mirror of
https://github.com/BlackLight/Snort_AIPreproc.git
synced 2024-11-14 04:37:16 +01:00
Uniformed error messages format
This commit is contained in:
parent
7bbcb865af
commit
0b1862356c
13 changed files with 175 additions and 169 deletions
|
@ -4,7 +4,7 @@ AUTOMAKE_OPTIONS=foreign no-dependencies
|
||||||
|
|
||||||
libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
|
libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
|
||||||
lib_LTLIBRARIES = libsf_ai_preproc.la
|
lib_LTLIBRARIES = libsf_ai_preproc.la
|
||||||
libsf_ai_preproc_la_CFLAGS = -I./uthash -I./include ${LIBXML2_INCLUDES} ${LIBGRAPH_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE -fvisibility=hidden -fno-strict-aliasing -Wall -pedantic -pedantic-errors -fstack-protector
|
libsf_ai_preproc_la_CFLAGS = -I./uthash -I./include ${LIBXML2_INCLUDES} ${LIBGRAPH_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE -fvisibility=hidden -fno-strict-aliasing -Wall -pedantic -pedantic-errors -std=c99 -fstack-protector
|
||||||
libsf_ai_preproc_la_LDFLAGS = -module -export-dynamic
|
libsf_ai_preproc_la_LDFLAGS = -module -export-dynamic
|
||||||
|
|
||||||
BUILT_SOURCES = \
|
BUILT_SOURCES = \
|
||||||
|
|
|
@ -240,7 +240,7 @@ top_builddir = @top_builddir@
|
||||||
top_srcdir = @top_srcdir@
|
top_srcdir = @top_srcdir@
|
||||||
AUTOMAKE_OPTIONS = foreign no-dependencies
|
AUTOMAKE_OPTIONS = foreign no-dependencies
|
||||||
lib_LTLIBRARIES = libsf_ai_preproc.la
|
lib_LTLIBRARIES = libsf_ai_preproc.la
|
||||||
libsf_ai_preproc_la_CFLAGS = -I./uthash -I./include ${LIBXML2_INCLUDES} ${LIBGRAPH_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE -fvisibility=hidden -fno-strict-aliasing -Wall -pedantic -pedantic-errors -fstack-protector
|
libsf_ai_preproc_la_CFLAGS = -I./uthash -I./include ${LIBXML2_INCLUDES} ${LIBGRAPH_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE -fvisibility=hidden -fno-strict-aliasing -Wall -pedantic -pedantic-errors -std=c99 -fstack-protector
|
||||||
libsf_ai_preproc_la_LDFLAGS = -module -export-dynamic
|
libsf_ai_preproc_la_LDFLAGS = -module -export-dynamic
|
||||||
BUILT_SOURCES = \
|
BUILT_SOURCES = \
|
||||||
include/sf_dynamic_preproc_lib.c \
|
include/sf_dynamic_preproc_lib.c \
|
||||||
|
|
|
@ -82,15 +82,15 @@ AI_deserialize_alerts ()
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
if ( ! S_ISREG ( st.st_mode ))
|
if ( ! S_ISREG ( st.st_mode ))
|
||||||
_dpd.fatalMsg ( "AIPreproc: '%s' is not a regular file\n", config->alert_history_file );
|
AI_fatal_err ( "The specified alert history file is not a regular file", __FILE__, __LINE__ );
|
||||||
|
|
||||||
if ( !( fp = fopen ( config->alert_history_file, "r" )))
|
if ( !( fp = fopen ( config->alert_history_file, "r" )))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unable to read from the file '%s'\n", config->alert_history_file );
|
AI_fatal_err ( "Unable to read from the alert history file", __FILE__, __LINE__ );
|
||||||
|
|
||||||
AI_alerts_hash_free ( &alerts_hash );
|
AI_alerts_hash_free ( &alerts_hash );
|
||||||
|
|
||||||
if ( fread ( &lists_count, sizeof ( unsigned int ), 1, fp ) <= 0 )
|
if ( fread ( &lists_count, sizeof ( unsigned int ), 1, fp ) <= 0 )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Malformed history file '%s'\n", config->alert_history_file );
|
AI_fatal_err ( "Malformed binary history file", __FILE__, __LINE__ );
|
||||||
|
|
||||||
/* Fill the hash table reading from the file */
|
/* Fill the hash table reading from the file */
|
||||||
for ( i=0; i < lists_count; i++ )
|
for ( i=0; i < lists_count; i++ )
|
||||||
|
@ -99,30 +99,30 @@ AI_deserialize_alerts ()
|
||||||
event_prev = NULL;
|
event_prev = NULL;
|
||||||
|
|
||||||
if ( fread ( &items_count, sizeof ( unsigned int ), 1, fp ) <= 0 )
|
if ( fread ( &items_count, sizeof ( unsigned int ), 1, fp ) <= 0 )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Malformed history file '%s'\n", config->alert_history_file );
|
AI_fatal_err ( "Malformed history file", __FILE__, __LINE__ );
|
||||||
|
|
||||||
for ( j=0; j < items_count; j++ )
|
for ( j=0; j < items_count; j++ )
|
||||||
{
|
{
|
||||||
if ( j == 0 )
|
if ( j == 0 )
|
||||||
{
|
{
|
||||||
if ( !( event_list = ( AI_alert_event* ) malloc ( sizeof ( AI_alert_event ))))
|
if ( !( event_list = ( AI_alert_event* ) malloc ( sizeof ( AI_alert_event ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
memset ( event_list, 0, sizeof ( AI_alert_event ));
|
memset ( event_list, 0, sizeof ( AI_alert_event ));
|
||||||
event_iterator = event_list;
|
event_iterator = event_list;
|
||||||
} else {
|
} else {
|
||||||
if ( !( event_iterator = ( AI_alert_event* ) malloc ( sizeof ( AI_alert_event ))))
|
if ( !( event_iterator = ( AI_alert_event* ) malloc ( sizeof ( AI_alert_event ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
memset ( event_iterator, 0, sizeof ( AI_alert_event ));
|
memset ( event_iterator, 0, sizeof ( AI_alert_event ));
|
||||||
}
|
}
|
||||||
|
|
||||||
event_iterator->count = items_count;
|
event_iterator->count = items_count;
|
||||||
|
|
||||||
if ( fread ( &( event_iterator->key ), sizeof ( event_iterator->key ), 1, fp ) <= 0 )
|
if ( fread ( &( event_iterator->key ), sizeof ( event_iterator->key ), 1, fp ) <= 0 )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Malformed history file '%s'\n", config->alert_history_file );
|
AI_fatal_err ( "Malformed alert history file", __FILE__, __LINE__ );
|
||||||
|
|
||||||
if ( fread ( &( event_iterator->timestamp ), sizeof ( event_iterator->timestamp ), 1, fp ) <= 0 )
|
if ( fread ( &( event_iterator->timestamp ), sizeof ( event_iterator->timestamp ), 1, fp ) <= 0 )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Malformed history file '%s'\n", config->alert_history_file );
|
AI_fatal_err ( "Malformed alert history file", __FILE__, __LINE__ );
|
||||||
|
|
||||||
if ( event_prev )
|
if ( event_prev )
|
||||||
{
|
{
|
||||||
|
@ -168,7 +168,7 @@ AI_serialize_alerts ( AI_snort_alert **alerts_pool, unsigned int alerts_pool_cou
|
||||||
for ( i=0; i < alerts_pool_count; i++ )
|
for ( i=0; i < alerts_pool_count; i++ )
|
||||||
{
|
{
|
||||||
if ( !( event = ( AI_alert_event* ) malloc ( sizeof ( AI_alert_event ))))
|
if ( !( event = ( AI_alert_event* ) malloc ( sizeof ( AI_alert_event ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
memset ( event, 0, sizeof ( AI_alert_event ));
|
memset ( event, 0, sizeof ( AI_alert_event ));
|
||||||
key.gid = alerts_pool[i]->gid;
|
key.gid = alerts_pool[i]->gid;
|
||||||
|
@ -208,7 +208,7 @@ AI_serialize_alerts ( AI_snort_alert **alerts_pool, unsigned int alerts_pool_cou
|
||||||
hash_count = HASH_COUNT ( alerts_hash );
|
hash_count = HASH_COUNT ( alerts_hash );
|
||||||
|
|
||||||
if ( !( fp = fopen ( config->alert_history_file, "w" )))
|
if ( !( fp = fopen ( config->alert_history_file, "w" )))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unable to write on '%s'\n", config->alert_history_file );
|
AI_fatal_err ( "Unable to write on the alert history file", __FILE__, __LINE__ );
|
||||||
fwrite ( &hash_count, sizeof ( hash_count ), 1, fp );
|
fwrite ( &hash_count, sizeof ( hash_count ), 1, fp );
|
||||||
|
|
||||||
for ( event = alerts_hash; event; event = ( AI_alert_event* ) event->hh.next )
|
for ( event = alerts_hash; event; event = ( AI_alert_event* ) event->hh.next )
|
||||||
|
|
|
@ -98,7 +98,7 @@ AI_alerts_pool_thread ( void *arg )
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if ( pthread_create ( &serializer_thread, NULL, AI_serializer_thread, NULL ) != 0 )
|
if ( pthread_create ( &serializer_thread, NULL, AI_serializer_thread, NULL ) != 0 )
|
||||||
_dpd.fatalMsg ( "Failed to create the alerts' serializer thread\n" );
|
AI_fatal_err ( "Failed to create the alerts' serializer thread", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
pthread_exit ((void*) 0);
|
pthread_exit ((void*) 0);
|
||||||
|
@ -158,28 +158,28 @@ AI_file_alertparser_thread ( void* arg )
|
||||||
|
|
||||||
/* Initialize the pool of alerts to be passed to the serialization thread */
|
/* Initialize the pool of alerts to be passed to the serialization thread */
|
||||||
if ( !( alerts_pool = ( AI_snort_alert** ) malloc ( config->alert_bufsize * sizeof ( AI_snort_alert* ))))
|
if ( !( alerts_pool = ( AI_snort_alert** ) malloc ( config->alert_bufsize * sizeof ( AI_snort_alert* ))))
|
||||||
_dpd.fatalMsg ( "Dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
for ( i=0; i < config->alert_bufsize; i++ )
|
for ( i=0; i < config->alert_bufsize; i++ )
|
||||||
alerts_pool[i] = NULL;
|
alerts_pool[i] = NULL;
|
||||||
|
|
||||||
/* Initialize the thread for managing the serialization of alerts' pool */
|
/* Initialize the thread for managing the serialization of alerts' pool */
|
||||||
if ( pthread_create ( &alerts_pool_thread, NULL, AI_alerts_pool_thread, NULL ) != 0 )
|
if ( pthread_create ( &alerts_pool_thread, NULL, AI_alerts_pool_thread, NULL ) != 0 )
|
||||||
_dpd.fatalMsg ( "Failed to create the alerts' pool management thread\n" );
|
AI_fatal_err ( "Failed to create the alerts' pool management thread", __FILE__, __LINE__ );
|
||||||
|
|
||||||
while ( 1 )
|
while ( 1 )
|
||||||
{
|
{
|
||||||
#ifdef LINUX
|
#ifdef LINUX
|
||||||
if (( ifd = inotify_init() ) < 0 )
|
if (( ifd = inotify_init() ) < 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Could not initialize an inotify object on the alert log file" );
|
AI_fatal_err ( "Could not initialize an inotify object on the alert log file", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( stat ( config->alertfile, &st ) < 0 )
|
if ( stat ( config->alertfile, &st ) < 0 )
|
||||||
{
|
{
|
||||||
if (( wd = inotify_add_watch ( ifd, config->alertfile, IN_CREATE )) < 0 )
|
if (( wd = inotify_add_watch ( ifd, config->alertfile, IN_CREATE )) < 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Could not initialize a watch descriptor on the alert log file" );
|
AI_fatal_err ( "Could not initialize a watch descriptor on the alert log file", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
read ( ifd, line, sizeof(line) );
|
read ( ifd, line, sizeof(line) );
|
||||||
|
