/** char *el_vista_getmessage() * Returns a descriptive message of the event - Vista only. */ char *el_vista_getMessage(int evt_id_int, LPTSTR *el_sstring) { DWORD fm_flags = 0; LPSTR message = NULL; char *desc_string; char evt_id[16]; /* Flags for format event */ fm_flags |= FORMAT_MESSAGE_FROM_STRING; fm_flags |= FORMAT_MESSAGE_ALLOCATE_BUFFER; fm_flags |= FORMAT_MESSAGE_ARGUMENT_ARRAY; /* Getting descriptive message. */ evt_id[15] = '\0'; snprintf(evt_id, 15, "%d", evt_id_int); desc_string = OSHash_Get(vista_sec_id_hash, evt_id); if(!desc_string) { return(NULL); } if(!FormatMessage(fm_flags, desc_string, 0, 0, (LPTSTR) &message, 0, el_sstring)) { return(NULL); } return(message); }
/* Returns the event */ char *el_getEventDLL(char *evt_name, char *source, char *event) { char *ret_str; HKEY key; DWORD ret; char keyname[512]; keyname[511] = '\0'; snprintf(keyname, 510, "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s", evt_name, source); /* Check if we have it in memory */ ret_str = OSHash_Get(dll_hash, keyname + 42); if (ret_str) { return (ret_str); } /* Open Registry */ if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, keyname, 0, KEY_ALL_ACCESS, &key) != ERROR_SUCCESS) { return (NULL); } ret = MAX_PATH - 1; if (RegQueryValueEx(key, "EventMessageFile", NULL, NULL, (LPBYTE)event, &ret) != ERROR_SUCCESS) { event[0] = '\0'; RegCloseKey(key); return (NULL); } else { /* Adding to memory */ char *skey; char *sval; skey = strdup(keyname + 42); sval = strdup(event); if (skey && sval) { OSHash_Add(dll_hash, skey, sval); } else { merror(MEM_ERROR, ARGV0, errno, strerror(errno)); } } RegCloseKey(key); return (event); }
int OS_IsAllowedID(keystore *keys, const char *id) { keyentry *entry; if (id == NULL) { return (-1); } entry = (keyentry *) OSHash_Get(keys->keyhash_id, id); if (entry) { return ((int)entry->keyid); } return (-1); }
/* Check if an IP address is allowed to connect */ int OS_IsAllowedIP(keystore *keys, const char *srcip) { keyentry *entry; if (srcip == NULL) { return (-1); } entry = (keyentry *) OSHash_Get(keys->keyhash_ip, srcip); if (entry) { return ((int)entry->keyid); } return (-1); }
/* Used for dynamic IP addresses */ int OS_IsAllowedDynamicID(keystore *keys, const char *id, const char *srcip) { keyentry *entry; if (id == NULL) { return (-1); } entry = (keyentry *) OSHash_Get(keys->keyhash_id, id); if (entry) { if (OS_IPFound(srcip, entry->ip)) { return ((int)entry->keyid); } } return (-1); }
/* Read and generate the integrity data of a file */ static int read_file(const char *file_name, int opts, OSMatch *restriction) { char *buf; char sha1s = '+'; struct stat statbuf; /* Check if the file should be ignored */ if (syscheck.ignore) { int i = 0; while (syscheck.ignore[i] != NULL) { if (strncasecmp(syscheck.ignore[i], file_name, strlen(syscheck.ignore[i])) == 0) { return (0); } i++; } } /* Check in the regex entry */ if (syscheck.ignore_regex) { int i = 0; while (syscheck.ignore_regex[i] != NULL) { if (OSMatch_Execute(file_name, strlen(file_name), syscheck.ignore_regex[i])) { return (0); } i++; } } #ifdef WIN32 /* Win32 does not have lstat */ if (stat(file_name, &statbuf) < 0) #else if (lstat(file_name, &statbuf) < 0) #endif { if(errno == ENOTDIR){ /*Deletion message sending*/ char alert_msg[PATH_MAX+4]; alert_msg[PATH_MAX + 3] = '\0'; snprintf(alert_msg, PATH_MAX + 4, "-1 %s", file_name); send_syscheck_msg(alert_msg); return (0); }else{ merror("%s: Error accessing '%s'.", ARGV0, file_name); return (-1); } } if (S_ISDIR(statbuf.st_mode)) { #ifdef DEBUG verbose("%s: Reading dir: %s\n", ARGV0, file_name); #endif #ifdef WIN32 /* Directory links are not supported */ if (GetFileAttributes(file_name) & FILE_ATTRIBUTE_REPARSE_POINT) { merror("%s: WARN: Links are not supported: '%s'", ARGV0, file_name); return (-1); } #endif return (read_dir(file_name, opts, restriction)); } /* Restrict file types */ if (restriction) { if (!OSMatch_Execute(file_name, strlen(file_name), restriction)) { return (0); } } /* No S_ISLNK on Windows */ #ifdef WIN32 if (S_ISREG(statbuf.st_mode)) #else if (S_ISREG(statbuf.st_mode) || S_ISLNK(statbuf.st_mode)) #endif { os_md5 mf_sum; os_sha1 sf_sum; os_sha1 sf_sum2; os_sha1 sf_sum3; /* Clean sums */ strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); strncpy(sf_sum2, "xxx", 4); strncpy(sf_sum3, "xxx", 4); /* Generate checksums */ if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM)) { /* If it is a link, check if dest is valid */ #ifndef WIN32 if (S_ISLNK(statbuf.st_mode)) { struct stat statbuf_lnk; if (stat(file_name, &statbuf_lnk) == 0) { if (S_ISREG(statbuf_lnk.st_mode)) { if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) { strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); } } } } else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) #else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) #endif { strncpy(mf_sum, "xxx", 4); strncpy(sf_sum, "xxx", 4); } if (opts & CHECK_SEECHANGES) { sha1s = 's'; } } else { if (opts & CHECK_SEECHANGES) { sha1s = 'n'; } else { sha1s = '-'; } } buf = (char *) OSHash_Get(syscheck.fp, file_name); if (!buf) { char alert_msg[916 + 1]; /* to accommodate a long */ alert_msg[916] = '\0'; if (opts & CHECK_SEECHANGES) { char *alertdump = seechanges_addfile(file_name); if (alertdump) { free(alertdump); alertdump = NULL; } } snprintf(alert_msg, 916, "%c%c%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s:%s:%s:%ld:%ld", opts & CHECK_SIZE ? '+' : '-', opts & CHECK_PERM ? '+' : '-', opts & CHECK_OWNER ? '+' : '-', opts & CHECK_GROUP ? '+' : '-', opts & CHECK_MD5SUM ? '+' : '-', sha1s, opts & CHECK_MTIME ? '+' : '-', opts & CHECK_INODE ? '+' : '-', opts & CHECK_SIZE ? (long)statbuf.st_size : 0, opts & CHECK_PERM ? (int)statbuf.st_mode : 0, opts & CHECK_OWNER ? (int)statbuf.st_uid : 0, opts & CHECK_GROUP ? (int)statbuf.st_gid : 0, opts & CHECK_MD5SUM ? mf_sum : "xxx", opts & CHECK_SHA1SUM ? sf_sum : "xxx", opts & CHECK_OWNER ? get_user(file_name, statbuf.st_uid) : "", opts & CHECK_GROUP ? get_group(statbuf.st_gid) : "", opts & CHECK_MTIME ? (long)statbuf.st_mtime : 0, opts & CHECK_INODE ? (long)statbuf.st_ino : 0); if (OSHash_Add(syscheck.fp, file_name, strdup(alert_msg)) <= 0) { merror("%s: ERROR: Unable to add file to db: %s", ARGV0, file_name); } /* Send the new checksum to the analysis server */ alert_msg[916] = '\0'; snprintf(alert_msg, 916, "%ld:%d:%d:%d:%s:%s:%s:%s:%ld:%ld %s", opts & CHECK_SIZE ? (long)statbuf.st_size : 0, opts & CHECK_PERM ? (int)statbuf.st_mode : 0, opts & CHECK_OWNER ? (int)statbuf.st_uid : 0, opts & CHECK_GROUP ? (int)statbuf.st_gid : 0, opts & CHECK_MD5SUM ? mf_sum : "xxx", opts & CHECK_SHA1SUM ? sf_sum : "xxx", opts & CHECK_OWNER ? get_user(file_name, statbuf.st_uid) : "", opts & CHECK_GROUP ? get_group(statbuf.st_gid) : "", opts & CHECK_MTIME ? (long)statbuf.st_mtime : 0, opts & CHECK_INODE ? (long)statbuf.st_ino : 0, file_name); send_syscheck_msg(alert_msg); } else { char alert_msg[OS_MAXSTR + 1]; char c_sum[256 + 2]; c_sum[0] = '\0'; c_sum[256] = '\0'; alert_msg[0] = '\0'; alert_msg[OS_MAXSTR] = '\0'; /* If it returns < 0, we have already alerted */ if (c_read_file(file_name, buf, c_sum) < 0) { return (0); } if (strcmp(c_sum, buf + 6) != 0) { /* Send the new checksum to the analysis server */ alert_msg[OS_MAXSTR] = '\0'; char *fullalert = NULL; if (buf[5] == 's' || buf[5] == 'n') { fullalert = seechanges_addfile(file_name); if (fullalert) { snprintf(alert_msg, OS_MAXSTR, "%s %s\n%s", c_sum, file_name, fullalert); free(fullalert); fullalert = NULL; } else { snprintf(alert_msg, 916, "%s %s", c_sum, file_name); } } else { snprintf(alert_msg, 916, "%s %s", c_sum, file_name); } send_syscheck_msg(alert_msg); } } /* Sleep here too */ if (__counter >= (syscheck.sleep_after)) { sleep(syscheck.tsleep); __counter = 0; } __counter++; #ifdef DEBUG verbose("%s: file '%s %s'", ARGV0, file_name, mf_sum); #endif } else { #ifdef DEBUG verbose("%s: *** IRREG file: '%s'\n", ARGV0, file_name); #endif } return (0); }
/* OSSECAlert decoder * Will extract the rule_id and point back to the original rule. * Will also extract srcip and username if available. * Examples: * */ void *OSSECAlert_Decoder_Exec(Eventinfo *lf) { char *oa_id = 0; char *oa_location; char *oa_val; char oa_newlocation[256]; char *tmp_str = NULL; void *rule_pointer; lf->decoder_info->type = OSSEC_ALERT; /* Checking the alert level. */ if(strncmp("Alert Level: ", lf->log, 12) != 0 && strncmp("ossec: Alert Level:", lf->log, 18) != 0) { return(NULL); } /* Going past the level. */ oa_strchr(lf->log, ';', tmp_str); tmp_str++; /* Getting rule id. */ oa_strchr(tmp_str, ':', tmp_str); tmp_str++; if(*tmp_str != ' ') { return(NULL); } tmp_str++; /* Getting id. */ oa_id = tmp_str; oa_strchr(tmp_str, ' ', tmp_str); *tmp_str = '\0'; /* Getting rule structure. */ rule_pointer = OSHash_Get(Config.g_rules_hash, oa_id); if(!rule_pointer) { merror("%s: WARN: Rule id '%s' not found internally.", ARGV0, oa_id); *tmp_str = ' '; return(NULL); } *tmp_str = ' '; oa_strchr(tmp_str, ';', tmp_str); tmp_str++; /* Checking location. */ if(strncmp(" Location: ", tmp_str, 11) != 0) { return(NULL); } tmp_str+=11; /* Setting location; */ oa_location = tmp_str; oa_strchr(tmp_str, ';', tmp_str); *tmp_str = '\0'; /* Setting new location. */ oa_newlocation[255] = '\0'; if(lf->hostname == lf->location) { snprintf(oa_newlocation, 255, "%s|%s", lf->location, oa_location); free(lf->location); os_strdup(oa_newlocation, lf->location); lf->hostname = lf->location; } else { snprintf(oa_newlocation, 255, "%s->%s|%s", lf->hostname, lf->location, oa_location); free(lf->location); os_strdup(oa_newlocation, lf->location); lf->hostname = lf->location; } *tmp_str = ';'; tmp_str++; /* Getting additional fields. */ while((*tmp_str == ' ') && (tmp_str[1] != ' ')) { tmp_str++; oa_val = tmp_str; tmp_str = strchr(tmp_str, ';'); if(!tmp_str) { return(NULL); } *tmp_str = '\0'; if(strncmp(oa_val, "srcip: ", 7) == 0) { os_strdup(oa_val + 7, lf->srcip); } if(strncmp(oa_val, "user: ", 6) == 0) { os_strdup(oa_val + 6, lf->dstuser); } *tmp_str = ';'; tmp_str++; } /* Removing space. */ while(*tmp_str == ' ') tmp_str++; /* Creating new full log. */ free(lf->full_log); os_strdup(tmp_str, lf->full_log); lf->log = lf->full_log; /* Rule that generated. */ lf->generated_rule = rule_pointer; return(NULL); }
