1 /* @(#) $Id: ./src/shared/rules_op.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
12 * License details at the LICENSE file included with OSSEC or
13 * online at: http://www.ossec.net/en/licensing.html
20 /* Changing path for test rule. */
23 #define RULEPATH "rules/"
28 int _OS_GetRulesAttributes(char **attributes,
30 RuleInfo *ruleinfo_pt);
31 RuleInfo *_OS_AllocateRule();
36 /* Rules_OP_ReadRules, v0.3, 2005/03/21
38 * v0.3: Fixed many memory problems.
/**
 * OS_ReadXMLRules: loads one rules XML file and hands every parsed <rule>
 * to the caller's callback.
 *
 * rulefile         - rule file name; when it contains no '/' it is looked up
 *                    under RULEPATH, otherwise it is used as given.
 * ruleact_function - invoked once per rule with the freshly allocated
 *                    RuleInfo and the opaque data pointer; its return value
 *                    is discarded here and nothing in this function frees
 *                    the RuleInfo afterwards.
 *
 * Returns an int status. NOTE(review): the early returns that follow each
 * merror() are not reproduced in this excerpt — confirm against the full
 * source which conditions abort the load and which merely log.
 */
40 int OS_ReadXMLRules(char *rulefile,
41 void *(*ruleact_function)(RuleInfo *rule, void *data),
49 /* These are the available options for the rule configuration */
51 char *xml_group = "group";
52 char *xml_rule = "rule";
54 char *xml_regex = "regex";
55 char *xml_match = "match";
56 char *xml_decoded = "decoded_as";
57 char *xml_category = "category";
58 char *xml_cve = "cve";
59 char *xml_info = "info";
60 char *xml_day_time = "time";
61 char *xml_week_day = "weekday";
62 char *xml_comment = "description";
63 char *xml_ignore = "ignore";
64 char *xml_check_if_ignored = "check_if_ignored";
66 char *xml_srcip = "srcip";
67 char *xml_srcport = "srcport";
68 char *xml_dstip = "dstip";
69 char *xml_dstport = "dstport";
70 char *xml_user = "user";
71 char *xml_url = "url";
73 char *xml_data = "extra_data";
74 char *xml_hostname = "hostname";
75 char *xml_program_name = "program_name";
76 char *xml_status = "status";
77 char *xml_action = "action";
78 char *xml_compiled = "compiled_rule";
80 char *xml_if_sid = "if_sid";
81 char *xml_if_group = "if_group";
82 char *xml_if_level = "if_level";
83 char *xml_fts = "if_fts";
85 char *xml_if_matched_regex = "if_matched_regex";
86 char *xml_if_matched_group = "if_matched_group";
87 char *xml_if_matched_sid = "if_matched_sid";
89 char *xml_same_source_ip = "same_source_ip";
90 char *xml_same_src_port = "same_src_port";
91 char *xml_same_dst_port = "same_dst_port";
92 char *xml_same_user = "same_user";
93 char *xml_same_location = "same_location";
94 char *xml_same_id = "same_id";
95 char *xml_dodiff = "check_diff";
97 char *xml_different_url = "different_url";
99 char *xml_notsame_source_ip = "not_same_source_ip";
100 char *xml_notsame_user = "not_same_user";
101 char *xml_notsame_agent = "not_same_agent";
102 char *xml_notsame_id = "not_same_id";
104 char *xml_options = "options";
111 /* If no directory in the rulefile add the default */
112 if((strchr(rulefile, '/')) == NULL)
114 /* Building the rule file name + path */
/* +2 covers the '/' inserted by the format string and the NUL. */
115 i = strlen(RULEPATH) + strlen(rulefile) + 2;
116 rulepath = (char *)calloc(i,sizeof(char));
119 ErrorExit(MEM_ERROR,ARGV0);
/* NOTE(review): RULEPATH already ends with '/', so this yields
 * "rules//<file>" — harmless on POSIX, but worth tidying. */
121 snprintf(rulepath,i,"%s/%s",RULEPATH,rulefile);
125 os_strdup(rulefile, rulepath);
126 debug1("%s is the rulefile", rulefile);
127 debug1("Not modifing the rule path");
131 /* Reading the XML */
132 if(OS_ReadXML(rulepath,&xml) < 0)
134 merror(XML_ERROR, __local_name, rulepath, xml.err, xml.err_line);
141 debug1("%s: DEBUG: read xml for rule '%s'.", __local_name, rulepath);
