Created
August 28, 2012 15:41
-
-
Save reyjrar/3499235 to your computer and use it in GitHub Desktop.
incomplete C code I'm workign on for adding accumulation of attributes to OSSEC-HIDS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| int Accumulate(Eventinfo *lf) | |
| { | |
| // Declare our variables | |
| bool do_update = false; | |
| char _key[OS_ACM_MAXKEY]; | |
| char _data[OS_ACM_MAXDATA]; | |
| char hashed_line[OS_ACM_MAXDATA]; | |
| char hash_buffer[OS_ACM_MAXELM]; | |
| int hash_field = 0; | |
| int hash_idx = 0; | |
| char elm_dstuser[OS_ACM_MAXELM]; | |
| char elm_srcuser[OS_ACM_MAXELM]; | |
| char elm_srcip[OS_ACM_MAXELM]; | |
| char elm_dstip[OS_ACM_MAXELM]; | |
| char elm_data[OS_ACM_MAXELM]; | |
| char tmp_expire[OS_ACM_MAXELM]; | |
| int elm_expire = 0; | |
| int result = 0; | |
| struct timeval tp; | |
| OSListNode *acm_node; | |
| // We need an ID to use the accumulator | |
| if( lf->id == NULL ) { | |
| // TODO: ERROR HERE | |
| return (-1); | |
| } | |
| if( lf->decoder_info == NULL ) { | |
| // TODO: ERROR HERE | |
| return (-1); | |
| } | |
| if( lf->decoder_info->name == NULL ) { | |
| // TODO: ERROR HERE | |
| return (-1); | |
| } | |
| // Initialize variables | |
| // Expire is 30 seconds past now | |
| gettimeofday(&tp, NULL); | |
| elm_expire = tp.tv_sec + 30; | |
| // Ensure elements are empty | |
| memset(elm_dstuser,0,OS_ACM_MAXELM); | |
| memset(elm_srcuser,0,OS_ACM_MAXELM); | |
| memset(elm_dstip, 0,OS_ACM_MAXELM); | |
| memset(elm_srcip, 0,OS_ACM_MAXELM); | |
| memset(elm_data, 0,OS_ACM_MAXELM); | |
| /* Accumulator Key */ | |
| result = snprintf(_key, OS_FLSIZE, "%s %s", | |
| lf->decoder_info->name, | |
| lf->id | |
| ); | |
| if( result < 0 || result >= sizeof(_key) ) { | |
| // TODO: ERROR HERE | |
| return (-1); | |
| } | |
| /** Checking if acm is already present **/ | |
| if((hash_line = OSHash_Get(acm_store, _key)) != NULL) { | |
| { | |
| do_update = true; | |
| int i; | |
| for ( i = 0; i <= OS_ACM_MAXDATA; i++ ) { | |
| if( hash_line[i] == '\0' || hash_line[i] == '\n' || hash_line[i] == '\r') { | |
| break; | |
| } | |
| if( hash_line[i] == ' ' ) { | |
| switch( hash_field ) { | |
| case ACM_EXPIRE: | |
| result = strncpy(tmp_expire, hash_buffer, OS_ACM_MAXELM ); | |
| break; | |
| case ACM_DSTUSER: | |
| result = strncpy(elm_dstuser, hash_buffer, OS_ACM_MAXELM ); | |
| break; | |
| case ACM_SRCUSER: | |
| result = strncpy(elm_srcuser, hash_buffer, OS_ACM_MAXELM ); | |
| break; | |
| case ACM_DSTIP: | |
| result = strncpy(elm_dstip, hash_buffer, OS_ACM_MAXELM ); | |
| break; | |
| case ACM_SRCIP: | |
| result = strncpy(elm_srcip, hash_buffer, OS_ACM_MAXELM ); | |
| break; | |
| case ACM_DATA: | |
| result = strncpy(elm_data, hash_buffer, OS_ACM_MAXELM ); | |
| break; | |
| default: | |
| result = -1; | |
| break; | |
| } | |
| // Check the result of our operation | |
| if( result < 0 || result >= OS_ACM_MAXELM ) { | |
| // TODO: ERROR HERE | |
| return (-1); | |
| } | |
| // Move on to the next field | |
| hash_field++; | |
| hash_idx=0; | |
| memset(hash_buffer, 0, OS_ACM_MAXELM); | |
| } | |
| else { | |
| hash_buffer[hash_idx] = hash_line[i]; | |
| hash_idx++; | |
| } | |
| } | |
| // Convert the tmp_expire to elm_expire | |
| if( tmp_expire != NULL ) { | |
| elm_expire = atoi(tmp_expire); | |
| } | |
| } | |
| if( tp.tv_sec < elm_expire ) { | |
| // Update the event | |
| do { | |
| if ( !lf->dstuser && elm_dstuser != NULL ) { | |
| result = strncpy(lf->dstuser, elm_dstuser, OS_ACM_MAXELM); | |
| (result < 0 || result >= OS_ACM_MAXELM) && break; | |
| } | |
| if ( !lf->srcuser && elm_srcuser != NULL ) { | |
| result = strncpy(lf->srcuser, elm_srcuser, OS_ACM_MAXELM); | |
| (result < 0 || result >= OS_ACM_MAXELM) && break; | |
| } | |
| if ( !lf->dstip && elm_dstip != NULL ) { | |
| result = strncpy(lf->dstip, elm_dstip, OS_ACM_MAXELM); | |
| (result < 0 || result >= OS_ACM_MAXELM) && break; | |
| } | |
| if ( !lf->srcip && elm_srcip != NULL ) { | |
| result = strncpy(lf->srcip, elm_srcip, OS_ACM_MAXELM); | |
| (result < 0 || result >= OS_ACM_MAXELM) && break; | |
| } | |
| if ( !lf->data && elm_data != NULL ) { | |
| result = strncpy(lf->data, elm_data, OS_ACM_MAXELM); | |
| (result < 0 || result >= OS_ACM_MAXELM) && break; | |
| } | |
| }; | |
| if( result < 0 || result >= OS_ACM_MAXELM ) { | |
| // TODO: ERROR HERE | |
| return (-1); | |
| } | |
| // Setup the data for storage | |
| result = snprintf(_data, OS_ACM_MAXDATA, "%d %s %s %s %s %s", | |
| elm_expire, | |
| (lf->dstuser != NULL)?lf->dstuser:"", | |
| (lf->srcuser != NULL)?lf->srcuser:"", | |
| (lf->srcip != NULL)?lf->srcip:"", | |
| (lf->dstip != NULL)?lf->dstip:"", | |
| (lf->data != NULL)?lf->data:"" | |
| ); | |
| if( result < 0 || result >= OS_ACM_MAXDATA) { | |
| // TODO: ERROR HERE | |
| return (-1); | |
| } | |
| // Update or Add to the hash | |
| if( do_update ) { | |
| // Update the hash entry | |
| if(OSHash_Update(acm_store, _key, _data) <= 1) | |
| { | |
| return(0); | |
| } | |
| } | |
| else { | |
| if(OSHash_Add(acm_store, _key, _data) <= 1) | |
| { | |
| return(0); | |
| } | |
| } | |
| } | |
| #ifdef TESTRULE | |
| return(1); | |
| #endif | |
| /* Saving to acm ap */ | |
| fseek(ap_list, 0, SEEK_END); | |
| fprintf(ap_list,"%s|%s\n", _key, _data); | |
| return(1); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment