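/* Current global clock as seconds; reads ArgusParser->ArgusGlobalTime. */
static double
RaClientTimeoutNow(void)
{
   return (double)(ArgusParser->ArgusGlobalTime.tv_sec * 1.0) +
          (double)(ArgusParser->ArgusGlobalTime.tv_usec / 1000000.0);
}

/*
 * Timeout callback: walk every aggregator and report/retire records whose
 * status interval or idle interval has elapsed.
 *
 * Two regimes, chosen per aggregator:
 *   - agg->statusint > 0: the queue is rotated once (pop, examine, push
 *     back).  A record past its status interval is reported and kept; a
 *     record past its idle interval is reported and deleted.
 *   - otherwise, if agg->idleint: only the head of the queue is examined and
 *     the pass stops at the first record that is still active.
 *
 * Globals read: ArgusParser->ArgusAggregator, ArgusParser->ArgusGlobalTime.
 * No return value.
 */
void
ArgusClientTimeout ()
{
   struct ArgusAggregatorStruct *agg = ArgusParser->ArgusAggregator;

   for (; agg != NULL; agg = agg->nxt) {
      if (agg->statusint > 0) {
         /* count is captured up front so records pushed back onto the
          * queue are not visited twice in this pass. */
         int count = agg->queue->count;
         int i;

         for (i = 0; i < count; i++) {
            struct ArgusRecordStruct *ns = (void *) ArgusPopQueue(agg->queue, ARGUS_LOCK);
            double nsst, nslt, glt;

            if (ns == NULL)       /* queue drained before count was reached */
               break;

            nsst = ArgusFetchStartTime(ns);
            nslt = ArgusFetchLastTime(ns);
            glt  = RaClientTimeoutNow();

            if ((glt - nsst) >= agg->statusint) {
               /* Status interval elapsed: report, keep accumulating. */
               RaSendArgusRecord(ns);
            } else if (agg->idleint && ((glt - nslt) >= agg->idleint)) {
               /* Idle too long: report and retire; not pushed back. */
               ArgusRemoveHashEntry(&ns->htblhdr);
               RaSendArgusRecord(ns);
               ArgusDeleteRecordStruct (ArgusParser, ns);
               ns = NULL;
            }

            if (ns != NULL)
               ArgusAddToQueue(agg->queue, &ns->qhdr, ARGUS_LOCK);
         }
      } else if (agg->idleint) {
         /* Head-only scan.  Stopping at the first active record relies on the
          * head being the least recently updated record (RaProcessThisRecord
          * re-queues merged records); NOTE(review): confirm ArgusAddToQueue
          * appends at the tail. */
         while (agg->queue->count > 0) {
            struct ArgusRecordStruct *ns = (void *) agg->queue->start;
            double nslt, glt;

            if (ns == NULL)
               break;

            nslt = ArgusFetchLastTime(ns);
            glt  = RaClientTimeoutNow();

            if ((glt - nslt) < agg->idleint)
               break;             /* head still active, so is everything behind it */

            /* Unlink from hash table and queue before deleting, as the
             * statusint path does via its pop, so this loop never depends on
             * ArgusDeleteRecordStruct() dequeuing ns itself. */
            ArgusRemoveHashEntry(&ns->htblhdr);
            ArgusRemoveFromQueue(agg->queue, &ns->qhdr, ARGUS_LOCK);
            RaSendArgusRecord(ns);
            ArgusDeleteRecordStruct (ArgusParser, ns);
         }
      }
   }

#ifdef ARGUSDEBUG
   ArgusDebug (6, "ArgusClientTimeout()\n");
#endif
}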
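/*
 * Completion handler (end of input or signal).  On the first call, sorts
 * and emits everything queued in ArgusSorter; for a terminating signal,
 * closes every output file and exits.
 *
 * sig: the signal number, or a negative value when called without one.
 *      A negative sig does nothing at all.  Only SIGHUP/SIGINT/SIGTERM/
 *      SIGQUIT reach the close-and-exit path.
 * Globals: ArgusParser (RaParseCompleting, ArgusWfileList), ArgusSorter.
 * No return value; exit(0) is called for the signals above.
 */
void
RaParseComplete (int sig)
{
   if (sig < 0)
      return;

   /* RaParseCompleting is a re-entry guard: only the first caller flushes. */
   if (!ArgusParser->RaParseCompleting++) {
      int count = ArgusSorter->ArgusRecordQueue->count;

      if (count > 0) {
         int i;

         ArgusSortQueue (ArgusSorter, ArgusSorter->ArgusRecordQueue);
         for (i = 0; i < count; i++)
            RaSendArgusRecord ((struct ArgusRecordStruct *) ArgusSorter->ArgusRecordQueue->array[i]);
      }
   }

#ifdef ARGUSDEBUG
   ArgusDebug (2, "RaParseComplete(caught signal %d)\n", sig);
#endif

   switch (sig) {
      case SIGHUP:
      case SIGINT:
      case SIGTERM:
      case SIGQUIT: {
         if (ArgusParser->ArgusWfileList != NULL) {
            struct ArgusListObjectStruct *lobj = ArgusParser->ArgusWfileList->start;
            int nfiles = ArgusParser->ArgusWfileList->count;
            int n;

            /* Bounded by both the list count and a NULL link, so a short
             * list cannot make us dereference lobj->nxt on NULL. */
            for (n = 0; (n < nfiles) && (lobj != NULL); n++, lobj = lobj->nxt) {
               struct ArgusWfileStruct *wfile = (struct ArgusWfileStruct *) lobj;

               if (wfile->fd != NULL) {
#ifdef ARGUSDEBUG
                  ArgusDebug (2, "RaParseComplete: closing %s\n", wfile->filename);
#endif
                  fflush (wfile->fd);
                  fclose (wfile->fd);
                  wfile->fd = NULL;
               }
            }
         }
         exit(0);
         break;
      }
      default:
         break;
   }
}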
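/*
 * Called when one input file has been fully read.  In replace mode
 * (ArgusSorter->ArgusReplaceMode) the sorted records are written to a
 * temporary file next to the input, which is then renamed over the input.
 *
 * input: the finished input; its filename and statbuf.st_mode name and
 *        create the temporary output.
 * Globals: ArgusParser (ArgusWfileList, ArgusRealTime, Vflag),
 *          ArgusSorter (ArgusRecordQueue).
 * No return value.  ArgusLog(LOG_ERR, ...) is treated as fatal, as the rest
 * of this file does (the original fell through to close(fd) after a failed
 * open()).  Because the temporary file is closed before it is renamed, a
 * write/close failure leaves the original input untouched.
 */
void
RaArgusInputComplete (struct ArgusInput *input)
{
   struct ArgusRecordStruct *nsr;
   struct ArgusWfileStruct *wfile = NULL;
   char buf[MAXSTRLEN];
   int count, label, i, fd;

   if (!ArgusSorter->ArgusReplaceMode)
      return;

   if (ArgusParser->ArgusWfileList == NULL)
      ArgusParser->ArgusWfileList = ArgusNewList();

   if ((count = ArgusSorter->ArgusRecordQueue->count) <= 0)
      return;

   /* Temporary name "<input>.tmp<label>".  The generator is seeded from the
    * current microsecond count (the original's preceding conditional
    * srandom(ArgusRandomSeed) was always overridden by this call).  The
    * label does not have to be unpredictable: uniqueness comes from O_EXCL. */
   srandom (ArgusParser->ArgusRealTime.tv_usec);
   label = random() % 100000;

   memset(buf, 0, sizeof(buf));
   snprintf (buf, sizeof(buf), "%s.tmp%d", input->filename, label);

   /* O_CREAT|O_EXCL guarantees a freshly created file: nothing (file or
    * symlink) already existed at that name.  The descriptor is then closed
    * and the file is later reopened by name (presumably by RaSendArgusRecord
    * via wfile->filename); that reopen does not carry the O_EXCL guarantee.
    * NOTE(review): consider handing this descriptor to the writer instead. */
   if ((fd = open(buf, O_CREAT|O_EXCL, input->statbuf.st_mode)) < 0)
      ArgusLog (LOG_ERR, "open %s error: %s", buf, strerror(errno));
   close(fd);

   if ((wfile = (struct ArgusWfileStruct *) ArgusCalloc (1, sizeof (*wfile))) == NULL)
      ArgusLog (LOG_ERR, "setArgusWfile, ArgusCalloc %s", strerror(errno));

   ArgusPushFrontList(ArgusParser->ArgusWfileList, (struct ArgusListRecord *)wfile, ARGUS_NOLOCK);
   wfile->filename = strdup(buf);

   ArgusSortQueue (ArgusSorter, ArgusSorter->ArgusRecordQueue);
   for (i = 0, count = ArgusSorter->ArgusRecordQueue->count; i < count; i++)
      RaSendArgusRecord ((struct ArgusRecordStruct *)ArgusSorter->ArgusRecordQueue->array[i]);

   while ((nsr = (struct ArgusRecordStruct *) ArgusPopQueue(ArgusSorter->ArgusRecordQueue, ARGUS_NOLOCK)) != NULL)
      ArgusDeleteRecordStruct(ArgusParser, nsr);

   /* Close (and so flush) the temporary file before it takes the input's
    * name, so the input name never refers to a partially written file.
    * fd is NULL if nothing ever opened it; the original passed that to
    * fclose() unchecked. */
   if (wfile->fd != NULL) {
      if (fclose (wfile->fd) != 0)
         ArgusLog (LOG_ERR, "fclose %s error: %s", wfile->filename, strerror(errno));
      wfile->fd = NULL;
   }

   if (rename (wfile->filename, input->filename) < 0)
      ArgusLog (LOG_ERR, "rename %s to %s error: %s", wfile->filename, input->filename, strerror(errno));

   ArgusDeleteList (ArgusParser->ArgusWfileList, ARGUS_WFILE_LIST);
   ArgusParser->ArgusWfileList = NULL;

   if (ArgusParser->Vflag)
      ArgusLog(LOG_INFO, "file %s sorted", input->filename);
}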
/*
 * Run one input record through the chain of aggregators.
 *
 * For each aggregator, until one with agg->cont == 0 accepts the record:
 *   1. Apply the aggregator's filter (agg->filterstr) and/or label regex
 *      (agg->labelstr).  -1 means "not configured"; with neither configured
 *      the record is accepted, with both it must pass both.
 *   2. Copy the record, pick the flow model (RaFlowModelOverRides, falling
 *      back to agg->drap), regenerate its flow key and hash it.
 *   3. Look the key up in agg->htable.  On a miss, if reverse matching is on
 *      (parser->ArgusReverse, not RaMonMode, agg->correct set, not ESP), try
 *      the reversed key; for IPv4 ICMP informational request/reply pairs the
 *      type is temporarily flipped to find the paired direction.  A reverse
 *      hit reverses one of the two records so that they merge.
 *   4. Hit: flush the stored record first if -A service-test bits changed or
 *      the status/idle interval requires it, merge ns into it, re-queue it,
 *      delete ns.  Miss: insert ns as a new hash and queue entry.
 *
 * parser: parser whose aggregator chain and flags (RaMonMode, ArgusReverse,
 *         Aflag) are used.
 * argus:  the record to process; it is copied, never modified or freed here.
 * No return value.  ArgusLog(LOG_ERR, ...) is assumed not to return: the
 * code after each hash-generation failure uses hstruct without a NULL check.
 */
void RaProcessThisRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *argus) {
   struct ArgusAggregatorStruct *agg = parser->ArgusAggregator;
   struct ArgusHashStruct *hstruct = NULL;
   int found = 0;

   while (agg && !found) {
      /* retn: accept/reject for this aggregator; fretn/lretn: filter and
       * label results, -1 while that check is not configured. */
      int retn = 0, fretn = -1, lretn = -1;

      if (agg->filterstr) {
         struct nff_insn *fcode = agg->filter.bf_insns;
         fretn = ArgusFilterRecord (fcode, argus);
      }

      if (agg->labelstr) {
         struct ArgusLabelStruct *label;
         /* regexec() returns 0 on a match, so a match sets lretn = 1;
          * a record without a label DSR never matches. */
         if (((label = (void *)argus->dsrs[ARGUS_LABEL_INDEX]) != NULL)) {
            if (regexec(&agg->lpreg, label->l_un.label, 0, NULL, 0))
               lretn = 0;
            else
               lretn = 1;
         } else
            lretn = 0;
      }

      retn = (lretn < 0) ? ((fretn < 0) ? 1 : fretn) : ((fretn < 0) ? lretn : (lretn && fretn));

      if (retn != 0) {
         struct ArgusRecordStruct *tns, *ns = ArgusCopyRecordStruct(argus);

         if ((agg->rap = RaFlowModelOverRides(agg, ns)) == NULL)
            agg->rap = agg->drap;

         ArgusGenerateNewFlow(agg, ns);

         if ((hstruct = ArgusGenerateHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
            ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));

         if ((tns = ArgusFindRecord(agg->htable, hstruct)) == NULL) {
            struct ArgusFlow *flow = (struct ArgusFlow *) ns->dsrs[ARGUS_FLOW_INDEX];

            if (!parser->RaMonMode && parser->ArgusReverse) {
               /* Reverse matching only when the aggregator has a correction
                * model (agg->correct), and never for ESP (presumably because
                * its two directions carry unrelated SPIs). */
               int tryreverse = 0;

               if (flow != NULL) {
                  if (agg->correct != NULL)
                     tryreverse = 1;

                  switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
                     case ARGUS_TYPE_IPV4: {
                        switch (flow->ip_flow.ip_p) {
                           case IPPROTO_ESP: tryreverse = 0; break;
                        }
                        break;
                     }
                     case ARGUS_TYPE_IPV6: {
                        switch (flow->ipv6_flow.ip_p) {
                           case IPPROTO_ESP: tryreverse = 0; break;
                        }
                        break;
                     }
                  }
               } else
                  tryreverse = 0;

               if (tryreverse) {
                  /* The error text names ArgusGenerateHashStruct although this
                   * is the reverse variant. */
                  if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
                     ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));

                  if ((tns = ArgusFindRecord(agg->htable, hstruct)) == NULL) {
                     /* No plain reverse match.  For IPv4 ICMP informational
                      * messages the other direction carries the paired type
                      * (echo <-> echo reply, ...): flip the type, look up the
                      * reversed key again, restore the type.  On a hit ns is
                      * reversed so that it merges into tns below. */
                     switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
                        case ARGUS_TYPE_IPV4: {
                           switch (flow->ip_flow.ip_p) {
                              case IPPROTO_ICMP: {
                                 struct ArgusICMPFlow *icmpFlow = &flow->flow_un.icmp;

                                 if (ICMP_INFOTYPE(icmpFlow->type)) {
                                    switch (icmpFlow->type) {
                                       case ICMP_ECHO:
                                       case ICMP_ECHOREPLY:
                                          icmpFlow->type = (icmpFlow->type == ICMP_ECHO) ? ICMP_ECHOREPLY : ICMP_ECHO;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_ECHO) ? ICMP_ECHOREPLY : ICMP_ECHO;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;

                                       case ICMP_ROUTERADVERT:
                                       case ICMP_ROUTERSOLICIT:
                                          icmpFlow->type = (icmpFlow->type == ICMP_ROUTERADVERT) ? ICMP_ROUTERSOLICIT : ICMP_ROUTERADVERT;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_ROUTERADVERT) ? ICMP_ROUTERSOLICIT : ICMP_ROUTERADVERT;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;

                                       case ICMP_TSTAMP:
                                       case ICMP_TSTAMPREPLY:
                                          icmpFlow->type = (icmpFlow->type == ICMP_TSTAMP) ? ICMP_TSTAMPREPLY : ICMP_TSTAMP;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_TSTAMP) ? ICMP_TSTAMPREPLY : ICMP_TSTAMP;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;

                                       case ICMP_IREQ:
                                       case ICMP_IREQREPLY:
                                          icmpFlow->type = (icmpFlow->type == ICMP_IREQ) ? ICMP_IREQREPLY : ICMP_IREQ;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_IREQ) ? ICMP_IREQREPLY : ICMP_IREQ;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;

                                       case ICMP_MASKREQ:
                                       case ICMP_MASKREPLY:
                                          icmpFlow->type = (icmpFlow->type == ICMP_MASKREQ) ? ICMP_MASKREPLY : ICMP_MASKREQ;
                                          if ((hstruct = ArgusGenerateReverseHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) != NULL)
                                             tns = ArgusFindRecord(agg->htable, hstruct);
                                          icmpFlow->type = (icmpFlow->type == ICMP_MASKREQ) ? ICMP_MASKREPLY : ICMP_MASKREQ;
                                          if (tns)
                                             ArgusReverseRecord (ns);
                                          break;
                                    }
                                 }
                                 break;
                              }
                           }
                        }
                     }

                     /* Recompute the forward key: the reverse lookups above
                      * overwrote hstruct, and the miss path below inserts ns
                      * under hstruct.  If ns was reversed, its forward key
                      * is presumably now tns's key. */
                     if ((hstruct = ArgusGenerateHashStruct(agg, ns, (struct ArgusFlow *)&agg->fstruct)) == NULL)
                        ArgusLog (LOG_ERR, "RaProcessThisRecord: ArgusGenerateHashStruct error %s", strerror(errno));

                  } else {
                     /* Reverse match found.  Normally ns is reversed to match
                      * tns; for TCP, when ns saw the SYN and tns did not, tns
                      * is reversed instead (presumably so the SYN sender ends
                      * up as the source of the merged record). */
                     switch (flow->hdr.argus_dsrvl8.qual & 0x1F) {
                        case ARGUS_TYPE_IPV4: {
                           switch (flow->ip_flow.ip_p) {
                              case IPPROTO_TCP: {
                                 struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)ns->dsrs[ARGUS_NETWORK_INDEX];

                                 if (tcp != NULL) {
                                    struct ArgusTCPObject *ttcp = (struct ArgusTCPObject *)tns->dsrs[ARGUS_NETWORK_INDEX];

                                    if (ttcp != NULL) {
                                       if ((tcp->status & ARGUS_SAW_SYN) && !(ttcp->status & ARGUS_SAW_SYN)) {
                                          ArgusReverseRecord (tns);
                                       } else
                                          ArgusReverseRecord (ns);
                                    } else
                                       ArgusReverseRecord (ns);
                                 } else
                                    ArgusReverseRecord (ns);
                                 break;
                              }

                              default:
                                 ArgusReverseRecord (ns);
                                 break;
                           }
                        }
                        break;

                        case ARGUS_TYPE_IPV6: {
                           switch (flow->ipv6_flow.ip_p) {
                              case IPPROTO_TCP: {
                                 struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)ns->dsrs[ARGUS_NETWORK_INDEX];

                                 if (tcp != NULL) {
                                    struct ArgusTCPObject *ttcp = (struct ArgusTCPObject *)tns->dsrs[ARGUS_NETWORK_INDEX];

                                    if (ttcp != NULL) {
                                       if ((tcp->status & ARGUS_SAW_SYN) && !(ttcp->status & ARGUS_SAW_SYN)) {
                                          ArgusReverseRecord (tns);
                                       } else
                                          ArgusReverseRecord (ns);
                                    } else
                                       ArgusReverseRecord (ns);
                                 } else
                                    ArgusReverseRecord (ns);
                                 break;
                              }

                              default:
                                 ArgusReverseRecord (ns);
                                 break;
                           }
                        }
                        break;

                        default:
                           ArgusReverseRecord (ns);
                     }
                  }
               }
            }
         }

         if (tns != NULL) {
            /* -A: when the service-test bits differ from the stored record's,
             * flush the stored record and adopt the new bits. */
            if (parser->Aflag) {
               if ((tns->status & RA_SVCTEST) != (ns->status & RA_SVCTEST)) {
                  RaSendArgusRecord(tns);
                  tns->status &= ~(RA_SVCTEST);
                  tns->status |= (ns->status & RA_SVCTEST);
               }
            }

            if (tns->status & ARGUS_RECORD_WRITTEN) {
               /* Already reported: start a fresh accumulation. */
               ArgusZeroRecord (tns);
            } else {
               if (agg->statusint || agg->idleint) {
                  double dur, nsst, tnsst, nslt, tnslt;

                  nsst = ArgusFetchStartTime(ns);
                  tnsst = ArgusFetchStartTime(tns);
                  nslt = ArgusFetchLastTime(ns);
                  tnslt = ArgusFetchLastTime(tns);

                  /* dur: span of the union of the two records' time ranges. */
                  dur = ((tnslt > nslt) ? tnslt : nslt) - ((nsst < tnsst) ? nsst : tnsst);

                  if (agg->statusint && (dur >= agg->statusint)) {
                     RaSendArgusRecord(tns);
                     ArgusZeroRecord(tns);
                  } else {
                     /* dur: gap between the two ranges, 0.0 when they overlap. */
                     dur = ((nslt < tnsst) ? (tnsst - nslt) : ((tnslt < nsst) ? (nsst - tnslt) : 0.0));

                     if (agg->idleint && (dur >= agg->idleint)) {
                        RaSendArgusRecord(tns);
                        ArgusZeroRecord(tns);
                     }
                  }
               }
            }

            ArgusMergeRecords (agg, tns, ns);
            /* Remove and re-add: presumably moves tns to the tail of the
             * queue, which ArgusClientTimeout's idle scan relies on. */
            ArgusRemoveFromQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
            ArgusAddToQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
            ArgusDeleteRecordStruct(parser, ns);
            agg->status |= ARGUS_AGGREGATOR_DIRTY;

         } else {
            /* New flow: ns itself becomes the stored record. */
            tns = ns;
            tns->htblhdr = ArgusAddHashEntry (agg->htable, tns, hstruct);
            ArgusAddToQueue (agg->queue, &tns->qhdr, ARGUS_NOLOCK);
            agg->status |= ARGUS_AGGREGATOR_DIRTY;
         }

         /* agg->cont: keep feeding the record to later aggregators. */
         if (agg->cont)
            agg = agg->nxt;
         else
            found++;
      } else
         agg = agg->nxt;
   }
}
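/*
 * Completion handler for the aggregating client.  On the first call: for
 * every aggregator with queued records, sorts the queue, merges the first
 * eNflag records into one summary record (ArgusParser->ns), emits and
 * deletes those records; then deletes the aggregator chain; in replace
 * mode renames the temporary output over the input.  For a terminating
 * signal it closes every output file and exits.
 *
 * sig: signal number, or negative when called without one (then only the
 *      eNflag restore at the end happens).
 * Globals: ArgusParser (RaParseCompleting, ArgusAggregator, ArgusMaskList,
 *          ArgusCurrentFile, ArgusWfileList, eNflag, ns, ArgusRealTime,
 *          ArgusReplaceMode, Vflag), ArgusSorter, ArgusSortKeyWords,
 *          ArgusSortAlgorithmTable.
 * No return value; exit(0) for SIGHUP/SIGINT/SIGTERM/SIGQUIT.
 * ArgusLog(LOG_ERR, ...) is treated as fatal, as the ArgusNewSorter check
 * below already assumes.
 */
void
RaParseComplete (int sig)
{
   struct ArgusModeStruct *mode = NULL;
   int x = 0, nflag = ArgusParser->eNflag;
   struct ArgusInput *file = ArgusParser->ArgusCurrentFile;
   char buf[MAXSTRLEN];
   int label;

   if (sig >= 0) {
      if (!(ArgusParser->RaParseCompleting++)) {
         struct ArgusAggregatorStruct *agg = ArgusParser->ArgusAggregator;

         ArgusParser->RaParseCompleting += sig;   /* kept as in the original */

         if (ArgusParser->ArgusReplaceMode && file) {
            /* Replace mode writes to "<input>.tmp<label>".  Seeded from the
             * current microsecond count (the original's preceding conditional
             * srandom(ArgusRandomSeed) was always overridden by this call).
             * NOTE(review): unlike the O_EXCL path in RaArgusInputComplete,
             * setArgusWfile presumably opens by name, so a pre-existing file
             * at that name would be reused rather than rejected. */
            srandom (ArgusParser->ArgusRealTime.tv_usec);
            label = random() % 100000;
            memset(buf, 0, sizeof(buf));
            snprintf (buf, sizeof(buf), "%s.tmp%d", file->filename, label);
            setArgusWfile(ArgusParser, buf, NULL);
         }

         for (; agg != NULL; agg = agg->nxt) {
            struct ArgusRecordStruct *argus;
            int nalg = 0;   /* next free slot in ArgusSortAlgorithms */
            int n;

            if (!agg->queue->count)
               continue;

            if (!(ArgusSorter))
               if ((ArgusSorter = ArgusNewSorter(ArgusParser)) == NULL)
                  ArgusLog (LOG_ERR, "RaParseComplete: ArgusNewSorter error %s", strerror(errno));

            /* Translate the mask/mode list into sort algorithms.  The slot
             * index is reset for every aggregator: the original reused `i`,
             * which the record loops below had left at eNflag, so for the
             * second and later aggregators the table was written past the
             * entries filled for the first.  The bound assumes the table has
             * MAX_SORT_ALG_TYPES slots; NOTE(review): confirm its size. */
            for (mode = ArgusParser->ArgusMaskList; mode != NULL; mode = mode->nxt) {
               if (nalg >= MAX_SORT_ALG_TYPES)
                  break;
               for (x = 0; x < MAX_SORT_ALG_TYPES; x++) {
                  if (!strncmp (ArgusSortKeyWords[x], mode->mode, strlen(ArgusSortKeyWords[x]))) {
                     ArgusSorter->ArgusSortAlgorithms[nalg++] = ArgusSortAlgorithmTable[x];
                     break;
                  }
               }
            }

            ArgusSortQueue (ArgusSorter, agg->queue);

            /* eNflag: the -N count capped at the queue length, or the whole
             * queue when -N was not given.  Records beyond eNflag are left in
             * the queue for ArgusDeleteAggregator below. */
            argus = ArgusCopyRecordStruct((struct ArgusRecordStruct *) agg->queue->array[0]);
            if (nflag == 0)
               ArgusParser->eNflag = agg->queue->count;
            else
               ArgusParser->eNflag = nflag > agg->queue->count ? agg->queue->count : nflag;

            /* Merge records 1..eNflag-1 into the copy of record 0; the result
             * is published as ArgusParser->ns while the records are sent. */
            for (n = 1; n < ArgusParser->eNflag; n++)
               ArgusMergeRecords (agg, argus, (struct ArgusRecordStruct *)agg->queue->array[n]);
            ArgusParser->ns = argus;

            for (n = 0; n < ArgusParser->eNflag; n++) {
               RaSendArgusRecord ((struct ArgusRecordStruct *) agg->queue->array[n]);
               ArgusDeleteRecordStruct(ArgusParser, (struct ArgusRecordStruct *) agg->queue->array[n]);
            }

            ArgusDeleteRecordStruct(ArgusParser, ArgusParser->ns);
            ArgusParser->ns = NULL;   /* the original left this pointing at freed memory */
         }

         if (ArgusParser->ArgusAggregator != NULL)
            ArgusDeleteAggregator(ArgusParser, ArgusParser->ArgusAggregator);

         if (ArgusParser->ArgusReplaceMode && file) {
            if (ArgusParser->ArgusWfileList != NULL) {
               struct ArgusWfileStruct *wfile = (void *)ArgusParser->ArgusWfileList->start;

               if (wfile != NULL) {
                  /* Close (and so flush) before renaming, so the input name
                   * never refers to a partially written file; a close error
                   * therefore leaves the original input untouched.  fd is
                   * NULL if no record was ever written, which the original
                   * passed to fclose() unchecked. */
                  if (wfile->fd != NULL) {
                     if (fclose (wfile->fd) != 0)
                        ArgusLog (LOG_ERR, "fclose %s error: %s", wfile->filename, strerror(errno));
                     wfile->fd = NULL;
                  }
                  if (rename (wfile->filename, file->filename) < 0)
                     ArgusLog (LOG_ERR, "rename %s to %s error: %s", wfile->filename, file->filename, strerror(errno));
               }

               ArgusDeleteList(ArgusParser->ArgusWfileList, ARGUS_WFILE_LIST);
               ArgusParser->ArgusWfileList = NULL;

               if (ArgusParser->Vflag)
                  ArgusLog(LOG_INFO, "file %s aggregated", file->filename);
            }
         }
      }

#ifdef ARGUSDEBUG
      ArgusDebug (2, "RaParseComplete(caught signal %d)\n", sig);
#endif

      switch (sig) {
         case SIGHUP:
         case SIGINT:
         case SIGTERM:
         case SIGQUIT: {
            ArgusShutDown(sig);

            if (ArgusParser->ArgusWfileList != NULL) {
               struct ArgusListObjectStruct *lobj = ArgusParser->ArgusWfileList->start;
               int nfiles = ArgusParser->ArgusWfileList->count;
               int n;

               /* Bounded by both the count and a NULL link, so a short list
                * cannot make us dereference lobj->nxt on NULL. */
               for (n = 0; (n < nfiles) && (lobj != NULL); n++, lobj = lobj->nxt) {
                  struct ArgusWfileStruct *wfile = (struct ArgusWfileStruct *) lobj;

                  if (wfile->fd != NULL) {
#ifdef ARGUSDEBUG
                     ArgusDebug (2, "RaParseComplete: closing %s\n", wfile->filename);
#endif
                     fflush (wfile->fd);
                     fclose (wfile->fd);
                     wfile->fd = NULL;
                  }
               }
            }
            exit(0);
            break;
         }
         default:
            break;
      }
   }

   ArgusParser->eNflag = nflag;

#ifdef ARGUSDEBUG
   ArgusDebug (6, "RaParseComplete(%d) done", sig);
#endif
}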