144 /* Applying any variable found */
145 if(OS_ApplyVariables(&xml) != 0)
147 merror(XML_ERROR_VAR, __local_name, rulepath, xml.err);
153 debug1("%s: DEBUG: XML Variables applied.", __local_name);
156 /* Getting the root elements */
157 node = OS_GetElementsbyNode(&xml, NULL);
160 merror(CONFIG_ERROR, __local_name, rulepath);
166 /* Zeroing the rule memory -- not used anymore */
170 /* Checking if there is any invalid global option */
176 /* Verifying group */
/* Only <group name="..."> is accepted at the root, with exactly one attribute. */
177 if(strcasecmp(node[i]->element,xml_group) != 0)
179 merror(RL_INV_ROOT, __local_name, node[i]->element);
183 /* Checking group attribute -- only name is allowed */
184 if((!node[i]->attributes) || (!node[i]->values)||
185 (!node[i]->values[0]) || (!node[i]->attributes[0]) ||
186 (strcasecmp(node[i]->attributes[0],"name") != 0) ||
187 (node[i]->attributes[1]))
189 merror(RL_INV_ROOT, __local_name, node[i]->element);
196 merror(XML_READ_ERROR, __local_name);
204 /* Getting the rules now */
209 XML_NODE rule = NULL;
212 /* Getting all rules for a global group */
213 rule = OS_GetElementsbyNode(&xml,node[i]);
220 /* Looping on the rules node */
/* Per-rule scratch strings; each is compiled into an OSMatch/OSRegex
 * after the option loop and then released. */
225 char *regex = NULL, *match = NULL, *url = NULL,
226 *if_matched_regex = NULL, *if_matched_group = NULL,
227 *user = NULL, *id = NULL, *srcport = NULL,
228 *dstport = NULL, *status = NULL, *hostname = NULL,
229 *extra_data = NULL, *program_name = NULL;
231 RuleInfo *config_ruleinfo = NULL;
232 XML_NODE rule_opt = NULL;
235 /* Checking if the rule element is correct */
236 if((!rule[j]->element)||
237 (strcasecmp(rule[j]->element,xml_rule) != 0))
239 merror(RL_INV_RULE, __local_name, node[i]->element);
245 /* Checking for the attributes of the rule */
246 if((!rule[j]->attributes) || (!rule[j]->values))
248 merror(RL_INV_RULE, __local_name, rulefile);
254 /* Attribute block */
/* _OS_AllocateRule never returns NULL (it ErrorExits on OOM). */
255 config_ruleinfo = _OS_AllocateRule();
257 if(_OS_GetRulesAttributes(rule[j]->attributes, rule[j]->values,
258 config_ruleinfo) < 0)
260 merror(RL_INV_ATTR, __local_name, rulefile);
265 /* We must have an id or level */
/* -1 is the "never set" sentinel assigned by _OS_AllocateRule. */
266 if((config_ruleinfo->sigid == -1)||(config_ruleinfo->level == -1))
268 merror(RL_INV_ATTR, __local_name, rulefile);
274 /* Here we can assign the group name to the rule.
275 * The level is correct so the rule is probably going to
278 os_strdup(node[i]->values[0], config_ruleinfo->group);
281 /* Getting rules options */
282 rule_opt = OS_GetElementsbyNode(&xml, rule[j]);
285 merror(RL_NO_OPT, __local_name, config_ruleinfo->sigid);
291 /* Reading the whole rule block */
/* Option dispatch: element names are matched case-insensitively; an
 * option without content is skipped by the first test. */
294 if((!rule_opt[k]->element)||(!rule_opt[k]->content))
298 else if(strcasecmp(rule_opt[k]->element,xml_regex)==0)
302 rule_opt[k]->content);
304 else if(strcasecmp(rule_opt[k]->element,xml_match)==0)
308 rule_opt[k]->content);
310 else if(strcasecmp(rule_opt[k]->element, xml_decoded) == 0)
313 else if(strcasecmp(rule_opt[k]->element,xml_info) == 0)
315 config_ruleinfo->info=
316 os_LoadString(config_ruleinfo->info,
317 rule_opt[k]->content);
319 else if(strcasecmp(rule_opt[k]->element,xml_day_time) == 0)
321 config_ruleinfo->day_time =
322 OS_IsValidTime(rule_opt[k]->content);
323 if(!config_ruleinfo->day_time)
325 merror(INVALID_CONFIG, __local_name,
326 rule_opt[k]->element,
327 rule_opt[k]->content);
331 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
332 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
334 else if(strcasecmp(rule_opt[k]->element,xml_week_day) == 0)
