1 /* @(#) $Id: hostinfo.c,v 1.14 2009/06/24 17:06:23 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
13 /* Hostinfo decoder */
17 #include "os_regex/os_regex.h"
18 #include "eventinfo.h"
19 #include "alerts/alerts.h"
22 #define HOSTINFO_FILE "/queue/fts/hostinfo"
23 #define HOST_HOST "Host: "
24 #define HOST_PORT " open ports: "
26 #define HOST_CHANGED "Host information changed."
27 #define HOST_NEW "New host information added."
28 #define PREV_OPEN "Previously"
31 /** Global variables **/
35 char _hi_buf[OS_MAXSTR +1];
39 /* Hostinfo decoder */
40 OSDecoderInfo *hostinfo_dec = NULL;
44 /* Check if the string matches.
46 static char *__go_after(char *x, char *y)
51 /* X and Y must not be NULL */
63 /* String does not match */
64 if(strncmp(x,y,y_s) != 0)
77 * Initialize the necessary information to process the host information
85 os_calloc(1, sizeof(OSDecoderInfo), hostinfo_dec);
86 hostinfo_dec->id = getDecoderfromlist(HOSTINFO_MOD);
87 hostinfo_dec->type = OSSEC_RL;
88 hostinfo_dec->name = HOSTINFO_MOD;
89 hostinfo_dec->fts = 0;
90 id_new = getDecoderfromlist(HOSTINFO_NEW);
91 id_mod = getDecoderfromlist(HOSTINFO_MOD);
95 /* Opening HOSTINFO_FILE */
96 snprintf(_hi_buf,OS_SIZE_1024, "%s", HOSTINFO_FILE);
99 /* r+ to read and write. Do not truncate */
100 _hi_fp = fopen(_hi_buf,"r+");
103 /* try opening with a w flag, file probably does not exist */
104 _hi_fp = fopen(_hi_buf, "w");
108 _hi_fp = fopen(_hi_buf, "r+");
113 merror(FOPEN_ERROR, ARGV0, _hi_buf);
118 /* clearing the buffer */
119 memset(_hi_buf, '\0', OS_MAXSTR +1);
127 * Return the file pointer to be used
133 fseek(_hi_fp, 0, SEEK_SET);
142 /* Special decoder for host information
143 * Not using the default rendering tools for simplicity
144 * and to be less resource intensive.
146 int DecodeHostinfo(Eventinfo *lf)
155 char buffer[OS_MAXSTR + 1];
156 char opened[OS_MAXSTR + 1];
160 /* Checking maximum number of errors */
163 merror("%s: Too many errors handling host information db. "
164 "Ignoring it.", ARGV0);
169 /* Guaranteeing NUL-termination of the buffers (only the last byte is set here) */
170 buffer[OS_MAXSTR] = '\0';
171 opened[OS_MAXSTR] = '\0';
175 merror("%s: Error handling host information database.",ARGV0);
176 hi_err++; /* Increment hi error */
182 /* Copying log to buffer */
183 strncpy(buffer,lf->log, OS_MAXSTR);
187 tmpstr = __go_after(buffer, HOST_HOST);
190 merror("%s: Error handling host information database.",ARGV0);
199 tmpstr = strchr(tmpstr, ',');
202 merror("%s: Error handling host information database.",ARGV0);
212 /* Keeping only the IP portion -- this is what gets stored */
213 tmpstr = strchr(ip, ' ');
218 bf_size = strlen(ip);
221 /* Read the file and search for a possible
224 while(fgets(_hi_buf, OS_MAXSTR -1, fp) != NULL)
226 /* Ignore blank lines and lines with a comment */
227 if(_hi_buf[0] == '\n' || _hi_buf[0] == '#')
232 /* Removing new line */
233 tmpstr = strchr(_hi_buf, '\n');
238 /* Checking for ip */
239 if(strncmp(ip, _hi_buf, bf_size) == 0)
241 /* Full strcmp rather than strncmp: a prefix-only comparison could be fooled by crafted file entries */
242 if(strcmp(portss, _hi_buf + bf_size) == 0)
250 tmp_ports = _hi_buf + (bf_size +1);
251 snprintf(opened, OS_MAXSTR, "%s %s", PREV_OPEN, tmp_ports);
258 /* Adding the new entry at the end of the file */
259 fseek(fp, 0, SEEK_END);
260 fprintf(fp,"%s%s\n", ip, portss);
263 /* Setting decoder */
264 lf->decoder_info = hostinfo_dec;
267 /* Setting comment */
270 hostinfo_dec->id = id_mod;
271 //lf->generated_rule->last_events[0] = opened;
275 hostinfo_dec->id = id_new;