@ -189,14 +189,14 @@ AI_file_alertparser_thread ( void* arg )
|
||||||
{
|
{
|
||||||
if ( ! (alert_fp = fopen ( config->alertfile, "r" )) )
|
if ( ! (alert_fp = fopen ( config->alertfile, "r" )) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Could not open alert log file for reading" );
|
AI_fatal_err ( "Could not open alert log file for reading", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (( wd = inotify_add_watch ( ifd, config->alertfile, IN_MODIFY )) < 0 )
|
if (( wd = inotify_add_watch ( ifd, config->alertfile, IN_MODIFY )) < 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Could not initialize a watch descriptor on the alert log file" );
|
AI_fatal_err ( "Could not initialize a watch descriptor on the alert log file", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
fseek ( alert_fp, 0, SEEK_END );
|
fseek ( alert_fp, 0, SEEK_END );
|
||||||
|
@ -212,7 +212,7 @@ AI_file_alertparser_thread ( void* arg )
|
||||||
{
|
{
|
||||||
if ( ! (alert_fp = fopen ( config->alertfile, "r" )) )
|
if ( ! (alert_fp = fopen ( config->alertfile, "r" )) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Could not open alert log file for reading" );
|
AI_fatal_err ( "Could not open alert log file for reading", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
else if( fd == -1 ){
|
else if( fd == -1 ){
|
||||||
/*
|
/*
|
||||||
|
@ -283,12 +283,12 @@ AI_file_alertparser_thread ( void* arg )
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( pthread_create ( &serializer_thread, NULL, AI_serializer_thread, alert ) != 0 )
|
if ( pthread_create ( &serializer_thread, NULL, AI_serializer_thread, alert ) != 0 )
|
||||||
_dpd.fatalMsg ( "Failed to create the alerts' serializer thread\n" );
|
AI_fatal_err ( "Failed to create the alerts' serializer thread", __FILE__, __LINE__ );
|
||||||
|
|
||||||
if ( config->outdbtype != outdb_none )
|
if ( config->outdbtype != outdb_none )
|
||||||
{
|
{
|
||||||
if ( pthread_create ( &db_thread, NULL, AI_store_alert_to_db_thread, alert ) != 0 )
|
if ( pthread_create ( &db_thread, NULL, AI_store_alert_to_db_thread, alert ) != 0 )
|
||||||
_dpd.fatalMsg ( "Failed to create the alert to db storing thread\n" );
|
AI_fatal_err ( "Failed to create the alert to db storing thread", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
in_alert = false;
|
in_alert = false;
|
||||||
|
@ -308,7 +308,7 @@ AI_file_alertparser_thread ( void* arg )
|
||||||
|
|
||||||
if ( !( alert = ( AI_snort_alert* ) malloc ( sizeof( AI_snort_alert ))))
|
if ( !( alert = ( AI_snort_alert* ) malloc ( sizeof( AI_snort_alert ))))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "\nDynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
memset ( alert, 0, sizeof(AI_snort_alert) );
|
memset ( alert, 0, sizeof(AI_snort_alert) );
|
||||||
|
@ -324,7 +324,7 @@ AI_file_alertparser_thread ( void* arg )
|
||||||
free ( matches );
|
free ( matches );
|
||||||
matches = NULL;
|
matches = NULL;
|
||||||
} else {
|
} else {
|
||||||
_dpd.fatalMsg ( "Parse error: a line in the alert log cannot be associated to an alert block\n" );
|
AI_fatal_err ( "Parse error: a line in the alert log cannot be associated to an alert block", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
} else if ( preg_match ( "\\[Priority:\\s*([0-9]+)\\]", line, &matches, &nmatches) > 0 ) {
|
} else if ( preg_match ( "\\[Priority:\\s*([0-9]+)\\]", line, &matches, &nmatches) > 0 ) {
|
||||||
alert->priority = (unsigned short) strtoul ( matches[0], NULL, 10 );
|
alert->priority = (unsigned short) strtoul ( matches[0], NULL, 10 );
|
||||||
|
@ -480,7 +480,7 @@ _AI_copy_alerts ( AI_snort_alert *node )
|
||||||
|
|
||||||
if ( !( current = ( AI_snort_alert* ) malloc ( sizeof ( AI_snort_alert )) ))
|
if ( !( current = ( AI_snort_alert* ) malloc ( sizeof ( AI_snort_alert )) ))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Fatal dynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
memcpy ( current, node, sizeof ( AI_snort_alert ));
|
memcpy ( current, node, sizeof ( AI_snort_alert ));
|
||||||
|
|
|
@ -152,7 +152,7 @@ AI_alert_bayesian_correlation ( AI_snort_alert *a, AI_snort_alert *b )
|
||||||
found->latest_computation_time = time ( NULL );
|
found->latest_computation_time = time ( NULL );
|
||||||
} else {
|
} else {
|
||||||
if ( !( found = ( AI_bayesian_correlation* ) malloc ( sizeof ( AI_bayesian_correlation ))))
|
if ( !( found = ( AI_bayesian_correlation* ) malloc ( sizeof ( AI_bayesian_correlation ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
found->key = bayesian_key;
|
found->key = bayesian_key;
|
||||||
found->correlation = corr;
|
found->correlation = corr;
|
||||||
|
|
22
cluster.c
22
cluster.c
|
@ -91,7 +91,7 @@ _heuristic_func ( cluster_type type )
|
||||||
{
|
{
|
||||||
if ( !( value = ( attribute_value* ) malloc ( sizeof ( attribute_value )) ))
|
if ( !( value = ( attribute_value* ) malloc ( sizeof ( attribute_value )) ))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Fatal dynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation failure", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
memset ( value, 0, sizeof ( attribute_value ));
|
memset ( value, 0, sizeof ( attribute_value ));
|
||||||
|
@ -137,7 +137,7 @@ _hierarchy_node_new ( char *label, int min_val, int max_val )
|
||||||
|
|
||||||
if ( !( n = ( hierarchy_node* ) malloc ( sizeof ( hierarchy_node )) ))
|
if ( !( n = ( hierarchy_node* ) malloc ( sizeof ( hierarchy_node )) ))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Dynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation failure", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
n->min_val = min_val;
|
n->min_val = min_val;
|
||||||
|
@ -162,7 +162,7 @@ _hierarchy_node_append ( hierarchy_node *parent, hierarchy_node *child )
|
||||||
{
|
{
|
||||||
if ( !( parent->children = ( hierarchy_node** ) realloc ( parent->children, (++(parent->nchildren)) * sizeof ( hierarchy_node* )) ))
|
if ( !( parent->children = ( hierarchy_node** ) realloc ( parent->children, (++(parent->nchildren)) * sizeof ( hierarchy_node* )) ))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Dynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation failure", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
parent->children[ parent->nchildren - 1 ] = child;
|
parent->children[ parent->nchildren - 1 ] = child;
|
||||||
|
@ -286,25 +286,25 @@ _AI_merge_alerts ( AI_snort_alert **log )
|
||||||
if ( config->outdbtype != outdb_none )
|
if ( config->outdbtype != outdb_none )
|
||||||
{
|
{
|
||||||
if ( !( alerts_couple = (AI_alerts_couple*) malloc ( sizeof ( AI_alerts_couple ))))
|
if ( !( alerts_couple = (AI_alerts_couple*) malloc ( sizeof ( AI_alerts_couple ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
alerts_couple->alert1 = tmp;
|
alerts_couple->alert1 = tmp;
|
||||||
alerts_couple->alert2 = tmp2->next;
|
alerts_couple->alert2 = tmp2->next;
|
||||||
|
|
||||||
if ( pthread_create ( &db_thread, NULL, AI_store_cluster_to_db_thread, alerts_couple ) != 0 )
|
if ( pthread_create ( &db_thread, NULL, AI_store_cluster_to_db_thread, alerts_couple ) != 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Failed to create the cluster-to-database thread: %s\n", strerror(errno) );
|
AI_fatal_err ( "Failed to create the cluster-to-database thread", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( pthread_join ( db_thread, NULL ) != 0 )
|
if ( pthread_join ( db_thread, NULL ) != 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Could not join the cluster-to-database thread: %s\n", strerror(errno) );
|
AI_fatal_err ( "Could not join the cluster-to-database thread", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Merge the two alerts */
|
/* Merge the two alerts */
|
||||||
if ( !( tmp->grouped_alerts = ( AI_snort_alert** ) realloc ( tmp->grouped_alerts, (++(tmp->grouped_alerts_count)) * sizeof ( AI_snort_alert* ))))
|
if ( !( tmp->grouped_alerts = ( AI_snort_alert** ) realloc ( tmp->grouped_alerts, (++(tmp->grouped_alerts_count)) * sizeof ( AI_snort_alert* ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
tmp->grouped_alerts[ tmp->grouped_alerts_count - 1 ] = tmp2->next;
|
tmp->grouped_alerts[ tmp->grouped_alerts_count - 1 ] = tmp2->next;
|
||||||
count++;
|
count++;
|
||||||
|
@ -354,7 +354,7 @@ _AI_get_alerts_heterogeneity ( int *alert_count )
|
||||||
if ( !found )
|
if ( !found )
|
||||||
{
|
{
|
||||||
if ( !( found = (AI_alert_occurrence*) malloc ( sizeof ( AI_alert_occurrence ))))
|
if ( !( found = (AI_alert_occurrence*) malloc ( sizeof ( AI_alert_occurrence ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
found->key = key;
|
found->key = key;
|
||||||
found->count = 1;
|
found->count = 1;
|
||||||
|
@ -674,7 +674,7 @@ AI_hierarchies_build ( hierarchy_node **nodes, int n_nodes )
|
||||||
|
|
||||||
if ( _AI_check_duplicate ( nodes[i], root ))
|
if ( _AI_check_duplicate ( nodes[i], root ))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Parse error: duplicate cluster range '%d-%d' in configuration\n", nodes[i]->min_val, nodes[i]->max_val );
|
AI_fatal_err ( "Parse error: duplicate cluster range in module configuration", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( j=0; j < n_nodes; j++ )
|
for ( j=0; j < n_nodes; j++ )
|
||||||
|
@ -709,7 +709,7 @@ AI_hierarchies_build ( hierarchy_node **nodes, int n_nodes )
|
||||||
|
|
||||||
if ( pthread_create ( &cluster_thread, NULL, _AI_cluster_thread, NULL ) != 0 )
|
if ( pthread_create ( &cluster_thread, NULL, _AI_cluster_thread, NULL ) != 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Failed to create the hash cleanup thread\n" );
|
AI_fatal_err ( "Failed to create the hash cleanup thread", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
} /* ----- end of function AI_hierarchies_build ----- */
|
} /* ----- end of function AI_hierarchies_build ----- */
|
||||||
|
|
||||||
|
@ -736,7 +736,7 @@ _AI_copy_clustered_alerts ( AI_snort_alert *node )
|
||||||
|
|
||||||
if ( !( current = ( AI_snort_alert* ) malloc ( sizeof ( AI_snort_alert )) ))
|