336 config_ruleinfo->week_day =
337 OS_IsValidDay(rule_opt[k]->content);
339 if(!config_ruleinfo->week_day)
341 merror(INVALID_CONFIG, __local_name,
342 rule_opt[k]->element,
343 rule_opt[k]->content);
346 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
347 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
349 else if(strcasecmp(rule_opt[k]->element,xml_group) == 0)
351 config_ruleinfo->group =
352 os_LoadString(config_ruleinfo->group,
353 rule_opt[k]->content);
355 else if(strcasecmp(rule_opt[k]->element,xml_cve) == 0)
357 config_ruleinfo->cve=
358 os_LoadString(config_ruleinfo->cve,
359 rule_opt[k]->content);
361 else if(strcasecmp(rule_opt[k]->element,xml_comment) == 0)
365 newline = strchr(rule_opt[k]->content, '\n');
370 config_ruleinfo->comment=
371 os_LoadString(config_ruleinfo->comment,
372 rule_opt[k]->content);
374 else if(strcasecmp(rule_opt[k]->element,xml_srcip)==0)
378 /* Getting size of source ip list */
/* srcip is a NULL-terminated array of os_ip pointers; ip_s ends up
 * as the index of the new slot. */
379 while(config_ruleinfo->srcip &&
380 config_ruleinfo->srcip[ip_s])
/* NOTE(review): realloc() result is stored straight back without a NULL
 * check; on failure the old list leaks and the NULL is indexed right
 * below. A tmp pointer plus ErrorExit(MEM_ERROR, ...) — as done for
 * rulepath above — would be consistent. Same pattern for dstip below. */
385 config_ruleinfo->srcip =
386 realloc(config_ruleinfo->srcip,
387 (ip_s + 2) * sizeof(os_ip *));
390 /* Allocating memory for the individual entries */
391 os_calloc(1, sizeof(os_ip),
392 config_ruleinfo->srcip[ip_s]);
393 config_ruleinfo->srcip[ip_s +1] = NULL;
396 /* Checking if the ip is valid */
397 if(!OS_IsValidIP(rule_opt[k]->content,
398 config_ruleinfo->srcip[ip_s]))
400 merror(INVALID_IP, __local_name, rule_opt[k]->content);
404 if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
405 config_ruleinfo->alert_opts |= DO_PACKETINFO;
407 else if(strcasecmp(rule_opt[k]->element,xml_dstip)==0)
411 /* Getting size of source ip list */
412 while(config_ruleinfo->dstip &&
413 config_ruleinfo->dstip[ip_s])
418 config_ruleinfo->dstip =
419 realloc(config_ruleinfo->dstip,
420 (ip_s + 2) * sizeof(os_ip *));
423 /* Allocating memory for the individual entries */
424 os_calloc(1, sizeof(os_ip),
425 config_ruleinfo->dstip[ip_s]);
426 config_ruleinfo->dstip[ip_s +1] = NULL;
429 /* Checking if the ip is valid */
430 if(!OS_IsValidIP(rule_opt[k]->content,
431 config_ruleinfo->dstip[ip_s]))
433 merror(INVALID_IP, __local_name, rule_opt[k]->content);
437 if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
438 config_ruleinfo->alert_opts |= DO_PACKETINFO;
440 else if(strcasecmp(rule_opt[k]->element,xml_user) == 0)
442 user = os_LoadString(user, rule_opt[k]->content);
444 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
445 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
447 else if(strcasecmp(rule_opt[k]->element,xml_id) == 0)
449 id = os_LoadString(id, rule_opt[k]->content);
451 else if(strcasecmp(rule_opt[k]->element,xml_srcport) == 0)
453 srcport = os_LoadString(srcport, rule_opt[k]->content);
455 if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
456 config_ruleinfo->alert_opts |= DO_PACKETINFO;
458 else if(strcasecmp(rule_opt[k]->element,xml_dstport) == 0)
460 dstport = os_LoadString(dstport, rule_opt[k]->content);
462 if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
463 config_ruleinfo->alert_opts |= DO_PACKETINFO;
465 else if(strcasecmp(rule_opt[k]->element,xml_status)==0)
467 status = os_LoadString(status, rule_opt[k]->content);
469 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
470 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
472 else if(strcasecmp(rule_opt[k]->element,xml_hostname) == 0)
474 hostname = os_LoadString(hostname, rule_opt[k]->content);
476 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
