULL);
// Categories the incoming ports by packet types
switch (packet)
{
case cfn_tcp4:
IdempPrependItem(&MON_TCP4, sp, local);
break;
case cfn_tcp6:
IdempPrependItem(&MON_TCP6, sp, local);
break;
default:
break;
}
}
// Now look at outgoing
for (sp = remote + strlen(remote); (sp >= remote) && !isdigit((int) *sp); sp--)
{
}
sp++;
// Now look for the specific vital signs to count frequencies
for (i = 0; i < ATTR; i++)
{
char *spend;
for (spend = local + strlen(local) - 1; isdigit((int) *spend); spend--)
{
}
spend++;
if (strcmp(spend, ECGSOCKS[i].portnr) == 0)
{
cf_this[ECGSOCKS[i].in]++;
AppendItem(&in[i], vbuff, "");
}
for (spend = remote + strlen(remote) - 1; (sp >= remote) && isdigit((int) *spend); spend--)
{
}
spend++;
if (strcmp(spend, ECGSOCKS[i].portnr) == 0)
{
cf_this[ECGSOCKS[i].out]++;
AppendItem(&out[i], vbuff, "");
}
}
}
cf_pclose(pp);
/* Now save the state for ShowState()
the state is not smaller than the last or at least 40 minutes
older. This mirrors the persistence of the maxima classes */
for (i = 0; i < ATTR; i++)
{
struct stat statbuf;
time_t now = time(NULL);
CfDebug("save incoming %s\n", ECGSOCKS[i].name);
snprintf(vbuff, CF_MAXVARSIZE, "%s/state/cf_incoming.%s", CFWORKDIR, ECGSOCKS[i].name);
if (cfstat(vbuff, &statbuf) != -1)
{
if ((ByteSizeList(in[i]) < statbuf.st_size) && (now < statbuf.st_mtime + 40 * 60))
{
CfOut(cf_verbose, "", "New state %s is smaller, retaining old for 40 mins longer\n", ECGSOCKS[i].name);
DeleteItemList(in[i]);
continue;
}
}
SetNetworkEntropyClasses(ECGSOCKS[i].name, "in", in[i]);
RawSaveItemList(in[i], vbuff);
DeleteItemList(in[i]);
CfDebug("Saved in netstat data in %s\n", vbuff);
}
for (i = 0; i < ATTR; i++)
{
struct stat statbuf;
time_t now = time(NULL);
CfDebug("save outgoing %s\n", ECGSOCKS[i].name);
snprintf(vbuff, CF_MAXVARSIZE, "%s/state/cf_outgoing.%s", CFWORKDIR, ECGSOCKS[i].name);
if (cfstat(vbuff, &statbuf) != -1)
{
if ((ByteSizeList(out[i]) < statbuf.st_size) && (now < statbuf.st_mtime + 40 * 60))
{
CfOut(cf_verbose, "", "New state %s is smaller, retaining old for 40 mins longer\n", ECGSOCKS[i].name);
DeleteItemList(out[i]);
continue;
}
}
SetNetworkEntropyClasses(ECGSOCKS[i].name, "out", out[i]);
RawSaveItemList(out[i], vbuff);
CfDebug("Saved out netstat data in %s\n", vbuff);
DeleteItemList(out[i]);
}
}
void MonNetworkSnifferGatherData(void)
{
int i;
char vbuff[CF_BUFSIZE];
for (i = 0; i < CF_NETATTR; i++)
{
struct stat statbuf;
double entropy;
time_t now = time(NULL);
Log(LOG_LEVEL_DEBUG, "save incoming '%s'", TCPNAMES[i]);
snprintf(vbuff, CF_MAXVARSIZE, "%s/state/cf_incoming.%s", CFWORKDIR, TCPNAMES[i]);
if (stat(vbuff, &statbuf) != -1)
{
if ((ByteSizeList(NETIN_DIST[i]) < statbuf.st_size) && (now < statbuf.st_mtime + 40 * 60))
{
Log(LOG_LEVEL_VERBOSE, "New state %s is smaller, retaining old for 40 mins longer", TCPNAMES[i]);
DeleteItemList(NETIN_DIST[i]);
NETIN_DIST[i] = NULL;
continue;
}
}
SaveTCPEntropyData(NETIN_DIST[i], i, "in");
entropy = MonEntropyCalculate(NETIN_DIST[i]);
MonEntropyClassesSet(TCPNAMES[i], "in", entropy);
DeleteItemList(NETIN_DIST[i]);
NETIN_DIST[i] = NULL;
}
for (i = 0; i < CF_NETATTR; i++)
{
struct stat statbuf;
double entropy;
time_t now = time(NULL);
Log(LOG_LEVEL_DEBUG, "save outgoing '%s'", TCPNAMES[i]);
snprintf(vbuff, CF_MAXVARSIZE, "%s/state/cf_outgoing.%s", CFWORKDIR, TCPNAMES[i]);
if (stat(vbuff, &statbuf) != -1)
{
if ((ByteSizeList(NETOUT_DIST[i]) < statbuf.st_size) && (now < statbuf.st_mtime + 40 * 60))
{
Log(LOG_LEVEL_VERBOSE, "New state '%s' is smaller, retaining old for 40 mins longer", TCPNAMES[i]);
