1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
10 /* Hostinfo decoder */
14 #include "os_regex/os_regex.h"
15 #include "eventinfo.h"
16 #include "alerts/alerts.h"
/* Path of the host-information database opened by the init routine
 * (presumably relative to the analysisd chroot -- confirm against the
 * rest of the daemon). DecodeHostinfo appends records as "<ip><ports>\n"
 * and reads them back line by line, skipping blank lines and lines that
 * start with '#'. */
#define HOSTINFO_FILE "/queue/fts/hostinfo"
/* Prefix that introduces the host address in the event text. */
#define HOST_HOST "Host: "
/*#define HOST_PORT " open ports: "
#define HOST_CHANGED "Host information changed."
#define HOST_NEW "New host information added."*/
/* Prefix used when reporting the previously recorded port list. */
#define PREV_OPEN "Previously"

/* Count of failures while handling the database; once it passes the
 * limit checked in DecodeHostinfo the decoder stops touching the db. */
static int hi_err = 0;
/* Decoder ids for "new host information" and "host information changed"
 * events, resolved from the decoder list at init. */
static int id_new = 0;
static int id_mod = 0;
/* Shared scratch buffer: holds the db path during init, then each line
 * read from the db. It is OS_MAXSTR + 1 bytes, but init formats the path
 * into it with an OS_SIZE_1024 bound -- assumes OS_SIZE_1024 <= OS_MAXSTR + 1
 * (TODO confirm). */
static char _hi_buf[OS_MAXSTR + 1];
/* Handle to HOSTINFO_FILE opened "r+" at init; stays NULL when every
 * open attempt fails. */
static FILE *_hi_fp = NULL;

/* Decoder descriptor attached to every decoded hostinfo event
 * (lf->decoder_info). Its id is rewritten in place to id_mod or id_new
 * for each event. NOTE(review): mutating this shared object per event is
 * only safe if events are decoded serially -- confirm. */
static OSDecoderInfo *hostinfo_dec = NULL;
/* Check whether x starts with the prefix y (compared with strncmp over the
 * prefix length); on a match return a pointer into x just past the prefix.
 * x and y must be non-NULL. */
37 static char *__go_after(char *x, const char *y)
42 /* X and Y must be not null */
54 /* String does not match */
55 if (strncmp(x, y, y_s) != 0) {
/* Initialize the hostinfo decoder: allocate hostinfo_dec, resolve the
 * decoder ids, and open HOSTINFO_FILE for read/write ("r+"), creating it
 * first with "w" when it does not exist yet. */
70 os_calloc(1, sizeof(OSDecoderInfo), hostinfo_dec);
71 hostinfo_dec->id = getDecoderfromlist(HOSTINFO_MOD);
72 hostinfo_dec->type = OSSEC_RL;
73 hostinfo_dec->name = HOSTINFO_MOD;
74 hostinfo_dec->fts = 0;
75 id_new = getDecoderfromlist(HOSTINFO_NEW);
76 id_mod = getDecoderfromlist(HOSTINFO_MOD);
78 /* Open HOSTINFO_FILE */
79 snprintf(_hi_buf, OS_SIZE_1024, "%s", HOSTINFO_FILE);
81 /* r+ to read and write. Do not truncate */
82 _hi_fp = fopen(_hi_buf, "r+");
84 /* Try opening with a w flag, file probably does not exist */
85 _hi_fp = fopen(_hi_buf, "w");
88 _hi_fp = fopen(_hi_buf, "r+");
92 merror(FOPEN_ERROR, ARGV0, _hi_buf, errno, strerror(errno));
96 /* Clear the buffer */
97 memset(_hi_buf, '\0', OS_MAXSTR + 1);
/* Rewind the shared hostinfo database handle to the start of the file and
 * return it for the caller to scan. */
103 static FILE *HI_File(void)
106 fseek(_hi_fp, 0, SEEK_SET);
/* Special decoder for host-information events.
 * Copies lf->log (event text from the log source, treated as untrusted:
 * the copy is bounded to OS_MAXSTR and NUL-terminated), extracts the
 * address after "Host: " and its port list, looks the address up in
 * HOSTINFO_FILE, and either reports a change (id_mod, previous ports kept
 * in `opened`) or appends a new record (id_new).
 * NOTE(review): the lookup matches the stored address by prefix
 * (strncmp over strlen(ip)), so "10.0.0.1" also matches a record for
 * "10.0.0.10"; the strcmp on the remainder then reports that as a change
 * for the wrong host unless the record carries a separator that prevents
 * it -- confirm.
 * Not using the default rendering tools for simplicity
 * and to be less resource intensive
117 int DecodeHostinfo(Eventinfo *lf)
126 char buffer[OS_MAXSTR + 1];
127 char opened[OS_MAXSTR + 1];
130 /* Check maximum number of errors */
132 merror("%s: Too many errors handling host information db. "
133 "Ignoring it.", ARGV0);
138 buffer[OS_MAXSTR] = '\0';
139 opened[OS_MAXSTR] = '\0';
142 merror("%s: Error handling host information database.", ARGV0);
147 /* Copy log to buffer */
148 strncpy(buffer, lf->log, OS_MAXSTR);
151 tmpstr = __go_after(buffer, HOST_HOST);
153 merror("%s: Error handling host information database.", ARGV0);
161 tmpstr = strchr(tmpstr, ',');
163 merror("%s: Error handling host information database.", ARGV0);
172 /* Get IP only information -- to store */
173 tmpstr = strchr(ip, ' ');
177 bf_size = strlen(ip);
179 /* Read the file and search for a possible entry */
180 while (fgets(_hi_buf, OS_MAXSTR - 1, fp) != NULL) {
181 /* Ignore blank lines and lines with a comment */
182 if (_hi_buf[0] == '\n' || _hi_buf[0] == '#') {
187 tmpstr = strchr(_hi_buf, '\n');
193 if (strncmp(ip, _hi_buf, bf_size) == 0) {
194 /* Cannot use strncmp to avoid errors with crafted files */
195 if (strcmp(portss, _hi_buf + bf_size) == 0) {
200 tmp_ports = _hi_buf + (bf_size + 1);
201 snprintf(opened, OS_MAXSTR, "%s %s", PREV_OPEN, tmp_ports);
207 /* Add the new entry at the end of the file */
208 fseek(fp, 0, SEEK_END);
209 fprintf(fp, "%s%s\n", ip, portss);
212 lf->decoder_info = hostinfo_dec;
216 hostinfo_dec->id = id_mod;
217 /* lf->generated_rule->last_events[0] = opened; */
219 hostinfo_dec->id = id_new;