
Fixed a few issues:

- Added iph defaulting with inner_iph (portscan mainly..)
- Added exit in Barnyard2Cleanup (prob merge conflict)
- some cleanup in syslog fix
- fixed a leak in spoolerEventCacheClean
1 parent 5f9ef93 commit 51b189459e924001d979a1c30a800d31f62fd4df @binf binf committed Jan 31, 2012
Showing with 65 additions and 31 deletions.
  1. +4 −0 src/barnyard2.c
  2. +13 −14 src/output-plugins/spo_syslog_full.c
  3. +5 −1 src/plugbase.c
  4. +43 −16 src/spooler.c
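--- a/src/barnyard2.c
+++ b/src/barnyard2.c
@@ -1185,6 +1185,10 @@ static void Barnyard2Cleanup(int exit_val)
 if (barnyard2_conf_dir != NULL)
 free(barnyard2_conf_dir);
+
+
+ _exit(exit_val);
+
 }
 void Restart(void)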
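Review bot: The `_exit(exit_val);` added at the end of Barnyard2Cleanup terminates the process without running atexit handlers or flushing stdio buffers, so any log or error output buffered just before shutdown can be silently lost; unless this code runs on the child side of a fork or inside a signal handler, `exit(exit_val);` is the safer call. If it is reached from a signal handler, `_exit` is the async-signal-safe choice, but that trade-off should then be stated in a comment, e.g. `/* _exit(): async-signal-safe; stdio buffers are deliberately not flushed here */`. The commit message attributes this line to a merge conflict rather than a design decision, and Barnyard2Cleanup's body starts outside the hunk, so I cannot see whether any caller relied on it returning.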
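--- a/src/output-plugins/spo_syslog_full.c
+++ b/src/output-plugins/spo_syslog_full.c
@@ -861,7 +861,7 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 SigNode *sn = NULL;
 ClassType *cn = NULL;
-
+
 char sip[16] = {0};
 char dip[16] = {0};
@@ -892,6 +892,7 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 memset(syslogContext->formatBuffer,'\0',(SYSLOG_MAX_QUERY_SIZE));
 syslogContext->payload_current_pos = 0;
 syslogContext->format_current_pos = 0;
+
 switch(syslogContext->operation_mode)
 {
@@ -931,7 +932,6 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 /* XXX */
 FatalError("[%s()], failed call to snprintf \n",
 __FUNCTION__);
- return;
 }
 if( OpSyslog_Concat(syslogContext))
@@ -983,7 +983,6 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 /* XXX */
 FatalError("[%s()], failed call to snprintf \n",
 __FUNCTION__);
- return ;
 }
 }
@@ -997,7 +996,6 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 /* XXX */
 FatalError("[%s()], failed call to snprintf \n",
 __FUNCTION__);
- return ;
 }
 }
@@ -1016,22 +1014,24 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 {
 if(!BcAlertInterface())
 {
- if( protocol_names[GET_IPH_PROTO(p)] )
+ if(protocol_names[GET_IPH_PROTO(p)])
 {
 if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
 " {%s} %s -> %s",
 protocol_names[GET_IPH_PROTO(p)],
 sip, dip)) >= SYSLOG_MAX_QUERY_SIZE)
 {
 /* XXX */
- return ;
+ FatalError("[%s()], failed call to snprintf \n",
+ __FUNCTION__);
 }
 }
 }
 else
 {
- if( protocol_names[GET_IPH_PROTO(p)] )
+ if(protocol_names[GET_IPH_PROTO(p)])
 {
+
 if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
 " <%s> {%s} %s -> %s",
 barnyard2_conf->interface,
@@ -1041,7 +1041,7 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 /* XXX */
 FatalError("[%s()], failed call to snprintf \n",
 __FUNCTION__);
- return ;
+
 }
 }
 }
@@ -1050,7 +1050,7 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 {
 if(BcAlertInterface())
 {
- if( protocol_names[GET_IPH_PROTO(p)] )
+ if(protocol_names[GET_IPH_PROTO(p)])
 {
 if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
 " <%s> {%s} %s:%i -> %s:%i",
@@ -1061,13 +1061,12 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 /* XXX */
 FatalError("[%s()], failed call to snprintf \n",
 __FUNCTION__);
- return;
 }
 }
 }
 else
 {
- if( protocol_names[GET_IPH_PROTO(p)] )
+ if(protocol_names[GET_IPH_PROTO(p)])
 {
 if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
 " {%s} %s:%i -> %s:%i",
@@ -1077,7 +1076,6 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 /* XXX */
 FatalError("[%s()], failed call to snprintf \n",
 __FUNCTION__);
- return;
 }
 }
 }
@@ -1157,8 +1155,9 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
 {
 FatalError("NetSend(): call failed for host:port '%s:%u' bailing...\n", syslogContext->server, syslogContext->port);
 }
- return;
 }
+
+
 return;
 }
@@ -1415,7 +1414,7 @@ OpSyslog_Data *OpSyslog_ParseArgs(char *args)
 else if(!strcasecmp("LOG_AUTH", stoks[1]))
 {
 op_data->syslog_priority |= LOG_AUTH;
- snprintf(op_data->syslog_tx_facility,"%s","");
+ snprintf(op_data->syslog_tx_facility,16,"%s","LOG_AUTH");
 }
 else if(!strcasecmp("LOG_SYSLOG", stoks[1]))
 {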
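Review bot: The size argument added in the last hunk, `snprintf(op_data->syslog_tx_facility,16,"%s","LOG_AUTH");`, is a bare literal; if `syslog_tx_facility` is a fixed array in OpSyslog_Data, `snprintf(op_data->syslog_tx_facility, sizeof op_data->syslog_tx_facility, "%s", "LOG_AUTH");` keeps the bound tied to the declaration, and if it is a pointer the capacity should be a named constant shared with the sibling facility branches, which are outside the hunk. The previous call passed the format string where the size belongs, so this is a genuine fix and worth getting right. Separately, in the hunk at `@@ -1016,22 +1014,24 @@` the silent `return ;` on a truncated format becomes `FatalError(...)`, so an oversized alert line now terminates the process; because the formatted length depends on packet fields and the configured interface name, a non-fatal error log followed by dropping the alert would keep the output plugin from becoming an availability risk, and the same choice was already made in the other snprintf branches. Both OpSyslog_Alert and OpSyslog_ParseArgs begin and end outside their hunks, so I cannot see how FatalError is declared; removing the `return;` statements after it is only safe if it is marked as never returning.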
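--- a/src/plugbase.c
+++ b/src/plugbase.c
@@ -467,7 +467,11 @@ void FreeOutputList(OutputFuncNode *list)
 OutputFuncNode *tmp = list;
 list = list->next;
-
- free(tmp);
+
+ if(tmp != NULL)
+ {
+ free(tmp);
+ }
 }
 }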
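Review bot: The new `if(tmp != NULL)` guard around `free(tmp)` is dead code: `tmp` aliases `list`, which the preceding `list = list->next;` has already dereferenced, so `tmp` cannot be NULL at that point, and `free(NULL)` is a no-op in any case. If the intent was to protect the dereference, the check belongs on `list` in the loop condition, which is outside the hunk; otherwise the original single line `free(tmp);` says the same thing more clearly. The rest of FreeOutputList, including its loop header, is outside the hunk.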
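--- a/src/spooler.c
+++ b/src/spooler.c
@@ -673,6 +673,13 @@ void spoolerProcessRecord(Spooler *spooler, int fire_output)
 DecodePacket(datalink, spooler->record.pkt, &pkth,
 ((Unified2Packet *)spooler->record.data)->packet_data);
+ /* This is a fixup for portscan... */
+ if( (spooler->record.pkt->iph == NULL) &&
+ ((spooler->record.pkt->inner_iph != NULL) && (spooler->record.pkt->inner_iph->ip_proto == 255)))
+ {
+ spooler->record.pkt->iph = spooler->record.pkt->inner_iph;
+ }
+
 /* check if it's been re-assembled */
 if (spooler->record.pkt->packet_flags & PKT_REBUILT_STREAM)
 {
@@ -856,32 +863,52 @@ uint8_t spoolerEventCacheHeadUsed(Spooler *spooler)
 int spoolerEventCacheClean(Spooler *spooler)
 {
- EventRecordNode *ernCurrent;
- EventRecordNode *ernPrevious = NULL;
-
+ EventRecordNode *ernCurrent = NULL;
+ EventRecordNode *ernPrev = NULL;
+ EventRecordNode *ernNext = NULL;
+
 if (spooler == NULL || spooler->event_cache == NULL )
 return 1;
-
+
+ ernPrev = spooler->event_cache;
 ernCurrent = spooler->event_cache;
-
+
 while (ernCurrent != NULL && spooler->events_cached > CACHED_EVENTS_MAX )
 {
- if ( ernCurrent->used == 1 )
+ ernNext = ernCurrent->next;
+
+ if ( ernCurrent->used == 1 )
 {
- /* clear the node from the list */
- if (ernPrevious == NULL)
- spooler->event_cache = ernCurrent->next;
+ /* Delete from list */
+ if (ernCurrent == spooler->event_cache)
+ {
+ spooler->event_cache = ernNext;
+ }
 else
- ernPrevious->next = ernCurrent->next;
-
+ {
+ ernPrev->next = ernNext;
+ }
+
 spooler->events_cached--;
- free(ernCurrent->data);
- free(ernCurrent);
+ if(ernCurrent->data != NULL)
+ {
+ free(ernCurrent->data);
+ }
+
+ if(ernCurrent != NULL)
+ {
+ free(ernCurrent);
+ }
 }
+
+ if(ernCurrent != NULL)
+ {
+ ernPrev = ernCurrent;
+ }
+
+ ernCurrent = ernNext;
- ernPrevious = ernCurrent;
- ernCurrent = ernCurrent->next;
 }
 return 0;
@@ -1014,7 +1041,7 @@ int spoolerReadWaldo(Waldo *waldo)
 /* ensure we are at the beggining since we must be open and in read */
 lseek(waldo->fd, 0, SEEK_SET);
 }
-
+
 /* read values into temporary WaldoData structure */
 ret = read(waldo->fd, &wd, sizeof(WaldoData));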
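Review bot: In spoolerEventCacheClean, after a used node is freed the loop still runs `ernPrev = ernCurrent;` (the `if(ernCurrent != NULL)` test checks the pointer value, not whether it was just released), so ernPrev dangles; when the following node is also used and is not the list head, `ernPrev->next = ernNext;` writes into freed memory and the surviving predecessor keeps a `next` pointer to a freed node. Only advance ernPrev when the node survives: make that assignment the `else` branch of the `if ( ernCurrent->used == 1 )` test, `else { ernPrev = ernCurrent; }`, and drop the separate `if(ernCurrent != NULL)` block before `ernCurrent = ernNext;`. The NULL checks around `free(ernCurrent->data)` and `free(ernCurrent)` are redundant, since `free(NULL)` is a no-op and ernCurrent was dereferenced a few lines earlier. The function's closing brace is outside the hunk. In the spoolerProcessRecord hunk the literal `255` compared against `inner_iph->ip_proto` deserves a named constant or a comment naming the encapsulation it selects; I cannot tell from here which protocol value is meant.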
