1 /* @(#) $Id: ./src/analysisd/fts.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
12 * License details at the LICENSE file included with OSSEC or
13 * online at: http://www.ossec.net/en/licensing.html
17 /* First time seen functions
22 #include "eventinfo.h"
/* Length to which a repeated IDS FTS line is truncated by FTS() once more
 * than two similar entries have been seen; loaded at FTS init from the
 * analysisd "fts_min_size_for_str" define.
 * NOTE(review): FTS() writes _line[fts_minsize_for_str] directly, so the
 * define's upper bound must stay below OS_FLSIZE; the min/max passed to
 * getDefine_Int() are not visible here -- confirm. */
int fts_minsize_for_str = 0;

/* Most recent FTS lines, walked backwards by FTS() to count similar IDS
 * events; capped at the configured fts_list_size. */
OSList *fts_list = NULL;
/* Every FTS line already seen: pre-loaded from FTS_QUEUE at init, then
 * extended as FTS() records new entries. */
OSHash *fts_store = NULL;

/* Ignore-list file (IG_QUEUE): opened at init, appended to by AddtoIGnore()
 * and rescanned from the start on every IGnore() call. */
FILE *fp_ignore = NULL;
34 * Starts the FTS module.
39 char _line[OS_FLSIZE + 1];
41 _line[OS_FLSIZE] = '\0';
44 fts_list = OSList_Create();
47 merror(LIST_ERROR, ARGV0);
51 /* Creating store data */
52 fts_store = OSHash_Create();
55 merror(LIST_ERROR, ARGV0);
58 if(!OSHash_setSize(fts_store, 2048))
60 merror(LIST_ERROR, ARGV0);
65 /* Getting default list size */
66 fts_list_size = getDefine_Int("analysisd",
70 /* Getting minimum string size */
71 fts_minsize_for_str = getDefine_Int("analysisd",
72 "fts_min_size_for_str",
75 if(!OSList_SetMaxSize(fts_list, fts_list_size))
77 merror(LIST_SIZE_ERROR, ARGV0);
82 /* creating fts list */
83 fp_list = fopen(FTS_QUEUE, "r+");
/* Create the file if it can't be opened read/write.  The chmod()/chown()
 * that follow tighten its mode and ownership, but their return values are
 * not checked, so a failure there silently leaves the file as fopen()
 * created it. */
87 fp_list = fopen(FTS_QUEUE, "w+");
91 chmod(FTS_QUEUE, 0640);
93 int uid = Privsep_GetUser(USER);
94 int gid = Privsep_GetGroup(GROUPGLOBAL);
96 chown(FTS_QUEUE, uid, gid);
98 fp_list = fopen(FTS_QUEUE, "r+");
101 merror(FOPEN_ERROR, ARGV0, FTS_QUEUE);
/* Load every line already in the FTS queue file into the in-memory store */
108 fseek(fp_list, 0, SEEK_SET);
109 while(fgets(_line, OS_FLSIZE , fp_list) != NULL)
113 /* Removing new lines */
114 tmp_s = strchr(_line, '\n');
121 os_strdup(_line, tmp_s);
122 if(OSHash_Add(fts_store, tmp_s, tmp_s) <= 0)
125 merror(LIST_ADD_ERROR, ARGV0);
130 /* Creating ignore list */
131 fp_ignore = fopen(IG_QUEUE, "r+");
/* Create the file if it can't be opened read/write.  The chmod()/chown()
 * that follow tighten its mode and ownership, but their return values are
 * not checked, so a failure there silently leaves the file as fopen()
 * created it. */
135 fp_ignore = fopen(IG_QUEUE, "w+");
139 chmod(IG_QUEUE, 0640);
141 int uid = Privsep_GetUser(USER);
142 int gid = Privsep_GetGroup(GROUPGLOBAL);
144 chown(IG_QUEUE, uid, gid);
146 fp_ignore = fopen(IG_QUEUE, "r+");
149 merror(FOPEN_ERROR, ARGV0, IG_QUEUE);
154 debug1("%s: DEBUG: FTSInit completed.", ARGV0);
/* AddtoIGnore -- appends an ignore-list line, built from the event fields
 * selected by the rule's ignore mask, to the IG_QUEUE file.
161 void AddtoIGnore(Eventinfo *lf)
163 fseek(fp_ignore, 0, SEEK_END);
/* Append one ignore-list line: the event fields selected by the rule's
 * ignore mask, space-separated, absent ones left empty, newline-terminated.
 * NOTE(review): the values come from the decoded event; a field containing
 * a space or newline changes how this positional line is read back by
 * IGnore(), so it is worth confirming the decoders never pass those through. */
170 fprintf(fp_ignore, "%s %s %s %s %s %s %s %s\n",
171 (lf->decoder_info->name && (lf->generated_rule->ignore & FTS_NAME))?
172 lf->decoder_info->name:"",
173 (lf->id && (lf->generated_rule->ignore & FTS_ID))?lf->id:"",
174 (lf->dstuser&&(lf->generated_rule->ignore & FTS_DSTUSER))?
176 (lf->srcip && (lf->generated_rule->ignore & FTS_SRCIP))?
178 (lf->dstip && (lf->generated_rule->ignore & FTS_DSTIP))?
180 (lf->data && (lf->generated_rule->ignore & FTS_DATA))?
182 (lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
184 (lf->generated_rule->ignore & FTS_LOCATION)?lf->location:"");
193 * Check if the event is to be ignored.
194 * Only after an event is matched (generated_rule must be set).
196 int IGnore(Eventinfo *lf)
198 char _line[OS_FLSIZE + 1];
199 char _fline[OS_FLSIZE +1];
201 _line[OS_FLSIZE] = '\0';
/* Build the lookup line in the same layout AddtoIGnore() writes: the
 * fields selected by the rule's check-ignore mask, space-separated, with a
 * trailing newline so it compares equal to a line read back by fgets().
 * NOTE(review): FTS_DATA and FTS_SYSTEMNAME are gated by
 * generated_rule->ignore here while every other field uses ->ckignore; if
 * that is unintentional, a rule whose two masks differ builds a line that
 * never matches its stored entry. */
205 snprintf(_line,OS_FLSIZE, "%s %s %s %s %s %s %s %s\n",
206 (lf->decoder_info->name && (lf->generated_rule->ckignore & FTS_NAME))?
207 lf->decoder_info->name:"",
208 (lf->id && (lf->generated_rule->ckignore & FTS_ID))?lf->id:"",
209 (lf->dstuser && (lf->generated_rule->ckignore & FTS_DSTUSER))?
211 (lf->srcip && (lf->generated_rule->ckignore & FTS_SRCIP))?
213 (lf->dstip && (lf->generated_rule->ckignore & FTS_DSTIP))?
215 (lf->data && (lf->generated_rule->ignore & FTS_DATA))?
217 (lf->systemname && (lf->generated_rule->ignore & FTS_SYSTEMNAME))?
219 (lf->generated_rule->ckignore & FTS_LOCATION)?lf->location:"");
221 _fline[OS_FLSIZE] = '\0';
224 /** Checking if the ignore is present **/
225 /* Pointing to the beginning of the file */
226 fseek(fp_ignore, 0, SEEK_SET);
227 while(fgets(_fline, OS_FLSIZE , fp_ignore) != NULL)
229 if(strcmp(_fline, _line) != 0)
232 /* If we match, we can return 1 */
* Check whether the FTS key built from this event (decoder name plus the
* fields selected by the decoder's fts mask) is already in the FTS store.
* If it is not, record it in memory and append it to the FTS queue file.
244 int FTS(Eventinfo *lf)
246 int number_of_matches = 0;
248 char _line[OS_FLSIZE + 1];
250 char *line_for_list = NULL;
252 OSListNode *fts_node;
254 _line[OS_FLSIZE] = '\0';
/* Build the FTS key: the decoder name, then each event field enabled in
 * the decoder's fts mask, space-separated; unselected or absent fields are
 * left empty.  snprintf() bounds the result to OS_FLSIZE. */
258 snprintf(_line, OS_FLSIZE, "%s %s %s %s %s %s %s %s %s",
259 lf->decoder_info->name,
260 (lf->id && (lf->decoder_info->fts & FTS_ID))?lf->id:"",
261 (lf->dstuser && (lf->decoder_info->fts & FTS_DSTUSER))?lf->dstuser:"",
262 (lf->srcuser && (lf->decoder_info->fts & FTS_SRCUSER))?lf->srcuser:"",
263 (lf->srcip && (lf->decoder_info->fts & FTS_SRCIP))?lf->srcip:"",
264 (lf->dstip && (lf->decoder_info->fts & FTS_DSTIP))?lf->dstip:"",
265 (lf->data && (lf->decoder_info->fts & FTS_DATA))?lf->data:"",
266 (lf->systemname && (lf->decoder_info->fts & FTS_SYSTEMNAME))?lf->systemname:"",
267 (lf->decoder_info->fts & FTS_LOCATION)?lf->location:"");
270 /** Checking if FTS is already present **/
271 if(OSHash_Get(fts_store, _line))
277 /* Checking if from the last FTS events, we had
278 * at least 3 "similars" before. If yes, we just
281 if(lf->decoder_info->type == IDS)
283 fts_node = OSList_GetLastNode(fts_list);
286 if(OS_StrHowClosedMatch((char *)fts_node->data, _line) >
291 /* We go and add this new entry to the list */
292 if(number_of_matches > 2)
294 _line[fts_minsize_for_str] = '\0';
299 fts_node = OSList_GetPrevNode(fts_list);
302 os_strdup(_line, line_for_list);
303 OSList_AddData(fts_list, line_for_list);
307 /* Storing new entry */
308 if(line_for_list == NULL)
310 os_strdup(_line, line_for_list);
313 if(OSHash_Add(fts_store, line_for_list, line_for_list) <= 1)
324 /* Saving to fts fp */
325 fseek(fp_list, 0, SEEK_END);
326 fprintf(fp_list,"%s\n", _line);