void
RaParseComplete (int sig)
{
int i = 0, count = 0;
if (sig >= 0) {
if (!ArgusParser->RaParseCompleting++) {
count = ArgusSorter->ArgusRecordQueue->count;
if (count > 0) {
ArgusSortQueue (ArgusSorter, ArgusSorter->ArgusRecordQueue);
for (i = 0; i < count; i++)
RaSendArgusRecord ((struct ArgusRecordStruct *) ArgusSorter->ArgusRecordQueue->array[i]);
}
}
#ifdef ARGUSDEBUG
ArgusDebug (2, "RaParseComplete(caught signal %d)\n", sig);
#endif
switch (sig) {
case SIGHUP:
case SIGINT:
case SIGTERM:
case SIGQUIT: {
struct ArgusWfileStruct *wfile = NULL;
if (ArgusParser->ArgusWfileList != NULL) {
struct ArgusListObjectStruct *lobj = NULL;
int i, count = ArgusParser->ArgusWfileList->count;
if ((lobj = ArgusParser->ArgusWfileList->start) != NULL) {
for (i = 0; i < count; i++) {
if ((wfile = (struct ArgusWfileStruct *) lobj) != NULL) {
if (wfile->fd != NULL) {
#ifdef ARGUSDEBUG
ArgusDebug (2, "RaParseComplete: closing %s\n", wfile->filename);
#endif
fflush (wfile->fd);
fclose (wfile->fd);
wfile->fd = NULL;
}
}
lobj = lobj->nxt;
}
}
}
exit(0);
break;
}
}
}
}
void
RaParseComplete (int sig)
{
if (sig >= 0) {
if (!ArgusParser->RaParseCompleting++) {
if ((ArgusParser->ArgusWfileList != NULL) && (!(ArgusListEmpty(ArgusParser->ArgusWfileList)))) {
struct ArgusWfileStruct *wfile = NULL, *start = NULL;
if ((wfile = (struct ArgusWfileStruct *) ArgusFrontList(ArgusParser->ArgusWfileList)) != NULL) {
start = wfile;
fflush(wfile->fd);
ArgusPopFrontList(ArgusParser->ArgusWfileList, ARGUS_NOLOCK);
ArgusPushBackList(ArgusParser->ArgusWfileList, (struct ArgusListRecord *) wfile, ARGUS_NOLOCK);
wfile = (struct ArgusWfileStruct *) ArgusFrontList(ArgusParser->ArgusWfileList);
} while (wfile != start);
}
fflush(stdout);
exit(0);
}
}
#ifdef ARGUSDEBUG
ArgusDebug (1, "RaParseComplete (%d) returning\n", sig);
#endif
}
int
ArgusAuthenticate (struct ARGUS_INPUT *input)
{
int retn = 0;
if (ArgusInitializeAuthentication(input)) {
#ifdef ARGUS_SASL
int fd = input->fd;
if ((input->in = fdopen(fd, "r")) == NULL)
ArgusLog (LOG_ERR, "ArgusAuthenticate(0x%x) fdopen in failed %s", strerror(errno));
if ((input->out = fdopen(fd, "w")) == NULL)
ArgusLog (LOG_ERR, "ArgusAuthenticate(0x%x) fdopen out failed %s", strerror(errno));
if ((retn = RaSaslNegotiate(input->in, input->out, input->sasl_conn)) == SASL_OK)
retn = 1;
else
retn = 0;
#endif
}
#ifdef ARGUSDEBUG
ArgusDebug (2, "ArgusAuthenticate (0x%x) returning %d\n", input, retn);
#endif
return (retn);
}
void
ArgusClientTimeout ()
{
#ifdef ARGUSDEBUG
ArgusDebug (6, "ArgusClientTimeout()\n");
#endif
}
void
ArgusUpdateUDPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state)
{
struct udphdr *up = (struct udphdr *) model->ArgusThisUpHdr;
u_char *nxtHdr = (u_char *)(up + 1);
if (STRUCTCAPTURED(model, *up)) {
model->ArgusThisLength -= sizeof(*up);
model->ArgusSnapLength -= sizeof(*up);
model->ArgusThisUpHdr = nxtHdr;
if (*state == ARGUS_START) {
} else {
if ((flowstr->canon.metric.src.pkts + flowstr->canon.metric.dst.pkts) > 2) {
flowstr->timeout = ARGUS_IPTIMEOUT;
}
}
}
#ifdef ARGUSDEBUG
ArgusDebug (8, "ArgusUpdateUDPState(0x%x, %d) returning\n", flowstr, state);
#endif
}
char *
RaProcessAddress (struct ArgusParserStruct *parser, struct ArgusRecordStruct *argus, unsigned int *addr, int type)
{
struct ArgusLabelerStruct *labeler = NULL;
struct RaAddressStruct *raddr;
char *retn = NULL;
if ((labeler = parser->ArgusLabeler) == NULL)
ArgusLog (LOG_ERR, "RaProcessAddress: No labeler\n");
if (labeler->ArgusAddrTree != NULL) {
switch (type) {
case ARGUS_TYPE_IPV4: {
struct RaAddressStruct node;
bzero ((char *)&node, sizeof(node));
