novi upstream verzije 2.8.3
diff --git
a/src/analysisd/fts.c
b/src/analysisd/fts.c
index
34eecbd
..
9ab65c6
100755
(executable)
--- a/
src/analysisd/fts.c
+++ b/
src/analysisd/fts.c
@@
-1,19
+1,20
@@
-/* @(#) $Id: fts.c,v 1.34 2009/06/24 17:06:22 dcid Exp $ */
+/* @(#) $Id: ./src/analysisd/fts.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation.
*
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
* online at: http://www.ossec.net/en/licensing.html
*/
-/* First time seen functions
+/* First time seen functions
*/
*/
@@
-23,7
+24,7
@@
int fts_minsize_for_str = 0;
OSList *fts_list = NULL;
int fts_minsize_for_str = 0;
OSList *fts_list = NULL;
-OSStore *fts_store = NULL;
+OSHash *fts_store = NULL;
FILE *fp_list = NULL;
FILE *fp_ignore = NULL;
FILE *fp_list = NULL;
FILE *fp_ignore = NULL;
@@
-38,8
+39,8
@@
int FTS_Init()
char _line[OS_FLSIZE + 1];
_line[OS_FLSIZE] = '\0';
char _line[OS_FLSIZE + 1];
_line[OS_FLSIZE] = '\0';
-
-
+
+
fts_list = OSList_Create();
if(!fts_list)
{
fts_list = OSList_Create();
if(!fts_list)
{
@@
-48,13
+49,19
@@
int FTS_Init()
}
/* Creating store data */
}
/* Creating store data */
- fts_store = OSStore_Create();
+ fts_store = OSHash_Create();
if(!fts_store)
{
merror(LIST_ERROR, ARGV0);
return(0);
}
if(!fts_store)
{
merror(LIST_ERROR, ARGV0);
return(0);
}
-
+ if(!OSHash_setSize(fts_store, 2048))
+ {
+ merror(LIST_ERROR, ARGV0);
+ return(0);
+ }
+
+
/* Getting default list size */
fts_list_size = getDefine_Int("analysisd",
"fts_list_size",
/* Getting default list size */
fts_list_size = getDefine_Int("analysisd",
"fts_list_size",
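Review bot: `OSHash_setSize(fts_store, 2048)` hard-codes the table size while the list bound read a few lines below comes from `getDefine_Int(... "fts_list_size" ...)`; a named constant, or a size derived from the configured list size, would keep the two in step and record why 2048 was chosen. On failure the freshly created `fts_store` is abandoned before `return(0)` and the message reused is LIST_ERROR, which says nothing about a hash resize, so release the table there (if an OSHash_Free exists) and emit a message naming the hash. FTS_Init continues outside this hunk.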
@@
-64,7
+71,7
@@
int FTS_Init()
fts_minsize_for_str = getDefine_Int("analysisd",
"fts_min_size_for_str",
6, 128);
fts_minsize_for_str = getDefine_Int("analysisd",
"fts_min_size_for_str",
6, 128);
-
+
if(!OSList_SetMaxSize(fts_list, fts_list_size))
{
merror(LIST_SIZE_ERROR, ARGV0);
if(!OSList_SetMaxSize(fts_list, fts_list_size))
{
merror(LIST_SIZE_ERROR, ARGV0);
@@
-80,7
+87,14
@@
int FTS_Init()
fp_list = fopen(FTS_QUEUE, "w+");
if(fp_list)
fclose(fp_list);
fp_list = fopen(FTS_QUEUE, "w+");
if(fp_list)
fclose(fp_list);
-
+
+ chmod(FTS_QUEUE, 0640);
+
+ int uid = Privsep_GetUser(USER);
+ int gid = Privsep_GetGroup(GROUPGLOBAL);
+ if(uid>=0 && gid>=0)
+ chown(FTS_QUEUE, uid, gid);
+
fp_list = fopen(FTS_QUEUE, "r+");
if(!fp_list)
{
fp_list = fopen(FTS_QUEUE, "r+");
if(!fp_list)
{
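Review bot: The permission fix-up on FTS_QUEUE is racy and unchecked: the file is created by `fopen(FTS_QUEUE, "w+")` with whatever mode the process umask allows, closed, and only then `chmod`/`chown` run by path, so the queue briefly carries the default mode, a path-based chown can follow a swapped-in symlink, and a failure of either call is silently ignored. Apply the mode and ownership to the still-open descriptor with `fchmod`/`fchown` before `fclose`, and log when they fail; a restrictive `umask` (or `open(O_CREAT|O_WRONLY, 0640)` plus `fdopen`) before the create would close the remaining creation window. `fchmod`/`fchown` need `<sys/stat.h>` and `<unistd.h>`, which the shared headers may already provide — the include list is outside this hunk. The enclosing `if(!fp_list)` branch and FTS_Init both start outside the hunk.
```c
fp_list = fopen(FTS_QUEUE, "w+");
if(fp_list)
{
    int uid = Privsep_GetUser(USER);
    int gid = Privsep_GetGroup(GROUPGLOBAL);

    /* Fix mode and ownership on the open descriptor, not by path */
    if(fchmod(fileno(fp_list), 0640) < 0)
        merror("%s: ERROR: Could not chmod '%s'", ARGV0, FTS_QUEUE);
    if(uid >= 0 && gid >= 0 && fchown(fileno(fp_list), uid, gid) < 0)
        merror("%s: ERROR: Could not chown '%s'", ARGV0, FTS_QUEUE);
    fclose(fp_list);
}
/* … unchanged: reopen FTS_QUEUE with "r+" … */
```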
@@
-105,13
+119,14
@@
int FTS_Init()
os_strdup(_line, tmp_s);
os_strdup(_line, tmp_s);
- if(!OSStore_Put(fts_store, tmp_s, NULL))
+ if(OSHash_Add(fts_store, tmp_s, tmp_s) <= 0)
{
{
+ free(tmp_s);
merror(LIST_ADD_ERROR, ARGV0);
}
}
merror(LIST_ADD_ERROR, ARGV0);
}
}
-
+
/* Creating ignore list */
fp_ignore = fopen(IG_QUEUE, "r+");
if(!fp_ignore)
/* Creating ignore list */
fp_ignore = fopen(IG_QUEUE, "r+");
if(!fp_ignore)
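Review bot: The new failure check `OSHash_Add(fts_store, tmp_s, tmp_s) <= 0` treats only a zero return as "not stored", whereas the same call in FTS() further down this diff is tested with `<= 1`; if OSHash_Add reports a duplicate key with 1, as that later test implies, a repeated line in the on-disk queue is neither stored nor freed and `tmp_s` leaks once per duplicate at startup. Use the same threshold here and keep the error log for the genuine failure only: `int rc = OSHash_Add(fts_store, tmp_s, tmp_s); if(rc <= 1) { free(tmp_s); if(rc == 0) merror(LIST_ADD_ERROR, ARGV0); }`. OSHash_Add's return convention is not visible in this hunk, so confirm it against hash_op before changing. The surrounding read loop and FTS_Init begin outside the hunk.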
@@
-120,7
+135,14
@@
int FTS_Init()
fp_ignore = fopen(IG_QUEUE, "w+");
if(fp_ignore)
fclose(fp_ignore);
fp_ignore = fopen(IG_QUEUE, "w+");
if(fp_ignore)
fclose(fp_ignore);
-
+
+ chmod(IG_QUEUE, 0640);
+
+ int uid = Privsep_GetUser(USER);
+ int gid = Privsep_GetGroup(GROUPGLOBAL);
+ if(uid>=0 && gid>=0)
+ chown(IG_QUEUE, uid, gid);
+
fp_ignore = fopen(IG_QUEUE, "r+");
if(!fp_ignore)
{
fp_ignore = fopen(IG_QUEUE, "r+");
if(!fp_ignore)
{
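Review bot: This chmod/chown sequence on IG_QUEUE is a verbatim copy of the one applied to FTS_QUEUE earlier in FTS_Init, with the same weaknesses: both calls run by path after the file has been created and closed with the umask-derived mode, and neither return value is checked. Factor it into one static helper that takes the path, or better the still-open FILE * so it can use fchmod/fchown before fclose, and logs on failure, e.g. `static void fts_set_queue_perms(const char *path);` called as `fts_set_queue_perms(IG_QUEUE);` from both sites. The enclosing `if(!fp_ignore)` branch opens outside this hunk.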
@@
-130,7
+152,7
@@
int FTS_Init()
}
debug1("%s: DEBUG: FTSInit completed.", ARGV0);
}
debug1("%s: DEBUG: FTSInit completed.", ARGV0);
-
+
return(1);
}
return(1);
}
@@
-138,12
+160,12
@@
int FTS_Init()
*/
void AddtoIGnore(Eventinfo *lf)
{
*/
void AddtoIGnore(Eventinfo *lf)
{
- fseek(fp_ignore, 0, SEEK_END);
+ fseek(fp_ignore, 0, SEEK_END);
#ifdef TESTRULE
return;
#endif
#ifdef TESTRULE
return;
#endif
-
+
/* Assigning the values to the FTS */
fprintf(fp_ignore, "%s %s %s %s %s %s %s %s\n",
(lf->decoder_info->name && (lf->generated_rule->ignore & FTS_NAME))?
/* Assigning the values to the FTS */
fprintf(fp_ignore, "%s %s %s %s %s %s %s %s\n",
(lf->decoder_info->name && (lf->generated_rule->ignore & FTS_NAME))?
@@
-156,9
+178,9
@@
void AddtoIGnore(Eventinfo *lf)
(lf->dstip && (lf->generated_rule->ignore & FTS_DSTIP))?
lf->dstip:"",
(lf->data && (lf->generated_rule->ignore & FTS_DATA))?
(lf->dstip && (lf->generated_rule->ignore & FTS_DSTIP))?
lf->dstip:"",
(lf->data && (lf->generated_rule->ignore & FTS_DATA))?
- lf->data:"",
+ lf->data:"",
(lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
(lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
- lf->systemname:"",
+ lf->systemname:"",
(lf->generated_rule->ignore & FTS_LOCATION)?lf->location:"");
fflush(fp_ignore);
(lf->generated_rule->ignore & FTS_LOCATION)?lf->location:"");
fflush(fp_ignore);
@@
-193,7
+215,7
@@
int IGnore(Eventinfo *lf)
(lf->data && (lf->generated_rule->ignore & FTS_DATA))?
lf->data:"",
(lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
(lf->data && (lf->generated_rule->ignore & FTS_DATA))?
lf->data:"",
(lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
- lf->systemname:"",
+ lf->systemname:"",
(lf->generated_rule->ckignore & FTS_LOCATION)?lf->location:"");
_fline[OS_FLSIZE] = '\0';
(lf->generated_rule->ckignore & FTS_LOCATION)?lf->location:"");
_fline[OS_FLSIZE] = '\0';
@@
-218,13
+240,13
@@
int IGnore(Eventinfo *lf)
/* FTS v0.1
* Check if the word "msg" is present on the "queue".
* If it is not, write it there.
/* FTS v0.1
* Check if the word "msg" is present on the "queue".
* If it is not, write it there.
- */
+ */
int FTS(Eventinfo *lf)
{
int number_of_matches = 0;
char _line[OS_FLSIZE + 1];
int FTS(Eventinfo *lf)
{
int number_of_matches = 0;
char _line[OS_FLSIZE + 1];
-
+
char *line_for_list = NULL;
OSListNode *fts_node;
char *line_for_list = NULL;
OSListNode *fts_node;
@@
-246,20
+268,12
@@
int FTS(Eventinfo *lf)
/** Checking if FTS is already present **/
/** Checking if FTS is already present **/
- if(lf->decoder_info->type == WINDOWS)
- {
- /* Windows is case insensitive */
- if(OSStore_NCaseCheck(fts_store, _line))
- {
- return(0);
- }
- }
- else if(OSStore_NCheck(fts_store, _line))
+ if(OSHash_Get(fts_store, _line))
{
return(0);
}
{
return(0);
}
-
+
/* Checking if from the last FTS events, we had
* at least 3 "similars" before. If yes, we just
* ignore it.
/* Checking if from the last FTS events, we had
* at least 3 "similars" before. If yes, we just
* ignore it.
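Review bot: Replacing the two-way OSStore check with a single `OSHash_Get(fts_store, _line)` drops the case-insensitive lookup the old code applied when `lf->decoder_info->type == WINDOWS`, so Windows events that differ only in case (user or host names, typically) will now each be reported as first-time-seen. If OSHash offers no case-insensitive lookup, derive a lowercased key for the WINDOWS type and use it for both the Get here and the Add later in FTS(), leaving `_line` itself untouched so the queue file content does not change. If dropping the distinction is intentional for 2.8.3, a one-line comment here such as `/* case-sensitive on purpose: OSHash keys are exact; Windows lowercasing removed in 2.8.3 */` would stop the next reader from re-adding it. FTS() starts and ends outside this hunk.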
@@
-269,7
+283,7
@@
int FTS(Eventinfo *lf)
fts_node = OSList_GetLastNode(fts_list);
while(fts_node)
{
fts_node = OSList_GetLastNode(fts_list);
while(fts_node)
{
- if(OS_StrHowClosedMatch((char *)fts_node->data, _line) >
+ if(OS_StrHowClosedMatch((char *)fts_node->data, _line) >
fts_minsize_for_str)
{
number_of_matches++;
fts_minsize_for_str)
{
number_of_matches++;
@@
-288,25
+302,25
@@
int FTS(Eventinfo *lf)
os_strdup(_line, line_for_list);
OSList_AddData(fts_list, line_for_list);
}
os_strdup(_line, line_for_list);
OSList_AddData(fts_list, line_for_list);
}
-
-
+
+
/* Storing new entry */
if(line_for_list == NULL)
{
os_strdup(_line, line_for_list);
}
/* Storing new entry */
if(line_for_list == NULL)
{
os_strdup(_line, line_for_list);
}
- if(!OSStore_Put(fts_store, line_for_list, NULL))
+ if(OSHash_Add(fts_store, line_for_list, line_for_list) <= 1)
{
{
- merror(LIST_ADD_ERROR, ARGV0);
+ return(0);
}
}
-
+
#ifdef TESTRULE
return(1);
#endif
#ifdef TESTRULE
return(1);
#endif
-
-
+
+
/* Saving to fts fp */
fseek(fp_list, 0, SEEK_END);
fprintf(fp_list,"%s\n", _line);
/* Saving to fts fp */
fseek(fp_list, 0, SEEK_END);
fprintf(fp_list,"%s\n", _line);