1 /*
2 * Argus Software
3 * Copyright (c) 2000-2016 QoSient, LLC
4 * All rights reserved.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2, or (at your option)
9 * any later version.
10
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 *
20 */
21
22 /*
23 * ralabel - add descriptor labels to flows.
24 * this particular labeler adds descriptors based
25 * on addresses.
26 *
27 * written by Carter Bullard
28 * QoSient, LLC
29 *
30 * $Id: //depot/argus/clients/examples/ralabel/ralabel.c#14 $
31 * $DateTime: 2016/06/01 15:17:28 $
32 * $Change: 3148 $
33 */
34
35 #ifdef HAVE_CONFIG_H
36 #include "argus_config.h"
37 #endif
38
39 #if defined(CYGWIN)
40 #define USE_IPV6
41 #endif
42
43 #include <unistd.h>
44 #include <stdlib.h>
45 #include <signal.h>
46 #include <ctype.h>
47
48 #if defined(ARGUS_SOLARIS)
49 #include <strings.h>
50 #include <string.h>
51 #endif
52
53 #include <math.h>
54
55 #include <rabins.h>
56 #include <argus_util.h>
57 #include <argus_label.h>
58 #include <argus_client.h>
59 #include <argus_filter.h>
60 #include <argus_main.h>
61 #include <argus_cluster.h>
62
63
64 void
ArgusClientInit(struct ArgusParserStruct * parser)65 ArgusClientInit (struct ArgusParserStruct *parser)
66 {
67 extern int RaPrintLabelTreeLevel;
68 struct ArgusModeStruct *mode = NULL;
69 parser->RaWriteOut = 0;
70
71 if (!(parser->RaInitialized)) {
72 (void) signal (SIGHUP, (void (*)(int)) RaParseComplete);
73
74 if ((parser->ArgusLabeler = ArgusNewLabeler(parser, 0L)) == NULL)
75 ArgusLog (LOG_ERR, "ArgusClientInit: ArgusNewLabeler error");
76
77 if (parser->ArgusFlowModelFile) {
78 RaLabelParseResourceFile (parser, parser->ArgusLabeler, parser->ArgusFlowModelFile);
79 parser->ArgusFlowModelFile = NULL;
80 }
81
82 if ((parser->ArgusAggregator = ArgusNewAggregator(parser, NULL, ARGUS_RECORD_AGGREGATOR)) == NULL)
83 ArgusLog (LOG_ERR, "ArgusClientInit: ArgusNewAggregator error");
84
85 if ((mode = parser->ArgusModeList) != NULL) {
86 while (mode) {
87 if (!(strncasecmp (mode->mode, "noprune", 7))) {
88 parser->ArgusLabeler->prune = 0;
89 } else
90 if (!(strncasecmp (mode->mode, "addr", 4))) {
91 if (parser->ArgusFlowModelFile) {
92 if (!(RaReadAddressConfig (parser, parser->ArgusLabeler, parser->ArgusFlowModelFile) > 0))
93 ArgusLog (LOG_ERR, "ArgusNewLabeler: RaReadAddressConfig error");
94 }
95 } else
96 if ((!(strncasecmp (mode->mode, "debug.tree", 10))) ||
97 (!(strncasecmp (mode->mode, "debug", 5)))) {
98 parser->ArgusLabeler->RaPrintLabelTreeMode = ARGUS_TREE;
99 if (parser->ArgusLabeler && parser->ArgusLabeler->ArgusAddrTree) {
100 if (parser->Lflag > 0) {
101 RaPrintLabelTreeLevel = parser->Lflag;
102 }
103 RaPrintLabelTree (parser->ArgusLabeler, parser->ArgusLabeler->ArgusAddrTree[AF_INET], 0, 0);
104 }
105 exit(0);
106 }
107
108 mode = mode->nxt;
109 }
110 }
111
112 parser->RaInitialized++;
113 }
114 }
115
