Mercurial > syslog2iptables
view src/syslogconfig.cpp @ 41:738d1f059183
update tags
author | convert-repo |
---|---|
date | Fri, 21 Mar 2008 08:51:24 +0000 |
parents | 26c29da3fbdf |
children | d9ae11033b4b |
line wrap: on
line source
/* Copyright (c) 2007 Carl Byington - 510 Software Group, released under the GPL version 3 or any later version at your choice available at http://www.gnu.org/licenses/gpl-3.0.txt */ #include "includes.h" #include <fcntl.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <limits.h> static char* syslogconfig_version = "$Id$"; char *token_add; char *token_bucket; char *token_file; char *token_ignore; char *token_include; char *token_index; char *token_lbrace; char *token_message; char *token_pattern; char *token_rbrace; char *token_remove; char *token_semi; char *token_slash; char *token_threshold; struct ltint { bool operator()(const int s1, const int s2) const { return (unsigned)s1 < (unsigned)s2; } }; struct bucket { int count; bool latch; // true iff ever count>threshold }; string_set all_strings; // owns all the strings, only modified by the config loader thread const int maxlen = 1000; // used for snprintf buffers typedef map<int, bucket, ltint> ip_buckets; class IPR { ip_buckets violations; public: void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index, char *message); void leak(int amount, CONFIG &con); void free_all(CONFIG &con); void update(int ip, bool added, char *file_name, int pattern_index, char *message); void changed(CONFIG &con, int ip, bool added); }; IPR recorder; //////////////////////////////////////////////// // void IPR::add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index, char *message) { if (con.looking(ip)) { ip_buckets::iterator i = violations.find(ip); if (i == violations.end()) { bucket b; b.count = amount; b.latch = (con.get_threshold() <= b.count); violations[ip] = b; if (b.latch) { update(ip, true, file_name, pattern_index, message); changed(con, ip, true); } } else { bucket &b = (*i).second; if (b.count < (INT_MAX-amount)) { int t = con.get_threshold(); int c = b.count; b.count += amount; if ((!b.latch) && (c < t) && (t <= b.count)) { b.latch = true; update(ip, true, file_name, pattern_index, message); changed(con, ip, true); } } } } } void IPR::leak(int amount, CONFIG &con) { for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); ) { int ip = (*i).first; bucket &b = (*i).second; if (b.count <= amount) { if (b.latch) { update(ip, false, NULL, 0, NULL); changed(con, ip, false); } violations.erase(i++); } else { b.count -= amount; i++; } } } void IPR::free_all(CONFIG &con) { if (debug_syslog > 2) { my_syslog("syslog2iptables shutting down"); } for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); i++) { int ip = (*i).first; bucket &b = (*i).second; if (b.latch) { update(ip, false, NULL, 0, NULL); changed(con, ip, false); } } violations.clear(); } void IPR::update(int ip, bool added, char *file_name, int pattern_index, char *message) { if (debug_syslog > 2) { char buf[maxlen]; in_addr ad; ad.s_addr = htonl(ip); if (added) { if (message) snprintf(buf, maxlen, "dropping traffic from/to %s based on %s in %s", inet_ntoa(ad), message, file_name); else snprintf(buf, maxlen, "dropping traffic from/to %s based on pattern match %d in %s", inet_ntoa(ad), pattern_index, file_name); } else snprintf(buf, maxlen, "allowing traffic from/to %s", inet_ntoa(ad)); my_syslog(buf); } } void IPR::changed(CONFIG &con, int ip, bool added) { int t = con.get_threshold(); char buf[maxlen]; if (added) { bucket &b = violations[ip]; if (con.looking(ip) && (b.count > t)) { in_addr ad; ad.s_addr = htonl(ip); snprintf(buf, maxlen, con.add_command, inet_ntoa(ad)); system(buf); } } else { in_addr ad; ad.s_addr = htonl(ip); snprintf(buf, maxlen, con.remove_command, inet_ntoa(ad)); system(buf); } } //////////////////////////////////////////////// // int