/** void ExecdStart(int q) v0.2
* Main function on the execd. Does all the data receiving ,etc.
*/
static void ExecdStart(int q)
{
int i, childcount = 0;
time_t curr_time;
char buffer[OS_MAXSTR + 1];
char *tmp_msg = NULL;
char *name;
char *command;
char *cmd_args[MAX_ARGS +2];
/* Select */
fd_set fdset;
struct timeval socket_timeout;
/* Clearing the buffer */
memset(buffer, '\0', OS_MAXSTR +1);
/* Initializing the cmd arguments */
for(i = 0; i<= MAX_ARGS +1; i++)
{
cmd_args[i] = NULL;
}
/* Creating list for timeout */
timeout_list = OSList_Create();
if(!timeout_list)
{
ErrorExit(LIST_ERROR, ARGV0);
}
if(repeated_offenders_timeout[0] != 0)
{
repeated_hash = OSHash_Create();
}
else
{
repeated_hash = NULL;
}
/* Main loop. */
while(1)
{
int timeout_value;
int added_before = 0;
char **timeout_args;
timeout_data *timeout_entry;
/* Cleaning up any child. */
while (childcount)
{
int wp;
wp = waitpid((pid_t) -1, NULL, WNOHANG);
if (wp < 0)
{
merror(WAITPID_ERROR, ARGV0, errno, strerror(errno));
break;
}
/* if = 0, we still need to wait for the child process */
else if (wp == 0)
{
break;
}
/* Child completed if wp > 0 */
else
{
childcount--;
}
}
/* Getting currently time */
curr_time = time(0);
/* Checking if there is any timeouted command to execute. */
timeout_node = OSList_GetFirstNode(timeout_list);
while(timeout_node)
{
timeout_data *list_entry;
list_entry = (timeout_data *)timeout_node->data;
/* Timeouted */
if((curr_time - list_entry->time_of_addition) >
list_entry->time_to_block)
{
ExecCmd(list_entry->command);
/* Deletecurrently node already sets the pointer to next */
OSList_DeleteCurrentlyNode(timeout_list);
timeout_node = OSList_GetCurrentlyNode(timeout_list);
/* Clearing the memory */
FreeTimeoutEntry(list_entry);
childcount++;
}
else
{
timeout_node = OSList_GetNextNode(timeout_list);
}
}
/* Setting timeout to EXECD_TIMEOUT */
socket_timeout.tv_sec = EXECD_TIMEOUT;
socket_timeout.tv_usec= 0;
/* Setting FD values */
FD_ZERO(&fdset);
FD_SET(q, &fdset);
/* Adding timeout */
if(select(q+1, &fdset, NULL, NULL, &socket_timeout) == 0)
{
/* Timeout .. */
continue;
}
/* Checking for error */
if(!FD_ISSET(q, &fdset))
{
merror(SELECT_ERROR, ARGV0, errno, strerror(errno));
continue;
}
/* Receiving the message */
if(OS_RecvUnix(q, OS_MAXSTR, buffer) == 0)
{
merror(QUEUE_ERROR, ARGV0, EXECQUEUEPATH, strerror(errno));
continue;
}
/* Currently time */
curr_time = time(0);
/* Getting application name */
name = buffer;
/* Zeroing the name */
tmp_msg = strchr(buffer, ' ');
if(!tmp_msg)
{
merror(EXECD_INV_MSG, ARGV0, buffer);
continue;
}
*tmp_msg = '\0';
tmp_msg++;
/* Getting the command to execute (valid name) */
command = GetCommandbyName(name, &timeout_value);
if(!command)
{
ReadExecConfig();
command = GetCommandbyName(name, &timeout_value);
if(!command)
{
merror(EXEC_INV_NAME, ARGV0, name);
continue;
}
}
/* Command not present. */
if(command[0] == '\0')
continue;
/* Allocating memory for the timeout argument */
os_calloc(MAX_ARGS+2, sizeof(char *), timeout_args);
/* Adding initial variables to the cmd_arg and to the timeout cmd */
cmd_args[0] = command;
cmd_args[1] = ADD_ENTRY;
os_strdup(command, timeout_args[0]);
os_strdup(DELETE_ENTRY, timeout_args[1]);
cmd_args[2] = NULL;
timeout_args[2] = NULL;
/* Getting the arguments. */
i = 2;
while(i < (MAX_ARGS -1))
{
cmd_args[i] = tmp_msg;
cmd_args[i+1] = NULL;
tmp_msg = strchr(tmp_msg, ' ');
if(!tmp_msg)
{
timeout_args[i] = strdup(cmd_args[i]);
timeout_args[i+1] = NULL;
break;
}
*tmp_msg = '\0';
tmp_msg++;
timeout_args[i] = strdup(cmd_args[i]);
timeout_args[i+1] = NULL;
i++;
}
/* Check this command was already executed. */
timeout_node = OSList_GetFirstNode(timeout_list);
added_before = 0;
/* Checking for the username and ip argument */
if(!timeout_args[2] || !timeout_args[3])
{
added_before = 1;
merror("%s: Invalid number of arguments.", ARGV0);
}
while(timeout_node)
{
timeout_data *list_entry;
list_entry = (timeout_data *)timeout_node->data;
if((strcmp(list_entry->command[3], timeout_args[3]) == 0) &&
(strcmp(list_entry->command[0], timeout_args[0]) == 0))
{
/* Means we executed this command before
* and we don't need to add it again.