RaArgusInputComplete(struct ArgusInput * input)116 void RaArgusInputComplete (struct ArgusInput *input) { return; }
117
118
119 void
RaParseComplete(int sig)120 RaParseComplete (int sig)
121 {
122 if (sig >= 0) {
123 if (!ArgusParser->RaParseCompleting++) {
124
125 ArgusShutDown(sig);
126
127 if ((ArgusParser->ArgusWfileList != NULL) && (!(ArgusListEmpty(ArgusParser->ArgusWfileList)))) {
128 struct ArgusWfileStruct *wfile = NULL, *start = NULL;
129
130 if ((wfile = (struct ArgusWfileStruct *) ArgusFrontList(ArgusParser->ArgusWfileList)) != NULL) {
131 start = wfile;
132 fflush(wfile->fd);
133 ArgusPopFrontList(ArgusParser->ArgusWfileList, ARGUS_NOLOCK);
134 ArgusPushBackList(ArgusParser->ArgusWfileList, (struct ArgusListRecord *) wfile, ARGUS_NOLOCK);
135 wfile = (struct ArgusWfileStruct *) ArgusFrontList(ArgusParser->ArgusWfileList);
136 } while (wfile != start);
137 }
138
139 fflush(stdout);
140 exit(0);
141 }
142 }
143
144 #ifdef ARGUSDEBUG
145 ArgusDebug (1, "RaParseComplete (%d) returning\n", sig);
146 #endif
147 }
148
149 void
ArgusClientTimeout()150 ArgusClientTimeout ()
151 {
152
153 #ifdef ARGUSDEBUG
154 ArgusDebug (4, "ArgusClientTimeout: returning\n");
155 #endif
156 }
157
158 void
parse_arg(int argc,char ** argv)159 parse_arg (int argc, char**argv)
160 {
161
162 #ifdef ARGUSDEBUG
163 ArgusDebug (6, "parse_arg (%d, 0x%x) returning\n", argc, argv);
164 #endif
165 }
166
167
168 void
usage()169 usage ()
170 {
171 extern char version[];
172 fprintf (stdout, "RaLabeler Version %s\n", version);
173 fprintf (stdout, "usage: %s \n", ArgusParser->ArgusProgramName);
174 fprintf (stdout, "usage: %s [ra-options] -S remoteServer [- filter-expression]\n", ArgusParser->ArgusProgramName);
175 fprintf (stdout, "usage: %s [ra-options] -r argusDataFile [- filter-expression]\n\n", ArgusParser->ArgusProgramName);
176 fprintf (stdout, "options: -f <conffile> read ralabel spec from <conffile>.\n");
177 fflush (stdout);
178 exit(1);
179 }
180
181 /*
182 char *RaLabelProcessAddress (struct ArgusParserStruct *, struct ArgusRecordStruct *, unsigned int *, int);
183 extern struct RaAddressStruct *RaFindAddress (struct ArgusParserStruct *, struct RaAddressStruct *, struct RaAddressStruct *, int);
184
185
186 char *
187 RaLabelProcessAddress (struct ArgusParserStruct *parser, struct ArgusRecordStruct *argus, unsigned int *addr, int type)
188 {
189 struct ArgusLabelerStruct *labeler = NULL;
190 struct RaAddressStruct *raddr;
191 char *retn = NULL;
192
193 if ((labeler = parser->ArgusLabeler) == NULL)
194 ArgusLog (LOG_ERR, "RaLabelProcessAddress: No labeler\n");
195
196 if (labeler->ArgusAddrTree != NULL) {
197 switch (type) {
198 case ARGUS_TYPE_IPV4: {
199 struct RaAddressStruct node;
200 bzero ((char *)&node, sizeof(node));
201
202 node.addr.type = AF_INET;
203 node.addr.len = 4;
204 node.addr.addr[0] = *addr;
205 node.addr.masklen = 32;
206
207 if ((raddr = RaFindAddress (parser, labeler->ArgusAddrTree[AF_INET], &node, ARGUS_LONGEST_MATCH)) != NULL)
