swatch bug in throttle

From: SUZUKI Yasuhiro (ysuzuki@bb.mbn.or.jp)
Date: 05/15/02


Date: Wed, 15 May 2002 21:48:40 +0900
From: SUZUKI Yasuhiro <ysuzuki@bb.mbn.or.jp>
To: bugtraq@securityfocus.com

Hello.

I think swatch has a bug in its throttle code.
Using throttle, swatch will not report events
in some cases.
  * When multiple events match the same watchfor regular
    expression within the throttle period and are not reported,
    if another event matching the same regular expression
    does not occur, swatch will not report the events
    forever.
  * If an event was not reported because it occurred
    within the throttle period and the next event of the same
    type occurs in the next month, the events will not be
    reported forever.

I think you can find the reason for the first bug
easily if you read the script code that swatch creates.

I will show you the reason for the second bug.
Line 1037 of the swatch source code compares the
months of a new event and a previous one, and
if that of the new one is bigger, the year of
the new event is decremented:
  if ($ymdhms[1] > $Msg_Rec{$key}->{ymdhms}[1]) { $ymdhms[0]--; }
Then line 1038 gets the difference between the two dates
of the events:
  my @delta_dhms = Delta_DHMS(@{$Msg_Rec{$key}->{ymdhms}}, @ymdhms);
and lines 1039 to 1042 judge whether the new event
has to be reported:
  foreach my $i (0..$#min_dhms_delta) {
     $passed = 0 if ($delta_dhms[$i] < $min_dhms_delta[$i]);
     last unless ($delta_dhms[$i] == $min_dhms_delta[$i]);
  }
If $passed is one, the events are reported.

This means that if the two events occur in different months,
the new event is treated as if it were older than the old event,
and the difference between the two dates of the events
is always negative. That makes $passed zero, because
$delta_dhms[$i] is always less than $min_dhms_delta[$i],
and swatch will not report the occurrences of the events
forever.

I informed the author, Todd Atkins, of this bug,
and he told me that he is improving swatch now.
But I made a patch to resolve this problem for
swatch 3.0.4, the current version. You can get it at:
   http://plaza8.mbn.or.jp/~yswww/myself/swatch-en.html

This patch has a limitation.
    When use=message is combined with throttle and multiple
  messages match a watchfor regular expression,
  some messages not reported because of the throttle will
  not be reported for a while.

swatch web site is:
  http://www.oit.ucsb.edu/~eta/swatch/

------------------------------------------------------------
SUZUKI Yasuhiro
  yasu@ysuzuki.net
  ysuzuki@bb.mbn.or.jp
  http://plaza8.mbn.or.jp/~yswww/myself/index-e.html
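The throttle comparison quoted in the post, re-implemented in Python as an added example so the month-rollover failure can be reproduced offline. This is not swatch's own Perl code and not the author's patch: delta_dhms is a model of Date::Calc's Delta_DHMS (an assumption about that module's output shape), throttle_check mirrors the quoted lines 1039 to 1042, buggy_should_report applies the line 1037 year decrement, and fixed_should_report is my assumed fix, which only holds when both timestamps already carry a correct year. The timestamps and the 30-second throttle are constructed sample values.

```python
from datetime import datetime

# Constructed sample data: a 30-second throttle, one event reported late
# on 31 May, and follow-ups in the same month and in the next month.
THROTTLE = (0, 0, 0, 30)                     # days, hours, minutes, seconds
PREV = (2002, 5, 31, 23, 59, 30)             # y, m, d, H, M, S of last report
SAME_MONTH_SOON = (2002, 5, 31, 23, 59, 40)  # 10 s later: correctly throttled
NEXT_MONTH = (2002, 6, 1, 0, 0, 30)          # 60 s later, but in June
NEXT_MONTH_LATE = (2002, 6, 11, 0, 0, 30)    # ten days later, still June


def delta_dhms(old, new):
    """Model of Date::Calc's Delta_DHMS (assumption, not the real module):
    (days, hours, minutes, seconds) from old to new, every component
    carrying a negative sign when new precedes old."""
    secs = int((datetime(*new) - datetime(*old)).total_seconds())
    sign = -1 if secs < 0 else 1
    d, rem = divmod(abs(secs), 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return tuple(sign * x for x in (d, h, m, s))


def throttle_check(delta, min_delta):
    """Lines 1039 to 1042 of swatch 3.0.4: lexicographic comparison of the
    elapsed delta against the throttle threshold.  Returns True ($passed
    stays 1) when enough time has passed for the event to be reported."""
    passed = True
    for got, want in zip(delta, min_delta):
        if got < want:
            passed = False
        if got != want:
            break
    return passed


def buggy_should_report(prev, new, min_delta):
    """Line 1037 as shipped: the new event's year is decremented whenever
    its month number exceeds the previous event's month, so any follow-up
    in a later month is dated a year in the past and never passes."""
    ymdhms = list(new)
    if ymdhms[1] > prev[1]:
        ymdhms[0] -= 1
    return throttle_check(delta_dhms(prev, ymdhms), min_delta)


def fixed_should_report(prev, new, min_delta):
    """Assumed fix for this example: both tuples carry a real year, so the
    timestamps are compared as they are and no year adjustment is made."""
    return throttle_check(delta_dhms(prev, new), min_delta)


def demo():
    """Return the outcome of each check so the behaviour can be inspected."""
    return {
        "same_month_buggy": buggy_should_report(PREV, SAME_MONTH_SOON, THROTTLE),
        "same_month_fixed": fixed_should_report(PREV, SAME_MONTH_SOON, THROTTLE),
        "next_month_buggy": buggy_should_report(PREV, NEXT_MONTH, THROTTLE),
        "next_month_fixed": fixed_should_report(PREV, NEXT_MONTH, THROTTLE),
        "next_month_late_buggy": buggy_should_report(PREV, NEXT_MONTH_LATE, THROTTLE),
        "next_month_late_fixed": fixed_should_report(PREV, NEXT_MONTH_LATE, THROTTLE),
    }


if __name__ == "__main__":
    for name, reported in demo().items():
        print(f"{name}: {'reported' if reported else 'suppressed'}")
```

Running it shows the in-month throttle working in both variants (the 10-second follow-up is suppressed), while the shipped comparison suppresses every June follow-up, including one ten days later, because the decremented year makes the delta negative from the first component onward.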