477 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
479 else if(strcasecmp(rule_opt[k]->element,xml_data)==0)
481 extra_data = os_LoadString(extra_data, rule_opt[k]->content);
483 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
484 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
486 else if(strcasecmp(rule_opt[k]->element,
487 xml_program_name)==0)
489 program_name = os_LoadString(program_name,
490 rule_opt[k]->content);
492 else if(strcasecmp(rule_opt[k]->element,xml_action) == 0)
494 config_ruleinfo->action =
495 os_LoadString(config_ruleinfo->action,
496 rule_opt[k]->content);
498 else if(strcasecmp(rule_opt[k]->element,xml_url) == 0)
500 url= os_LoadString(url, rule_opt[k]->content);
503 else if(strcasecmp(rule_opt[k]->element, xml_compiled)==0)
505 /* Not using this in here. */
508 /* We allow these categories so far */
/* Category values are compared case-sensitively, unlike element names. */
509 else if(strcasecmp(rule_opt[k]->element, xml_category)==0)
511 if(strcmp(rule_opt[k]->content, "firewall") == 0)
513 config_ruleinfo->category = FIREWALL;
515 else if(strcmp(rule_opt[k]->content, "ids") == 0)
517 config_ruleinfo->category = IDS;
519 else if(strcmp(rule_opt[k]->content, "syslog") == 0)
521 config_ruleinfo->category = SYSLOG;
523 else if(strcmp(rule_opt[k]->content, "web-log") == 0)
525 config_ruleinfo->category = WEBLOG;
527 else if(strcmp(rule_opt[k]->content, "squid") == 0)
529 config_ruleinfo->category = SQUID;
531 else if(strcmp(rule_opt[k]->content,"windows") == 0)
533 config_ruleinfo->category = DECODER_WINDOWS;
535 else if(strcmp(rule_opt[k]->content,"ossec") == 0)
537 config_ruleinfo->category = OSSEC_RL;
541 merror(INVALID_CAT, __local_name, rule_opt[k]->content);
545 else if(strcasecmp(rule_opt[k]->element,xml_if_sid)==0)
547 config_ruleinfo->if_sid=
548 os_LoadString(config_ruleinfo->if_sid,
549 rule_opt[k]->content);
551 else if(strcasecmp(rule_opt[k]->element,xml_if_level)==0)
553 if(!OS_StrIsNum(rule_opt[k]->content))
555 merror(INVALID_CONFIG, __local_name,
557 rule_opt[k]->content);
561 config_ruleinfo->if_level=
562 os_LoadString(config_ruleinfo->if_level,
563 rule_opt[k]->content);
565 else if(strcasecmp(rule_opt[k]->element,xml_if_group)==0)
567 config_ruleinfo->if_group=
568 os_LoadString(config_ruleinfo->if_group,
569 rule_opt[k]->content);
/* The three if_matched_* options mark the rule as context-dependent;
 * the frequency/context sanity check after the loop relies on this. */
571 else if(strcasecmp(rule_opt[k]->element,
572 xml_if_matched_regex) == 0)
574 config_ruleinfo->context = 1;
576 os_LoadString(if_matched_regex,
577 rule_opt[k]->content);
579 else if(strcasecmp(rule_opt[k]->element,
580 xml_if_matched_group) == 0)
582 config_ruleinfo->context = 1;
584 os_LoadString(if_matched_group,
585 rule_opt[k]->content);
587 else if(strcasecmp(rule_opt[k]->element,
588 xml_if_matched_sid) == 0)
590 config_ruleinfo->context = 1;
591 if(!OS_StrIsNum(rule_opt[k]->content))
593 merror(INVALID_CONFIG, __local_name,
594 rule_opt[k]->element,
595 rule_opt[k]->content);
/* NOTE(review): unlike the id attribute in _OS_GetRulesAttributes there is
 * no length bound before atoi(), so an over-long digit string overflows
 * (undefined behaviour); strtol() with a range check would be safer. */
598 config_ruleinfo->if_matched_sid =
599 atoi(rule_opt[k]->content);
602 else if(strcasecmp(rule_opt[k]->element,
603 xml_same_source_ip)==0)
605 config_ruleinfo->context_opts|= SAME_SRCIP;
607 else if(strcasecmp(rule_opt[k]->element,
608 xml_same_src_port)==0)
610 config_ruleinfo->context_opts|= SAME_SRCPORT;
612 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
613 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
615 else if(strcasecmp(rule_opt[k]->element,
618 config_ruleinfo->context++;
619 config_ruleinfo->context_opts|= SAME_DODIFF;
620 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
