-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/rules_list.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
* Foundation
*/
-
+
#include "shared.h"
#include "rules.h"
RuleNode *OS_GetFirstRule()
{
RuleNode *rulenode_pt = rulenode;
-
- return(rulenode_pt);
+
+ return(rulenode_pt);
}
/* Search all rules, including childs */
-int _AddtoRule(int sid, int level, int none, char *group,
+int _AddtoRule(int sid, int level, int none, char *group,
RuleNode *r_node, RuleInfo *read_rule)
{
int r_code = 0;
-
+
/* If we don't have the first node, start from
* the beginning of the list
*/
{
/* Checking if the sigid matches */
if(sid)
- {
+ {
if(r_node->ruleinfo->sigid == sid)
{
- /* Assign the category of this rule to the child
+ /* Assign the category of this rule to the child
* as they must match
*/
read_rule->category = r_node->ruleinfo->category;
-
+
/* If no context for rule, check if the parent has
* and use it.
{
read_rule->last_events = r_node->ruleinfo->last_events;
}
-
+
r_node->child=
_OS_AddRule(r_node->child, read_rule);
return(1);
}
}
-
+
/* Checking if the group matches */
else if(group)
{
- if(OS_WordMatch(group, r_node->ruleinfo->group) &&
+ if(OS_WordMatch(group, r_node->ruleinfo->group) &&
(r_node->ruleinfo->sigid != read_rule->sigid))
{
/* If no context for rule, check if the parent has
/* Checking if the level matches */
else if(level)
{
- if((r_node->ruleinfo->level >= level) &&
+ if((r_node->ruleinfo->level >= level) &&
(r_node->ruleinfo->sigid != read_rule->sigid))
{
r_node->child=
r_code = 1;
}
}
-
-
+
+
/* If we are not searching for the sid/group, the category must
- * be the same.
+ * be the same.
*/
else if(read_rule->category != r_node->ruleinfo->category)
{
continue;
}
-
+
/* If none of them is set, add for the category */
else
{
r_node = r_node->next;
}
-
- return(r_code);
+
+ return(r_code);
}
return(1);
}
- /* Adding for if_sid */
+ /* Adding for if_sid */
if(read_rule->if_sid)
{
int val = 0;
char *sid;
-
+
sid = read_rule->if_sid;
-
+
/* Loop to read all the rules (comma or space separated */
do
{
}
}
- /* Adding for if_group */
+ /* Adding for if_group */
else if(read_rule->if_group)
{
if(!_AddtoRule(0, 0, 0, read_rule->if_group, NULL, read_rule))
"found. Invalid 'if_group'.", read_rule->if_group);
}
}
-
+
/* Just add based on the category */
else
{
RuleNode *_OS_AddRule(RuleNode *_rulenode, RuleInfo *read_rule)
{
RuleNode *tmp_rulenode = _rulenode;
-
+
if(tmp_rulenode != NULL)
{
int middle_insertion = 0;
RuleNode *prev_rulenode = NULL;
RuleNode *new_rulenode = NULL;
-
+
while(tmp_rulenode != NULL)
{
if(read_rule->level > tmp_rulenode->ruleinfo->level)
prev_rulenode = tmp_rulenode;
tmp_rulenode = tmp_rulenode->next;
}
-
+
new_rulenode = (RuleNode *)calloc(1,sizeof(RuleNode));
if(!new_rulenode)
{
prev_rulenode->next = new_rulenode;
}
-
+
new_rulenode->next = tmp_rulenode;
new_rulenode->ruleinfo = read_rule;
new_rulenode->child = NULL;
}
-
+
else
{
prev_rulenode->next = new_rulenode;
prev_rulenode->next->ruleinfo = read_rule;
- prev_rulenode->next->next = NULL;
- prev_rulenode->next->child = NULL;
+ prev_rulenode->next->next = NULL;
+ prev_rulenode->next->child = NULL;
}
}
-
+
else
{
_rulenode = (RuleNode *)calloc(1,sizeof(RuleNode));
r_node->ruleinfo->decoded_as = newrule->decoded_as;
r_node->ruleinfo->ar = newrule->ar;
r_node->ruleinfo->compiled_rule = newrule->compiled_rule;
+ if((newrule->context_opts & SAME_DODIFF) && r_node->ruleinfo->last_events == NULL)
+ {
+ r_node->ruleinfo->last_events = newrule->last_events;
+ }
return(1);
}
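Review bot: The added branch makes `r_node->ruleinfo` and `newrule` share a single `last_events` pointer, so two RuleInfo objects now alias the same buffer, and nothing in the hunk says which one owns it; if either is later freed or reset on its own, the other is left dangling. A short comment would pin the contract down, e.g. `/* last_events is borrowed from newrule; not owned or freed through this RuleInfo */`, unless the intent was a copy rather than a pointer share. The `== NULL` guard avoids clobbering a list the rule already has, which looks deliberate and is worth stating in that same comment. The enclosing function begins outside the hunk, so whether `newrule` outlives `r_node->ruleinfo` cannot be confirmed from here.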
while(r_node)
{
- if(OSMatch_Execute(r_node->ruleinfo->group,
+ if(OSMatch_Execute(r_node->ruleinfo->group,
strlen(r_node->ruleinfo->group),
orig_rule->if_matched_group))
{
rule_g++;
}
}
-
- os_realloc(r_node->ruleinfo->group_prev_matched,
+
+ os_realloc(r_node->ruleinfo->group_prev_matched,
(rule_g + 2)*sizeof(OSList *),
- r_node->ruleinfo->group_prev_matched);
-
+ r_node->ruleinfo->group_prev_matched);
+
r_node->ruleinfo->group_prev_matched[rule_g] = NULL;
r_node->ruleinfo->group_prev_matched[rule_g +1] = NULL;
-
+
/* Setting the size */
r_node->ruleinfo->group_prev_matched_sz = rule_g +1;
-
- r_node->ruleinfo->group_prev_matched[rule_g] =
+
+ r_node->ruleinfo->group_prev_matched[rule_g] =
orig_rule->group_search;
}