Imported Upstream version 2.7
diff --git
a/src/analysisd/fts.c
b/src/analysisd/fts.c
index
2f155bf
..
9ab65c6
100755
(executable)
--- a/
src/analysisd/fts.c
+++ b/
src/analysisd/fts.c
@@
-1,4
+1,5
@@
-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/fts.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
@@
-8,12
+9,12
@@
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
* online at: http://www.ossec.net/en/licensing.html
*/
-/* First time seen functions
+/* First time seen functions
*/
*/
@@
-38,8
+39,8
@@
int FTS_Init()
char _line[OS_FLSIZE + 1];
_line[OS_FLSIZE] = '\0';
char _line[OS_FLSIZE + 1];
_line[OS_FLSIZE] = '\0';
-
-
+
+
fts_list = OSList_Create();
if(!fts_list)
{
fts_list = OSList_Create();
if(!fts_list)
{
@@
-59,7
+60,7
@@
int FTS_Init()
merror(LIST_ERROR, ARGV0);
return(0);
}
merror(LIST_ERROR, ARGV0);
return(0);
}
-
+
/* Getting default list size */
fts_list_size = getDefine_Int("analysisd",
/* Getting default list size */
fts_list_size = getDefine_Int("analysisd",
@@
-70,7
+71,7
@@
int FTS_Init()
fts_minsize_for_str = getDefine_Int("analysisd",
"fts_min_size_for_str",
6, 128);
fts_minsize_for_str = getDefine_Int("analysisd",
"fts_min_size_for_str",
6, 128);
-
+
if(!OSList_SetMaxSize(fts_list, fts_list_size))
{
merror(LIST_SIZE_ERROR, ARGV0);
if(!OSList_SetMaxSize(fts_list, fts_list_size))
{
merror(LIST_SIZE_ERROR, ARGV0);
@@
-86,7
+87,14
@@
int FTS_Init()
fp_list = fopen(FTS_QUEUE, "w+");
if(fp_list)
fclose(fp_list);
fp_list = fopen(FTS_QUEUE, "w+");
if(fp_list)
fclose(fp_list);
-
+
+ chmod(FTS_QUEUE, 0640);
+
+ int uid = Privsep_GetUser(USER);
+ int gid = Privsep_GetGroup(GROUPGLOBAL);
+ if(uid>=0 && gid>=0)
+ chown(FTS_QUEUE, uid, gid);
+
fp_list = fopen(FTS_QUEUE, "r+");
if(!fp_list)
{
fp_list = fopen(FTS_QUEUE, "r+");
if(!fp_list)
{
@@
-118,7
+126,7
@@
int FTS_Init()
}
}
}
}
-
+
/* Creating ignore list */
fp_ignore = fopen(IG_QUEUE, "r+");
if(!fp_ignore)
/* Creating ignore list */
fp_ignore = fopen(IG_QUEUE, "r+");
if(!fp_ignore)
@@
-127,7
+135,14
@@
int FTS_Init()
fp_ignore = fopen(IG_QUEUE, "w+");
if(fp_ignore)
fclose(fp_ignore);
fp_ignore = fopen(IG_QUEUE, "w+");
if(fp_ignore)
fclose(fp_ignore);
-
+
+ chmod(IG_QUEUE, 0640);
+
+ int uid = Privsep_GetUser(USER);
+ int gid = Privsep_GetGroup(GROUPGLOBAL);
+ if(uid>=0 && gid>=0)
+ chown(IG_QUEUE, uid, gid);
+
fp_ignore = fopen(IG_QUEUE, "r+");
if(!fp_ignore)
{
fp_ignore = fopen(IG_QUEUE, "r+");
if(!fp_ignore)
{
@@
-137,7
+152,7
@@
int FTS_Init()
}
debug1("%s: DEBUG: FTSInit completed.", ARGV0);
}
debug1("%s: DEBUG: FTSInit completed.", ARGV0);
-
+
return(1);
}
return(1);
}
@@
-145,12
+160,12
@@
int FTS_Init()
*/
void AddtoIGnore(Eventinfo *lf)
{
*/
void AddtoIGnore(Eventinfo *lf)
{
- fseek(fp_ignore, 0, SEEK_END);
+ fseek(fp_ignore, 0, SEEK_END);
#ifdef TESTRULE
return;
#endif
#ifdef TESTRULE
return;
#endif
-
+
/* Assigning the values to the FTS */
fprintf(fp_ignore, "%s %s %s %s %s %s %s %s\n",
(lf->decoder_info->name && (lf->generated_rule->ignore & FTS_NAME))?