if ( !( current = ( AI_snort_alert* ) malloc ( sizeof ( AI_snort_alert )) ))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Fatal dynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation failure", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
memcpy ( current, node, sizeof ( AI_snort_alert ));
|
memcpy ( current, node, sizeof ( AI_snort_alert ));
|
||||||
|
|
|
@ -197,7 +197,7 @@ _AI_get_function_arguments ( char *orig_stmt, int *n_args )
|
||||||
|
|
||||||
while ( tok ) {
|
while ( tok ) {
|
||||||
if ( !( args = (char**) realloc ( args, (++(*n_args)) * sizeof ( char* ))))
|
if ( !( args = (char**) realloc ( args, (++(*n_args)) * sizeof ( char* ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
args [ (*n_args) - 1 ] = strdup ( tok );
|
args [ (*n_args) - 1 ] = strdup ( tok );
|
||||||
tok = (char*) strtok ( NULL, " " );
|
tok = (char*) strtok ( NULL, " " );
|
||||||
|
@ -296,15 +296,15 @@ _AI_kb_correlation_coefficient ( AI_snort_alert *a, AI_snort_alert *b )
|
||||||
if ( preg_match ( "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$", args2[k], NULL, NULL ))
|
if ( preg_match ( "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$", args2[k], NULL, NULL ))
|
||||||
{
|
{
|
||||||
if (( netmask = strtol ( matches[1], NULL, 10 )) > 32 )
|
if (( netmask = strtol ( matches[1], NULL, 10 )) > 32 )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Invalid netmask value in '%s'\n", args1[k] );
|
AI_fatal_err ( "Invalid IP netmask value in configuration", __FILE__, __LINE__ );
|
||||||
|
|
||||||
if (( min_addr = inet_addr ( matches[0] )) == INADDR_NONE )
|
if (( min_addr = inet_addr ( matches[0] )) == INADDR_NONE )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Invalid base IP address in '%s'\n", args1[k] );
|
AI_fatal_err ( "Invalid base IP address in configuration", __FILE__, __LINE__ );
|
||||||
|
|
||||||
ipaddr = inet_addr ( args2[k] );
|
ipaddr = inet_addr ( args2[k] );
|
||||||
|
|
||||||
if ( ipaddr == INADDR_NONE )
|
if ( ipaddr == INADDR_NONE )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Invalid base IP address in '%s'\n", args2[k] );
|
AI_fatal_err ( "Invalid base IP address in configuration", __FILE__, __LINE__ );
|
||||||
|
|
||||||
netmask = 1 << (( 8*sizeof ( uint32_t )) - netmask );
|
netmask = 1 << (( 8*sizeof ( uint32_t )) - netmask );
|
||||||
min_addr = ntohl ( min_addr ) & (~(netmask - 1));
|
min_addr = ntohl ( min_addr ) & (~(netmask - 1));
|
||||||
|
@ -328,15 +328,15 @@ _AI_kb_correlation_coefficient ( AI_snort_alert *a, AI_snort_alert *b )
|
||||||
if ( preg_match ( "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$", args1[k], NULL, NULL ))
|
if ( preg_match ( "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$", args1[k], NULL, NULL ))
|
||||||
{
|
{
|
||||||
if (( netmask = strtol ( matches[1], NULL, 10 )) > 32 )
|
if (( netmask = strtol ( matches[1], NULL, 10 )) > 32 )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Invalid netmask value in '%s'\n", args2[k] );
|
AI_fatal_err ( "Invalid IP netmask value in configuration", __FILE__, __LINE__ );
|
||||||
|
|
||||||
if (( min_addr = inet_addr ( matches[0] )) == INADDR_NONE )
|
if (( min_addr = inet_addr ( matches[0] )) == INADDR_NONE )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Invalid base IP address in '%s'\n", args2[k] );
|
AI_fatal_err ( "Invalid base IP address in configuration", __FILE__, __LINE__ );
|
||||||
|
|
||||||
ipaddr = inet_addr ( args1[k] );
|
ipaddr = inet_addr ( args1[k] );
|
||||||
|
|
||||||
if ( ipaddr == INADDR_NONE )
|
if ( ipaddr == INADDR_NONE )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Invalid base IP address in '%s'\n", args1[k] );
|
AI_fatal_err ( "Invalid base IP address in configuration", __FILE__, __LINE__ );
|
||||||
|
|
||||||
netmask = 1 << (( 8*sizeof ( uint32_t )) - netmask );
|
netmask = 1 << (( 8*sizeof ( uint32_t )) - netmask );
|
||||||
min_addr = ntohl ( min_addr ) & (~(netmask - 1));
|
min_addr = ntohl ( min_addr ) & (~(netmask - 1));
|
||||||
|
@ -535,7 +535,7 @@ _AI_hyperalert_from_XML ( AI_hyperalert_key key )
|
||||||
|
|
||||||
if ( !( hyp = ( AI_hyperalert_info* ) malloc ( sizeof ( AI_hyperalert_info ))))
|
if ( !( hyp = ( AI_hyperalert_info* ) malloc ( sizeof ( AI_hyperalert_info ))))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
memset ( hyp, 0, sizeof ( AI_hyperalert_info ));
|
memset ( hyp, 0, sizeof ( AI_hyperalert_info ));
|
||||||
|
@ -563,59 +563,59 @@ _AI_hyperalert_from_XML ( AI_hyperalert_key key )
|
||||||
if ( !strcasecmp ((const char*) tagname, "hyperalert" ))
|
if ( !strcasecmp ((const char*) tagname, "hyperalert" ))
|
||||||
{
|
{
|
||||||
if ( xmlFlags[inHyperAlert] )
|
if ( xmlFlags[inHyperAlert] )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': the hyperalert tag was opened twice\n", hyperalert_file );
|
AI_fatal_err ( "Error in XML correlation rules: the hyperalert tag was opened twice", __FILE__, __LINE__ );
|
||||||
else
|
else
|
||||||
xmlFlags[inHyperAlert] = true;
|
xmlFlags[inHyperAlert] = true;
|
||||||
} else if ( !strcasecmp ((const char*) tagname, "snort-id" )) {
|
} else if ( !strcasecmp ((const char*) tagname, "snort-id" )) {
|
||||||
if ( xmlFlags[inSnortIdTag] )
|
if ( xmlFlags[inSnortIdTag] )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': 'snort-id' tag open inside of another 'snort-id' tag\n", hyperalert_file );
|
AI_fatal_err ( "Error in XML correlation rules: 'snort-id' tag open inside of another 'snort-id' tag", __FILE__, __LINE__ );
|
||||||
else if ( !xmlFlags[inHyperAlert] )
|
else if ( !xmlFlags[inHyperAlert] )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': 'snort-id' tag open outside of 'hyperalert' tag\n", hyperalert_file );
|
AI_fatal_err ( "Error in XML correlation rules: 'snort-id' tag open outside of 'hyperalert' tag", __FILE__, __LINE__ );
|
||||||
else
|
else
|
||||||
xmlFlags[inSnortIdTag] = true;
|
xmlFlags[inSnortIdTag] = true;
|
||||||
} else if ( !strcasecmp ((const char*) tagname, "pre" )) {
|
} else if ( !strcasecmp ((const char*) tagname, "pre" )) {
|
||||||
if ( xmlFlags[inPreTag] )
|
if ( xmlFlags[inPreTag] )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': 'pre' tag open inside of another 'pre' tag\n", hyperalert_file );
|
AI_fatal_err ( "Error in XML correlation rules: 'pre' tag open inside of another 'pre' tag", __FILE__, __LINE__ );
|
||||||
else if ( !xmlFlags[inHyperAlert] )
|
else if ( !xmlFlags[inHyperAlert] )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': 'pre' tag open outside of 'hyperalert' tag\n", hyperalert_file );
|
AI_fatal_err ( "Error in XML correlation rules: 'pre' tag open outside of 'hyperalert' tag", __FILE__, __LINE__ );
|
||||||
else
|
else
|
||||||
xmlFlags[inPreTag] = true;
|
xmlFlags[inPreTag] = true;
|
||||||
} else if ( !strcasecmp ((const char*) tagname, "post" )) {
|
} else if ( !strcasecmp ((const char*) tagname, "post" )) {
|
||||||
if ( xmlFlags[inPostTag] )
|
if ( xmlFlags[inPostTag] )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': 'post' tag open inside of another 'post' tag\n", hyperalert_file );
|
AI_fatal_err ( "Error in XML correlation rules: 'post' tag open inside of another 'post' tag", __FILE__, __LINE__ );
|
||||||
else if ( !xmlFlags[inHyperAlert] )
|
else if ( !xmlFlags[inHyperAlert] )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': 'post' tag open outside of 'hyperalert' tag\n", hyperalert_file );
|
AI_fatal_err ( "Error in XML correlation rules: 'post' tag open outside of 'hyperalert' tag", __FILE__, __LINE__ );
|
||||||
else
|
else
|
||||||
xmlFlags[inPostTag] = true;
|
xmlFlags[inPostTag] = true;
|
||||||
} else if ( !strcasecmp ((const char*) tagname, "desc" )) {}
|
} else if ( !strcasecmp ((const char*) tagname, "desc" )) {}
|
||||||
else {
|
else {
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unrecognized tag '%s' in XML file '%s'\n", tagname, hyperalert_file );
|
AI_fatal_err ( "Unrecognized tag in XML correlation rules", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
} else if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_END_ELEMENT ) {
|
} else if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_END_ELEMENT ) {
|
||||||
if ( !strcasecmp ((const char*) tagname, "hyperalert" ))
|
if ( !strcasecmp ((const char*) tagname, "hyperalert" ))
|
||||||
{
|
{
|
||||||
if ( !xmlFlags[inHyperAlert] )
|
if ( !xmlFlags[inHyperAlert] )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': hyperalert tag closed but never opend\n", hyperalert_file );
|
AI_fatal_err ( "Error in XML correlation rules: hyperalert tag closed but never opend", __FILE__, __LINE__ );
|
||||||
else
|
else
|
||||||
xmlFlags[inHyperAlert] = false;
|
xmlFlags[inHyperAlert] = false;
|
||||||
} else if ( !strcasecmp ((const char*) tagname, "snort-id" )) {
|
} else if ( !strcasecmp ((const char*) tagname, "snort-id" )) {
|
||||||
if ( !xmlFlags[inSnortIdTag] )
|
if ( !xmlFlags[inSnortIdTag] )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': snort-id tag closed but never opend\n", hyperalert_file );
|
AI_fatal_err ( "Error in XML correlation rules: snort-id tag closed but never opend", __FILE__, __LINE__ );
|
||||||
else
|
else
|
||||||
xmlFlags[inSnortIdTag] = false;
|
xmlFlags[inSnortIdTag] = false;
|
||||||
} else if ( !strcasecmp ((const char*) tagname, "pre" )) {
|
} else if ( !strcasecmp ((const char*) tagname, "pre" )) {
|
||||||
if ( !xmlFlags[inPreTag] )
|
if ( !xmlFlags[inPreTag] )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': pre tag closed but never opend\n", hyperalert_file );
|
AI_fatal_err ( "Error in XML correlation rules: pre tag closed but never opend", __FILE__, __LINE__ );
|
||||||
else
|
else
|
||||||
xmlFlags[inPreTag] = false;
|
xmlFlags[inPreTag] = false;
|
||||||
} else if ( !strcasecmp ((const char*) tagname, "post" )) {
|
} else if ( !strcasecmp ((const char*) tagname, "post" )) {
|
||||||
if ( !xmlFlags[inPostTag] )
|
if ( !xmlFlags[inPostTag] )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': post tag closed but never opend\n", hyperalert_file );
|
AI_fatal_err ( "Error in XML correlation rules: post tag closed but never opend", __FILE__, __LINE__ );
|
||||||
else
|
else
|
||||||
xmlFlags[inPostTag] = false;
|