622 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
625 else if(strcasecmp(rule_opt[k]->element,
626 xml_same_dst_port) == 0)
628 config_ruleinfo->context_opts|= SAME_DSTPORT;
630 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
631 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
633 else if(strcasecmp(rule_opt[k]->element,
634 xml_notsame_source_ip)==0)
/* NOTE(review): &= with a NOT_SAME_* constant only clears a bit if that
 * constant is an inverted mask — verify its definition; a plain flag here
 * would wipe every other context option instead. Same for the other
 * not_same_* branches below. */
636 config_ruleinfo->context_opts&= NOT_SAME_SRCIP;
638 else if(strcmp(rule_opt[k]->element, xml_same_id) == 0)
640 config_ruleinfo->context_opts|= SAME_ID;
642 else if(strcmp(rule_opt[k]->element,
643 xml_different_url) == 0)
645 config_ruleinfo->context_opts|= DIFFERENT_URL;
647 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
648 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
650 else if(strcmp(rule_opt[k]->element,xml_notsame_id) == 0)
652 config_ruleinfo->context_opts&= NOT_SAME_ID;
654 else if(strcasecmp(rule_opt[k]->element,
657 config_ruleinfo->alert_opts |= DO_FTS;
659 else if(strcasecmp(rule_opt[k]->element,
662 config_ruleinfo->context_opts|= SAME_USER;
664 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
665 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
667 else if(strcasecmp(rule_opt[k]->element,
668 xml_notsame_user)==0)
670 config_ruleinfo->context_opts&= NOT_SAME_USER;
672 else if(strcasecmp(rule_opt[k]->element,
673 xml_same_location)==0)
675 config_ruleinfo->context_opts|= SAME_LOCATION;
676 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
677 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
679 else if(strcasecmp(rule_opt[k]->element,
680 xml_notsame_agent)==0)
682 config_ruleinfo->context_opts&= NOT_SAME_AGENT;
684 else if(strcasecmp(rule_opt[k]->element,
687 if(strcmp("alert_by_email",
688 rule_opt[k]->content) == 0)
690 if(!(config_ruleinfo->alert_opts & DO_MAILALERT))
692 config_ruleinfo->alert_opts|= DO_MAILALERT;
695 else if(strcmp("no_email_alert",
696 rule_opt[k]->content) == 0)
698 if(config_ruleinfo->alert_opts & DO_MAILALERT)
/* NOTE(review): "0xfff - FLAG" clears the flag but also drops any
 * alert_opts bit above bit 11; ~DO_MAILALERT is the conventional,
 * width-independent form. Same at no_log below. */
700 config_ruleinfo->alert_opts&=0xfff-DO_MAILALERT;
703 else if(strcmp("log_alert",
704 rule_opt[k]->content) == 0)
706 if(!(config_ruleinfo->alert_opts & DO_LOGALERT))
708 config_ruleinfo->alert_opts|= DO_LOGALERT;
711 else if(strcmp("no_log", rule_opt[k]->content) == 0)
713 if(config_ruleinfo->alert_opts & DO_LOGALERT)
715 config_ruleinfo->alert_opts &=0xfff-DO_LOGALERT;
718 else if(strcmp("no_ar", rule_opt[k]->content) == 0)
720 if(!(config_ruleinfo->alert_opts & NO_AR))
722 config_ruleinfo->alert_opts|= NO_AR;
727 merror(XML_VALUEERR, __local_name, xml_options,
728 rule_opt[k]->content);
730 merror(INVALID_ELEMENT, __local_name,
731 rule_opt[k]->element,
732 rule_opt[k]->content);
/* <ignore> is free-form: each keyword is looked up as a substring of the
 * content, so "user,srcip" and "user srcip" both work. */
737 else if(strcasecmp(rule_opt[k]->element,
740 if(strstr(rule_opt[k]->content, "user") != NULL)
742 config_ruleinfo->ignore|=FTS_USER;
744 if(strstr(rule_opt[k]->content, "srcip") != NULL)
746 config_ruleinfo->ignore|=FTS_SRCIP;
748 if(strstr(rule_opt[k]->content, "dstip") != NULL)
750 config_ruleinfo->ignore|=FTS_DSTIP;
752 if(strstr(rule_opt[k]->content, "id") != NULL)
754 config_ruleinfo->ignore|=FTS_ID;
756 if(strstr(rule_opt[k]->content,"location")!= NULL)
758 config_ruleinfo->ignore|=FTS_LOCATION;
760 if(strstr(rule_opt[k]->content,"data")!= NULL)
762 config_ruleinfo->ignore|=FTS_DATA;
