3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 2) as published by the FSF - Free Software
12 /* Basic e-mailing operations */
19 #include "active-response.h"
21 #include "os_net/os_net.h"
22 #include "os_regex/os_regex.h"
23 #include "os_execd/execd.h"
25 #include "eventinfo.h"
30 void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar)
32 char exec_msg[OS_SIZE_1024 +1];
38 if(lf->srcip && (ar->ar_cmd->expect & SRCIP))
40 ip = strrchr(lf->srcip, ':');
51 /* Checking if IP is to be ignored */
54 if(OS_IPFoundList(ip, Config.white_list))
60 /* Checking if it is a hostname */
61 if(Config.hostname_white_list)
66 srcip_size = strlen(ip);
68 wl = Config.hostname_white_list;
71 if(OSMatch_Execute(ip, srcip_size, *wl))
83 /* Getting username */
84 if(lf->dstuser && (ar->ar_cmd->expect & USERNAME))
94 /* active response on the server.
95 * The response must be here if the ar->location is set to AS
96 * or the ar->location is set to local (REMOTE_AGENT) and the
97 * event location is from here.
99 if((ar->location & AS_ONLY) ||
100 ((ar->location & REMOTE_AGENT) && (lf->location[0] != '(')) )
102 if(!(Config.ar & LOCAL_AR))
105 snprintf(exec_msg, OS_SIZE_1024,
106 "%s %s %s %d.%ld %d %s",
112 lf->generated_rule->sigid,
115 if(OS_SendUnix(*execq, exec_msg, 0) < 0)
117 merror("%s: Error communicating with execd.", ARGV0);
122 /* Active response to the forwarder */
123 else if((Config.ar & REMOTE_AR) && (lf->location[0] == '('))
126 snprintf(exec_msg, OS_SIZE_1024,
127 "%s %c%c%c %s %s %s %s %d.%ld %d %s",
129 (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
130 (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
131 (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
132 ar->agent_id != NULL? ar->agent_id: "(null)",
138 lf->generated_rule->sigid,
141 if((rc = OS_SendUnix(*arq, exec_msg, 0)) < 0)
143 if(rc == OS_SOCKBUSY)
145 merror("%s: AR socket busy.", ARGV0);
149 merror("%s: AR socket error (shutdown?).", ARGV0);
151 merror("%s: Error communicating with ar queue (%d).", ARGV0, rc);