- Timestamp:
- Jul 11, 2012, 9:02:13 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 4 edited
trunk/configure.ac
r402 r403 12 12 dnl start 13 13 dnl 14 AM_INIT_AUTOMAKE(samhain, 3.0. 4)14 AM_INIT_AUTOMAKE(samhain, 3.0.5) 15 15 AC_DEFINE([SAMHAIN], 1, [Application is samhain]) 16 16 AC_CANONICAL_HOST -
trunk/docs/Changelog
r402 r403 1 3.0.5: 2 * fix xml format templates for registry check 3 * fix database download on registry check init (reported by ldieu) 4 1 5 3.0.4: 2 6 * fix verbosity of message for alerts on already deleted watches … … 22 26 * change sql init scripts to make bigint fields unsigned (problem 23 27 reported by A. Sabitov) 24 * patch by Andy Jack for issue with the --with-gpg option (hangs with 28 * patch by Andy Jack for issue with the --with-gpg option (hangs with 25 29 high cpu load at startup) 26 30 * call ./samhain-install.sh as /bin/sh ./samhain-install.sh in the -
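--- a/trunk/src/sh_cat.c
+++ b/trunk/src/sh_cat.c
@@ -169,7 +169,7 @@
 
 #ifdef USE_REGISTRY_CHECK
-{ MSG_REG_MISS, SH_ERR_SEVERE, EVENT, N_("msg=\"POLICY [RegistryKeyMissing] \" path=\"%s\" %s")},
-{ MSG_REG_NEW, SH_ERR_SEVERE, EVENT, N_("msg=\"POLICY [RegistryKeyNew] \" path=\"%s\" %s")},
-{ MSG_REG_CHANGE, SH_ERR_SEVERE, EVENT, N_("msg=\"POLICY [RegistryKeyChanged] \" path=\"%s\" %s")},
+{ MSG_REG_MISS, SH_ERR_SEVERE, EVENT, N_("msg=\"POLICY [RegistryKeyMissing] %s\" path=\"%s\" %s")},
+{ MSG_REG_NEW, SH_ERR_SEVERE, EVENT, N_("msg=\"POLICY [RegistryKeyNew] %s\" path=\"%s\" %s")},
+{ MSG_REG_CHANGE, SH_ERR_SEVERE, EVENT, N_("msg=\"POLICY [RegistryKeyChanged] %s\" path=\"%s\" %s")},
 #endif
 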
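Review bot: Each of the three registry templates gains a third `%s` (placed inside the `msg=\"...\"` attribute), so every sh_error_handle() call that uses MSG_REG_MISS, MSG_REG_NEW or MSG_REG_CHANGE must now pass three string arguments; none of the sh_registry.c hunks in this changeset show those call sites, so a caller still passing two would have the formatter read a garbage pointer for the first `%s`. The value substituted there lands inside an XML-style attribute value, so it must not contain `"`, `<` or `&`; if it is not already routed through sh_util_safe_name() a crafted key name can break the attribute and the log parser behind it. A one-line comment above the table, e.g. `/* args: detail string, key path, extra attributes - callers must pass three strings */`, would make the new arity explicit to future callers.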
trunk/src/sh_registry.c
r335 r403 181 181 if (status != 0) 182 182 { 183 char errbuf[256]; 183 char errbuf[512]; 184 char *p; 184 185 regerror(status, &(newkey->preg), errbuf, sizeof(errbuf)); 186 187 sl_strlcat(errbuf, ": ", sizeof(errbuf)); 188 p = sh_util_safe_name_keepspace(s); 189 sl_strlcat(errbuf, p, sizeof(errbuf)); 190 SH_FREE(p); 191 185 192 SH_MUTEX_LOCK(mutex_thread_nolog); 186 193 sh_error_handle((-1), FIL__, __LINE__, status, MSG_E_SUBGEN, … … 743 750 doUpdate = S_TRUE; 744 751 } 752 745 753 } 746 754 747 if ( sh.flag.checkSum == SH_CHECK_INIT || doUpdate == S_TRUE )755 if ( sh.flag.checkSum == SH_CHECK_INIT || doUpdate == S_TRUE /* change detected */ ) 748 756 { 749 757 struct store2db save; … … 767 775 } 768 776 769 if (tPath) 770 sh_hash_set_visited (tPath); 771 else 772 sh_hash_set_visited (path); 777 /* Without this, freshly updated entries would get deleted 778 * as 'not seen'. 779 */ 780 if (sh.flag.checkSum != SH_CHECK_INIT) 781 { 782 if (tPath) 783 sh_hash_set_visited (tPath); 784 else 785 sh_hash_set_visited (path); 786 } 773 787 774 788 if (tPath) … … 806 820 { 807 821 HKEY hTestKey; 822 LONG qError; 808 823 char * newpath; 809 824 size_t len; … … 836 851 snprintf(newpath, len, "%s\\%s", path, subkey); 837 852 838 if( RegOpenKeyEx( key, 839 subkey, 840 0, 841 (KEY_READ | view), 842 &hTestKey) == ERROR_SUCCESS 843 ) 853 qError = RegOpenKeyEx( key, 854 subkey, 855 0, 856 (KEY_READ | view), 857 &hTestKey); 858 859 860 if (qError == ERROR_SUCCESS) 844 861 { 845 862 QueryKey(hTestKey, newpath, len-1, isSingle); … … 850 867 { 851 868 /* Error message */ 852 char * tmp = sh_util_safe_name (newpath); 853 size_t tlen = sl_strlen(tmp); 854 869 LPVOID lpMsgBuf; 870 871 char * tmp = sh_util_safe_name (newpath); 872 size_t tlen = sl_strlen(tmp); 873 855 874 if (SL_TRUE == sl_ok_adds(64, tlen)) 856 875 { 857 char * errbuf = SH_ALLOC(64 + tlen); 858 sl_snprintf(errbuf, 64+tlen, _("Failed to open key %s"), tmp); 859 860 SH_MUTEX_LOCK(mutex_thread_nolog); 861 sh_error_handle((-1), 
FIL__, __LINE__, 0, MSG_E_SUBGEN, 862 errbuf, _("CheckThisSubkey")); 863 SH_MUTEX_UNLOCK(mutex_thread_nolog); 864 865 SH_FREE(errbuf); 866 } 867 sh_reg_add_ign (tmp); 876 char * errbuf; 877 size_t elen; 878 879 tlen += 64; 880 881 elen = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | 882 FORMAT_MESSAGE_FROM_SYSTEM | 883 FORMAT_MESSAGE_IGNORE_INSERTS, 884 NULL, 885 qError, 886 MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), 887 (LPTSTR) &lpMsgBuf, 888 0, NULL ); 889 890 if (elen > 0 && SL_TRUE == sl_ok_adds(elen, tlen)) 891 { 892 tlen += elen; 893 894 errbuf = SH_ALLOC(elen + tlen); 895 sl_snprintf(errbuf, 64+tlen, _("Failed to open key %s: %s"), 896 tmp, lpMsgBuf); 897 LocalFree(lpMsgBuf); 898 899 SH_MUTEX_LOCK(mutex_thread_nolog); 900 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN, 901 errbuf, _("CheckThisSubkey")); 902 SH_MUTEX_UNLOCK(mutex_thread_nolog); 903 904 SH_FREE(errbuf); 905 } 906 } 907 sh_reg_add_ign (newpath); 868 908 SH_FREE(tmp); 869 909 } … … 880 920 char path[20] = ""; 881 921 int pos = 0; 882 int retval = -1;883 922 884 923 if (0 == strncmp(key, _("HKEY_CLASSES_ROOT"), 17))
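Review bot: In the RegOpenKeyEx() failure path the event is now raised only when FormatMessage() returned a non-empty message and the second sl_ok_adds() passed; when `elen` is 0 the key is still added to the ignore list by `sh_reg_add_ign (newpath)` but nothing is logged, so the integrity checker silently stops watching a key it could not open (the replaced code always logged the failure). The size arithmetic is also inconsistent: after `tlen += elen` the buffer is `SH_ALLOC(elen + tlen)` while sl_snprintf() is bounded by `64+tlen`, which exceeds the allocation whenever `elen < 64`, so the call is only safe because the format literal happens to be short. `lpMsgBuf` is leaked when FormatMessage() succeeds but `sl_ok_adds(elen, tlen)` fails, since LocalFree() is reached only inside the inner block. I would compute one length and use it for both the allocation and the bound, and fall back to the message-less text when no system string is available, as below; if UNICODE is defined LPTSTR is a wide string and `%s` would need `%ls` — I cannot tell from this hunk which API variant the build selects. CheckThisSubkey() begins before this hunk, and the final hunk removing `int retval = -1;` is cut off at the end of the section.
```c
char * tmp = sh_util_safe_name (newpath);
size_t tlen = sl_strlen(tmp);

if (SL_TRUE == sl_ok_adds(64, tlen))
  {
    LPVOID lpMsgBuf = NULL;
    size_t elen;
    size_t blen = tlen + 64;        /* one size for both alloc and bound */
    char * errbuf;

    elen = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
                         FORMAT_MESSAGE_FROM_SYSTEM |
                         FORMAT_MESSAGE_IGNORE_INSERTS,
                         NULL,
                         qError,
                         MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                         (LPTSTR) &lpMsgBuf,
                         0, NULL );

    /* Append the system text only if it fits; never drop the event. */
    if (elen > 0 && SL_TRUE == sl_ok_adds(elen, blen))
      {
        blen += elen;
      }
    else if (lpMsgBuf != NULL)
      {
        LocalFree(lpMsgBuf);
        lpMsgBuf = NULL;
      }

    errbuf = SH_ALLOC(blen);
    if (lpMsgBuf != NULL)
      {
        sl_snprintf(errbuf, blen, _("Failed to open key %s: %s"),
                    tmp, (char *) lpMsgBuf);
        LocalFree(lpMsgBuf);
      }
    else
      {
        sl_snprintf(errbuf, blen, _("Failed to open key %s"), tmp);
      }

    /* … unchanged: mutex lock, sh_error_handle(), unlock, SH_FREE(errbuf) … */
  }
sh_reg_add_ign (newpath);
SH_FREE(tmp);
```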