xmlFlags[inPostTag] = false;
|
||||||
} else if ( !strcasecmp ((const char*) tagname, "desc" )) {}
|
} else if ( !strcasecmp ((const char*) tagname, "desc" )) {}
|
||||||
else {
|
else {
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unrecognized tag '%s' in XML file '%s'\n", tagname, hyperalert_file );
|
AI_fatal_err ( "Unrecognized tag in XML correlation rules", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
} else if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_TEXT ) {
|
} else if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_TEXT ) {
|
||||||
if ( !( tagvalue = xmlTextReaderConstValue ( xml )))
|
if ( !( tagvalue = xmlTextReaderConstValue ( xml )))
|
||||||
|
@ -635,14 +635,12 @@ _AI_hyperalert_from_XML ( AI_hyperalert_key key )
|
||||||
}
|
}
|
||||||
} else if ( xmlFlags[inPreTag] ) {
|
} else if ( xmlFlags[inPreTag] ) {
|
||||||
if ( !( hyp->preconds = (char**) realloc ( hyp->preconds, (++hyp->n_preconds)*sizeof(char*) )))
|
if ( !( hyp->preconds = (char**) realloc ( hyp->preconds, (++hyp->n_preconds)*sizeof(char*) )))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal allocation memory error at %s:%d\n",
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
__FILE__, __LINE__ );
|
|
||||||
|
|
||||||
hyp->preconds[hyp->n_preconds-1] = strdup ((const char*) tagvalue );
|
hyp->preconds[hyp->n_preconds-1] = strdup ((const char*) tagvalue );
|
||||||
} else if ( xmlFlags[inPostTag] ) {
|
} else if ( xmlFlags[inPostTag] ) {
|
||||||
if ( !( hyp->postconds = (char**) realloc ( hyp->postconds, (++hyp->n_postconds)*sizeof(char*) )))
|
if ( !( hyp->postconds = (char**) realloc ( hyp->postconds, (++hyp->n_postconds)*sizeof(char*) )))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal allocation memory error at %s:%d\n",
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
__FILE__, __LINE__ );
|
|
||||||
|
|
||||||
hyp->postconds[hyp->n_postconds-1] = strdup ((const char*) tagvalue );
|
hyp->postconds[hyp->n_postconds-1] = strdup ((const char*) tagvalue );
|
||||||
}
|
}
|
||||||
|
@ -741,20 +739,20 @@ AI_alert_correlation_thread ( void *arg )
|
||||||
|
|
||||||
/* Fill the hyper alert info for the current alert */
|
/* Fill the hyper alert info for the current alert */
|
||||||
if ( !( alert_iterator->hyperalert = ( AI_hyperalert_info* ) malloc ( sizeof ( AI_hyperalert_info ))))
|
if ( !( alert_iterator->hyperalert = ( AI_hyperalert_info* ) malloc ( sizeof ( AI_hyperalert_info ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
alert_iterator->hyperalert->key = hyp->key;
|
alert_iterator->hyperalert->key = hyp->key;
|
||||||
alert_iterator->hyperalert->n_preconds = hyp->n_preconds;
|
alert_iterator->hyperalert->n_preconds = hyp->n_preconds;
|
||||||
alert_iterator->hyperalert->n_postconds = hyp->n_postconds;
|
alert_iterator->hyperalert->n_postconds = hyp->n_postconds;
|
||||||
|
|
||||||
if ( !( alert_iterator->hyperalert->preconds = ( char** ) malloc ( alert_iterator->hyperalert->n_preconds * sizeof ( char* ))))
|
if ( !( alert_iterator->hyperalert->preconds = ( char** ) malloc ( alert_iterator->hyperalert->n_preconds * sizeof ( char* ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
for ( i=0; i < alert_iterator->hyperalert->n_preconds; i++ )
|
for ( i=0; i < alert_iterator->hyperalert->n_preconds; i++ )
|
||||||
alert_iterator->hyperalert->preconds[i] = strdup ( hyp->preconds[i] );
|
alert_iterator->hyperalert->preconds[i] = strdup ( hyp->preconds[i] );
|
||||||
|
|
||||||
if ( !( alert_iterator->hyperalert->postconds = ( char** ) malloc ( alert_iterator->hyperalert->n_postconds * sizeof ( char* ))))
|
if ( !( alert_iterator->hyperalert->postconds = ( char** ) malloc ( alert_iterator->hyperalert->n_postconds * sizeof ( char* ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
for ( i=0; i < alert_iterator->hyperalert->n_postconds; i++ )
|
for ( i=0; i < alert_iterator->hyperalert->n_postconds; i++ )
|
||||||
alert_iterator->hyperalert->postconds[i] = strdup ( hyp->postconds[i] );
|
alert_iterator->hyperalert->postconds[i] = strdup ( hyp->postconds[i] );
|
||||||
|
@ -775,7 +773,7 @@ AI_alert_correlation_thread ( void *arg )
|
||||||
alert_iterator->rev == alert_iterator2->rev ))
|
alert_iterator->rev == alert_iterator2->rev ))
|
||||||
{
|
{
|
||||||
if ( !( corr = ( AI_alert_correlation* ) malloc ( sizeof ( AI_alert_correlation ))))
|
if ( !( corr = ( AI_alert_correlation* ) malloc ( sizeof ( AI_alert_correlation ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
corr_key.a = alert_iterator;
|
corr_key.a = alert_iterator;
|
||||||
corr_key.b = alert_iterator2;
|
corr_key.b = alert_iterator2;
|
||||||
|
@ -823,14 +821,14 @@ AI_alert_correlation_thread ( void *arg )
|
||||||
{
|
{
|
||||||
if ( mkdir ( config->corr_alerts_dir, 0755 ) < 0 )
|
if ( mkdir ( config->corr_alerts_dir, 0755 ) < 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unable to create directory '%s'\n", config->corr_alerts_dir );
|
AI_fatal_err ( "Unable to create directory the correlated alerts directory", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
} else if ( !S_ISDIR ( st.st_mode )) {
|
} else if ( !S_ISDIR ( st.st_mode )) {
|
||||||
_dpd.fatalMsg ( "AIPreproc: '%s' found but it's not a directory\n", config->corr_alerts_dir );
|
AI_fatal_err ( "The specified directory for correlated alerts is not a directory", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( !( fp = fopen ( corr_dot_file, "w" )))
|
if ( !( fp = fopen ( corr_dot_file, "w" )))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Could not write on file '%s'\n", corr_dot_file );
|
AI_fatal_err ( "Could not write on the correlated alerts .dot file", __FILE__, __LINE__ );
|
||||||
fprintf ( fp, "digraph G {\n" );
|
fprintf ( fp, "digraph G {\n" );
|
||||||
|
|
||||||
/* Find correlated alerts */
|
/* Find correlated alerts */
|
||||||
|
@ -844,10 +842,10 @@ AI_alert_correlation_thread ( void *arg )
|
||||||
corr->key.a->rev == corr->key.b->rev ))
|
corr->key.a->rev == corr->key.b->rev ))
|
||||||
{
|
{
|
||||||
if ( !( corr->key.a->derived_alerts = ( AI_snort_alert** ) realloc ( corr->key.a->derived_alerts, (++corr->key.a->n_derived_alerts) * sizeof ( AI_snort_alert* ))))
|
if ( !( corr->key.a->derived_alerts = ( AI_snort_alert** ) realloc ( corr->key.a->derived_alerts, (++corr->key.a->n_derived_alerts) * sizeof ( AI_snort_alert* ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
if ( !( corr->key.b->parent_alerts = ( AI_snort_alert** ) realloc ( corr->key.b->parent_alerts, (++corr->key.b->n_parent_alerts) * sizeof ( AI_snort_alert* ))))
|
if ( !( corr->key.b->parent_alerts = ( AI_snort_alert** ) realloc ( corr->key.b->parent_alerts, (++corr->key.b->n_parent_alerts) * sizeof ( AI_snort_alert* ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
corr->key.a->derived_alerts[ corr->key.a->n_derived_alerts - 1 ] = corr->key.b;
|
corr->key.a->derived_alerts[ corr->key.a->n_derived_alerts - 1 ] = corr->key.b;
|
||||||
corr->key.b->parent_alerts [ corr->key.b->n_parent_alerts - 1 ] = corr->key.a;
|
corr->key.b->parent_alerts [ corr->key.b->n_parent_alerts - 1 ] = corr->key.a;
|
||||||
|
@ -857,12 +855,12 @@ AI_alert_correlation_thread ( void *arg )
|
||||||
{
|
{
|
||||||
if ( pthread_create ( &db_thread, NULL, AI_store_correlation_to_db_thread, corr ) != 0 )
|
if ( pthread_create ( &db_thread, NULL, AI_store_correlation_to_db_thread, corr ) != 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Failed to create the correlation-to-database storing thread: %s\n", strerror ( errno ));
|
AI_fatal_err ( "Failed to create the correlation-to-database storing thread", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( pthread_join ( db_thread, NULL ) != 0 )
|
if ( pthread_join ( db_thread, NULL ) != 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Failed to join the correlation-to-database storing thread: %s\n", strerror ( errno ));
|
AI_fatal_err ( "Failed to join the correlation-to-database storing thread", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
33
db.c
33
db.c
|
@ -60,20 +60,19 @@ AI_db_alertparser_thread ( void *arg )
|
||||||
|
|
||||||
if ( !DB_init() )
|
if ( !DB_init() )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unable to connect to the database '%s' @ '%s'\n",
|
AI_fatal_err ( "Unable to connect to the database specified in module configuration", __FILE__, __LINE__ );
|
||||||
config->dbname, config->dbhost );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Initialize the pool of alerts to be passed to the serialization thread */
|
/* Initialize the pool of alerts to be passed to the serialization thread */
|
||||||
if ( !( alerts_pool = ( AI_snort_alert** ) malloc ( config->alert_bufsize * sizeof ( AI_snort_alert* ))))
|
if ( !( alerts_pool = ( AI_snort_alert** ) malloc ( config->alert_bufsize * sizeof ( AI_snort_alert* ))))
|
||||||
_dpd.fatalMsg ( "Dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
for ( i=0; i < config->alert_bufsize; i++ )
|
for ( i=0; i < config->alert_bufsize; i++ )
|
||||||
alerts_pool[i] = NULL;
|
alerts_pool[i] = NULL;
|
||||||
|
|
||||||
/* Initialize the thread for managing the serialization of alerts' pool */
|
/* Initialize the thread for managing the serialization of alerts' pool */
|
||||||
if ( pthread_create ( &alerts_pool_thread, NULL, AI_alerts_pool_thread, NULL ) != 0 )
|
if ( pthread_create ( &alerts_pool_thread, NULL, AI_alerts_pool_thread, NULL ) != 0 )
|
||||||
_dpd.fatalMsg ( "Failed to create the alerts' pool management thread\n" );
|
AI_fatal_err ( "Failed to create the alerts' pool management thread", __FILE__, __LINE__ );
|
||||||
|
|
||||||
while ( 1 )
|
while ( 1 )
|
||||||
{
|
{
|
||||||
|
@ -87,14 +86,13 @@ AI_db_alertparser_thread ( void *arg )
|
||||||
if ( !( res = (DB_result) DB_query ( query )))
|
if ( !( res = (DB_result) DB_query ( query )))
|
||||||
{
|
{
|
||||||
DB_close();
|
DB_close();
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal error while executing a query on the database "
|
AI_fatal_err ( "Fatal error while executing a query on the database", __FILE__, __LINE__ );
|
||||||
