void Sagan_Bluedot_Load_Cat(void)
{
FILE *bluedot_cat_file;
char buf[1024] = { 0 };
char *saveptr = NULL;
char *bluedot_tok1 = NULL;
char *bluedot_tok2 = NULL;
if (( bluedot_cat_file = fopen(config->bluedot_cat, "r" )) == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] No Bluedot categories list to load (%s)!", __FILE__, __LINE__, config->bluedot_cat);
}
while(fgets(buf, 1024, bluedot_cat_file) != NULL)
{
/* Skip comments and blank linkes */
if (buf[0] == '#' || buf[0] == 10 || buf[0] == ';' || buf[0] == 32)
{
continue;
}
else
{
/* Allocate memory for references, not comments */
SaganBluedotCatList = (_Sagan_Bluedot_Cat_List *) realloc(SaganBluedotCatList, (counters->bluedot_cat_count+1) * sizeof(_Sagan_Bluedot_Cat_List));
/* Normalize the list for later use. Better to do this here than when processing rules */
bluedot_tok1 = Remove_Return(strtok_r(buf, "|", &saveptr));
if ( bluedot_tok1 == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Bluedot categories file appears to be malformed.", __FILE__, __LINE__);
}
Remove_Spaces(bluedot_tok1);
SaganBluedotCatList[counters->bluedot_cat_count].cat_number = atoi(bluedot_tok1);
bluedot_tok2 = Remove_Return(strtok_r(NULL, "|", &saveptr));
if ( bluedot_tok2 == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Bluedot categories file appears to be malformed.", __FILE__, __LINE__);
}
Remove_Return(bluedot_tok2);
Remove_Spaces(bluedot_tok2);
To_LowerC(bluedot_tok2);
strlcpy(SaganBluedotCatList[counters->bluedot_cat_count].cat, bluedot_tok2, sizeof(SaganBluedotCatList[counters->bluedot_cat_count].cat));
counters->bluedot_cat_count++;
}
}
}
void Sagan_BroIntel_Load_File ( void )
{
FILE *brointel_file;
char *value;
char *type;
char *description;
sbool found_flag;
sbool found_flag_array;
char *tok = NULL; ;
char *ptmp = NULL;
int line_count;
int i;
uint32_t u32_ip;
char *brointel_filename = NULL;
char brointelbuf[MAX_BROINTEL_LINE_SIZE] = { 0 };
counters->brointel_dups = 0;
brointel_filename = strtok_r(config->brointel_files, ",", &ptmp);
while ( brointel_filename != NULL )
{
Sagan_Log(S_NORMAL, "Bro Intel Processor Loading File: %s.", brointel_filename);
if (( brointel_file = fopen(brointel_filename, "r")) == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Could not load Bro Intel file! (%s - %s)", __FILE__, __LINE__, brointel_filename, strerror(errno));
}
while(fgets(brointelbuf, MAX_BROINTEL_LINE_SIZE, brointel_file) != NULL)
{
/* Skip comments and blank linkes */
if (brointelbuf[0] == '#' || brointelbuf[0] == 10 || brointelbuf[0] == ';' || brointelbuf[0] == 32 )
{
line_count++;
continue;
}
else
{
Remove_Return(brointelbuf);
value = strtok_r(brointelbuf, "\t", &tok);
type = strtok_r(NULL, "\t", &tok);
description = strtok_r(NULL, "\t", &tok);
if ( value == NULL || type == NULL || description == NULL )
{
Sagan_Log(S_WARN, "[%s, line %d] Got invalid line at %d in %s", __FILE__, __LINE__, line_count, brointel_filename);
}
found_flag = 0;
if (!strcmp(type, "Intel::ADDR"))
{
u32_ip = IP2Bit(value);
found_flag = 1; /* Used to short circuit other 'type' lookups */
found_flag_array = 0; /* Used to short circuit/warn when dups are found. This way we don't waste memory/CPU */
/* Check for duplicates. */
for (i=0; i < counters->brointel_addr_count; i++)
{
if ( u32_ip == Sagan_BroIntel_Intel_Addr[i].u32_ip )
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::ADDR address %s in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Addr = (_Sagan_BroIntel_Intel_Addr *) realloc(Sagan_BroIntel_Intel_Addr, (counters->brointel_addr_count+1) * sizeof(_Sagan_BroIntel_Intel_Addr));
if ( Sagan_BroIntel_Intel_Addr == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Addr. Abort!", __FILE__, __LINE__);
}
Sagan_BroIntel_Intel_Addr[counters->brointel_addr_count].u32_ip = IP2Bit(value);
counters->brointel_addr_count++;
}
}
if (!strcmp(type, "Intel::DOMAIN") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters-> brointel_domain_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_Domain[i].domain, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::DOMAIN '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Domain = (_Sagan_BroIntel_Intel_Domain *) realloc(Sagan_BroIntel_Intel_Domain, (counters->brointel_domain_count+1) * sizeof(_Sagan_BroIntel_Intel_Domain));
