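/* Above this many listening TCP sockets the per-port address classes are
 * skipped and only a log line is emitted (see the Log call below). */
enum { MAX_TCP_PORT_ADDR_ENTRIES = 512 };

/*
 * Render the LDT ring buffer of observable 'obs' into 'out' as " v1 v2 ...".
 * The walk starts at LDT_POS + 1 and wraps, so the slot at LDT_POS is printed
 * last. Slots whose 'flagged' entry is set are shown as *value*. Every write
 * is bounded by 'outsz'; on truncation the remaining slots are dropped, since
 * the text is diagnostic only.
 */
static void FormatLdtHistory(char *out, size_t outsz, int obs, const int *flagged)
{
    size_t used = 0;
    int slot = LDT_POS + 1;

    if (outsz == 0)
    {
        return;
    }
    out[0] = '\0';

    for (int k = 0; k < LDT_BUFSIZE; k++, slot++)
    {
        if (slot == LDT_BUFSIZE) /* ring wrap */
        {
            slot = 0;
        }
        int n = flagged[slot]
            ? snprintf(out + used, outsz - used, " *%.2f*", LDT_BUF[obs][slot])
            : snprintf(out + used, outsz - used, " %.2f", LDT_BUF[obs][slot]);
        if (n < 0 || (size_t) n >= outsz - used)
        {
            break; /* truncated or error: keep what already fits */
        }
        used += (size_t) n;
    }
}

/* Append one "<prefix>_port_addr[<name>]=<classes>" entry to 'classlist'
 * for every item of 'ports'. Writes are bounded by the local buffer. */
static void AddPortAddressClasses(const char *prefix, const Item *ports, Item **classlist)
{
    char buff[CF_BUFSIZE];

    for (const Item *ip = ports; ip != NULL; ip = ip->next)
    {
        snprintf(buff, sizeof buff, "%s_port_addr[%s]=%s", prefix, ip->name, ip->classes);
        AppendItem(classlist, buff, NULL);
    }
}

/*
 * Build and publish the classes/variables describing the current monitoring
 * sample: per-observable classes and variables (SetClasses/SetVariable
 * against the averages in 'av' and LOCALAV), an LDT anomaly class whenever
 * CHI[i] exceeds CHI_LIMIT[i] with a full ring, the measurement promises, and
 * the listening-port classes. The class list is published and freed here.
 *
 * 'timekey' is forwarded to SetClasses unchanged.
 */
static void ArmClasses(Averages av, char *timekey)
{
    Item *classlist = NULL;
    char buff[CF_BUFSIZE], ldt_buff[CF_BUFSIZE], name[CF_MAXVARSIZE];
    /* Per-observable ring of "this slot was anomalous" flags. Static so the
     * history survives across calls, in step with LDT_BUF. */
    static int anomaly[CF_OBSERVABLES][LDT_BUFSIZE];
    extern Item *ALL_INCOMING;
    extern Item *MON_UDP4, *MON_UDP6, *MON_TCP4, *MON_TCP6;

    for (int i = 0; i < CF_OBSERVABLES; i++)
    {
        char desc[CF_BUFSIZE]; /* filled by GetObservable, not needed here */
        GetObservable(i, name, desc);

        double sigma = SetClasses(name, CF_THIS[i], av.Q[i].expect, av.Q[i].var,
                                  LOCALAV.Q[i].expect, LOCALAV.Q[i].var, &classlist, timekey);
        SetVariable(name, CF_THIS[i], av.Q[i].expect, sigma, &classlist);

        /* LDT: the current slot counts as anomalous only once the ring is
         * full and the chi statistic crossed its limit. */
        bool ldt_anomaly = LDT_FULL && (CHI[i] > CHI_LIMIT[i]);
        anomaly[i][LDT_POS] = ldt_anomaly;

        /* NOTE(review): the rendered history is built on every call but not
         * read anywhere in this function; kept, now bounds-checked, because
         * the original comment "Last printed element is now" suggests it was
         * meant for the verbose diagnostic — confirm intent. */
        FormatLdtHistory(ldt_buff, sizeof ldt_buff, i, anomaly[i]);

        if (ldt_anomaly)
        {
            Log(LOG_LEVEL_VERBOSE, "LDT(%d) in %s chi = %.2f thresh %.2f ", LDT_POS, name, CHI[i], CHI_LIMIT[i]);

            /* NOTE(review): the original tested CF_THIS[i] > av.Q[i].expect
             * but formatted "%s_high_ldt" in both branches, so the class name
             * is the same above and below the expected value. Collapsed here
             * without changing the emitted name; a distinct low-side class
             * looks intended — confirm against policy before renaming. */
            snprintf(buff, sizeof buff, "%s_high_ldt", name);
            AppendItem(&classlist, buff, "2");
            EvalContextHeapPersistentSave(buff, "measurements", CF_PERSISTENCE, CONTEXT_STATE_POLICY_PRESERVE);
        }
    }

    SetMeasurementPromises(&classlist);

    // Report on the open ports, in various ways
    AddOpenPortsClasses("listening_ports", ALL_INCOMING, &classlist);
    AddOpenPortsClasses("listening_udp6_ports", MON_UDP6, &classlist);
    AddOpenPortsClasses("listening_udp4_ports", MON_UDP4, &classlist);
    AddOpenPortsClasses("listening_tcp6_ports", MON_TCP6, &classlist);
    AddOpenPortsClasses("listening_tcp4_ports", MON_TCP4, &classlist);

    // Port addresses: TCP entries are capped, UDP entries are always listed
    if (ListLen(MON_TCP6) + ListLen(MON_TCP4) > MAX_TCP_PORT_ADDR_ENTRIES)
    {
        Log(LOG_LEVEL_INFO, "Disabling address information of TCP ports in LISTEN state: more than 512 listening ports are detected");
    }
    else
    {
        AddPortAddressClasses("tcp6", MON_TCP6, &classlist);
        AddPortAddressClasses("tcp4", MON_TCP4, &classlist);
    }
    AddPortAddressClasses("udp6", MON_UDP6, &classlist);
    AddPortAddressClasses("udp4", MON_UDP4, &classlist);

    PublishEnvironment(classlist);
    DeleteItemList(classlist);
}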
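/* A rendered port list of this length or more is not turned into a variable. */
enum { MAX_PORT_LIST_CHARS = 1500 };

/* Render 'ports' with PrintItemList and, when the result is shorter than
 * MAX_PORT_LIST_CHARS, append "@<label>=<list>" to 'classlist'. */
static void AppendListeningPortsClass(const char *label, Item *ports, Item **classlist)
{
    char list_buff[CF_BUFSIZE], buff[CF_BUFSIZE];

    list_buff[0] = '\0';
    PrintItemList(list_buff, sizeof list_buff, ports);
    if (strlen(list_buff) < MAX_PORT_LIST_CHARS)
    {
        snprintf(buff, sizeof buff, "@%s=%s", label, list_buff);
        AppendItem(classlist, buff, NULL);
    }
}

/* Append one "<prefix>_port_addr[<name>]=<classes>" entry to 'classlist'
 * for every item of 'ports'. Writes are bounded by the local buffer. */
static void AppendPortAddressClasses(const char *prefix, const Item *ports, Item **classlist)
{
    char buff[CF_BUFSIZE];

    for (const Item *ip = ports; ip != NULL; ip = ip->next)
    {
        snprintf(buff, sizeof buff, "%s_port_addr[%s]=%s", prefix, ip->name, ip->classes);
        AppendItem(classlist, buff, NULL);
    }
}

/*
 * Build and publish the classes/variables describing the current monitoring
 * sample: per-observable classes and variables (SetClasses/SetVariable
 * against the averages in 'av' and LOCALAV), an LDT anomaly class whenever
 * CHI[i] exceeds CHI_LIMIT[i] with a full ring, the measurement promises, the
 * "@listening_*" port variables and the per-port address entries. The list is
 * handed to MonPublishEnvironment; presumably it takes ownership, since it is
 * not freed here — verify against that function.
 *
 * 'timekey' is forwarded to SetClasses unchanged.
 */
static void ArmClasses(Averages av, char *timekey)
{
    Item *classlist = NULL;
    char buff[CF_BUFSIZE], ldt_buff[CF_BUFSIZE], name[CF_MAXVARSIZE];
    /* Per-observable ring of "this slot was anomalous" flags. Static so the
     * history survives across calls, in step with LDT_BUF. */
    static int anomaly[CF_OBSERVABLES][LDT_BUFSIZE];
    extern Item *ALL_INCOMING;
    extern Item *MON_UDP4, *MON_UDP6, *MON_TCP4, *MON_TCP6;

    CfDebug("Arm classes for %s\n", timekey);

    for (int i = 0; i < CF_OBSERVABLES; i++)
    {
        char desc[CF_BUFSIZE]; /* filled by GetObservable, not needed here */
        GetObservable(i, name, desc);

        double sigma = SetClasses(name, CF_THIS[i], av.Q[i].expect, av.Q[i].var,
                                  LOCALAV.Q[i].expect, LOCALAV.Q[i].var, &classlist, timekey);
        SetVariable(name, CF_THIS[i], av.Q[i].expect, sigma, &classlist);

        /* LDT: the current slot counts as anomalous only once the ring is
         * full and the chi statistic crossed its limit. */
        bool ldt_anomaly = LDT_FULL && (CHI[i] > CHI_LIMIT[i]);
        anomaly[i][LDT_POS] = ldt_anomaly;

        /* Render the ring for this observable, oldest slot first (the walk
         * starts at LDT_POS + 1 and wraps), marking anomalous slots as *v*.
         * Bounded so a long history cannot overrun ldt_buff.
         * NOTE(review): the text is not read anywhere in this function;
         * the original comment "Last printed element is now" suggests it was
         * meant for the verbose diagnostic — confirm intent. */
        size_t used = 0;
        ldt_buff[0] = '\0';
        for (int j = LDT_POS + 1, k = 0; k < LDT_BUFSIZE; j++, k++)
        {
            if (j == LDT_BUFSIZE) /* Wrap */
            {
                j = 0;
            }
            int n = anomaly[i][j]
                ? snprintf(ldt_buff + used, sizeof ldt_buff - used, " *%.2f*", LDT_BUF[i][j])
                : snprintf(ldt_buff + used, sizeof ldt_buff - used, " %.2f", LDT_BUF[i][j]);
            if (n < 0 || (size_t) n >= sizeof ldt_buff - used)
            {
                break; /* truncated or error: keep what already fits */
            }
            used += (size_t) n;
        }

        if (ldt_anomaly)
        {
            CfOut(cf_verbose, "", "LDT(%d) in %s chi = %.2f thresh %.2f \n", LDT_POS, name, CHI[i], CHI_LIMIT[i]);

            /* NOTE(review): the original tested CF_THIS[i] > av.Q[i].expect
             * but formatted "%s_high_ldt" in both branches, so the class name
             * is the same above and below the expected value. Collapsed here
             * without changing the emitted name; a distinct low-side class
             * looks intended — confirm against policy before renaming. */
            snprintf(buff, sizeof buff, "%s_high_ldt", name);
            AppendItem(&classlist, buff, "2");
            NewPersistentContext(buff, CF_PERSISTENCE, cfpreserve);
        }
    }

    SetMeasurementPromises(&classlist);

    // Report on the open ports, in various ways
    AppendListeningPortsClass("listening_ports", ALL_INCOMING, &classlist);
    AppendListeningPortsClass("listening_udp6_ports", MON_UDP6, &classlist);
    AppendListeningPortsClass("listening_udp4_ports", MON_UDP4, &classlist);
    AppendListeningPortsClass("listening_tcp6_ports", MON_TCP6, &classlist);
    AppendListeningPortsClass("listening_tcp4_ports", MON_TCP4, &classlist);

    // Port addresses
    AppendPortAddressClasses("tcp6", MON_TCP6, &classlist);
    AppendPortAddressClasses("tcp4", MON_TCP4, &classlist);
    AppendPortAddressClasses("udp6", MON_UDP6, &classlist);
    AppendPortAddressClasses("udp4", MON_UDP4, &classlist);

    MonPublishEnvironment(classlist);
}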