X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=src%2Fsyscheckd%2Frun_realtime.c;h=839e5b85eb54a043d60535c7d4d5df977b0188f8;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hp=efae8062277a79bc2cc0a54bd1c537aecd047053;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/src/syscheckd/run_realtime.c b/src/syscheckd/run_realtime.c
index efae806..839e5b8 100755
--- a/src/syscheckd/run_realtime.c
+++ b/src/syscheckd/run_realtime.c
@@ -1,11 +1,12 @@
-/* @(#) $Id: run_realtime.c,v 1.12 2009/12/01 15:40:08 dcid Exp $ */
+/* @(#) $Id: ./src/syscheckd/run_realtime.c, 2011/09/08 dcid Exp $
+ */
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
 * Foundation
 */
@@ -38,6 +39,10 @@
 #ifdef USEINOTIFY
 #include
+#define OS_SIZE_6144 6144
+#define OS_MAXSTR OS_SIZE_6144 /* Size for logs, sockets, etc */
+#else
+#include "shared.h"
 #endif
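Review bot: The new `#define OS_MAXSTR OS_SIZE_6144` under USEINOTIFY is a private copy of a constant that the non-inotify branch takes from "shared.h", so the two builds can drift if the shared value ever changes, and if shared.h is also included elsewhere in this translation unit under USEINOTIFY the bare define will at least produce a macro-redefinition warning. Prefer including "shared.h" in both branches and dropping the local copies; failing that, guard them with `#ifndef OS_MAXSTR` / `#define OS_MAXSTR OS_SIZE_6144 /* keep in sync with shared.h */` / `#endif`. The target of the `#include` next to `#ifdef USEINOTIFY` is not legible on this page and the file's earlier includes are outside the hunk, so whether shared.h is already in scope cannot be confirmed from here.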
@@ -49,69 +54,56 @@ int c_read_file(char *file_name, char *oldsum, char *newsum);
 /* Checking sum of the realtime file being monitored. */
 int realtime_checksumfile(char *file_name)
 {
- char buf[MAX_LINE +2];
- buf[MAX_LINE +1] = '\0';
+ char *buf;
-
- fseek(syscheck.fp, 0, SEEK_SET);
- while(fgets(buf, MAX_LINE, syscheck.fp) != NULL)
+ buf = OSHash_Get(syscheck.fp, file_name);
+ if(buf != NULL)
 {
- if((buf[0] != '#') && (buf[0] != ' ') && (buf[0] != '\n'))
- {
- char *n_buf;
-
- /* Removing the new line */
- n_buf = strchr(buf,'\n');
- if(n_buf == NULL)
- continue;
-
- *n_buf = '\0';
-
-
- /* First 6 characters are for internal use */
- n_buf = buf;
- n_buf+=6;
-
- n_buf = strchr(n_buf, ' ');
- if(n_buf)
- {
- n_buf++;
-
- /* Checking if name matches */
- if(strcmp(n_buf, file_name) == 0)
- {
- char c_sum[256 +2];
- c_sum[0] = '\0';
- c_sum[255] = '\0';
-
+ char c_sum[256 +2];
+
+ c_sum[0] = '\0';
+ c_sum[255] = '\0';
+
+
+ /* If it returns < 0, we will already have alerted. */
+ if(c_read_file(file_name, buf, c_sum) < 0)
+ {
+ return(0);
+ }
+
+
+ if(strcmp(c_sum, buf+6) != 0)
+ {
+ char *fullalert = NULL;
+ char alert_msg[OS_MAXSTR +1];
+ alert_msg[OS_MAXSTR] = '\0';
+ if(buf[5] == 's' || buf[5] == 'n')
+ {
+ fullalert = seechanges_addfile(file_name);
+ if(fullalert)
+ {
+ snprintf(alert_msg, OS_MAXSTR, "%s %s\n%s", c_sum, file_name, fullalert);
+ free(fullalert);
+ fullalert = NULL;
+ }
+ else
+ {
+ snprintf(alert_msg, 912, "%s %s", c_sum, file_name);
+ }
+ }
+ else
+ {
+ snprintf(alert_msg, 912, "%s %s", c_sum, file_name);
+ }
+ send_syscheck_msg(alert_msg);
+
+ return(1);
+ }
+
+ return(0);
- /* If it returns < 0, we will already have alerted.
*/
- if(c_read_file(file_name, buf, c_sum) < 0)
- continue;
-
-
- if(strcmp(c_sum, buf+6) != 0)
- {
- char alert_msg[912 +2];
-
- /* Sending the new checksum to the analysis server */
- alert_msg[912 +1] = '\0';
- snprintf(alert_msg, 912, "%s %s", c_sum, file_name);
- send_syscheck_msg(alert_msg);
-
- return(1);
- }
-
- return(0);
-
- }
- }
- }
 }
-
- /* Adding entry if not in there. */
- fseek(syscheck.fp, 0, SEEK_END);
 return(0);
 }
@@ -122,7 +114,7 @@ int realtime_checksumfile(char *file_name)
 #include
-#define REALTIME_MONITOR_FLAGS IN_MODIFY|IN_ATTRIB|IN_MOVED_TO|IN_DELETE|IN_MOVED_FROM
+#define REALTIME_MONITOR_FLAGS IN_MODIFY|IN_ATTRIB|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE|IN_DELETE_SELF
 #define REALTIME_EVENT_SIZE (sizeof (struct inotify_event))
 #define REALTIME_EVENT_BUFFER (2048 * (REALTIME_EVENT_SIZE + 16))
@@ -148,7 +140,7 @@ int realtime_start()
 merror("%s: ERROR: Unable to initialize inotify.", ARGV0);
 return(-1);
 }
- #endif
+ #endif
 return(1);
 }
@@ -175,10 +167,10 @@ int realtime_adddir(char *dir)
 wd = inotify_add_watch(syscheck.realtime->fd, dir,
- REALTIME_MONITOR_FLAGS);
+ REALTIME_MONITOR_FLAGS);
 if(wd < 0)
 {
- merror("%s: ERROR: Unable to add directory to real time "
+ merror("%s: ERROR: Unable to add directory to real time "
 "monitoring: '%s'. %d %d", ARGV0, dir, wd, errno);
 }
 else
@@ -220,13 +212,13 @@ int realtime_process()
 len = read(syscheck.realtime->fd, buf, REALTIME_EVENT_BUFFER);
- if (len < 0)
+ if (len < 0)
 {
 merror("%s: ERROR: Unable to read from real time buffer.", ARGV0);
- }
+ }
 else if (len > 0)
 {
- while (i < len)
+ while (i < len)
 {
 event = (struct inotify_event *) &buf[i];
@@ -240,7 +232,7 @@ int realtime_process()
 snprintf(wdchar, 32, "%d", event->wd);
- snprintf(final_name, MAX_LINE, "%s/%s",
+ snprintf(final_name, MAX_LINE, "%s/%s",
 (char *)OSHash_Get(syscheck.realtime->dirtb, wdchar), event->name);
 realtime_checksumfile(final_name);
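Review bot: The two fallback `snprintf(alert_msg, 912, "%s %s", c_sum, file_name)` calls in the new realtime_checksumfile still cap the message at 912 bytes although alert_msg is now OS_MAXSTR+1 long, so a long path (final_name in realtime_process is built with a MAX_LINE bound, visible in the last hunk) is silently truncated in the alert sent to the server while the seechanges branch right above uses the full OS_MAXSTR; the two fallback branches are also byte-identical and can be folded into one default written before the `if`, as below. `buf[5]` and `buf+6` are read without checking that the value returned by OSHash_Get is at least six bytes long — if that is an invariant of whoever fills syscheck.fp, a one-line comment stating it would help, otherwise a `strlen(buf) > 6` check belongs before the test on `buf[5]`. Nothing in this hunk updates the hash entry after send_syscheck_msg, so later events on the same file will presumably re-alert with the same checksum until the entry is refreshed elsewhere; worth confirming against c_read_file, which is outside this diff.
```c
        /* … unchanged: OSHash_Get lookup, c_read_file call … */
        if(strcmp(c_sum, buf+6) != 0)
        {
            char *fullalert = NULL;
            char alert_msg[OS_MAXSTR +1];
            alert_msg[OS_MAXSTR] = '\0';

            /* Default form; replaced below only when a content diff is available. */
            snprintf(alert_msg, OS_MAXSTR, "%s %s", c_sum, file_name);
            if(buf[5] == 's' || buf[5] == 'n')
            {
                fullalert = seechanges_addfile(file_name);
                if(fullalert)
                {
                    snprintf(alert_msg, OS_MAXSTR, "%s %s\n%s", c_sum, file_name, fullalert);
                    free(fullalert);
                    fullalert = NULL;
                }
            }
            send_syscheck_msg(alert_msg);
            /* … unchanged: return(1) … */
```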
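Review bot: IN_DELETE_SELF is now part of REALTIME_MONITOR_FLAGS, but an IN_DELETE_SELF event carries no name (event->len is 0) and the kernel removes the watch afterwards, while the part of realtime_process visible in this diff still builds `dir/<name>` from every event and passes it to realtime_checksumfile without consulting event->mask — if the mask is filtered earlier in the loop (outside the hunk) this is fine, otherwise such events should be skipped and the dirtb entry for the dead wd dropped. The macro body is also an unparenthesized OR-chain; `#define REALTIME_MONITOR_FLAGS (IN_MODIFY|IN_ATTRIB|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE|IN_DELETE_SELF)` keeps it safe if it is ever combined with `&` or `~` at a use site.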
@@ -289,7 +281,7 @@ void CALLBACK RTCallBack(DWORD dwerror, DWORD dwBytes, LPOVERLAPPED overlap)
 if(dwerror != ERROR_SUCCESS)
 {
- merror("%s: ERROR: real time call back called, but error is set.",
+ merror("%s: ERROR: real time call back called, but error is set.",
 ARGV0);
 return;
 }
@@ -301,12 +293,12 @@ void CALLBACK RTCallBack(DWORD dwerror, DWORD dwBytes, LPOVERLAPPED overlap)
 rtlocald = OSHash_Get(syscheck.realtime->dirtb, wdchar);
 if(rtlocald == NULL)
 {
- merror("%s: ERROR: real time call back called, but hash is empty.",
+ merror("%s: ERROR: real time call back called, but hash is empty.",
 ARGV0);
 return;
 }
-
+
 do {
@@ -378,11 +370,11 @@ int realtime_win32read(win32rtfim *rtlocald)
 TRUE, FILE_NOTIFY_CHANGE_FILE_NAME|FILE_NOTIFY_CHANGE_DIR_NAME|FILE_NOTIFY_CHANGE_SIZE|FILE_NOTIFY_CHANGE_LAST_WRITE, 0,
- &rtlocald->overlap,
+ &rtlocald->overlap,
 RTCallBack);
 if(rc == 0)
 {
- merror("%s: ERROR: Unable to set directory for monitoring: %s",
+ merror("%s: ERROR: Unable to set directory for monitoring: %s",
 ARGV0, rtlocald->dir);
 sleep(2);
 }
@@ -412,7 +404,7 @@ int realtime_adddir(char *dir)
 os_calloc(1, sizeof(win32rtfim), rtlocald);
-
+
 rtlocald->h = CreateFile(dir, FILE_LIST_DIRECTORY,
@@ -423,8 +415,8 @@ int realtime_adddir(char *dir)
 NULL);
- if(rtlocald->h == INVALID_HANDLE_VALUE ||
- rtlocald->h == NULL)
+ if(rtlocald->h == INVALID_HANDLE_VALUE ||
+ rtlocald->h == NULL)
 {
 free(rtlocald);
 rtlocald = NULL;
@@ -444,7 +436,7 @@ int realtime_adddir(char *dir)
 if(OSHash_Get(syscheck.realtime->dirtb, wdchar))
 {
- merror("%s: ERROR: Entry already in the real time hash: %s",
+ merror("%s: ERROR: Entry already in the real time hash: %s",
 ARGV0, wdchar);
 CloseHandle(rtlocald->overlap.hEvent);
 free(rtlocald);