3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 2) as published by the FSF - Free Software
11 * License details at the LICENSE file included with OSSEC or
12 * online at: http://www.ossec.net/en/licensing.html
17 #include "eventinfo.h"
22 /** Note: If the rule fails to match it should return NULL.
23 * If you want processing to continue, return lf (the eventinfo structure).
29 * Comparing if the srcuser and dstuser are the same. If they are the same,
31 * If any of them is not set, return true too.
33 void *comp_srcuser_dstuser(Eventinfo *lf)
35 if(!lf->srcuser || !lf->dstuser)
40 if(strcmp(lf->srcuser, lf->dstuser) == 0)
46 /* In here, srcuser and dstuser are present and are different. */
53 * Checking if the size of the id field is larger than 10.
55 void *check_id_size(Eventinfo *lf)
62 if(strlen(lf->id) >= 10)
73 * Comparing the Target Account Name and Caller User Name
75 * It will return NULL (not match) if any of these values
76 * are not present or if they are the same.
77 * This function will return TRUE if they are NOT the same.
79 void *comp_mswin_targetuser_calleruser_diff(Eventinfo *lf)
85 target_user = strstr(lf->log, "Target Account Name");
86 caller_user = strstr(lf->log, "Caller User Name");
88 if(!target_user || !caller_user)
94 /* We need to clear each user type and finish the string.
96 * Target Account Name: account\t
97 * Caller User Name: account\t
99 target_user = strchr(target_user, ':');
100 caller_user = strchr(caller_user, ':');
102 if(!target_user || !caller_user)
112 while(*target_user != '\0')
114 if(*target_user != *caller_user)
117 if(*target_user == '\t' ||
118 (*target_user == ' ' && target_user[1] == ' '))
121 target_user++;caller_user++;
125 /* If we got in here, the accounts are the same.
126 * So, we return NULL since we only want to alert if they are different.
133 * Checks if a HTTP request is a simple GET/POST without a query.
134 * This avoid that we call the attack rules for no reason.
136 void *is_simple_http_request(Eventinfo *lf)
139 /* Simple GET / request. */
140 if(strcmp(lf->url,"/") == 0)
146 /* Simple request, no query. */
147 if(!strchr(lf->url,'?'))
153 /* In here, we have an additional query to be checked. */
159 * Checks if the source ip is from a valid bot.
161 void *is_valid_crawler(Eventinfo *lf)
163 if((strncmp(lf->log, "66.249.",7) == 0)|| /* Google bot */
164 (strncmp(lf->log, "72.14.",6) == 0)|| /* Feedfetcher-Google */
165 (strncmp(lf->log, "209.85.",7) == 0)|| /* Feedfetcher-Google */
166 (strncmp(lf->log, "65.55.",6) == 0)|| /* MSN/Bing */
167 (strncmp(lf->log, "207.46.",7) == 0)|| /* MSN/Bing */
168 (strncmp(lf->log, "74.6.",5) == 0)|| /* Yahoo */
169 (strncmp(lf->log, "72.30.",6) == 0)|| /* Yahoo */
170 (strncmp(lf->log, "67.195.",7) == 0) /* Yahoo */
181 /* END generic samples. */