/* Insert alert into to the db * Returns 1 on success or 0 on error */ int OS_Alert_InsertDB(const alert_data *al_data, DBConfig *db_config) { int i; unsigned int s_ip = 0, d_ip = 0, location_id = 0; unsigned short s_port = 0, d_port = 0; int *loc_id; char sql_query[OS_SIZE_8192 + 1]; char *fulllog = NULL; /* Clear the memory before insert */ sql_query[0] = '\0'; sql_query[OS_SIZE_8192] = '\0'; /* Converting srcip to int */ if(al_data->srcip) { struct in_addr net; /* Extracting ip address */ if(inet_aton(al_data->srcip, &net)) { s_ip = net.s_addr; } } /* Converting dstip to int */ if(al_data->dstip) { struct in_addr net; /* Extracting ip address */ if(inet_aton(al_data->dstip, &net)) { d_ip = net.s_addr; } } /* Source Port */ s_port = al_data->srcport; /* Destination Port */ d_port = al_data->dstport; /* Escape strings */ osdb_escapestr(al_data->user); osdb_escapestr(al_data->location); /* We first need to insert the location */ loc_id = (int *) OSHash_Get(db_config->location_hash, al_data->location); /* If we dont have location id, we must select and/or insert in the db */ if (!loc_id) { location_id = __DBSelectLocation(al_data->location, db_config); if (location_id == 0) { /* Insert it */ __DBInsertLocation(al_data->location, db_config); location_id = __DBSelectLocation(al_data->location, db_config); } if (!location_id) { merror("%s: Unable to insert location: '%s'.", ARGV0, al_data->location); return (0); } /* Add to hash */ os_calloc(1, sizeof(int), loc_id); *loc_id = location_id; OSHash_Add(db_config->location_hash, al_data->location, loc_id); } i = 0; while (al_data->log[i]) { size_t len = strlen(al_data->log[i]); char templog[len + 2]; if (al_data->log[i + 1]) { snprintf(templog, len + 2, "%s\n", al_data->log[i]); } else { snprintf(templog, len + 1, "%s", al_data->log[i]); } fulllog = os_LoadString(fulllog, templog); i++; } if (fulllog == NULL) { merror("%s: Unable to process log.", ARGV0); return (0); } osdb_escapestr(fulllog); if (strlen(fulllog) > 7456) { fulllog[7454] = '.'; fulllog[7455] = '.'; fulllog[7456] = '\0'; } /* Generate final SQL */ switch (db_config->db_type) { case MYSQLDB: snprintf(sql_query, OS_SIZE_8192, "INSERT INTO " "alert(server_id,rule_id,level,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid,user,full_log,tld) " "VALUES ('%u', '%u','%u','%u', '%u', '%lu', '%u', '%lu', '%u', '%s', '%s', '%s','%.2s')", db_config->server_id, al_data->rule, al_data->level, (unsigned int)time(0), *loc_id, (unsigned long)ntohl(s_ip), (unsigned short)s_port, (unsigned long)ntohl(d_ip), (unsigned short)d_port, al_data->alertid, al_data->user, fulllog, al_data->srcgeoip); break; case POSTGDB: snprintf(sql_query, OS_SIZE_8192, "INSERT INTO " "alert(server_id,rule_id,level,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid,\"user\",full_log) " "VALUES ('%u', '%u','%u','%u', '%u', '%s', '%u', '%s', '%u', '%s', '%s', '%s')", db_config->server_id, al_data->rule, al_data->level, (unsigned int)time(0), *loc_id, al_data->srcip, (unsigned short)s_port, al_data->dstip, (unsigned short)d_port, al_data->alertid, al_data->user, fulllog); break; } free(fulllog); fulllog = NULL; /* Insert into the db */ if (!osdb_query_insert(db_config->conn, sql_query)) { merror(DB_GENERROR, ARGV0); } db_config->alert_id++; return (1); }