node.addr.type = AF_INET;
node.addr.len = 4;
node.addr.addr[0] = *addr;
node.addr.masklen = 32;
if ((raddr = RaFindAddress (parser, labeler->ArgusAddrTree[AF_INET], &node, ARGUS_LONGEST_MATCH)) != NULL)
retn = raddr->label;
else {
char *ptr, *sptr;
if ((ptr = ArgusGetName(ArgusParser, (u_char *)addr)) != NULL) {
if ((sptr = strrchr(ptr, '.')) != NULL) {
if (strlen(++sptr) == 2) {
if (!isdigit((int)*sptr)) {
char *tptr = sptr;
int i, ch;
for (i = 0; i < 2; i++, tptr++) {
ch = *tptr;
if (islower(ch)) {
ch = toupper(ch);
*tptr = ch;
}
}
retn = sptr;
}
}
}
}
}
break;
}
case ARGUS_TYPE_IPV6:
break;
}
}
#ifdef ARGUSDEBUG
ArgusDebug (5, "RaProcessAddress (0x%x, 0x%x, 0x%x, %d) returning %s\n", parser, argus, addr, type, retn);
#endif
return (retn);
}
void
RaProcessRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *argus)
{
struct ArgusLabelStruct *lstruct = NULL;
char buf[MAXSTRLEN];
ArgusLabelRecord(parser, argus);
lstruct = (void *) argus->dsrs[ARGUS_LABEL_INDEX];
if (parser->ArgusWfileList != NULL) {
struct ArgusWfileStruct *wfile = NULL;
struct ArgusListObjectStruct *lobj = NULL;
int i, count = parser->ArgusWfileList->count;
if ((lobj = parser->ArgusWfileList->start) != NULL) {
for (i = 0; i < count; i++) {
if ((wfile = (struct ArgusWfileStruct *) lobj) != NULL) {
if ((parser->exceptfile == NULL) || strcmp(wfile->filename, parser->exceptfile)) {
struct ArgusRecord *argusrec = NULL;
static char sbuf[0x10000];
if ((argusrec = ArgusGenerateRecord (argus, 0L, sbuf)) != NULL) {
#ifdef _LITTLE_ENDIAN
ArgusHtoN(argusrec);
#endif
ArgusWriteNewLogfile (parser, argus->input, wfile, argusrec);
}
}
}
lobj = lobj->nxt;
}
}
} else {
if (!parser->qflag) {
if (parser->Lflag) {
if (parser->RaLabel == NULL)
parser->RaLabel = ArgusGenerateLabel(parser, argus);
if (!(parser->RaLabelCounter++ % parser->Lflag))
printf ("%s\n", parser->RaLabel);
if (parser->Lflag < 0)
parser->Lflag = 0;
}
*(int *)&buf = 0;
ArgusPrintRecord(parser, buf, argus, MAXSTRLEN);
fprintf (stdout, "%s\n", buf);
}
}
fflush (stdout);
#ifdef ARGUSDEBUG
ArgusDebug (5, "RaProcessRecord (0x%x) returning\n", argus);
#endif
}
void
ArgusClientTimeout ()
{
#ifdef ARGUSDEBUG
ArgusDebug (4, "ArgusClientTimeout: returning\n");
#endif
}
void
parse_arg (int argc, char**argv)
{
#ifdef ARGUSDEBUG
ArgusDebug (6, "parse_arg (%d, 0x%x) returning\n", argc, argv);
#endif
}
void
ArgusClientTimeout ()
{
struct ArgusAggregatorStruct *agg = ArgusParser->ArgusAggregator;
while (agg) {
int i, count;
if (agg->statusint > 0) {
if ((count = agg->queue->count) > 0) {
for (i = 0; i < count; i++) {
struct ArgusRecordStruct *ns = (void *) ArgusPopQueue(agg->queue, ARGUS_LOCK);
double nsst = ArgusFetchStartTime(ns);
double nslt = ArgusFetchLastTime(ns);
double glt = (double)(ArgusParser->ArgusGlobalTime.tv_sec * 1.0) + (double)(ArgusParser->ArgusGlobalTime.tv_usec/1000000.0);
if (agg->statusint && ((glt - nsst) >= agg->statusint)) {
RaSendArgusRecord(ns);
} else {
if (agg->idleint && ((glt - nslt) >= agg->idleint)) {
ArgusRemoveHashEntry(&ns->htblhdr);
RaSendArgusRecord(ns);
ArgusDeleteRecordStruct (ArgusParser, ns);
ns = NULL;
}
}
if (ns != NULL)
ArgusAddToQueue(agg->queue, &ns->qhdr, ARGUS_LOCK);
}
}
} else {
if (agg->idleint) {
int done = 0;
while ((!done) && (agg->queue->count > 0)) {
struct ArgusRecordStruct *ns = (void *) agg->queue->start;
double nslt = ArgusFetchLastTime(ns);
double glt = (double)(ArgusParser->ArgusGlobalTime.tv_sec * 1.0) + (double)(ArgusParser->ArgusGlobalTime.tv_usec/1000000.0);
if ((glt - nslt) >= agg->idleint) {
ArgusRemoveHashEntry(&ns->htblhdr);
RaSendArgusRecord(ns);
ArgusDeleteRecordStruct (ArgusParser, ns);
