/* * ===================================================================================== * * Filename: manual.c * * Description: Managing the thread for manual correlations * * Version: 0.1 * Created: 20/01/2011 19:00:34 * Revision: none * Compiler: gcc * * Author: BlackLight (http://0x00.ath.cx), * Licence: GNU GPL v.3 * Company: DO WHAT YOU WANT CAUSE A PIRATE IS FREE, YOU ARE A PIRATE! * * ===================================================================================== */ #include "spp_ai.h" #include #include #include /** \defgroup correlation Module for the correlation of hyperalerts * @{ */ #ifndef LIBXML_READER_ENABLED #error "libxml2 reader not enabled\n" #endif /** Enumeration for the types of manual correlations XML tags */ enum { inCorrelation, inCorrelations, inFromTag, inToTag, MAN_TAG_NUM }; AI_alert_type_pair *manual_correlations = NULL; AI_alert_type_pair *manual_uncorrelations = NULL; /** * \brief Parse the manual specified correlations from XML file(s) and fills the hash table */ void* AI_manual_correlations_parsing_thread ( void *arg ) { unsigned int i = 0; char manual_correlations_xml[1060] = { 0 }, manual_uncorrelations_xml[1060] = { 0 }; struct stat st; xmlTextReaderPtr xml; const xmlChar *tagname; AI_alert_type_pair_key key; AI_alert_type_pair *pair = NULL, *found = NULL; bool xml_flags[MAN_TAG_NUM] = { false }; while ( 1 ) { /* Cleanup tables */ while ( manual_correlations ) { pair = manual_correlations; HASH_DEL ( manual_correlations, pair ); free ( pair ); } while ( manual_uncorrelations ) { pair = manual_uncorrelations; HASH_DEL ( manual_uncorrelations, pair ); free ( pair ); } pair = NULL; memset ( &key, 0, sizeof ( key )); snprintf ( manual_correlations_xml, sizeof ( manual_correlations_xml ), "%s/manual_correlations.xml", config->webserv_dir ); snprintf ( manual_uncorrelations_xml, sizeof ( manual_uncorrelations_xml ), "%s/manual_uncorrelations.xml", config->webserv_dir ); if ( stat ( manual_correlations_xml, &st ) < 0 ) { pthread_exit ((void*) 0); return (void*) 0; } if ( stat ( manual_uncorrelations_xml, &st ) < 0 ) { pthread_exit ((void*) 0); return (void*) 0; } LIBXML_TEST_VERSION /* Check manual correlations */ if ( !( xml = xmlReaderForFile ( manual_correlations_xml, NULL, 0 ))) { pthread_exit ((void*) 0); return (void*) 0; } while ( xmlTextReaderRead ( xml )) { if ( !( tagname = xmlTextReaderConstName ( xml ))) continue; if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_ELEMENT ) { if ( !strcasecmp ((const char*) tagname, "correlations" )) { if ( xml_flags[inCorrelations] ) { AI_fatal_err ( "Tag 'correlations' opened twice in manual correlations XML file", __FILE__, __LINE__ ); } else { xml_flags[inCorrelations] = true; } } else if ( !strcasecmp ((const char*) tagname, "correlation" )) { if ( xml_flags[inCorrelation] ) { AI_fatal_err ( "Tag 'correlation' opened twice in manual correlations XML file", __FILE__, __LINE__ ); } else { xml_flags[inCorrelation] = true; } } else if ( !strcasecmp ((const char*) tagname, "from" )) { xml_flags[inFromTag] = true; key.from_gid = (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "gid" )) ? strtol (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "gid" ), NULL, 10 ) : 0; key.from_sid = (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "sid" )) ? strtol (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "sid" ), NULL, 10 ) : 0; key.from_rev = (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "rev" )) ? strtol (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "rev" ), NULL, 10 ) : 0; /* If this is a new pair, allocate the memory */ if ( pair == NULL ) { if ( !