devbox
盐析白兔
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

OSSIM开源安全信息管理系统(十六)

作者:盐析白兔 | 2024-08-05 21:55:26

OSSIM开源安全信息管理系统(十六)

2021SC@SDUSC




本周继续对OSSIM系统中,关联分析部分进行源码分析。
关联分析部分源码目录:\ossim\alienvault-ossim\src\alienvault-ossim\os-sim\src


gboolean sim_directive_backlog_match_by_not (SimDirective *directive)

该函数的主要功能是检查指令中的所有节点规则

gboolean
sim_directive_backlog_match_by_not (SimDirective  *directive)
{
  GNode      *node = NULL;
  GNode      *children = NULL;
 
  g_return_val_if_fail (directive, FALSE);
  g_return_val_if_fail (SIM_IS_DIRECTIVE (directive), FALSE);
  g_return_val_if_fail (!directive->_priv->matched, FALSE);
  g_return_val_if_fail (directive->_priv->rule_curr, FALSE);
  g_return_val_if_fail (directive->_priv->rule_curr->data, FALSE);
  g_return_val_if_fail (SIM_IS_RULE (directive->_priv->rule_curr->data), FALSE);
 
  node = directive->_priv->rule_curr->children;  while (node) 
  {
    
    SimRule *rule = (SimRule *) node->data;
      //如果规则已超时 &&
    if ((sim_rule_is_time_out (rule)) && (sim_rule_get_not (rule)) && (!sim_rule_is_not_invalid (rule))) 
        {
          time_t time_last = time (NULL);
        directive->_priv->rule_curr = node;
          directive->_priv->time_last = time_last;
          directive->_priv->time_out = sim_directive_get_rule_curr_time_out_max (directive);
 
        sim_rule_set_not_data (rule); 
        //这不是最后的节点,他还有一些子节点.
        if (!G_NODE_IS_LEAF (node)) 
        {
          children = node->children;          while (children)
                {
                SimRule *rule_child = (SimRule *) children->data;
 
                  sim_rule_set_time_last (rule_child, time_last);
 
                  sim_directive_set_rule_vars (directive, children);
                  children = children->next;
                }
        } 
        //最后的节点
        else 
        {
          directive->_priv->matched = TRUE;
        }        return TRUE;
        }
    node = node->next;
  }  return FALSE;
}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48

void sim_directive_set_rule_vars (SimDirective *directive, GNode *node)

backlog&directives几乎是相同的:backlog是存储指令并填充事件数据的地方。

node 是子节点函数。我们需要从引用其级别的节点向该节点添加src_ip、port等。

如果“node”参数是根节点->子节点1->子节点2中的children2,并且我们在children2中有1:plugin-sid,那么我们必须将根节点中的plugin-sid添加到children2中。

void
sim_directive_set_rule_vars (SimDirective *directive, GNode *node){
  SimRule    *rule;
  SimRule    *rule_up;
  GNode      *node_up;
  GList      *vars;
  GInetAddr  *ia;
  GInetAddr  *sensor;
  gint        port;
  gint        sid;
  SimProtocolType  protocol;
    gchar               *aux = NULL;
 
  g_return_if_fail (directive);
  g_return_if_fail (SIM_IS_DIRECTIVE (directive));
  g_return_if_fail (node);
  g_return_if_fail (g_node_depth (node) > 1);
 
  rule = (SimRule *) node->data;
  vars = sim_rule_get_vars (rule);

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20

static void sim_directive_set_rule_var_inet

该函数的主要功能是基于传入参数varrule设置inet

  • @inet: a #SimInet
  • @rule: a #SimRule
  • @var: a #SimRuleVar
static void
sim_directive_set_rule_var_inet (SimInet    *inet,
                                 SimRule    *rule,
                                 SimRuleVar *var)
{
  if (var->attr == SIM_RULE_VAR_SRC_IA)
  {
    if (var->negated)
      sim_rule_add_src_inet_not (rule, inet);
    else
    {
      sim_rule_add_src_inet (rule, inet);
    }
  }
  else if (var->attr == SIM_RULE_VAR_DST_IA)
  {
    if (var->negated)
      sim_rule_add_dst_inet_not (rule, inet);
    else
      sim_rule_add_dst_inet (rule, inet);
  }
}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22

