3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 2) as published by the FSF - Free Software
11 * License details at the LICENSE file included with OSSEC or
12 * online at: http://www.ossec.net/en/licensing.html
16 /* First time seen functions
21 #include "eventinfo.h"
23 int fts_minsize_for_str = 0;
25 OSList *fts_list = NULL;
26 OSHash *fts_store = NULL;
29 FILE *fp_ignore = NULL;
33 * Starts the FTS module.
38 char _line[OS_FLSIZE + 1];
40 _line[OS_FLSIZE] = '\0';
43 fts_list = OSList_Create();
46 merror(LIST_ERROR, ARGV0);
50 /* Creating store data */
51 fts_store = OSHash_Create();
54 merror(LIST_ERROR, ARGV0);
57 if(!OSHash_setSize(fts_store, 2048))
59 merror(LIST_ERROR, ARGV0);
64 /* Getting default list size */
65 fts_list_size = getDefine_Int("analysisd",
69 /* Getting minimum string size */
70 fts_minsize_for_str = getDefine_Int("analysisd",
71 "fts_min_size_for_str",
74 if(!OSList_SetMaxSize(fts_list, fts_list_size))
76 merror(LIST_SIZE_ERROR, ARGV0);
81 /* creating fts list */
82 fp_list = fopen(FTS_QUEUE, "r+");
85 /* Create the file if we can't open it */
86 fp_list = fopen(FTS_QUEUE, "w+");
90 fp_list = fopen(FTS_QUEUE, "r+");
93 merror(FOPEN_ERROR, ARGV0, FTS_QUEUE);
99 /* Adding content from the files to memory */
100 fseek(fp_list, 0, SEEK_SET);
101 while(fgets(_line, OS_FLSIZE , fp_list) != NULL)
105 /* Removing new lines */
106 tmp_s = strchr(_line, '\n');
113 os_strdup(_line, tmp_s);
114 if(OSHash_Add(fts_store, tmp_s, tmp_s) <= 0)
117 merror(LIST_ADD_ERROR, ARGV0);
122 /* Creating ignore list */
123 fp_ignore = fopen(IG_QUEUE, "r+");
126 /* Create the file if we can't open it */
127 fp_ignore = fopen(IG_QUEUE, "w+");
131 fp_ignore = fopen(IG_QUEUE, "r+");
134 merror(FOPEN_ERROR, ARGV0, IG_QUEUE);
139 debug1("%s: DEBUG: FTSInit completed.", ARGV0);
144 /* AddtoIGnore -- adds a pattern to be ignored.
/*
 * Append one ignore record for lf to the ignore queue file (fp_ignore).
 * The record has eight space-separated fields; each is written only when
 * the matching FTS_* bit is set in lf->generated_rule->ignore (and, for the
 * pointer fields, the pointer is non-NULL), otherwise the field is empty.
 * IGnore() rebuilds a record with the same layout and searches the file for
 * an exact line match, so field order and separators here must stay in
 * sync with that function.  Assumes fp_ignore was opened by FTSInit and
 * lf->generated_rule is set (neither is NULL-checked here); the return
 * values of fseek/fprintf are not checked, so a failed write is silent.
 */
146 void AddtoIGnore(Eventinfo *lf)
/* Records are always appended at the end of the file. */
148 fseek(fp_ignore, 0, SEEK_END);
154 /* Assigning the values to the FTS */
/* Each field: emitted only if its ignore bit is set AND the value is non-NULL. */
155 fprintf(fp_ignore, "%s %s %s %s %s %s %s %s\n",
156 (lf->decoder_info->name && (lf->generated_rule->ignore & FTS_NAME))?
157 lf->decoder_info->name:"",
158 (lf->id && (lf->generated_rule->ignore & FTS_ID))?lf->id:"",
159 (lf->dstuser&&(lf->generated_rule->ignore & FTS_DSTUSER))?
161 (lf->srcip && (lf->generated_rule->ignore & FTS_SRCIP))?
163 (lf->dstip && (lf->generated_rule->ignore & FTS_DSTIP))?
165 (lf->data && (lf->generated_rule->ignore & FTS_DATA))?
167 (lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
/* NOTE(review): unlike the fields above, lf->location is not NULL-checked
 * before being handed to %s.  Presumably location is always set once a rule
 * has matched -- confirm, since a NULL here is undefined behaviour. */
169 (lf->generated_rule->ignore & FTS_LOCATION)?lf->location:"");
178 * Check if the event is to be ignored.
179 * Only after an event is matched (generated_rule must be set).
/*
 * Report whether an ignore record matching lf is already present in the
 * ignore queue file (the return statements fall in lines not shown here;
 * the comment near the end indicates 1 on a match).  The lookup key is
 * built with the same eight fields and separators AddtoIGnore() writes,
 * this time selected by the FTS_* bits in lf->generated_rule->ckignore,
 * and the whole file is then scanned line by line for an exact match.
