void Sagan_Bluedot_Load_Cat(void) { FILE *bluedot_cat_file; char buf[1024] = { 0 }; char *saveptr = NULL; char *bluedot_tok1 = NULL; char *bluedot_tok2 = NULL; if (( bluedot_cat_file = fopen(config->bluedot_cat, "r" )) == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] No Bluedot categories list to load (%s)!", __FILE__, __LINE__, config->bluedot_cat); } while(fgets(buf, 1024, bluedot_cat_file) != NULL) { /* Skip comments and blank linkes */ if (buf[0] == '#' || buf[0] == 10 || buf[0] == ';' || buf[0] == 32) { continue; } else { /* Allocate memory for references, not comments */ SaganBluedotCatList = (_Sagan_Bluedot_Cat_List *) realloc(SaganBluedotCatList, (counters->bluedot_cat_count+1) * sizeof(_Sagan_Bluedot_Cat_List)); /* Normalize the list for later use. Better to do this here than when processing rules */ bluedot_tok1 = Remove_Return(strtok_r(buf, "|", &saveptr)); if ( bluedot_tok1 == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] Bluedot categories file appears to be malformed.", __FILE__, __LINE__); } Remove_Spaces(bluedot_tok1); SaganBluedotCatList[counters->bluedot_cat_count].cat_number = atoi(bluedot_tok1); bluedot_tok2 = Remove_Return(strtok_r(NULL, "|", &saveptr)); if ( bluedot_tok2 == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] Bluedot categories file appears to be malformed.", __FILE__, __LINE__); } Remove_Return(bluedot_tok2); Remove_Spaces(bluedot_tok2); To_LowerC(bluedot_tok2); strlcpy(SaganBluedotCatList[counters->bluedot_cat_count].cat, bluedot_tok2, sizeof(SaganBluedotCatList[counters->bluedot_cat_count].cat)); counters->bluedot_cat_count++; } } }
void Sagan_BroIntel_Load_File ( void ) { FILE *brointel_file; char *value; char *type; char *description; sbool found_flag; sbool found_flag_array; char *tok = NULL; ; char *ptmp = NULL; int line_count; int i; uint32_t u32_ip; char *brointel_filename = NULL; char brointelbuf[MAX_BROINTEL_LINE_SIZE] = { 0 }; counters->brointel_dups = 0; brointel_filename = strtok_r(config->brointel_files, ",", &ptmp); while ( brointel_filename != NULL ) { Sagan_Log(S_NORMAL, "Bro Intel Processor Loading File: %s.", brointel_filename); if (( brointel_file = fopen(brointel_filename, "r")) == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] Could not load Bro Intel file! (%s - %s)", __FILE__, __LINE__, brointel_filename, strerror(errno)); } while(fgets(brointelbuf, MAX_BROINTEL_LINE_SIZE, brointel_file) != NULL) { /* Skip comments and blank linkes */ if (brointelbuf[0] == '#' || brointelbuf[0] == 10 || brointelbuf[0] == ';' || brointelbuf[0] == 32 ) { line_count++; continue; } else { Remove_Return(brointelbuf); value = strtok_r(brointelbuf, "\t", &tok); type = strtok_r(NULL, "\t", &tok); description = strtok_r(NULL, "\t", &tok); if ( value == NULL || type == NULL || description == NULL ) { Sagan_Log(S_WARN, "[%s, line %d] Got invalid line at %d in %s", __FILE__, __LINE__, line_count, brointel_filename); } found_flag = 0; if (!strcmp(type, "Intel::ADDR")) { u32_ip = IP2Bit(value); found_flag = 1; /* Used to short circuit other 'type' lookups */ found_flag_array = 0; /* Used to short circuit/warn when dups are found. This way we don't waste memory/CPU */ /* Check for duplicates. */ for (i=0; i < counters->brointel_addr_count; i++) { if ( u32_ip == Sagan_BroIntel_Intel_Addr[i].u32_ip ) { Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::ADDR address %s in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1); counters->brointel_dups++; found_flag_array = 1; } } if ( found_flag_array == 0 ) { Sagan_BroIntel_Intel_Addr = (_Sagan_BroIntel_Intel_Addr *) realloc(Sagan_BroIntel_Intel_Addr, (counters->brointel_addr_count+1) * sizeof(_Sagan_BroIntel_Intel_Addr)); if ( Sagan_BroIntel_Intel_Addr == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Addr. Abort!", __FILE__, __LINE__); } Sagan_BroIntel_Intel_Addr[counters->brointel_addr_count].u32_ip = IP2Bit(value); counters->brointel_addr_count++; } } if (!strcmp(type, "Intel::DOMAIN") && found_flag == 0) { To_LowerC(value); found_flag = 1; found_flag_array = 0; for (i=0; i < counters-> brointel_domain_count; i++) { if (!strcmp(Sagan_BroIntel_Intel_Domain[i].domain, value)) { Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::DOMAIN '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1); counters->brointel_dups++; found_flag_array = 1; } } if ( found_flag_array == 0 ) { Sagan_BroIntel_Intel_Domain = (_Sagan_BroIntel_Intel_Domain *) realloc(Sagan_BroIntel_Intel_Domain, (counters->brointel_domain_count+1) * sizeof(_Sagan_BroIntel_Intel_Domain)); if ( Sagan_BroIntel_Intel_Domain == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Domain. Abort!", __FILE__, __LINE__); } strlcpy(Sagan_BroIntel_Intel_Domain[counters->brointel_domain_count].domain, value, sizeof(Sagan_BroIntel_Intel_Domain[counters->brointel_domain_count].domain)); counters->brointel_domain_count++; } } if (!strcmp(type, "Intel::FILE_HASH") && found_flag == 0) { To_LowerC(value); found_flag = 1; found_flag_array = 0; for (i=0; i < counters->brointel_file_hash_count; i++) { if (!strcmp(Sagan_BroIntel_Intel_File_Hash[i].hash, value)) { Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::FILE_HASH '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1); counters->brointel_dups++; found_flag_array = 1; } } if ( found_flag_array == 0 ) { Sagan_BroIntel_Intel_File_Hash = (_Sagan_BroIntel_Intel_File_Hash *) realloc(Sagan_BroIntel_Intel_File_Hash, (counters->brointel_file_hash_count+1) * sizeof(_Sagan_BroIntel_Intel_File_Hash)); if ( Sagan_BroIntel_Intel_File_Hash == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_File_Hash. Abort!", __FILE__, __LINE__); } strlcpy(Sagan_BroIntel_Intel_File_Hash[counters->brointel_file_hash_count].hash, value, sizeof(Sagan_BroIntel_Intel_File_Hash[counters->brointel_file_hash_count].hash)); counters->brointel_file_hash_count++; } } if (!strcmp(type, "Intel::URL") && found_flag == 0) { To_LowerC(value); found_flag = 1; found_flag_array = 0; for (i=0; i < counters->brointel_url_count; i++) { if (!strcmp(Sagan_BroIntel_Intel_URL[i].url, value)) { Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::URL '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1); counters->brointel_dups++; found_flag_array = 1; } } if ( found_flag_array == 0 ) { Sagan_BroIntel_Intel_URL = (_Sagan_BroIntel_Intel_URL *) realloc(Sagan_BroIntel_Intel_URL, (counters->brointel_url_count+1) * sizeof(_Sagan_BroIntel_Intel_URL)); if ( Sagan_BroIntel_Intel_URL == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_URL. Abort!", __FILE__, __LINE__); } strlcpy(Sagan_BroIntel_Intel_URL[counters->brointel_url_count].url, value, sizeof(Sagan_BroIntel_Intel_URL[counters->brointel_url_count].url)); counters->brointel_url_count++; } } if (!strcmp(type, "Intel::SOFTWARE") && found_flag == 0) { To_LowerC(value); found_flag = 1; found_flag_array = 0; for (i=0; i < counters->brointel_software_count++; i++) { if (!strcmp(Sagan_BroIntel_Intel_Software[i].software, value)) { Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::SOFTWARE '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1); counters->brointel_dups++; found_flag_array = 1; } } if ( found_flag_array == 0 ) { Sagan_BroIntel_Intel_Software = (_Sagan_BroIntel_Intel_Software *) realloc(Sagan_BroIntel_Intel_Software, (counters->brointel_software_count+1) * sizeof(_Sagan_BroIntel_Intel_Software)); if ( Sagan_BroIntel_Intel_Software == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Software. Abort!", __FILE__, __LINE__); } strlcpy(Sagan_BroIntel_Intel_Software[counters->brointel_software_count].software, value, sizeof(Sagan_BroIntel_Intel_Software[counters->brointel_software_count].software)); counters->brointel_software_count++; } } if (!strcmp(type, "Intel::EMAIL") && found_flag == 0) { To_LowerC(value); found_flag_array = 0; for (i=0; i < counters->brointel_email_count; i++) { if (!strcmp(Sagan_BroIntel_Intel_Email[i].email, value)) { Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::EMAIL '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1); counters->brointel_dups++; found_flag_array = 1; } } if ( found_flag_array == 0 ) { Sagan_BroIntel_Intel_Email = (_Sagan_BroIntel_Intel_Email *) realloc(Sagan_BroIntel_Intel_Email, (counters->brointel_email_count+1) * sizeof(_Sagan_BroIntel_Intel_Email)); if ( Sagan_BroIntel_Intel_Email == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Email. Abort!", __FILE__, __LINE__); } strlcpy(Sagan_BroIntel_Intel_Email[counters->brointel_email_count].email, value, sizeof(Sagan_BroIntel_Intel_Email[counters->brointel_email_count].email)); counters->brointel_email_count++; found_flag = 1; } } if (!strcmp(type, "Intel::USER_NAME") && found_flag == 0) { To_LowerC(value); found_flag = 1; found_flag_array = 0; for (i=0; i < counters->brointel_user_name_count; i++) { if (!strcmp(Sagan_BroIntel_Intel_User_Name[i].username, value)) { Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::USER_NAME '%s' in %s on line %.", __FILE__, __LINE__, value, brointel_filename, line_count + 1); counters->brointel_dups++; found_flag_array = 1; } } if ( found_flag_array == 0 ) { Sagan_BroIntel_Intel_User_Name = (_Sagan_BroIntel_Intel_User_Name *) realloc(Sagan_BroIntel_Intel_User_Name, (counters->brointel_user_name_count+1) * sizeof(_Sagan_BroIntel_Intel_User_Name)); if ( Sagan_BroIntel_Intel_User_Name == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_User_Name. Abort!", __FILE__, __LINE__); } strlcpy(Sagan_BroIntel_Intel_User_Name[counters->brointel_user_name_count].username, value, sizeof(Sagan_BroIntel_Intel_User_Name[counters->brointel_user_name_count].username)); counters->brointel_user_name_count++; } } if (!strcmp(type, "Intel::FILE_NAME") && found_flag == 0) { To_LowerC(value); found_flag = 1; found_flag_array = 0; for (i=0; i < counters->brointel_file_name_count; i++) { if (!strcmp(Sagan_BroIntel_Intel_File_Name[i].file_name, value)) { Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::FILE_NAME '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1); counters->brointel_dups++; found_flag_array = 1; } } if ( found_flag_array == 0 ) { Sagan_BroIntel_Intel_File_Name = (_Sagan_BroIntel_Intel_File_Name *) realloc(Sagan_BroIntel_Intel_File_Name, (counters->brointel_file_name_count+1) * sizeof(_Sagan_BroIntel_Intel_File_Name)); if ( Sagan_BroIntel_Intel_File_Name == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_File_Name. Abort!", __FILE__, __LINE__); } strlcpy(Sagan_BroIntel_Intel_File_Name[counters->brointel_file_name_count].file_name, value, sizeof(Sagan_BroIntel_Intel_File_Name[counters->brointel_file_name_count].file_name)); counters->brointel_file_name_count++; } } if (!strcmp(type, "Intel::CERT_HASH") && found_flag == 0) { To_LowerC(value); found_flag = 1; found_flag_array = 0; for (i=0; i < counters->brointel_cert_hash_count; i++) { if (!strcmp(Sagan_BroIntel_Intel_Cert_Hash[i].cert_hash, value)) { Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::CERT_HASH '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1); counters->brointel_dups++; found_flag_array = 1; } } if ( found_flag_array == 0 ) { Sagan_BroIntel_Intel_Cert_Hash = (_Sagan_BroIntel_Intel_Cert_Hash *) realloc(Sagan_BroIntel_Intel_Cert_Hash, (counters->brointel_cert_hash_count+1) * sizeof(_Sagan_BroIntel_Intel_Cert_Hash)); if ( Sagan_BroIntel_Intel_Cert_Hash == NULL ) { Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Cert_Hash. Abort!", __FILE__, __LINE__); } strlcpy(Sagan_BroIntel_Intel_Cert_Hash[counters->brointel_cert_hash_count].cert_hash, value, sizeof(Sagan_BroIntel_Intel_Cert_Hash[counters->brointel_cert_hash_count].cert_hash)); counters->brointel_cert_hash_count++; } } } line_count++; } fclose(brointel_file); brointel_filename = strtok_r(NULL, ",", &ptmp); line_count = 0; } }
void Sagan_Verify_Categories( char *categories, int rule_number, const char *ruleset, int linecount, unsigned char type ) { char tmp2[64]; char *tmptoken; char *saveptrrule; int i; sbool found; tmptoken = strtok_r(categories, "," , &saveptrrule); while ( tmptoken != NULL ) { strlcpy(tmp2, tmptoken, sizeof(tmp2)); Remove_Spaces(tmptoken); To_LowerC(tmptoken); found = 0; for ( i = 0; i < counters->bluedot_cat_count; i++ ) { if (!strcmp(SaganBluedotCatList[i].cat, tmptoken)) { found = 1; if ( type == BLUEDOT_LOOKUP_IP ) { if ( rulestruct[rule_number].bluedot_ip_cat_count <= BLUEDOT_MAX_CAT ) { rulestruct[rule_number].bluedot_ip_cats[rulestruct[rule_number].bluedot_ip_cat_count] = SaganBluedotCatList[i].cat_number; rulestruct[rule_number].bluedot_ip_cat_count++; } else { Sagan_Log(S_WARN, "[%s, line %d] To many Bluedot IP catagories detected in %s at line %d", __FILE__, __LINE__, ruleset, linecount); } } if ( type == BLUEDOT_LOOKUP_HASH ) { if ( rulestruct[rule_number].bluedot_hash_cat_count <= BLUEDOT_MAX_CAT ) { rulestruct[rule_number].bluedot_hash_cats[rulestruct[rule_number].bluedot_hash_cat_count] = SaganBluedotCatList[i].cat_number; rulestruct[rule_number].bluedot_hash_cat_count++; } else { Sagan_Log(S_WARN, "[%s, line %d] To many Bluedot hash catagories detected in %s at line %d", __FILE__, __LINE__, ruleset, linecount); } } if ( type == BLUEDOT_LOOKUP_URL ) { if ( rulestruct[rule_number].bluedot_url_cat_count <= BLUEDOT_MAX_CAT ) { rulestruct[rule_number].bluedot_url_cats[rulestruct[rule_number].bluedot_url_cat_count] = SaganBluedotCatList[i].cat_number; rulestruct[rule_number].bluedot_url_cat_count++; } else { Sagan_Log(S_WARN, "[%s, line %d] To many Bluedot URL catagories detected in %s at line %d", __FILE__, __LINE__, ruleset, linecount); } } } } if ( found == 0 ) { Sagan_Log(S_ERROR, "[%s, line %d] Unknown Bluedot category '%s' found in %s at line %d. Abort!", __FILE__, __LINE__, tmp2, ruleset, linecount); } tmptoken = strtok_r(NULL, "," , &saveptrrule); } }