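/*
 * Is_IP_Range - loose syntactic check that a string looks like an IP
 * address or an address/prefix pair.
 *
 * str: NUL-terminated, writable string.  When it contains a '/', the
 *      string is tokenised in place with strtok_r(), so the first '/'
 *      after the address is overwritten with '\0'.
 *
 * Returns true when the string holds only digits, '.', '/' and ':' and,
 * if a '/' is present, the text after it parses to a prefix in 1..128.
 * Returns false otherwise, including for a NULL pointer or a '/' with
 * nothing after it.
 */
bool Is_IP_Range (char *str)
{
    char *tmp = NULL;
    char *prefix_str = NULL;
    long prefix;
    unsigned int ipint = 0;
    unsigned char ipbits[MAXIP] = {0};

    if (str == NULL) {
        return false;
    }

    /* Anything outside the address alphabet is rejected up front. */
    if (strlen(str) != strspn(str, "0123456789./:")) {
        return false;
    }

    /*
     * NOTE(review): strspn() only measures the run of '.'/'/' at the very
     * start of the string, so this branch is taken whenever the first
     * character is a digit or ':' (dotted quads included), not only for a
     * bare integer.  Looks like "contains no '.' or '/'" was intended;
     * confirm before changing.
     */
    if (strspn(str, "./") == 0) {
        ipint = atol(str);
        /* assumes MAXIP >= sizeof(unsigned int) -- TODO confirm */
        memcpy(ipbits, &ipint, sizeof(ipint));

        if (Bit2IP(ipbits, NULL, 0) == 0) {
            return false;
        }
    }

    if (strchr(str, '/')) {
        /* First token is the address part; only the prefix is needed here. */
        (void)strtok_r(str, "/", &tmp);

        /*
         * Inputs such as "10.0.0.0/" or "/24" leave no second token.
         * strtok_r() then returns NULL, which must not reach the number
         * parser (the previous atoi(NULL) was a NULL dereference).
         */
        prefix_str = strtok_r(NULL, "/", &tmp);

        if (prefix_str == NULL) {
            return false;
        }

        /* strtol() clamps on overflow, so oversized values fail the range test. */
        prefix = strtol(prefix_str, NULL, 10);

        if (prefix < 1 || prefix > 128) {
            return false;
        }
    }

    return true;
}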
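/*
 * Sagan_Report_Clients - endless once-a-minute sweep of the tracked-client
 * table (SaganTrackClients_ipc).
 *
 * For each of the counters_ipc->track_clients_client_count entries:
 *   - status == 1 and last-seen age below the timeout: status is reset to
 *     0, track_clients_down is decremented and alert 101 is sent;
 *   - status != 1 and last-seen age at or above the timeout: status is set
 *     to 1, track_clients_down is incremented and alert 100 is sent.
 * The timeout is config->pp_sagan_track_clients * 60 (the log text treats
 * the setting as minutes).  Never returns.
 *
 * NOTE(review): status and utime are read outside the
 * Sagan_File_Lock()/Sagan_File_Unlock() pairs that wrap the writes;
 * confirm no other writer can change an entry between check and update.
 */
void Sagan_Report_Clients ( void )
{
    for (;;) {
        struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL = NULL;
        int alertid;
        int i;
        char *tmp_ip = NULL;
        uintmax_t utime_u64;
        uintmax_t last_seen;
        uintmax_t elapsed;
        int expired_time = config->pp_sagan_track_clients * 60;

        /*
         * Take the epoch straight from time().  The earlier
         * localtime() -> strftime("%s") -> atol() round trip relied on a
         * non-standard conversion and an unchecked localtime() result.
         */
        utime_u64 = (uintmax_t)time(NULL);

        /*
         * Record handed to the output plugins.  calloc() so that any field
         * not filled in below is zero rather than indeterminate heap data.
         */
        SaganProcSyslog_LOCAL = calloc(1, sizeof(struct _Sagan_Proc_Syslog));

        if ( SaganProcSyslog_LOCAL == NULL ) {
            Sagan_Log(S_ERROR, "[%s, line %d] Failed to allocate memory for SaganProcSyslog_LOCAL. Abort!", __FILE__, __LINE__);

            /* Only reached if Sagan_Log() returns: skip this pass instead
               of dereferencing NULL, and retry on the next cycle. */
            sleep(60);
            continue;
        }

        /* Walk every known client. */
        for (i = 0; i < counters_ipc->track_clients_client_count; i++) {

            /*
             * Age of the last log from this client.  An entry can carry a
             * timestamp newer than the sample taken at the top of this pass
             * (it was refreshed meanwhile); the unsigned subtraction would
             * then wrap to a huge value and the host would look expired.
             * Clamp that case to zero.
             */
            last_seen = (uintmax_t)SaganTrackClients_ipc[i].utime;
            elapsed = ( utime_u64 > last_seen ) ? ( utime_u64 - last_seen ) : 0;

            if ( SaganTrackClients_ipc[i].status == 1 ) {

                /* Host was flagged down; has it logged within the window? */
                if ( elapsed < (uintmax_t)expired_time ) {

                    /* Update status */
                    Sagan_File_Lock(config->shm_track_clients);
                    SaganTrackClients_ipc[i].status = 0;
                    Sagan_File_Unlock(config->shm_track_clients);

                    /* Update counters */
                    Sagan_File_Lock(config->shm_counters);
                    counters_ipc->track_clients_down--;
                    Sagan_File_Unlock(config->shm_counters);

                    /* NOTE(review): ownership of the returned string is not
                       visible here -- confirm it must not be freed. */
                    tmp_ip = Bit2IP(SaganTrackClients_ipc[i].host_u32);

                    Sagan_Log(S_WARN, "[Processor: %s] Logs are being received from %s again.", PROCESSOR_NAME, tmp_ip );

                    /* Populate SaganProcSyslog_LOCAL for output plugins */
                    strlcpy(SaganProcSyslog_LOCAL->syslog_host, tmp_ip, sizeof(SaganProcSyslog_LOCAL->syslog_host));
                    strlcpy(SaganProcSyslog_LOCAL->syslog_facility, PROCESSOR_FACILITY, sizeof(SaganProcSyslog_LOCAL->syslog_facility));
                    strlcpy(SaganProcSyslog_LOCAL->syslog_priority, PROCESSOR_PRIORITY, sizeof(SaganProcSyslog_LOCAL->syslog_priority));
                    strlcpy(SaganProcSyslog_LOCAL->syslog_level, "info", sizeof(SaganProcSyslog_LOCAL->syslog_level));
                    strlcpy(SaganProcSyslog_LOCAL->syslog_tag, "00", sizeof(SaganProcSyslog_LOCAL->syslog_tag));
                    strlcpy(SaganProcSyslog_LOCAL->syslog_program, PROCESSOR_NAME, sizeof(SaganProcSyslog_LOCAL->syslog_program));
                    snprintf(SaganProcSyslog_LOCAL->syslog_date, sizeof(SaganProcSyslog_LOCAL->syslog_date), "%s", Sagan_Return_Date(utime_u64));
                    snprintf(SaganProcSyslog_LOCAL->syslog_time, sizeof(SaganProcSyslog_LOCAL->syslog_time), "%s", Sagan_Return_Time(utime_u64));

                    /* ctime() text ends in '\n', so the message carries an
                       embedded newline.  NOTE(review): ctime() takes a
                       time_t * -- confirm the type of the utime field. */
                    snprintf(SaganProcSyslog_LOCAL->syslog_message, sizeof(SaganProcSyslog_LOCAL->syslog_message)-1,
                             "The IP address %s was previously not sending logs. The system appears to be sending logs again at %s",
                             tmp_ip, ctime(&SaganTrackClients_ipc[i].utime) );

                    alertid=101;    /* See gen-msg.map */

                    /* Send alert to output plugins */
                    Sagan_Send_Alert(SaganProcSyslog_LOCAL, processor_info_track_client, SaganProcSyslog_LOCAL->syslog_host, config->sagan_host, "\0", "\0", config->sagan_proto, alertid, config->sagan_port, config->sagan_port, 0);

                } /* End last seen check time */

            } else {

                /* Host is currently up; has it been silent for the whole window? */
                if ( elapsed >= (uintmax_t)expired_time ) {

                    /* Update status */
                    Sagan_File_Lock(config->shm_track_clients);
                    SaganTrackClients_ipc[i].status = 1;
                    Sagan_File_Unlock(config->shm_track_clients);

                    /* Update counters */
                    Sagan_File_Lock(config->shm_counters);
                    counters_ipc->track_clients_down++;
                    Sagan_File_Unlock(config->shm_counters);

                    /* NOTE(review): ownership of the returned string is not
                       visible here -- confirm it must not be freed. */
                    tmp_ip = Bit2IP(SaganTrackClients_ipc[i].host_u32);

                    Sagan_Log(S_WARN, "[Processor: %s] Logs have not been seen from %s for %d minute(s).", PROCESSOR_NAME, tmp_ip, config->pp_sagan_track_clients);

                    /* Populate SaganProcSyslog_LOCAL for output plugins */
                    strlcpy(SaganProcSyslog_LOCAL->syslog_host, tmp_ip, sizeof(SaganProcSyslog_LOCAL->syslog_host));
                    strlcpy(SaganProcSyslog_LOCAL->syslog_facility, PROCESSOR_FACILITY, sizeof(SaganProcSyslog_LOCAL->syslog_facility));
                    strlcpy(SaganProcSyslog_LOCAL->syslog_priority, PROCESSOR_PRIORITY, sizeof(SaganProcSyslog_LOCAL->syslog_priority));
                    strlcpy(SaganProcSyslog_LOCAL->syslog_level, "info", sizeof(SaganProcSyslog_LOCAL->syslog_level));
                    strlcpy(SaganProcSyslog_LOCAL->syslog_tag, "00", sizeof(SaganProcSyslog_LOCAL->syslog_tag));
                    strlcpy(SaganProcSyslog_LOCAL->syslog_program, PROCESSOR_NAME, sizeof(SaganProcSyslog_LOCAL->syslog_program));
                    snprintf(SaganProcSyslog_LOCAL->syslog_date, sizeof(SaganProcSyslog_LOCAL->syslog_date), "%s", Sagan_Return_Date(utime_u64));
                    snprintf(SaganProcSyslog_LOCAL->syslog_time, sizeof(SaganProcSyslog_LOCAL->syslog_time), "%s", Sagan_Return_Time(utime_u64));

                    /* Message text is kept exactly as before, spelling
                       included, in case anything downstream matches on it. */
                    snprintf(SaganProcSyslog_LOCAL->syslog_message, sizeof(SaganProcSyslog_LOCAL->syslog_message)-1,
                             "Sagan has not recieved any logs from the IP address %s in over %d minute(s). Last log was seen at %s. "
                             "This could be an indication that the system is down.",
                             tmp_ip, config->pp_sagan_track_clients, ctime(&SaganTrackClients_ipc[i].utime) );

                    alertid=100;    /* See gen-msg.map */

                    /* Send alert to output plugins */
                    Sagan_Send_Alert(SaganProcSyslog_LOCAL, processor_info_track_client, SaganProcSyslog_LOCAL->syslog_host, config->sagan_host, "\0", "\0", config->sagan_proto, alertid, config->sagan_port, config->sagan_port, 0);

                } /* End of existing utime check */

            } /* End of else */

        } /* End of 'for' loop */

        free(SaganProcSyslog_LOCAL);

        sleep(60);

    } /* End infinite loop */

} /* End Sagan_Report_Clients */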