DeleteItemList(NETOUT_DIST[i]);
NETOUT_DIST[i] = NULL;
continue;
}
}
SaveTCPEntropyData(NETOUT_DIST[i], i, "out");
entropy = MonEntropyCalculate(NETOUT_DIST[i]);
MonEntropyClassesSet(TCPNAMES[i], "out", entropy);
DeleteItemList(NETOUT_DIST[i]);
NETOUT_DIST[i] = NULL;
}
}
void MonNetworkGatherData(double *cf_this)
{
FILE *pp;
char local[CF_BUFSIZE],remote[CF_BUFSIZE],comm[CF_BUFSIZE];
struct Item *in[ATTR],*out[ATTR];
char *sp;
int i;
char vbuff[CF_BUFSIZE];
Debug("GatherSocketData()\n");
for (i = 0; i < ATTR; i++)
{
in[i] = out[i] = NULL;
}
if (ALL_INCOMING != NULL)
{
DeleteItemList(ALL_INCOMING);
ALL_INCOMING = NULL;
}
if (ALL_OUTGOING != NULL)
{
DeleteItemList(ALL_OUTGOING);
ALL_OUTGOING = NULL;
}
sscanf(VNETSTAT[VSYSTEMHARDCLASS],"%s",comm);
strcat(comm," -n");
if ((pp = cf_popen(comm,"r")) == NULL)
{
return;
}
while (!feof(pp))
{
memset(local,0,CF_BUFSIZE);
memset(remote,0,CF_BUFSIZE);
CfReadLine(vbuff,CF_BUFSIZE,pp);
if (strstr(vbuff,"UNIX"))
{
break;
}
if (!strstr(vbuff,"."))
{
continue;
}
/* Different formats here ... ugh.. */
if (strncmp(vbuff,"tcp",3) == 0)
{
sscanf(vbuff,"%*s %*s %*s %s %s",local,remote); /* linux-like */
}
else
{
sscanf(vbuff,"%s %s",local,remote); /* solaris-like */
}
if (strlen(local) == 0)
{
continue;
}
for (sp = local+strlen(local); (*sp != '.') && (sp > local); sp--)
{
}
sp++;
if ((strlen(sp) < 5) &&!IsItemIn(ALL_INCOMING,sp))
{
PrependItem(&ALL_INCOMING,sp,NULL);
}
for (sp = remote+strlen(remote); (sp >= remote) && !isdigit((int)*sp); sp--)
{
}
sp++;
if ((strlen(sp) < 5) && !IsItemIn(ALL_OUTGOING,sp))
{
PrependItem(&ALL_OUTGOING,sp,NULL);
}
for (i = 0; i < ATTR; i++)
{
char *spend;
for (spend = local+strlen(local)-1; isdigit((int)*spend); spend--)
{
}
spend++;
if (strcmp(spend,ECGSOCKS[i].portnr) == 0)
{
cf_this[ECGSOCKS[i].in]++;
AppendItem(&in[i],vbuff,"");
}
for (spend = remote+strlen(remote)-1; (sp >= remote) && isdigit((int)*spend); spend--)
{
}
spend++;
if (strcmp(spend,ECGSOCKS[i].portnr) == 0)
{
cf_this[ECGSOCKS[i].out]++;
AppendItem(&out[i],vbuff,"");
}
}
}
cf_pclose(pp);
/* Now save the state for ShowState() cf2 version alert function IFF
the state is not smaller than the last or at least 40 minutes
older. This mirrors the persistence of the maxima classes */
for (i = 0; i < ATTR; i++)
{
struct stat statbuf;
time_t now = time(NULL);
Debug("save incoming %s\n",ECGSOCKS[i].name);
snprintf(vbuff,CF_MAXVARSIZE,"%s/state/cf_incoming.%s",CFWORKDIR,ECGSOCKS[i].name);
if (cfstat(vbuff,&statbuf) != -1)
{
if ((ByteSizeList(in[i]) < statbuf.st_size) && (now < statbuf.st_mtime+40*60))
{
CfOut(cf_verbose,"","New state %s is smaller, retaining old for 40 mins longer\n",ECGSOCKS[i].name);
DeleteItemList(in[i]);
continue;
}
}
SetNetworkEntropyClasses(ECGSOCKS[i].name,"in",in[i]);
RawSaveItemList(in[i],vbuff);
DeleteItemList(in[i]);
Debug("Saved in netstat data in %s\n",vbuff);
}
for (i = 0; i < ATTR; i++)
{
struct stat statbuf;
time_t now = time(NULL);
Debug("save outgoing %s\n",ECGSOCKS[i].name);
snprintf(vbuff,CF_MAXVARSIZE,"%s/state/cf_outgoing.%s",CFWORKDIR,ECGSOCKS[i].name);
if (cfstat(vbuff,&statbuf) != -1)
{
if ((ByteSizeList(out[i]) < statbuf.st_size) && (now < statbuf.st_mtime+40*60))
{
CfOut(cf_verbose,"","New state %s is smaller, retaining old for 40 mins longer\n",ECGSOCKS[i].name);
DeleteItemList(out[i]);
continue;
}
}
SetNetworkEntropyClasses(ECGSOCKS[i].name,"out",out[i]);
RawSaveItemList(out[i],vbuff);
Debug("Saved out netstat data in %s\n",vbuff);
DeleteItemList(out[i]);
}
}