-/* @(#) $Id: rules.h,v 1.41 2009/06/24 17:06:22 dcid Exp $ */
+/* @(#) $Id: ./src/analysisd/rules.h, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation
*/
#include "shared.h"
#include "active-response.h"
+#include "lists.h"
+
/* Event context - stored on a uint8 */
#define SAME_USER 0x001 /* 1 */
#define DIFFERENT_URL 0x010 /* */
#define SAME_SRCPORT 0x020
#define SAME_DSTPORT 0x040
+#define SAME_DODIFF 0x100
#define NOT_SAME_USER 0xffe /* 0xfff - 0x001 */
#define NOT_SAME_SRCIP 0xffd /* 0xfff - 0x002 */
#define NOT_SAME_ID 0xffb /* 0xfff - 0x004 */
#define DO_FTS 0x001
#define DO_MAILALERT 0x002
#define DO_LOGALERT 0x004
+#define NO_AR 0x008
#define NO_ALERT 0x010
#define DO_OVERWRITE 0x020
#define DO_PACKETINFO 0x040
#define DO_EXTRAINFO 0x100
#define SAME_EXTRAINFO 0x200
+#define RULE_MASTER 1
+#define RULE_SRCIP 2
+#define RULE_SRCPORT 4
+#define RULE_DSTIP 8
+#define RULE_DSTPORT 16
+#define RULE_USER 32
+#define RULE_URL 64
+#define RULE_ID 128
+#define RULE_HOSTNAME 256
+#define RULE_PROGRAM_NAME 512
+#define RULE_STATUS 1024
+#define RULE_ACTION 2048
+
+
+#define RULEINFODETAIL_TEXT 0
+#define RULEINFODETAIL_LINK 1
+#define RULEINFODETAIL_CVE 2
+#define RULEINFODETAIL_OSVDB 3
+#define RULEINFODETAIL_BUGTRACK 4
+
+#define MAX_RULEINFODETAIL 32
+
+typedef struct _RuleInfoDetail
+{
+ int type;
+ char *data;
+ struct _RuleInfoDetail *next;
+}RuleInfoDetail;
typedef struct _RuleInfo
{
int __frequency;
char **last_events;
-
+
/* Not an option in the rule */
u_int16_t alert_opts;
/* category */
u_int8_t category;
-
+
/* Decoded as */
u_int16_t decoded_as;
/* Function pointer to the event_search. */
void *(*event_search)(void *lf, void *rule);
-
+
char *group;
OSMatch *match;
OSMatch *program_name;
OSMatch *extra_data;
char *action;
-
+
char *comment; /* description in the xml */
char *info;
char *cve;
-
+ RuleInfoDetail *info_details;
+ ListRule *lists;
+
char *if_sid;
char *if_level;
char *if_group;
OSRegex *if_matched_regex;
OSMatch *if_matched_group;
int if_matched_sid;
-
+
void *(*compiled_rule)(void *lf);
active_response **ar;
RuleInfo *currently_rule; /* */
+RuleInfoDetail *zeroinfodetails(int type, char *data);
+int get_info_attributes(char **attributes, char **values);
+
/* RuleInfo functions */
-RuleInfo *zerorulemember(int id,
+RuleInfo *zerorulemember(int id,
int level,
- int maxsize,
+ int maxsize,
int frequency,
- int timeframe,
+ int timeframe,
int noalert,
int ignore_time,
int overwrite);
/** Defition of the internal rule IDS **
** These SIGIDs cannot be used **
** **/
-
+
#define STATS_MODULE 11
#define FTS_MODULE 12
-#define SYSCHECK_MODULE 13
+#define SYSCHECK_MODULE 13
#define HOSTINFO_MODULE 15
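Review bot: The new `SAME_DODIFF 0x100` is added under the existing comment `/* Event context - stored on a uint8 */`, which a 9-bit value cannot satisfy; the only flag field visible in the struct is `u_int16_t alert_opts`, so the comment is presumably stale rather than the constant wrong, but the field that actually receives these context bits is not visible in this diff and should be confirmed before changing the comment to `/* Event context - stored on a uint16 */`. The two new prototypes `RuleInfoDetail *zeroinfodetails(int type, char *data);` and `int get_info_attributes(char **attributes, char **values);` carry no documentation: it is not stated whether `data` is duplicated or stored by pointer in `RuleInfoDetail.data` (which decides who frees it), nor what `get_info_attributes` returns, so a comment such as `/* Allocates a RuleInfoDetail of the given RULEINFODETAIL_* type; ownership of data: <copied|stored> */` and one naming the return convention (a `RULEINFODETAIL_*` value or an error sentinel, whichever the implementation uses) would remove that ambiguity. As a point of style, the `RULE_*` bit flags are written in decimal (`2048`) while every other flag block in this header uses hex; `0x800` or `(1 << 11)` would make the bit positions readable at a glance. The `-`/`+` pairs at `last_events`, `zerorulemember` and `SYSCHECK_MODULE` differ only in trailing whitespace and need no review. The header continues past the end of this diff.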