ip_address(char *have); int ip_address(char *have) { int ipaddr = 0; in_addr ip; if (inet_aton(have, &ip)) ipaddr = ip.s_addr; else { struct hostent *host = gethostbyname(have); if (host && host->h_addrtype == AF_INET) memcpy(&ipaddr, host->h_addr, sizeof(ipaddr)); } return ntohl(ipaddr); } //////////////////////////////////////////////// // PATTERN::PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_, char *msg_) { pattern = pattern_; index = index_; amount = amount_; message = msg_; if (pattern) { int rc = regcomp(&re, pattern, REG_ICASE | REG_EXTENDED); if (rc) { char bu[maxlen]; regerror(rc, &re, bu, maxlen); char buf[maxlen]; snprintf(buf, sizeof(buf), "pattern %s not valid - %s", pattern, bu); tok.token_error(buf); pattern = NULL; } } } PATTERN::~PATTERN() { regfree(&re); } bool PATTERN::process(char *buf, CONFIG &con, char *file_name, int pattern_index) { if (pattern) { const int nmatch = index+1; regmatch_t match[nmatch]; if (0 == regexec(&re, buf, nmatch, match, 0)) { int s = match[index].rm_so; int e = match[index].rm_eo; if (s != -1) { if (debug_syslog > 3) { my_syslog(buf); // show lines with matches } buf[e] = '\0'; int ip = ip_address(buf+s); if (ip) { recorder.add(ip, amount, con, file_name, pattern_index, message); } return true; } } } return false; } void PATTERN::dump(int level) { char indent[maxlen]; int i = min(maxlen-1, level*4); memset(indent, ' ', i); indent[i] = '\0'; printf("%s pattern \"%s\" {; \n", indent, pattern); printf("%s index %d; \n", indent, index); printf("%s bucket %d; \n", indent, amount); if (message) printf("%s message \"%s\"; \n", indent, message); printf("%s }; \n", indent); } //////////////////////////////////////////////// // CONFIG::CONFIG() { reference_count = 0; generation = 0; load_time = 0; threshold = 500; add_command = "/sbin/iptables -I INPUT --src %s --jump DROP"; remove_command = "/sbin/iptables -D INPUT --src %s --jump DROP"; } CONFIG::~CONFIG() { for (syslogconfig_list::iterator i=syslogconfigs.begin(); i!=syslogconfigs.end(); i++) { SYSLOGCONFIG *c = *i; delete c; } ignore.clear(); } void CONFIG::add_syslogconfig(SYSLOGCONFIGP con) { syslogconfigs.push_back(con); } void CONFIG::add_pair(IPPAIR pair) { ignore.push_back(pair); } void CONFIG::dump() { printf(" threshold %d; \n\n", threshold); printf(" add_command \"%s\"; \n", add_command); printf(" remove_command \"%s\"; \n\n", remove_command); printf(" ignore { \n"); for (ippair_list::iterator i=ignore.begin(); i!=ignore.end(); i++) { IPPAIR &p = *i; in_addr ip; ip.s_addr = htonl(p.first); printf(" %s/%d; \n", inet_ntoa(ip), p.cidr); } printf(" }; \n\n"); for (syslogconfig_list::iterator i=syslogconfigs.begin(); i!=syslogconfigs.end(); i++) { SYSLOGCONFIGP c = *i; c->dump(0); } } void CONFIG::read() { while (true) { bool have = false; for (syslogconfig_list::iterator i=syslogconfigs.begin(); i!=syslogconfigs.end(); i++) { SYSLOGCONFIGP c = *i; have |= c->read(*this); } if (!have) break; } } void CONFIG::sleep(int duration, time_t &previous) { ::sleep(duration); time_t now = time(NULL); recorder.leak(now-previous, *this); previous = now; } void CONFIG::free_all() { recorder.free_all(*this); } bool CONFIG::looking(int ip) { for (ippair_list::iterator i=ignore.begin(); i!=ignore.end(); i++) { IPPAIR &p = *i; if ((p.first <= ip) && (ip <= p.last)) return false; } return true; } //////////////////////////////////////////////// // SYSLOGCONFIG::SYSLOGCONFIG(TOKEN &tok, char *file_name_) { tokp = &tok; file_name = file_name_; open(true); } SYSLOGCONFIG::~SYSLOGCONFIG() { close(); for (pattern_list::iterator i=patterns.begin(); i!