b5cb30332d85abf160a5d61162e8ca1220883c40
[ossec-hids.git] / decoder.c
1 /* @(#) $Id: ./src/analysisd/decoders/decoder.c, 2011/09/08 dcid Exp $
2  */
3
4 /* Copyright (C) 2009 Trend Micro Inc.
5  * All rights reserved.
6  *
7  * This program is a free software; you can redistribute it
8  * and/or modify it under the terms of the GNU General Public
9  * License (version 2) as published by the FSF - Free Software
10  * Foundation.
11  *
12  * License details at the LICENSE file included with OSSEC or
13  * online at: http://www.ossec.net/en/licensing.html
14  */
15
16
17 #include "shared.h"
18 #include "os_regex/os_regex.h"
19 #include "os_xml/os_xml.h"
20
21
22 #include "eventinfo.h"
23 #include "decoder.h"
24
25
26
27 /* DecodeEvent.
28  * Will use the osdecoders to decode the received event.
29  */
30 void DecodeEvent(Eventinfo *lf)
31 {
32     OSDecoderNode *node;
33     OSDecoderNode *child_node;
34     OSDecoderInfo *nnode;
35
36     char *llog;
37     char *pmatch;
38     char *cmatch;
39     char *regex_prev = NULL;
40
41
42     node = OS_GetFirstOSDecoder(lf->program_name);
43
44
45     /* Return if no node...
46      * This shouldn't happen here anyways.
47      */
48     if(!node)
49         return;
50
51
52     #ifdef TESTRULE
53     if(!alert_only)
54     {
55         print_out("\n**Phase 2: Completed decoding.");
56     }
57     #endif
58
59     do
60     {
61         nnode = node->osdecoder;
62
63
64         /* First checking program name */
65         if(lf->program_name)
66         {
67             if(!OSMatch_Execute(lf->program_name, lf->p_name_size,
68                         nnode->program_name))
69             {
70                 continue;
71             }
72             pmatch = lf->log;
73         }
74
75
76         /* If prematch fails, go to the next osdecoder in the list */
77         if(nnode->prematch)
78         {
79             if(!(pmatch = OSRegex_Execute(lf->log, nnode->prematch)))
80             {
81                 continue;
82             }
83
84             /* Next character */
85             if(*pmatch != '\0')
86                 pmatch++;
87         }
88
89
90         #ifdef TESTRULE
91         if(!alert_only)print_out("       decoder: '%s'", nnode->name);
92         #endif
93
94
95         lf->decoder_info = nnode;
96
97
98         child_node = node->child;
99
100
101         /* If no child node is set, set the child node
102          * as if it were the child (ugh)
103          */
104         if(!child_node)
105         {
106             child_node = node;
107         }
108
109         else
110         {
111             /* Check if we have any child osdecoder */
112             while(child_node)
113             {
114                 nnode = child_node->osdecoder;
115
116
117                 /* If we have a pre match and it matches, keep
118                  * going. If we don't have a prematch, stop
119                  * and go for the regexes.
120                  */
121                 if(nnode->prematch)
122                 {
123                     char *llog;
124
125                     /* If we have an offset set, use it */
126                     if(nnode->prematch_offset & AFTER_PARENT)
127                     {
128                         llog = pmatch;
129                     }
130                     else
131                     {
132                         llog = lf->log;
133                     }
134
135                     if((cmatch = OSRegex_Execute(llog, nnode->prematch)))
136                     {
137                         if(*cmatch != '\0')
138                             cmatch++;
139
140                         lf->decoder_info = nnode;
141
142                         break;
143                     }
144                 }
145                 else
146                 {
147                     cmatch = pmatch;
148                     break;
149                 }
150
151
152                 /* If we have multiple regex-only childs,
153                  * do not attempt to go any further with them.