( pair = ( AI_alert_type_pair* ) malloc ( sizeof ( AI_alert_type_pair )))) { AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ ); } pair->corr_type = manuallyCorrelated; } else { /* Otherwise, add the pair to the hash, if it's not already there */ pair->key = key; HASH_FIND ( hh, manual_correlations, &key, sizeof ( key ), found ); if ( !found ) { HASH_ADD ( hh, manual_correlations, key, sizeof ( key ), pair ); } pair = NULL; memset ( &key, 0, sizeof ( key )); } } else if ( !strcasecmp ((const char*) tagname, "to" )) { xml_flags[inToTag] = true; key.to_gid = (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "gid" )) ? strtol (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "gid" ), NULL, 10 ) : 0; key.to_sid = (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "sid" )) ? strtol (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "sid" ), NULL, 10 ) : 0; key.to_rev = (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "rev" )) ? strtol (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "rev" ), NULL, 10 ) : 0; /* If this is a new pair, allocate the memory */ if ( pair == NULL ) { if ( !( pair = ( AI_alert_type_pair* ) malloc ( sizeof ( AI_alert_type_pair )))) { AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ ); } pair->corr_type = manuallyCorrelated; } else { /* Otherwise, add the pair to the hash, if it's not already there */ pair->key = key; HASH_FIND ( hh, manual_correlations, &key, sizeof ( key ), found ); if ( !found ) { HASH_ADD ( hh, manual_correlations, key, sizeof ( key ), pair ); } pair = NULL; memset ( &key, 0, sizeof ( key )); } } else { AI_fatal_err ( "Unrecognized tag in manual correlations XML file", __FILE__, __LINE__ ); } } else if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_END_ELEMENT ) { if ( !strcasecmp ((const char*) tagname, "correlations" )) { if ( !xml_flags[inCorrelations] ) { AI_fatal_err ( "Tag 'correlations' closed but never opened in manual correlations XML file", __FILE__, __LINE__ ); } else { xml_flags[inCorrelations] = false; } } else if ( !strcasecmp ((const char*) tagname, "correlation" )) { if ( !xml_flags[inCorrelation] ) { AI_fatal_err ( "Tag 'correlation' closed but never opened in manual correlations XML file", __FILE__, __LINE__ ); } else { xml_flags[inCorrelation] = false; } } else if ( !strcasecmp ((const char*) tagname, "from" )) { if ( !xml_flags[inFromTag] ) { AI_fatal_err ( "Tag 'from' closed but never opened in manual correlations XML file", __FILE__, __LINE__ ); } else { xml_flags[inFromTag] = false; } } else if ( !strcasecmp ((const char*) tagname, "to" )) { if ( !xml_flags[inToTag] ) { AI_fatal_err ( "Tag 'to' closed but never opened in manual correlations XML file", __FILE__, __LINE__ ); } else { xml_flags[inToTag] = false; } } else { AI_fatal_err ( "Unrecognized tag in manual correlations XML file", __FILE__, __LINE__ ); } } } xmlFreeTextReader ( xml ); xmlCleanupParser(); for ( i=0; i < MAN_TAG_NUM; i++ ) { xml_flags[i] = false; } /* Check manual un-correlations */ if ( !( xml = xmlReaderForFile ( manual_uncorrelations_xml, NULL, 0 ))) { pthread_exit ((void*) 0); return (void*) 0; } while ( xmlTextReaderRead ( xml )) { if ( !( tagname = xmlTextReaderConstName ( xml ))) continue; if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_ELEMENT ) { if ( !strcasecmp ((const char*) tagname, "correlations" )) { if ( xml_flags[inCorrelations] ) { AI_fatal_err ( "Tag 'correlations' opened twice in manual correlations XML file", __FILE__, __LINE__ ); } else { xml_flags[inCorrelations] = true; } } else if ( !strcasecmp ((const char*) tagname, "correlation" )) { if ( xml_flags[inCorrelation] ) { AI_fatal_err ( "Tag 'correlation' opened twice in manual correlations XML file", __FILE__, __LINE__ ); } else { xml_flags[inCorrelation] = true; } } else if ( !strcasecmp ((const