GNode* sim_directive_get_node_branch_by_level

此函数可返回引用指令级别的节点。

例如:根节点->子节点1->子节点2。如果函数中的“node”参数为children2,级别为1,则返回根节点,因为它是子节点的第一级。

GNode*
sim_directive_get_node_branch_by_level (SimDirective *directive,GNode *node,gint level)
{
  GNode  *ret;
  gint    up_level;
  gint    i;

  g_return_val_if_fail (SIM_IS_DIRECTIVE (directive), NULL);
  g_return_val_if_fail (node, NULL);

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9

根节点的深度为1。对于根节点的子节点,深度为2

  up_level = g_node_depth (node) - level;	
  if (up_level < 1)
    return NULL;

  ret = node;
  for (i = 0; i < up_level; i++)
  {
    ret = ret->parent;
  }

  return ret;
}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12

sim_group_alarm_new

SimGroupAlarm 类的构造器

返回值:指向新创建对象的指针,如果出现错误,则为NULL

SimGroupAlarm * sim_group_alarm_new (unsigned int timeout, const gchar *key){
	SimGroupAlarm *p = NULL;
	GString	*gkey;
	struct tm tvalue;
	char timebuf[2048];

	g_return_val_if_fail (key != NULL, NULL);
	if ( (gkey = g_string_new (key)) != NULL){ 
		if (timeout < 3601 ){
			do{
				p = g_object_new (SIM_TYPE_GROUP_ALARM, NULL);
				p->_priv->tstart = time(NULL);
				p->_priv->tend = time(NULL) + timeout;
				p->_priv->alarmsha1 = NULL;
				if (gmtime_r (&p->_priv->tstart,&tvalue) == NULL){
					g_object_unref (G_OBJECT (p));
					p = NULL;
					break; /* Out */
				}
				if (asctime_r (&tvalue,timebuf) == NULL){
					g_object_unref (G_OBJECT (p));
					p = NULL;
					break;
				}
				g_string_append_printf (gkey,"%s|%s",key,timebuf);
				if  ( (p->_priv->alarmsha1 = g_compute_checksum_for_string (G_CHECKSUM_SHA1, gkey->str,-1)) == NULL){
					g_object_unref (G_OBJECT (p));
					p = NULL;
					break;
				}
				
				
			}while (0);

		}else{
			g_warning ("Max timeout is 3600 seconds");
		}
	}
	if (gkey)
		g_string_free (gkey, TRUE);
	if (p == NULL)
		g_warning ("Can't creatae SimGroupAlarm object\n");
	return p;
}

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44



本篇文章部分内容参考或转载自下列文章及书籍。侵权即删。

参考书籍:

  • 《开源安全运维平台OSSIM疑难解析(入门篇)》——李晨光著
  • 《开源安全运维平台OSSIM疑难解析(提高篇)》——李晨光著
  • 《开源安全运维平台:OSSIM最佳实践》——李晨光著

参考文章:

  • https://blog.51cto.com/chenguang/2426473
  • https://blog.csdn.net/lcgweb/article/details/101284949
  • https://blog.51cto.com/chenguang/1665012
  • https://www.cnblogs.com/lsdb/p/10000061.html
  • https://blog.51cto.com/chenguang/1691090
  • https://blog.51cto.com/chenguang/category10.html
  • https://blog.51cto.com/topic/ossim.html
  • https://blog.csdn.net/isinstance/article/details/53694361
  • https://blog.51cto.com/chenguang/1332329
  • https://www.cnblogs.com/airoot/p/8072727.html
  • https://blog.51cto.com/chenguang/1738731
  • https://blog.csdn.net/security_yj/article/details/120153992

上一篇:OSSIM开源安全信息管理系统(十五)
下一篇:

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/盐析白兔/article/detail/934441
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号