"at %s:%d: '%s'\n", __FILE__, __LINE__, query );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (( rows = DB_num_rows ( res )) < 0 )
|
if (( rows = DB_num_rows ( res )) < 0 )
|
||||||
{
|
{
|
||||||
DB_close();
|
DB_close();
|
||||||
_dpd.fatalMsg ( "AIPreproc: Could not store the query result at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Could not store the query result", __FILE__, __LINE__ );
|
||||||
} else if ( rows == 0 ) {
|
} else if ( rows == 0 ) {
|
||||||
pthread_mutex_unlock ( &mutex );
|
pthread_mutex_unlock ( &mutex );
|
||||||
continue;
|
continue;
|
||||||
|
@ -104,7 +102,7 @@ AI_db_alertparser_thread ( void *arg )
|
||||||
{
|
{
|
||||||
if ( !( alert = ( AI_snort_alert* ) malloc ( sizeof ( AI_snort_alert )) ))
|
if ( !( alert = ( AI_snort_alert* ) malloc ( sizeof ( AI_snort_alert )) ))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Fatal dynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
memset ( alert, 0, sizeof ( AI_snort_alert ));
|
memset ( alert, 0, sizeof ( AI_snort_alert ));
|
||||||
|
@ -119,13 +117,12 @@ AI_db_alertparser_thread ( void *arg )
|
||||||
if ( !( res2 = (DB_result) DB_query ( query )))
|
if ( !( res2 = (DB_result) DB_query ( query )))
|
||||||
{
|
{
|
||||||
DB_close();
|
DB_close();
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal error while executing a query on the database "
|
AI_fatal_err ( "Fatal error while executing a query on the database", __FILE__, __LINE__ );
|
||||||
"at %s:%d: '%s'\n", __FILE__, __LINE__, query );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (( rows = DB_num_rows ( res2 )) < 0 ) {
|
if (( rows = DB_num_rows ( res2 )) < 0 ) {
|
||||||
DB_close();
|
DB_close();
|
||||||
_dpd.fatalMsg ( "AIPreproc: Could not store the query result at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Could not store the query result", __FILE__, __LINE__ );
|
||||||
} else if ( rows > 0 ) {
|
} else if ( rows > 0 ) {
|
||||||
if (( row2 = (DB_row) DB_fetch_row ( res2 )))
|
if (( row2 = (DB_row) DB_fetch_row ( res2 )))
|
||||||
{
|
{
|
||||||
|
@ -147,13 +144,12 @@ AI_db_alertparser_thread ( void *arg )
|
||||||
if ( !( res2 = (DB_result) DB_query ( query )))
|
if ( !( res2 = (DB_result) DB_query ( query )))
|
||||||
{
|
{
|
||||||
DB_close();
|
DB_close();
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal error while executing a query on the database "
|
AI_fatal_err ( "Fatal error while executing a query on the database", __FILE__, __LINE__ );
|
||||||
"at %s:%d: '%s'\n", __FILE__, __LINE__, query );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (( rows = DB_num_rows ( res2 )) < 0 ) {
|
if (( rows = DB_num_rows ( res2 )) < 0 ) {
|
||||||
DB_close();
|
DB_close();
|
||||||
_dpd.fatalMsg ( "AIPreproc: Could not store the query result at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Could not store the query result", __FILE__, __LINE__ );
|
||||||
} else if ( rows > 0 ) {
|
} else if ( rows > 0 ) {
|
||||||
if (( row2 = DB_fetch_row ( res2 )))
|
if (( row2 = DB_fetch_row ( res2 )))
|
||||||
{
|
{
|
||||||
|
@ -177,13 +173,12 @@ AI_db_alertparser_thread ( void *arg )
|
||||||
if ( !( res2 = (DB_result) DB_query ( query )))
|
if ( !( res2 = (DB_result) DB_query ( query )))
|
||||||
{
|
{
|
||||||
DB_close();
|
DB_close();
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal error while executing a query on the database "
|
AI_fatal_err ( "Fatal error while executing a query on the database", __FILE__, __LINE__ );
|
||||||
"at %s:%d: '%s'\n", __FILE__, __LINE__, query );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (( rows = DB_num_rows ( res2 )) < 0 ) {
|
if (( rows = DB_num_rows ( res2 )) < 0 ) {
|
||||||
DB_close();
|
DB_close();
|
||||||
_dpd.fatalMsg ( "AIPreproc: Could not store the query result at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Could not store the query result", __FILE__, __LINE__ );
|
||||||
} else if ( rows > 0 ) {
|
} else if ( rows > 0 ) {
|
||||||
if (( row2 = DB_fetch_row ( res2 )))
|
if (( row2 = DB_fetch_row ( res2 )))
|
||||||
{
|
{
|
||||||
|
@ -227,7 +222,7 @@ AI_db_alertparser_thread ( void *arg )
|
||||||
latest_time = time ( NULL );
|
latest_time = time ( NULL );
|
||||||
|
|
||||||
if ( pthread_create ( &serializer_thread, NULL, AI_serializer_thread, alert ) != 0 )
|
if ( pthread_create ( &serializer_thread, NULL, AI_serializer_thread, alert ) != 0 )
|
||||||
_dpd.fatalMsg ( "Failed to create the alerts' serializer thread\n" );
|
AI_fatal_err ( "Failed to create the alerts' serializer thread", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
DB_close();
|
DB_close();
|
||||||
|
@ -257,7 +252,7 @@ _AI_db_copy_alerts ( AI_snort_alert *node )
|
||||||
|
|
||||||
if ( !( current = ( AI_snort_alert* ) malloc ( sizeof ( AI_snort_alert )) ))
|
if ( !( current = ( AI_snort_alert* ) malloc ( sizeof ( AI_snort_alert )) ))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Fatal dynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
memcpy ( current, node, sizeof ( AI_snort_alert ));
|
memcpy ( current, node, sizeof ( AI_snort_alert ));
|
||||||
|
|
12
outdb.c
12
outdb.c
|
@ -89,7 +89,7 @@ AI_store_alert_to_db_thread ( void *arg )
|
||||||
pthread_mutex_lock ( &mutex );
|
pthread_mutex_lock ( &mutex );
|
||||||
|
|
||||||
if ( !DB_out_init() )
|
if ( !DB_out_init() )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unable to connect to output database '%s'\n", config->outdbname );
|
AI_fatal_err ( "Unable to connect to the specified output database", __FILE__, __LINE__ );
|
||||||
|
|
||||||
inet_ntop ( AF_INET, &(alert->ip_src_addr), srcip, INET_ADDRSTRLEN );
|
inet_ntop ( AF_INET, &(alert->ip_src_addr), srcip, INET_ADDRSTRLEN );
|
||||||
inet_ntop ( AF_INET, &(alert->ip_dst_addr), dstip, INET_ADDRSTRLEN );
|
inet_ntop ( AF_INET, &(alert->ip_dst_addr), dstip, INET_ADDRSTRLEN );
|
||||||
|
@ -210,7 +210,7 @@ AI_store_alert_to_db_thread ( void *arg )
|
||||||
pkt_size_offset = 0;
|
pkt_size_offset = 0;
|
||||||
|
|
||||||
if ( !( pkt_data = (unsigned char*) alloca ( 2 * (pkt->pkt->pcap_header->len + pkt->pkt->payload_size) + 1 )))
|
if ( !( pkt_data = (unsigned char*) alloca ( 2 * (pkt->pkt->pcap_header->len + pkt->pkt->payload_size) + 1 )))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic allocation memory at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
DB_out_escape_string ( &pkt_data,
|
DB_out_escape_string ( &pkt_data,
|
||||||
pkt->pkt->pkt_data,
|
pkt->pkt->pkt_data,
|
||||||
|
@ -273,7 +273,7 @@ AI_store_cluster_to_db_thread ( void *arg )
|
||||||
|
|
||||||
/* Initialize the database (it just does nothing if it is already initialized) */
|
/* Initialize the database (it just does nothing if it is already initialized) */
|
||||||
if ( !DB_out_init() )
|
if ( !DB_out_init() )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unable to connect to output database '%s'\n", config->outdbname );
|
AI_fatal_err ( "Unable to connect to the specified output database", __FILE__, __LINE__ );
|
||||||
|
|
||||||
/* If one of the two alerts has no alert_id, simply return */
|
/* If one of the two alerts has no alert_id, simply return */
|
||||||
if ( !alerts_couple->alert1->alert_id || !alerts_couple->alert2->alert_id )
|
if ( !alerts_couple->alert1->alert_id || !alerts_couple->alert2->alert_id )
|
||||||
|
@ -334,7 +334,7 @@ AI_store_cluster_to_db_thread ( void *arg )
|
||||||
if ( cluster1 != 0 && cluster2 != 0 && cluster1 == cluster2 )
|
if ( cluster1 != 0 && cluster2 != 0 && cluster1 == cluster2 )
|
||||||
{
|
{
|
||||||
if ( !( found = ( AI_couples_cache* ) malloc ( sizeof ( AI_couples_cache ))))
|
if ( !( found = ( AI_couples_cache* ) malloc ( sizeof ( AI_couples_cache ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic allocation memory at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
found->alerts_couple = alerts_couple;
|
found->alerts_couple = alerts_couple;
|
||||||
found->cluster_id = cluster1;
|
found->cluster_id = cluster1;
|
||||||
|
@ -417,7 +417,7 @@ AI_store_cluster_to_db_thread ( void *arg )
|
||||||
|
|
||||||
/* Add the couple to the cache */
|
/* Add the couple to the cache */
|
||||||
if ( !( found = ( AI_couples_cache* ) malloc ( sizeof ( AI_couples_cache ))))
|
if ( !( found = ( AI_couples_cache* ) malloc ( sizeof ( AI_couples_cache ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic allocation memory at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
found->alerts_couple = alerts_couple;
|
found->alerts_couple = alerts_couple;
|
||||||
found->cluster_id = cluster1;
|
found->cluster_id = cluster1;
|
||||||
|
@ -444,7 +444,7 @@ AI_store_correlation_to_db_thread ( void *arg )
|
||||||
|
|
||||||
/* Initialize the database (it just does nothing if it is already initialized) */
|
/* Initialize the database (it just does nothing if it is already initialized) */
|
||||||
if ( !DB_out_init() )
|
if ( !DB_out_init() )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unable to connect to output database '%s'\n", config->outdbname );
|
AI_fatal_err ( "Unable to connect to the specified output database", __FILE__, __LINE__ );
|
||||||
|
|
||||||
memset ( query, 0, sizeof ( query ));
|
memset ( query, 0, sizeof ( query ));
|
||||||
snprintf ( query, sizeof ( query ),
|
snprintf ( query, sizeof ( query ),
|
||||||
|
|
|
@ -62,7 +62,7 @@ __postgresql_do_init ( PGconn **__DB, BOOL is_out )
|
||||||
return (void*) *__DB;
|
return (void*) *__DB;
|
||||||
|
|
||||||
if ( !( conninfo = (char*) alloca ( conninfo_max_length )))
|
if ( !( conninfo = (char*) alloca ( conninfo_max_length )))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
memset ( conninfo, 0, conninfo_max_length );
|
memset ( conninfo, 0, conninfo_max_length );
|
||||||
|
|
||||||
|
@ -104,7 +104,7 @@ __postgresql_do_query ( PGconn *__DB, const char *query )
|
||||||
PSQL_result *res = NULL;
|
PSQL_result *res = NULL;
|
||||||
|
|
||||||
if ( !( res = (PSQL_result*) malloc ( sizeof ( PSQL_result ))))
|
if ( !( res = (PSQL_result*) malloc ( sizeof ( PSQL_result ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
if ( PQresultStatus ( res->res = PQexec( __DB, query )) != PGRES_TUPLES_OK )
|