764 if(strstr(rule_opt[k]->content, "name") != NULL)
766 config_ruleinfo->ignore|=FTS_NAME;
769 if(!config_ruleinfo->ignore)
771 merror(INVALID_ELEMENT, __local_name,
772 rule_opt[k]->element,
773 rule_opt[k]->content);
/* Same keyword set as <ignore>, but recorded in ckignore. */
778 else if(strcasecmp(rule_opt[k]->element,
779 xml_check_if_ignored) == 0)
781 if(strstr(rule_opt[k]->content, "user") != NULL)
783 config_ruleinfo->ckignore|=FTS_USER;
785 if(strstr(rule_opt[k]->content, "srcip") != NULL)
787 config_ruleinfo->ckignore|=FTS_SRCIP;
789 if(strstr(rule_opt[k]->content, "dstip") != NULL)
791 config_ruleinfo->ckignore|=FTS_DSTIP;
793 if(strstr(rule_opt[k]->content, "id") != NULL)
795 config_ruleinfo->ckignore|=FTS_ID;
797 if(strstr(rule_opt[k]->content,"location")!= NULL)
799 config_ruleinfo->ckignore|=FTS_LOCATION;
801 if(strstr(rule_opt[k]->content,"data")!= NULL)
/* NOTE(review): this line writes ignore while every other line of the
 * check_if_ignored block writes ckignore — looks like a copy-paste slip.
 * A check_if_ignored containing only "data" leaves ckignore at 0, so the
 * INVALID_ELEMENT check below fires and the data flag lands in the wrong
 * field. Should be ckignore|=FTS_DATA. */
803 config_ruleinfo->ignore|=FTS_DATA;
805 if(strstr(rule_opt[k]->content, "name") != NULL)
807 config_ruleinfo->ckignore|=FTS_NAME;
810 if(!config_ruleinfo->ckignore)
812 merror(INVALID_ELEMENT, __local_name,
813 rule_opt[k]->element,
814 rule_opt[k]->content);
819 /* XXX As new features are added into ../analysisd/rules.c
820 * This code needs to be updated to match, but is out of date
821 * it's become a nightmare to correct with out just make the
822 * problem for someone later.
824 * This hack will allow any crap xml to pass without an
825 * error. The correct fix is to refactor the code so that
826 * ../analysisd/rules* and this code are not duplicates
/* NOTE(review): per the comment above, an unrecognised element is only
 * logged here, so a misspelt option name is silently dropped from the
 * rule rather than rejected — keep that in mind when a rule "does not
 * fire" in testing. */
830 merror(XML_INVELEM, __local_name, rule_opt[k]->element);
840 /* Checking for a valid use of frequency */
841 if((config_ruleinfo->context_opts ||
842 config_ruleinfo->frequency) &&
843 !config_ruleinfo->context)
845 merror("%s: Invalid use of frequency/context options. "
846 "Missing if_matched on rule '%d'.",
847 __local_name, config_ruleinfo->sigid);
853 /* If if_matched_group we must have a if_sid or if_group */
856 if(!config_ruleinfo->if_sid && !config_ruleinfo->if_group)
858 os_strdup(if_matched_group, config_ruleinfo->if_group);
863 /* If_matched_sid, we need to get the if_sid */
864 if(config_ruleinfo->if_matched_sid &&
865 !config_ruleinfo->if_sid &&
866 !config_ruleinfo->if_group)
/* 16 bytes are allocated but only 15 are offered to snprintf; an int
 * never needs more than 11 characters plus NUL, so this is safe, just
 * inconsistent. */
868 os_calloc(16, sizeof(char), config_ruleinfo->if_sid);
869 snprintf(config_ruleinfo->if_sid, 15, "%d",
870 config_ruleinfo->if_matched_sid);
874 /* Checking the regexes */
/* From here on each collected string is compiled into its matcher and the
 * scratch copy released. */
877 os_calloc(1, sizeof(OSRegex), config_ruleinfo->regex);
878 if(!OSRegex_Compile(regex, config_ruleinfo->regex, 0))
880 merror(REGEX_COMPILE, __local_name, regex,
881 config_ruleinfo->regex->error);
889 /* Adding in match */
892 os_calloc(1, sizeof(OSMatch), config_ruleinfo->match);
893 if(!OSMatch_Compile(match, config_ruleinfo->match, 0))
895 merror(REGEX_COMPILE, __local_name, match,
896 config_ruleinfo->match->error);
907 os_calloc(1, sizeof(OSMatch), config_ruleinfo->id);
908 if(!OSMatch_Compile(id, config_ruleinfo->id, 0))
910 merror(REGEX_COMPILE, __local_name, id,
911 config_ruleinfo->id->error);