/** void ExecdStart(int q) v0.2 * Main function on the execd. Does all the data receiving ,etc. */ static void ExecdStart(int q) { int i, childcount = 0; time_t curr_time; char buffer[OS_MAXSTR + 1]; char *tmp_msg = NULL; char *name; char *command; char *cmd_args[MAX_ARGS +2]; /* Select */ fd_set fdset; struct timeval socket_timeout; /* Clearing the buffer */ memset(buffer, '\0', OS_MAXSTR +1); /* Initializing the cmd arguments */ for(i = 0; i<= MAX_ARGS +1; i++) { cmd_args[i] = NULL; } /* Creating list for timeout */ timeout_list = OSList_Create(); if(!timeout_list) { ErrorExit(LIST_ERROR, ARGV0); } if(repeated_offenders_timeout[0] != 0) { repeated_hash = OSHash_Create(); } else { repeated_hash = NULL; } /* Main loop. */ while(1) { int timeout_value; int added_before = 0; char **timeout_args; timeout_data *timeout_entry; /* Cleaning up any child. */ while (childcount) { int wp; wp = waitpid((pid_t) -1, NULL, WNOHANG); if (wp < 0) { merror(WAITPID_ERROR, ARGV0, errno, strerror(errno)); break; } /* if = 0, we still need to wait for the child process */ else if (wp == 0) { break; } /* Child completed if wp > 0 */ else { childcount--; } } /* Getting currently time */ curr_time = time(0); /* Checking if there is any timeouted command to execute. */ timeout_node = OSList_GetFirstNode(timeout_list); while(timeout_node) { timeout_data *list_entry; list_entry = (timeout_data *)timeout_node->data; /* Timeouted */ if((curr_time - list_entry->time_of_addition) > list_entry->time_to_block) { ExecCmd(list_entry->command); /* Deletecurrently node already sets the pointer to next */ OSList_DeleteCurrentlyNode(timeout_list); timeout_node = OSList_GetCurrentlyNode(timeout_list); /* Clearing the memory */ FreeTimeoutEntry(list_entry); childcount++; } else { timeout_node = OSList_GetNextNode(timeout_list); } } /* Setting timeout to EXECD_TIMEOUT */ socket_timeout.tv_sec = EXECD_TIMEOUT; socket_timeout.tv_usec= 0; /* Setting FD values */ FD_ZERO(&fdset); FD_SET(q, &fdset); /* Adding timeout */ if(select(q+1, &fdset, NULL, NULL, &socket_timeout) == 0) { /* Timeout .. */ continue; } /* Checking for error */ if(!FD_ISSET(q, &fdset)) { merror(SELECT_ERROR, ARGV0, errno, strerror(errno)); continue; } /* Receiving the message */ if(OS_RecvUnix(q, OS_MAXSTR, buffer) == 0) { merror(QUEUE_ERROR, ARGV0, EXECQUEUEPATH, strerror(errno)); continue; } /* Currently time */ curr_time = time(0); /* Getting application name */ name = buffer; /* Zeroing the name */ tmp_msg = strchr(buffer, ' '); if(!tmp_msg) { merror(EXECD_INV_MSG, ARGV0, buffer); continue; } *tmp_msg = '\0'; tmp_msg++; /* Getting the command to execute (valid name) */ command = GetCommandbyName(name, &timeout_value); if(!command) { ReadExecConfig(); command = GetCommandbyName(name, &timeout_value); if(!command) { merror(EXEC_INV_NAME, ARGV0, name); continue; } } /* Command not present. */ if(command[0] == '\0') continue; /* Allocating memory for the timeout argument */ os_calloc(MAX_ARGS+2, sizeof(char *), timeout_args); /* Adding initial variables to the cmd_arg and to the timeout cmd */ cmd_args[0] = command; cmd_args[1] = ADD_ENTRY; os_strdup(command, timeout_args[0]); os_strdup(DELETE_ENTRY, timeout_args[1]); cmd_args[2] = NULL; timeout_args[2] = NULL; /* Getting