if ( PQresultStatus ( res->res = PQexec( __DB, query )) != PGRES_TUPLES_OK )
|
||||||
{
|
{
|
||||||
|
@ -117,14 +117,14 @@ __postgresql_do_query ( PGconn *__DB, const char *query )
|
||||||
res->rows = NULL;
|
res->rows = NULL;
|
||||||
|
|
||||||
if ( !( res->rows = ( char*** ) malloc ( ntuples * sizeof ( char** ))))
|
if ( !( res->rows = ( char*** ) malloc ( ntuples * sizeof ( char** ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
for ( i=0; i < ntuples; i++ )
|
for ( i=0; i < ntuples; i++ )
|
||||||
{
|
{
|
||||||
nfields = PQnfields ( res->res );
|
nfields = PQnfields ( res->res );
|
||||||
|
|
||||||
if ( !( res->rows[i] = ( char** ) malloc ( nfields * sizeof ( char* ))))
|
if ( !( res->rows[i] = ( char** ) malloc ( nfields * sizeof ( char* ))))
|
||||||
_dpd.fatalMsg ( "AIPreproc: Fatal dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
|
|
||||||
for ( j=0; j < nfields; j++ )
|
for ( j=0; j < nfields; j++ )
|
||||||
{
|
{
|
||||||
|
|
138
spp_ai.c
138
spp_ai.c
|
@ -19,10 +19,12 @@
|
||||||
|
|
||||||
#include "spp_ai.h"
|
#include "spp_ai.h"
|
||||||
#include "sfPolicyUserData.h"
|
#include "sfPolicyUserData.h"
|
||||||
|
#include "sf_preproc_info.h"
|
||||||
|
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <pthread.h>
|
#include <pthread.h>
|
||||||
|
#include <errno.h>
|
||||||
|
|
||||||
/** \defgroup spp_ai Main file for spp_ai module
|
/** \defgroup spp_ai Main file for spp_ai module
|
||||||
* @{ */
|
* @{ */
|
||||||
|
@ -48,6 +50,21 @@ static void AI_reloadSwapFree(void *);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Function called when the module experiences a fatal error
|
||||||
|
* \param msg Error message
|
||||||
|
* \param file File where the error occurred
|
||||||
|
* \param line Line number where the error occurred
|
||||||
|
*/
|
||||||
|
|
||||||
|
void
|
||||||
|
AI_fatal_err ( const char *msg, const char *file, const int line )
|
||||||
|
{
|
||||||
|
_dpd.fatalMsg ( "%s: %s at %s:%d (%s)\n",
|
||||||
|
PREPROC_NAME, msg, file, line,
|
||||||
|
((errno != 0) ? strerror(errno) : ""));
|
||||||
|
} /* ----- end of function AI_fatal_err ----- */
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief Set up the preprocessor module
|
* \brief Set up the preprocessor module
|
||||||
*/
|
*/
|
||||||
|
@ -84,7 +101,7 @@ static void AI_init(char *args)
|
||||||
{
|
{
|
||||||
ex_config = sfPolicyConfigCreate();
|
ex_config = sfPolicyConfigCreate();
|
||||||
if (ex_config == NULL)
|
if (ex_config == NULL)
|
||||||
_dpd.fatalMsg ("Could not allocate configuration struct.\n");
|
AI_fatal_err ("Could not allocate configuration struct", __FILE__, __LINE__);
|
||||||
}
|
}
|
||||||
|
|
||||||
config = AI_parse(args);
|
config = AI_parse(args);
|
||||||
|
@ -97,7 +114,7 @@ static void AI_init(char *args)
|
||||||
{
|
{
|
||||||
if ( pthread_create ( &cleanup_thread, NULL, AI_hashcleanup_thread, config ) != 0 )
|
if ( pthread_create ( &cleanup_thread, NULL, AI_hashcleanup_thread, config ) != 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Failed to create the hash cleanup thread\n" );
|
AI_fatal_err ( "Failed to create the hash cleanup thread", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -107,7 +124,7 @@ static void AI_init(char *args)
|
||||||
{
|
{
|
||||||
if ( pthread_create ( &correlation_thread, NULL, AI_alert_correlation_thread, config ) != 0 )
|
if ( pthread_create ( &correlation_thread, NULL, AI_alert_correlation_thread, config ) != 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Failed to create the alert correlation thread\n" );
|
AI_fatal_err ( "Failed to create the alert correlation thread", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -115,7 +132,7 @@ static void AI_init(char *args)
|
||||||
{
|
{
|
||||||
if ( pthread_create ( &logparse_thread, NULL, alertparser_thread, config ) != 0 )
|
if ( pthread_create ( &logparse_thread, NULL, alertparser_thread, config ) != 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Failed to create the alert parser thread\n" );
|
AI_fatal_err ( "Failed to create the alert parser thread", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -187,7 +204,7 @@ static AI_config * AI_parse(char *args)
|
||||||
has_alert_history_file = false;
|
has_alert_history_file = false;
|
||||||
|
|
||||||
if ( !( config = ( AI_config* ) malloc ( sizeof( AI_config )) ))
|
if ( !( config = ( AI_config* ) malloc ( sizeof( AI_config )) ))
|
||||||
_dpd.fatalMsg("Could not allocate configuration struct.\n");
|
AI_fatal_err( "Could not allocate configuration struct", __FILE__, __LINE__ );
|
||||||
memset ( config, 0, sizeof ( AI_config ));
|
memset ( config, 0, sizeof ( AI_config ));
|
||||||
|
|
||||||
/* Parsing the hashtable_cleanup_interval option */
|
/* Parsing the hashtable_cleanup_interval option */
|
||||||
|
@ -201,8 +218,8 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*arg) )
|
if ( !(*arg) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: hashtable_cleanup_interval option used but "
|
AI_fatal_err ( "Hashtable_cleanup_interval option used but "
|
||||||
"no value specified\n");
|
"no value specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
cleanup_interval = strtoul(arg, NULL, 10);
|
cleanup_interval = strtoul(arg, NULL, 10);
|
||||||
|
@ -221,8 +238,8 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*arg) )
|
if ( !(*arg) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: tcp_stream_expire_interval option used but "
|
AI_fatal_err( "tcp_stream_expire_interval option used but "
|
||||||
"no value specified\n");
|
"no value specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
stream_expire_interval = strtoul(arg, NULL, 10);
|
stream_expire_interval = strtoul(arg, NULL, 10);
|
||||||
|
@ -239,8 +256,8 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*arg) )
|
if ( !(*arg) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: alert_clustering_interval option used but "
|
AI_fatal_err ( "alert_clustering_interval option used but "
|
||||||
"no value specified\n");
|
"no value specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
alert_clustering_interval = strtoul(arg, NULL, 10);
|
alert_clustering_interval = strtoul(arg, NULL, 10);
|
||||||
|
@ -259,8 +276,8 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*arg) )
|
if ( !(*arg) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: database_parsing_interval option used but "
|
AI_fatal_err ( "database_parsing_interval option used but "
|
||||||
"no value specified\n");
|
"no value specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
database_parsing_interval = strtoul(arg, NULL, 10);
|
database_parsing_interval = strtoul(arg, NULL, 10);
|
||||||
|
@ -279,8 +296,8 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*arg) )
|
if ( !(*arg) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: correlation_graph_interval option used but "
|
AI_fatal_err ( "correlation_graph_interval option used but "
|
||||||
"no value specified\n");
|
"no value specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
correlation_graph_interval = strtoul(arg, NULL, 10);
|
correlation_graph_interval = strtoul(arg, NULL, 10);
|
||||||
|
@ -297,8 +314,8 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*arg) )
|
if ( !(*arg) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: alert_serialization_interval option used but "
|
AI_fatal_err ( "alert_serialization_interval option used but "
|
||||||
"no value specified\n");
|
"no value specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
alert_serialization_interval = strtoul(arg, NULL, 10);
|
alert_serialization_interval = strtoul(arg, NULL, 10);
|
||||||
|
@ -315,8 +332,8 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*arg) )
|
if ( !(*arg) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: alert_bufsize option used but "
|
AI_fatal_err( "alert_bufsize option used but "
|
||||||
"no value specified\n");
|
"no value specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
alert_bufsize = strtoul(arg, NULL, 10);
|
alert_bufsize = strtoul(arg, NULL, 10);
|
||||||
|
@ -335,8 +352,8 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*arg) )
|
if ( !(*arg) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: correlation_threshold_coefficient option used but "
|
AI_fatal_err( "correlation_threshold_coefficient option used but "
|
||||||
"no value specified\n");
|
"no value specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
corr_threshold_coefficient = strtod ( arg, NULL );
|
corr_threshold_coefficient = strtod ( arg, NULL );
|
||||||
|
@ -354,8 +371,8 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*arg) )
|
if ( !(*arg) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: bayesian_correlation_interval option used but "
|
AI_fatal_err ( "bayesian_correlation_interval option used but "
|
||||||
"no value specified\n");
|
"no value specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
bayesian_correlation_interval = strtoul ( arg, NULL, 10 );
|
bayesian_correlation_interval = strtoul ( arg, NULL, 10 );
|
||||||
|
@ -376,8 +393,8 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*arg) )
|
if ( !(*arg) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: bayesian_correlation_cache_validity option used but "
|
AI_fatal_err ( "bayesian_correlation_cache_validity option used but "
|
||||||
"no value specified\n");
|
"no value specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
bayesian_correlation_cache_validity = strtoul ( arg, NULL, 10 );
|
bayesian_correlation_cache_validity = strtoul ( arg, NULL, 10 );
|
||||||
|
@ -399,8 +416,8 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*arg) )
|
if ( !(*arg) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: cluster_max_alert_interval option used but "
|
AI_fatal_err ( "cluster_max_alert_interval option used but "
|
||||||
"no value specified\n");
|
"no value specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
cluster_max_alert_interval = strtoul ( arg, NULL, 10 );
|
cluster_max_alert_interval = strtoul ( arg, NULL, 10 );
|
||||||
|
@ -420,7 +437,7 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*(arg++)) )
|
