void
RaProcessRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *ns)
{
struct ArgusRecordStruct *tns = NULL;
switch (ns->hdr.type & 0xF0) {
case ARGUS_MAR:
case ARGUS_EVENT: {
break;
}
case ARGUS_NETFLOW:
case ARGUS_FAR: {
if ((tns = ArgusCopyRecordStruct(ns)) == NULL)
ArgusLog (LOG_ERR, "RaProcessRecord: ArgusCopyRecordStruct(0x%x) error\n", ns);
ArgusAddToQueue (ArgusSorter->ArgusRecordQueue, &tns->qhdr, ARGUS_NOLOCK);
break;
}
}
}
void
RaParseComplete (int sig)
{
struct ArgusModeStruct *mode = NULL;
int i = 0, x = 0, nflag = ArgusParser->eNflag;
struct ArgusInput *file = ArgusParser->ArgusCurrentFile;
char buf[MAXSTRLEN];
int label;
if (sig >= 0) {
if (!(ArgusParser->RaParseCompleting++)) {
struct ArgusAggregatorStruct *agg = ArgusParser->ArgusAggregator;
ArgusParser->RaParseCompleting += sig;
if (ArgusParser->ArgusReplaceMode && file) {
if (!(ArgusParser->ArgusRandomSeed))
srandom(ArgusParser->ArgusRandomSeed);
srandom (ArgusParser->ArgusRealTime.tv_usec);
label = random() % 100000;
bzero(buf, sizeof(buf));
snprintf (buf, MAXSTRLEN, "%s.tmp%d", file->filename, label);
setArgusWfile(ArgusParser, buf, NULL);
}
while (agg != NULL) {
if (agg->queue->count) {
struct ArgusRecordStruct *argus;
if (!(ArgusSorter))
if ((ArgusSorter = ArgusNewSorter(ArgusParser)) == NULL)
ArgusLog (LOG_ERR, "RaParseComplete: ArgusNewSorter error %s", strerror(errno));
if ((mode = ArgusParser->ArgusMaskList) != NULL) {
while (mode) {
for (x = 0; x < MAX_SORT_ALG_TYPES; x++) {
if (!strncmp (ArgusSortKeyWords[x], mode->mode, strlen(ArgusSortKeyWords[x]))) {
ArgusSorter->ArgusSortAlgorithms[i++] = ArgusSortAlgorithmTable[x];
break;
}
}
mode = mode->nxt;
}
}
ArgusSortQueue (ArgusSorter, agg->queue);
argus = ArgusCopyRecordStruct((struct ArgusRecordStruct *) agg->queue->array[0]);
if (nflag == 0)
ArgusParser->eNflag = agg->queue->count;
else
ArgusParser->eNflag = nflag > agg->queue->count ? agg->queue->count : nflag;
for (i = 1; i < ArgusParser->eNflag; i++)
ArgusMergeRecords (agg, argus, (struct ArgusRecordStruct *)agg->queue->array[i]);
ArgusParser->ns = argus;
for (i = 0; i < ArgusParser->eNflag; i++) {
RaSendArgusRecord ((struct ArgusRecordStruct *) agg->queue->array[i]);
ArgusDeleteRecordStruct(ArgusParser, (struct ArgusRecordStruct *) agg->queue->array[i]);
}
ArgusDeleteRecordStruct(ArgusParser, ArgusParser->ns);
}
agg = agg->nxt;
}
if (ArgusParser->ArgusAggregator != NULL)
ArgusDeleteAggregator(ArgusParser, ArgusParser->ArgusAggregator);
if (ArgusParser->ArgusReplaceMode && file) {
if (ArgusParser->ArgusWfileList != NULL) {
struct ArgusWfileStruct *wfile = NULL;
if ((wfile = (void *)ArgusParser->ArgusWfileList->start) != NULL) {
fflush (wfile->fd);
rename (wfile->filename, file->filename);
fclose (wfile->fd);
wfile->fd = NULL;
}
ArgusDeleteList(ArgusParser->ArgusWfileList, ARGUS_WFILE_LIST);
ArgusParser->ArgusWfileList = NULL;
if (ArgusParser->Vflag)
ArgusLog(LOG_INFO, "file %s aggregated", file->filename);
}
}
#ifdef ARGUSDEBUG
ArgusDebug (2, "RaParseComplete(caught signal %d)\n", sig);
#endif
switch (sig) {
case SIGHUP:
case SIGINT:
case SIGTERM:
case SIGQUIT: {
struct ArgusWfileStruct *wfile = NULL;
ArgusShutDown(sig);