208 retn = raddr->label;
209 else {
210 char *ptr, *sptr;
211 if ((ptr = ArgusGetName(ArgusParser, (u_char *)addr)) != NULL) {
212 if ((sptr = strrchr(ptr, '.')) != NULL) {
213 if (strlen(++sptr) == 2) {
214 if (!isdigit((int)*sptr)) {
215 char *tptr = sptr;
216 int i, ch;
217 for (i = 0; i < 2; i++, tptr++) {
218 ch = *tptr;
219 if (islower(ch)) {
220 ch = toupper(ch);
221 *tptr = ch;
222 }
223 }
224 retn = sptr;
225 }
226 }
227 }
228 }
229 }
230
231 break;
232 }
233
234 case ARGUS_TYPE_IPV6:
235 break;
236 }
237 }
238
239 #ifdef ARGUSDEBUG
240 ArgusDebug (5, "RaLabelProcessAddress (0x%x, 0x%x, 0x%x, %d) returning %s\n", parser, argus, addr, type, retn);
241 #endif
242
243 return (retn);
244 }
245 */
246
247
248 void
RaProcessRecord(struct ArgusParserStruct * parser,struct ArgusRecordStruct * argus)249 RaProcessRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *argus)
250 {
251 // struct ArgusLabelStruct *lstruct = NULL;
252 struct ArgusRecordStruct *ns = NULL;
253 char buf[MAXSTRLEN];
254
255 if ((ns = ArgusCopyRecordStruct(argus)) != NULL) {
256 ArgusLabelRecord(parser, ns);
257
258 // lstruct = (void *) ns->dsrs[ARGUS_LABEL_INDEX];
259
260 if (parser->ArgusWfileList != NULL) {
261 struct ArgusWfileStruct *wfile = NULL;
262 struct ArgusListObjectStruct *lobj = NULL;
263 int i, count = parser->ArgusWfileList->count;
264
265 if ((lobj = parser->ArgusWfileList->start) != NULL) {
266 for (i = 0; i < count; i++) {
267 if ((wfile = (struct ArgusWfileStruct *) lobj) != NULL) {
268 if ((parser->exceptfile == NULL) || strcmp(wfile->filename, parser->exceptfile)) {
269 struct ArgusRecord *argusrec = NULL;
270 static char sbuf[0x10000];
271 if ((argusrec = ArgusGenerateRecord (ns, 0L, sbuf)) != NULL) {
272 #ifdef _LITTLE_ENDIAN
273 ArgusHtoN(argusrec);
274 #endif
275 ArgusWriteNewLogfile (parser, ns->input, wfile, argusrec);
276 }
277 }
278 }
279
280 lobj = lobj->nxt;
281 }
282 }
283
284 } else {
285 if (!parser->qflag) {
286 if (parser->Lflag) {
287 if (parser->RaLabel == NULL)
288 parser->RaLabel = ArgusGenerateLabel(parser, ns);
289
290 if (!(parser->RaLabelCounter++ % parser->Lflag))
291 printf ("%s\n", parser->RaLabel);
292
293 if (parser->Lflag < 0)
294 parser->Lflag = 0;
295 }
296
297 *(int *)&buf = 0;
298 ArgusPrintRecord(parser, buf, ns, MAXSTRLEN);
299 if (fprintf (stdout, "%s\n", buf) < 0)
300 RaParseComplete(SIGQUIT);
301 }
302 }
303
304 fflush (stdout);
305 ArgusDeleteRecordStruct(parser, ns);
306 }
307
308 #ifdef ARGUSDEBUG
309 ArgusDebug (5, "RaProcessRecord (0x%x) returning\n", argus);
310 #endif
311 }
312
313
314 int
RaSendArgusRecord(struct ArgusRecordStruct * argus)315 RaSendArgusRecord(struct ArgusRecordStruct *argus)
316 {
317
318 #ifdef ARGUSDEBUG
319 ArgusDebug (6, "RaSendArgusRecord (0x%x) returning\n", argus);
320 #endif
321 return 1;
322 }
323
ArgusWindowClose(void)324 void ArgusWindowClose(void) { }
325
326