154                  */
155                 if(child_node->osdecoder->get_next)
156                 {
157                     do
158                     {
159                         child_node = child_node->next;
160                     }while(child_node && child_node->osdecoder->get_next);
161
162                     if(!child_node)
163                         return;
164
165                     child_node = child_node->next;
166                     nnode = NULL;
167                 }
168                 else
169                 {
170                     child_node = child_node->next;
171                     nnode = NULL;
172                 }
173             }
174         }
175
176
177         /* Nothing matched */
178         if(!nnode)
179             return;
180
181
182         /* If we have a external decoder, execute it */
183         if(nnode->plugindecoder)
184         {
185             nnode->plugindecoder(lf);
186             return;
187         }
188
189
190         /* Getting the regex */
191         while(child_node)
192         {
193             if(nnode->regex)
194             {
195                 int i = 0;
196
197                 /* With regex we have multiple options
198                  * regarding the offset:
199                  * after the prematch,
200                  * after the parent,
201                  * after some previous regex,
202                  * or any offset
203                  */
204                 if(nnode->regex_offset)
205                 {
206                     if(nnode->regex_offset & AFTER_PARENT)
207                     {
208                         llog = pmatch;
209                     }
210                     else if(nnode->regex_offset & AFTER_PREMATCH)
211                     {
212                         llog = cmatch;
213                     }
214                     else if(nnode->regex_offset & AFTER_PREVREGEX)
215                     {
216                         if(!regex_prev)
217                             llog = cmatch;
218                         else
219                             llog = regex_prev;
220                     }
221                 }
222                 else
223                 {
224                     llog = lf->log;
225                 }
226
227                 /* If Regex does not match, return */
228                 if(!(regex_prev = OSRegex_Execute(llog, nnode->regex)))
229                 {
230                     if(nnode->get_next)
231                     {
232                         child_node = child_node->next;
233                         nnode = child_node->osdecoder;
234                         continue;
235                     }
236                     return;
237                 }
238
239
240                 /* Fixing next pointer */
241                 if(*regex_prev != '\0')
242                     regex_prev++;
243
244                 while(nnode->regex->sub_strings[i])
245                 {
246                     if(nnode->order[i])
247                     {
248                         nnode->order[i](lf, nnode->regex->sub_strings[i]);
249                         nnode->regex->sub_strings[i] = NULL;
250                         i++;
251                         continue;
252                     }
253
254                     /* We do not free any memory used above */
255                     os_free(nnode->regex->sub_strings[i]);
256                     nnode->regex->sub_strings[i] = NULL;
257                     i++;
258                 }
259
260                 /* If we have a next regex, try getting it */
261                 if(nnode->get_next)
262                 {
263                     child_node = child_node->next;
264                     nnode = child_node->osdecoder;
265                     continue;
266                 }
267
268                 break;
269             }
270
271             /* If we don't have a regex, we may leave now */
272             return;
273         }
274
275         /* ok to return  */
276         return;
277     }while((node=node->next) != NULL);
278
279     #ifdef TESTRULE
280     if(!alert_only)
281     {
282         print_out("       No decoder matched.");
283     }
284     #endif
285
286 }
287
288
289 /*** Event decoders ****/
290 void *DstUser_FP(Eventinfo *lf, char *field)
291 {
292     #ifdef TESTRULE
293     if(!alert_only)print_out("       dstuser: '%s'", field);
294     #endif
295
296     lf->dstuser = field;
297     return(NULL);
298 }
299 void *SrcUser_FP(Eventinfo *lf, char *field)
300 {
301     #ifdef TESTRULE
302     if(!alert_only)print_out("       srcuser: '%s'", field);
303     #endif
304
305     lf->srcuser = field;
306     return(NULL);
307 }
308 void *SrcIP_FP(Eventinfo *lf, char *field)
309 {
310     #ifdef TESTRULE
311     if(!alert_only)print_out("       srcip: '%s'", field);
312     #endif
313
314     lf->srcip = field;
315     return(NULL);
316 }
317 void *DstIP_FP(Eventinfo *lf, char *field)
318 {
319     #ifdef TESTRULE
320     if(!alert_only)print_out("       dstip: '%s'", field);
321     #endif
322
323     lf->dstip = field;
324     return(NULL);
325 }
326 void *SrcPort_FP(Eventinfo *lf, char *field)
327 {
328     #ifdef TESTRULE
329     if(!alert_only)print_out("       srcport: '%s'", field);
330     #endif
331
332     lf->srcport = field;
333     return(NULL);
334 }
335 void *DstPort_FP(Eventinfo *lf, char *field)
336 {
337     #ifdef TESTRULE
338     if(!alert_only)print_out("       dstport: '%s'", field);
339     #endif
340
341     lf->dstport = field;
342     return(NULL);
343 }
344 void *Protocol_FP(Eventinfo *lf, char *field)
345 {
346     #ifdef TESTRULE
347     if(!alert_only)print_out("       proto: '%s'", field);
348     #endif
349
350     lf->protocol = field;
351     return(NULL);
352 }
353 void *Action_FP(Eventinfo *lf, char *field)
354 {
355     #ifdef TESTRULE
356     if(!alert_only)print_out("       action: '%s'", field);
357     #endif
358
359     lf->action = field;
360     return(NULL);
361 }
362 void *ID_FP(Eventinfo *lf, char *field)
363 {
364     #ifdef TESTRULE
365     if(!alert_only)print_out("       id: '%s'", field);
366     #endif
367
368     lf->id = field;
369     return(NULL);
370 }
371 void *Url_FP(Eventinfo *lf, char *field)
372 {
373     #ifdef TESTRULE
374     if(!alert_only)print_out("       url: '%s'", field);
375     #endif
376
377     lf->url = field;
378     return(NULL);
379 }
380 void *Data_FP(Eventinfo *lf, char *field)
381 {
382     #ifdef TESTRULE
383     if(!alert_only)print_out("       extra_data: '%s'", field);
384     #endif
385
386     lf->data = field;
387     return(NULL);
388 }
389 void *Status_FP(Eventinfo *lf, char *field)
390 {
391     #ifdef TESTRULE
392     if(!alert_only)print_out("       status: '%s'", field);
393     #endif
394
395     lf->status = field;
396     return(NULL);
397 }
398 void *SystemName_FP(Eventinfo *lf, char *field)
399 {
400     #ifdef TESTRULE
401     if(!alert_only)print_out("       system_name: '%s'", field);
402     #endif
403
404     lf->systemname = field;
405     return(NULL);
406 }
407 void *None_FP(Eventinfo *lf, char *field)
408 {
409     free(field);
410     return(NULL);
411 }
412
413
414 /* EOF */