3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 2) as published by the FSF - Free Software
11 * License details at the LICENSE file included with OSSEC or
12 * online at: http://www.ossec.net/en/licensing.html
19 /* Changing path for test rule. */
22 #define RULEPATH "rules/"
27 int _OS_GetRulesAttributes(char **attributes,
29 RuleInfo *ruleinfo_pt);
30 RuleInfo *_OS_AllocateRule();
35 /* Rules_OP_ReadRules, v0.3, 2005/03/21
37 * v0.3: Fixed many memory problems.
 *
 * OS_ReadXMLRules: parses every group/rule block of `rulefile` and hands
 * each resulting RuleInfo to ruleact_function(rule, data); ownership of
 * the RuleInfo passes to that callback.  A bare file name (no '/') is
 * resolved under RULEPATH, a name containing '/' is used exactly as
 * given, so the caller decides which file is read.  Failures are
 * reported through merror(); the return statements of the error paths
 * are not visible in this listing.
 * NOTE(review): this is a near-duplicate of ../analysisd/rules.c and,
 * per the XXX block further down, is known to lag behind it.
39 int OS_ReadXMLRules(char *rulefile,
40 void *(*ruleact_function)(RuleInfo *rule, void *data),
48 /* These are the available options for the rule configuration */
/* Element names recognised inside a rule.  Most are matched with
 * strcasecmp(); same_id, different_url and not_same_id use strcmp()
 * (case-sensitive) -- see the option loop below. */
50 char *xml_group = "group";
51 char *xml_rule = "rule";
53 char *xml_regex = "regex";
54 char *xml_match = "match";
55 char *xml_decoded = "decoded_as";
56 char *xml_category = "category";
57 char *xml_cve = "cve";
58 char *xml_info = "info";
59 char *xml_day_time = "time";
60 char *xml_week_day = "weekday";
61 char *xml_comment = "description";
62 char *xml_ignore = "ignore";
63 char *xml_check_if_ignored = "check_if_ignored";
65 char *xml_srcip = "srcip";
66 char *xml_srcport = "srcport";
67 char *xml_dstip = "dstip";
68 char *xml_dstport = "dstport";
69 char *xml_user = "user";
70 char *xml_url = "url";
72 char *xml_data = "extra_data";
73 char *xml_hostname = "hostname";
74 char *xml_program_name = "program_name";
75 char *xml_status = "status";
76 char *xml_action = "action";
77 char *xml_compiled = "compiled_rule";
79 char *xml_if_sid = "if_sid";
80 char *xml_if_group = "if_group";
81 char *xml_if_level = "if_level";
82 char *xml_fts = "if_fts";
84 char *xml_if_matched_regex = "if_matched_regex";
85 char *xml_if_matched_group = "if_matched_group";
86 char *xml_if_matched_sid = "if_matched_sid";
88 char *xml_same_source_ip = "same_source_ip";
89 char *xml_same_src_port = "same_src_port";
90 char *xml_same_dst_port = "same_dst_port";
91 char *xml_same_user = "same_user";
92 char *xml_same_location = "same_location";
93 char *xml_same_id = "same_id";
94 char *xml_dodiff = "check_diff";
96 char *xml_different_url = "different_url";
98 char *xml_notsame_source_ip = "not_same_source_ip";
99 char *xml_notsame_user = "not_same_user";
100 char *xml_notsame_agent = "not_same_agent";
101 char *xml_notsame_id = "not_same_id";
103 char *xml_options = "options";
110 /* If no directory in the rulefile add the default */
111 if((strchr(rulefile, '/')) == NULL)
113 /* Building the rule file name + path */
/* i = RULEPATH + '/' + name + NUL.  RULEPATH already ends in '/', so
 * the resulting path reads "rules//<file>"; harmless to the OS, but it
 * is the spelling that shows up in the error messages below. */
114 i = strlen(RULEPATH) + strlen(rulefile) + 2;
115 rulepath = (char *)calloc(i,sizeof(char));
118 ErrorExit(MEM_ERROR,ARGV0);
120 snprintf(rulepath,i,"%s/%s",RULEPATH,rulefile);
/* A name containing '/' is taken verbatim: no confinement to RULEPATH. */
124 os_strdup(rulefile, rulepath);
125 debug1("%s is the rulefile", rulefile);
126 debug1("Not modifing the rule path");
130 /* Reading the XML */
/* Parse errors carry the XML library's own message and line number. */
131 if(OS_ReadXML(rulepath,&xml) < 0)
133 merror(XML_ERROR, __local_name, rulepath, xml.err, xml.err_line);
140 debug1("%s: DEBUG: read xml for rule '%s'.", __local_name, rulepath);
143 /* Applying any variable found */
144 if(OS_ApplyVariables(&xml) != 0)
146 merror(XML_ERROR_VAR, __local_name, rulepath, xml.err);
152 debug1("%s: DEBUG: XML Variables applied.", __local_name);
155 /* Getting the root elements */
156 node = OS_GetElementsbyNode(&xml, NULL);
159 merror(CONFIG_ERROR, __local_name, rulepath);
165 /* Zeroing the rule memory -- not used anymore */
169 /* Checking if there is any invalid global option */
/* Pass 1: every root element must be a group whose only attribute is
 * "name" with a non-empty value.  Anything else is RL_INV_ROOT. */
175 /* Verifying group */
176 if(strcasecmp(node[i]->element,xml_group) != 0)
178 merror(RL_INV_ROOT, __local_name, node[i]->element);
182 /* Checking group attribute -- only name is allowed */
183 if((!node[i]->attributes) || (!node[i]->values)||
184 (!node[i]->values[0]) || (!node[i]->attributes[0]) ||
185 (strcasecmp(node[i]->attributes[0],"name") != 0) ||
186 (node[i]->attributes[1]))
188 merror(RL_INV_ROOT, __local_name, node[i]->element);
195 merror(XML_READ_ERROR, __local_name);
203 /* Getting the rules now */
/* Pass 2: walk the rule children of each group. */
208 XML_NODE rule = NULL;
211 /* Getting all rules for a global group */
212 rule = OS_GetElementsbyNode(&xml,node[i]);
219 /* Looping on the rules node */
/* Per-rule scratch text, accumulated with os_LoadString() in the option
 * loop and compiled into OSMatch/OSRegex objects once the loop is done.
 * The freeing of most of these after compilation is not in this listing;
 * program_name, if_matched_group and if_matched_regex are visibly reset. */
224 char *regex = NULL, *match = NULL, *url = NULL,
225 *if_matched_regex = NULL, *if_matched_group = NULL,
226 *user = NULL, *id = NULL, *srcport = NULL,
227 *dstport = NULL, *status = NULL, *hostname = NULL,
228 *extra_data = NULL, *program_name = NULL;
230 RuleInfo *config_ruleinfo = NULL;
231 XML_NODE rule_opt = NULL;
234 /* Checking if the rule element is correct */
235 if((!rule[j]->element)||
236 (strcasecmp(rule[j]->element,xml_rule) != 0))
238 merror(RL_INV_RULE, __local_name, node[i]->element);
244 /* Checking for the attributes of the rule */
245 if((!rule[j]->attributes) || (!rule[j]->values))
247 merror(RL_INV_RULE, __local_name, rulefile);
253 /* Attribute block */
/* _OS_AllocateRule seeds sigid and level with -1, which is how a rule
 * that omits either attribute is caught a few lines below. */
254 config_ruleinfo = _OS_AllocateRule();
256 if(_OS_GetRulesAttributes(rule[j]->attributes, rule[j]->values,
257 config_ruleinfo) < 0)
259 merror(RL_INV_ATTR, __local_name, rulefile);
264 /* We must have an id or level */
/* Both are required: either one still at its -1 default is an error. */
265 if((config_ruleinfo->sigid == -1)||(config_ruleinfo->level == -1))
267 merror(RL_INV_ATTR, __local_name, rulefile);
273 /* Here we can assign the group name to the rule.
274 * The level is correct so the rule is probably going to
/* The enclosing group's name attribute becomes the rule's initial group;
 * a group element inside the rule appends to it via os_LoadString below. */
277 os_strdup(node[i]->values[0], config_ruleinfo->group);
280 /* Getting rules options */
281 rule_opt = OS_GetElementsbyNode(&xml, rule[j]);
284 merror(RL_NO_OPT, __local_name, config_ruleinfo->sigid);
290 /* Reading the whole rule block */
/* Option loop.  The first branch covers options with no element name or
 * no content; its body is not visible in this listing. */
293 if((!rule_opt[k]->element)||(!rule_opt[k]->content))
297 else if(strcasecmp(rule_opt[k]->element,xml_regex)==0)
301 rule_opt[k]->content);
303 else if(strcasecmp(rule_opt[k]->element,xml_match)==0)
307 rule_opt[k]->content);
309 else if(strcasecmp(rule_opt[k]->element, xml_decoded) == 0)
312 else if(strcasecmp(rule_opt[k]->element,xml_info) == 0)
314 config_ruleinfo->info=
315 os_LoadString(config_ruleinfo->info,
316 rule_opt[k]->content);
/* time / weekday: OS_IsValidTime/OS_IsValidDay return NULL on a value
 * they reject, which is reported as INVALID_CONFIG.  Both also raise
 * DO_EXTRAINFO on the rule. */
318 else if(strcasecmp(rule_opt[k]->element,xml_day_time) == 0)
320 config_ruleinfo->day_time =
321 OS_IsValidTime(rule_opt[k]->content);
322 if(!config_ruleinfo->day_time)
324 merror(INVALID_CONFIG, __local_name,
325 rule_opt[k]->element,
326 rule_opt[k]->content);
330 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
331 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
333 else if(strcasecmp(rule_opt[k]->element,xml_week_day) == 0)
335 config_ruleinfo->week_day =
336 OS_IsValidDay(rule_opt[k]->content);
338 if(!config_ruleinfo->week_day)
340 merror(INVALID_CONFIG, __local_name,
341 rule_opt[k]->element,
342 rule_opt[k]->content);
345 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
346 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
348 else if(strcasecmp(rule_opt[k]->element,xml_group) == 0)
350 config_ruleinfo->group =
351 os_LoadString(config_ruleinfo->group,
352 rule_opt[k]->content);
354 else if(strcasecmp(rule_opt[k]->element,xml_cve) == 0)
356 config_ruleinfo->cve=
357 os_LoadString(config_ruleinfo->cve,
358 rule_opt[k]->content);
360 else if(strcasecmp(rule_opt[k]->element,xml_comment) == 0)
/* `newline` is located here; what is done with it (presumably the
 * description is cut or flattened at the first '\n') is not in this
 * listing -- verify against the full source. */
364 newline = strchr(rule_opt[k]->content, '\n');
369 config_ruleinfo->comment=
370 os_LoadString(config_ruleinfo->comment,
371 rule_opt[k]->content);
/* srcip / dstip: each is a NULL-terminated array of os_ip pointers that
 * grows by one entry per element.  NOTE(review): the realloc() result is
 * assigned straight back without a check; on failure the old list leaks
 * and the os_calloc() on the following line presumably stores through
 * the now-NULL base pointer.  Use a temporary and check it. */
373 else if(strcasecmp(rule_opt[k]->element,xml_srcip)==0)
377 /* Getting size of source ip list */
378 while(config_ruleinfo->srcip &&
379 config_ruleinfo->srcip[ip_s])
384 config_ruleinfo->srcip =
385 realloc(config_ruleinfo->srcip,
386 (ip_s + 2) * sizeof(os_ip *));
389 /* Allocating memory for the individual entries */
390 os_calloc(1, sizeof(os_ip),
391 config_ruleinfo->srcip[ip_s]);
392 config_ruleinfo->srcip[ip_s +1] = NULL;
395 /* Checking if the ip is valid */
396 if(!OS_IsValidIP(rule_opt[k]->content,
397 config_ruleinfo->srcip[ip_s]))
399 merror(INVALID_IP, __local_name, rule_opt[k]->content);
403 if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
404 config_ruleinfo->alert_opts |= DO_PACKETINFO;
406 else if(strcasecmp(rule_opt[k]->element,xml_dstip)==0)
410 /* Getting size of source ip list */
/* Same shape, and the same unchecked realloc(), as the srcip branch. */
411 while(config_ruleinfo->dstip &&
412 config_ruleinfo->dstip[ip_s])
417 config_ruleinfo->dstip =
418 realloc(config_ruleinfo->dstip,
419 (ip_s + 2) * sizeof(os_ip *));
422 /* Allocating memory for the individual entries */
423 os_calloc(1, sizeof(os_ip),
424 config_ruleinfo->dstip[ip_s]);
425 config_ruleinfo->dstip[ip_s +1] = NULL;
428 /* Checking if the ip is valid */
429 if(!OS_IsValidIP(rule_opt[k]->content,
430 config_ruleinfo->dstip[ip_s]))
432 merror(INVALID_IP, __local_name, rule_opt[k]->content);
436 if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
437 config_ruleinfo->alert_opts |= DO_PACKETINFO;
/* The string-valued fields below are only collected here; they are
 * compiled into OSMatch objects after the loop.  Fields that need
 * decoded event data also raise DO_EXTRAINFO or DO_PACKETINFO. */
439 else if(strcasecmp(rule_opt[k]->element,xml_user) == 0)
441 user = os_LoadString(user, rule_opt[k]->content);
443 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
444 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
446 else if(strcasecmp(rule_opt[k]->element,xml_id) == 0)
448 id = os_LoadString(id, rule_opt[k]->content);
450 else if(strcasecmp(rule_opt[k]->element,xml_srcport) == 0)
452 srcport = os_LoadString(srcport, rule_opt[k]->content);
454 if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
455 config_ruleinfo->alert_opts |= DO_PACKETINFO;
457 else if(strcasecmp(rule_opt[k]->element,xml_dstport) == 0)
459 dstport = os_LoadString(dstport, rule_opt[k]->content);
461 if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
462 config_ruleinfo->alert_opts |= DO_PACKETINFO;
464 else if(strcasecmp(rule_opt[k]->element,xml_status)==0)
466 status = os_LoadString(status, rule_opt[k]->content);
468 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
469 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
471 else if(strcasecmp(rule_opt[k]->element,xml_hostname) == 0)
473 hostname = os_LoadString(hostname, rule_opt[k]->content);
475 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
476 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
478 else if(strcasecmp(rule_opt[k]->element,xml_data)==0)
480 extra_data = os_LoadString(extra_data, rule_opt[k]->content);
482 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
483 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
485 else if(strcasecmp(rule_opt[k]->element,
486 xml_program_name)==0)
488 program_name = os_LoadString(program_name,
489 rule_opt[k]->content);
491 else if(strcasecmp(rule_opt[k]->element,xml_action) == 0)
493 config_ruleinfo->action =
494 os_LoadString(config_ruleinfo->action,
495 rule_opt[k]->content);
497 else if(strcasecmp(rule_opt[k]->element,xml_url) == 0)
499 url= os_LoadString(url, rule_opt[k]->content);
/* compiled_rule is accepted but deliberately ignored by this reader. */
502 else if(strcasecmp(rule_opt[k]->element, xml_compiled)==0)
504 /* Not using this in here. */
507 /* We allow these categories so far */
/* Category values are compared with strcmp(), i.e. case-sensitively,
 * unlike the element names; anything unknown is INVALID_CAT. */
508 else if(strcasecmp(rule_opt[k]->element, xml_category)==0)
510 if(strcmp(rule_opt[k]->content, "firewall") == 0)
512 config_ruleinfo->category = FIREWALL;
514 else if(strcmp(rule_opt[k]->content, "ids") == 0)
516 config_ruleinfo->category = IDS;
518 else if(strcmp(rule_opt[k]->content, "syslog") == 0)
520 config_ruleinfo->category = SYSLOG;
522 else if(strcmp(rule_opt[k]->content, "web-log") == 0)
524 config_ruleinfo->category = WEBLOG;
526 else if(strcmp(rule_opt[k]->content, "squid") == 0)
528 config_ruleinfo->category = SQUID;
530 else if(strcmp(rule_opt[k]->content,"windows") == 0)
532 config_ruleinfo->category = WINDOWS;
534 else if(strcmp(rule_opt[k]->content,"ossec") == 0)
536 config_ruleinfo->category = OSSEC_RL;
540 merror(INVALID_CAT, __local_name, rule_opt[k]->content);
/* Rule dependencies: if_sid / if_level / if_group are kept as strings. */
544 else if(strcasecmp(rule_opt[k]->element,xml_if_sid)==0)
546 config_ruleinfo->if_sid=
547 os_LoadString(config_ruleinfo->if_sid,
548 rule_opt[k]->content);
550 else if(strcasecmp(rule_opt[k]->element,xml_if_level)==0)
552 if(!OS_StrIsNum(rule_opt[k]->content))
554 merror(INVALID_CONFIG, __local_name,
556 rule_opt[k]->content);
560 config_ruleinfo->if_level=
561 os_LoadString(config_ruleinfo->if_level,
562 rule_opt[k]->content);
564 else if(strcasecmp(rule_opt[k]->element,xml_if_group)==0)
566 config_ruleinfo->if_group=
567 os_LoadString(config_ruleinfo->if_group,
568 rule_opt[k]->content);
/* if_matched_*: mark the rule as context-dependent (context = 1).  The
 * assignment of the os_LoadString() result for the regex/group variants
 * is not visible in this listing. */
570 else if(strcasecmp(rule_opt[k]->element,
571 xml_if_matched_regex) == 0)
573 config_ruleinfo->context = 1;
575 os_LoadString(if_matched_regex,
576 rule_opt[k]->content);
578 else if(strcasecmp(rule_opt[k]->element,
579 xml_if_matched_group) == 0)
581 config_ruleinfo->context = 1;
583 os_LoadString(if_matched_group,
584 rule_opt[k]->content);
586 else if(strcasecmp(rule_opt[k]->element,
587 xml_if_matched_sid) == 0)
589 config_ruleinfo->context = 1;
/* Digits-only is checked, but no length bound is visible here, unlike
 * the 6-digit cap the id attribute gets in _OS_GetRulesAttributes; a
 * very long digit string would make atoi() overflow. */
590 if(!OS_StrIsNum(rule_opt[k]->content))
592 merror(INVALID_CONFIG, __local_name,
593 rule_opt[k]->element,
594 rule_opt[k]->content);
597 config_ruleinfo->if_matched_sid =
598 atoi(rule_opt[k]->content);
/* Correlation flags.  SAME_* bits are OR-ed in; the not_same_* elements
 * AND with NOT_SAME_* -- this assumes those constants are clear-masks
 * (all bits set except the matching SAME_* bit), confirm in the header.
 * Options that need decoded fields also raise SAME_EXTRAINFO. */
601 else if(strcasecmp(rule_opt[k]->element,
602 xml_same_source_ip)==0)
604 config_ruleinfo->context_opts|= SAME_SRCIP;
606 else if(strcasecmp(rule_opt[k]->element,
607 xml_same_src_port)==0)
609 config_ruleinfo->context_opts|= SAME_SRCPORT;
611 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
612 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
614 else if(strcasecmp(rule_opt[k]->element,
/* check_diff (the element name line is missing from this listing):
 * increments context rather than setting it. */
617 config_ruleinfo->context++;
618 config_ruleinfo->context_opts|= SAME_DODIFF;
619 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
621 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
624 else if(strcasecmp(rule_opt[k]->element,
625 xml_same_dst_port) == 0)
627 config_ruleinfo->context_opts|= SAME_DSTPORT;
629 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
630 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
632 else if(strcasecmp(rule_opt[k]->element,
633 xml_notsame_source_ip)==0)
635 config_ruleinfo->context_opts&= NOT_SAME_SRCIP;
/* strcmp() here: same_id, different_url and not_same_id are the only
 * element names matched case-sensitively. */
637 else if(strcmp(rule_opt[k]->element, xml_same_id) == 0)
639 config_ruleinfo->context_opts|= SAME_ID;
641 else if(strcmp(rule_opt[k]->element,
642 xml_different_url) == 0)
644 config_ruleinfo->context_opts|= DIFFERENT_URL;
646 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
647 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
649 else if(strcmp(rule_opt[k]->element,xml_notsame_id) == 0)
651 config_ruleinfo->context_opts&= NOT_SAME_ID;
653 else if(strcasecmp(rule_opt[k]->element,
656 config_ruleinfo->alert_opts |= DO_FTS;
658 else if(strcasecmp(rule_opt[k]->element,
661 config_ruleinfo->context_opts|= SAME_USER;
663 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
664 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
666 else if(strcasecmp(rule_opt[k]->element,
667 xml_notsame_user)==0)
669 config_ruleinfo->context_opts&= NOT_SAME_USER;
671 else if(strcasecmp(rule_opt[k]->element,
672 xml_same_location)==0)
674 config_ruleinfo->context_opts|= SAME_LOCATION;
675 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
676 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
678 else if(strcasecmp(rule_opt[k]->element,
679 xml_notsame_agent)==0)
681 config_ruleinfo->context_opts&= NOT_SAME_AGENT;
/* options element: one keyword per element.  NOTE(review): the two
 * "no_*" cases clear their bit with `alert_opts &= 0xfff - FLAG`, which
 * only works while alert_opts never uses a bit above 0x800; the usual
 * `alert_opts &= ~DO_MAILALERT` form has no such dependency. */
683 else if(strcasecmp(rule_opt[k]->element,
686 if(strcmp("alert_by_email",
687 rule_opt[k]->content) == 0)
689 if(!(config_ruleinfo->alert_opts & DO_MAILALERT))
691 config_ruleinfo->alert_opts|= DO_MAILALERT;
694 else if(strcmp("no_email_alert",
695 rule_opt[k]->content) == 0)
697 if(config_ruleinfo->alert_opts & DO_MAILALERT)
699 config_ruleinfo->alert_opts&=0xfff-DO_MAILALERT;
702 else if(strcmp("log_alert",
703 rule_opt[k]->content) == 0)
705 if(!(config_ruleinfo->alert_opts & DO_LOGALERT))
707 config_ruleinfo->alert_opts|= DO_LOGALERT;
710 else if(strcmp("no_log", rule_opt[k]->content) == 0)
712 if(config_ruleinfo->alert_opts & DO_LOGALERT)
714 config_ruleinfo->alert_opts &=0xfff-DO_LOGALERT;
717 else if(strcmp("no_ar", rule_opt[k]->content) == 0)
719 if(!(config_ruleinfo->alert_opts & NO_AR))
721 config_ruleinfo->alert_opts|= NO_AR;
726 merror(XML_VALUEERR, __local_name, xml_options,
727 rule_opt[k]->content);
729 merror(INVALID_ELEMENT, __local_name,
730 rule_opt[k]->element,
731 rule_opt[k]->content);
/* ignore: a free-form list of field names.  Each test is a substring
 * match (strstr), not a token match, so e.g. a value containing
 * "hostname" also sets FTS_NAME.  An element that sets no bit at all
 * is INVALID_ELEMENT. */
736 else if(strcasecmp(rule_opt[k]->element,
739 if(strstr(rule_opt[k]->content, "user") != NULL)
741 config_ruleinfo->ignore|=FTS_USER;
743 if(strstr(rule_opt[k]->content, "srcip") != NULL)
745 config_ruleinfo->ignore|=FTS_SRCIP;
747 if(strstr(rule_opt[k]->content, "dstip") != NULL)
749 config_ruleinfo->ignore|=FTS_DSTIP;
751 if(strstr(rule_opt[k]->content, "id") != NULL)
753 config_ruleinfo->ignore|=FTS_ID;
755 if(strstr(rule_opt[k]->content,"location")!= NULL)
757 config_ruleinfo->ignore|=FTS_LOCATION;
759 if(strstr(rule_opt[k]->content,"data")!= NULL)
761 config_ruleinfo->ignore|=FTS_DATA;
763 if(strstr(rule_opt[k]->content, "name") != NULL)
765 config_ruleinfo->ignore|=FTS_NAME;
768 if(!config_ruleinfo->ignore)
770 merror(INVALID_ELEMENT, __local_name,
771 rule_opt[k]->element,
772 rule_opt[k]->content);
/* check_if_ignored: same keywords and substring semantics as ignore,
 * written to ckignore.  NOTE(review): the "data" case below writes
 * `ignore` instead of `ckignore`, unlike its six siblings; this looks
 * like a copy-paste slip, and a check_if_ignored element whose only
 * keyword is "data" therefore leaves ckignore at 0 and is rejected by
 * the INVALID_ELEMENT check that follows. */
777 else if(strcasecmp(rule_opt[k]->element,
778 xml_check_if_ignored) == 0)
780 if(strstr(rule_opt[k]->content, "user") != NULL)
782 config_ruleinfo->ckignore|=FTS_USER;
784 if(strstr(rule_opt[k]->content, "srcip") != NULL)
786 config_ruleinfo->ckignore|=FTS_SRCIP;
788 if(strstr(rule_opt[k]->content, "dstip") != NULL)
790 config_ruleinfo->ckignore|=FTS_DSTIP;
792 if(strstr(rule_opt[k]->content, "id") != NULL)
794 config_ruleinfo->ckignore|=FTS_ID;
796 if(strstr(rule_opt[k]->content,"location")!= NULL)
798 config_ruleinfo->ckignore|=FTS_LOCATION;
800 if(strstr(rule_opt[k]->content,"data")!= NULL)
802 config_ruleinfo->ignore|=FTS_DATA;
804 if(strstr(rule_opt[k]->content, "name") != NULL)
806 config_ruleinfo->ckignore|=FTS_NAME;
809 if(!config_ruleinfo->ckignore)
811 merror(INVALID_ELEMENT, __local_name,
812 rule_opt[k]->element,
813 rule_opt[k]->content);
818 /* XXX As new features are added into ../analysisd/rules.c
819 * This code needs to be updated to match, but is out of date
820 * it's become a nightmare to correct with out just make the
821 * problem for someone later.
823 * This hack will allow any crap xml to pass without an
824 * error. The correct fix is to refactor the code so that
825 * ../analysisd/rules* and this code are not duplicates
/* Consequence for rule authors: an unrecognised (e.g. misspelled) option
 * is only logged as XML_INVELEM; the rule still loads, minus whatever
 * that option was meant to constrain.  Read the merror output when
 * testing a rule rather than relying on the exit status alone. */
829 merror(XML_INVELEM, __local_name, rule_opt[k]->element);
839 /* Checking for a valid use of frequency */
/* Any correlation flag or a frequency attribute requires one of the
 * if_matched_* elements (which set context above). */
840 if((config_ruleinfo->context_opts ||
841 config_ruleinfo->frequency) &&
842 !config_ruleinfo->context)
844 merror("%s: Invalid use of frequency/context options. "
845 "Missing if_matched on rule '%d'.",
846 __local_name, config_ruleinfo->sigid);
852 /* If if_matched_group we must have a if_sid or if_group */
/* The enclosing condition on if_matched_group is not in this listing. */
855 if(!config_ruleinfo->if_sid && !config_ruleinfo->if_group)
857 os_strdup(if_matched_group, config_ruleinfo->if_group);
862 /* If_matched_sid, we need to get the if_sid */
/* 16-byte buffer, snprintf() bounded to 15: enough for any int plus
 * the terminator. */
863 if(config_ruleinfo->if_matched_sid &&
864 !config_ruleinfo->if_sid &&
865 !config_ruleinfo->if_group)
867 os_calloc(16, sizeof(char), config_ruleinfo->if_sid);
868 snprintf(config_ruleinfo->if_sid, 15, "%d",
869 config_ruleinfo->if_matched_sid);
873 /* Checking the regexes */
/* Compile the collected strings.  Each block allocates the matcher,
 * compiles, and reports REGEX_COMPILE with the matcher's own error text
 * on failure; the `if (string)` guards and the free() of the source
 * strings are mostly outside this listing. */
876 os_calloc(1, sizeof(OSRegex), config_ruleinfo->regex);
877 if(!OSRegex_Compile(regex, config_ruleinfo->regex, 0))
879 merror(REGEX_COMPILE, __local_name, regex,
880 config_ruleinfo->regex->error);
888 /* Adding in match */
891 os_calloc(1, sizeof(OSMatch), config_ruleinfo->match);
892 if(!OSMatch_Compile(match, config_ruleinfo->match, 0))
894 merror(REGEX_COMPILE, __local_name, match,
895 config_ruleinfo->match->error);
906 os_calloc(1, sizeof(OSMatch), config_ruleinfo->id);
907 if(!OSMatch_Compile(id, config_ruleinfo->id, 0))
909 merror(REGEX_COMPILE, __local_name, id,
910 config_ruleinfo->id->error);
/* NOTE(review): the srcport and dstport error reports below read
 * config_ruleinfo->id->error instead of ->srcport->error /
 * ->dstport->error.  Besides printing the wrong message, a rule with
 * no id element leaves config_ruleinfo->id NULL, so the error path
 * dereferences NULL. */
921 os_calloc(1, sizeof(OSMatch), config_ruleinfo->srcport);
922 if(!OSMatch_Compile(srcport, config_ruleinfo->srcport, 0))
924 merror(REGEX_COMPILE, __local_name, srcport,
925 config_ruleinfo->id->error);
936 os_calloc(1, sizeof(OSMatch), config_ruleinfo->dstport);
937 if(!OSMatch_Compile(dstport, config_ruleinfo->dstport, 0))
939 merror(REGEX_COMPILE, __local_name, dstport,
940 config_ruleinfo->id->error);
948 /* Adding in status */
951 os_calloc(1, sizeof(OSMatch), config_ruleinfo->status);
952 if(!OSMatch_Compile(status, config_ruleinfo->status, 0))
954 merror(REGEX_COMPILE, __local_name, status,
955 config_ruleinfo->status->error);
963 /* Adding in hostname */
966 os_calloc(1, sizeof(OSMatch), config_ruleinfo->hostname);
967 if(!OSMatch_Compile(hostname, config_ruleinfo->hostname,0))
969 merror(REGEX_COMPILE, __local_name, hostname,
970 config_ruleinfo->hostname->error);
978 /* Adding extra data */
981 os_calloc(1, sizeof(OSMatch), config_ruleinfo->extra_data);
982 if(!OSMatch_Compile(extra_data,
983 config_ruleinfo->extra_data, 0))
985 merror(REGEX_COMPILE, __local_name, extra_data,
986 config_ruleinfo->extra_data->error);
994 /* Adding in program name */
997 os_calloc(1,sizeof(OSMatch),config_ruleinfo->program_name);
998 if(!OSMatch_Compile(program_name,
999 config_ruleinfo->program_name,0))
1001 merror(REGEX_COMPILE, __local_name, program_name,
1002 config_ruleinfo->program_name->error);
1006 program_name = NULL;
1010 /* Adding in user */
1013 os_calloc(1, sizeof(OSMatch), config_ruleinfo->user);
1014 if(!OSMatch_Compile(user, config_ruleinfo->user, 0))
1016 merror(REGEX_COMPILE, __local_name, user,
