-/* @(#) $Id: fts.c,v 1.34 2009/06/24 17:06:22 dcid Exp $ */
+/* @(#) $Id: ./src/analysisd/fts.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-/* First time seen functions
+/* First time seen functions
*/
int fts_minsize_for_str = 0;
OSList *fts_list = NULL;
-OSStore *fts_store = NULL;
+OSHash *fts_store = NULL;
FILE *fp_list = NULL;
FILE *fp_ignore = NULL;
char _line[OS_FLSIZE + 1];
_line[OS_FLSIZE] = '\0';
-
-
+
+
fts_list = OSList_Create();
if(!fts_list)
{
}
/* Creating store data */
- fts_store = OSStore_Create();
+ fts_store = OSHash_Create();
if(!fts_store)
{
merror(LIST_ERROR, ARGV0);
return(0);
}
-
+ if(!OSHash_setSize(fts_store, 2048))
+ {
+ merror(LIST_ERROR, ARGV0);
+ return(0);
+ }
+
+
/* Getting default list size */
fts_list_size = getDefine_Int("analysisd",
"fts_list_size",
fts_minsize_for_str = getDefine_Int("analysisd",
"fts_min_size_for_str",
6, 128);
-
+
if(!OSList_SetMaxSize(fts_list, fts_list_size))
{
merror(LIST_SIZE_ERROR, ARGV0);
fp_list = fopen(FTS_QUEUE, "w+");
if(fp_list)
fclose(fp_list);
-
+
+ chmod(FTS_QUEUE, 0640);
+
+ int uid = Privsep_GetUser(USER);
+ int gid = Privsep_GetGroup(GROUPGLOBAL);
+ if(uid>=0 && gid>=0)
+ chown(FTS_QUEUE, uid, gid);
+
fp_list = fopen(FTS_QUEUE, "r+");
if(!fp_list)
{
os_strdup(_line, tmp_s);
- if(!OSStore_Put(fts_store, tmp_s, NULL))
+ if(OSHash_Add(fts_store, tmp_s, tmp_s) <= 0)
{
+ free(tmp_s);
merror(LIST_ADD_ERROR, ARGV0);
}
}
-
+
/* Creating ignore list */
fp_ignore = fopen(IG_QUEUE, "r+");
if(!fp_ignore)
fp_ignore = fopen(IG_QUEUE, "w+");
if(fp_ignore)
fclose(fp_ignore);
-
+
+ chmod(IG_QUEUE, 0640);
+
+ int uid = Privsep_GetUser(USER);
+ int gid = Privsep_GetGroup(GROUPGLOBAL);
+ if(uid>=0 && gid>=0)
+ chown(IG_QUEUE, uid, gid);
+
fp_ignore = fopen(IG_QUEUE, "r+");
if(!fp_ignore)
{
}
debug1("%s: DEBUG: FTSInit completed.", ARGV0);
-
+
return(1);
}
*/
void AddtoIGnore(Eventinfo *lf)
{
- fseek(fp_ignore, 0, SEEK_END);
+ fseek(fp_ignore, 0, SEEK_END);
#ifdef TESTRULE
return;
#endif
-
+
/* Assigning the values to the FTS */
fprintf(fp_ignore, "%s %s %s %s %s %s %s %s\n",
(lf->decoder_info->name && (lf->generated_rule->ignore & FTS_NAME))?
(lf->dstip && (lf->generated_rule->ignore & FTS_DSTIP))?
lf->dstip:"",
(lf->data && (lf->generated_rule->ignore & FTS_DATA))?
- lf->data:"",
+ lf->data:"",
(lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
- lf->systemname:"",
+ lf->systemname:"",
(lf->generated_rule->ignore & FTS_LOCATION)?lf->location:"");
fflush(fp_ignore);
(lf->data && (lf->generated_rule->ignore & FTS_DATA))?
lf->data:"",
(lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
- lf->systemname:"",
+ lf->systemname:"",
(lf->generated_rule->ckignore & FTS_LOCATION)?lf->location:"");
_fline[OS_FLSIZE] = '\0';
/* FTS v0.1
* Check if the word "msg" is present on the "queue".
* If it is not, write it there.
- */
+ */
int FTS(Eventinfo *lf)
{
int number_of_matches = 0;
char _line[OS_FLSIZE + 1];
-
+
char *line_for_list = NULL;
OSListNode *fts_node;
/** Checking if FTS is already present **/
- if(lf->decoder_info->type == WINDOWS)
- {
- /* Windows is case insensitive */
- if(OSStore_NCaseCheck(fts_store, _line))
- {
- return(0);
- }
- }
- else if(OSStore_NCheck(fts_store, _line))
+ if(OSHash_Get(fts_store, _line))
{
return(0);
}
-
+
/* Checking if from the last FTS events, we had
* at least 3 "similars" before. If yes, we just
* ignore it.
fts_node = OSList_GetLastNode(fts_list);
while(fts_node)
{
- if(OS_StrHowClosedMatch((char *)fts_node->data, _line) >
+ if(OS_StrHowClosedMatch((char *)fts_node->data, _line) >
fts_minsize_for_str)
{
number_of_matches++;
os_strdup(_line, line_for_list);
OSList_AddData(fts_list, line_for_list);
}
-
-
+
+
/* Storing new entry */
if(line_for_list == NULL)
{
os_strdup(_line, line_for_list);
}
- if(!OSStore_Put(fts_store, line_for_list, NULL))
+ if(OSHash_Add(fts_store, line_for_list, line_for_list) <= 1)
{
- merror(LIST_ADD_ERROR, ARGV0);
+ return(0);
}
-
+
#ifdef TESTRULE
return(1);
#endif
-
-
+
+
/* Saving to fts fp */
fseek(fp_list, 0, SEEK_END);
fprintf(fp_list,"%s\n", _line);
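Review bot: The queue files are created by `fopen(..., "w+")` under the process umask and only tightened afterwards with `chmod(FTS_QUEUE, 0640)` and `chown(...)` on the path name (same pattern for IG_QUEUE), so the file can briefly exist with wider permissions, the path-based calls will follow a symlink planted at that name, and neither return value is checked. Creating the file with an explicit mode and fixing mode/ownership on the descriptor closes that window; a sketch is below. Separately, `int uid` / `int gid` are declared a second time for IG_QUEUE and, if both pairs sit in the same block of the init function (its opening is outside this hunk), that is a redeclaration error in C — reuse the first pair or scope each into its own block. In FTS(), `OSHash_Add(...) <= 1` now returns 0 silently, and when `line_for_list` was freshly duplicated on the preceding line rather than handed to fts_list it is leaked; free it on that path and keep the `merror` for the `<= 0` failure case. FTS()'s body continues past the end of the hunk.
```c
/* … unchanged: list/store setup … */
int uid = Privsep_GetUser(USER);
int gid = Privsep_GetGroup(GROUPGLOBAL);

/* Create the queue with its final mode instead of relying on umask + chmod */
int fd = open(FTS_QUEUE, O_WRONLY | O_CREAT, 0640);
if(fd >= 0)
{
    if(fchmod(fd, 0640) < 0 ||
       (uid >= 0 && gid >= 0 && fchown(fd, uid, gid) < 0))
    {
        merror("%s: ERROR: Could not set permissions on '%s'", ARGV0, FTS_QUEUE);
    }
    close(fd);
}
/* … unchanged: fopen(FTS_QUEUE, "r+") and queue loading … */
```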