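/*
 * Emit one record exactly once.
 *
 * If the parser has a non-empty output-file list, the record is run through
 * each file's optional filter, converted to wire format and appended to every
 * file except the one named by ArgusParser->exceptfile.  Otherwise, unless
 * the quiet flag is set, the record is printed to stdout, optionally preceded
 * by a column label every ArgusParser->Lflag records.
 *
 * A record already flagged ARGUS_RECORD_WRITTEN is left untouched; on every
 * other path the flag is set before returning.
 *
 * ns     record to emit; ns->status is updated in place.
 * return always 1.
 *
 * Relies on the global ArgusParser for the file list, exception file, label
 * state (-L) and quiet flag (-q).
 *
 * Changes from the previous revision:
 *  - the inner wire-format buffer no longer shadows the print buffer;
 *  - the file-list walk stops at a NULL node instead of dereferencing it
 *    via lobj->nxt when the chain is shorter than the advertised count;
 *  - the print buffer is cleared with memset instead of an int store
 *    through a char array (strict-aliasing / alignment undefined behaviour).
 */
int
RaSendArgusRecord(struct ArgusRecordStruct *ns)
{
   int retn = 1;

   if (ns->status & ARGUS_RECORD_WRITTEN)
      return (retn);

   if ((ArgusParser->ArgusWfileList != NULL) &&
       (!(ArgusListEmpty(ArgusParser->ArgusWfileList)))) {
      struct ArgusListObjectStruct *lobj = ArgusParser->ArgusWfileList->start;
      int i, count = ArgusParser->ArgusWfileList->count;

      /* Visit at most `count' nodes, and stop early if the chain ends
       * first so that `lobj->nxt' is never taken through a NULL node. */
      for (i = 0; (i < count) && (lobj != NULL); i++, lobj = lobj->nxt) {
         struct ArgusWfileStruct *wfile = (struct ArgusWfileStruct *) lobj;
         int pass = 1;

         /* Per-file filter: a zero result means this file does not want the record. */
         if (wfile->filterstr) {
            struct nff_insn *wfcode = wfile->filter.bf_insns;
            pass = ArgusFilterRecord (wfcode, ns);
         }
         if (pass == 0)
            continue;

         /* The exception file never receives records. */
         if ((ArgusParser->exceptfile != NULL) &&
             (strcmp(wfile->filename, ArgusParser->exceptfile) == 0))
            continue;

         {
            struct ArgusRecord *argusrec = NULL;
            char recbuf[2048];   /* wire-format scratch space for ArgusGenerateRecord */

            if ((argusrec = ArgusGenerateRecord (ns, 0L, recbuf)) != NULL) {
#ifdef _LITTLE_ENDIAN
               /* Records are written in network byte order. */
               ArgusHtoN(argusrec);
#endif
               ArgusWriteNewLogfile (ArgusParser, ns->input, wfile, argusrec);
            }
         }
      }

   } else {
      if (!ArgusParser->qflag) {
         char buf[MAXSTRLEN];

         if (ArgusParser->Lflag) {
            /* Lazily build the column label from the first record printed. */
            if (ArgusParser->RaLabel == NULL)
               ArgusParser->RaLabel = ArgusGenerateLabel(ArgusParser, ns);

            /* Print the label every Lflag records (including the first). */
            if (!(ArgusParser->RaLabelCounter++ % ArgusParser->Lflag))
               printf ("%s\n", ArgusParser->RaLabel);

            /* A negative Lflag means "label once": disable it after the first print. */
            if (ArgusParser->Lflag < 0)
               ArgusParser->Lflag = 0;
         }

         /* Clear the whole buffer; the previous `*(int *)&buf = 0' only
          * zeroed the first sizeof(int) bytes and did so through an
          * incompatible lvalue. */
         memset(buf, 0, sizeof buf);
         ArgusPrintRecord(ArgusParser, buf, ns, MAXSTRLEN);
         fprintf (stdout, "%s\n", buf);
         fflush(stdout);
      }
   }

   ns->status |= ARGUS_RECORD_WRITTEN;
   return (retn);
}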
/*
 * Feed one input record through the chain of aggregators hanging off
 * parser->ArgusAggregator.
 *
 * For each aggregator the record must pass the aggregator's packet filter
 * (filterstr) and/or its label regex (labelstr); when neither is configured
 * the record is accepted.  An accepted record is copied, re-keyed by the
 * aggregator's flow model and looked up in the aggregator's hash table.  If
 * a matching flow exists the copy is merged into it (after any status/idle
 * timeout flush); otherwise the copy becomes a new hash-table entry.  The
 * walk continues to the next aggregator only while agg->cont is set.
 *
 * parser  global parser state (reverse-matching, monitor mode, -A flag).
 * argus   the input record; it is never modified here, only copied.
 *
 * NOTE(review): ArgusLog(LOG_ERR, ...) is assumed not to return, so hstruct
 * is treated as non-NULL after each hash-generation call — confirm against
 * ArgusLog before relying on that.
 */
void RaProcessThisRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *argus) {
   struct ArgusAggregatorStruct *agg = parser->ArgusAggregator;
   struct ArgusHashStruct *hstruct = NULL;
   int found = 0;

   while (agg && !found) {
      /* fretn/lretn: -1 = test not configured, 0 = rejected, 1 = accepted. */
      int retn = 0, fretn = -1, lretn = -1;

      if (agg->filterstr) {
         struct nff_insn *fcode = agg->filter.bf_insns;
         fretn = ArgusFilterRecord (fcode, argus);
      }

      if (agg->labelstr) {
         struct ArgusLabelStruct *label;
         /* A record without a label DSR cannot match a label regex. */
         if (((label = (void *)argus->dsrs[ARGUS_LABEL_INDEX]) != NULL)) {
            if (regexec(&agg->lpreg, label->l_un.label, 0, NULL, 0))
               lretn = 0;
            else
               lretn = 1;
         } else
            lretn = 0;
      }

      /* Combine the two tests: absent tests are ignored; when both are
       * present the record must pass both. */
      retn = (lretn < 0) ? ((fretn < 0) ? 1 : fretn) : ((fretn < 0) ? lretn : (lretn && fretn));

      if (retn != 0) {
         /* Work on a private copy so the caller's record stays intact. */
         struct ArgusRecordStruct *tns, *ns = ArgusCopyRecordStruct(argus);

         /* Pick the flow-model override for this record, else the default. */
         if ((agg->rap = RaFlowModelOverRides(agg, ns)) == NULL)
            agg->rap = agg->drap;

         ArgusGenerateNewFlow(agg, ns);

         if ((hstruct = ArgusGenerateHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
            ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));

         if ((tns = ArgusFindRecord(agg->htable, hstruct)) == NULL) {
            struct ArgusFlow *flow = (struct ArgusFlow *) ns->dsrs[ARGUS_FLOW_INDEX];

            /* No forward match: optionally look for the same flow keyed in
             * the opposite direction. */
            if (!parser->RaMonMode && parser->ArgusReverse) {
               int tryreverse = 0;

               if (flow != NULL) {
                  if (agg->correct != NULL)
                     tryreverse = 1;

                  /* ESP flows are never direction-corrected. */
                  switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
                     case ARGUS_TYPE_IPV4: {
                        switch (flow->ip_flow.ip_p) {
                           case IPPROTO_ESP:
                              tryreverse = 0;
                              break;
                        }
                        break;
                     }
                     case ARGUS_TYPE_IPV6: {
                        switch (flow->ipv6_flow.ip_p) {
                           case IPPROTO_ESP:
                              tryreverse = 0;
                              break;
                        }
                        break;
                     }
                  }
               } else
                  tryreverse = 0;

               if (tryreverse) {
                  if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
                     ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));

                  if ((tns = ArgusFindRecord(agg->htable, hstruct)) == NULL) {
                     /* Still no match.  For IPv4 ICMP request/reply pairs the
                      * reverse key also needs the ICMP type swapped: flip the
                      * type, retry the reverse lookup, then restore the type.
                      * If a match is found, ns itself is reversed so that it
                      * merges into the existing flow. */
                     switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
                        case ARGUS_TYPE_IPV4: {
                           switch (flow->ip_flow.ip_p) {
                              case IPPROTO_ICMP: {
                                 struct ArgusICMPFlow *icmpFlow = &flow->flow_un.icmp;

                                 if (ICMP_INFOTYPE(icmpFlow->type)) {
                                    switch (icmpFlow->type) {
                                       case ICMP_ECHO:
                                       case ICMP_ECHOREPLY:
                                          icmpFlow->type = (icmpFlow->type == ICMP_ECHO) ? ICMP_ECHOREPLY : ICMP_ECHO;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_ECHO) ? ICMP_ECHOREPLY : ICMP_ECHO;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;

                                       case ICMP_ROUTERADVERT:
                                       case ICMP_ROUTERSOLICIT:
                                          icmpFlow->type = (icmpFlow->type == ICMP_ROUTERADVERT) ? ICMP_ROUTERSOLICIT : ICMP_ROUTERADVERT;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_ROUTERADVERT) ? ICMP_ROUTERSOLICIT : ICMP_ROUTERADVERT;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;

                                       case ICMP_TSTAMP:
                                       case ICMP_TSTAMPREPLY:
                                          icmpFlow->type = (icmpFlow->type == ICMP_TSTAMP) ? ICMP_TSTAMPREPLY : ICMP_TSTAMP;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_TSTAMP) ? ICMP_TSTAMPREPLY : ICMP_TSTAMP;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;

                                       case ICMP_IREQ:
                                       case ICMP_IREQREPLY:
                                          icmpFlow->type = (icmpFlow->type == ICMP_IREQ) ? ICMP_IREQREPLY : ICMP_IREQ;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_IREQ) ? ICMP_IREQREPLY : ICMP_IREQ;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;

                                       case ICMP_MASKREQ:
                                       case ICMP_MASKREPLY:
                                          icmpFlow->type = (icmpFlow->type == ICMP_MASKREQ) ? ICMP_MASKREPLY : ICMP_MASKREQ;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_MASKREQ) ? ICMP_MASKREPLY : ICMP_MASKREQ;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;
                                    }
                                 }
                                 break;
                              }
                           }
                           break;
                        }
                     }

                     /* Recompute the key for ns in its current direction
                      * (it may just have been reversed above); when no match
                      * was found this is the key the new entry is added under. */
                     if ((hstruct = ArgusGenerateHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
                        ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));

                  } else {
                     /* Reverse match found.  Decide which side to flip: for
                      * TCP, keep the record that saw the SYN as the initiator
                      * (reverse the stored one if only the new one saw it);
                      * in every other case reverse the new record. */
                     switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
                        case ARGUS_TYPE_IPV4: {
                           switch (flow->ip_flow.ip_p) {
                              case IPPROTO_TCP: {
                                 struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)ns->dsrs[ARGUS_NETWORK_INDEX];
                                 if (tcp != NULL) {
                                    struct ArgusTCPObject *ttcp = (struct ArgusTCPObject *)tns->dsrs[ARGUS_NETWORK_INDEX];
                                    if (ttcp != NULL) {
                                       if ((tcp->status & ARGUS_SAW_SYN) && !(ttcp->status & ARGUS_SAW_SYN)) {
                                          ArgusReverseRecord (tns);
                                       } else
                                          ArgusReverseRecord (ns);
                                    } else
                                       ArgusReverseRecord (ns);
                                 } else
                                    ArgusReverseRecord (ns);
                                 break;
                              }
                              default:
                                 ArgusReverseRecord (ns);
                                 break;
                           }
                        }
                        break;

                        case ARGUS_TYPE_IPV6: {
                           switch (flow->ipv6_flow.ip_p) {
                              case IPPROTO_TCP: {
                                 struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)ns->dsrs[ARGUS_NETWORK_INDEX];
                                 if (tcp != NULL) {
                                    struct ArgusTCPObject *ttcp = (struct ArgusTCPObject *)tns->dsrs[ARGUS_NETWORK_INDEX];
                                    if (ttcp != NULL) {
                                       if ((tcp->status & ARGUS_SAW_SYN) && !(ttcp->status & ARGUS_SAW_SYN)) {
                                          ArgusReverseRecord (tns);
                                       } else
                                          ArgusReverseRecord (ns);
                                    } else
                                       ArgusReverseRecord (ns);
                                 } else
                                    ArgusReverseRecord (ns);
                                 break;
                              }
                              default:
                                 ArgusReverseRecord (ns);
                                 break;
                           }
                        }
                        break;

                        default:
                           ArgusReverseRecord (ns);
                     }
                  }
               }
            }
         }

         if (tns != NULL) {
            /* -A: a change in the service-test status flushes the stored
             * flow before the new status is adopted. */
            if (parser->Aflag) {
               if ((tns->status & RA_SVCTEST) != (ns->status & RA_SVCTEST)) {
                  RaSendArgusRecord(tns);
                  tns->status &= ~(RA_SVCTEST);
                  tns->status |= (ns->status & RA_SVCTEST);
               }
            }

            if (tns->status & ARGUS_RECORD_WRITTEN) {
               /* Already emitted: start accumulating afresh. */
               ArgusZeroRecord (tns);
            } else {
               /* Flush the stored flow if the combined span exceeds the
                * status interval, or the gap between the two records
                * exceeds the idle interval. */
               if (agg->statusint || agg->idleint) {
                  double dur, nsst, tnsst, nslt, tnslt;
                  nsst  = ArgusFetchStartTime(ns);
                  tnsst = ArgusFetchStartTime(tns);
                  nslt  = ArgusFetchLastTime(ns);
                  tnslt = ArgusFetchLastTime(tns);

                  /* Span from the earliest start to the latest end of both records. */
                  dur = ((tnslt > nslt) ? tnslt : nslt) - ((nsst < tnsst) ? nsst : tnsst);

                  if (agg->statusint && (dur >= agg->statusint)) {
                     RaSendArgusRecord(tns);
                     ArgusZeroRecord(tns);
                  } else {
                     /* Gap between the records, 0.0 when they overlap. */
                     dur = ((nslt < tnsst) ? (tnsst - nslt) : ((tnslt < nsst) ? (nsst - tnslt) : 0.0));
                     if (agg->idleint && (dur >= agg->idleint)) {
                        RaSendArgusRecord(tns);
                        ArgusZeroRecord(tns);
                     }
                  }
               }
            }

            ArgusMergeRecords (agg, tns, ns);

            /* Move the flow to the tail of the queue (most recently touched). */
            ArgusRemoveFromQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
            ArgusAddToQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);

            /* The copy has been merged; release it. */
            ArgusDeleteRecordStruct(parser, ns);
            agg->status |= ARGUS_AGGREGATOR_DIRTY;

         } else {
            /* New flow: the copy is adopted as the table entry under hstruct. */
            tns = ns;
            tns->htblhdr = ArgusAddHashEntry (agg->htable, tns, hstruct);
            ArgusAddToQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
            agg->status |= ARGUS_AGGREGATOR_DIRTY;
         }

         /* Continue down the chain only if this aggregator says so. */
         if (agg->cont)
            agg = agg->nxt;
         else
            found++;

      } else
         agg = agg->nxt;
   }
}