*/
added_before = 1;
/* updating the timeout */
list_entry->time_of_addition = curr_time;
if(repeated_offenders_timeout[0] != 0 &&
repeated_hash != NULL &&
strncmp(timeout_args[3],"-", 1) != 0)
{
char *ntimes = NULL;
char rkey[256];
rkey[255] = '\0';
snprintf(rkey, 255, "%s%s", list_entry->command[0],
timeout_args[3]);
if((ntimes = (char *) OSHash_Get(repeated_hash, rkey)))
{
int ntimes_int = 0;
int i2 = 0;
int new_timeout = 0;
ntimes_int = atoi(ntimes);
while(repeated_offenders_timeout[i2] != 0)
{
i2++;
}
if(ntimes_int >= i2)
{
new_timeout = repeated_offenders_timeout[i2 - 1]*60;
}
else
{
free(ntimes); // In hash_op.c, data belongs to caller
os_calloc(10, sizeof(char), ntimes);
new_timeout = repeated_offenders_timeout[ntimes_int]*60;
ntimes_int++;
snprintf(ntimes, 9, "%d", ntimes_int);
OSHash_Update(repeated_hash,rkey,ntimes);
}
list_entry->time_to_block = new_timeout;
}
}
break;
}
/* Continue with the next entry in timeout list*/
timeout_node = OSList_GetNextNode(timeout_list);
}
/* If it wasn't added before, do it now */
if(!added_before)
{
/* executing command */
ExecCmd(cmd_args);
/* We don't need to add to the list if the timeout_value == 0 */
if(timeout_value)
{
char *ntimes;
char rkey[256];
rkey[255] = '\0';
snprintf(rkey, 255, "%s%s", timeout_args[0],
timeout_args[3]);
if(repeated_hash != NULL)
{
if((ntimes = (char *) OSHash_Get(repeated_hash, rkey)))
{
int ntimes_int = 0;
int i2 = 0;
int new_timeout = 0;
ntimes_int = atoi(ntimes);
while(repeated_offenders_timeout[i2] != 0)
{
i2++;
}
if(ntimes_int >= i2)
{
new_timeout = repeated_offenders_timeout[i2 - 1]*60;
}
else
{
os_calloc(10, sizeof(char), ntimes);
new_timeout = repeated_offenders_timeout[ntimes_int]*60;
ntimes_int++;
snprintf(ntimes, 9, "%d", ntimes_int);
OSHash_Update(repeated_hash, rkey, ntimes);
}
timeout_value = new_timeout;
}
else
{
/* Adding to the repeated offenders list. */
OSHash_Add(repeated_hash,
rkey, strdup("0"));
}
}
/* Creating the timeout entry */
os_calloc(1, sizeof(timeout_data), timeout_entry);
timeout_entry->command = timeout_args;
timeout_entry->time_of_addition = curr_time;
timeout_entry->time_to_block = timeout_value;
/* Adding command to the timeout list */
if(!OSList_AddData(timeout_list, timeout_entry))
{
merror(LIST_ADD_ERROR, ARGV0);
FreeTimeoutEntry(timeout_entry);
}
}
/* If no timeout, we still need to free it in here */
else
{
char **ss_ta = timeout_args;
while(*timeout_args)
{
os_free(*timeout_args);
*timeout_args = NULL;
timeout_args++;
}
os_free(ss_ta);
}
childcount++;
}
/* We didn't add it to the timeout list */
else
{
char **ss_ta = timeout_args;
/* Clear the timeout arguments */
while(*timeout_args)
{
os_free(*timeout_args);
*timeout_args = NULL;
timeout_args++;
}
os_free(ss_ta);
}
/* Some cleanup */
while(i > 0)
{
cmd_args[i] = NULL;
i--;
}
}
}
/* Accumulate v0.1
* Accumulate data from events sharing the same id
*/
Eventinfo* Accumulate(Eventinfo *lf)
{
// Declare our variables
int result;
int do_update = 0;
char _key[OS_ACM_MAXKEY];
OS_ACM_Store *stored_data = 0;
// Timing Variables
int current_ts;
struct timeval tp;
// Check to make sure lf is valid
if ( lf == NULL ) {
debug1("accumulator: DEBUG: Received NULL EventInfo");
return lf;
}
// We need an ID to use the accumulator
if( lf->id == NULL ) {
debug2("accumulator: DEBUG: No id available");
return lf;
}
if( lf->decoder_info == NULL ) {
debug1("accumulator: DEBUG: No decoder_info available");
return lf;
}
if( lf->decoder_info->name == NULL ) {
debug1("accumulator: DEBUG: No decoder name available");
return lf;
}
// Purge the cache as needed
Accumulate_CleanUp();
// Initialize variables
// Timing data
gettimeofday(&tp, NULL);
current_ts = tp.tv_sec;
/* Accumulator Key */
result = snprintf(_key, OS_FLSIZE, "%s %s %s",
lf->hostname,
lf->decoder_info->name,
lf->id
);
if( result < 0 || result >= sizeof(_key) ) {
debug1("accumulator: DEBUG: error setting accumulator key, id:%s,name:%s", lf->id, lf->decoder_info->name);
return lf;
}
/** Checking if acm is already present **/
if((stored_data = (OS_ACM_Store *)OSHash_Get(acm_store, _key)) != NULL) {
debug2("accumulator: DEBUG: Lookup for '%s' found a stored value!", _key);
if( stored_data->timestamp > 0 && stored_data->timestamp < current_ts - OS_ACM_EXPIRE_ELM ) {
if( OSHash_Delete(acm_store, _key) != NULL ) {
debug1("accumulator: DEBUG: Deleted expired hash entry for '%s'", _key);
// Clear this memory
FreeACMStore(stored_data);
// Reallocate what we need
stored_data = InitACMStore();
}
}
else {
// Update the event
do_update = 1;
if (acm_str_replace(&lf->dstuser,stored_data->dstuser) == 0)
debug2("accumulator: DEBUG: (%s) updated lf->dstuser to %s", _key, lf->dstuser);
if (acm_str_replace(&lf->srcuser,stored_data->srcuser) == 0)
debug2("accumulator: DEBUG: (%s) updated lf->srcuser to %s", _key, lf->srcuser);
if (acm_str_replace(&lf->dstip,stored_data->dstip) == 0)
debug2("accumulator: DEBUG: (%s) updated lf->dstip to %s", _key, lf->dstip);
if (acm_str_replace(&lf->srcip,stored_data->srcip) == 0)
debug2("accumulator: DEBUG: (%s) updated lf->srcip to %s", _key, lf->srcip);
if (acm_str_replace(&lf->dstport,stored_data->dstport) == 0)
debug2("accumulator: DEBUG: (%s) updated lf->dstport to %s", _key, lf->dstport);
if (acm_str_replace(&lf->srcport,stored_data->srcport) == 0)
debug2("accumulator: DEBUG: (%s) updated lf->srcport to %s", _key, lf->srcport);
if (acm_str_replace(&lf->data,stored_data->data) == 0)
debug2("accumulator: DEBUG: (%s) updated lf->data to %s", _key, lf->data);
}
}
else {
stored_data = InitACMStore();
}
// Store the object in the cache
stored_data->timestamp = current_ts;
if (acm_str_replace(&stored_data->dstuser,lf->dstuser) == 0)
debug2("accumulator: DEBUG: (%s) updated stored_data->dstuser to %s", _key, stored_data->dstuser);
if (acm_str_replace(&stored_data->srcuser,lf->srcuser) == 0)
debug2("accumulator: DEBUG: (%s) updated stored_data->srcuser to %s", _key, stored_data->srcuser);
if (acm_str_replace(&stored_data->dstip,lf->dstip) == 0)
debug2("accumulator: DEBUG: (%s) updated stored_data->dstip to %s", _key, stored_data->dstip);
if (acm_str_replace(&stored_data->srcip,lf->srcip) == 0)
debug2("accumulator: DEBUG: (%s) updated stored_data->srcip to %s", _key, stored_data->srcip);
if (acm_str_replace(&stored_data->dstport,lf->dstport) == 0)
debug2("accumulator: DEBUG: (%s) updated stored_data->dstport to %s", _key, stored_data->dstport);
if (acm_str_replace(&stored_data->srcport,lf->srcport) == 0)
debug2("accumulator: DEBUG: (%s) updated stored_data->srcport to %s", _key, stored_data->srcport);
if (acm_str_replace(&stored_data->data,lf->data) == 0)
debug2("accumulator: DEBUG: (%s) updated stored_data->data to %s", _key, stored_data->data);
// Update or Add to the hash
if( do_update == 1 ) {
// Update the hash entry
if( (result = OSHash_Update(acm_store, _key, stored_data)) != 1) {
verbose("accumulator: ERROR: Update of stored data for %s failed (%d).", _key, result);
}
else {
debug1("accumulator: DEBUG: Updated stored data for %s", _key);
}
}
else {
if((result = OSHash_Add(acm_store, _key, stored_data)) != 2 ) {
verbose("accumulator: ERROR: Addition of stored data for %s failed (%d).", _key, result);
}
else {
debug1("accumulator: DEBUG: Added stored data for %s", _key);
}
}
return lf;
}
