From: <rde...@us...> - 2010-10-29 14:38:30
Revision: 33 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=33&view=rev Author: rdempster Date: 2010-10-29 14:38:24 +0000 (Fri, 29 Oct 2010) Log Message: ----------- Now compatible with api 0.1.2 Modified Paths: -------------- trunk/detection-nuggets/clamav/ClamAVNugget.c trunk/detection-nuggets/clamav/buildit.sh Modified: trunk/detection-nuggets/clamav/ClamAVNugget.c =================================================================== --- trunk/detection-nuggets/clamav/ClamAVNugget.c 2010-10-25 14:48:02 UTC (rev 32) +++ trunk/detection-nuggets/clamav/ClamAVNugget.c 2010-10-29 14:38:24 UTC (rev 33) @@ -3,17 +3,21 @@ #include <stdint.h> #include <sys/mount.h> #include <string.h> -#include "libclamav/clamav.h" -#include "libclamav/others.h" +#include "clamav.h" +//#include "others.h" #include "rzb_global.h" +#include "rzb_alert_api.h" +#include "rzb_alert_util.h" #include "rzb_alert_global.h" #include <uuid/uuid.h> +#include <arpa/inet.h> +#include <errno.h> -struct cl_engine * RZB_start_clamav(const char *db_dir); -int RZB_scan_buffer(struct cl_engine * engine, char * buffer, int buffer_size, const char ** virname); -int RZB_stop_clamav(struct cl_engine * engine); -void RZB_CLAMAV_Detection_Nugget(BLOCK_META_DATA *metaData); -int RZB_clamav_md5sig(const char *hdb_filename, char * buffer, int buffer_size); +static struct cl_engine * RZB_start_clamav(const char *db_dir); +static int RZB_scan_buffer(struct cl_engine * engine, const uint8_t * buffer, int buffer_size, const char ** virname); +static int RZB_stop_clamav(struct cl_engine * engine); +static void RZB_CLAMAV_Detection_Nugget(BLOCK_META_DATA *metaData); +//static int RZB_clamav_md5sig(const char *hdb_filename, char * buffer, int buffer_size); DetectionAPI *detection; // Provides pointers to API functions static struct cl_engine *engine = NULL; 
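Review bot: The new prototype `static int RZB_scan_buffer(struct cl_engine * engine, const uint8_t * buffer, int buffer_size, const char ** virname);` keeps `int buffer_size` while its only visible caller, in the RZB_CLAMAV_Detection_Nugget hunk below, passes a `size_t data_len`, so a block larger than INT_MAX is silently narrowed to a negative count and then widened back into a huge size_t inside fwrite(); declare it `size_t buffer_size` here and in the definition. The commented-out `//#include "others.h"` and `//static int RZB_clamav_md5sig(...)` lines should be deleted rather than parked in comments, since the revision history already keeps them. `DetectionAPI *detection;` on the last context line remains the one non-static global in a file where everything else is being made static; if it is meant to be read from other translation units a one-line comment saying so would stop the next cleanup from hiding it.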
@@ -46,7 +50,7 @@ Linux kernel 2.4 or up required (for tmpfs) ***********************************************************/ -struct cl_engine * RZB_start_clamav(const char *db_dir) +static struct cl_engine * RZB_start_clamav(const char *db_dir) { int ret; /* Return value for the function RZB_scan_buffer */ struct cl_engine *engine = NULL; /* Pointer to ClamAV engine */ 
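Review bot: The local `struct cl_engine *engine = NULL;` on the last context line shadows the file-scope `static struct cl_engine *engine` from the first hunk, which the new -Wall in buildit.sh does not report (-Wshadow does) and makes it easy to update the wrong one; renaming the local, e.g. `struct cl_engine *new_engine = NULL;`, would also require touching the rest of the body, which continues outside this hunk. The comment on `int ret;` says it is the return value for RZB_scan_buffer, but this is RZB_start_clamav; `/* Return value of the libclamav calls below */` would be accurate.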
@@ -107,68 +111,53 @@ initialized with RZB_start_clamav. ***********************************************************/ -int RZB_scan_buffer(struct cl_engine * engine, char * buffer, int buffer_size, const char ** virname) +static int RZB_scan_buffer(struct cl_engine * engine, const uint8_t * buffer, int buffer_size, const char ** virname) { - FILE *out_file; /* Output stream to create a temporary file on tmpfs */ - int ret, i; /* Return value for the function RZB_scan_buffer */ - const char *virus_name; /* Virus name, as returned by cl_scanfile */ - char tmp_string[strlen("/mnt/RZB_ClamAV/tmpfile") + 4]; /* Temporary string to use for path to tmpfile */ + FILE *out_file; /* Output stream to create a temporary file on tmpfs */ + int ret; /* Return value for the function RZB_scan_buffer */ + const char *virus_name; /* Virus name, as returned by cl_scanfile */ + char tmp_string[L_tmpnam]; /* Temporary string to use for path to tmpfile */ - /* Create string to use for path to tmpfile */ - strcpy(tmp_string, "/mnt/RZB_ClamAV/tmpfile"); - - /* Create at most 999 different tmpfiles at the same time */ - for (i=0; i < 1000; i ++) + tmp_string[0] = 0; + if (tmpnam_r(tmp_string) == NULL) { - sprintf(tmp_string,"/mnt/RZB_ClamAV/tmpfile%d",i); + fprintf(stderr, "Cannot create temporary file name: (%d) %s\n", errno, strerror(errno)); + return 1; + } - DEBUG_RZB(printf ("%s\n", tmp_string);); - - /* Create tmpfile */ - if ((out_file = fopen(tmp_string, "w")) != NULL) - break; - else - { - if (i == 999) - { - fprintf(stderr, "Cannot create temporary file in: /mnt/RZB_ClamAV\n"); - return 1; - } - else - continue; - } + /* Create tmpfile */ + if ((out_file = fopen(tmp_string, "w")) == NULL) + { + fprintf(stderr, "Cannot create temporary file %s: (%d) %s\n", tmp_string, errno, strerror(errno)); + return 1; } /* Read from buffer and write to out_file */ if(fwrite (buffer, 1, buffer_size, out_file) != buffer_size) - { perror("Error writing tempfile file to tmpfs"); - } - /* Close file 
associated with stream */ - if (out_file !=NULL) - fclose(out_file); + fclose(out_file); /* Scan the file with standard scan options */ - if((ret = cl_scanfile(tmp_string, &virus_name, NULL, engine, CL_SCAN_STDOPT)) == CL_VIRUS) - { - printf("Virus %s detected in %s\n", virus_name, "tmpfile"); + if((ret = cl_scanfile(tmp_string, &virus_name, NULL, engine, CL_SCAN_STDOPT)) == CL_VIRUS) + { + printf("Virus %s detected in %s\n", virus_name, "tmpfile"); *virname = virus_name; - ret = R_FOUND; - } - else - { + ret = R_FOUND; + } + else + { *virname = "No virus detected\n"; /* If no virus was detected */ - printf("No virus detected.\n"); + printf("No virus detected.\n"); /* If no virus was detected...and the file isn't clean */ - if(ret != CL_CLEAN) - { - fprintf(stderr, "Error: %s\n", cl_strerror(ret)); - return ret; - } - ret = R_NOT_FOUND; + if(ret != CL_CLEAN) + { + fprintf(stderr, "Error: %s\n", cl_strerror(ret)); + return ret; + } + ret = R_NOT_FOUND; } /* Delete the file from tmpfs */ @@ -178,7 +167,8 @@ return ret; } -int RZB_clamav_md5sig(const char *hdb_filename, char * buffer, int buffer_size) +#if 0 +static int RZB_clamav_md5sig(const char *hdb_filename, char * buffer, int buffer_size) { char *md5=NULL; struct stat sb; @@ -263,6 +253,7 @@ return 0; } +#endif /*********************************************************** @@ -281,7 +272,7 @@ done using the ClamAV engine. ***********************************************************/ -int RZB_stop_clamav(struct cl_engine * engine) +static int RZB_stop_clamav(struct cl_engine * engine) { int ret; /* Return value for the function RZB_scan_buffer */ 
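Review bot: The temporary file is still created from a guessable name with a plain `fopen(tmp_string, "w")` — tmpnam_r() only returns a name, so between it and the fopen another local user can place a symlink or file at that path, and the scanner (which presumably runs with more privilege than that user) follows it and truncates whatever it points to, while the sample itself is written with the process umask rather than 0600. Use mkstemp(), which creates the file atomically with O_EXCL and mode 0600, then fdopen() the descriptor; that also drops the deprecated tmpnam_r. Two smaller problems sit in the same hunk: a short fwrite() is only reported by perror and the truncated file is scanned anyway, and the `return ret;` in the `ret != CL_CLEAN` branch skips the unlink that follows the "Delete the file from tmpfs" comment, so a scan error leaves the sample behind. mkstemp/unlink/close need <stdlib.h> and <unistd.h>, which I cannot see among the includes in the first hunk, and the template directory should be whatever tmpfs the nugget still mounts (the old code used /mnt/RZB_ClamAV; the new tmpnam_r default is the system temp dir).
```c
static int RZB_scan_buffer(struct cl_engine * engine, const uint8_t * buffer, int buffer_size, const char ** virname)
{
    FILE *out_file;                                          /* Output stream for the temporary file */
    int ret;                                                 /* Return value of cl_scanfile */
    int fd;                                                  /* Descriptor returned by mkstemp */
    size_t written;                                          /* Bytes actually written by fwrite */
    const char *virus_name;                                  /* Virus name, as returned by cl_scanfile */
    char tmp_string[] = "/mnt/RZB_ClamAV/tmpfile.XXXXXX";   /* mkstemp template; the Xs are replaced in place */

    /* mkstemp creates the file atomically (O_CREAT|O_EXCL, mode 0600), so nobody can
       plant a symlink or an existing file at the path between naming and opening it */
    if ((fd = mkstemp(tmp_string)) == -1)
    {
        fprintf(stderr, "Cannot create temporary file: (%d) %s\n", errno, strerror(errno));
        return 1;
    }
    if ((out_file = fdopen(fd, "w")) == NULL)
    {
        fprintf(stderr, "Cannot open temporary file %s: (%d) %s\n", tmp_string, errno, strerror(errno));
        close(fd);
        unlink(tmp_string);
        return 1;
    }

    /* A short or failed write means the sample is truncated: do not scan it.
       fclose is always called so the descriptor is not leaked, and its result
       is checked because the final flush can fail too */
    written = fwrite(buffer, 1, buffer_size, out_file);
    if (fclose(out_file) != 0 || written != (size_t)buffer_size)
    {
        perror("Error writing tempfile file to tmpfs");
        unlink(tmp_string);
        return 1;
    }

    /* … unchanged: cl_scanfile call and R_FOUND / R_NOT_FOUND handling; add unlink(tmp_string) before the ret != CL_CLEAN return … */
```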
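Review bot: Wrapping RZB_clamav_md5sig in `#if 0` keeps the whole function as dead code while its prototype in the first hunk is also commented out, so nothing can reach it; delete it outright (svn keeps the history) or, if it is meant to come back, put a one-line comment above the `#if 0` saying why it is disabled and what it is waiting on. The function body continues past this hunk.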
@@ -320,16 +311,14 @@ return R_SUCCESS; } -void RZB_CLAMAV_Detection_Nugget(BLOCK_META_DATA *metaData) -//unsigned char *data, size_t data_len, uuid_t *type, uuid_t *eventID) +static void RZB_CLAMAV_Detection_Nugget(BLOCK_META_DATA *metaData) { - int ret; const char * virname; char message[1024]; unsigned char tmp_md5[MD5_SIZE]; ALERT alert; - unsigned char *data = metaData->data; + uint8_t *data = metaData->data; size_t data_len = metaData->size; if(RZB_scan_buffer(engine, data, data_len, &virname) == R_FOUND) { @@ -337,8 +326,8 @@ sprintf(message, "MALWARE: %s found\n", virname); alert.event_id = metaData->eventid; - inet_ntop(AF_INET, metaData->src_ip, alert.src_ip, sizeof(alert.src_ip)); - inet_ntop(AF_INET, metaData->dst_ip, alert.dst_ip, sizeof(alert.dst_ip)); + inet_ntop(AF_INET, &metaData->src_ip, alert.src_ip, sizeof(alert.src_ip)); + inet_ntop(AF_INET, &metaData->dst_ip, alert.dst_ip, sizeof(alert.dst_ip)); alert.ip_proto = metaData->ip_proto; alert.src_port = metaData->src_port; alert.dst_port = metaData->dst_port; @@ -366,3 +355,4 @@ { RZB_stop_clamav(engine); } + Modified: trunk/detection-nuggets/clamav/buildit.sh =================================================================== --- trunk/detection-nuggets/clamav/buildit.sh 2010-10-25 14:48:02 UTC (rev 32) +++ trunk/detection-nuggets/clamav/buildit.sh 2010-10-29 14:38:24 UTC (rev 33) 
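Review bot: `if(RZB_scan_buffer(engine, data, data_len, &virname) == R_FOUND)` treats every other result as clean, including the `1` returned when the temp file cannot be created and the raw CL_E* code returned on a scan error (both visible in the RZB_scan_buffer hunk), so a scanner failure is indistinguishable from a clean block and is never reported here; now that `int ret;` has been removed it would be worth putting back as `int ret = RZB_scan_buffer(engine, data, data_len, &virname);` followed by `if (ret == R_FOUND) { ... } else if (ret != R_NOT_FOUND) { fprintf(stderr, "ClamAV scan failed: %d\n", ret); }`. `ALERT alert;` is also left uninitialized, so any field the code below does not assign holds stack garbage; `ALERT alert = {0};` avoids that, assuming ALERT is a plain struct, which I cannot confirm from here.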
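Review bot: `sprintf(message, "MALWARE: %s found\n", virname);` on the first context line writes a string whose length this code does not control (the signature name is whatever the loaded database returns) into a fixed 1024-byte stack buffer with no bound; use `snprintf(message, sizeof message, "MALWARE: %s found\n", virname);`. The corrected inet_ntop() calls still ignore their return value, so on failure alert.src_ip and alert.dst_ip are left unset — check for NULL, or at least zero `alert` before filling it. AF_INET is hard-coded, which is fine only if src_ip/dst_ip are IPv4 fields; BLOCK_META_DATA is not visible here.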
@@ -1,10 +1,10 @@
 #!/bin/bash
-CLAMSRCDIR="/path/to/source/files/for/clamav-0.96.1/"
-CLAMLIBDIR="/path/where/libclamav/is/installed--/usr/local/lib/"
+CLAMCFLAGS=`pkg-config --cflags libclamav`
+CLAMLIBS=`pkg-config --libs libclamav`
 API=`pkg-config --cflags razorback`
 APILIBS=`pkg-config --libs razorback`
-echo "gcc -fPIC -g -c -I$CLAMSRCDIR ${API} ClamAVNugget.c"
-gcc -fPIC -g -c -I$CLAMSRCDIR ${API} ClamAVNugget.c
-echo "gcc -shared -Wl -I$CLAMSRCDIR -L$CLAMLIBDIR -o ClamAVNugget.so.1 ClamAVNugget.o -lc -lpcre -lclamav ${APILIBS}"
-gcc -shared -Wl -I$CLAMSRCDIR -L$CLAMLIBDIR -o ClamAVNugget.so.1 ClamAVNugget.o -lc -lpcre -lclamav ${APILIBS}
+echo "gcc -Wall -fPIC -g -c ${CLAMCFLAGS} ${API} ClamAVNugget.c"
+gcc -Wall -fPIC -g -c ${CLAMCFLAGS} ${API} ClamAVNugget.c
+echo "gcc -shared -Wl -o ClamAVNugget.so.1 ClamAVNugget.o -lc -lpcre ${APILIBS} ${CLAMLIBS}"
+gcc -shared -Wl -o ClamAVNugget.so.1 ClamAVNugget.o -lc -lpcre ${APILIBS} ${CLAMLIBS}
 echo "copy ClamAVNugget.so.1 to your nuggets directory to be run by rzbNugget"
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
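Review bot: Neither new pkg-config call is checked, so if libclamav.pc (or razorback.pc) is not found CLAMCFLAGS/CLAMLIBS silently become empty and the build either fails later on a missing header or links against whatever libclamav happens to be on the default path; add `set -e` after the shebang and `pkg-config --exists libclamav razorback || { echo "missing pkg-config files for libclamav/razorback" >&2; exit 1; }` before the assignments. The bare `-Wl` on both link lines, carried over from the old lines, has no `,option` suffix and as far as I can tell gcc either rejects or ignores it, so it should be dropped or given its intended argument. Since this library now scans untrusted blocks, `-D_FORTIFY_SOURCE=2 -fstack-protector-strong` alongside the new -Wall would be cheap hardening, with -Wshadow worth adding for the engine/engine shadowing in ClamAVNugget.c.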