if ( Sagan_BroIntel_Intel_Domain == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Domain. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_Domain[counters->brointel_domain_count].domain, value, sizeof(Sagan_BroIntel_Intel_Domain[counters->brointel_domain_count].domain));
counters->brointel_domain_count++;
}
}
if (!strcmp(type, "Intel::FILE_HASH") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_file_hash_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_File_Hash[i].hash, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::FILE_HASH '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_File_Hash = (_Sagan_BroIntel_Intel_File_Hash *) realloc(Sagan_BroIntel_Intel_File_Hash, (counters->brointel_file_hash_count+1) * sizeof(_Sagan_BroIntel_Intel_File_Hash));
if ( Sagan_BroIntel_Intel_File_Hash == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_File_Hash. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_File_Hash[counters->brointel_file_hash_count].hash, value, sizeof(Sagan_BroIntel_Intel_File_Hash[counters->brointel_file_hash_count].hash));
counters->brointel_file_hash_count++;
}
}
if (!strcmp(type, "Intel::URL") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_url_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_URL[i].url, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::URL '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_URL = (_Sagan_BroIntel_Intel_URL *) realloc(Sagan_BroIntel_Intel_URL, (counters->brointel_url_count+1) * sizeof(_Sagan_BroIntel_Intel_URL));
if ( Sagan_BroIntel_Intel_URL == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_URL. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_URL[counters->brointel_url_count].url, value, sizeof(Sagan_BroIntel_Intel_URL[counters->brointel_url_count].url));
counters->brointel_url_count++;
}
}
if (!strcmp(type, "Intel::SOFTWARE") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_software_count++; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_Software[i].software, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::SOFTWARE '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Software = (_Sagan_BroIntel_Intel_Software *) realloc(Sagan_BroIntel_Intel_Software, (counters->brointel_software_count+1) * sizeof(_Sagan_BroIntel_Intel_Software));
if ( Sagan_BroIntel_Intel_Software == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Software. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_Software[counters->brointel_software_count].software, value, sizeof(Sagan_BroIntel_Intel_Software[counters->brointel_software_count].software));
counters->brointel_software_count++;
}
}
if (!strcmp(type, "Intel::EMAIL") && found_flag == 0)
{
To_LowerC(value);
found_flag_array = 0;
for (i=0; i < counters->brointel_email_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_Email[i].email, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::EMAIL '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Email = (_Sagan_BroIntel_Intel_Email *) realloc(Sagan_BroIntel_Intel_Email, (counters->brointel_email_count+1) * sizeof(_Sagan_BroIntel_Intel_Email));
if ( Sagan_BroIntel_Intel_Email == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Email. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_Email[counters->brointel_email_count].email, value, sizeof(Sagan_BroIntel_Intel_Email[counters->brointel_email_count].email));
counters->brointel_email_count++;
found_flag = 1;
}
}
if (!strcmp(type, "Intel::USER_NAME") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_user_name_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_User_Name[i].username, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::USER_NAME '%s' in %s on line %.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_User_Name = (_Sagan_BroIntel_Intel_User_Name *) realloc(Sagan_BroIntel_Intel_User_Name, (counters->brointel_user_name_count+1) * sizeof(_Sagan_BroIntel_Intel_User_Name));
if ( Sagan_BroIntel_Intel_User_Name == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_User_Name. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_User_Name[counters->brointel_user_name_count].username, value, sizeof(Sagan_BroIntel_Intel_User_Name[counters->brointel_user_name_count].username));
counters->brointel_user_name_count++;
}
}
if (!strcmp(type, "Intel::FILE_NAME") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_file_name_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_File_Name[i].file_name, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::FILE_NAME '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_File_Name = (_Sagan_BroIntel_Intel_File_Name *) realloc(Sagan_BroIntel_Intel_File_Name, (counters->brointel_file_name_count+1) * sizeof(_Sagan_BroIntel_Intel_File_Name));
if ( Sagan_BroIntel_Intel_File_Name == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_File_Name. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_File_Name[counters->brointel_file_name_count].file_name, value, sizeof(Sagan_BroIntel_Intel_File_Name[counters->brointel_file_name_count].file_name));
counters->brointel_file_name_count++;
}
}
if (!strcmp(type, "Intel::CERT_HASH") && found_flag == 0)
{
To_LowerC(value);
found_flag = 1;
found_flag_array = 0;
for (i=0; i < counters->brointel_cert_hash_count; i++)
{
if (!strcmp(Sagan_BroIntel_Intel_Cert_Hash[i].cert_hash, value))
{
Sagan_Log(S_WARN, "[%s, line %d] Got duplicate Intel::CERT_HASH '%s' in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count + 1);
counters->brointel_dups++;
found_flag_array = 1;
}
}
if ( found_flag_array == 0 )
{
Sagan_BroIntel_Intel_Cert_Hash = (_Sagan_BroIntel_Intel_Cert_Hash *) realloc(Sagan_BroIntel_Intel_Cert_Hash, (counters->brointel_cert_hash_count+1) * sizeof(_Sagan_BroIntel_Intel_Cert_Hash));
if ( Sagan_BroIntel_Intel_Cert_Hash == NULL )
{
Sagan_Log(S_ERROR, "[%s, line %d] Failed to reallocate memory for Sagan_BroIntel_Intel_Cert_Hash. Abort!", __FILE__, __LINE__);
}
strlcpy(Sagan_BroIntel_Intel_Cert_Hash[counters->brointel_cert_hash_count].cert_hash, value, sizeof(Sagan_BroIntel_Intel_Cert_Hash[counters->brointel_cert_hash_count].cert_hash));
counters->brointel_cert_hash_count++;
}
}
}
line_count++;
}
fclose(brointel_file);
brointel_filename = strtok_r(NULL, ",", &ptmp);
line_count = 0;
}
}
void Sagan_Verify_Categories( char *categories, int rule_number, const char *ruleset, int linecount, unsigned char type )
{
char tmp2[64];
char *tmptoken;
char *saveptrrule;
int i;
sbool found;
tmptoken = strtok_r(categories, "," , &saveptrrule);
while ( tmptoken != NULL )
{
strlcpy(tmp2, tmptoken, sizeof(tmp2));
Remove_Spaces(tmptoken);
To_LowerC(tmptoken);
found = 0;
for ( i = 0; i < counters->bluedot_cat_count; i++ )
{
if (!strcmp(SaganBluedotCatList[i].cat, tmptoken))
{
found = 1;
if ( type == BLUEDOT_LOOKUP_IP )
{
if ( rulestruct[rule_number].bluedot_ip_cat_count <= BLUEDOT_MAX_CAT )
{
rulestruct[rule_number].bluedot_ip_cats[rulestruct[rule_number].bluedot_ip_cat_count] = SaganBluedotCatList[i].cat_number;
rulestruct[rule_number].bluedot_ip_cat_count++;
}
else
{
Sagan_Log(S_WARN, "[%s, line %d] To many Bluedot IP catagories detected in %s at line %d", __FILE__, __LINE__, ruleset, linecount);
}
}
if ( type == BLUEDOT_LOOKUP_HASH )
{
if ( rulestruct[rule_number].bluedot_hash_cat_count <= BLUEDOT_MAX_CAT )
{
rulestruct[rule_number].bluedot_hash_cats[rulestruct[rule_number].bluedot_hash_cat_count] = SaganBluedotCatList[i].cat_number;
rulestruct[rule_number].bluedot_hash_cat_count++;
}
else
{
Sagan_Log(S_WARN, "[%s, line %d] To many Bluedot hash catagories detected in %s at line %d", __FILE__, __LINE__, ruleset, linecount);
}
}
if ( type == BLUEDOT_LOOKUP_URL )
{
if ( rulestruct[rule_number].bluedot_url_cat_count <= BLUEDOT_MAX_CAT )
{
rulestruct[rule_number].bluedot_url_cats[rulestruct[rule_number].bluedot_url_cat_count] = SaganBluedotCatList[i].cat_number;
rulestruct[rule_number].bluedot_url_cat_count++;
}
else
{
Sagan_Log(S_WARN, "[%s, line %d] To many Bluedot URL catagories detected in %s at line %d", __FILE__, __LINE__, ruleset, linecount);
}
}
}
}
if ( found == 0 )
{
Sagan_Log(S_ERROR, "[%s, line %d] Unknown Bluedot category '%s' found in %s at line %d. Abort!", __FILE__, __LINE__, tmp2, ruleset, linecount);
}
tmptoken = strtok_r(NULL, "," , &saveptrrule);
}
}
