sbool Sagan_BroIntel_IPADDR ( uint32_t ip ) { int i; /* If RFC1918, we can short circuit here */ if ( is_rfc1918(ip)) { if ( debug->debugbrointel ) { Sagan_Log(S_DEBUG, "[%s, line %d] %u is RFC1918, link local or invalid.", __FILE__, __LINE__, ip); } return(false); } /* Search array for for the IP address */ for ( i = 0; i < counters->brointel_addr_count; i++) { if ( Sagan_BroIntel_Intel_Addr[i].u32_ip == ip ) { if ( debug->debugbrointel ) { Sagan_Log(S_DEBUG, "[%s, line %d] Found IP %u.", __FILE__, __LINE__, ip); } return(true); } } return(false); }
std::string BGP::api_get_private_origin_as(BGP* bgp, std::vector<std::string> &tokens) { if (tokens.size() < 4) { return "{\"entries\":[\"prefix\":\"invalid number of parameters\"]}"; } bgp->lock_adj_rib_in(); uint32_t asn = string_to_uint32_t(tokens[2]); uint32_t length = string_to_uint32_t(tokens[3]); // container to hold matches std::vector<prefix_matches> ip_matches; uint8_t len = 0; for (bgp_adj_rib::iterator it_entry = bgp->get_adj_rib_in().begin(); it_entry != bgp->get_adj_rib_in().end(); ++it_entry) { if (it_entry->second.as_path != nullptr) { len = (it_entry->second.as_path->length - 1); // if is rfc1918 then lets check the length if (is_rfc1918(it_entry->second.nlri.prefix)) { // we only want blocks larger than or equal to length if (it_entry->second.nlri.prefix_length <= length) { if (it_entry->second.as_path->seg_value[len] == asn) { ip_matches.push_back({it_entry->second.nlri.prefix, it_entry->second.nlri.prefix_length}); } } } } } bgp->unlock_adj_rib_in(); std::stringstream s_s; s_s.clear(); s_s << "{\"entries\":["; if (!ip_matches.empty()) { std::vector<prefix_matches>::iterator it_match; for (it_match = ip_matches.begin(); it_match != ip_matches.end(); ++it_match) { s_s << "\"" << ip_to_string(it_match->ip) << '/' << (int) it_match->length << "\""; if ((it_match + 1) != ip_matches.end()) { s_s << ","; } } } s_s << "]}"; return s_s.str(); }
int Sagan_Bluedot_Lookup(char *data, unsigned char type) { char tmpurl[1024] = { 0 }; char tmpdeviceid[64] = { 0 }; CURL *curl; CURLcode res; struct curl_slist *headers = NULL; char *response=NULL; struct json_object *json_in = NULL; const char *cat=NULL; char cattmp[128] = { 0 }; char *saveptr=NULL; signed char bluedot_alertid = 0; /* -128 to 127 */ int i; char timet[20] = { 0 }; time_t t; struct tm *now=NULL; uint64_t ip = 0; t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); /************************************************************************/ /* Lookup types */ /************************************************************************/ /* IP Address Lookup */ if ( type == BLUEDOT_LOOKUP_IP ) { ip = IP2Bit(data); if ( is_rfc1918(ip) ) { if ( debug->debugbluedot ) { Sagan_Log(S_DEBUG, "[%s, line %d] %s is RFC1918.", __FILE__, __LINE__, data); } return(false); } for (i=0; i<counters->bluedot_ip_cache_count; i++) { if ( ip == SaganBluedotIPCache[i].host) { if (debug->debugbluedot) { Sagan_Log(S_DEBUG, "[%s, line %d] Pulled %s (%u) from Bluedot cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotIPCache[i].host, SaganBluedotIPCache[i].alertid); } pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_ip_cache_hit++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); return(SaganBluedotIPCache[i].alertid); } } /* Check Bluedot IP Queue, make sure we aren't looking up something that is already being looked up */ for (i=0; i < bluedot_ip_queue; i++) { if ( ip == SaganBluedotIPQueue[i].host ) { if (debug->debugbluedot) { Sagan_Log(S_DEBUG, "[%s, line %d] %s (%u) is already being looked up. Skipping....", __FILE__, __LINE__, data, SaganBluedotIPQueue[i].host); } return(false); } } /* If not in Bluedot IP queue, add it */ pthread_mutex_lock(&SaganProcBluedotIPWorkMutex); SaganBluedotIPQueue = (_Sagan_Bluedot_IP_Queue *) realloc(SaganBluedotIPQueue, (bluedot_ip_queue+1) * sizeof(_Sagan_Bluedot_IP_Queue)); SaganBluedotIPQueue[bluedot_ip_queue].host = ip; bluedot_ip_queue++; pthread_mutex_unlock(&SaganProcBluedotIPWorkMutex); if (debug->debugbluedot) { Sagan_Log(S_DEBUG, "[%s, line %d] Going to query IP %s (%u) from Bluedot.", __FILE__, __LINE__, data, ip); } snprintf(tmpurl, sizeof(tmpurl), "%s%s%s", config->bluedot_url, BLUEDOT_IP_LOOKUP_URL, data); } /* BLUEDOT_LOOKUP_IP */ if ( type == BLUEDOT_LOOKUP_HASH ) { for (i=0; i<counters->bluedot_hash_cache_count; i++) { if (!strcmp(data, SaganBluedotHashCache[i].hash)) { if (debug->debugbluedot) { Sagan_Log(S_DEBUG, "[%s, line %d] Pulled file hash '%s' from Bluedot hash cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotHashCache[i].alertid); } pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_hash_cache_hit++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); return(SaganBluedotHashCache[i].alertid); } } snprintf(tmpurl, sizeof(tmpurl), "%s%s%s", config->bluedot_url, BLUEDOT_HASH_LOOKUP_URL, data); } if ( type == BLUEDOT_LOOKUP_URL ) { for (i=0; i<counters->bluedot_url_cache_count; i++) { if (!strcmp(data, SaganBluedotURLCache[i].url)) { if (debug->debugbluedot) { Sagan_Log(S_DEBUG, "[%s, line %d] Pulled file URL '%s' from Bluedot URL cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotURLCache[i].alertid); } pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_url_cache_hit++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); return(SaganBluedotURLCache[i].alertid); } } snprintf(tmpurl, sizeof(tmpurl), "%s%s%s", config->bluedot_url, BLUEDOT_URL_LOOKUP_URL, data); } if ( type == BLUEDOT_LOOKUP_FILENAME ) { for (i=0; i<counters->bluedot_filename_cache_count; i++) { if (!strcmp(data, SaganBluedotFilenameCache[i].filename)) { if (debug->debugbluedot) { Sagan_Log(S_DEBUG, "[%s, line %d] Pulled file filename '%s' from Bluedot filename cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotFilenameCache[i].alertid); } pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_filename_cache_hit++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); return(SaganBluedotFilenameCache[i].alertid); } } snprintf(tmpurl, sizeof(tmpurl), "%s%s%s", config->bluedot_url, BLUEDOT_FILENAME_LOOKUP_URL, data); } snprintf(tmpdeviceid, sizeof(tmpdeviceid), "X-BLUEDOT-DEVICEID: %s", config->bluedot_device_id); curl = curl_easy_init(); if (curl) { curl_easy_setopt(curl, CURLOPT_URL, tmpurl); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback_func); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1); /* WIll send SIGALRM if not set */ headers = curl_slist_append (headers, BLUEDOT_PROCESSOR_USER_AGENT); headers = curl_slist_append (headers, tmpdeviceid); // headers = curl_slist_append (headers, "X-Bluedot-Verbose: 1"); /* For more verbose output */ curl_easy_setopt(curl, CURLOPT_HTTPHEADER , headers ); res = curl_easy_perform(curl); } curl_easy_cleanup(curl); if ( response == NULL ) { Sagan_Log(S_WARN, "[%s, line %d] Bluedot returned a empty \"response\".", __FILE__, __LINE__); pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_error_count++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); Sagan_Bluedot_Clean_Queue(data, type); return(false); } json_in = json_tokener_parse(response); if ( type == BLUEDOT_LOOKUP_IP ) { cat = json_object_get_string(json_object_object_get(json_in, "qipcode")); } else if ( type == BLUEDOT_LOOKUP_HASH ) { cat = json_object_get_string(json_object_object_get(json_in, "qhashcode")); } else if ( type == BLUEDOT_LOOKUP_URL ) { cat = json_object_get_string(json_object_object_get(json_in, "qurlcode")); } else if ( type == BLUEDOT_LOOKUP_FILENAME ) { cat = json_object_get_string(json_object_object_get(json_in, "qfilenamecode")); } if ( cat == NULL ) { Sagan_Log(S_WARN, "Bluedot return a bad category."); pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_error_count++; // DEBUG <- Total error count pthread_mutex_unlock(&SaganProcBluedotWorkMutex); Sagan_Bluedot_Clean_Queue(data, type); return(false); } /* strtok_r() doesn't like const char *cat */ snprintf(cattmp, sizeof(cattmp), "%s", cat); strtok_r(cattmp, "\"", &saveptr); bluedot_alertid = atoi(strtok_r(NULL, "\"", &saveptr)); if ( debug->debugbluedot) { Sagan_Log(S_DEBUG, "[%s, line %d] Bluedot return category \"%d\" for %s.", __FILE__, __LINE__, bluedot_alertid, data); } if ( bluedot_alertid == -1 ) { Sagan_Log(S_WARN, "Bluedot reports an invalid API key. Lookup aborted!"); counters->bluedot_error_count++; return(false); } /************************************************************************/ /* Add entries to cache */ /************************************************************************/ /* IP Address lookup */ if ( type == BLUEDOT_LOOKUP_IP ) { pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_ip_total++; SaganBluedotIPCache = (_Sagan_Bluedot_IP_Cache *) realloc(SaganBluedotIPCache, (counters->bluedot_ip_cache_count+1) * sizeof(_Sagan_Bluedot_IP_Cache)); SaganBluedotIPCache[counters->bluedot_ip_cache_count].host = ip; SaganBluedotIPCache[counters->bluedot_ip_cache_count].utime = atol(timet); /* store utime */ SaganBluedotIPCache[counters->bluedot_ip_cache_count].alertid = bluedot_alertid; counters->bluedot_ip_cache_count++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); } /* File hash lookup */ else if ( type == BLUEDOT_LOOKUP_HASH ) { pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_hash_total++; SaganBluedotHashCache = (_Sagan_Bluedot_Hash_Cache *) realloc(SaganBluedotHashCache, (counters->bluedot_hash_cache_count+1) * sizeof(_Sagan_Bluedot_Hash_Cache)); strlcpy(SaganBluedotHashCache[counters->bluedot_hash_cache_count].hash, data, sizeof(SaganBluedotHashCache[counters->bluedot_hash_cache_count].hash)); SaganBluedotHashCache[counters->bluedot_hash_cache_count].utime = atol(timet); /* store utime */ SaganBluedotHashCache[counters->bluedot_hash_cache_count].alertid = bluedot_alertid; counters->bluedot_hash_cache_count++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); } /* URL lookup */ else if ( type == BLUEDOT_LOOKUP_URL ) { pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_url_total++; SaganBluedotURLCache = (_Sagan_Bluedot_URL_Cache *) realloc(SaganBluedotURLCache, (counters->bluedot_url_cache_count+1) * sizeof(_Sagan_Bluedot_URL_Cache)); strlcpy(SaganBluedotURLCache[counters->bluedot_url_cache_count].url, data, sizeof(SaganBluedotURLCache[counters->bluedot_url_cache_count].url)); SaganBluedotURLCache[counters->bluedot_url_cache_count].utime = atol(timet); /* store utime */ SaganBluedotURLCache[counters->bluedot_url_cache_count].alertid = bluedot_alertid; counters->bluedot_url_cache_count++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); } /* Filename Lookup */ else if ( type == BLUEDOT_LOOKUP_FILENAME ) { pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_filename_total++; SaganBluedotFilenameCache = (_Sagan_Bluedot_Filename_Cache *) realloc(SaganBluedotFilenameCache, (counters->bluedot_filename_cache_count+1) * sizeof(_Sagan_Bluedot_Filename_Cache)); strlcpy(SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].filename, data, sizeof(SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].filename)); SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].utime = atol(timet); SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].alertid = bluedot_alertid; counters->bluedot_filename_cache_count++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); } Sagan_Bluedot_Clean_Queue(data, type); /* Remove item for "queue" */ json_object_put(json_in); /* Clear json_in as we're done with it */ return(bluedot_alertid); }