if ( !(*(arg++)) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: alertfile option used but no filename specified\n");
|
AI_fatal_err ( "alertfile option used but no filename specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( alertfile[ (++alertfile_len)-1 ] = *arg;
|
for ( alertfile[ (++alertfile_len)-1 ] = *arg;
|
||||||
|
@ -431,7 +448,7 @@ static AI_config * AI_parse(char *args)
|
||||||
has_alertfile = false;
|
has_alertfile = false;
|
||||||
} else {
|
} else {
|
||||||
if ( alertfile_len >= 1024 ) {
|
if ( alertfile_len >= 1024 ) {
|
||||||
_dpd.fatalMsg("AIPreproc: alertfile path too long ( >= 1024 )\n");
|
AI_fatal_err ( "alertfile path too long ( >= 1024 )", __FILE__, __LINE__ );
|
||||||
} else if ( strlen( alertfile ) == 0 ) {
|
} else if ( strlen( alertfile ) == 0 ) {
|
||||||
has_alertfile = false;
|
has_alertfile = false;
|
||||||
} else {
|
} else {
|
||||||
|
@ -453,7 +470,7 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*(arg++)) )
|
if ( !(*(arg++)) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: alert_history_file option used but no filename specified\n");
|
AI_fatal_err ( "alert_history_file option used but no filename specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( alert_history_file[ (++alert_history_file_len)-1 ] = *arg;
|
for ( alert_history_file[ (++alert_history_file_len)-1 ] = *arg;
|
||||||
|
@ -464,7 +481,7 @@ static AI_config * AI_parse(char *args)
|
||||||
has_alert_history_file = false;
|
has_alert_history_file = false;
|
||||||
} else {
|
} else {
|
||||||
if ( alert_history_file_len >= 1024 ) {
|
if ( alert_history_file_len >= 1024 ) {
|
||||||
_dpd.fatalMsg("AIPreproc: alert_history_file path too long ( >= 1024 )\n");
|
AI_fatal_err ( "alert_history_file path too long ( >= 1024 )", __FILE__, __LINE__ );
|
||||||
} else if ( strlen( alert_history_file ) == 0 ) {
|
} else if ( strlen( alert_history_file ) == 0 ) {
|
||||||
has_alert_history_file = false;
|
has_alert_history_file = false;
|
||||||
} else {
|
} else {
|
||||||
|
@ -485,7 +502,7 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*(arg++)) )
|
if ( !(*(arg++)) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: clusterfile option used but no filename specified\n");
|
AI_fatal_err ( "clusterfile option used but no filename specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( clusterfile[ (++clusterfile_len)-1 ] = *arg;
|
for ( clusterfile[ (++clusterfile_len)-1 ] = *arg;
|
||||||
|
@ -496,7 +513,7 @@ static AI_config * AI_parse(char *args)
|
||||||
has_clusterfile = false;
|
has_clusterfile = false;
|
||||||
} else {
|
} else {
|
||||||
if ( clusterfile_len >= 1024 ) {
|
if ( clusterfile_len >= 1024 ) {
|
||||||
_dpd.fatalMsg("AIPreproc: clusterfile path too long ( >= 1024 )\n");
|
AI_fatal_err ( "clusterfile path too long ( >= 1024 )", __FILE__, __LINE__ );
|
||||||
} else if ( strlen( clusterfile ) == 0 ) {
|
} else if ( strlen( clusterfile ) == 0 ) {
|
||||||
has_clusterfile = false;
|
has_clusterfile = false;
|
||||||
} else {
|
} else {
|
||||||
|
@ -517,7 +534,7 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*(arg++)) )
|
if ( !(*(arg++)) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: correlation_rules_dir option used but no filename specified\n");
|
AI_fatal_err ( "correlation_rules_dir option used but no filename specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( corr_rules_dir[ (++corr_rules_dir_len)-1 ] = *arg;
|
for ( corr_rules_dir[ (++corr_rules_dir_len)-1 ] = *arg;
|
||||||
|
@ -528,7 +545,7 @@ static AI_config * AI_parse(char *args)
|
||||||
has_corr_rules_dir = false;
|
has_corr_rules_dir = false;
|
||||||
} else {
|
} else {
|
||||||
if ( corr_rules_dir_len >= 1024 ) {
|
if ( corr_rules_dir_len >= 1024 ) {
|
||||||
_dpd.fatalMsg("AIPreproc: corr_rules_dir path too long ( >= 1024 )\n");
|
AI_fatal_err ( "corr_rules_dir path too long ( >= 1024 )", __FILE__, __LINE__ );
|
||||||
} else if ( strlen( corr_rules_dir ) == 0 ) {
|
} else if ( strlen( corr_rules_dir ) == 0 ) {
|
||||||
has_corr_rules_dir = false;
|
has_corr_rules_dir = false;
|
||||||
} else {
|
} else {
|
||||||
|
@ -549,7 +566,7 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !(*(arg++)) )
|
if ( !(*(arg++)) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg("AIPreproc: correlated_alerts_dir option used but no filename specified\n");
|
AI_fatal_err ( "correlated_alerts_dir option used but no filename specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( corr_alerts_dir[ (++corr_alerts_dir_len)-1 ] = *arg;
|
for ( corr_alerts_dir[ (++corr_alerts_dir_len)-1 ] = *arg;
|
||||||
|
@ -560,7 +577,7 @@ static AI_config * AI_parse(char *args)
|
||||||
has_corr_alerts_dir = false;
|
has_corr_alerts_dir = false;
|
||||||
} else {
|
} else {
|
||||||
if ( corr_alerts_dir_len >= 1024 ) {
|
if ( corr_alerts_dir_len >= 1024 ) {
|
||||||
_dpd.fatalMsg("AIPreproc: correlated_alerts_dir path too long ( >= 1024 )\n");
|
AI_fatal_err ( "correlated_alerts_dir path too long ( >= 1024 )", __FILE__, __LINE__ );
|
||||||
} else if ( strlen( corr_alerts_dir ) == 0 ) {
|
} else if ( strlen( corr_alerts_dir ) == 0 ) {
|
||||||
has_corr_alerts_dir = false;
|
has_corr_alerts_dir = false;
|
||||||
} else {
|
} else {
|
||||||
|
@ -590,7 +607,7 @@ static AI_config * AI_parse(char *args)
|
||||||
{
|
{
|
||||||
if ( strcasecmp ( matches[0], "mysql" ) && strcasecmp ( matches[0], "postgresql" ))
|
if ( strcasecmp ( matches[0], "mysql" ) && strcasecmp ( matches[0], "postgresql" ))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Not supported database '%s' (supported types: mysql, postgresql)\n", matches[0] );
|
AI_fatal_err ( "Not supported database type in configuration (supported types: mysql, postgresql)", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( i=0; i < nmatches; i++ )
|
for ( i=0; i < nmatches; i++ )
|
||||||
|
@ -648,7 +665,7 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !strlen ( config->dbhost ) || !strlen ( config->dbname ) || !strlen ( config->dbpass ) || !strlen ( config->dbuser ))
|
if ( !strlen ( config->dbhost ) || !strlen ( config->dbname ) || !strlen ( config->dbpass ) || !strlen ( config->dbuser ))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Database option used in config, but missing configuration option (all 'host', 'type', 'name', 'user', and 'password' option must be used)\n" );
|
AI_fatal_err ( "Database option used in config, but missing configuration option (all 'host', 'type', 'name', 'user', and 'password' option must be used)", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
_dpd.logMsg(" Reading alerts from the database %s\n", config->dbname );
|
_dpd.logMsg(" Reading alerts from the database %s\n", config->dbname );
|
||||||
|
@ -675,18 +692,18 @@ static AI_config * AI_parse(char *args)
|
||||||
if ( !strcasecmp ( matches[0], "mysql" ))
|
if ( !strcasecmp ( matches[0], "mysql" ))
|
||||||
{
|
{
|
||||||
#ifndef HAVE_LIBMYSQLCLIENT
|
#ifndef HAVE_LIBMYSQLCLIENT
|
||||||
_dpd.fatalMsg ( "AIPreproc: mysql output set in 'output_database' option but the module was not compiled through --with-mysql option\n" );
|
AI_fatal_err ( "mysql output set in 'output_database' option but the module was not compiled through --with-mysql option", __FILE__, __LINE__ );
|
||||||
#else
|
#else
|
||||||
config->outdbtype = outdb_mysql;
|
config->outdbtype = outdb_mysql;
|
||||||
#endif
|
#endif
|
||||||
} else if ( !strcasecmp ( matches[0], "postgresql" )) {
|
} else if ( !strcasecmp ( matches[0], "postgresql" )) {
|
||||||
#ifndef HAVE_LIBPQ
|
#ifndef HAVE_LIBPQ
|
||||||
_dpd.fatalMsg ( "AIPreproc: postgresql output set in 'output_database' option but the module was not compiled through --with-postgresql option\n" );
|
AI_fatal_err ( "postgresql output set in 'output_database' option but the module was not compiled through --with-postgresql option", __FILE__, __LINE__ );
|
||||||
#else
|
#else
|
||||||
config->outdbtype = outdb_postgresql;
|
config->outdbtype = outdb_postgresql;
|
||||||
#endif
|
#endif
|
||||||
} else {
|
} else {
|
||||||
_dpd.fatalMsg ( "AIPreproc: Not supported database '%s' (supported types: mysql, postgresql)\n", matches[0] );
|
AI_fatal_err ( "Not supported database in configuration (supported types: mysql, postgresql)", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( i=0; i < nmatches; i++ )
|
for ( i=0; i < nmatches; i++ )
|
||||||
|
@ -744,7 +761,7 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( !strlen ( config->outdbhost ) || !strlen ( config->outdbname ) || !strlen ( config->outdbpass ) || !strlen ( config->outdbuser ))
|
if ( !strlen ( config->outdbhost ) || !strlen ( config->outdbname ) || !strlen ( config->outdbpass ) || !strlen ( config->outdbuser ))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Output database option used in config, but missing configuration option (all 'host', 'type', 'name', 'user', and 'password' options must be used)\n" );
|
AI_fatal_err ( "Output database option used in config, but missing configuration option (all 'host', 'type', 'name', 'user', and 'password' options must be used)", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
AI_outdb_mutex_initialize();
|
AI_outdb_mutex_initialize();
|
||||||
|
@ -784,7 +801,7 @@ static AI_config * AI_parse(char *args)
|
||||||
else if ( !strcasecmp ( matches[0], "dst_addr" ))
|
else if ( !strcasecmp ( matches[0], "dst_addr" ))
|
||||||
type = dst_addr;
|
type = dst_addr;
|
||||||
else
|
else
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unknown class type in configuration: '%s'\n", matches[0] );
|
AI_fatal_err ( "Unknown class type in configuration", __FILE__, __LINE__ );
|
||||||
|
|
||||||
for ( i=0; i < nmatches; i++ )
|
for ( i=0; i < nmatches; i++ )
|
||||||
free ( matches[i] );
|
free ( matches[i] );
|
||||||
|
@ -796,8 +813,7 @@ static AI_config * AI_parse(char *args)
|
||||||
if ( preg_match ( "name\\s*=\\s*\"([^\"]+)\"", match, &matches, &nmatches ) > 0 )
|
if ( preg_match ( "name\\s*=\\s*\"([^\"]+)\"", match, &matches, &nmatches ) > 0 )
|
||||||
{
|
{
|
||||||
if ( strlen( matches[0] ) > sizeof(label) )
|
if ( strlen( matches[0] ) > sizeof(label) )
|
||||||