char*) tagname, "from" )) { xml_flags[inFromTag] = true; key.from_gid = (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "gid" )) ? strtol (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "gid" ), NULL, 10 ) : 0; key.from_sid = (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "sid" )) ? strtol (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "sid" ), NULL, 10 ) : 0; key.from_rev = (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "rev" )) ? strtol (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "rev" ), NULL, 10 ) : 0; /* If this is a new pair, allocate the memory */ if ( pair == NULL ) { if ( !( pair = ( AI_alert_type_pair* ) malloc ( sizeof ( AI_alert_type_pair )))) { AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ ); } pair->corr_type = manuallyNotCorrelated; } else { /* Otherwise, add the pair to the hash, if it's not already there */ pair->key = key; HASH_FIND ( hh, manual_uncorrelations, &key, sizeof ( key ), found ); if ( !found ) { HASH_ADD ( hh, manual_uncorrelations, key, sizeof ( key ), pair ); } pair = NULL; memset ( &key, 0, sizeof ( key )); } } else if ( !strcasecmp ((const char*) tagname, "to" )) { xml_flags[inToTag] = true; key.to_gid = (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "gid" )) ? strtol (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "gid" ), NULL, 10 ) : 0; key.to_sid = (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "sid" )) ? strtol (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "sid" ), NULL, 10 ) : 0; key.to_rev = (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "rev" )) ? strtol (( const char* ) xmlTextReaderGetAttribute ( xml, (const xmlChar*) "rev" ), NULL, 10 ) : 0; /* If this is a new pair, allocate the memory */ if ( pair == NULL ) { if ( !( pair = ( AI_alert_type_pair* ) malloc ( sizeof ( AI_alert_type_pair )))) { AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ ); } pair->corr_type = manuallyNotCorrelated; } else { /* Otherwise, add the pair to the hash, if it's not already there */ pair->key = key; HASH_FIND ( hh, manual_uncorrelations, &key, sizeof ( key ), found ); if ( !found ) { HASH_ADD ( hh, manual_uncorrelations, key, sizeof ( key ), pair ); } pair = NULL; memset ( &key, 0, sizeof ( key )); } } else { AI_fatal_err ( "Unrecognized tag in manual correlations XML file", __FILE__, __LINE__ ); } } else if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_END_ELEMENT ) { if ( !strcasecmp ((const char*) tagname, "correlations" )) { if ( !xml_flags[inCorrelations] ) { AI_fatal_err ( "Tag 'correlations' closed but never opened in manual correlations XML file", __FILE__, __LINE__ ); } else { xml_flags[inCorrelations] = false; } } else if ( !strcasecmp ((const char*) tagname, "correlation" )) { if ( !xml_flags[inCorrelation] ) { AI_fatal_err ( "Tag 'correlation' closed but never opened in manual correlations XML file", __FILE__, __LINE__ ); } else { xml_flags[inCorrelation] = false; } } else if ( !strcasecmp ((const char*) tagname, "from" )) { if ( !xml_flags[inFromTag] ) { AI_fatal_err ( "Tag 'from' closed but never opened in manual correlations XML file", __FILE__, __LINE__ ); } else { xml_flags[inFromTag] = false; } } else if ( !strcasecmp ((const char*) tagname, "to" )) { if ( !xml_flags[inToTag] ) { AI_fatal_err ( "Tag 'to' closed but never opened in manual correlations XML file", __FILE__, __LINE__ ); } else { xml_flags[inToTag] = false; } } else { AI_fatal_err ( "Unrecognized tag in manual correlations XML file", __FILE__, __LINE__ ); } } } xmlFreeTextReader ( xml ); xmlCleanupParser(); sleep ( config->manualCorrelationsParsingInterval ); } pthread_exit ((void*) 0); return (void*) 0; } /* ----- end of function __AI_manual_correlations_parsing_thread ----- */