Mercurial > syslog2iptables
comparison src/syslogconfig.cpp @ 35:d2ceebcf6595 stable-1-7
add message description in patterns
| author | carl |
|---|---|
| date | Tue, 18 Sep 2007 09:54:22 -0700 |
| parents | 601bc0e075e1 |
| children | 6a2f26976898 |
comparison
equal
deleted
inserted
replaced
| 34:a3fee10284e2 | 35:d2ceebcf6595 |
|---|---|
| 33 char *token_file; | 33 char *token_file; |
| 34 char *token_ignore; | 34 char *token_ignore; |
| 35 char *token_include; | 35 char *token_include; |
| 36 char *token_index; | 36 char *token_index; |
| 37 char *token_lbrace; | 37 char *token_lbrace; |
| 38 char *token_message; | |
| 38 char *token_pattern; | 39 char *token_pattern; |
| 39 char *token_rbrace; | 40 char *token_rbrace; |
| 40 char *token_remove; | 41 char *token_remove; |
| 41 char *token_semi; | 42 char *token_semi; |
| 42 char *token_slash; | 43 char *token_slash; |
| 60 typedef map<int, bucket, ltint> ip_buckets; | 61 typedef map<int, bucket, ltint> ip_buckets; |
| 61 | 62 |
| 62 class IPR { | 63 class IPR { |
| 63 ip_buckets violations; | 64 ip_buckets violations; |
| 64 public: | 65 public: |
| 65 void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index); | 66 void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index, char *message); |
| 66 void leak(int amount, CONFIG &con); | 67 void leak(int amount, CONFIG &con); |
| 67 void update(int ip, bool added, char *file_name, int pattern_index); | 68 void update(int ip, bool added, char *file_name, int pattern_index, char *message); |
| 68 void changed(CONFIG &con, int ip, bool added); | 69 void changed(CONFIG &con, int ip, bool added); |
| 69 }; | 70 }; |
| 70 | 71 |
| 71 IPR recorder; | 72 IPR recorder; |
| 72 | 73 |
| 73 | 74 |
| 74 //////////////////////////////////////////////// | 75 //////////////////////////////////////////////// |
| 75 // | 76 // |
| 76 void IPR::add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index) { | 77 void IPR::add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index, char *message) { |
| 77 if (con.looking(ip)) { | 78 if (con.looking(ip)) { |
| 78 ip_buckets::iterator i = violations.find(ip); | 79 ip_buckets::iterator i = violations.find(ip); |
| 79 if (i == violations.end()) { | 80 if (i == violations.end()) { |
| 80 bucket b; | 81 bucket b; |
| 81 b.count = amount; | 82 b.count = amount; |
| 82 b.latch = (con.get_threshold() <= b.count); | 83 b.latch = (con.get_threshold() <= b.count); |
| 83 violations[ip] = b; | 84 violations[ip] = b; |
| 84 if (b.latch) { | 85 if (b.latch) { |
| 85 update(ip, true, file_name, pattern_index); | 86 update(ip, true, file_name, pattern_index, message); |
| 86 changed(con, ip, true); | 87 changed(con, ip, true); |
| 87 } | 88 } |
| 88 } | 89 } |
| 89 else { | 90 else { |
| 90 bucket &b = (*i).second; | 91 bucket &b = (*i).second; |
| 92 int t = con.get_threshold(); | 93 int t = con.get_threshold(); |
| 93 int c = b.count; | 94 int c = b.count; |
| 94 b.count += amount; | 95 b.count += amount; |
| 95 if ((!b.latch) && (c < t) && (t <= b.count)) { | 96 if ((!b.latch) && (c < t) && (t <= b.count)) { |
| 96 b.latch = true; | 97 b.latch = true; |
| 97 update(ip, true, file_name, pattern_index); | 98 update(ip, true, file_name, pattern_index, message); |
| 98 changed(con, ip, true); | 99 changed(con, ip, true); |
| 99 } | 100 } |
| 100 } | 101 } |
| 101 } | 102 } |
| 102 } | 103 } |
| 107 for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); ) { | 108 for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); ) { |
| 108 int ip = (*i).first; | 109 int ip = (*i).first; |
| 109 bucket &b = (*i).second; | 110 bucket &b = (*i).second; |
| 110 if (b.count <= amount) { | 111 if (b.count <= amount) { |
| 111 if (b.latch) { | 112 if (b.latch) { |
| 112 update(ip, false, NULL, 0); | 113 update(ip, false, NULL, 0, NULL); |
| 113 changed(con, ip, false); | 114 changed(con, ip, false); |
| 114 } | 115 } |
| 115 violations.erase(i++); | 116 violations.erase(i++); |
| 116 } | 117 } |
| 117 else { | 118 else { |
| 120 } | 121 } |
| 121 } | 122 } |
| 122 } | 123 } |
| 123 | 124 |
| 124 | 125 |
| 125 void IPR::update(int ip, bool added, char *file_name, int pattern_index) { | 126 void IPR::update(int ip, bool added, char *file_name, int pattern_index, char *message) { |
| 126 if (debug_syslog > 2) { | 127 if (debug_syslog > 2) { |
| 127 char buf[maxlen]; | 128 char buf[maxlen]; |
| 128 in_addr ad; | 129 in_addr ad; |
| 129 ad.s_addr = htonl(ip); | 130 ad.s_addr = htonl(ip); |
| 130 if (added) snprintf(buf, maxlen, "dropping traffic from/to %s based on pattern match %d in %s", inet_ntoa(ad), pattern_index, file_name); | 131 if (added) { |
| 132 if (message) snprintf(buf, maxlen, "dropping traffic from/to %s based on %s in %s", inet_ntoa(ad), message, file_name); | |
| 133 else snprintf(buf, maxlen, "dropping traffic from/to %s based on pattern match %d in %s", inet_ntoa(ad), pattern_index, file_name); | |
| 134 } | |
| 131 else snprintf(buf, maxlen, "allowing traffic from/to %s", inet_ntoa(ad)); | 135 else snprintf(buf, maxlen, "allowing traffic from/to %s", inet_ntoa(ad)); |
| 132 my_syslog(buf); | 136 my_syslog(buf); |
| 133 } | 137 } |
| 134 } | 138 } |
| 135 | 139 |
| 170 } | 174 } |
| 171 | 175 |
| 172 | 176 |
| 173 //////////////////////////////////////////////// | 177 //////////////////////////////////////////////// |
| 174 // | 178 // |
| 175 PATTERN::PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_) { | 179 PATTERN::PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_, char *msg_) { |
| 176 pattern = pattern_; | 180 pattern = pattern_; |
| 177 index = index_; | 181 index = index_; |
| 178 amount = amount_; | 182 amount = amount_; |
| 183 message = msg_; | |
| 179 if (pattern) { | 184 if (pattern) { |
| 180 int rc = regcomp(&re, pattern, REG_ICASE | REG_EXTENDED); | 185 int rc = regcomp(&re, pattern, REG_ICASE | REG_EXTENDED); |
| 181 if (rc) { | 186 if (rc) { |
| 182 char bu[maxlen]; | 187 char bu[maxlen]; |
| 183 regerror(rc, &re, bu, maxlen); | 188 regerror(rc, &re, bu, maxlen); |
| 207 my_syslog(buf); // show lines with matches | 212 my_syslog(buf); // show lines with matches |
| 208 } | 213 } |
| 209 buf[e] = '\0'; | 214 buf[e] = '\0'; |
| 210 int ip = ip_address(buf+s); | 215 int ip = ip_address(buf+s); |
| 211 if (ip) { | 216 if (ip) { |
| 212 recorder.add(ip, amount, con, file_name, pattern_index); | 217 recorder.add(ip, amount, con, file_name, pattern_index, message); |
| 213 } | 218 } |
| 214 return true; | 219 return true; |
| 215 } | 220 } |
| 216 } | 221 } |
| 217 } | 222 } |
| 225 memset(indent, ' ', i); | 230 memset(indent, ' ', i); |
| 226 indent[i] = '\0'; | 231 indent[i] = '\0'; |
| 227 printf("%s pattern \"%s\" {; \n", indent, pattern); | 232 printf("%s pattern \"%s\" {; \n", indent, pattern); |
| 228 printf("%s index %d; \n", indent, index); | 233 printf("%s index %d; \n", indent, index); |
| 229 printf("%s bucket %d; \n", indent, amount); | 234 printf("%s bucket %d; \n", indent, amount); |
| 235 if (message) printf("%s message \"%s\"; \n", indent, message); | |
| 230 printf("%s }; \n", indent); | 236 printf("%s }; \n", indent); |
| 231 } | 237 } |
| 232 | 238 |
| 233 | 239 |
| 234 //////////////////////////////////////////////// | 240 //////////////////////////////////////////////// |
| 486 // | 492 // |
| 487 bool parse_pattern(TOKEN &tok, SYSLOGCONFIG &con); | 493 bool parse_pattern(TOKEN &tok, SYSLOGCONFIG &con); |
| 488 bool parse_pattern(TOKEN &tok, SYSLOGCONFIG &con) { | 494 bool parse_pattern(TOKEN &tok, SYSLOGCONFIG &con) { |
| 489 char *pat = tok.next(); | 495 char *pat = tok.next(); |
| 490 int ind, buc; | 496 int ind, buc; |
| 497 char *msg = NULL; | |
| 491 if (!tsa(tok, token_lbrace)) return false; | 498 if (!tsa(tok, token_lbrace)) return false; |
| 492 while (true) { | 499 while (true) { |
| 493 char *have = tok.next(); | 500 char *have = tok.next(); |
| 494 if (!have) break; | 501 if (!have) break; |
| 495 if (have == token_rbrace) break; | 502 if (have == token_rbrace) break; |
| 501 else if (have == token_bucket) { | 508 else if (have == token_bucket) { |
| 502 have = tok.next(); | 509 have = tok.next(); |
| 503 buc = atoi(have); | 510 buc = atoi(have); |
| 504 if (!tsa(tok, token_semi)) return false; | 511 if (!tsa(tok, token_semi)) return false; |
| 505 } | 512 } |
| 513 else if (have == token_message) { | |
| 514 msg = tok.next(); | |
| 515 if (!tsa(tok, token_semi)) return false; | |
| 516 } | |
| 506 else { | 517 else { |
| 507 tok.token_error("index/bucket", have); | 518 tok.token_error("index/bucket", have); |
| 508 return false; | 519 return false; |
| 509 } | 520 } |
| 510 } | 521 } |
| 511 if (!tsa(tok, token_semi)) return false; | 522 if (!tsa(tok, token_semi)) return false; |
| 512 PATTERNP patt = new PATTERN(tok, pat, ind, buc); | 523 PATTERNP patt = new PATTERN(tok, pat, ind, buc, msg); |
| 513 con.add_pattern(patt); | 524 con.add_pattern(patt); |
| 514 return true; | 525 return true; |
| 515 } | 526 } |
| 516 | 527 |
| 517 | 528 |
| 660 token_file = register_string("file"); | 671 token_file = register_string("file"); |
| 661 token_ignore = register_string("ignore"); | 672 token_ignore = register_string("ignore"); |
| 662 token_include = register_string("include"); | 673 token_include = register_string("include"); |
| 663 token_index = register_string("index"); | 674 token_index = register_string("index"); |
| 664 token_lbrace = register_string("{"); | 675 token_lbrace = register_string("{"); |
| 676 token_message = register_string("message"); | |
| 665 token_pattern = register_string("pattern"); | 677 token_pattern = register_string("pattern"); |
| 666 token_rbrace = register_string("}"); | 678 token_rbrace = register_string("}"); |
| 667 token_remove = register_string("remove_command"); | 679 token_remove = register_string("remove_command"); |
| 668 token_semi = register_string(";"); | 680 token_semi = register_string(";"); |
| 669 token_slash = register_string("/"); | 681 token_slash = register_string("/"); |