the arguments. */ i = 2; while(i < (MAX_ARGS -1)) { cmd_args[i] = tmp_msg; cmd_args[i+1] = NULL; tmp_msg = strchr(tmp_msg, ' '); if(!tmp_msg) { timeout_args[i] = strdup(cmd_args[i]); timeout_args[i+1] = NULL; break; } *tmp_msg = '\0'; tmp_msg++; timeout_args[i] = strdup(cmd_args[i]); timeout_args[i+1] = NULL; i++; } /* Check this command was already executed. */ timeout_node = OSList_GetFirstNode(timeout_list); added_before = 0; /* Checking for the username and ip argument */ if(!timeout_args[2] || !timeout_args[3]) { added_before = 1; merror("%s: Invalid number of arguments.", ARGV0); } while(timeout_node) { timeout_data *list_entry; list_entry = (timeout_data *)timeout_node->data; if((strcmp(list_entry->command[3], timeout_args[3]) == 0) && (strcmp(list_entry->command[0], timeout_args[0]) == 0)) { /* Means we executed this command before * and we don't need to add it again. */ added_before = 1; /* updating the timeout */ list_entry->time_of_addition = curr_time; if(repeated_offenders_timeout[0] != 0 && repeated_hash != NULL && strncmp(timeout_args[3],"-", 1) != 0) { char *ntimes = NULL; char rkey[256]; rkey[255] = '\0'; snprintf(rkey, 255, "%s%s", list_entry->command[0], timeout_args[3]); if((ntimes = (char *) OSHash_Get(repeated_hash, rkey))) { int ntimes_int = 0; int i2 = 0; int new_timeout = 0; ntimes_int = atoi(ntimes); while(repeated_offenders_timeout[i2] != 0) { i2++; } if(ntimes_int >= i2) { new_timeout = repeated_offenders_timeout[i2 - 1]*60; } else { free(ntimes); // In hash_op.c, data belongs to caller os_calloc(10, sizeof(char), ntimes); new_timeout = repeated_offenders_timeout[ntimes_int]*60; ntimes_int++; snprintf(ntimes, 9, "%d", ntimes_int); OSHash_Update(repeated_hash,rkey,ntimes); } list_entry->time_to_block = new_timeout; } } break; } /* Continue with the next entry in timeout list*/ timeout_node = OSList_GetNextNode(timeout_list); } /* If it wasn't added before, do it now */ if(!added_before) { /* executing command */ ExecCmd(cmd_args); /* We don't need to add to the list if the timeout_value == 0 */ if(timeout_value) { char *ntimes; char rkey[256]; rkey[255] = '\0'; snprintf(rkey, 255, "%s%s", timeout_args[0], timeout_args[3]); if(repeated_hash != NULL) { if((ntimes = (char *) OSHash_Get(repeated_hash, rkey))) { int ntimes_int = 0; int i2 = 0; int new_timeout = 0; ntimes_int = atoi(ntimes); while(repeated_offenders_timeout[i2] != 0) { i2++; } if(ntimes_int >= i2) { new_timeout = repeated_offenders_timeout[i2 - 1]*60; } else { os_calloc(10, sizeof(char), ntimes); new_timeout = repeated_offenders_timeout[ntimes_int]*60; ntimes_int++; snprintf(ntimes, 9, "%d", ntimes_int); OSHash_Update(repeated_hash, rkey, ntimes); } timeout_value = new_timeout; } else { /* Adding to the repeated offenders list. */ OSHash_Add(repeated_hash, rkey, strdup("0")); } } /* Creating the timeout entry */ os_calloc(1, sizeof(timeout_data), timeout_entry); timeout_entry->command = timeout_args; timeout_entry->time_of_addition = curr_time; timeout_entry->time_to_block = timeout_value; /* Adding command to the timeout list */ if(!OSList_AddData(timeout_list, timeout_entry)) { merror(LIST_ADD_ERROR, ARGV0); FreeTimeoutEntry(timeout_entry); } } /* If no timeout, we still need to free it in here */ else { char **ss_ta = timeout_args; while(*timeout_args) { os_free(*timeout_args); *timeout_args = NULL; timeout_args++; } os_free(ss_ta); } childcount++; } /* We didn't add it to the timeout list */ else { char **ss_ta = timeout_args; /* Clear the timeout arguments */ while(*timeout_args) { os_free(*timeout_args); *timeout_args = NULL; timeout_args++; } os_free(ss_ta); } /* Some cleanup */ while(i > 0) { cmd_args[i] = NULL; i--; } } }