=patterns.end(); i++) { PATTERN *p = *i; delete p; } } void SYSLOGCONFIG::open(bool msg) { fd = ::open(file_name, O_RDONLY); len = 0; if (fd == -1) { if (msg) { char buf[maxlen]; snprintf(buf, sizeof(buf), "syslog file %s not readable", file_name); tokp->token_error(buf); } } else { if (debug_syslog > 1) { snprintf(buf, sizeof(buf), "syslog file %s opened", file_name); my_syslog(buf); } lseek(fd, 0, SEEK_END); if (fstat(fd, &openfdstat)) { close(); snprintf(buf, sizeof(buf), "syslog file %s cannot stat after open", file_name); tokp->token_error(buf); } // specify that this fd gets closed on exec, so that selinux // won't complain about iptables trying to read log files. int oldflags = fcntl(fd, F_GETFD, 0); if (oldflags >= 0) { fcntl(fd, F_SETFD, oldflags | FD_CLOEXEC); } } } bool SYSLOGCONFIG::read(CONFIG &con) { if (failed()) { open(false); if (failed()) return false; } int n = ::read(fd, buf+len, buflen-len); bool have = (n > 0); if (have) { len += n; while (true) { char *p = (char*)memchr(buf, '\n', len); if (!p) break; n = p-buf; *p = '\0'; process(con); // process null terminated string len -= n+1; memmove(buf, p+1, len); } // no <lf> in a full buffer if (len == buflen) len = 0; } else { // check for file close struct stat filenamest; if (0 == stat(file_name, &filenamest)) { if ((filenamest.st_dev != openfdstat.st_dev) || (filenamest.st_ino != openfdstat.st_ino)) { close(); } } else { // filename no longer exists close(); } } return have; } void SYSLOGCONFIG::close() { if (debug_syslog > 1) { snprintf(buf, sizeof(buf), "syslog file %s closed", file_name); my_syslog(buf); } if (fd != -1) ::close(fd); fd = -1; } void SYSLOGCONFIG::add_pattern(PATTERNP pat) { patterns.push_back(pat); } void SYSLOGCONFIG::process(CONFIG &con) { int pi=0; for (pattern_list::iterator i=patterns.begin(); i!=patterns.end(); i++) { PATTERN *p = *i; if (p->process(buf, con, file_name, pi)) break; pi++; } } void SYSLOGCONFIG::dump(int level) { char indent[maxlen]; int i = min(maxlen-1, level*4); memset(indent, ' ', i); indent[i] = '\0'; char buf[maxlen]; printf("%s file \"%s\" {\n", indent, file_name); for (pattern_list::iterator i=patterns.begin(); i!=patterns.end(); i++) { PATTERN *p = *i; p->dump(level+1); } printf("%s }; \n", indent); } //////////////////////////////////////////////// // helper to discard the strings held by a string_set // void discard(string_set &s) { for (string_set::iterator i=s.begin(); i!=s.end(); i++) { free(*i); } s.clear(); } //////////////////////////////////////////////// // helper to register a string in a string set // char* register_string(string_set &s, char *name) { string_set::iterator i = s.find(name); if (i != s.end()) return *i; char *x = strdup(name); s.insert(x); return x; } //////////////////////////////////////////////// // register a global string // char* register_string(char *name) { return register_string(all_strings, name); } //////////////////////////////////////////////// // clear all global strings, helper for valgrind checking // void clear_strings() { discard(all_strings); } //////////////////////////////////////////////// // bool tsa(TOKEN &tok, char *token); bool tsa(TOKEN &tok, char *token) { char *have = tok.next(); if (have == token) return true; tok.token_error(token, have); return false; } //////////////////////////////////////////////// // bool parse_pattern(TOKEN &tok, SYSLOGCONFIG &con); bool parse_pattern(TOKEN &tok, SYSLOGCONFIG &con) { char *pat = tok.next(); int ind, buc; char *msg = NULL; if (!tsa(tok, token_lbrace)) return false; while (true) { char *have = tok.next(); if (!have) break; if (have == token_rbrace) break; if (have == token_index) { have = tok.next(); ind = atoi(have); if (!tsa(tok, token_semi)) return false; } else if (have == token_bucket) { have = tok.next(); buc = atoi(have); if (!tsa(tok, token_semi)) return false; } else if (have == token_message) { msg = tok.next(); if (!tsa(tok, token_semi)) return false; } else { tok.token_error("index/bucket", have); return false; } } if (!tsa(tok, token_semi)) return false; PATTERNP patt = new PATTERN(tok, pat, ind, buc, msg); con.add_pattern(patt); return true; } //////////////////////////////////////////////// // bool parse_ignore(TOKEN &tok, CONFIG &dc); bool parse_ignore(TOKEN &tok, CONFIG &dc) { if (!tsa(tok, token_lbrace)) return false; while (true) { char *have = tok.next(); if (!have) break; if (have == token_rbrace) break; int ipaddr = ip_address(have); if (ipaddr == 0) { tok.token_error("ip address", have); return false; } if (!tsa(tok, token_slash)) return false; have = tok.next(); int mask = atoi(have); if ((mask < 8) || (mask > 32)) { tok.token_error("cidr 8..32 value", have); return false; } if (!tsa(tok, token_semi)) return false; IPPAIR pair; const int masks[33] = {0xffffffff, // 0 0x7fffffff, // 1 0x3fffffff, // 2 0x1fffffff, // 3 0x0fffffff, // 4 0x07ffffff, // 5 0x03ffffff, // 6 0x01ffffff, // 7 0x00ffffff, // 8 0x007fffff, // 9 0x003fffff, // 10 0x001fffff, // 11 0x000fffff, // 12 0x0007ffff, // 13 0x0003ffff, // 14 0x0001ffff, // 15 0x0000ffff, // 16 0x00007fff, // 17 0x00003fff, // 18 0x00001fff, // 19 0x00000fff, // 20 0x000007ff, // 21 0x000003ff, // 22 0x000001ff, // 23 0x000000ff, // 24 0x0000007f, // 25 0x0000003f, // 26 0x0000001f, // 27 0x0000000f, // 28 0x00000007, // 29 0x00000003, // 30 0x00000001, // 31 0x00000000}; // 32 pair.first = ipaddr; pair.last = ipaddr | masks[mask]; pair.cidr = mask; dc.add_pair(pair); } if (!tsa(tok, token_semi)) return false; return true; } //////////////////////////////////////////////// // bool parse_syslogconfig(TOKEN &tok, CONFIG &dc); bool parse_syslogconfig(TOKEN &tok, CONFIG &dc) { char *name = tok.next(); if (!tsa(tok, token_lbrace)) return false; SYSLOGCONFIGP con = new SYSLOGCONFIG(tok, name); if (con->failed()) { delete con; return false; } dc.add_syslogconfig(con); while (true) { char *have = tok.next(); if (!have) break; if (have == token_rbrace) break; if (have == token_pattern) { if (!parse_pattern(tok, *con)) return false; } else { tok.token_error("pattern", have); return false; } } if (!tsa(tok, token_semi)) return false; return true; } //////////////////////////////////////////////// // parse a config file // bool load_conf(CONFIG &dc, char *fn) { int count = 0; TOKEN tok(fn, &dc.config_files); while (true) { char *have = tok.next(); if (!have) break; if (have == token_threshold) { have = tok.next(); dc.set_threshold(atoi(have)); if (!tsa(tok, token_semi)) return false; } else if (have == token_ignore) { if (!parse_ignore(tok, dc)) return false; } else if (have == token_add) { have = tok.next(); dc.set_add(have); if (!tsa(tok, token_semi)) return false; } else if (have == token_remove) { have = tok.next(); dc.set_remove(have); if (!tsa(tok, token_semi)) return false; } else if (have == token_file) { if (!parse_syslogconfig(tok, dc)) return false; count++; } else { tok.token_error("threshold/ignore/add_command/remove_command/file", have); return false; } } tok.token_error("load_conf() found %d syslog files in %s", count, fn); return (!dc.syslogconfigs.empty()); } //////////////////////////////////////////////// // init the tokens // void token_init() { token_add = register_string("add_command"); token_bucket = register_string("bucket"); token_file = register_string("file"); token_ignore = register_string("ignore"); token_include = register_string("include"); token_index = register_string("index"); token_lbrace = register_string("{"); token_message = register_string("message"); token_pattern = register_string("pattern"); token_rbrace = register_string("}"); token_remove = register_string("remove_command"); token_semi = register_string(";"); token_slash = register_string("/"); token_threshold = register_string("threshold"); }