} else
done = 1;
}
}
}
agg = agg->nxt;
}
#ifdef ARGUSDEBUG
ArgusDebug (6, "ArgusClientTimeout()\n");
#endif
}
int
RaSendArgusRecord(struct ArgusRecordStruct *argus)
{
#ifdef ARGUSDEBUG
ArgusDebug (6, "RaSendArgusRecord (0x%x) returning\n", argus);
#endif
return 1;
}
int
ArgusInitializeAuthentication (struct ARGUS_INPUT *input)
{
int retn = 1;
#ifdef ARGUS_SASL
struct sockaddr_in localaddr, remoteaddr;
int salen, fd = input->fd;
char *localhostname = NULL;
if ((retn = sasl_client_init(RaCallBacks)) != SASL_OK)
ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() sasl_client_init %d", retn);
localhostname = ArgusCalloc (1, 1024);
gethostname(localhostname, 1024);
if (!strchr (localhostname, '.')) {
strcat (localhostname, ".");
getdomainname (&localhostname[strlen(localhostname)], 1024 - strlen(localhostname));
}
if ((retn = sasl_client_new("argus", localhostname, NULL, SASL_SECURITY_LAYER, &input->sasl_conn)) != SASL_OK)
ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() sasl_client_new %d", retn);
/* set external properties here
sasl_setprop(input->sasl_conn, SASL_SSF_EXTERNAL, &extprops); */
/* set required security properties here
sasl_setprop(input->sasl_conn, SASL_SEC_PROPS, &secprops); */
/* set ip addresses */
salen = sizeof(localaddr);
if (getsockname(fd, (struct sockaddr *)&localaddr, &salen) < 0)
perror("getsockname");
salen = sizeof(remoteaddr);
if (getpeername(fd, (struct sockaddr *)&remoteaddr, &salen) < 0)
perror("getpeername");
if ((retn = sasl_setprop(input->sasl_conn, SASL_IP_LOCAL, &localaddr)) != SASL_OK)
ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() error setting localaddr %d", retn);
if ((retn = sasl_setprop(input->sasl_conn, SASL_IP_REMOTE, &remoteaddr)) != SASL_OK)
ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() error setting remoteaddr %d", retn);
retn = 1;
#endif
#ifdef ARGUSDEBUG
ArgusDebug (2, "ArgusInitializeAuthentication () returning %d\n", retn);
#endif
return (retn);
}
void
RaArgusInputComplete (struct ArgusInput *input)
{
if (ArgusProcessFileIndependantly) {
ArgusParser->ArgusCurrentFile = input;
RaParseComplete (0);
ArgusParser->RaInitialized = 0;
ArgusParser->ArgusCurrentFile = NULL;
ArgusClientInit(ArgusParser);
}
#ifdef ARGUSDEBUG
ArgusDebug (7, "RaArgusInputComplete(0x%x) done", input);
#endif
}
int
ArgusGetSaslString(FILE *f, char *buf, int buflen)
{
unsigned int len = -1;
char *s = NULL;
int result;
if (ferror(f))
clearerr(f);
if ((s = fgets(buf, buflen, f)) != NULL) {
switch (*buf) {
case 'C': {
if (!(strncmp(buf, "C: ", 3))) {
buf[strlen(buf) - 1] = '\0';
result = sasl_decode64(buf + 3, (unsigned) strlen(buf + 3), buf, buflen, &len);
if (result != SASL_OK)
ArgusLog (LOG_ERR, "ArgusGetSaslString: sasl_decode64 error");
buf[len] = '\0';
} else
ArgusLog (LOG_ERR, "ArgusGetSaslString: error %s", strerror(errno));
break;
}
default:
case 'N':
len = -1;
break;
}
}
#ifdef ARGUSDEBUG
ArgusDebug (2, "ArgusGetSaslString(0x%x, 0x%x, %d) %s", f, buf, buflen, buf);
#endif
return len;
}
void
RaProcessRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *ns)
{
switch (ns->hdr.type & 0xF0) {
case ARGUS_MAR:
case ARGUS_EVENT: {
break;
}
case ARGUS_NETFLOW:
case ARGUS_FAR: {
struct ArgusFlow *flow = (struct ArgusFlow *) ns->dsrs[ARGUS_FLOW_INDEX];
if (parser->Vflag || parser->Aflag) {
ArgusProcessServiceAvailability(parser, ns);
if (parser->xflag) {
if ((parser->vflag && (ns->status & RA_SVCPASSED)) ||
(!parser->vflag && (ns->status & RA_SVCFAILED))) {
#ifdef ARGUSDEBUG
ArgusDebug (3, "RaProcessRecord (0x%x, 0x%x) service test failed", parser, ns);
#endif
return;
}
}
}
if (parser->RaMonMode && (flow != NULL)) {
struct ArgusRecordStruct *tns = ArgusCopyRecordStruct(ns);
struct ArgusFlow *flow;
if ((flow = (void *)ns->dsrs[ARGUS_FLOW_INDEX]) != NULL) {
flow->hdr.subtype &= ~ARGUS_REVERSE;
flow->hdr.argus_dsrvl8.qual &= ~ARGUS_DIRECTION;
}
RaProcessThisRecord(parser, ns);
ArgusReverseRecord(tns);
if ((flow = (void *)tns->dsrs[ARGUS_FLOW_INDEX]) != NULL) {
flow->hdr.subtype &= ~ARGUS_REVERSE;
flow->hdr.argus_dsrvl8.qual &= ~ARGUS_DIRECTION;
}
RaProcessThisRecord(parser, tns);
ArgusDeleteRecordStruct(parser, tns);
} else {
struct ArgusAggregatorStruct *agg = parser->ArgusAggregator;
if (flow && agg && agg->ArgusMatrixMode) {
if (agg->mask & ((0x01LL << ARGUS_MASK_SADDR) | (0x01LL << ARGUS_MASK_DADDR))) {
switch (flow->hdr.subtype & 0x3F) {
case ARGUS_FLOW_LAYER_3_MATRIX:
case ARGUS_FLOW_CLASSIC5TUPLE: {
switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
case ARGUS_TYPE_IPV4: {
if (flow->ip_flow.ip_src > flow->ip_flow.ip_dst)
ArgusReverseRecord(ns);
}
break;
case ARGUS_TYPE_IPV6: {
int i;
for (i = 0; i < 4; i++) {
if (flow->ipv6_flow.ip_src[i] < flow->ipv6_flow.ip_dst[i])
break;
if (flow->ipv6_flow.ip_src[i] > flow->ipv6_flow.ip_dst[i]) {
ArgusReverseRecord(ns);
break;
}
}
}
break;
}
break;
}
default:
break;
}
} else
if (agg->mask & ((0x01LL << ARGUS_MASK_SMAC) | (0x01LL << ARGUS_MASK_DMAC))) {
struct ArgusMacStruct *m1 = NULL;
if ((m1 = (struct ArgusMacStruct *) ns->dsrs[ARGUS_MAC_INDEX]) != NULL) {
switch (m1->hdr.subtype) {
case ARGUS_TYPE_ETHER: {
struct ether_header *e1 = &m1->mac.mac_union.ether.ehdr;
int i;
for (i = 0; i < 6; i++) {
#if defined(HAVE_SOLARIS)
if (e1->ether_shost.ether_addr_octet[i] < e1->ether_dhost.ether_addr_octet[i])
break;
if (e1->ether_shost.ether_addr_octet[i] > e1->ether_dhost.ether_addr_octet[i]) {
ArgusReverseRecord(ns);
break;
}
#else
if (e1->ether_shost[i] < e1->ether_dhost[i])
break;
if (e1->ether_shost[i] > e1->ether_dhost[i]) {
ArgusReverseRecord(ns);
break;
}
#endif
}
break;
}
}
}
}
}
RaProcessThisRecord(parser, ns);
}
break;
}
}
}
void
RaProcessRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *ns)
{
{
double nowTime = ArgusFetchStartTime(ns);
if (parser->ArgusLastRecordTime == 0) {
parser->ArgusLastRecordTime = nowTime;
} else {
if (parser->ArgusLastRecordTime > nowTime)
parser->RaSortedInput = 0;
parser->ArgusLastRecordTime = nowTime;
}
}
ArgusClientTimeout();
switch (ns->hdr.type & 0xF0) {
case ARGUS_MAR:
case ARGUS_EVENT:
case ARGUS_NETFLOW:
break;
case ARGUS_FAR: {
struct ArgusFlow *flow = (struct ArgusFlow *) ns->dsrs[ARGUS_FLOW_INDEX];
if (flow != NULL) {
switch(flow->hdr.subtype & 0x3F) {
case ARGUS_FLOW_LAYER_3_MATRIX:
case ARGUS_FLOW_CLASSIC5TUPLE: {
switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
case ARGUS_FLOW_ARP: {
switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
case ARGUS_TYPE_ARP:
case ARGUS_TYPE_RARP: {
ArgusProcessServiceAvailability(parser, ns);
if (ns->status & RA_SVCPASSED) {
#ifdef ARGUSDEBUG
ArgusDebug (3, "RaProcessRecord (%p, %p) service test failed", parser, ns);
#endif
RaProcessThisRecord(parser, ns);
}
break;
}
}
break;
}
}
break;
}
case ARGUS_FLOW_ARP: {
if (RaValidateArpFlowRecord(parser, ns)) {
ArgusProcessServiceAvailability(parser, ns);
if (ns->status & RA_SVCPASSED)
RaProcessThisRecord(parser, ns);
}
break;
}
}
}
break;
}
}
}
void
RaParseComplete (int sig)
{
struct ArgusModeStruct *mode = NULL;
int i = 0, x = 0, nflag = ArgusParser->eNflag;
struct ArgusInput *file = ArgusParser->ArgusCurrentFile;
char buf[MAXSTRLEN];
int label;
if (sig >= 0) {
if (!(ArgusParser->RaParseCompleting++)) {