_dpd.fatalMsg ( "AIPreproc: Label name too long in configuration: '%s' (maximum allowed length: %d)\n",
|
AI_fatal_err ( "Label name too long in configuration", __FILE__, __LINE__ );
|
||||||
matches[0], sizeof(label) );
|
|
||||||
|
|
||||||
strncpy ( label, matches[0], sizeof(label) );
|
strncpy ( label, matches[0], sizeof(label) );
|
||||||
|
|
||||||
|
@ -829,7 +845,7 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( min_val > max_val )
|
if ( min_val > max_val )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Parse error in configuration: '%s', minval > maxval\n", arg );
|
AI_fatal_err ( "Parse error in configuration: minval > maxval", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( i=0; i < nmatches; i++ )
|
for ( i=0; i < nmatches; i++ )
|
||||||
|
@ -847,7 +863,7 @@ static AI_config * AI_parse(char *args)
|
||||||
free ( matches );
|
free ( matches );
|
||||||
matches = NULL;
|
matches = NULL;
|
||||||
} else {
|
} else {
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unallowed format for a port range in configuration file: '%s'\n", arg );
|
AI_fatal_err ( "Unallowed format for a port range in configuration file", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
@ -858,7 +874,7 @@ static AI_config * AI_parse(char *args)
|
||||||
{
|
{
|
||||||
if (( min_val = inet_addr ( matches[0] )) == INADDR_NONE )
|
if (( min_val = inet_addr ( matches[0] )) == INADDR_NONE )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unallowed IPv4 format in configuration: '%s'\n", matches[0] );
|
AI_fatal_err ( "Unallowed IPv4 format in configuration", __FILE__, __LINE__ );
|
||||||
|
|
||||||
for ( i=0; i < nmatches; i++ )
|
for ( i=0; i < nmatches; i++ )
|
||||||
free ( matches[i] );
|
free ( matches[i] );
|
||||||
|
@ -877,7 +893,7 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( netmask > 32 )
|
if ( netmask > 32 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: The netmask number of bits should be in [0,32] in '%s'\n", arg );
|
AI_fatal_err ( "The netmask number of bits should be in [0,32] in configuration file", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
netmask = 1 << (( 8*sizeof ( uint32_t )) - netmask );
|
netmask = 1 << (( 8*sizeof ( uint32_t )) - netmask );
|
||||||
|
@ -886,7 +902,7 @@ static AI_config * AI_parse(char *args)
|
||||||
} else if ( preg_match ( "^([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})$", arg, &matches, &nmatches ) > 0 ) {
|
} else if ( preg_match ( "^([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})$", arg, &matches, &nmatches ) > 0 ) {
|
||||||
if (( min_val = inet_addr ( matches[0] )) == INADDR_NONE )
|
if (( min_val = inet_addr ( matches[0] )) == INADDR_NONE )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Unallowed IPv4 format in configuration: '%s'\n", matches[0] );
|
AI_fatal_err ( "Unallowed IPv4 format in configuration", __FILE__, __LINE__ );
|
||||||
|
|
||||||
for ( i=0; i < nmatches; i++ )
|
for ( i=0; i < nmatches; i++ )
|
||||||
free ( matches[i] );
|
free ( matches[i] );
|
||||||
|
@ -904,7 +920,7 @@ static AI_config * AI_parse(char *args)
|
||||||
min_val = ntohl ( min_val );
|
min_val = ntohl ( min_val );
|
||||||
max_val = min_val;
|
max_val = min_val;
|
||||||
} else {
|
} else {
|
||||||
_dpd.fatalMsg ( "AIPreproc: Invalid value for an IP address or a subnet in configuration: '%s'\n", arg );
|
AI_fatal_err ( "Invalid value for an IP address or a subnet in configuration", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
@ -935,21 +951,21 @@ static AI_config * AI_parse(char *args)
|
||||||
|
|
||||||
if ( min_val == -1 || max_val == -1 || type == none || strlen ( label ) == 0 )
|
if ( min_val == -1 || max_val == -1 || type == none || strlen ( label ) == 0 )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: Invalid cluster in configuration: '%s'\nAll of the following fields are required: class, range, name\n", match );
|
AI_fatal_err ( "Invalid cluster in configuration\nAll of the following fields are required: class, range, name", __FILE__, __LINE__ );
|
||||||
free ( match );
|
free ( match );
|
||||||
match = NULL;
|
match = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( !( hierarchy_nodes = ( hierarchy_node** ) realloc ( hierarchy_nodes, (++n_hierarchy_nodes) * sizeof(hierarchy_node) )) )
|
if ( !( hierarchy_nodes = ( hierarchy_node** ) realloc ( hierarchy_nodes, (++n_hierarchy_nodes) * sizeof(hierarchy_node) )) )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Fatal dynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation failure", __FILE__, __LINE__ );
|
||||||
free ( match );
|
free ( match );
|
||||||
match = NULL;
|
match = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( !( hierarchy_nodes[ n_hierarchy_nodes - 1 ] = ( hierarchy_node* ) malloc ( sizeof(hierarchy_node) ) ))
|
if ( !( hierarchy_nodes[ n_hierarchy_nodes - 1 ] = ( hierarchy_node* ) malloc ( sizeof(hierarchy_node) ) ))
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "Fatal dynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
|
AI_fatal_err ( "Fatal dynamic memory allocation failure", __FILE__, __LINE__ );
|
||||||
free ( match );
|
free ( match );
|
||||||
match = NULL;
|
match = NULL;
|
||||||
}
|
}
|
||||||
|
@ -1000,8 +1016,8 @@ static AI_config * AI_parse(char *args)
|
||||||
#ifdef HAVE_DB
|
#ifdef HAVE_DB
|
||||||
alertparser_thread = AI_db_alertparser_thread;
|
alertparser_thread = AI_db_alertparser_thread;
|
||||||
#else
|
#else
|
||||||
_dpd.fatalMsg ( "AIPreproc: database logging enabled in config file, but the module was not compiled "
|
AI_fatal_err ( "Database logging enabled in config file, but the module was not compiled "
|
||||||
"with database support (recompile, i.e., with ./configure --with-mysql or --with-postgresql)\n" );
|
"with database support (recompile, i.e., with ./configure --with-mysql or --with-postgresql)", __FILE__, __LINE__ );
|
||||||
#endif
|
#endif
|
||||||
} else if ( has_alertfile ) {
|
} else if ( has_alertfile ) {
|
||||||
alertparser_thread = AI_file_alertparser_thread;
|
alertparser_thread = AI_file_alertparser_thread;
|
||||||
|
@ -1017,7 +1033,7 @@ static AI_config * AI_parse(char *args)
|
||||||
{
|
{
|
||||||
if ( ! hierarchy_nodes )
|
if ( ! hierarchy_nodes )
|
||||||
{
|
{
|
||||||
_dpd.fatalMsg ( "AIPreproc: cluster file specified in the configuration but no clusters were specified\n" );
|
AI_fatal_err ( "Cluster file specified in the configuration but no clusters were specified", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ! has_clusterfile )
|
if ( ! has_clusterfile )
|
||||||
|
@ -1036,7 +1052,7 @@ static AI_config * AI_parse(char *args)
|
||||||
if ( ! has_corr_rules_dir )
|
if ( ! has_corr_rules_dir )
|
||||||
{
|
{
|
||||||
#ifndef HAVE_CONFIG_H
|
#ifndef HAVE_CONFIG_H
|
||||||
_dpd.fatalMsg ( "AIPreproc: unable to read PREFIX from config.h\n" );
|
AI_fatal_err ( "Unable to read PREFIX from config.h", __FILE__, __LINE__ );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if ( !strcmp ( PREFIX, "/usr" ) || !strcmp ( PREFIX, "/usr/" ))
|
if ( !strcmp ( PREFIX, "/usr" ) || !strcmp ( PREFIX, "/usr/" ))
|
||||||
|
@ -1071,7 +1087,7 @@ static AI_config * AI_parse(char *args)
|
||||||
#ifdef HAVE_DB
|
#ifdef HAVE_DB
|
||||||
get_alerts = AI_db_get_alerts;
|
get_alerts = AI_db_get_alerts;
|
||||||
#else
|
#else
|
||||||
_dpd.fatalMsg ( "AIPreproc: Using database alert log, but the module was not compiled with database support\n" );
|
AI_fatal_err ( "Using database alert log, but the module was not compiled with database support", __FILE__, __LINE__ );
|
||||||
#endif
|
#endif
|
||||||
} else {
|
} else {
|
||||||
get_alerts = AI_get_alerts;
|
get_alerts = AI_get_alerts;
|
||||||
|
@ -1119,7 +1135,7 @@ static void AI_reload(char *args)
|
||||||
{
|
{
|
||||||
ex_swap_config = sfPolicyConfigCreate();
|
ex_swap_config = sfPolicyConfigCreate();
|
||||||
if (ex_swap_config == NULL)
|
if (ex_swap_config == NULL)
|
||||||
_dpd.fatalMsg("Could not allocate configuration struct.\n");
|
AI_fatal_err ( "Could not allocate configuration struct", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
config = AI_parse(args);
|
config = AI_parse(args);
|
||||||
|
|
1
spp_ai.h
1
spp_ai.h
|
@ -392,6 +392,7 @@ int preg_match ( const char*, char*, char***, int* );
|
||||||
char* str_replace ( char*, char*, char *);
|
char* str_replace ( char*, char*, char *);
|
||||||
char* str_replace_all ( char*, char*, char* );
|
char* str_replace_all ( char*, char*, char* );
|
||||||
|
|
||||||
|
void AI_fatal_err ( const char *msg, const char *file, const int line );
|
||||||
void* AI_hashcleanup_thread ( void* );
|
void* AI_hashcleanup_thread ( void* );
|
||||||
void* AI_file_alertparser_thread ( void* );
|
void* AI_file_alertparser_thread ( void* );
|
||||||
void* AI_alert_correlation_thread ( void* );
|
void* AI_alert_correlation_thread ( void* );
|
||||||
|
|
8
stream.c
8
stream.c
|
@ -167,9 +167,7 @@ AI_pkt_enqueue ( SFSnortPacket* pkt )
|
||||||
return;
|
return;
|
||||||
|
|
||||||
if ( !( info = (struct pkt_info*) malloc( sizeof(struct pkt_info) )) )
|
if ( !( info = (struct pkt_info*) malloc( sizeof(struct pkt_info) )) )
|
||||||
{
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
_dpd.fatalMsg ( "\nDynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
|
|
||||||
}
|
|
||||||
|
|
||||||
memset ( &key, 0, sizeof(struct pkt_key));
|
memset ( &key, 0, sizeof(struct pkt_key));
|
||||||
key.src_ip = pkt->ip4_header->source.s_addr;
|
key.src_ip = pkt->ip4_header->source.s_addr;
|
||||||
|
@ -181,9 +179,7 @@ AI_pkt_enqueue ( SFSnortPacket* pkt )
|
||||||
info->next = NULL;
|
info->next = NULL;
|
||||||
|
|
||||||
if ( !( info->pkt = (SFSnortPacket*) malloc ( sizeof (SFSnortPacket) )) )
|
if ( !( info->pkt = (SFSnortPacket*) malloc ( sizeof (SFSnortPacket) )) )
|
||||||
{
|
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||||
_dpd.fatalMsg ( "\nDynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
|
|
||||||
}
|
|
||||||
|
|
||||||
memcpy ( info->pkt, pkt, sizeof (SFSnortPacket) );
|
memcpy ( info->pkt, pkt, sizeof (SFSnortPacket) );
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue