~wibblymat/ubuntu/oneiric/sagan/ftbfs-jam

sagan_log(1, "[%s, line %d] Could not change to '%.32s' uid=%lu gid=%lu.", __FILE__, __LINE__, (unsigned long)pw->pw_uid, (unsigned long)pw->pw_gid, pw->pw_dir);

}

100

}

101

else {

102

sagan_log(1, "[%s, line %d] User \"%.32s\" cannot be found.", __FILE__, __LINE__, username);

103

}

104

105

sagan_log(0, "Dropping privileges [UID: %lu GID: %lu]", (unsigned long)pw->pw_uid, (unsigned long)pw->pw_gid);

106

}

107

108

/***************************************************************/

109

/* Convert syslog data to hex for input into the payload table */

110

/***************************************************************/

111

112

char *fasthex(char *xdata, int length)

113

{

114

char conv[] = "0123456789ABCDEF";

115

char *retbuf = NULL;

116

char *index;

117

char *end;

118

char *ridx;

119

120

index = xdata;

121

end = xdata + length;

122

retbuf = (char *) calloc((length*2)+1, sizeof(char));

123

ridx = retbuf;

124

125

while(index < end)

126

{

127

*ridx++ = conv[((*index & 0xFF)>>4)];

128

*ridx++ = conv[((*index & 0xFF)&0x0F)];

129

index++;

130

}

131

132

return(retbuf);

133

}

134

135

/* Removes quotes from msg, pcre, etc */

136

137

char *remquotes(char *s) {

138

char *s1, *s2;

139

for(s1 = s2 = s;*s1;*s1++ = *s2++ )

140

while( *s2 == '"' )s2++;

141

return s;

142

}

143

144

char *remrt(char *s) {

145

char *s1, *s2;

146

for(s1 = s2 = s;*s1;*s1++ = *s2++ )

147

while( *s2 == '\n' )s2++;

148

return s;

149

}

150

151

152

153

/* Removes spaces from certain rule fields, etc */

154

155

char *remspaces(char *s) {

156

char *s1, *s2;

157

for(s1 = s2 = s;*s1;*s1++ = *s2++ )

158

while( *s2 == ' ')s2++;

159

return s;

160

}

161

162

char *toupperc(char* const s) {

163

char* cur = s;

164

while (*cur) {

165

*cur = toupper(*cur);

166

++cur;

167

}

168

return s;

169

}

170

171

172

void sagan_log (int type, const char *format,... ) {

173

174

char buf[1024];

175

va_list ap;

176

va_start(ap, format);

177

char *chr="*";

178

char curtime[64];

179

char tmplog[64];

180

time_t t;

181

struct tm *now;

182

t = time(NULL);

183

now=localtime(&t);

184

strftime(curtime, sizeof(curtime), "%m/%d/%Y %H:%M:%S", now);

185

186

if ( type == 1 ) chr="E";

187

188

vsnprintf(buf, sizeof(buf), format, ap);

189

fprintf(config->sagan_log_stream, "[%s] [%s] - %s\n", chr, curtime, buf);

190

fflush(config->sagan_log_stream);

191

192

if ( programmode == 0 && daemonize == 0) printf("[%s] %s\n", chr, buf);

193

if ( type == 1 ) exit(1);

194

}

195

196

int checkendian() {

197

int i = 1;

198

char *p = (char *) &i;

199

if (p[0] == 1) // Lowest address contains the least significant byte

200

return 0; // Little endian

201

else

202

return 1; // Big endian

203

}

204

205

206

/* Converts IP address. For IPv4, we convert the quad IP string to a 32 bit

207

* value. We return the unsigned long value as a pointer to a string because

208

* that's the way IPv6 is done. Basically, we'll probably want IPv6 when

209

* snort supports DB IPv6.

210

211

212

int ip2bit (char *ipaddr, int endian) {

213

214

struct sockaddr_in ipv4;

215

uint32_t ip;

216

217

/* Change to AF_UNSPEC for future ipv6 */

218

/* Champ Clark III - 01/18/2011 */

219

220

if (!inet_pton(AF_INET, ipaddr, &ipv4.sin_addr)) {

221

sagan_log(0, "Warning: inet_pton() error, but continuing...");

222

}

223

224

if ( endian == 0 ) {

225

ip = htonl(ipv4.sin_addr.s_addr);

226

} else {

227

ip = ipv4.sin_addr.s_addr;

228

}

229

230

return(ip);

231

}

232

233

int isnumeric (char *str) {

234

235

if(strlen(str) == strspn(str, "0123456789")) {

236

return(1);

237

} else {

238

return(0);

239

}

240

}

241

242

/* Escape SQL. This was taken from Prelude. */

243

244

#if defined(HAVE_LIBMYSQLCLIENT_R) || defined(HAVE_LIBPQ)

245

char *sql_escape(const char *string, int from )

246

{

247

size_t len;

248

char *escaped=NULL;

249

char *escapedre=NULL;

250

char tmpescaped[MAX_SYSLOGMSG];

251

252

253

if ( ! string )

254

return strdup("NULL");

255

256

* MySQL documentation say :

257

* The string pointed to by from must be length bytes long. You must

258

* allocate the to buffer to be at least length*2+1 bytes long. (In the

259

* worse case, each character may need to be encoded as using two bytes,

260

* and you need room for the terminating null byte.)