922 os_calloc(1, sizeof(OSMatch), config_ruleinfo->srcport);
923 if(!OSMatch_Compile(srcport, config_ruleinfo->srcport, 0))
925 merror(REGEX_COMPILE, __local_name, srcport,
/* NOTE(review): this is the srcport matcher, but the message reads
 * config_ruleinfo->id->error. id stays NULL when the rule has no <id>,
 * so a bad srcport pattern dereferences NULL on the error path. Should
 * be config_ruleinfo->srcport->error; the dstport block below has the
 * same slip. */
926 config_ruleinfo->id->error);
937 os_calloc(1, sizeof(OSMatch), config_ruleinfo->dstport);
938 if(!OSMatch_Compile(dstport, config_ruleinfo->dstport, 0))
940 merror(REGEX_COMPILE, __local_name, dstport,
941 config_ruleinfo->id->error);
949 /* Adding in status */
952 os_calloc(1, sizeof(OSMatch), config_ruleinfo->status);
953 if(!OSMatch_Compile(status, config_ruleinfo->status, 0))
955 merror(REGEX_COMPILE, __local_name, status,
956 config_ruleinfo->status->error);
964 /* Adding in hostname */
967 os_calloc(1, sizeof(OSMatch), config_ruleinfo->hostname);
968 if(!OSMatch_Compile(hostname, config_ruleinfo->hostname,0))
970 merror(REGEX_COMPILE, __local_name, hostname,
971 config_ruleinfo->hostname->error);
979 /* Adding extra data */
982 os_calloc(1, sizeof(OSMatch), config_ruleinfo->extra_data);
983 if(!OSMatch_Compile(extra_data,
984 config_ruleinfo->extra_data, 0))
986 merror(REGEX_COMPILE, __local_name, extra_data,
987 config_ruleinfo->extra_data->error);
995 /* Adding in program name */
998 os_calloc(1,sizeof(OSMatch),config_ruleinfo->program_name);
999 if(!OSMatch_Compile(program_name,
1000 config_ruleinfo->program_name,0))
1002 merror(REGEX_COMPILE, __local_name, program_name,
1003 config_ruleinfo->program_name->error);
1007 program_name = NULL;
1011 /* Adding in user */
1014 os_calloc(1, sizeof(OSMatch), config_ruleinfo->user);
1015 if(!OSMatch_Compile(user, config_ruleinfo->user, 0))
1017 merror(REGEX_COMPILE, __local_name, user,
1018 config_ruleinfo->user->error);
1029 os_calloc(1, sizeof(OSMatch), config_ruleinfo->url);
1030 if(!OSMatch_Compile(url, config_ruleinfo->url, 0))
1032 merror(REGEX_COMPILE, __local_name, url,
1033 config_ruleinfo->url->error);
1041 /* Adding matched_group */
1042 if(if_matched_group)
1044 os_calloc(1,sizeof(OSMatch),config_ruleinfo->if_matched_group);
1046 if(!OSMatch_Compile(if_matched_group,
1047 config_ruleinfo->if_matched_group,0))
1049 merror(REGEX_COMPILE, __local_name, if_matched_group,
1050 config_ruleinfo->if_matched_group->error);
1053 free(if_matched_group);
1054 if_matched_group = NULL;
1058 /* Adding matched_regex */
1059 if(if_matched_regex)
1061 os_calloc(1, sizeof(OSRegex),
1062 config_ruleinfo->if_matched_regex);
1063 if(!OSRegex_Compile(if_matched_regex,
1064 config_ruleinfo->if_matched_regex, 0))
1066 merror(REGEX_COMPILE, __local_name, if_matched_regex,
1067 config_ruleinfo->if_matched_regex->error);
1070 free(if_matched_regex);
1071 if_matched_regex = NULL;
1075 /* Calling the function provided. */
/* The callback's return value is discarded, and config_ruleinfo is not
 * freed here — presumably the callback takes ownership; confirm. */
1076 ruleact_function(config_ruleinfo, data);
1079 j++; /* next rule */
1082 } /* while(rule[j]) */
1086 } /* while (node[i]) */
1088 /* Cleaning global node */
1093 /* Done over here */
1099 /** RuleInfo *_OS_AllocateRule()
1100 * Allocates the memory for the rule.
/**
 * _OS_AllocateRule: returns a freshly allocated RuleInfo carrying the
 * parser defaults.
 *
 * sigid and level start at -1 so OS_ReadXMLRules can tell that a rule
 * never declared them; category defaults to SYSLOG. Every pointer member
 * starts NULL and every counter/flag member starts 0.
 *
 * Never returns NULL: on allocation failure the process is terminated via
 * ErrorExit(MEM_ERROR, ...). The caller owns the returned structure.
 */
RuleInfo *_OS_AllocateRule()
{
    RuleInfo *rule = calloc(1, sizeof *rule);

