/*
 * WallFire -- a comprehensive firewall administration tool.
 * 
 * Copyright (C) 2001-2002 Hervé Eychenne <rv@wallfire.org>
 * 
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 * 
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 * 
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 * 
 */

using namespace std;

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <sstream>

#include "wflogentry.h"
#include "defs.h"


/* One row of the TCP flag table (mytcpflags below): the bit to test
   against wf_logentry::tcpflags, the spelled-out name printed by
   tcpflags_tostr() and the single letter printed by tcpflags_tostr_mini().
   The struct shares its name with the wf_logentry::tcpflags data member,
   which is why the methods below refer to it as `struct tcpflags'. */
struct tcpflags {
  int flag;     /* TCP_* bit value, tested with `&' */
  string str;   /* long form, e.g. "SYN" */
  char letter;  /* short form, e.g. 's' */
};

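/* Lookup table mapping each TCP_* flag bit to its printable forms.
   Array order matters: tcpflags_tostr() and tcpflags_tostr_mini() walk
   it front to back, so it fixes the word order of the long form and the
   column order of the short form. The table is never written after its
   initialisation, so it is declared const to make that read-only contract
   explicit (the string members are still built at start-up). */
static const struct tcpflags mytcpflags[] = {
  { TCP_SYN, "SYN", 's' },
  { TCP_ACK, "ACK", 'a' },
  { TCP_FIN, "FIN", 'f' },
  { TCP_RST, "RST", 'r' },
  { TCP_PSH, "PSH", 'p' },
  { TCP_URG, "URG", 'u' },
  { TCP_ECE, "ECE", 'e' },
  { TCP_CWR, "CWR", 'c' }
};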

/* Default constructor: every field starts out "undefined" in the sense
   used by check() -- count and both times at 0, protocol at -1, the
   string fields empty, the address members value-initialised and
   tcpflags cleared. A freshly built entry therefore fails check() until
   an input module has filled it in. */
wf_logentry::wf_logentry() :
  format(),
  count(0),
  start_time(0),
  end_time(0),
  hostname(),
  chainlabel(),
  branchname(),
  input_iface(),
  output_iface(),
  protocol(-1),
  datalen(0),
  sipaddr(),
  sport(0),
  smacaddr(),
  dipaddr(),
  dport(0),
  dmacaddr(),
  tcpflags(0)
{}


/*
 * Sanity-check a parsed entry before anything else consumes it.
 * Returns true when the mandatory fields are present and mutually
 * consistent, false otherwise. Log lines are untrusted input, so this
 * is the gate that keeps a half-filled or contradictory entry out of
 * the rest of the pipeline.
 */
bool
wf_logentry::check() const {
  /* every entry needs a packet count, a start time, a protocol and
     both endpoint addresses; these are the "undefined" defaults of
     the constructor */
  const bool has_basics = count != 0 && start_time != 0 && protocol != -1 &&
                          sipaddr.isdefined() && dipaddr.isdefined();
  if (!has_basics)
    return false; /* uninitialised value */

  /* an end time only makes sense for an aggregated entry (count > 1),
     and it must not precede the start time */
  if (end_time != 0 && (count == 1 || start_time > end_time))
    return false; /* single packet with end_time, or wrong time order */

  /* this should be part of each module.
     We should make a check() method for each input module RV@@9 */
  const bool iface_optional =
    format == "cisco_pix" || format == "cisco_ios" || format == "snort";
  if (!iface_optional && input_iface.empty() && output_iface.empty())
    return false; /* no interface information at all */

#if 0
  /* Forged packets can sometimes have at least a port num set to 0 ALL@@7.
     We should find another way to identify that ports have been parsed, but
     are null anyway. */
  if (protocol == IPPROTO_UDP || protocol == IPPROTO_TCP) {
    if (sport == 0 || dport == 0)
      return false; /* port missing */
  }
#endif

  /* TCP flags on a non-TCP entry cannot come from a well-formed line */
  if (tcpflags != 0 && protocol != IPPROTO_TCP)
    return false; /* bizarre */

  return true; /* OK */
}

// use wf_tcpflags RV@@10
/*
 * Long, human-readable form of the TCP flags: every set flag as its
 * name preceded by one space (" SYN ACK"), in mytcpflags order. Yields
 * "-" for a non-TCP entry and the empty string when no flag is set;
 * bits that are not in the table are silently ignored.
 */
string
wf_logentry::tcpflags_tostr() const {
  if (protocol != IPPROTO_TCP)
    return "-";

  string result;
  const struct tcpflags *const table_end =
    mytcpflags + sizeof(mytcpflags) / sizeof(mytcpflags[0]);

  for (const struct tcpflags *entry = mytcpflags; entry != table_end; ++entry) {
    if (tcpflags & entry->flag) {
      result += ' ';
      result += entry->str;
    }
  }

  return result;
}

/*
 * Compact, fixed-width form of the TCP flags for table-style output:
 * one column per mytcpflags entry, holding the flag's letter when set
 * and '-' otherwise. Two special cases keep the common lines short:
 * "-" for a non-TCP entry or when no flag is set, and "SYN" when SYN
 * is the only flag set.
 */
string
wf_logentry::tcpflags_tostr_mini() const {
  if (protocol != IPPROTO_TCP)
    return "-";
  if (tcpflags == 0)
    return "-";
  if (tcpflags == TCP_SYN)
    return "SYN";

  string columns;
  const size_t nflags = sizeof(mytcpflags) / sizeof(mytcpflags[0]);

  for (size_t i = 0; i < nflags; i++)
    columns += (tcpflags & mytcpflags[i].flag) ? mytcpflags[i].letter : '-';

  return columns;
}

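/*
 * Dump every field of the entry to `os', one "label: value" line per
 * field, for debugging output. Returns `os' so the call can be chained.
 *
 * The two timestamps go through ctime(), which formats in local time
 * and terminates its text with '\n' itself, so those lines carry no
 * endl. end_time is only printed when set (0 means "undefined", as in
 * check()), and the flags line uses tcpflags_tostr(), which yields "-"
 * for non-TCP entries and " SYN ACK ..." otherwise.
 */
ostream&
wf_logentry::debugprint(ostream& os) const {
  os << "Log entry:" << endl;
  os << "format: " << format << endl;
  os << "count: " << count << endl;

  /* ctime() returns NULL for a time it cannot represent (a garbage
     timestamp from a malformed log line, for instance), and streaming a
     NULL char* is undefined behaviour; print a marker instead. It also
     hands back a pointer into a static buffer, so each result is written
     out before the next call. */
  const char *start_str = ctime(&start_time);
  os << "start_time: " << (start_str ? start_str : "(unrepresentable)\n");
  if (end_time != 0) {
    const char *end_str = ctime(&end_time);
    os << "end_time: " << (end_str ? end_str : "(unrepresentable)\n");
  }
  os << "hostname: " << hostname << endl;

  os << "chainlabel: " << chainlabel << endl;
  os << "branchname: " << branchname << endl;

  os << "input interface: " << input_iface << endl;
  os << "output interface: " << output_iface << endl;

  os << "protocol: " << protocol << endl;
  os << "datalen: " << datalen << endl;

  os << "src host: " << sipaddr << endl;
  os << "src port: " << sport << endl;
  os << "src MAC address: " << smacaddr << endl;
  os << "dst host: " << dipaddr << endl;
  os << "dst port: " << dport << endl;
  os << "dst MAC address: " << dmacaddr << endl;

  os << "flags:" << tcpflags_tostr() << endl;

  return os;
}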