1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
11 #include "os_regex/os_regex.h"
12 #include "os_xml/os_xml.h"
13 #include "eventinfo.h"
19 /* Use the osdecoders to decode the received event */
/*
 * DecodeEvent - run the OSDecoder chain against one event.
 *
 * Walks the decoder list returned by OS_GetFirstOSDecoder(lf->program_name):
 * a decoder is selected by program name, then by prematch, then by regex
 * (each step has an OSRegex/OSMatch form and a PCRE2 form). The decoder that
 * matched is recorded in lf->decoder_info, and every captured sub-string is
 * handed to the decoder's order[] callback table, which writes the event
 * fields. Only part of the body is visible in this listing; lines that are
 * not shown are not documented here.
 *
 * @param lf  event to decode. Reads lf->log and lf->program_name; writes
 *            lf->decoder_info and, through the order[] callbacks, the
 *            decoded fields.
 */
20 void DecodeEvent(Eventinfo *lf)
23 OSDecoderNode *child_node;
26 const char *llog = NULL;
27 const char *pmatch = NULL;
28 const char *cmatch = NULL;
29 const char *regex_prev = NULL;
/* The candidate decoder list is keyed by the event's program name. */
31 node = OS_GetFirstOSDecoder(lf->program_name);
39 print_out("\n**Phase 2: Completed decoding.");
44 nnode = node->osdecoder;
46 /* First check program name. A decoder may carry either an OSMatch
 * pattern (program_name) or a PCRE2 pattern (program_name_pcre2);
 * the non-matching branches are not shown in this listing. */
47 if (lf->program_name) {
48 if (nnode->program_name) {
49 if (!OSMatch_Execute(lf->program_name, lf->p_name_size,
50 nnode->program_name)) {
54 } else if (nnode->program_name_pcre2) {
55 if (!OSPcre2_Execute(lf->program_name, nnode->program_name_pcre2)) {
62 /* If prematch fails, go to the next osdecoder in the list.
 * pmatch keeps the position returned by the prematch engine; it is
 * later used as an offset base (see the AFTER_PREMATCH handling). */
63 if (nnode->prematch) {
64 if (!(pmatch = OSRegex_Execute(lf->log, nnode->prematch))) {
68 else if (nnode->prematch_pcre2) {
69 if (!(pmatch = OSPcre2_Execute(lf->log, nnode->prematch_pcre2))) {
76 print_out(" decoder: '%s'", nnode->name);
/* The parent decoder matched; record it before looking at children
 * so a child that fails to match still leaves a valid decoder_info. */
80 lf->decoder_info = nnode;
81 child_node = node->child;
83 /* If no child node is set, set the child node
84 * as if it were the child (ugh)
91 /* Check if we have any child osdecoder */
93 nnode = child_node->osdecoder;
95 /* If we have a pre match and it matches, keep
96 * going. If we don't have a prematch, stop
97 * and go for the regexes.
99 if (nnode->prematch) {
102 /* If we have an offset set, use it. llog2 is the text the child
 * prematch runs on; its assignment is on lines not shown here. */
103 if (nnode->prematch_offset & AFTER_PARENT) {
109 if ((cmatch = OSRegex_Execute(llog2, nnode->prematch))) {
110 lf->decoder_info = nnode;
114 } else if (nnode->prematch_pcre2) {
117 /* If we have an offset set, use it (PCRE2 variant of the block above) */
118 if (nnode->prematch_offset & AFTER_PARENT) {
124 if ((cmatch = OSPcre2_Execute(llog2, nnode->prematch_pcre2))) {
125 lf->decoder_info = nnode;
134 /* If we have multiple regex-only children,
135 * do not attempt to go any further with them.