if (ArgusParser->ArgusWfileList != NULL) {
struct ArgusListObjectStruct *lobj = NULL;
int i, count = ArgusParser->ArgusWfileList->count;
if ((lobj = ArgusParser->ArgusWfileList->start) != NULL) {
for (i = 0; i < count; i++) {
if ((wfile = (struct ArgusWfileStruct *) lobj) != NULL) {
if (wfile->fd != NULL) {
#ifdef ARGUSDEBUG
ArgusDebug (2, "RaParseComplete: closing %s\n", wfile->filename);
#endif
fflush (wfile->fd);
fclose (wfile->fd);
wfile->fd = NULL;
}
}
lobj = lobj->nxt;
}
}
}
exit(0);
break;
}
}
}
}
ArgusParser->eNflag = nflag;
#ifdef ARGUSDEBUG
ArgusDebug (6, "RaParseComplete(%d) done", sig);
#endif
}
void
RaProcessThisRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *argus)
{
struct ArgusAggregatorStruct *agg = parser->ArgusAggregator;
struct ArgusHashStruct *hstruct = NULL;
int found = 0;
while (agg && !found) {
int retn = 0, fretn = -1, lretn = -1;
if (agg->filterstr) {
struct nff_insn *fcode = agg->filter.bf_insns;
fretn = ArgusFilterRecord (fcode, argus);
}
if (agg->labelstr) {
struct ArgusLabelStruct *label;
if (((label = (void *)argus->dsrs[ARGUS_LABEL_INDEX]) != NULL)) {
if (regexec(&agg->lpreg, label->l_un.label, 0, NULL, 0))
lretn = 0;
else
lretn = 1;
} else
lretn = 0;
}
retn = (lretn < 0) ? ((fretn < 0) ? 1 : fretn) : ((fretn < 0) ? lretn : (lretn && fretn));
if (retn != 0) {
struct ArgusRecordStruct *tns, *ns = ArgusCopyRecordStruct(argus);
if ((agg->rap = RaFlowModelOverRides(agg, ns)) == NULL)
agg->rap = agg->drap;
ArgusGenerateNewFlow(agg, ns);
if ((hstruct = ArgusGenerateHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));
if ((tns = ArgusFindRecord(agg->htable, hstruct)) == NULL) {
struct ArgusFlow *flow = (struct ArgusFlow *) ns->dsrs[ARGUS_FLOW_INDEX];
if (!parser->RaMonMode && parser->ArgusReverse) {
int tryreverse = 0;
if (flow != NULL) {
if (agg->correct != NULL)
tryreverse = 1;
switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
case ARGUS_TYPE_IPV4: {
switch (flow->ip_flow.ip_p) {
case IPPROTO_ESP:
tryreverse = 0;
break;
}
break;
}
case ARGUS_TYPE_IPV6: {
switch (flow->ipv6_flow.ip_p) {
case IPPROTO_ESP:
tryreverse = 0;
break;
}
break;
}
}
} else
tryreverse = 0;
if (tryreverse) {
if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));
if ((tns = ArgusFindRecord(agg->htable, hstruct)) == NULL) {
switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
case ARGUS_TYPE_IPV4: {
switch (flow->ip_flow.ip_p) {
case IPPROTO_ICMP: {
struct ArgusICMPFlow *icmpFlow = &flow->flow_un.icmp;
if (ICMP_INFOTYPE(icmpFlow->type)) {
switch (icmpFlow->type) {
case ICMP_ECHO:
case ICMP_ECHOREPLY:
icmpFlow->type = (icmpFlow->type == ICMP_ECHO) ? ICMP_ECHOREPLY : ICMP_ECHO;
if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
tns = ArgusFindRecord(agg->htable, hstruct);
icmpFlow->type = (icmpFlow->type == ICMP_ECHO) ? ICMP_ECHOREPLY : ICMP_ECHO;
if (tns)
ArgusReverseRecord (ns);
break;
case ICMP_ROUTERADVERT:
case ICMP_ROUTERSOLICIT:
icmpFlow->type = (icmpFlow->type == ICMP_ROUTERADVERT) ? ICMP_ROUTERSOLICIT : ICMP_ROUTERADVERT;
if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
tns = ArgusFindRecord(agg->htable, hstruct);
icmpFlow->type = (icmpFlow->type == ICMP_ROUTERADVERT) ? ICMP_ROUTERSOLICIT : ICMP_ROUTERADVERT;