struct ArgusAggregatorStruct *agg = ArgusParser->ArgusAggregator;
ArgusParser->RaParseCompleting += sig;
if (ArgusParser->ArgusReplaceMode && file) {
if (!(ArgusParser->ArgusRandomSeed))
srandom(ArgusParser->ArgusRandomSeed);
srandom (ArgusParser->ArgusRealTime.tv_usec);
label = random() % 100000;
bzero(buf, sizeof(buf));
snprintf (buf, MAXSTRLEN, "%s.tmp%d", file->filename, label);
setArgusWfile(ArgusParser, buf, NULL);
}
while (agg != NULL) {
if (agg->queue->count) {
struct ArgusRecordStruct *argus;
if (!(ArgusSorter))
if ((ArgusSorter = ArgusNewSorter(ArgusParser)) == NULL)
ArgusLog (LOG_ERR, "RaParseComplete: ArgusNewSorter error %s", strerror(errno));
if ((mode = ArgusParser->ArgusMaskList) != NULL) {
while (mode) {
for (x = 0; x < MAX_SORT_ALG_TYPES; x++) {
if (!strncmp (ArgusSortKeyWords[x], mode->mode, strlen(ArgusSortKeyWords[x]))) {
ArgusSorter->ArgusSortAlgorithms[i++] = ArgusSortAlgorithmTable[x];
break;
}
}
mode = mode->nxt;
}
}
ArgusSortQueue (ArgusSorter, agg->queue);
argus = ArgusCopyRecordStruct((struct ArgusRecordStruct *) agg->queue->array[0]);
if (nflag == 0)
ArgusParser->eNflag = agg->queue->count;
else
ArgusParser->eNflag = nflag > agg->queue->count ? agg->queue->count : nflag;
for (i = 1; i < ArgusParser->eNflag; i++)
ArgusMergeRecords (agg, argus, (struct ArgusRecordStruct *)agg->queue->array[i]);
ArgusParser->ns = argus;
for (i = 0; i < ArgusParser->eNflag; i++) {
RaSendArgusRecord ((struct ArgusRecordStruct *) agg->queue->array[i]);
ArgusDeleteRecordStruct(ArgusParser, (struct ArgusRecordStruct *) agg->queue->array[i]);
}
ArgusDeleteRecordStruct(ArgusParser, ArgusParser->ns);
}
agg = agg->nxt;
}
if (ArgusParser->ArgusAggregator != NULL)
ArgusDeleteAggregator(ArgusParser, ArgusParser->ArgusAggregator);
if (ArgusParser->ArgusReplaceMode && file) {
if (ArgusParser->ArgusWfileList != NULL) {
struct ArgusWfileStruct *wfile = NULL;
if ((wfile = (void *)ArgusParser->ArgusWfileList->start) != NULL) {
fflush (wfile->fd);
rename (wfile->filename, file->filename);
fclose (wfile->fd);
wfile->fd = NULL;
}
ArgusDeleteList(ArgusParser->ArgusWfileList, ARGUS_WFILE_LIST);
ArgusParser->ArgusWfileList = NULL;
if (ArgusParser->Vflag)
ArgusLog(LOG_INFO, "file %s aggregated", file->filename);
}
}
#ifdef ARGUSDEBUG
ArgusDebug (2, "RaParseComplete(caught signal %d)\n", sig);
#endif
switch (sig) {
case SIGHUP:
case SIGINT:
case SIGTERM:
case SIGQUIT: {
struct ArgusWfileStruct *wfile = NULL;
ArgusShutDown(sig);
if (ArgusParser->ArgusWfileList != NULL) {
struct ArgusListObjectStruct *lobj = NULL;
int i, count = ArgusParser->ArgusWfileList->count;
if ((lobj = ArgusParser->ArgusWfileList->start) != NULL) {
for (i = 0; i < count; i++) {
if ((wfile = (struct ArgusWfileStruct *) lobj) != NULL) {
if (wfile->fd != NULL) {
#ifdef ARGUSDEBUG
ArgusDebug (2, "RaParseComplete: closing %s\n", wfile->filename);
#endif
fflush (wfile->fd);
fclose (wfile->fd);
wfile->fd = NULL;
}
}
lobj = lobj->nxt;
}
}
}
exit(0);
break;
}
}
}
}
ArgusParser->eNflag = nflag;
#ifdef ARGUSDEBUG
ArgusDebug (6, "RaParseComplete(%d) done", sig);
#endif
}
void
ArgusUpdateUDToEState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state)
{
struct udtoe_header *udt = (struct udtoe_header *) model->ArgusThisUpHdr;
u_char *nxtHdr = (u_char *)(udt + 1);
if (STRUCTCAPTURED(model, *udt)) {
model->ArgusThisLength -= sizeof(*udt);
model->ArgusSnapLength -= sizeof(*udt);
model->ArgusThisUpHdr = nxtHdr;
if (*state == ARGUS_START) {
} else {
struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX];
struct ArgusUDTObjectMetrics *ArgusThisUdtMetric;
if (model->ArgusThisDir) {
ArgusThisUdtMetric = &net->net_union.udt.src;