261

262

len = strlen(string);

263

264

escaped = malloc(len * 2 + 3);

265

266

if (! escaped) {

267

sagan_log(1, "[%s, line %d] Memory exhausted.", __FILE__, __LINE__ );

268

return NULL;

269

}

270

271

escaped[0] = '\'';

272

273

/* Snort */

274

if ( from == 0 ) {

275

#ifdef HAVE_LIBMYSQLCLIENT_R

276

#if MYSQL_VERSION_ID >= 32200

277

len = mysql_real_escape_string(mysql, escaped + 1, string, len);

278

#else

279

len = mysql_escape_string(escaped + 1, string, len);

280

#endif

281

#endif

282

283

escaped[len + 1] = '\'';

284

escaped[len + 2] = '\0';

285

}

286

287

/* Logzilla */

288

289

if ( from == 1 ) {

290

#ifdef HAVE_LIBMYSQLCLIENT_R

291

#if MYSQL_VERSION_ID >= 32200

292

len = mysql_real_escape_string(mysql_logzilla, escaped + 1, string, len);

293

#else

294

len = mysql_escape_string(escaped + 1, string, len);

295

#endif

296

#endif

297

escaped[len + 1] = '\'';

298

escaped[len + 2] = '\0';

299

}

300

301

/* Temp. copy value, and free(escaped) to prevent mem. leak */

302

303

snprintf(tmpescaped, sizeof(tmpescaped), "%s", escaped);

304

escapedre=tmpescaped;

305

free(escaped);

306

307

return(escapedre);

308

}

309

#endif

310

311

/* Grab's information between "quotes" and returns it. Use for things like

312

* parsing msg: and pcre */

313

314

char *betweenquotes(char *instring)

315

{

316

sbool flag=0;

317

int i;

318

char tmp1[2];

319

char tmp2[512]="";

320

char *ret;

321

322

for ( i=0; i<strlen(instring); i++) {

323

324

if ( flag == 1 && instring[i] == '\"' ) flag = 0;

325

if ( flag == 1 ) {

326

snprintf(tmp1, sizeof(tmp1), "%c", instring[i]);

327

strlcat(tmp2, tmp1, sizeof(tmp2));

328

}

329

330

if ( instring[i] == '\"' ) flag++;

331

332

}

333

334

ret=tmp2;

335

return(ret);

336

}

337

338

/* CalcPct (Taken from Snort) */

339

340

double CalcPct(uint64_t cnt, uint64_t total)

341

{

342

double pct = 0.0;

343

344

if (total == 0.0)

345

{

346

pct = (double)cnt;

347

}

348

else

349

{

350

pct = (double)cnt / (double)total;

351

}

352

353

pct *= 100.0;

354

355

return pct;

356

}

357

358

/* DNS lookup of hostnames. Wired for IPv4 and IPv6. Code largely

359

* based on Beej's showip.c */

360

361

char *dns_lookup(char *host)

362

{

363

struct addrinfo hints, *res; //,// *p;

364

int status;

365

char ipstr[INET6_ADDRSTRLEN];

366

char *ret;

367

void *addr;

368

369

if ( config->disable_dns_warnings == 0 ) {

370

sagan_log(0, "--------------------------------------------------------------------------");

371

sagan_log(0, "Sagan DNS lookup need for %s.", host);

372

sagan_log(0, "This can affect performance. Please see:" );

373

sagan_log(0, "https://wiki.softwink.com/bin/view/Main/SaganDNS");

374

sagan_log(0, "--------------------------------------------------------------------------");

375

}

376

377

memset(&hints, 0, sizeof hints);

378

hints.ai_family = AF_UNSPEC; // AF_INET or AF_INET6 to force version

379

hints.ai_socktype = SOCK_STREAM;

380

381

if ((status = getaddrinfo(host, NULL, &hints, &res)) != 0) {

382

sagan_log(0, "getaddrinfo: %s", gai_strerror(status));

383

return NULL;

384

}

385

386

if (res->ai_family == AF_INET) { // IPv4

387

struct sockaddr_in *ipv4 = (struct sockaddr_in *)res->ai_addr;

388

addr = &(ipv4->sin_addr);

389

} else { // IPv6

390

struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)res->ai_addr;

391

addr = &(ipv6->sin6_addr);

392

}

393

394

inet_ntop(res->ai_family, addr, ipstr, sizeof ipstr);

395

ret=ipstr;

396

return ret;

397

}

Older »