1017 config_ruleinfo->user->error);
1028 os_calloc(1, sizeof(OSMatch), config_ruleinfo->url);
1029 if(!OSMatch_Compile(url, config_ruleinfo->url, 0))
1031 merror(REGEX_COMPILE, __local_name, url,
1032 config_ruleinfo->url->error);
1040 /* Adding matched_group */
1041 if(if_matched_group)
1043 os_calloc(1,sizeof(OSMatch),config_ruleinfo->if_matched_group);
1045 if(!OSMatch_Compile(if_matched_group,
1046 config_ruleinfo->if_matched_group,0))
1048 merror(REGEX_COMPILE, __local_name, if_matched_group,
1049 config_ruleinfo->if_matched_group->error);
/* Source string released once compiled; pointer cleared so the
 * next rule in the loop starts from NULL. */
1052 free(if_matched_group);
1053 if_matched_group = NULL;
1057 /* Adding matched_regex */
1058 if(if_matched_regex)
1060 os_calloc(1, sizeof(OSRegex),
1061 config_ruleinfo->if_matched_regex);
1062 if(!OSRegex_Compile(if_matched_regex,
1063 config_ruleinfo->if_matched_regex, 0))
1065 merror(REGEX_COMPILE, __local_name, if_matched_regex,
1066 config_ruleinfo->if_matched_regex->error);
1069 free(if_matched_regex);
1070 if_matched_regex = NULL;
1074 /* Calling the function provided. */
/* Ownership of config_ruleinfo moves to the callback; nothing here
 * frees it afterwards. */
1075 ruleact_function(config_ruleinfo, data);
1078 j++; /* next rule */
1081 } /* while(rule[j]) */
1085 } /* while (node[i]) */
1087 /* Cleaning global node */
1092 /* Done over here */
/** RuleInfo *_OS_AllocateRule()
 * Allocates the memory for the rule.
 *
 * Returns a freshly calloc()ed RuleInfo carrying the parser's defaults:
 * level -1 and sigid -1 (OS_ReadXMLRules rejects a rule that leaves
 * either at -1), category SYSLOG, and every other counter, flag and
 * pointer zero/NULL.  The caller owns the returned object.
 * On allocation failure this does not return: ErrorExit(MEM_ERROR) is
 * called, as on the calloc path in OS_ReadXMLRules.
 */
RuleInfo *_OS_AllocateRule()
{
    RuleInfo *rule = calloc(1, sizeof *rule);

    if (!rule) {
        ErrorExit(MEM_ERROR, __local_name);
    }

    /* Every field is spelled out, zero/NULL ones included: calloc() only
     * promises all-bits-zero, and the list doubles as the inventory of
     * the state a new rule starts with. */
    *rule = (RuleInfo){
        /* identity and scoring; -1 marks "attribute not seen yet" */
        .sigid              = -1,
        .level              = -1,
        .category           = SYSLOG,

        /* limits and counters filled in from rule attributes */
        .maxsize            = 0,
        .frequency          = 0,
        .timeframe          = 0,
        .ignore_time        = 0,
        .time_ignored       = 0,
        .firedtimes         = 0,

        /* option bitmasks and small scalars set by the option loop */
        .context            = 0,
        .context_opts       = 0,
        .alert_opts         = 0,
        .ignore             = 0,
        .ckignore           = 0,
        .decoded_as         = 0,
        .if_matched_sid     = 0,

        /* strings and compiled matchers, all owned by the rule */
        .ar                 = NULL,
        .day_time           = NULL,
        .week_day           = NULL,
        .group              = NULL,
        .regex              = NULL,
        .match              = NULL,
        .comment            = NULL,
        .info               = NULL,
        .cve                = NULL,
        .if_sid             = NULL,
        .if_group           = NULL,
        .if_level           = NULL,
        .if_matched_regex   = NULL,
        .if_matched_group   = NULL,
        .user               = NULL,
        .srcip              = NULL,
        .srcport            = NULL,
        .dstip              = NULL,
        .dstport            = NULL,
        .url                = NULL,
        .id                 = NULL,
        .status             = NULL,
        .hostname           = NULL,
        .program_name       = NULL,
        .action             = NULL,

        /* match history: last fired events and previous-match lists */
        .__frequency        = 0,
        .last_events        = NULL,
        .sid_prev_matched   = NULL,
        .group_prev_matched = NULL,
        .sid_search         = NULL,
        .group_search       = NULL,
        .event_search       = NULL,
    };

    return rule;
}
1188 /** int _OS_GetRulesAttributes
1189 * Reads the rules attributes and assign them.
