Prevent FIM from producing false negatives due to wrong checksum comp…

…arison. The checksum string was being truncated by spaces though they were escaped.
wazuh · Oct 14, 2019 · 5ddc7d3 · 5ddc7d3
1 parent d8c645e
commit 5ddc7d3
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 3 deletions.
diff --git a/src/error_messages/debug_messages.h b/src/error_messages/debug_messages.h
@@ -95,7 +95,7 @@
 #define FIM_REALTIME_MONITORING             "(6225): The '%s' directory starts to be monitored in real-time mode"
 #define FIM_REALTIME_NEWPATH                "(6226): Scanning new file '%s' with options for directory '%s'."
 #define FIM_REALTIME_NEWDIRECTORY           "(6227): Directory added for real time monitoring: '%s'."
-#define FIM_REALTIME_DISCARD_EVENT          "(6228): Inotify event with same checksum for file: '%s'. Ignoring it."
+#define FIM_REALTIME_DISCARD_EVENT          "(6228): Real-time event with same checksum for file: '%s'. Ignoring it."
 
 #define FIM_WHODATA_HANDLE_UPDATE           "(6229): The handler ('%s') will be updated."
 #define FIM_WHODATA_NEWDIRECTORY            "(6230): Monitoring with Audit: '%s'."

diff --git a/src/headers/string_op.h b/src/headers/string_op.h
@@ -99,4 +99,13 @@ const char *find_string_in_array(char * const string_array[], size_t array_len,
 
 char *decode_hex_buffer_2_ascii_buffer(const char * const encoded_buffer, const size_t buffer_size);
 
+/**
+ * @brief Length of the initial segment of s which consists entirely of non-escaped bytes different from reject
+ *
+ * @param s String.
+ * @param reject String delimiter.
+ * @return size_t Number of bytes in s that are not reject.
+ */
+size_t strcspn_escaped(const char * s, char reject);
+
 #endif
diff --git a/src/shared/string_op.c b/src/shared/string_op.c
@@ -643,3 +643,24 @@ char* decode_hex_buffer_2_ascii_buffer(const char * const encoded_buffer, const
 
     return decoded_buffer;
 }
+
+// Length of the initial segment of s which consists entirely of non-escaped bytes different from reject
+
+size_t strcspn_escaped(const char * s, char reject) {
+    char charset[3] = { '\\', reject };
+
+    size_t len = strlen(s);
+    size_t spn_len = 0;
+
+    do {
+        spn_len += strcspn(s + spn_len, charset);
+
+        if (s[spn_len] == '\\') {
+            spn_len += 2;
+        } else {
+            return spn_len;
+        }
+    } while (spn_len < len);
+
+    return len;
+}
diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c
@@ -585,7 +585,7 @@ static int read_file(const char *file_name, const char *linked_file, int dir_pos
                     merror(FIM_ERROR_WHODATA_SUM_MAX, linked_file && *linked_file ? linked_file : file_name);
                 }
                 // Update database
-                snprintf(alert_msg, OS_MAXSTR, "%.*s%.*s", SK_DB_NATTR, buf, (int)strcspn(c_sum, " "), c_sum);
+                snprintf(alert_msg, OS_MAXSTR, "%.*s%.*s", SK_DB_NATTR, buf, (int)strcspn_escaped(c_sum, ' '), c_sum);
                 s_node->checksum = strdup(alert_msg);
 
                 /* Send the new checksum to the analysis server */

diff --git a/src/syscheckd/run_realtime.c b/src/syscheckd/run_realtime.c
@@ -98,7 +98,7 @@ int realtime_checksumfile(const char *file_name, whodata_evt *evt)
             }
 
             // Update database
-            snprintf(alert_msg, sizeof(alert_msg), "%.*s%.*s", SK_DB_NATTR, buf, (int)strcspn(c_sum, " "), c_sum);
+            snprintf(alert_msg, sizeof(alert_msg), "%.*s%.*s", SK_DB_NATTR, buf, (int)strcspn_escaped(c_sum, ' '), c_sum);
             s_node->checksum = strdup(alert_msg);
 
             alert_msg[OS_MAXSTR] = '\0';