ip.h File Reference

Go to the source code of this file.

Functions
int	loadIpList (void)
int	writeIpList (void)
int	deleteIp (char *ip)
int	compactIpList ()
int	ipadd (char *ip)
int	ipEntry (char *ip)
void	incrementHitCount (char *ip)
void	secwatch (void)
char *	replaceIp (char *buf, char *ip)
void	ipManage (void)
int	dropIp (int ind)
int	undropIp (int ind)

---

Function Documentation

int compactIpList (   )

compact IP list removing deleted entries Definition at line 105 of file ip.c. References ipcnt, iplist, and writeLog(). { ipinfo_t *nlist; int i, ncnt = 0; if((nlist = calloc(sizeof(ipinfo_t),ipcnt)) == NULL) { writeLog("Cannot allocate space for compaction %m"); return -1; } for(i = 0; i < ipcnt; i++) if(iplist[i].timein != -1) nlist[ncnt++] = iplist[i]; if((nlist = realloc(nlist,(sizeof(ipinfo_t)*ncnt))) == NULL) { writeLog("Cannot allocate space for compaction %m"); return -1; } free(iplist); iplist = nlist; ipDeleteFlag = 0; } Here is the call graph for this function:

int deleteIp (  char *  ip  )

mark an IP in our tracking list as deleted. Definition at line 92 of file ip.c. References ipDeleteFlag, ipEntry(), iplist, and _ipinfo::timein. { int i; if((i = ipEntry(ip)) != -1) { bzero(iplist[i].ip,sizeof(iplist[i].ip)); iplist[i].timein = (time_t)-1; ipDeleteFlag = 1; return 0; } return -1; } Here is the call graph for this function:

int dropIp (  int  ind  )

drop an IP by setting up a firewall rule to reject all packets from that source Definition at line 209 of file ip.c. References confVarFlist(), confVarText(), count(), _ipinfo::ip, iplist, and replaceIp(). Referenced by ipManage(). { ipinfo_t *ip = &iplist[ind]; char * s; char ** dropRules = NULL; int i, x; if(dropRules == NULL) dropRules = confVarFlist("fwreject",&i); for(i = 0; i < count(dropRules); i++) { s = replaceIp(confVarText(dropRules[i],&x),ip->ip); system(s); free(s); } ip->isdropped = 1; time(&ip->timein); writeIpList(); inform("secwatch dropped IP %s",ip->ip); return 0; } Here is the call graph for this function:

void incrementHitCount (  char *  ip  )

increment the hit count for an IP, add it if it doesnt exist in the list Definition at line 155 of file ip.c. References _ipinfo::hitcount, ipadd(), ipEntry(), iplist, and writeIpList(). Referenced by secwatch(). { int i; if((i = ipEntry(ip)) != -1) iplist[i].hitcount ++; else ipadd(ip); time(&iplist[i].timein); writeIpList(); } Here is the call graph for this function:

int ipadd (  char *  ip  )

add an IP to the IP list Definition at line 126 of file ip.c. References _ipinfo::hitcount, _ipinfo::ip, ipcnt, iplist, _ipinfo::isdropped, _ipinfo::timein, writeIpList(), and writeLog(). Referenced by incrementHitCount(). { ipinfo_t ipi; int ipn; strcpy(ipi.ip,ip); time(&ipi.timein); ipi.hitcount = 1; ipi.isdropped = 0; ipn = ipcnt++; if((iplist = realloc(iplist,(sizeof(ipinfo_t)*ipcnt))) == NULL) { writeLog("Cannot allocate ip member"); return -1; } iplist[ipn] = ipi; writeIpList(); return 0; } Here is the call graph for this function:

int ipEntry (  char *  ip  )

return the index of the IP list entry corresponding to IP or -1 if not found Definition at line 144 of file ip.c. References ipcnt, and iplist. Referenced by deleteIp(), and incrementHitCount(). { int i; for(i = 0; i < ipcnt; i++) if(strcmp(iplist[i].ip,ip) == 0) return i; errno = ENOENT; return -1; }

void ipManage (  void   )

manage the IP list checking expirations and hit counts. Ban problem IPs and remove older offenders. If IP delete flag is set compact the IP list Definition at line 168 of file ip.c. References confVarInt(), dropIp(), ipcnt, iplist, and undropIp(). Referenced by secwatch(). { int i; time_t now; static int maxatt = -1; static int maxsecs = -1; if(maxatt == -1) maxatt=confVarInt("maxatt",&i); if(maxsecs == -1) maxsecs = confVarInt("maxage",&i) * 60; time(&now); for(i = 0; i < ipcnt; i++) { if(iplist[i].isdropped == 0 && iplist[i].hitcount >= maxatt) dropIp(i); else if((now - iplist[i].timein) >= maxsecs) undropIp(i); } if(ipDeleteFlag) compactIpList(); writeIpList(); } Here is the call graph for this function:

int loadIpList (  void   )

load the list of IP's we are tracking Definition at line 47 of file ip.c. References confVarPath(), ipcnt, iplist, and writeLog(). Referenced by secwatch(). { struct stat _st, *s = &_st; int cnt; char * filename = NULL; FILE *f; if(filename == NULL) filename = confVarPath("iplist",&cnt); if(stat(filename,s) != 0) { writeLog("Cannot stat %s: %m",filename); return -1; } cnt = s->st_size / sizeof(ipinfo_t); if((iplist = malloc(s->st_size)) == NULL) { fprintf(stderr,"Cannot allocate space for iplist: %m\n"); exit(-1); } if((f = fopen(filename,"r")) == NULL) { fprintf(stderr,"Cannot open iplist: %m\n"); exit(-1); } fread(iplist,sizeof(ipinfo_t),cnt,f); fclose(f); ipcnt = cnt; return 0; } Here is the call graph for this function:

char* replaceIp (  char *  buf, char *  ip )

parse a string and replace $i with IP. Return NULL if there is no $ip, and on ENOMEM Definition at line 193 of file ip.c. References strpos(). Referenced by dropIp(), and undropIp(). { char *tmp, *p; int i; tmp = alloca(strlen(buf)+strlen(ip)+2); if((i = strpos(buf,"$i")) == -1) return NULL; p = &buf[i]; p+= 2; strncpy(tmp,buf,i); strcat(tmp,ip); strcat(tmp,p); return strdup(tmp); } Here is the call graph for this function:

void secwatch (  void   )

secwatch watches log files looking for repeat attemps based on patterns if secwatch thinks an external source is making too many failed attemps that source's packets will be dropped for a specified time. Definition at line 34 of file secwatch.c. References incrementHitCount(), ipManage(), loadIpList(), patternMatch(), processLogHooks(), sigHandler(), taildata(), tailsleep(), trim(), and writeLog(). { char buf[32767]; char ip[32]; char *filename; int ipp; loadIpList(); signal(SIGINT,sigHandler); signal(SIGKILL,sigHandler); signal(SIGABRT,sigHandler); signal(SIGTERM,sigHandler); writeLog("secwatch startup"); while(1) { ipManage(); if(taildata(&filename,buf,sizeof(buf)) > 0) { if(patternMatch(filename,buf,&ipp) == 0) { if(sscanf(&buf[ipp],"%s",ip)) incrementHitCount(ip); else writeLog("Couldn't get ip from log line: [%s]",trim(buf)); } processLogHooks(buf); } tailsleep(100); } } Here is the call graph for this function:

int undropIp (  int  ind  )

If IP is dropped, re-enable it and reset the timer. If it's not dropped it's expired so marke it as deleted. Definition at line 233 of file ip.c. References confVarFlist(), confVarText(), count(), inform(), _ipinfo::ip, iplist, _ipinfo::isdropped, replaceIp(), and _ipinfo::timein. Referenced by ipManage(). { ipinfo_t *ip = &iplist[ind]; char * s; char ** allowRules = NULL; int i, x; if(allowRules == NULL) allowRules = confVarFlist("fwallow",&i); if(ip->isdropped) { for(i = 0; i < count(allowRules); i++) { s = replaceIp(confVarText(allowRules[i],&x),ip->ip); system(s); free(s); } ip->isdropped = 0; inform("secwatch undropped IP %s",ip->ip); time(&ip->timein); } else deleteIp(ip->ip); writeIpList(); return 0; } Here is the call graph for this function:

int writeIpList (  void   )

write the list of IP's we are tracking Definition at line 75 of file ip.c. References confVarPath(), ipcnt, and iplist. Referenced by incrementHitCount(), ipadd(), and sigHandler(). { FILE *f; char *filename = NULL; int i; if(filename == NULL) filename = confVarPath("iplist",&i); if((f = fopen(filename,"w")) == NULL) { fprintf(stderr,"Cannot open iplist: %m\n"); exit(-1); } fwrite(iplist,sizeof(ipinfo_t),ipcnt,f); fclose(f); return 0; } Here is the call graph for this function:

---