} else {
ArgusThisUdtMetric = &net->net_union.udt.dst;
}
if ((flowstr->canon.metric.src.pkts + flowstr->canon.metric.dst.pkts) > 2)
flowstr->timeout = ARGUS_IPTIMEOUT;
switch (udt->un_udt.cntl.type & UDTOE_PACKET_MASK) {
case UDTOE_CONTROL_PACKET: {
struct udtoe_control_hdr *udtc = (void *) ((char *)udt + UDTOECONTROLPAD);
unsigned char type = ((udtc->type & 0x7F) >> 3);
model->ArgusThisLength -= 48;
switch (type & UDTOE_CONTROL_TYPE_MASK) {
case UDTOE_CONTROL_HANDSHAKE: {
struct udt_control_handshake *hshake = (void *) (udtc + 1);
if (ntohl(hshake->version) == 4) {
ArgusThisUdtHshake = hshake;
hshake->version = ntohl(hshake->version);
hshake->socktype = ntohl(hshake->socktype);
hshake->initseq = ntohl(hshake->initseq);
hshake->psize = ntohl(hshake->psize);
hshake->wsize = ntohl(hshake->wsize);
hshake->conntype = ntohl(hshake->conntype);
hshake->sockid = ntohl(hshake->sockid);
} else {
// ArgusLog(LOG_ERR, "ArgusUpdateUDToEState: hshake version is %d", ntohl(hshake->version));
}
#ifdef ARGUSDEBUG
ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_HANDSHAKE type %d seqNum %d size %d maxWin %d conn %d sockid 0x%x\n",
flowstr, *state, hshake->socktype, hshake->initseq, hshake->psize, hshake->wsize, hshake->conntype, hshake->sockid);
#endif
break;
}
case UDTOE_CONTROL_KEEPALIVE: {
#ifdef ARGUSDEBUG
ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_KEEPALIVE\n", flowstr, *state);
#endif
break;
}
case UDTOE_CONTROL_ACK: {
struct udt_control_ack *ack = (void *) (udtc + 1);
int len = model->ArgusThisLength/4;
if (len--) { ArgusThisUdtMetric->ack = ntohl(ack->ackseqnum);
if (len--) { ArgusThisUdtMetric->rtt = ntohl(ack->rtt);
if (len--) { ArgusThisUdtMetric->var = ntohl(ack->var);
if (len--) { ArgusThisUdtMetric->bsize = ntohl(ack->bsize);
if (ack->bsize == 0) {
net->net_union.udt.status |= ARGUS_WINDOW_SHUT;
}
if (len--) { ArgusThisUdtMetric->rate = ntohl(ack->rate);
if (len--) { ArgusThisUdtMetric->lcap = ntohl(ack->lcap); }}}}}}
#ifdef ARGUSDEBUG
ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_ACK, sockid 0x%x ack = 0x%x\n",
flowstr, *state, ntohl(udtc->sockid), net->net_union.udt.src.ack);
#endif
break;
}
case UDTOE_CONTROL_NAK: {
struct udt_control_nak *nak = (void *) (udtc + 1);
int num = 0, len = model->ArgusThisLength/4;
unsigned int *sptr = &nak->seqnum;
int i, fitem, sseq, eseq, range;
#ifdef ARGUSDEBUG
char buf[256];
*buf = '\0';
#endif
for (i = 0, fitem = 0; i < len; i++, sptr++) {
*sptr = ntohl(*sptr);
if (*sptr & 0x80000000) {
sseq = *sptr & 0x7FFFFFFF;
range = 1;
} else {
eseq = *sptr;
if (range) {
#ifdef ARGUSDEBUG
if (fitem++)
sprintf(&buf[strlen(buf)], ",0x%x-0x%x", sseq, eseq);
else
sprintf(&buf[strlen(buf)], "0x%x-0x%x", sseq, eseq);
#endif
num += (eseq - sseq) + 1;
range = 0;
} else {
#ifdef ARGUSDEBUG
if (fitem++)
sprintf(&buf[strlen(buf)], ",0x%x", eseq);
else
sprintf(&buf[strlen(buf)], "0x%x", eseq);
#endif
fitem++;
num++;
}
}
}
#ifdef ARGUSDEBUG
ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_NAK, sockid 0x%x nak.comp[%d] num %d %s",
flowstr, *state, ntohl(udtc->sockid), len, num, buf);
#endif
if (num)
ArgusThisUdtMetric->nacked += num;
break;
}
case UDTOE_CONTROL_CONGEST: {
net->net_union.udt.status |= ARGUS_ECN_CONGESTED;
#ifdef ARGUSDEBUG
ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_CONGEST, sockid 0x%x",
flowstr, *state, ntohl(udtc->sockid));
#endif
break;
}
case UDTOE_CONTROL_SHUTDOWN: {
#ifdef ARGUSDEBUG
ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_SHUTDOWN\n", flowstr, *state);
#endif
break;
}
case UDTOE_CONTROL_ACKACK: {
#ifdef ARGUSDEBUG
ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_ACKACK\n", flowstr, *state);
#endif
break;
}
case UDTOE_CONTROL_DROPREQ: {
struct udt_control_dropreq *drop = (void *)(udtc + 1);
if (drop->firstseqnum == 0)
ArgusLog(LOG_ERR, "drop request firstseqnum is 0");
#ifdef ARGUSDEBUG
ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_DROPREQ\n", flowstr, *state);
#endif
break;
}
default: {
#ifdef ARGUSDEBUG
ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_UNKNOWN\n", flowstr, *state);
#endif
break;
}
}
break;
}
/*
struct ArgusUDTObjectMetrics {
struct ArgusTime lasttime;
unsigned int seq, tstamp, ack, rtt, var, bsize, rate, lcap;
int solo, first, middle, last, drops, retrans, nacked;
};
struct ArgusUDTObject {
unsigned int state, status;
struct udt_control_handshake hshake;
struct ArgusUDTObjectMetrics src;
};
*/
case UDT_DATA_PACKET: {
struct udt_data_hdr *udtd = (void *) udt;
unsigned int seqnum = ntohl(udtd->seqnum);
unsigned int msgnum = ntohl(udtd->msgnum);
unsigned int tstamp = ntohl(udtd->tstamp);
#ifdef ARGUSDEBUG
unsigned int sockid = ntohl(udtd->sockid);
#endif
int seq = ArgusThisUdtMetric->seq;
int loss = 0;;
#define ARGUS_UDT_MSGTYPE 0xC0000000
#define ARGUS_UDT_SOLO_MSG 0xC0000000
#define ARGUS_UDT_FIRST_MSG 0x80000000
#define ARGUS_UDT_MIDDLE_MSG 0x00000000
#define ARGUS_UDT_LAST_MSG 0x40000000
switch (msgnum & ARGUS_UDT_MSGTYPE) {
case ARGUS_UDT_SOLO_MSG:
ArgusThisUdtMetric->solo++;
break;
case ARGUS_UDT_FIRST_MSG:
ArgusThisUdtMetric->first++;
break;
case ARGUS_UDT_MIDDLE_MSG:
ArgusThisUdtMetric->middle++;
break;
case ARGUS_UDT_LAST_MSG:
ArgusThisUdtMetric->last++;
break;
}
/*
msgnum &= 0x1FFFFFFF;
*/
if (seqnum == (seq + 1)) {
ArgusThisUdtMetric->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec;
ArgusThisUdtMetric->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec;
ArgusThisUdtMetric->tstamp = tstamp;
ArgusThisUdtMetric->seq = seqnum;
} else {
if (seq > 0) {
if (seqnum > (seq + 2)) {
loss = seqnum - (seq + 1);
ArgusThisUdtMetric->drops += loss;
net->net_union.udt.status |= ARGUS_PKTS_DROP;
ArgusThisUdtMetric->seq = seqnum;
} else {
if (seqnum != (seq + 1)) {
ArgusThisUdtMetric->retrans++;
net->net_union.udt.status |= ARGUS_PKTS_RETRANS;
} else {
ArgusThisUdtMetric->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec;
ArgusThisUdtMetric->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec;
ArgusThisUdtMetric->tstamp = tstamp;
ArgusThisUdtMetric->seq = seqnum;
}
}
} else {
ArgusThisUdtMetric->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec;
ArgusThisUdtMetric->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec;
ArgusThisUdtMetric->tstamp = tstamp;
ArgusThisUdtMetric->seq = seqnum;
}
}
#ifdef ARGUSDEBUG
ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_DATA_PACKET seq 0x%x msgnum 0x%x tstmp 0x%x sockid 0x%x loss %d\n",
flowstr, *state, seqnum, msgnum, tstamp, sockid, loss);
#endif
break;
}
}
}
}
int
ArgusAuthenticateClient (struct ArgusClientData *client)
{
int retn = 1;
#ifdef ARGUS_SASL
unsigned int rlen = 0;
int len, mechnum = 0;
char buf[8192], chosenmech[512];
const char *data;
sasl_conn_t *conn = NULL;
// int SASLOpts = (SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS);
FILE *in, *out;
conn = client->sasl_conn;
if ((retn = sasl_listmech(conn, NULL, "{", ", ", "}", &data, &rlen, &mechnum)) != SASL_OK)
ArgusLog (LOG_ERR, "ArgusAuthenticateClient: Error generating mechanism list");
if ((in = fdopen (client->fd, "r")) < 0)
ArgusLog (LOG_ERR, "ArgusAuthenticateClient: fdopen() error %s", strerror(errno));
if ((out = fdopen (client->fd, "w")) < 0)
