From f2d21902372226f57e8d4fc8875b08535a8b6752 Mon Sep 17 00:00:00 2001
From: cgzones
Date: Wed, 29 Jan 2014 15:37:12 +0000
Subject: [PATCH] merging in @cgzones geoip clean
---
 src/Makefile | 3 +-
 src/analysisd/Makefile | 6 ++--
 src/analysisd/alerts/log.c | 69 +++++++++++++++++++++-----------------
 3 files changed, 43 insertions(+), 35 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index 46a194c2a..d80e10e2b 100755
--- a/src/Makefile
+++ b/src/Makefile
@@ -72,7 +72,8 @@ setprelude:
 @echo "CPRELUDE=-DPRELUDE -lprelude `libprelude-config --pthread-cflags` `libprelude-config --libs`" >> ./Config.OS
 setgeoip:
- @echo "CGEOIP=-DGEOIP -I/usr/local/include -L/usr/local/lib -lGeoIP" >> ./Config.OS
+ @echo "CGEOIP=-DGEOIP" >> ./Config.OS
+ @echo "CGEOIPLIB=-I/usr/local/include -L/usr/local/lib -lGeoIP" >> ./Config.OS
 setdb:
 @cd ./os_dbd; echo "CDB=`./dbmake.sh`" >> ../Config.OS;
diff --git a/src/analysisd/Makefile b/src/analysisd/Makefile
index 99b5fa696..09d63a369 100755
--- a/src/analysisd/Makefile
+++ b/src/analysisd/Makefile
@@ -23,17 +23,17 @@ logaudit:
 cd ./alerts; make
 cd ./decoders; make
 cd ./compiled_rules; make;
- $(CC) $(CFLAGS) ${OS_LINK} -I./ ${loga_OBJS} -o ${NAME}
+ $(CC) $(CFLAGS) ${OS_LINK} -I./ ${loga_OBJS} ${CGEOIPLIB} -o ${NAME}
 logtest:
 cd ./cdb; make
 cd ./decoders; make logtest
 cd ./compiled_rules; make;
- $(CC) $(CFLAGS) ${OS_LINK} -DTESTRULE -I./ testrule.c ${loga_OBJS} -o ossec-logtest
+ $(CC) $(CFLAGS) ${OS_LINK} -DTESTRULE -I./ testrule.c ${loga_OBJS} ${CGEOIPLIB} -o ossec-logtest
 makelists:
 cd ./cdb; make
- $(CC) $(CFLAGS) ${OS_LINK} -DTESTRULE -I./ makelists.c ${lists_OBJS} -o ossec-makelists
+ $(CC) $(CFLAGS) ${OS_LINK} -DTESTRULE -I./ makelists.c ${lists_OBJS} ${CGEOIPLIB} -o ossec-makelists
 clean:
 cd ./cdb; make clean
diff --git a/src/analysisd/alerts/log.c b/src/analysisd/alerts/log.c
index f5cb74a0f..b7b25bad5 100755
--- a/src/analysisd/alerts/log.c
+++ b/src/analysisd/alerts/log.c
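Review bot: The `-I/usr/local/include` flag has moved out of `CGEOIP` into `CGEOIPLIB`, and `CGEOIPLIB` is appended only to the three link lines in src/analysisd/Makefile, so the compile step for alerts/log.c — which presumably sees only `CGEOIP` (now just `-DGEOIP`) through CFLAGS, not shown here — may no longer find GeoIP.h when libGeoIP is installed under /usr/local. If that is how CFLAGS is assembled, keep the include path on the compile side and only the library flags on the link side: `@echo "CGEOIP=-DGEOIP -I/usr/local/include" >> ./Config.OS` and `@echo "CGEOIPLIB=-L/usr/local/lib -lGeoIP" >> ./Config.OS`. The same split applies to the logtest and makelists link lines in the second hunk, which otherwise look fine.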
@@ -32,33 +32,31 @@
 #define NETMASK_16 4294901760 /* 255.255.0.0 */
 static const char * _mk_NA( const char * p ){
- return p ? p : "N/A";
+ return (p ? p : "N/A");
 }
 /* StrIP2Long */
 /* Convert an dot-quad IP address into long format */
-unsigned long StrIP2Int(char *ip) {
- unsigned int c1,c2,c3,c4;
- /* IP address is not coming from user input -> We can trust it */
- /* only minimal checking is performed */
- int len = strlen(ip);
- if ((len < 7) || (len > 15)) return 0;
-
- sscanf(ip, "%d.%d.%d.%d", &c1, &c2, &c3, &c4);
- return((unsigned long)c4+c3*256+c2*256*256+c1*256*256*256);
+static unsigned long StrIP2Int(const char *ip) {
+ unsigned int c1,c2,c3,c4;
+ /* IP address is not coming from user input -> We can trust it */
+ /* only minimal checking is performed */
+ size_t len = strlen(ip);
+ if ((len < 7) || (len > 15)) return (0);
+
+ sscanf(ip, "%u.%u.%u.%u", &c1, &c2, &c3, &c4);
+ return((unsigned long)c4+c3*256+c2*256*256+c1*256*256*256);
 }
-/* GeoIPLookup */
+/* GeoIP_Lookup */
 /* Use the GeoIP API to locate an IP address */
-char *GeoIPLookup(char *ip)
+static void GeoIP_Lookup(const char *ip, char *buffer, const size_t length)
 {
 GeoIP *gi;
 GeoIPRecord *gir;
- char buffer[OS_SIZE_1024 +1];
- unsigned long longip;
 /* Dumb way to detect an IPv6 address */
 if (strchr(ip, ':')) {
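Review bot: The return value of `sscanf` in the new StrIP2Int is still unchecked, so an input such as `1.2.3` (which passes the 7..15 length test) leaves some of c1..c4 uninitialized when the return expression reads them, and an octet above 255 such as `999.1.1.1` produces a value unrelated to the address that then feeds the RFC1918 mask test in GeoIP_Lookup. The comment claims the address does not come from user input, but lf->srcip appears to be extracted from decoded log content, so treating it as trusted looks optimistic. Replace the bare call with `if (sscanf(ip, "%u.%u.%u.%u", &c1, &c2, &c3, &c4) != 4 || c1 > 255 || c2 > 255 || c3 > 255 || c4 > 255) return (0);` so malformed strings take the existing zero/"Unknown" path instead of a garbage lookup. GeoIP_Lookup's body continues past the end of this hunk.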
@@ -66,37 +64,46 @@ char *GeoIPLookup(char *ip)
 gi = GeoIP_open(Config.geoip_db_path, GEOIP_INDEX_CACHE);
 if (gi == NULL) {
 merror(INVALID_GEOIP_DB, ARGV0, Config.geoip6_db_path);
- return("Unknown");
+ snprintf(buffer, length, "Unknown (1)");
+ return;
 }
- gir = GeoIP_record_by_name_v6(gi, (const char *)ip);
+ gir = GeoIP_record_by_name_v6(gi, ip);
 } else {
 /* Use the IPv4 DB */
- /* If we have a RFC1918 IP, do not perform a DB lookup (performance) */
- longip = StrIP2Int(ip);
- if (longip == 0 ) return("Unknown");
- if ((longip & NETMASK_8) == RFC1918_10 ||
- (longip & NETMASK_12) == RFC1918_172 ||
- (longip & NETMASK_16) == RFC1918_192) return("");
+ /* If we have a RFC1918 IP, do not perform a DB lookup (performance) */
+ unsigned long longip = StrIP2Int(ip);
+ if (longip == 0 ) {
+ snprintf(buffer, length, "Unknown (2)");
+ return;
+ }
+ if ((longip & NETMASK_8) == RFC1918_10 ||
+ (longip & NETMASK_12) == RFC1918_172 ||
+ (longip & NETMASK_16) == RFC1918_192) {
+ snprintf(buffer, length, "RFC1918 IP");
+ return;
+ }
 gi = GeoIP_open(Config.geoip_db_path, GEOIP_INDEX_CACHE);
 if (gi == NULL) {
 merror(INVALID_GEOIP_DB, ARGV0, Config.geoip_db_path);
- return("Unknown");
+ snprintf(buffer, length, "Unknown (3)");
+ return;
 }
- gir = GeoIP_record_by_name(gi, (const char *)ip);
+ gir = GeoIP_record_by_name(gi, ip);
 }
 if (gir != NULL) {
- sprintf(buffer,"%s,%s,%s",
+ snprintf(buffer,length,"%s,%s,%s",
 _mk_NA(gir->country_code),
 _mk_NA(GeoIP_region_name_by_code(gir->country_code, gir->region)),
 _mk_NA(gir->city)
 );
 GeoIP_delete(gi);
- return;
+ return;
 }
 GeoIP_delete(gi);
- return("Unknown");
+ snprintf(buffer, length, "Unknown (4)");
+ return;
 }
 #endif /* GEOIP */
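Review bot: The success path that ends in `GeoIP_delete(gi); return;` still never releases the record returned by GeoIP_record_by_name / GeoIP_record_by_name_v6, so every alert that resolves to a location leaks a GeoIPRecord in a long-running analysisd process; add `GeoIPRecord_delete(gir);` right after the snprintf and before `GeoIP_delete(gi);`. Separately, the IPv6 branch at the top of the hunk opens `Config.geoip_db_path` but reports `Config.geoip6_db_path` in its merror, so one of the two fields looks wrong — presumably the open should use the IPv6 path, otherwise a v6 lookup runs against the v4 database and falls through to "Unknown (4)". GeoIP_Lookup begins before this hunk.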
@@ -182,8 +189,8 @@ void OS_LogOutput(Eventinfo *lf)
 geoip_msg_src[0] = '\0';
 geoip_msg_dst[0] = '\0';
 if (Config.loggeoip) {
- if (lf->srcip) { strncpy(geoip_msg_src, GeoIPLookup(lf->srcip), OS_SIZE_1024); }
- if (lf->dstip) { strncpy(geoip_msg_dst, GeoIPLookup(lf->dstip), OS_SIZE_1024); }
+ if (lf->srcip) GeoIP_Lookup(lf->srcip, geoip_msg_src, OS_SIZE_1024);
+ if (lf->dstip) GeoIP_Lookup(lf->dstip, geoip_msg_dst, OS_SIZE_1024);
 }
 #endif
 printf(
@@ -269,8 +276,8 @@ void OS_Log(Eventinfo *lf)
 geoip_msg_src[0] = '\0';
 geoip_msg_dst[0] = '\0';
 if (Config.loggeoip) {
- if (lf->srcip) { strncpy(geoip_msg_src, GeoIPLookup(lf->srcip), OS_SIZE_1024 ); }
- if (lf->dstip) { strncpy(geoip_msg_dst, GeoIPLookup(lf->dstip), OS_SIZE_1024 ); }
+ if (lf->srcip) GeoIP_Lookup(lf->srcip, geoip_msg_src, OS_SIZE_1024 );
+ if (lf->dstip) GeoIP_Lookup(lf->dstip, geoip_msg_dst, OS_SIZE_1024 );
 }
 #endif
 /* Writting to the alert log file */
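Review bot: Both new call sites pass the literal `OS_SIZE_1024` as the size of geoip_msg_src and geoip_msg_dst, whose declarations are outside the hunk; the old strncpy bound suggests they are `OS_SIZE_1024 + 1` arrays, in which case the bound is safe, but snprintf inside GeoIP_Lookup will now overrun them if anyone later shrinks the declaration. If they are local arrays rather than pointers, derive the bound from the object so the two cannot drift: `if (lf->srcip) GeoIP_Lookup(lf->srcip, geoip_msg_src, sizeof geoip_msg_src);` and likewise for dstip. The identical pair of calls in the OS_Log hunk below has the same issue. Both OS_LogOutput and OS_Log begin before their hunks.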