if (tns)
ArgusReverseRecord (ns);
break;
case ICMP_TSTAMP:
case ICMP_TSTAMPREPLY:
icmpFlow->type = (icmpFlow->type == ICMP_TSTAMP) ? ICMP_TSTAMPREPLY : ICMP_TSTAMP;
if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
tns = ArgusFindRecord(agg->htable, hstruct);
icmpFlow->type = (icmpFlow->type == ICMP_TSTAMP) ? ICMP_TSTAMPREPLY : ICMP_TSTAMP;
if (tns)
ArgusReverseRecord (ns);
break;
case ICMP_IREQ:
case ICMP_IREQREPLY:
icmpFlow->type = (icmpFlow->type == ICMP_IREQ) ? ICMP_IREQREPLY : ICMP_IREQ;
if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
tns = ArgusFindRecord(agg->htable, hstruct);
icmpFlow->type = (icmpFlow->type == ICMP_IREQ) ? ICMP_IREQREPLY : ICMP_IREQ;
if (tns)
ArgusReverseRecord (ns);
break;
case ICMP_MASKREQ:
case ICMP_MASKREPLY:
icmpFlow->type = (icmpFlow->type == ICMP_MASKREQ) ? ICMP_MASKREPLY : ICMP_MASKREQ;
if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
tns = ArgusFindRecord(agg->htable, hstruct);
icmpFlow->type = (icmpFlow->type == ICMP_MASKREQ) ? ICMP_MASKREPLY : ICMP_MASKREQ;
if (tns)
ArgusReverseRecord (ns);
break;
}
}
break;
}
}
}
}
if ((hstruct = ArgusGenerateHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));
} else {
switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
case ARGUS_TYPE_IPV4: {
switch (flow->ip_flow.ip_p) {
case IPPROTO_TCP: {
struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)ns->dsrs[ARGUS_NETWORK_INDEX];
if (tcp != NULL) {
struct ArgusTCPObject *ttcp = (struct ArgusTCPObject *)tns->dsrs[ARGUS_NETWORK_INDEX];
if (ttcp != NULL) {
if ((tcp->status & ARGUS_SAW_SYN) && !(ttcp->status & ARGUS_SAW_SYN)) {
ArgusReverseRecord (tns);
} else
ArgusReverseRecord (ns);
} else
ArgusReverseRecord (ns);
} else
ArgusReverseRecord (ns);
break;
}
default:
ArgusReverseRecord (ns);
break;
}
}
break;
case ARGUS_TYPE_IPV6: {
switch (flow->ipv6_flow.ip_p) {
case IPPROTO_TCP: {
struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)ns->dsrs[ARGUS_NETWORK_INDEX];
if (tcp != NULL) {
struct ArgusTCPObject *ttcp = (struct ArgusTCPObject *)tns->dsrs[ARGUS_NETWORK_INDEX];
if (ttcp != NULL) {
if ((tcp->status & ARGUS_SAW_SYN) && !(ttcp->status & ARGUS_SAW_SYN)) {
ArgusReverseRecord (tns);
} else
ArgusReverseRecord (ns);
} else
ArgusReverseRecord (ns);
} else
ArgusReverseRecord (ns);
break;
}
default:
ArgusReverseRecord (ns);
break;
}
}
break;
default:
ArgusReverseRecord (ns);
}
}
}
}
}
if (tns != NULL) {
if (parser->Aflag) {
if ((tns->status & RA_SVCTEST) != (ns->status & RA_SVCTEST)) {
RaSendArgusRecord(tns);
tns->status &= ~(RA_SVCTEST);
tns->status |= (ns->status & RA_SVCTEST);
}
}
if (tns->status & ARGUS_RECORD_WRITTEN) {
ArgusZeroRecord (tns);
} else {
if (agg->statusint || agg->idleint) {
double dur, nsst, tnsst, nslt, tnslt;
nsst = ArgusFetchStartTime(ns);
tnsst = ArgusFetchStartTime(tns);
nslt = ArgusFetchLastTime(ns);
tnslt = ArgusFetchLastTime(tns);
dur = ((tnslt > nslt) ? tnslt : nslt) - ((nsst < tnsst) ? nsst : tnsst);
if (agg->statusint && (dur >= agg->statusint)) {
RaSendArgusRecord(tns);
ArgusZeroRecord(tns);
} else {
dur = ((nslt < tnsst) ? (tnsst - nslt) : ((tnslt < nsst) ? (nsst - tnslt) : 0.0));
if (agg->idleint && (dur >= agg->idleint)) {