 * Assumes fp_ignore was opened by FTSInit and lf->generated_rule is set.
 */
181 int IGnore(Eventinfo *lf)
183 char _line[OS_FLSIZE + 1];
184 char _fline[OS_FLSIZE +1];
/* Guard terminators: snprintf/fgets below are bounded to OS_FLSIZE bytes. */
186 _line[OS_FLSIZE] = '\0';
189 /* Assigning the values to the FTS */
/* Bounded write; a key longer than OS_FLSIZE-1 bytes is silently truncated. */
190 snprintf(_line,OS_FLSIZE, "%s %s %s %s %s %s %s %s\n",
191 (lf->decoder_info->name && (lf->generated_rule->ckignore & FTS_NAME))?
192 lf->decoder_info->name:"",
193 (lf->id && (lf->generated_rule->ckignore & FTS_ID))?lf->id:"",
194 (lf->dstuser && (lf->generated_rule->ckignore & FTS_DSTUSER))?
196 (lf->srcip && (lf->generated_rule->ckignore & FTS_SRCIP))?
198 (lf->dstip && (lf->generated_rule->ckignore & FTS_DSTIP))?
/* NOTE(review): the next two fields test lf->generated_rule->ignore while
 * every other field of this key tests ->ckignore.  This looks copied from
 * AddtoIGnore() rather than intended: if a rule's ignore and ckignore masks
 * can differ for FTS_DATA / FTS_SYSTEMNAME, the key built here will not
 * correspond to the mask the rest of the record uses -- confirm and align. */
200 (lf->data && (lf->generated_rule->ignore & FTS_DATA))?
202 (lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
/* As in AddtoIGnore(), lf->location is not NULL-checked before %s. */
204 (lf->generated_rule->ckignore & FTS_LOCATION)?lf->location:"");
206 _fline[OS_FLSIZE] = '\0';
209 /** Checking if the ignore is present **/
210 /* Pointing to the beginning of the file */
/* Linear scan of the entire ignore file on every call.  fgets keeps the
 * trailing newline, which is why the snprintf format above ends in "\n". */
211 fseek(fp_ignore, 0, SEEK_SET);
212 while(fgets(_fline, OS_FLSIZE , fp_ignore) != NULL)
/* Exact whole-line comparison: any differing field means no match. */
214 if(strcmp(_fline, _line) != 0)
217 /* If we match, we can return 1 */
226 * Check if the word "msg" is present on the "queue".
227 * If it is not, write it there.
229 int FTS(Eventinfo *lf)
231 int number_of_matches = 0;
233 char _line[OS_FLSIZE + 1];
235 char *line_for_list = NULL;
237 OSListNode *fts_node;
239 _line[OS_FLSIZE] = '\0';
242 /* Assigning the values to the FTS */
243 snprintf(_line, OS_FLSIZE, "%s %s %s %s %s %s %s %s %s",
244 lf->decoder_info->name,
245 (lf->id && (lf->decoder_info->fts & FTS_ID))?lf->id:"",
246 (lf->dstuser && (lf->decoder_info->fts & FTS_DSTUSER))?lf->dstuser:"",
247 (lf->srcuser && (lf->decoder_info->fts & FTS_SRCUSER))?lf->srcuser:"",
248 (lf->srcip && (lf->decoder_info->fts & FTS_SRCIP))?lf->srcip:"",
249 (lf->dstip && (lf->decoder_info->fts & FTS_DSTIP))?lf->dstip:"",
250 (lf->data && (lf->decoder_info->fts & FTS_DATA))?lf->data:"",
251 (lf->systemname && (lf->decoder_info->fts & FTS_SYSTEMNAME))?lf->systemname:"",
252 (lf->decoder_info->fts & FTS_LOCATION)?lf->location:"");
255 /** Checking if FTS is already present **/
256 if(OSHash_Get(fts_store, _line))
262 /* Checking if from the last FTS events, we had
263 * at least 3 "similars" before. If yes, we just
266 if(lf->decoder_info->type == IDS)
268 fts_node = OSList_GetLastNode(fts_list);
271 if(OS_StrHowClosedMatch((char *)fts_node->data, _line) >
276 /* We go and add this new entry to the list */
277 if(number_of_matches > 2)
279 _line[fts_minsize_for_str] = '\0';
284 fts_node = OSList_GetPrevNode(fts_list);
287 os_strdup(_line, line_for_list);
288 OSList_AddData(fts_list, line_for_list);
292 /* Storing new entry */
293 if(line_for_list == NULL)
295 os_strdup(_line, line_for_list);
298 if(OSHash_Add(fts_store, line_for_list, line_for_list) <= 1)
309 /* Saving to fts fp */
310 fseek(fp_list, 0, SEEK_END);
311 fprintf(fp_list,"%s\n", _line);