/* Accumulate v0.1 * Accumulate data from events sharing the same id */ Eventinfo* Accumulate(Eventinfo *lf) { // Declare our variables int result; int do_update = 0; char _key[OS_ACM_MAXKEY]; OS_ACM_Store *stored_data = 0; // Timing Variables int current_ts; struct timeval tp; // Check to make sure lf is valid if ( lf == NULL ) { debug1("accumulator: DEBUG: Received NULL EventInfo"); return lf; } // We need an ID to use the accumulator if( lf->id == NULL ) { debug2("accumulator: DEBUG: No id available"); return lf; } if( lf->decoder_info == NULL ) { debug1("accumulator: DEBUG: No decoder_info available"); return lf; } if( lf->decoder_info->name == NULL ) { debug1("accumulator: DEBUG: No decoder name available"); return lf; } // Purge the cache as needed Accumulate_CleanUp(); // Initialize variables // Timing data gettimeofday(&tp, NULL); current_ts = tp.tv_sec; /* Accumulator Key */ result = snprintf(_key, OS_FLSIZE, "%s %s %s", lf->hostname, lf->decoder_info->name, lf->id ); if( result < 0 || result >= sizeof(_key) ) { debug1("accumulator: DEBUG: error setting accumulator key, id:%s,name:%s", lf->id, lf->decoder_info->name); return lf; } /** Checking if acm is already present **/ if((stored_data = (OS_ACM_Store *)OSHash_Get(acm_store, _key)) != NULL) { debug2("accumulator: DEBUG: Lookup for '%s' found a stored value!", _key); if( stored_data->timestamp > 0 && stored_data->timestamp < current_ts - OS_ACM_EXPIRE_ELM ) { if( OSHash_Delete(acm_store, _key) != NULL ) { debug1("accumulator: DEBUG: Deleted expired hash entry for '%s'", _key); // Clear this memory FreeACMStore(stored_data); // Reallocate what we need stored_data = InitACMStore(); } } else { // Update the event do_update = 1; if (acm_str_replace(&lf->dstuser,stored_data->dstuser) == 0) debug2("accumulator: DEBUG: (%s) updated lf->dstuser to %s", _key, lf->dstuser); if (acm_str_replace(&lf->srcuser,stored_data->srcuser) == 0) debug2("accumulator: DEBUG: (%s) updated lf->srcuser to %s", _key, lf->srcuser); if (acm_str_replace(&lf->dstip,stored_data->dstip) == 0) debug2("accumulator: DEBUG: (%s) updated lf->dstip to %s", _key, lf->dstip); if (acm_str_replace(&lf->srcip,stored_data->srcip) == 0) debug2("accumulator: DEBUG: (%s) updated lf->srcip to %s", _key, lf->srcip); if (acm_str_replace(&lf->dstport,stored_data->dstport) == 0) debug2("accumulator: DEBUG: (%s) updated lf->dstport to %s", _key, lf->dstport); if (acm_str_replace(&lf->srcport,stored_data->srcport) == 0) debug2("accumulator: DEBUG: (%s) updated lf->srcport to %s", _key, lf->srcport); if (acm_str_replace(&lf->data,stored_data->data) == 0) debug2("accumulator: DEBUG: (%s) updated lf->data to %s", _key, lf->data); } } else { stored_data = InitACMStore(); } // Store the object in the cache stored_data->timestamp = current_ts; if (acm_str_replace(&stored_data->dstuser,lf->dstuser) == 0) debug2("accumulator: DEBUG: (%s) updated stored_data->dstuser to %s", _key, stored_data->dstuser); if (acm_str_replace(&stored_data->srcuser,lf->srcuser) == 0) debug2("accumulator: DEBUG: (%s) updated stored_data->srcuser to %s", _key, stored_data->srcuser); if (acm_str_replace(&stored_data->dstip,lf->dstip) == 0) debug2("accumulator: DEBUG: (%s) updated stored_data->dstip to %s", _key, stored_data->dstip); if (acm_str_replace(&stored_data->srcip,lf->srcip) == 0) debug2("accumulator: DEBUG: (%s) updated stored_data->srcip to %s", _key, stored_data->srcip); if (acm_str_replace(&stored_data->dstport,lf->dstport) == 0) debug2("accumulator: DEBUG: (%s) updated stored_data->dstport to %s", _key, stored_data->dstport); if (acm_str_replace(&stored_data->srcport,lf->srcport) == 0) debug2("accumulator: DEBUG: (%s) updated stored_data->srcport to %s", _key, stored_data->srcport); if (acm_str_replace(&stored_data->data,lf->data) == 0) debug2("accumulator: DEBUG: (%s) updated stored_data->data to %s", _key, stored_data->data); // Update or Add to the hash if( do_update == 1 ) { // Update the hash entry if( (result = OSHash_Update(acm_store, _key, stored_data)) != 1) { verbose("accumulator: ERROR: Update of stored data for %s failed (%d).", _key, result); } else { debug1("accumulator: DEBUG: Updated stored data for %s", _key); } } else { if((result = OSHash_Add(acm_store, _key, stored_data)) != 2 ) { verbose("accumulator: ERROR: Addition of stored data for %s failed (%d).", _key, result); } else { debug1("accumulator: DEBUG: Added stored data for %s", _key); } } return lf; }
/* FTS v0.1 * Check if the word "msg" is present on the "queue". * If it is not, write it there. */ int FTS(Eventinfo *lf) { int number_of_matches = 0; char _line[OS_FLSIZE + 1]; char *line_for_list = NULL; OSListNode *fts_node; _line[OS_FLSIZE] = '\0'; /* Assigning the values to the FTS */ snprintf(_line, OS_FLSIZE, "%s %s %s %s %s %s %s %s %s", lf->decoder_info->name, (lf->id && (lf->decoder_info->fts & FTS_ID))?lf->id:"", (lf->dstuser && (lf->decoder_info->fts & FTS_DSTUSER))?lf->dstuser:"", (lf->srcuser && (lf->decoder_info->fts & FTS_SRCUSER))?lf->srcuser:"", (lf->srcip && (lf->decoder_info->fts & FTS_SRCIP))?lf->srcip:"", (lf->dstip && (lf->decoder_info->fts & FTS_DSTIP))?lf->dstip:"", (lf->data && (lf->decoder_info->fts & FTS_DATA))?lf->data:"", (lf->systemname && (lf->decoder_info->fts & FTS_SYSTEMNAME))?lf->systemname:"", (lf->decoder_info->fts & FTS_LOCATION)?lf->location:""); /** Checking if FTS is already present **/ if(OSHash_Get(fts_store, _line)) { return(0); } /* Checking if from the last FTS events, we had * at least 3 "similars" before. If yes, we just * ignore it. */ if(lf->decoder_info->type == IDS) { fts_node = OSList_GetLastNode(fts_list); while(fts_node) { if(OS_StrHowClosedMatch((char *)fts_node->data, _line) > fts_minsize_for_str) { number_of_matches++; /* We go and add this new entry to the list */ if(number_of_matches > 2) { _line[fts_minsize_for_str] = '\0'; break; } } fts_node = OSList_GetPrevNode(fts_list); } os_strdup(_line, line_for_list); OSList_AddData(fts_list, line_for_list); } /* Storing new entry */ if(line_for_list == NULL) { os_strdup(_line, line_for_list); } if(OSHash_Add(fts_store, line_for_list, line_for_list) <= 1) { return(0); } #ifdef TESTRULE return(1); #endif /* Saving to fts fp */ fseek(fp_list, 0, SEEK_END); fprintf(fp_list,"%s\n", _line); fflush(fp_list); return(1); }