X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fanalysisd%2Fstats.c;fp=src%2Fanalysisd%2Fstats.c;h=0c16a5cd45207f26cc03d98dd28f47343b02dc52;hp=764b5ed65f085f6be178b143c4d5451ceda3f0d3;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/src/analysisd/stats.c b/src/analysisd/stats.c
old mode 100755
new mode 100644
index 764b5ed..0c16a5c
--- a/src/analysisd/stats.c
+++ b/src/analysisd/stats.c
@@ -1,6 +1,3 @@
-/* @(#) $Id: ./src/analysisd/stats.c, 2011/09/08 dcid Exp $
- */
-
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
@@ -10,240 +7,213 @@ * Foundation */ - - #include "shared.h" #include "analysisd.h" #include "stats.h" #include "rules.h" - #include "error_messages/error_messages.h" - #include "headers/file_op.h" #include "alerts/alerts.h" - #include "headers/debug_op.h" +/* Global definition */ +char __stats_comment[192]; -char *(weekdays[])={"Sunday","Monday","Tuesday","Wednesday","Thursday", - "Friday","Saturday"}; -char *(l_month[])={"Jan","Feb","Mar","Apr","May","Jun","Jul","Aug", - "Sep","Oct","Nov","Dec"}; - +static const char *(weekdays[]) = {"Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", + "Friday", "Saturday" + }; +static const char *(l_month[]) = {"Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", + "Sep", "Oct", "Nov", "Dec" + }; -/* Global vars */ +/* Global variables */ /* Hour 25 is internally used */ -int _RWHour[7][25]; -int _CWHour[7][25]; - -int _RHour[25]; -int _CHour[25]; +static int _RWHour[7][25]; +static int _CWHour[7][25]; -int _cignorehour = 0; -int _fired = 0; -int _daily_errors = 0; -int maxdiff = 0; -int mindiff = 0; -int percent_diff = 20; +static int _RHour[25]; +static int _CHour[25]; - -char __stats_comment[192]; +static int _cignorehour = 0; +static int _fired = 0; +static int _daily_errors = 0; +static int maxdiff = 0; +static int mindiff = 0; +static int percent_diff = 20; /* Last msgs, to avoid floods */ -char *_lastmsg; -char *_prevlast; -char *_pprevlast; +static char *_lastmsg; +static char *_prevlast; +static char *_pprevlast; -void print_totals() +static void print_totals(void) { int i, totals = 0; - char logfile[OS_FLSIZE +1]; + char logfile[OS_FLSIZE + 1]; FILE *flog; - - /* Creating the path for the logs */ - snprintf(logfile, OS_FLSIZE,"%s/%d/", STATSAVED, prev_year); - if(IsDir(logfile) == -1) - if(mkdir(logfile,0770) == -1) - { - merror(MKDIR_ERROR,ARGV0,logfile); + /* Create the path for the logs */ + snprintf(logfile, OS_FLSIZE, "%s/%d/", STATSAVED, prev_year); + if (IsDir(logfile) == -1) + if (mkdir(logfile, 0770) 
== -1) { + merror(MKDIR_ERROR, ARGV0, logfile, errno, strerror(errno)); return; } - snprintf(logfile,OS_FLSIZE,"%s/%d/%s", STATSAVED, prev_year, prev_month); + snprintf(logfile, OS_FLSIZE, "%s/%d/%s", STATSAVED, prev_year, prev_month); - if(IsDir(logfile) == -1) - if(mkdir(logfile,0770) == -1) - { - merror(MKDIR_ERROR, ARGV0, logfile); + if (IsDir(logfile) == -1) + if (mkdir(logfile, 0770) == -1) { + merror(MKDIR_ERROR, ARGV0, logfile, errno, strerror(errno)); return; } - - /* Creating the logfile name */ - snprintf(logfile,OS_FLSIZE,"%s/%d/%s/ossec-%s-%02d.log", - STATSAVED, - prev_year, - prev_month, - "totals", - today); + /* Create the logfile name */ + snprintf(logfile, OS_FLSIZE, "%s/%d/%s/ossec-%s-%02d.log", + STATSAVED, + prev_year, + prev_month, + "totals", + today); flog = fopen(logfile, "a"); - if(!flog) - { - merror(FOPEN_ERROR, ARGV0, logfile); + if (!flog) { + merror(FOPEN_ERROR, ARGV0, logfile, errno, strerror(errno)); return; } - /* Printing the hourly stats */ - for(i=0;i<=23;i++) - { - fprintf(flog,"Hour totals - %d:%d\n", i, _CHour[i]); - totals+=_CHour[i]; + /* Print the hourly stats */ + for (i = 0; i <= 23; i++) { + fprintf(flog, "Hour totals - %d:%d\n", i, _CHour[i]); + totals += _CHour[i]; } - fprintf(flog,"Total events for day:%d\n", totals); + fprintf(flog, "Total events for day:%d\n", totals); fclose(flog); } - -/* gethour: v0.2 - * Return the parameter (event_number + 20 % of it) +/* Return the parameter (event_number + 20 % of it) * If event_number < mindiff, return mindiff * If event_number > maxdiff, return maxdiff */ -int gethour(int event_number) +static int gethour(int event_number) { int event_diff; - event_diff = (event_number * percent_diff)/100; - + event_diff = (event_number * percent_diff) / 100; event_diff++; - if(event_diff < mindiff) - return(event_number + mindiff); - else if(event_diff > maxdiff) - return(event_number + maxdiff); + if (event_diff < mindiff) { + return (event_number + mindiff); + } else if (event_diff > 
maxdiff) { + return (event_number + maxdiff); + } - return(event_number + event_diff); + return (event_number + event_diff); } - -/* Update_Hour: done daily */ +/* Update_Hour: done daily */ void Update_Hour() { - int i,j; + int i, j; int inter; - /* Print total number of logs received per hour */ print_totals(); - /* Hourly update */ _RHour[24]++; inter = _RHour[24]; - if(inter > 7) + if (inter > 7) { inter = 7; + } - for(i=0;i<=24;i++) - { + for (i = 0; i <= 24; i++) { char _hourly[128]; /* _hourly file */ FILE *fp; - if(i != 24) - { + if (i != 24) { /* If saved hourly = 0, just copy the current hourly rate */ - if(_CHour[i] == 0) + if (_CHour[i] == 0) { continue; + } - if(_RHour[i] == 0) - _RHour[i]=_CHour[i] + 20; + if (_RHour[i] == 0) { + _RHour[i] = _CHour[i] + 20; + } - else - { + else { /* If we had too many errors this day */ - if(_daily_errors >= 3) - { - _RHour[i]=(((3*_CHour[i])+(inter*_RHour[i]))/(inter+3))+25; + if (_daily_errors >= 3) { + _RHour[i] = (((3 * _CHour[i]) + (inter * _RHour[i])) / (inter + 3)) + 25; } - else - { + else { /* The average is going to be the number of interactions + - * the currently hourly rate, divided by 4 */ - _RHour[i]=((_CHour[i]+(inter*_RHour[i]))/(inter+1))+5; + * the current hourly rate, divided by 4 */ + _RHour[i] = ((_CHour[i] + (inter * _RHour[i])) / (inter + 1)) + 5; } } } - snprintf(_hourly,128,"%s/%d",STATQUEUE,i); + snprintf(_hourly, 128, "%s/%d", STATQUEUE, i); fp = fopen(_hourly, "w"); - if(fp) - { - fprintf(fp,"%d",_RHour[i]); + if (fp) { + fprintf(fp, "%d", _RHour[i]); fclose(fp); } - - else - { - merror(FOPEN_ERROR, "logstats", _hourly); + + else { + merror(FOPEN_ERROR, "logstats", _hourly, errno, strerror(errno)); } - _CHour[i] = 0; /* Zeroing the currently hour */ + _CHour[i] = 0; /* Zero the current hour */ } /* Weekly */ - for(i=0;i <= 6;i++) - { + for (i = 0; i <= 6; i++) { char _weekly[128]; FILE *fp; _CWHour[i][24]++; inter = _CWHour[i][24]; - if(inter > 7) + if (inter > 7) { inter = 7; + } - 
for(j=0;j<=24;j++) - { - if(j != 24) - { - if(_CWHour[i][j] == 0) - continue; - - if(_RWHour[i][j] == 0) - _RWHour[i][j] = _CWHour[i][j] + 20; - - else - { - if(_daily_errors >= 3) - { - _RWHour[i][j]=(((3*_CWHour[i][j])+(inter*_RWHour[i][j]))/(inter+3))+25; - } - else - { - _RWHour[i][j]=((_CWHour[i][j]+(inter*_RWHour[i][j]))/(inter+1))+5; + for (j = 0; j <= 24; j++) { + if (j != 24) { + if (_CWHour[i][j] == 0) { + continue; + } + + if (_RWHour[i][j] == 0) { + _RWHour[i][j] = _CWHour[i][j] + 20; + } + + else { + if (_daily_errors >= 3) { + _RWHour[i][j] = (((3 * _CWHour[i][j]) + (inter * _RWHour[i][j])) / (inter + 3)) + 25; + } else { + _RWHour[i][j] = ((_CWHour[i][j] + (inter * _RWHour[i][j])) / (inter + 1)) + 5; } } } - snprintf(_weekly,128,"%s/%d/%d",STATWQUEUE,i,j); + snprintf(_weekly, 128, "%s/%d/%d", STATWQUEUE, i, j); fp = fopen(_weekly, "w"); - if(fp) - { - fprintf(fp,"%d",_RWHour[i][j]); + if (fp) { + fprintf(fp, "%d", _RWHour[i][j]); fclose(fp); - } - else - { - merror(FOPEN_ERROR, "logstats", _weekly); + } else { + merror(FOPEN_ERROR, "logstats", _weekly, errno, strerror(errno)); } - _CWHour[i][j] = 0; + _CWHour[i][j] = 0; } } 
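Review bot: In print_totals both `if (IsDir(logfile) == -1)` checks still wrap an unbraced nested `if (mkdir(logfile, 0770) == -1) { ... }`, while the same IsDir/mkdir pattern in Start_Hour receives outer braces in this commit; wrapping each outer check as `if (IsDir(logfile) == -1) {` ... `}` makes them consistent, and the `_weekly` mkdir in the Start_Hour hunk is the one remaining unbraced case. The reworded comment above the second averaging formula still says `divided by 4`, but the code divides by `inter + 1`; suggest `/* Weighted average of inter previous days and the current hourly rate, divided by inter + 1 */`. `void Update_Hour()` keeps an unprototyped empty parameter list while print_totals becomes `(void)` here; `void Update_Hour(void)` (and likewise `Check_Hour(void)` and `Start_Hour(void)` in the later hunks) lets the compiler reject stray arguments. Update_Hour's body continues past the end of this hunk.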
@@ -251,86 +221,77 @@ void Update_Hour() return; } - /* Check Hourly stats */ -int Check_Hour(Eventinfo *lf) +int Check_Hour() { _CHour[__crt_hour]++; - _CWHour[__crt_wday][__crt_hour]++; + _CWHour[__crt_wday][__crt_hour]++; - if(_RHour[24] <= 2) - { - return(0); + if (_RHour[24] <= 2) { + return (0); } - /* checking if any message was already fired for this hour */ - if((_daily_errors >= 3)||((_fired == 1)&&(_cignorehour == __crt_hour))) - return(0); + /* Checking if any message was already fired for this hour */ + if ((_daily_errors >= 3) || ((_fired == 1) && (_cignorehour == __crt_hour))) { + return (0); + } - else if(_cignorehour != __crt_hour) - { - _cignorehour=__crt_hour; + else if (_cignorehour != __crt_hour) { + _cignorehour = __crt_hour; _fired = 0; } - - /* checking if passed the threshold */ - if(_RHour[__crt_hour] != 0) - { - if(_CHour[__crt_hour] > (_RHour[__crt_hour])) - { - if(_CHour[__crt_hour] > (gethour(_RHour[__crt_hour]))) - { + /* Check if passed the threshold */ + if (_RHour[__crt_hour] != 0) { + if (_CHour[__crt_hour] > (_RHour[__crt_hour])) { + if (_CHour[__crt_hour] > (gethour(_RHour[__crt_hour]))) { /* snprintf will null terminate */ snprintf(__stats_comment, 191, - "The average number of logs" - " between %d:00 and %d:00 is %d. We " - "reached %d.",__crt_hour,__crt_hour+1, - _RHour[__crt_hour],_CHour[__crt_hour]); + "The average number of logs" + " between %d:00 and %d:00 is %d. 
We " + "reached %d.", __crt_hour, __crt_hour + 1, + _RHour[__crt_hour], _CHour[__crt_hour]); _fired = 1; _daily_errors++; - return(1); + return (1); } } } - /* We need to have at least 3 days of stats */ - if(_RWHour[__crt_wday][24] <= 2) - return(0); - - /* checking for the hour during a specific day of the week */ - if(_RWHour[__crt_wday][__crt_hour] != 0) - { - if(_CWHour[__crt_wday][__crt_hour] > _RWHour[__crt_wday][__crt_hour]) - { - if(_CWHour[__crt_wday][__crt_hour] > - gethour(_RWHour[__crt_wday][__crt_hour])) - { + if (_RWHour[__crt_wday][24] <= 2) { + return (0); + } + + /* Check for the hour during a specific day of the week */ + if (_RWHour[__crt_wday][__crt_hour] != 0) { + if (_CWHour[__crt_wday][__crt_hour] > _RWHour[__crt_wday][__crt_hour]) { + if (_CWHour[__crt_wday][__crt_hour] > + gethour(_RWHour[__crt_wday][__crt_hour])) { snprintf(__stats_comment, 191, - "The average number of logs" - " between %d:00 and %d:00 on %s is %d. We" - " reached %d.",__crt_hour,__crt_hour+1, - weekdays[__crt_wday], - _RWHour[__crt_wday][__crt_hour], - _CWHour[__crt_wday][__crt_hour]); + "The average number of logs" + " between %d:00 and %d:00 on %s is %d. We" + " reached %d.", __crt_hour, __crt_hour + 1, + weekdays[__crt_wday], + _RWHour[__crt_wday][__crt_hour], + _CWHour[__crt_wday][__crt_hour]); _fired = 1; _daily_errors++; - return(1); + return (1); } } } - return(0); + return (0); } -/* Starting hourly stats and other necessary variables */ +/* Start hourly stats and other necessary variables */ int Start_Hour() { - int i=0,j=0; + int i = 0, j = 0; struct tm *p; /* Current time */ 
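Review bot: The comment `/* We need to have at least 3 days of stats */` that explained the `if (_RWHour[__crt_wday][24] <= 2)` early return is dropped on the new side, leaving the magic `2` unexplained; restore it above that `if`. The new signature `int Check_Hour()` drops the unused `Eventinfo *lf` but leaves the parameter list unspecified, so a call site that still passes `lf` may compile without a diagnostic unless the header declaration (not in this diff) says `(void)`; `int Check_Hour(void)` is the safer form. Both `snprintf(__stats_comment, 191, ...)` calls repeat the buffer length as a literal; `sizeof __stats_comment` keeps them tied to the definition in the previous hunk. Start_Hour begins at the end of this hunk and continues in the next.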
@@ -346,175 +307,159 @@ int Start_Hour() strncpy(prev_month, l_month[p->tm_mon], 3); prev_month[3] = '\0'; - - /* Clearing some memory */ + /* Clear some memory */ memset(__stats_comment, '\0', 192); - - /* Getting maximum/minimum diffs */ + /* Get maximum/minimum diffs */ maxdiff = getDefine_Int("analysisd", "stats_maxdiff", - 10, 99999); + 10, 999999); mindiff = getDefine_Int("analysisd", "stats_mindiff", - 10, 99999); + 10, 999999); percent_diff = getDefine_Int("analysisd", "stats_percent_diff", - 5, 999); - + 5, 9999); /* Last three messages * They are used to keep track of the last - * messages received to avoid floods. + * messages received to avoid floods */ _lastmsg = NULL; _prevlast = NULL; _pprevlast = NULL; - /* They should not be null */ os_strdup(" ", _lastmsg); os_strdup(" ", _prevlast); os_strdup(" ", _pprevlast); - - /* Creating the stat queue directories */ - if(IsDir(STATWQUEUE) == -1) - if(mkdir(STATWQUEUE,0770) == -1) - { + /* Create the stat queue directories */ + if (IsDir(STATWQUEUE) == -1) { + if (mkdir(STATWQUEUE, 0770) == -1) { merror("%s: logstat: Unable to create stat queue: %s", - ARGV0, STATWQUEUE); - return(-1); + ARGV0, STATWQUEUE); + return (-1); } + } - if(IsDir(STATQUEUE) == -1) - if(mkdir(STATQUEUE,0770) == -1) - { + if (IsDir(STATQUEUE) == -1) { + if (mkdir(STATQUEUE, 0770) == -1) { merror("%s: logstat: Unable to create stat queue: %s", - ARGV0, STATQUEUE); - return(-1); + ARGV0, STATQUEUE); + return (-1); } + } - /* Creating store dir */ - if(IsDir(STATSAVED) == -1) - if(mkdir(STATSAVED,0770) == -1) - { + /* Create store dir */ + if (IsDir(STATSAVED) == -1) { + if (mkdir(STATSAVED, 0770) == -1) { merror("%s: logstat: Unable to create stat directory: %s", - ARGV0, STATQUEUE); - return(-1); + ARGV0, STATSAVED); + return (-1); } + } - /* Creating hourly directory (24 hour is the stats) */ - for(i=0;i<=24;i++) - { + /* Create hourly directory (24 hour is the stats) */ + for (i = 0; i <= 24; i++) { char _hourly[128]; - 
snprintf(_hourly,128,"%s/%d",STATQUEUE,i); + snprintf(_hourly, 128, "%s/%d", STATQUEUE, i); - _CHour[i]=0; - if(File_DateofChange(_hourly) < 0) + _CHour[i] = 0; + if (File_DateofChange(_hourly) < 0) { _RHour[i] = 0; + } - else - { + else { FILE *fp; fp = fopen(_hourly, "r"); - if(!fp) + if (!fp) { _RHour[i] = 0; - else - { - if(fscanf(fp,"%d",&_RHour[i]) <= 0) + } else { + if (fscanf(fp, "%d", &_RHour[i]) <= 0) { _RHour[i] = 0; + } - if(_RHour[i] < 0) + if (_RHour[i] < 0) { _RHour[i] = 0; + } fclose(fp); - } + } } } - /* Creating weekly/hourly directories */ - for(i=0;i<=6;i++) - { + /* Create weekly/hourly directories */ + for (i = 0; i <= 6; i++) { char _weekly[128]; - snprintf(_weekly,128,"%s/%d",STATWQUEUE,i); - if(IsDir(_weekly) == -1) - if(mkdir(_weekly,0770) == -1) - { + snprintf(_weekly, 128, "%s/%d", STATWQUEUE, i); + if (IsDir(_weekly) == -1) + if (mkdir(_weekly, 0770) == -1) { merror("%s: logstat: Unable to create stat queue: %s", - ARGV0, _weekly); - return(-1); + ARGV0, _weekly); + return (-1); } - for(j=0;j<=24;j++) - { - _CWHour[i][j]=0; - snprintf(_weekly,128,"%s/%d/%d",STATWQUEUE,i,j); - if(File_DateofChange(_weekly) < 0) + for (j = 0; j <= 24; j++) { + _CWHour[i][j] = 0; + snprintf(_weekly, 128, "%s/%d/%d", STATWQUEUE, i, j); + if (File_DateofChange(_weekly) < 0) { _RWHour[i][j] = 0; - else - { + } else { FILE *fp; fp = fopen(_weekly, "r"); - if(!fp) + if (!fp) { _RWHour[i][j] = 0; - else - { - if(fscanf(fp,"%d",&_RWHour[i][j]) <= 0) + } else { + if (fscanf(fp, "%d", &_RWHour[i][j]) <= 0) { _RWHour[i][j] = 0; + } - if(_RWHour[i][j] < 0) + if (_RWHour[i][j] < 0) { _RWHour[i][j] = 0; + } fclose(fp); - } - } - } + } + } + } } - return(0); + return (0); } - -/* LastMsg_Stats: v0.3: 2006/03/21 - * v0.3: Some performance fixes (2006/03/21). - * v0.2: 2005/03/17 - * check if the message received is repeated. Doing - * it to avoid floods from same message. 
+/* Check if the message received is repeated to avoid + * floods of the same message */ -int LastMsg_Stats(char *log) +int LastMsg_Stats(const char *log) { - if(strcmp(log,_lastmsg) == 0) - return(1); - - else if(strcmp(log,_prevlast) == 0) - return(1); - - else if(strcmp(log,_pprevlast) == 0) - return(1); - - return(0); + if (strcmp(log, _lastmsg) == 0) { + return (1); + } + + else if (strcmp(log, _prevlast) == 0) { + return (1); + } + + else if (strcmp(log, _pprevlast) == 0) { + return (1); + } + + return (0); } -/* LastMsg_Change: v0.3: 2006/03/21 - * v0.3: 2006/03/21: Some performance fixes. - * v0.2: 2005/03/17 - * If the message is not repeated, rearrange the last +/* If the message is not repeated, rearrange the last * received messages */ -void LastMsg_Change(char *log) +void LastMsg_Change(const char *log) { - /* Removing the last one */ + /* Remove the last one */ free(_pprevlast); - /* Moving the second to third and the last to second */ + /* Move the second to third and the last to second */ _pprevlast = _prevlast; - _prevlast = _lastmsg; - os_strdup(log, _lastmsg); return; } - -/* EOF */
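Review bot: The values read back with `fscanf(fp, "%d", &_RHour[i])` and `fscanf(fp, "%d", &_RWHour[i][j])` are only clamped from below (`< 0` becomes 0); nothing bounds them above, yet they are later multiplied by `percent_diff` in gethour and by `inter` in Update_Hour, so a corrupt or oversized queue file turns that signed multiplication into overflow. This hunk also widens the last argument of the `getDefine_Int` calls (99999 to 999999, 999 to 9999), which, if that argument is the configured maximum, shrinks the safe stored range to roughly INT_MAX / 9999. Suggest clamping after each read, e.g. `if (_RHour[i] < 0 || _RHour[i] > MAX_HOURLY_EVENTS /* placeholder: pick a project limit */) { _RHour[i] = 0; }` and the same for `_RWHour[i][j]`. The mkdir failure messages in this hunk (`"%s: logstat: Unable to create stat queue: %s"`) still omit the `errno, strerror(errno)` arguments the commit adds to the MKDIR_ERROR calls in print_totals; passing them here too would make directory failures diagnosable. Start_Hour begins before this hunk.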