ArgusLog (LOG_ERR, "ArgusAuthenticateClient: fdopen() error %s", strerror(errno));
ArgusSendSaslString (out, data, rlen, SASL_OK);
if ((len = ArgusGetSaslString (in, chosenmech, sizeof(chosenmech))) <= 0) {
#ifdef ARGUSDEBUG
ArgusDebug (2, "ArgusAuthenticateClient: Error ArgusGetSaslString returned %d\n", len);
#endif
return 0;
}
if ((len = ArgusGetSaslString (in, buf, sizeof(buf))) <= 0) {
#ifdef ARGUSDEBUG
ArgusDebug (2, "ArgusAuthenticateClient: Error ArgusGetSaslString returned %d\n", len);
#endif
return 0;
}
if (*buf == 'Y') {
if ((len = ArgusGetSaslString (in, buf, sizeof(buf))) <= 0) {
#ifdef ARGUSDEBUG
ArgusDebug (2, "ArgusAuthenticateClient: Error ArgusGetSaslString returned %d\n", len);
#endif
return 0;
}
retn = sasl_server_start(conn, chosenmech, buf, len, &data, &rlen);
} else {
retn = sasl_server_start(conn, chosenmech, NULL, 0, &data, &rlen);
}
if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) {
sprintf (buf, "%s", sasl_errstring(retn, NULL, NULL));
#ifdef ARGUSDEBUG
ArgusDebug (2, "ArgusAuthenticateClient: Error starting SASL negotiation");
#endif
ArgusSendSaslString(out, buf, strlen(buf), retn);
return 0;
}
while (retn == SASL_CONTINUE) {
if (data) {
#ifdef ARGUSDEBUG
ArgusDebug(2, "sending response length %d...\n", rlen);
#endif
ArgusSendSaslString(out, data, rlen, retn);
} else {
#ifdef ARGUSDEBUG
ArgusDebug(2, "no data to send? ...\n");
#endif
}
#ifdef ARGUSDEBUG
ArgusDebug(2, "waiting for client reply...\n");
#endif
len = ArgusGetSaslString(in, buf, sizeof(buf));
if (len < 0) {
#ifdef ARGUSDEBUG
ArgusDebug(2, "client disconnected ...\n");
#endif
return 0;
}
retn = sasl_server_step(conn, buf, len, &data, &rlen);
if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) {
sprintf (buf, "%s", sasl_errstring(retn, NULL, NULL));
#ifdef ARGUSDEBUG
ArgusDebug(2, "Authentication failed %s\n", sasl_errstring(retn, NULL, NULL));
#endif
ArgusSendSaslString(out, buf, strlen(buf), retn);
return 0;
}
}
if (retn == SASL_OK)
ArgusSendSaslString(out, NULL, 0, SASL_OK);
#endif
#ifdef ARGUSDEBUG
ArgusDebug (1, "ArgusAuthenticateClient() returning %d\n", retn);
#endif
return (retn);
}
void ArgusWindowClose(void) {
#ifdef ARGUSDEBUG
ArgusDebug (6, "ArgusWindowClose () returning\n");
#endif
}
int
ArgusSendSaslString(FILE *f, const char *s, int l, int mode)
{
char *buf = NULL, *ptr = NULL, error[128];
unsigned int al, len;
int result, size, tsize;
switch (mode) {
case SASL_OK: {
if ((s == NULL) || (l == 0)) {
ptr = "D: ";
tsize = 3;
break;
}
}
case SASL_CONTINUE: {
ptr = "S: ";
tsize = 3;
break;
}
default: {
sprintf (error, "E: [%d]", mode);
ptr = error;
tsize = strlen(error);
break;
}
}
if (ferror(f))
clearerr(f);
while ((size = fwrite(ptr, 1, tsize, f)) != tsize) {
if (size >= 0) {
tsize -= size;
ptr += size;
} else {
if (ferror(f))
ArgusLog (LOG_ERR, "ArgusSendSaslString: error %d", ferror(f));
}
}
if (l > 0) {
al = (((l / 3) + 1) * 4) + 1;
if ((buf = malloc(al)) == NULL)
ArgusLog (LOG_ERR, "malloc: error %s", strerror(errno));
if ((ptr = buf) != NULL) {
result = sasl_encode64(s, l, buf, al, &len);
if (result == SASL_OK) {
tsize = len;
while ((size = fwrite(ptr, 1, tsize, f)) != tsize) {
if (size >= 0) {
tsize -= size;
ptr += size;
} else {
if (ferror(f))
ArgusLog (LOG_ERR, "ArgusSendSaslString: error %d", ferror(f));
}
}
}
}
free(buf);
}
ptr = "\n";
tsize = 1;
while ((size = fwrite(ptr, 1, tsize, f)) != tsize) {
if (size >= 0) {
tsize -= size;
ptr += size;
} else {
if (ferror(f))
ArgusLog (LOG_ERR, "ArgusSendSaslString: error %d", ferror(f));
}
}
fflush(f);
#ifdef ARGUSDEBUG
ArgusDebug (2, "ArgusSendSaslString(0x%x, 0x%x, %d) %s", f, s, l, s);
#endif
return len;
}