diff src/syslogconfig.cpp @ 35:d2ceebcf6595 stable-1-7

add message description in patterns
author carl
date Tue, 18 Sep 2007 09:54:22 -0700
parents 601bc0e075e1
children 6a2f26976898
--- a/src/syslogconfig.cpp	Sun Sep 09 15:46:03 2007 -0700
+++ b/src/syslogconfig.cpp	Tue Sep 18 09:54:22 2007 -0700
@@ -35,6 +35,7 @@
 char *token_include;
 char *token_index;
 char *token_lbrace;
+char *token_message;
 char *token_pattern;
 char *token_rbrace;
 char *token_remove;
@@ -62,9 +63,9 @@
 class IPR {
 	ip_buckets	violations;
 public:
-	void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index);
+	void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index, char *message);
 	void leak(int amount, CONFIG &con);
-	void update(int ip, bool added, char *file_name, int pattern_index);
+	void update(int ip, bool added, char *file_name, int pattern_index, char *message);
 	void changed(CONFIG &con, int ip, bool added);
 };
 
@@ -73,7 +74,7 @@
 
 ////////////////////////////////////////////////
 //
-void IPR::add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index) {
+void IPR::add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index, char *message) {
 	if (con.looking(ip)) {
 		ip_buckets::iterator i = violations.find(ip);
 		if (i == violations.end()) {
@@ -82,7 +83,7 @@
 			b.latch = (con.get_threshold() <= b.count);
 			violations[ip] = b;
 			if (b.latch) {
-				update(ip, true, file_name, pattern_index);
+				update(ip, true, file_name, pattern_index, message);
 				changed(con, ip, true);
 			}
 		}
@@ -94,7 +95,7 @@
 				b.count += amount;
 				if ((!b.latch) && (c < t) && (t <= b.count)) {
 					b.latch = true;
-					update(ip, true, file_name, pattern_index);
+					update(ip, true, file_name, pattern_index, message);
 					changed(con, ip, true);
 				}
 			}
@@ -109,7 +110,7 @@
 		bucket &b = (*i).second;
 		if (b.count <= amount) {
 			if (b.latch) {
-				update(ip, false, NULL, 0);
+				update(ip, false, NULL, 0, NULL);
 				changed(con, ip, false);
 			}
 			violations.erase(i++);
@@ -122,12 +123,15 @@
 }
 
 
-void IPR::update(int ip, bool added, char *file_name, int pattern_index) {
+void IPR::update(int ip, bool added, char *file_name, int pattern_index, char *message) {
 	if (debug_syslog > 2) {
 		char buf[maxlen];
 		in_addr ad;
 		ad.s_addr = htonl(ip);
-		if (added) snprintf(buf, maxlen, "dropping traffic from/to %s based on pattern match %d in %s", inet_ntoa(ad), pattern_index, file_name);
+		if (added) {
+			if (message) snprintf(buf, maxlen, "dropping traffic from/to %s based on %s in %s", inet_ntoa(ad), message, file_name);
+			else		 snprintf(buf, maxlen, "dropping traffic from/to %s based on pattern match %d in %s", inet_ntoa(ad), pattern_index, file_name);
+		}
 		else	   snprintf(buf, maxlen, "allowing traffic from/to %s", inet_ntoa(ad));
 		my_syslog(buf);
 	}
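Review bot: The configured `message` text is now interpolated into `buf`, which the unchanged last line hands to `my_syslog(buf)`; if my_syslog passes that buffer on as the format argument of syslog(3) rather than as `"%s", buf`, a message containing `%` becomes a format directive (the same latent issue already exists for `file_name`, but an admin-written message is far more likely to contain one). That path is only reachable from the config file and only when `debug_syslog > 2`, so the exposure is low, but my_syslog is not visible here and is worth checking. The snprintf calls themselves are correct, with `message` supplied as a `%s` argument, and output is bounded by `maxlen`. A short comment on the new branch, `// message is optional; fall back to the numeric pattern index when the config gave none`, would also document why both formats exist.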
@@ -172,10 +176,11 @@
 
 ////////////////////////////////////////////////
 //
-PATTERN::PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_) {
+PATTERN::PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_, char *msg_) {
 	pattern = pattern_;
 	index	= index_;
 	amount	= amount_;
+	message = msg_;
 	if (pattern) {
 		int rc = regcomp(&re, pattern, REG_ICASE | REG_EXTENDED);
 		if (rc) {
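Review bot: The lifetime contract of the new member is undocumented at `message = msg_;` — the pointer is stored without a copy, exactly as `pattern_` is. Suggest `// message is optional (NULL = none) and is not copied: like pattern_, it must outlive this PATTERN (presumably the tokenizer's interned string, as parse_pattern passes tok.next() straight through).` The constructor's body continues past the end of the hunk.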
@@ -209,7 +214,7 @@
 				buf[e] = '\0';
 				int ip = ip_address(buf+s);
 				if (ip) {
-					recorder.add(ip, amount, con, file_name, pattern_index);
+					recorder.add(ip, amount, con, file_name, pattern_index, message);
 				}
 				return true;
 			}
@@ -227,6 +232,7 @@
 	printf("%s pattern \"%s\" {; \n", indent, pattern);
 	printf("%s     index %d; \n", indent, index);
 	printf("%s     bucket %d; \n", indent, amount);
+	if (message) printf("%s     message \"%s\"; \n", indent, message);
 	printf("%s }; \n", indent);
 }
 
@@ -488,6 +494,7 @@
 bool parse_pattern(TOKEN &tok, SYSLOGCONFIG &con) {
 	char *pat = tok.next();
 	int  ind, buc;
+	char *msg = NULL;
 	if (!tsa(tok, token_lbrace)) return false;
 	while (true) {
 		char *have = tok.next();
@@ -503,13 +510,17 @@
 			buc  = atoi(have);
 			if (!tsa(tok, token_semi)) return false;
 		}
+		else if (have == token_message) {
+			msg = tok.next();
+			if (!tsa(tok, token_semi)) return false;
+		}
 		else {
 			tok.token_error("index/bucket", have);
 			return false;
 		}
 	}
 	if (!tsa(tok, token_semi)) return false;
-	PATTERNP patt = new PATTERN(tok, pat, ind, buc);
+	PATTERNP patt = new PATTERN(tok, pat, ind, buc, msg);
 	con.add_pattern(patt);
 	return true;
 }
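Review bot: The error text on the unchanged line `tok.token_error("index/bucket", have);` no longer lists every keyword the loop accepts now that the `message` branch precedes it; it should read `tok.token_error("index/bucket/message", have);` so a misspelled keyword gets an accurate hint. The new branch stores `tok.next()` unchecked, the same as `pat` at the top of the function; that is tolerable because `IPR::update` treats a NULL message as "use the pattern index", but a second `message` clause silently overwrites the first, which may be worth rejecting. parse_pattern's opening lines are in the preceding hunk.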
@@ -662,6 +673,7 @@
 	token_include	 = register_string("include");
 	token_index 	 = register_string("index");
 	token_lbrace	 = register_string("{");
+	token_message	 = register_string("message");
 	token_pattern	 = register_string("pattern");
 	token_rbrace	 = register_string("}");
 	token_remove	 = register_string("remove_command");