Changeset 206 for trunk/src

Timestamp:

Jan 8, 2009, 10:08:45 PM (16 years ago)

Author:

katerina

Message:

Fix for ticket #133 (improve port checking and its reporting to prelude).

Location:

trunk/src

Files:

• sh_cat.c (modified) (2 diffs)
• sh_port2proc.c (modified) (9 diffs)
• sh_portcheck.c (modified) (11 diffs)
• sh_prelude.c (modified) (8 diffs)

trunk/src/sh_cat.c

@@ -135 +135 @@
 #ifdef SH_USE_PORTCHECK
   { MSG_PORT_MISS,   SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceMissing] %s\"")},
-  { MSG_PORT_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceNew] %s\" path=\"%s\" userid=\"%s\"")},
-  { MSG_PORT_RESTART,SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceRestarted] %s\" path=\"%s\" userid=\"%s\"")},
-  { MSG_PORT_NEWPORT,SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServicePortSwitch] %s\" path=\"%s\" userid=\"%s\"")},
+  { MSG_PORT_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceNew] %s\" path=\"%s\"  pid=\"%lu\" userid=\"%s\"")},
+  { MSG_PORT_RESTART,SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServiceRestarted] %s\" path=\"%s\" pid=\"%lu\" userid=\"%s\"")},
+  { MSG_PORT_NEWPORT,SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [ServicePortSwitch] %s\" path=\"%s\" pid=\"%lu\" userid=\"%s\"")},
 #endif
 
@@ -464 +464 @@
 #ifdef SH_USE_PORTCHECK
   { MSG_PORT_MISS,   SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceMissing] %s>")},
-  { MSG_PORT_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceNew] %s> path=<%s> userid=<%s>")},
-  { MSG_PORT_RESTART,SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceRestarted] %s> path=<%s> userid=<%s>")},
-  { MSG_PORT_NEWPORT,SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServicePortSwitch] %s> path=<%s> userid=<%s>")},
+  { MSG_PORT_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceNew] %s> path=<%s> pid=<%lu> userid=<%s>")},
+  { MSG_PORT_RESTART,SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServiceRestarted] %s> path=<%s> pid=<%lu> userid=<%s>")},
+  { MSG_PORT_NEWPORT,SH_ERR_SEVERE,  EVENT, N_("msg=<POLICY [ServicePortSwitch] %s> path=<%s> pid=<%lu> userid=<%s>")},
 #endif
 

trunk/src/sh_port2proc.c

@@ -311 +311 @@
 /* returns the command and fills the 'user' array 
  */
-char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport,
+char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport, unsigned long * pid,
                           char * user, size_t userlen)
 {
@@ -320 +320 @@
   else
     fd = fopen("/proc/net/udp", "r");
+
+  *pid = 0;
 
   if (fd)
@@ -345 +347 @@
                         {
                           fclose(fd);
+                          *pid = (unsigned long) new->pid;
                           if (new->path)
                             {
@@ -363 +366 @@
     }
  err_out:
-  sl_strlcpy(user, "0", userlen);
+  sl_strlcpy(user, "-", userlen);
   return sh_util_strdup("-");
 }
@@ -750 +753 @@
 
 char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport,
-                          char * user, size_t userlen)
+                          unsigned long * pid, char * user, size_t userlen)
 {
   int n, hash;
@@ -756 +759 @@
   struct in_addr * haddr;
   struct sock * s;
+
+  *pid = 0;
   
   for (xf = xfiles, n = 0; n < nxfiles; ++n, ++xf) {
@@ -796 +801 @@
         struct sock_store try;
         
+        *pid = xf->xf_pid;
+
         try.pid  = xf->xf_pid;
         try.path = NULL;
@@ -862 +869 @@
 
 char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport,
-                          char * user, size_t userlen)
+                          unsigned long * pid, char * user, size_t userlen)
 {
   (void) proto;
@@ -868 +875 @@
   (void) sport;
 
+  *pid = 0;
+
   sl_strlcpy(user, "-", userlen);
   return sh_util_strdup("-");

trunk/src/sh_portcheck.c

@@ -137 +137 @@
 
 extern char * sh_port2proc_query(int proto, struct in_addr * saddr, int sport,
-                                 char * user, size_t userlen);
+                                 unsigned long * pid, char * user, size_t userlen);
 extern int sh_port2proc_prepare();
 
@@ -515 +515 @@
         {
           char * path;
+          unsigned long qpid;
           char   user[USER_MAX];
 
@@ -523 +524 @@
                   inet_ntoa(haddr), port, SH_PROTO_STR(proto), service);
 #else
-          path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+          path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
           SH_MUTEX_LOCK(mutex_thread_nolog);
           sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-                          MSG_PORT_NEW, errbuf, path, user);
+                          MSG_PORT_NEW, errbuf, path, qpid, user);
           SH_MUTEX_UNLOCK(mutex_thread_nolog);
           SH_FREE(path);
@@ -538 +539 @@
         {
           char * path;
+          unsigned long qpid;
           char   user[USER_MAX];
 
@@ -545 +547 @@
           fprintf(stderr, _("service: %s\n"), errbuf);
 #else
-          path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+          path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
           SH_MUTEX_LOCK(mutex_thread_nolog);
           sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-                          MSG_PORT_RESTART, errbuf, path, user);
+                          MSG_PORT_RESTART, errbuf, path, qpid, user);
           SH_MUTEX_UNLOCK(mutex_thread_nolog);
           SH_FREE(path);
@@ -558 +560 @@
         {
           char * path;
+          unsigned long qpid;
           char   user[USER_MAX];
 
@@ -565 +568 @@
           fprintf(stderr, _("service: %s\n"), errbuf);
 #else
-          path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+          path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
           SH_MUTEX_LOCK(mutex_thread_nolog);
           sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-                          MSG_PORT_NEWPORT, errbuf, path, user);
+                          MSG_PORT_NEWPORT, errbuf, path, qpid, user);
           SH_MUTEX_UNLOCK(mutex_thread_nolog);
           SH_FREE(path);
@@ -585 +588 @@
         {
           char * path;
+          unsigned long qpid;
           char   user[USER_MAX];
 
@@ -593 +597 @@
                   inet_ntoa(haddr), port, SH_PROTO_STR(proto), check_services(port, proto));
 #else
-          path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+          path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
           SH_MUTEX_LOCK(mutex_thread_nolog);
           sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-                          MSG_PORT_NEW, errbuf, path, user);
+                          MSG_PORT_NEW, errbuf, path, qpid, user);
           SH_MUTEX_UNLOCK(mutex_thread_nolog);
           SH_FREE(path);
@@ -608 +612 @@
         {
           char * path;
+          unsigned long qpid;
           char   user[USER_MAX];
 
@@ -615 +620 @@
           fprintf(stderr, _("port   : %s\n"), errbuf);
 #else
-          path = sh_port2proc_query(proto, &haddr, port, user, sizeof(user));
+          path = sh_port2proc_query(proto, &haddr, port, &qpid, user, sizeof(user));
           SH_MUTEX_LOCK(mutex_thread_nolog);
           sh_error_handle(sh_portchk_severity, FIL__, __LINE__, 0, 
-                          MSG_PORT_RESTART, errbuf, path, user);
+                          MSG_PORT_RESTART, errbuf, path, qpid, user);
           SH_MUTEX_UNLOCK(mutex_thread_nolog);
           SH_FREE(path);

trunk/src/sh_prelude.c

@@ -696 +696 @@
         int ret;
         long port;
-        char *ptr, *new, *tmp, *ip, *srv, *end;
+        char *ptr, *new, *tmp, *ip, *srv, *protocol, *end;
         prelude_string_t *str;
         idmef_address_t *address;
@@ -704 +704 @@
         idmef_service_t *service;
         idmef_source_t *source = idmef_alert_get_next_source(alert, NULL);
+        struct passwd *pw;
+#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
+        struct passwd pwd;
+        char buffer[SH_PWBUF_SIZE];
+#endif
 
         new = sh_util_strdup(msg);
@@ -778 +783 @@
         if ( *ptr && *end == '\0' && port >= 0 && port < 65536) {
 
+                char * tmpw;
+
                 if ( ! source ) {
                         ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
                         if ( ret < 0 ) {
-                                free(srv);
                                 SH_FREE( new );
                                 return ret;
@@ -789 +795 @@
                 ret = idmef_source_new_service(source, &service);
                 if ( ret < 0 ) {
-                        free(srv);
                         SH_FREE( new );
                         return ret;
@@ -795 +800 @@
 
                 idmef_service_set_port(service, port);
+
+                ret = idmef_service_new_protocol(service, &str);
+                if ( ret < 0 ) {
+                        SH_FREE( new );
+                        return ret;
+                }
+                
+                ++tmp; 
+                if (*tmp) { 
+                        char * tmpw = tmp;
+                        char tmpw_store;
+                        while (*tmpw && !isblank((int) *tmpw)) ++tmpw;
+                        tmpw_store = *tmpw; *tmpw = '\0';
+                        protocol = strdup(tmp);
+                        *tmpw = tmpw_store;
+                        prelude_string_set_nodup(str, protocol);
+                }
+
         }
 
@@ -850 +873 @@
         SH_FREE( new );
 
-        ptr = get_value(msg, _("user"), NULL);
+        ptr = get_value(msg, _("userid"), NULL);
 
         if ( ptr ) {
 
+                idmef_user_id_t * user_id;
+
                 ret = idmef_source_new_user(source, &user);
                 if ( ret < 0 ) {
@@ -860 +885 @@
                 }
 
-                ret = idmef_user_new_ident(user, &str);
-                if ( ret < 0 ) {
-                        free(ptr);
-                        return ret;
-                }
+                idmef_user_set_category(user, IDMEF_USER_CATEGORY_APPLICATION);
+                
+                ret = idmef_user_new_user_id(user, &user_id, IDMEF_LIST_APPEND);
+                if ( ret < 0 ) {
+                        free(ptr);
+                        return ret;
+                }
+                
+                idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_CURRENT_USER);
+
+#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
+                sh_getpwnam_r(ptr, &pwd, buffer, sizeof(buffer), &pw);
+#else
+                pw = sh_getpwnam(ptr);
+#endif
+                if ( pw )
+                        idmef_user_id_set_number(user_id, pw->pw_uid);
+
+                ret = idmef_user_id_new_name(user_id, &str);
+                if ( ret < 0 ) {
+                        free(ptr);
+                        return ret;
+                }
                 prelude_string_set_nodup(str, ptr);
+
         }
 
         ptr = get_value(msg, _("path"), NULL);
+        tmp = get_value(msg, _("pid"), NULL);
 
         if ( ptr ) {
@@ -889 +934 @@
                 prelude_string_set_nodup(str, ptr);
 
-                ptr = strrchr(ptr, '/');
-                if ( ptr ) {
+                
+                if ( NULL != strrchr(ptr, '/') ) {
                         ret = idmef_process_new_name(process, &str);
                         if ( ret == 0 ) {
+                                ptr = strrchr(ptr, '/');
                                 prelude_string_set_dup(str, ptr + 1);
                         }
-                }
-        }
+                } else {
+                        ret = idmef_process_new_name(process, &str);
+                        if ( ret == 0 ) {
+                                prelude_string_set_dup(str, ptr);
+                        }
+                }
+
+                idmef_process_set_pid(process, strtoul(tmp, NULL, 0));
+        }
+
+        if (tmp)
+          free(tmp);
 
         return 0;