 * A run of children chained with get_next is skipped as a unit. */
137 if (child_node->osdecoder->get_next) {
139 child_node = child_node->next;
140 } while (child_node && child_node->osdecoder->get_next);
146 child_node = child_node->next;
149 child_node = child_node->next;
155 /* Nothing matched */
160 /* If we have an external decoder, execute it. The plugin runs before
 * the regex phase and receives the whole event. */
161 if (nnode->plugindecoder) {
162 nnode->plugindecoder(lf);
171 /* With regex we have multiple options
172 * regarding the offset:
173 * after the prematch,
175 * after some previous regex,
 * The flag selects where llog (the regex subject) starts; the
 * assignments themselves are on lines not shown in this listing. */
178 if (nnode->regex_offset) {
179 if (nnode->regex_offset & AFTER_PARENT) {
181 } else if (nnode->regex_offset & AFTER_PREMATCH) {
183 } else if (nnode->regex_offset & AFTER_PREVREGEX) {
194 /* If Regex does not match, return. When the decoder is chained
 * (get_next), advance to the next child instead and retry; the rest
 * of that path is not shown here. */
195 if (!(regex_prev = OSRegex_Execute(llog, nnode->regex))) {
196 if (nnode->get_next) {
197 child_node = child_node->next;
198 nnode = child_node->osdecoder;
/* decoder_info must point at the matching decoder before the order[]
 * callbacks run: DynamicField_FP reads lf->decoder_info->fields[]. */
204 lf->decoder_info = nnode;
/* sub_strings[] is NULL-terminated. i is checked against
 * Config.decoder_order_size BEFORE order[i] is indexed, so a regex
 * with more capture groups than configured order entries aborts via
 * ErrorExit instead of reading past the order[] table. */
206 for (i = 0; nnode->regex->sub_strings[i]; i++) {
207 if (i >= Config.decoder_order_size) {
208 ErrorExit("%s: ERROR: Regex has too many groups.", ARGV0);
212 nnode->order[i](lf, nnode->regex->sub_strings[i], i);
214 /* We do not free any memory used above.
 * NOTE(review): lines between the callback and this os_free are not
 * shown, so whether the free is conditional on the callback's result
 * cannot be confirmed from this listing. */
215 os_free(nnode->regex->sub_strings[i]);
/* Clear the slot so the shared regex object keeps no dangling pointer
 * once the sub-string has been handed over or freed. */
217 nnode->regex->sub_strings[i] = NULL;
220 /* If we have a next regex, try getting it */
221 if (nnode->get_next) {
222 child_node = child_node->next;
223 nnode = child_node->osdecoder;
/* PCRE2 variant of the regex phase above; same offset flags, same
 * bounded order[] loop and same sub_strings[] handling. */
229 else if (nnode->pcre2) {
232 /* With regex we have multiple options
233 * regarding the offset:
234 * after the prematch,
236 * after some previous regex,
239 if (nnode->regex_offset) {
240 if (nnode->regex_offset & AFTER_PARENT) {
242 } else if (nnode->regex_offset & AFTER_PREMATCH) {
244 } else if (nnode->regex_offset & AFTER_PREVREGEX) {
255 /* If Regex does not match, return */
256 if (!(regex_prev = OSPcre2_Execute(llog, nnode->pcre2))) {
257 if (nnode->get_next) {
258 child_node = child_node->next;
259 nnode = child_node->osdecoder;
266 lf->decoder_info = nnode;
/* Same bound check as the OSRegex path: guards order[i] before use. */
268 for (i = 0; nnode->pcre2->sub_strings[i]; i++) {
269 if (i >= Config.decoder_order_size) {
270 ErrorExit("%s: ERROR: Regex has too many groups.", ARGV0);
274 nnode->order[i](lf, nnode->pcre2->sub_strings[i], i);
276 /* We do not free any memory used above */
277 os_free(nnode->pcre2->sub_strings[i]);
279 nnode->pcre2->sub_strings[i] = NULL;
282 /* If we have a next regex, try getting it */
283 if (nnode->get_next) {
284 child_node = child_node->next;
285 nnode = child_node->osdecoder;
293 /* If we don't have a regex, we may leave now */
/* Outer loop: try the next decoder in the program-name list. */
299 } while ((node = node->next) != NULL);
303 print_out(" No decoder matched.");
308 /*** Event decoders ****/
/*
 * DstUser_FP - order[] callback for the "dstuser" field.
 * Prints the captured value; the guard around the print and the
 * assignment into lf (if any) are on lines not shown in this listing.
 * @param lf     event being decoded
 * @param field  captured sub-string (owned per DecodeEvent's handling)
 * @param order  unused
 */
310 void *DstUser_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
314 print_out(" dstuser: '%s'", field);
/*
 * SrcUser_FP - order[] callback for the "srcuser" field.
 * Prints the captured value; assignment into lf, if any, is not shown here.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
322 void *SrcUser_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
326 print_out(" srcuser: '%s'", field);
/*
 * SrcIP_FP - order[] callback for the "srcip" field.
 * Prints the captured value and, when built with GeoIP support, resolves
 * lf->srcip to a location string stored in lf->srcgeoip. The assignment of
 * field into lf->srcip is on a line not shown in this listing.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
334 void *SrcIP_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
338 print_out(" srcip: '%s'", field);
344 #ifdef LIBGEOIP_ENABLED
/* GeoIP lookup uses lf->srcip, presumably already set from field
 * on a line not visible here -- confirm. */
347 lf->srcgeoip = GetGeoInfobyIP(lf->srcip);
/* Location is only echoed when not running in alert-only mode. */
351 if (lf->srcgeoip && !alert_only)
352 print_out(" srcgeoip: '%s'", lf->srcgeoip);
/*
 * DstIP_FP - order[] callback for the "dstip" field.
 * Mirror of SrcIP_FP for the destination address: prints the value and,
 * with GeoIP support compiled in, stores a location string in lf->dstgeoip.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
360 void *DstIP_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
364 print_out(" dstip: '%s'", field);
369 #ifdef LIBGEOIP_ENABLED
/* lf->dstip is expected to hold field by now (assignment not shown). */
372 lf->dstgeoip = GetGeoInfobyIP(lf->dstip);
375 if (lf->dstgeoip && !alert_only)
376 print_out(" dstgeoip: '%s'", lf->dstgeoip);
/*
 * SrcPort_FP - order[] callback for the "srcport" field.
 * Prints the captured value; assignment into lf, if any, is not shown here.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
384 void *SrcPort_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
388 print_out(" srcport: '%s'", field);
/*
 * DstPort_FP - order[] callback for the "dstport" field.
 * Prints the captured value; assignment into lf, if any, is not shown here.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
396 void *DstPort_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
400 print_out(" dstport: '%s'", field);
/*
 * Protocol_FP - order[] callback for the "proto" field.
 * Prints the captured value and stores the pointer itself (no copy) in
 * lf->protocol, so the sub-string must outlive this call; ownership
 * appears to pass to lf -- confirm against DecodeEvent's sub_strings
 * handling.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
408 void *Protocol_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
412 print_out(" proto: '%s'", field);
416 lf->protocol = field;
/*
 * Action_FP - order[] callback for the "action" field.
 * Prints the captured value; assignment into lf, if any, is not shown here.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
420 void *Action_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
424 print_out(" action: '%s'", field);
/*
 * ID_FP - order[] callback for the "id" field.
 * Prints the captured value; assignment into lf, if any, is not shown here.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
432 void *ID_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
436 print_out(" id: '%s'", field);
/*
 * Url_FP - order[] callback for the "url" field.
 * Prints the captured value; assignment into lf, if any, is not shown here.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
444 void *Url_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
448 print_out(" url: '%s'", field);
/*
 * Data_FP - order[] callback for the "extra_data" field.
 * Prints the captured value; assignment into lf, if any, is not shown here.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
456 void *Data_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
460 print_out(" extra_data: '%s'", field);
/*
 * Status_FP - order[] callback for the "status" field.
 * Prints the captured value; assignment into lf, if any, is not shown here.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
468 void *Status_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
472 print_out(" status: '%s'", field);
/*
 * SystemName_FP - order[] callback for the "system_name" field.
 * Prints the captured value and stores the pointer itself (no copy) in
 * lf->systemname; the sub-string must therefore outlive this call.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
480 void *SystemName_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
484 print_out(" system_name: '%s'", field);
488 lf->systemname = field;
/*
 * FileName_FP - order[] callback for the "filename" field.
 * Prints the captured value and stores the pointer itself (no copy) in
 * lf->filename; the sub-string must therefore outlive this call.
 * @param lf     event being decoded
 * @param field  captured sub-string
 * @param order  unused
 */
492 void *FileName_FP(Eventinfo *lf, char *field, __attribute__((unused)) int order)
496 print_out(" filename: '%s'", field);
500 lf->filename = field;
/*
 * DynamicField_FP - order[] callback for decoder-defined (dynamic) fields.
 * The field name comes from lf->decoder_info->fields[order] and the value
 * is stored by pointer in lf->fields[order]. Both indexes rely on the
 * caller: DecodeEvent sets lf->decoder_info before running the order[]
 * loop and aborts when order would reach Config.decoder_order_size, so
 * no bound is re-checked here.
 * @param lf     event being decoded
 * @param field  captured sub-string (stored, not copied)
 * @param order  index of this capture group in the decoder's order[] table
 */
505 void *DynamicField_FP(Eventinfo *lf, char *field, int order)
/* Format is a literal; the field name and value are passed as %s args. */
509 print_out(" %s: '%s'", lf->decoder_info->fields[order], field);
513 lf->fields[order] = field;
518 void *None_FP(__attribute__((unused)) Eventinfo *lf, char *field, __attribute__((unused)) int order)