X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Fanalysisd%2Ffts.c;h=9ab65c6681f5a138fa29b859097716e759489cae;hb=789cbc8e52da68eba3517b920ef22e000cf3c9fd;hp=34eecbd811c5abd37dc55c88c2439af489e970d1;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git diff --git a/src/analysisd/fts.c b/src/analysisd/fts.c index 34eecbd..9ab65c6 100755 --- a/src/analysisd/fts.c +++ b/src/analysisd/fts.c @@ -1,19 +1,20 @@ -/* @(#) $Id: fts.c,v 1.34 2009/06/24 17:06:22 dcid Exp $ */ +/* @(#) $Id: ./src/analysisd/fts.c, 2011/09/08 dcid Exp $ + */ /* Copyright (C) 2009 Trend Micro Inc. * All rights reserved. * * This program is a free software; you can redistribute it * and/or modify it under the terms of the GNU General Public - * License (version 3) as published by the FSF - Free Software + * License (version 2) as published by the FSF - Free Software * Foundation. * - * License details at the LICENSE file included with OSSEC or + * License details at the LICENSE file included with OSSEC or * online at: http://www.ossec.net/en/licensing.html */ -/* First time seen functions +/* First time seen functions */ @@ -23,7 +24,7 @@ int fts_minsize_for_str = 0; OSList *fts_list = NULL; -OSStore *fts_store = NULL; +OSHash *fts_store = NULL; FILE *fp_list = NULL; FILE *fp_ignore = NULL; @@ -38,8 +39,8 @@ int FTS_Init() char _line[OS_FLSIZE + 1]; _line[OS_FLSIZE] = '\0'; - - + + fts_list = OSList_Create(); if(!fts_list) { @@ -48,13 +49,19 @@ int FTS_Init() } /* Creating store data */ - fts_store = OSStore_Create(); + fts_store = OSHash_Create(); if(!fts_store) { merror(LIST_ERROR, ARGV0); return(0); } - + if(!OSHash_setSize(fts_store, 2048)) + { + merror(LIST_ERROR, ARGV0); + return(0); + } + + /* Getting default list size */ fts_list_size = getDefine_Int("analysisd", "fts_list_size", 
@@ -64,7 +71,7 @@ int FTS_Init() fts_minsize_for_str = getDefine_Int("analysisd", "fts_min_size_for_str", 6, 128); - + if(!OSList_SetMaxSize(fts_list, fts_list_size)) { merror(LIST_SIZE_ERROR, ARGV0); @@ -80,7 +87,14 @@ int FTS_Init() fp_list = fopen(FTS_QUEUE, "w+"); if(fp_list) fclose(fp_list); - + + chmod(FTS_QUEUE, 0640); + + int uid = Privsep_GetUser(USER); + int gid = Privsep_GetGroup(GROUPGLOBAL); + if(uid>=0 && gid>=0) + chown(FTS_QUEUE, uid, gid); + fp_list = fopen(FTS_QUEUE, "r+"); if(!fp_list) { @@ -105,13 +119,14 @@ int FTS_Init() os_strdup(_line, tmp_s); - if(!OSStore_Put(fts_store, tmp_s, NULL)) + if(OSHash_Add(fts_store, tmp_s, tmp_s) <= 0) { + free(tmp_s); merror(LIST_ADD_ERROR, ARGV0); } } - + /* Creating ignore list */ fp_ignore = fopen(IG_QUEUE, "r+"); if(!fp_ignore) @@ -120,7 +135,14 @@ int FTS_Init() fp_ignore = fopen(IG_QUEUE, "w+"); if(fp_ignore) fclose(fp_ignore); - + + chmod(IG_QUEUE, 0640); + + int uid = Privsep_GetUser(USER); + int gid = Privsep_GetGroup(GROUPGLOBAL); + if(uid>=0 && gid>=0) + chown(IG_QUEUE, uid, gid); + fp_ignore = fopen(IG_QUEUE, "r+"); if(!fp_ignore) { @@ -130,7 +152,7 @@ int FTS_Init() } debug1("%s: DEBUG: FTSInit completed.", ARGV0); - + return(1); } @@ -138,12 +160,12 @@ int FTS_Init() */ void AddtoIGnore(Eventinfo *lf) { - fseek(fp_ignore, 0, SEEK_END); + fseek(fp_ignore, 0, SEEK_END); #ifdef TESTRULE return; #endif - + /* Assigning the values to the FTS */ fprintf(fp_ignore, "%s %s %s %s %s %s %s %s\n", (lf->decoder_info->name && (lf->generated_rule->ignore & FTS_NAME))? @@ -156,9 +178,9 @@ void AddtoIGnore(Eventinfo *lf) (lf->dstip && (lf->generated_rule->ignore & FTS_DSTIP))? lf->dstip:"", (lf->data && (lf->generated_rule->ignore & FTS_DATA))? - lf->data:"", + lf->data:"", (lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))? - lf->systemname:"", + lf->systemname:"", (lf->generated_rule->ignore & FTS_LOCATION)?lf->location:""); fflush(fp_ignore); 
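Review bot: In the hunk at -80,7 +87,14 the results of `chmod(FTS_QUEUE, 0640)` and `chown(FTS_QUEUE, uid, gid)` are discarded, so a failure leaves the queue file with whatever mode and owner `fopen(FTS_QUEUE, "w+")` produced and nothing is logged. Because the file is created through fopen() under the process umask and only tightened afterwards, there is also a short window in which it exists with wider permissions; creating it with an explicit mode (`open(FTS_QUEUE, O_WRONLY | O_CREAT, 0640)` then `fchown()` on the descriptor before closing) avoids both the window and the path-based chown. At minimum the calls should be checked, e.g. `if(chmod(FTS_QUEUE, 0640) < 0) { merror(...); return(0); }` and likewise for chown, and the case where `Privsep_GetUser`/`Privsep_GetGroup` returns a negative value should not silently skip the chown but at least emit a merror. The identical block is repeated for IG_QUEUE in the hunk at -120,7 +135,14, which argues for one static helper taking the path. Judging from the surrounding fopen calls this runs inside the branch that creates a missing queue file, whose enclosing `if` starts outside the hunk, so an existing file with the wrong permissions is left as is.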
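Review bot: In the hunk at -105,13 +119,14, `if(OSHash_Add(fts_store, tmp_s, tmp_s) <= 0)` frees `tmp_s` only on a hard failure, so if OSHash_Add reports an already-present key with a distinct positive value (the `<= 1` test in the FTS() hunk at -288,25 +302,25 suggests a three-way error/duplicate/inserted result), every repeated line in FTS_QUEUE leaks its strdup'd copy, and the two call sites disagree on what counts as failure. Capture the result once and treat anything other than a confirmed insert as not-stored, e.g. `int r = OSHash_Add(fts_store, tmp_s, tmp_s); if(r != 2) { free(tmp_s); if(r <= 0) merror(LIST_ADD_ERROR, ARGV0); }`, with the success value checked against OSHash_Add's definition, which is outside this file. A one-line comment above the call stating the return convention would keep the two sites from drifting apart again. The same concern applies to the `return(0)` path in FTS(), where the copy made in the `line_for_list == NULL` branch is dropped without a free and the error is no longer logged at all; that hunk's enclosing function continues past the end of the visible diff.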
@@ -193,7 +215,7 @@ int IGnore(Eventinfo *lf) (lf->data && (lf->generated_rule->ignore & FTS_DATA))? lf->data:"", (lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))? - lf->systemname:"", + lf->systemname:"", (lf->generated_rule->ckignore & FTS_LOCATION)?lf->location:""); _fline[OS_FLSIZE] = '\0'; @@ -218,13 +240,13 @@ int IGnore(Eventinfo *lf) /* FTS v0.1 * Check if the word "msg" is present on the "queue". * If it is not, write it there. - */ + */ int FTS(Eventinfo *lf) { int number_of_matches = 0; char _line[OS_FLSIZE + 1]; - + char *line_for_list = NULL; OSListNode *fts_node; @@ -246,20 +268,12 @@ int FTS(Eventinfo *lf) /** Checking if FTS is already present **/ - if(lf->decoder_info->type == WINDOWS) - { - /* Windows is case insensitive */ - if(OSStore_NCaseCheck(fts_store, _line)) - { - return(0); - } - } - else if(OSStore_NCheck(fts_store, _line)) + if(OSHash_Get(fts_store, _line)) { return(0); } - + /* Checking if from the last FTS events, we had * at least 3 "similars" before. If yes, we just * ignore it. @@ -269,7 +283,7 @@ int FTS(Eventinfo *lf) fts_node = OSList_GetLastNode(fts_list); while(fts_node) { - if(OS_StrHowClosedMatch((char *)fts_node->data, _line) > + if(OS_StrHowClosedMatch((char *)fts_node->data, _line) > fts_minsize_for_str) { number_of_matches++; @@ -288,25 +302,25 @@ int FTS(Eventinfo *lf) os_strdup(_line, line_for_list); OSList_AddData(fts_list, line_for_list); } - - + + /* Storing new entry */ if(line_for_list == NULL) { os_strdup(_line, line_for_list); } - if(!OSStore_Put(fts_store, line_for_list, NULL)) + if(OSHash_Add(fts_store, line_for_list, line_for_list) <= 1) { - merror(LIST_ADD_ERROR, ARGV0); + return(0); } - + #ifdef TESTRULE return(1); #endif - - + + /* Saving to fts fp */ fseek(fp_list, 0, SEEK_END); fprintf(fp_list,"%s\n", _line);
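Review bot: In the hunk at -246,20 +268,12, replacing the `OSStore_NCaseCheck` branch for `lf->decoder_info->type == WINDOWS` with a single `OSHash_Get(fts_store, _line)` drops the case-insensitive lookup that the removed comment documented, so two Windows events differing only in letter case are now both treated as first-time-seen and the dedup for that decoder type is weaker than before; nothing in the hunk indicates this was intended. If the hash lookup is exact-match, normalising the key is the cheapest way to restore the old behaviour and keeps the lookup and the later insert/queue write in FTS() consistent, since they use the same `_line`: `if(lf->decoder_info->type == WINDOWS) { for(char *p = _line; *p; p++) *p = (char)tolower((unsigned char)*p); }` placed before the `OSHash_Get` call (needs <ctype.h>). If exact-match is deliberate, the removed comment should be replaced by one saying so, e.g. `/* Lookup is case-sensitive; Windows events are keyed verbatim */`. FTS() begins and ends outside this hunk.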