X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fsyscheckd%2Frun_realtime.c;h=19f7c7bc12513f23e8bbd31fc519ed11f55d4905;hp=efae8062277a79bc2cc0a54bd1c537aecd047053;hb=301048b51990573e58a30dc4a5bb4ec285cad554;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a diff --git a/src/syscheckd/run_realtime.c b/src/syscheckd/run_realtime.c index efae806..19f7c7b 100755 --- a/src/syscheckd/run_realtime.c +++ b/src/syscheckd/run_realtime.c @@ -1,11 +1,11 @@ -/* @(#) $Id: run_realtime.c,v 1.12 2009/12/01 15:40:08 dcid Exp $ */ +/* @(#) $Id$ */ /* Copyright (C) 2009 Trend Micro Inc. * All right reserved. * * This program is a free software; you can redistribute it * and/or modify it under the terms of the GNU General Public - * License (version 3) as published by the FSF - Free Software + * License (version 2) as published by the FSF - Free Software * Foundation */ @@ -38,6 +38,10 @@ #ifdef USEINOTIFY #include +#define OS_SIZE_6144 6144 +#define OS_MAXSTR OS_SIZE_6144 /* Size for logs, sockets, etc */ +#else +#include "shared.h" #endif @@ -49,69 +53,56 @@ int c_read_file(char *file_name, char *oldsum, char *newsum); /* Checking sum of the realtime file being monitored. */ int realtime_checksumfile(char *file_name) { - char buf[MAX_LINE +2]; - buf[MAX_LINE +1] = '\0'; - + char *buf; - fseek(syscheck.fp, 0, SEEK_SET); - while(fgets(buf, MAX_LINE, syscheck.fp) != NULL) + buf = OSHash_Get(syscheck.fp, file_name); + if(buf != NULL) { - if((buf[0] != '#') && (buf[0] != ' ') && (buf[0] != '\n')) - { - char *n_buf; - - /* Removing the new line */ - n_buf = strchr(buf,'\n'); - if(n_buf == NULL) - continue; - - *n_buf = '\0'; - - - /* First 6 characters are for internal use */ - n_buf = buf; - n_buf+=6; - - n_buf = strchr(n_buf, ' '); - if(n_buf) - { - n_buf++; - - /* Checking if name matches */ - if(strcmp(n_buf, file_name) == 0) - { - char c_sum[256 +2]; - c_sum[0] = '\0'; - c_sum[255] = '\0'; + char c_sum[256 +2]; + + c_sum[0] = '\0'; + c_sum[255] = '\0'; + + + /* If it returns < 0, we will already have alerted. */ + if(c_read_file(file_name, buf, c_sum) < 0) + { + return(0); + } + + + if(strcmp(c_sum, buf+6) != 0) + { + char *fullalert = NULL; + char alert_msg[OS_MAXSTR +1]; + alert_msg[OS_MAXSTR] = '\0'; + if(buf[5] == 's' || buf[5] == 'n') + { + fullalert = seechanges_addfile(file_name); + if(fullalert) + { + snprintf(alert_msg, OS_MAXSTR, "%s %s\n%s", c_sum, file_name, fullalert); + free(fullalert); + fullalert = NULL; + } + else + { + snprintf(alert_msg, 912, "%s %s", c_sum, file_name); + } + } + else + { + snprintf(alert_msg, 912, "%s %s", c_sum, file_name); + } + send_syscheck_msg(alert_msg); + + return(1); + } + + return(0); - - /* If it returns < 0, we will already have alerted. */ - if(c_read_file(file_name, buf, c_sum) < 0) - continue; - - - if(strcmp(c_sum, buf+6) != 0) - { - char alert_msg[912 +2]; - - /* Sending the new checksum to the analysis server */ - alert_msg[912 +1] = '\0'; - snprintf(alert_msg, 912, "%s %s", c_sum, file_name); - send_syscheck_msg(alert_msg); - - return(1); - } - - return(0); - - } - } - } } - - /* Adding entry if not in there. */ - fseek(syscheck.fp, 0, SEEK_END); return(0); }