RaSendArgusRecord(tns);
ArgusZeroRecord(tns);
}
}
}
}
ArgusMergeRecords (agg, tns, ns);
ArgusRemoveFromQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
ArgusAddToQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
ArgusDeleteRecordStruct(parser, ns);
agg->status |= ARGUS_AGGREGATOR_DIRTY;
} else {
tns = ns;
tns->htblhdr = ArgusAddHashEntry (agg->htable, tns, hstruct);
ArgusAddToQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
agg->status |= ARGUS_AGGREGATOR_DIRTY;
}
if (agg->cont)
agg = agg->nxt;
else
found++;
} else
agg = agg->nxt;
}
}
void
RaProcessRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *ns)
{
switch (ns->hdr.type & 0xF0) {
case ARGUS_MAR:
case ARGUS_EVENT: {
break;
}
case ARGUS_NETFLOW:
case ARGUS_FAR: {
struct ArgusFlow *flow = (struct ArgusFlow *) ns->dsrs[ARGUS_FLOW_INDEX];
if (parser->Vflag || parser->Aflag) {
ArgusProcessServiceAvailability(parser, ns);
if (parser->xflag) {
if ((parser->vflag && (ns->status & RA_SVCPASSED)) ||
(!parser->vflag && (ns->status & RA_SVCFAILED))) {
#ifdef ARGUSDEBUG
ArgusDebug (3, "RaProcessRecord (0x%x, 0x%x) service test failed", parser, ns);
#endif
return;
}
}
}
if (parser->RaMonMode && (flow != NULL)) {
struct ArgusRecordStruct *tns = ArgusCopyRecordStruct(ns);
struct ArgusFlow *flow;
if ((flow = (void *)ns->dsrs[ARGUS_FLOW_INDEX]) != NULL) {
flow->hdr.subtype &= ~ARGUS_REVERSE;
flow->hdr.argus_dsrvl8.qual &= ~ARGUS_DIRECTION;
}
RaProcessThisRecord(parser, ns);
ArgusReverseRecord(tns);
if ((flow = (void *)tns->dsrs[ARGUS_FLOW_INDEX]) != NULL) {
flow->hdr.subtype &= ~ARGUS_REVERSE;
flow->hdr.argus_dsrvl8.qual &= ~ARGUS_DIRECTION;
}
RaProcessThisRecord(parser, tns);
ArgusDeleteRecordStruct(parser, tns);
} else {
struct ArgusAggregatorStruct *agg = parser->ArgusAggregator;
if (flow && agg && agg->ArgusMatrixMode) {
if (agg->mask & ((0x01LL << ARGUS_MASK_SADDR) | (0x01LL << ARGUS_MASK_DADDR))) {
switch (flow->hdr.subtype & 0x3F) {
case ARGUS_FLOW_LAYER_3_MATRIX:
case ARGUS_FLOW_CLASSIC5TUPLE: {
switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
case ARGUS_TYPE_IPV4: {
if (flow->ip_flow.ip_src > flow->ip_flow.ip_dst)
ArgusReverseRecord(ns);
}
break;
case ARGUS_TYPE_IPV6: {
int i;
for (i = 0; i < 4; i++) {
if (flow->ipv6_flow.ip_src[i] < flow->ipv6_flow.ip_dst[i])
break;
if (flow->ipv6_flow.ip_src[i] > flow->ipv6_flow.ip_dst[i]) {
ArgusReverseRecord(ns);
break;
}
}
}
break;
}
break;
}
default:
break;
}
} else
if (agg->mask & ((0x01LL << ARGUS_MASK_SMAC) | (0x01LL << ARGUS_MASK_DMAC))) {
struct ArgusMacStruct *m1 = NULL;
if ((m1 = (struct ArgusMacStruct *) ns->dsrs[ARGUS_MAC_INDEX]) != NULL) {
switch (m1->hdr.subtype) {
case ARGUS_TYPE_ETHER: {
struct ether_header *e1 = &m1->mac.mac_union.ether.ehdr;
int i;
for (i = 0; i < 6; i++) {
#if defined(HAVE_SOLARIS)
if (e1->ether_shost.ether_addr_octet[i] < e1->ether_dhost.ether_addr_octet[i])
break;
if (e1->ether_shost.ether_addr_octet[i] > e1->ether_dhost.ether_addr_octet[i]) {
ArgusReverseRecord(ns);
break;
}
#else
if (e1->ether_shost[i] < e1->ether_dhost[i])
break;
if (e1->ether_shost[i] > e1->ether_dhost[i]) {
ArgusReverseRecord(ns);
break;
}
#endif
}
break;
}
}
}
}
}
RaProcessThisRecord(parser, ns);
}
break;
}
}
}