 *
 * attributes / values: parallel, NULL-terminated arrays taken from the
 *   rule element.
 * ruleinfo_pt: rule under construction; sigid, level, maxsize,
 *   timeframe, frequency, ignore_time and the NO_ALERT / DO_OVERWRITE /
 *   DO_EXTRAINFO bits of alert_opts are written here.
 * Numeric attributes are accepted only when OS_StrIsNum() passes AND the
 * digit count is capped (6 for id, 3 for level, 4 for maxsize, frequency
 * and ignore, 5 for timeframe), so the atoi() that follows cannot
 * overflow an int.  Rejections go through merror(); the caller in
 * OS_ReadXMLRules treats a negative return as RL_INV_ATTR (the return
 * statements themselves are not visible in this listing).
1191 int _OS_GetRulesAttributes(char **attributes, char **values,
1192 RuleInfo *ruleinfo_pt)
/* Attribute names; all compared with strcasecmp(). */
1196 char *xml_id = "id";
1197 char *xml_level = "level";
1198 char *xml_maxsize = "maxsize";
1199 char *xml_timeframe = "timeframe";
1200 char *xml_frequency = "frequency";
1201 char *xml_accuracy = "accuracy";
1202 char *xml_noalert = "noalert";
1203 char *xml_ignore_time = "ignore";
1204 char *xml_overwrite = "overwrite";
1207 /* Getting attributes */
1208 while(attributes[k])
/* The condition of this first branch is missing from the listing; from
 * the message it is presumably the "attribute without a value" case --
 * verify against the full source. */
1212 merror(RL_EMPTY_ATTR, __local_name, attributes[k]);
1215 /* Getting rule Id */
/* id: digits only, at most 6 of them. */
1216 else if(strcasecmp(attributes[k], xml_id) == 0)
1218 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 6 ))
1220 ruleinfo_pt->sigid = atoi(values[k]);
1224 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
/* level: digits only, at most 3 of them. */
1229 else if(strcasecmp(attributes[k],xml_level) == 0)
1231 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 3))
1233 ruleinfo_pt->level = atoi(values[k]);
1237 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
1241 /* Getting maxsize */
/* maxsize: at most 4 digits; a positive value also turns on
 * DO_EXTRAINFO so the size is available at match time. */
1242 else if(strcasecmp(attributes[k],xml_maxsize) == 0)
1244 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 4))
1246 ruleinfo_pt->maxsize = atoi(values[k]);
1248 /* adding EXTRAINFO options */
1249 if(ruleinfo_pt->maxsize > 0 &&
1250 !(ruleinfo_pt->alert_opts & DO_EXTRAINFO))
1252 ruleinfo_pt->alert_opts |= DO_EXTRAINFO;
1257 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
1261 /* Getting timeframe */
/* timeframe: at most 5 digits. */
1262 else if(strcasecmp(attributes[k],xml_timeframe) == 0)
1264 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 5))
1266 ruleinfo_pt->timeframe = atoi(values[k]);
1270 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
1274 /* Getting frequency */
/* frequency: at most 4 digits.  OS_ReadXMLRules later insists that a
 * rule with a frequency also has an if_matched_* element. */
1275 else if(strcasecmp(attributes[k],xml_frequency) == 0)
1277 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 4))
1279 ruleinfo_pt->frequency = atoi(values[k]);
1283 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
/* accuracy: recognised only to be warned about and ignored (the
 * remaining merror arguments are not in this listing). */
1288 else if(strcasecmp(attributes[k],xml_accuracy) == 0)
1290 merror("%s: XXX: Use of 'accuracy' isn't supported. Ignoring.",
1293 /* Rule ignore_time */
/* ignore (ignore_time): at most 4 digits. */
1294 else if(strcasecmp(attributes[k],xml_ignore_time) == 0)
1296 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 4))
1298 ruleinfo_pt->ignore_time = atoi(values[k]);
1302 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
/* noalert: presence alone sets the bit; the value is not inspected. */
1307 else if(strcasecmp(attributes[k],xml_noalert) == 0)
1309 ruleinfo_pt->alert_opts |= NO_ALERT;
/* overwrite: exactly "yes" or "no" (case-sensitive).  "no" has no
 * visible action -- DO_OVERWRITE simply stays clear. */
1311 else if(strcasecmp(attributes[k], xml_overwrite) == 0)
1313 if(strcmp(values[k], "yes") == 0)
1315 ruleinfo_pt->alert_opts |= DO_OVERWRITE;
1317 else if(strcmp(values[k], "no") == 0)
1322 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
/* Any other attribute name is XML_INVELEM. */
1328 merror(XML_INVELEM, __local_name, attributes[k]);
1339 void OS_PrintRuleinfo(RuleInfo *rule)
1341 debug1("%s: __local_name: Print Rule:%d, level %d, ignore: %d, frequency:%d",