-/* @(#) $Id: generic_samples.c,v 1.2 2009/06/24 17:06:23 dcid Exp $ */
+/* @(#) $Id: ./src/analysisd/compiled_rules/generic_samples.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
-/** Note: If the rule fails to match it should return NULL.
+/** Note: If the rule fails to match it should return NULL.
* If you want processing to continue, return lf (the eventinfo structure).
*/
-
+
/* Example 1:
if(*target_user != *caller_user)
return(lf);
- if(*target_user == '\t' ||
+ if(*target_user == '\t' ||
(*target_user == ' ' && target_user[1] == ' '))
- break;
+ break;
- target_user++;caller_user++;
+ target_user++;caller_user++;
}
/* If we got in here, the accounts are the same.
* So, we return NULL since we only want to alert if they are different.
- */
+ */
return(NULL);
}
+/* Example 4:
+ * Checks if a HTTP request is a simple GET/POST without a query.
+ * This avoid that we call the attack rules for no reason.
+ */
+void *is_simple_http_request(Eventinfo *lf)
+{
+
+ /* Simple GET / request. */
+ if(strcmp(lf->url,"/") == 0)
+ {
+ return(lf);
+ }
+
+
+ /* Simple request, no query. */
+ if(!strchr(lf->url,'?'))
+ {
+ return(lf);
+ }
+
+
+ /* In here, we have an additional query to be checked. */
+ return(NULL);
+}
+
+
+/* Example 5:
+ * Checks if the source ip is from a valid bot.
+ */
+void *is_valid_crawler(Eventinfo *lf)
+{
+ if((strncmp(lf->log, "66.249.",7) == 0)|| /* Google bot */
+ (strncmp(lf->log, "72.14.",6) == 0)|| /* Feedfetcher-Google */
+ (strncmp(lf->log, "209.85.",7) == 0)|| /* Feedfetcher-Google */
+ (strncmp(lf->log, "65.55.",6) == 0)|| /* MSN/Bing */
+ (strncmp(lf->log, "207.46.",7) == 0)|| /* MSN/Bing */
+ (strncmp(lf->log, "74.6.",5) == 0)|| /* Yahoo */
+ (strncmp(lf->log, "72.30.",6) == 0)|| /* Yahoo */
+ (strncmp(lf->log, "67.195.",7) == 0) /* Yahoo */
+ )
+ {
+ return(lf);
+ }
+
+ return(NULL);
+}
+
+
+
/* END generic samples. */
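Review bot: `is_simple_http_request` dereferences `lf->url` in `strcmp(lf->url,"/")` and `strchr(lf->url,'?')` without checking it for NULL, so an event whose decoder did not populate a URL would crash analysisd on this rule rather than just not matching; a guard `if (!lf->url) return(NULL);` at the top of the function keeps a malformed or undecoded request from taking the analysis daemon down. Separately, the "no `?` means no query, so skip the attack rules" heuristic treats every query-less path as harmless, but path-only attacks (traversal sequences, encoded bytes, direct hits on `/cgi-bin/...`) carry no `?`, so whichever rules negate this helper presumably go silent on them — worth a comment on the function stating that it only screens the query string, not the path. In `is_valid_crawler`, the allow-list keys on hard-coded IP prefixes read from the start of `lf->log`; that only holds for log formats whose first field is the remote address, and the prefixes themselves are a point-in-time snapshot of those vendors' ranges, so a comment such as `/* Assumes the log line starts with the client IP; prefixes must be kept current. */` would save the next maintainer from trusting it blindly.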