/* Assigning the values to the FTS */
fprintf(fp_ignore, "%s %s %s %s %s %s %s %s\n",
(lf->decoder_info->name && (lf->generated_rule->ignore & FTS_NAME))?
@@
-163,9
+178,9
@@
void AddtoIGnore(Eventinfo *lf)
(lf->dstip && (lf->generated_rule->ignore & FTS_DSTIP))?
lf->dstip:"",
(lf->data && (lf->generated_rule->ignore & FTS_DATA))?
(lf->dstip && (lf->generated_rule->ignore & FTS_DSTIP))?
lf->dstip:"",
(lf->data && (lf->generated_rule->ignore & FTS_DATA))?
- lf->data:"",
+ lf->data:"",
(lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
(lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
- lf->systemname:"",
+ lf->systemname:"",
(lf->generated_rule->ignore & FTS_LOCATION)?lf->location:"");
fflush(fp_ignore);
(lf->generated_rule->ignore & FTS_LOCATION)?lf->location:"");
fflush(fp_ignore);
@@
-200,7
+215,7
@@
int IGnore(Eventinfo *lf)
(lf->data && (lf->generated_rule->ignore & FTS_DATA))?
lf->data:"",
(lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
(lf->data && (lf->generated_rule->ignore & FTS_DATA))?
lf->data:"",
(lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
- lf->systemname:"",
+ lf->systemname:"",
(lf->generated_rule->ckignore & FTS_LOCATION)?lf->location:"");
_fline[OS_FLSIZE] = '\0';
(lf->generated_rule->ckignore & FTS_LOCATION)?lf->location:"");
_fline[OS_FLSIZE] = '\0';
@@
-225,13
+240,13
@@
int IGnore(Eventinfo *lf)
/* FTS v0.1
* Check if the word "msg" is present on the "queue".
* If it is not, write it there.
/* FTS v0.1
* Check if the word "msg" is present on the "queue".
* If it is not, write it there.
- */
+ */
int FTS(Eventinfo *lf)
{
int number_of_matches = 0;
char _line[OS_FLSIZE + 1];
int FTS(Eventinfo *lf)
{
int number_of_matches = 0;
char _line[OS_FLSIZE + 1];
-
+
char *line_for_list = NULL;
OSListNode *fts_node;
char *line_for_list = NULL;
OSListNode *fts_node;
@@
-256,9
+271,9
@@
int FTS(Eventinfo *lf)
if(OSHash_Get(fts_store, _line))
{
return(0);
if(OSHash_Get(fts_store, _line))
{
return(0);
- }
+ }
+
-
/* Checking if from the last FTS events, we had
* at least 3 "similars" before. If yes, we just
* ignore it.
/* Checking if from the last FTS events, we had
* at least 3 "similars" before. If yes, we just
* ignore it.
@@
-268,7
+283,7
@@
int FTS(Eventinfo *lf)
fts_node = OSList_GetLastNode(fts_list);
while(fts_node)
{
fts_node = OSList_GetLastNode(fts_list);
while(fts_node)
{
- if(OS_StrHowClosedMatch((char *)fts_node->data, _line) >
+ if(OS_StrHowClosedMatch((char *)fts_node->data, _line) >
fts_minsize_for_str)
{
number_of_matches++;
fts_minsize_for_str)
{
number_of_matches++;
@@
-287,8
+302,8
@@
int FTS(Eventinfo *lf)
os_strdup(_line, line_for_list);
OSList_AddData(fts_list, line_for_list);
}
os_strdup(_line, line_for_list);
OSList_AddData(fts_list, line_for_list);
}
-
-
+
+
/* Storing new entry */
if(line_for_list == NULL)
{
/* Storing new entry */
if(line_for_list == NULL)
{
@@
-300,12
+315,12
@@
int FTS(Eventinfo *lf)
return(0);
}
return(0);
}
-
+
#ifdef TESTRULE
return(1);
#endif
#ifdef TESTRULE
return(1);
#endif
-
-
+
+
/* Saving to fts fp */
fseek(fp_list, 0, SEEK_END);
fprintf(fp_list,"%s\n", _line);
/* Saving to fts fp */
fseek(fp_list, 0, SEEK_END);
fprintf(fp_list,"%s\n", _line);