    if (!rule) {
        ErrorExit(MEM_ERROR, __local_name);
    }

    /* One designated-initializer assignment instead of a member-by-member
     * list; members not named here are zero/NULL, exactly as calloc left
     * them. */
    *rule = (RuleInfo) {
        /* "not set" sentinels checked by the caller */
        .sigid = -1,
        .level = -1,

        /* default category is syslog */
        .category = SYSLOG,

        .ar = NULL,
        .context = 0,
        .firedtimes = 0,
        .maxsize = 0,
        .frequency = 0,
        .ignore_time = 0,
        .timeframe = 0,
        .time_ignored = 0,

        .context_opts = 0,
        .alert_opts = 0,
        .ignore = 0,
        .ckignore = 0,

        .day_time = NULL,
        .week_day = NULL,

        .group = NULL,
        .regex = NULL,
        .match = NULL,
        .decoded_as = 0,

        .comment = NULL,
        .info = NULL,
        .cve = NULL,

        .if_sid = NULL,
        .if_group = NULL,
        .if_level = NULL,

        .if_matched_regex = NULL,
        .if_matched_group = NULL,
        .if_matched_sid = 0,

        .user = NULL,
        .srcip = NULL,
        .srcport = NULL,
        .dstip = NULL,
        .dstport = NULL,
        .url = NULL,
        .id = NULL,
        .status = NULL,
        .hostname = NULL,
        .program_name = NULL,
        .action = NULL,

        /* last matched events */
        .__frequency = 0,
        .last_events = NULL,

        /* list of previous matches */
        .sid_prev_matched = NULL,
        .group_prev_matched = NULL,

        .sid_search = NULL,
        .group_search = NULL,

        .event_search = NULL,
    };

    return rule;
}
1189 /** int _OS_GetRulesAttributes
1190 * Reads the rule attributes and assigns them.
/**
 * _OS_GetRulesAttributes: parses the attributes of one <rule> element into
 * ruleinfo_pt.
 *
 * attributes / values - parallel NULL-terminated arrays from the XML node.
 * ruleinfo_pt         - rule being built; numeric attributes are stored as
 *                       int after an OS_StrIsNum() check and a digit-count
 *                       bound that keeps atoi() in range.
 *
 * Returns a negative value on an invalid attribute (the caller tests
 * "< 0"); the return statements themselves are outside this excerpt.
 */
1192 int _OS_GetRulesAttributes(char **attributes, char **values,
1193 RuleInfo *ruleinfo_pt)
1197 char *xml_id = "id";
1198 char *xml_level = "level";
1199 char *xml_maxsize = "maxsize";
1200 char *xml_timeframe = "timeframe";
1201 char *xml_frequency = "frequency";
1202 char *xml_accuracy = "accuracy";
1203 char *xml_noalert = "noalert";
1204 char *xml_ignore_time = "ignore";
1205 char *xml_overwrite = "overwrite";
1208 /* Getting attributes */
1209 while(attributes[k])
/* An attribute with no value is rejected before any name comparison. */
1213 merror(RL_EMPTY_ATTR, __local_name, attributes[k]);
1216 /* Getting rule Id */
/* Digit-count bounds (6 for id, 3 for level, 4/5 below) keep the values
 * well inside int range before atoi(). */
1217 else if(strcasecmp(attributes[k], xml_id) == 0)
1219 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 6 ))
1221 ruleinfo_pt->sigid = atoi(values[k]);
1225 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
1230 else if(strcasecmp(attributes[k],xml_level) == 0)
1232 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 3))
1234 ruleinfo_pt->level = atoi(values[k]);
1238 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
1242 /* Getting maxsize */
1243 else if(strcasecmp(attributes[k],xml_maxsize) == 0)
1245 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 4))
1247 ruleinfo_pt->maxsize = atoi(values[k]);
1249 /* adding EXTRAINFO options */
/* A positive maxsize is the only attribute that also turns on
 * DO_EXTRAINFO. */
1250 if(ruleinfo_pt->maxsize > 0 &&
1251 !(ruleinfo_pt->alert_opts & DO_EXTRAINFO))
1253 ruleinfo_pt->alert_opts |= DO_EXTRAINFO;
1258 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
1262 /* Getting timeframe */
1263 else if(strcasecmp(attributes[k],xml_timeframe) == 0)
1265 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 5))
1267 ruleinfo_pt->timeframe = atoi(values[k]);
1271 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
1275 /* Getting frequency */
1276 else if(strcasecmp(attributes[k],xml_frequency) == 0)
1278 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 4))
1280 ruleinfo_pt->frequency = atoi(values[k]);
1284 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
/* "accuracy" is accepted but has no effect beyond this log line. */
1289 else if(strcasecmp(attributes[k],xml_accuracy) == 0)
1291 merror("%s: XXX: Use of 'accuracy' isn't supported. Ignoring.",
1294 /* Rule ignore_time */
1295 else if(strcasecmp(attributes[k],xml_ignore_time) == 0)
1297 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 4))
1299 ruleinfo_pt->ignore_time = atoi(values[k]);
1303 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
/* noalert is a presence flag: its value is not inspected. */
1308 else if(strcasecmp(attributes[k],xml_noalert) == 0)
1310 ruleinfo_pt->alert_opts |= NO_ALERT;
/* overwrite accepts only "yes"/"no" (case-sensitive); anything else is an
 * error. */
1312 else if(strcasecmp(attributes[k], xml_overwrite) == 0)
1314 if(strcmp(values[k], "yes") == 0)
1316 ruleinfo_pt->alert_opts |= DO_OVERWRITE;
1318 else if(strcmp(values[k], "no") == 0)
1323 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
/* Unknown attribute names are reported here. */
1329 merror(XML_INVELEM, __local_name, attributes[k]);
1340 void OS_PrintRuleinfo(RuleInfo *rule)
1342 debug1("%s: __local_name: Print Rule:%d, level %d, ignore: %d, frequency:%d",