OSSIM开源安全信息管理系统(十六)
赵佐
2021SC@SDUSC
本周继续对OSSIM系统中,关联分析部分进行源码分析。
关联分析部分源码目录:\ossim\alienvault-ossim\src\alienvault-ossim\os-sim\src
gboolean sim_directive_backlog_match_by_not (SimDirective *directive):
该函数的主要功能是检查指令中的所有节点规则
gboolean
sim_directive_backlog_match_by_not (SimDirective *directive)
{
GNode *node = NULL;
GNode *children = NULL;
g_return_val_if_fail (directive, FALSE);
g_return_val_if_fail (SIM_IS_DIRECTIVE (directive), FALSE);
g_return_val_if_fail (!directive->_priv->matched, FALSE);
g_return_val_if_fail (directive->_priv->rule_curr, FALSE);
g_return_val_if_fail (directive->_priv->rule_curr->data, FALSE);
g_return_val_if_fail (SIM_IS_RULE (directive->_priv->rule_curr->data), FALSE);
node = directive->_priv->rule_curr->children; while (node)
{
SimRule *rule = (SimRule *) node->data;
//如果规则已超时 &&
if ((sim_rule_is_time_out (rule)) && (sim_rule_get_not (rule)) && (!sim_rule_is_not_invalid (rule)))
{
time_t time_last = time (NULL);
directive->_priv->rule_curr = node;
directive->_priv->time_last = time_last;
directive->_priv->time_out = sim_directive_get_rule_curr_time_out_max (directive);
sim_rule_set_not_data (rule);
//这不是最后的节点,他还有一些子节点.
if (!G_NODE_IS_LEAF (node))
{
children = node->children; while (children)
{
SimRule *rule_child = (SimRule *) children->data;
sim_rule_set_time_last (rule_child, time_last);
sim_directive_set_rule_vars (directive, children);
children = children->next;
}
}
//最后的节点
else
{
directive->_priv->matched = TRUE;
} return TRUE;
}
node = node->next;
} return FALSE;
}
void sim_directive_set_rule_vars (SimDirective *directive, GNode *node)
backlog&directives几乎是相同的:backlog是存储指令并填充事件数据的地方。
node 是子节点函数。我们需要从引用其级别的节点向该节点添加src_ip、port等。
如果“node”参数是根节点->子节点1->子节点2中的children2,并且我们在children2中有1:plugin-sid,那么我们必须将根节点中的plugin-sid添加到children2中。
void
sim_directive_set_rule_vars (SimDirective *directive, GNode *node){
SimRule *rule;
SimRule *rule_up;
GNode *node_up;
GList *vars;
GInetAddr *ia;
GInetAddr *sensor;
gint port;
gint sid;
SimProtocolType protocol;
gchar *aux = NULL;
g_return_if_fail (directive);
g_return_if_fail (SIM_IS_DIRECTIVE (directive));
g_return_if_fail (node);
g_return_if_fail (g_node_depth (node) > 1);
rule = (SimRule *) node->data;
vars = sim_rule_get_vars (rule);
static void sim_directive_set_rule_var_inet
该函数的主要功能是基于传入参数var为rule设置inet
- @inet: a #SimInet
- @rule: a #SimRule
- @var: a #SimRuleVar
static void
sim_directive_set_rule_var_inet (SimInet *inet,
SimRule *rule,
SimRuleVar *var)
{
if (var->attr == SIM_RULE_VAR_SRC_IA)
{
if (var->negated)
sim_rule_add_src_inet_not (rule, inet);
else
{
sim_rule_add_src_inet (rule, inet);
}
}
else if (var->attr == SIM_RULE_VAR_DST_IA)
{
if (var->negated)
sim_rule_add_dst_inet_not (rule, inet);
else
sim_rule_add_dst_inet (rule, inet);
}
}
GNode* sim_directive_get_node_branch_by_level
此函数可返回引用指令级别的节点。
例如:根节点->子节点1->子节点2。如果函数中的“node”参数为children2,级别为1,则返回根节点,因为它是子节点的第一级。
GNode*
sim_directive_get_node_branch_by_level (SimDirective *directive,GNode *node,gint level)
{
GNode *ret;
gint up_level;
gint i;
g_return_val_if_fail (SIM_IS_DIRECTIVE (directive), NULL);
g_return_val_if_fail (node, NULL);
根节点的深度为1。对于根节点的子节点,深度为2
up_level = g_node_depth (node) - level;
if (up_level < 1)
return NULL;
ret = node;
for (i = 0; i < up_level; i++)
{
ret = ret->parent;
}
return ret;
}
sim_group_alarm_new:
SimGroupAlarm 类的构造器
返回值:指向新创建对象的指针,如果出现错误,则为NULL
SimGroupAlarm * sim_group_alarm_new (unsigned int timeout, const gchar *key){
SimGroupAlarm *p = NULL;
GString *gkey;
struct tm tvalue;
char timebuf[2048];
g_return_val_if_fail (key != NULL, NULL);
if ( (gkey = g_string_new (key)) != NULL){
if (timeout < 3601 ){
do{
p = g_object_new (SIM_TYPE_GROUP_ALARM, NULL);
p->_priv->tstart = time(NULL);
p->_priv->tend = time(NULL) + timeout;
p->_priv->alarmsha1 = NULL;
if (gmtime_r (&p->_priv->tstart,&tvalue) == NULL){
g_object_unref (G_OBJECT (p));
p = NULL;
break; /* Out */
}
if (asctime_r (&tvalue,timebuf) == NULL){
g_object_unref (G_OBJECT (p));
p = NULL;
break;
}
g_string_append_printf (gkey,"%s|%s",key,timebuf);
if ( (p->_priv->alarmsha1 = g_compute_checksum_for_string (G_CHECKSUM_SHA1, gkey->str,-1)) == NULL){
g_object_unref (G_OBJECT (p));
p = NULL;
break;
}
}while (0);
}else{
g_warning ("Max timeout is 3600 seconds");
}
}
if (gkey)
g_string_free (gkey, TRUE);
if (p == NULL)
g_warning ("Can't creatae SimGroupAlarm object\n");
return p;
}
本篇文章部分内容参考或转载自下列文章及书籍。侵权即删。
参考书籍:
- 《开源安全运维平台OSSIM疑难解析(入门篇)》——李晨光著
- 《开源安全运维平台OSSIM疑难解析(提高篇)》——李晨光著
- 《开源安全运维平台:OSSIM最佳实践》——李晨光著
参考文章:
- https://blog.51cto.com/chenguang/2426473
- https://blog.csdn.net/lcgweb/article/details/101284949
- https://blog.51cto.com/chenguang/1665012
- https://www.cnblogs.com/lsdb/p/10000061.html
- https://blog.51cto.com/chenguang/1691090
- https://blog.51cto.com/chenguang/category10.html
- https://blog.51cto.com/topic/ossim.html
- https://blog.csdn.net/isinstance/article/details/53694361
- https://blog.51cto.com/chenguang/1332329
- https://www.cnblogs.com/airoot/p/8072727.html
- https://blog.51cto.com/chenguang/1738731
- https://blog.csdn.net/security_yj/article/details/120153992
上一篇:OSSIM开源安全信息管理系统(十五)
下一篇:
类似资料: