X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Fanalysisd%2Feventinfo.c;h=b35fd403ade365481a6c3eca73f9545cb6a3445c;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hp=e3a77b21ef8cc0649de7c089a67f9322509e09df;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/src/analysisd/eventinfo.c b/src/analysisd/eventinfo.c
index e3a77b2..b35fd40 100755
--- a/src/analysisd/eventinfo.c
+++ b/src/analysisd/eventinfo.c
@@ -1,14 +1,15 @@
-/* @(#) $Id: eventinfo.c,v 1.41 2009/06/24 17:06:22 dcid Exp $ */
+/* @(#) $Id: ./src/analysisd/eventinfo.c, 2011/09/08 dcid Exp $
+ */
 /* Copyright (C) 2009 Trend Micro Inc.
 * All rights reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
 * Foundation.
 *
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
 * online at: http://www.ossec.net/en/licensing.html
 */
@@ -16,7 +17,7 @@
 /* Part of the OSSEC.
 * Available at http://www.ossec.net
 */
-
+
 #include "config.h"
@@ -33,8 +34,8 @@ Eventinfo *Search_LastSids(Eventinfo *my_lf, RuleInfo *currently_rule)
 Eventinfo *lf;
 Eventinfo *first_lf;
 OSListNode *lf_node;
-
-
+
+
 /* Setting frequency to 0 */
 currently_rule->__frequency = 0;
@@ -52,12 +53,12 @@ Eventinfo *Search_LastSids(Eventinfo *my_lf, RuleInfo *currently_rule)
 return(NULL);
 }
 first_lf = (Eventinfo *)lf_node->data;
-
+
 do
 {
 lf = (Eventinfo *)lf_node->data;
-
+
 /* If time is outside the timeframe, return */
 if((c_time - lf->time) > currently_rule->timeframe)
 {
@@ -154,19 +155,20 @@ Eventinfo *Search_LastSids(Eventinfo *my_lf, RuleInfo *currently_rule)
 /* Checking if the number of matches worked */
- if(currently_rule->__frequency < currently_rule->frequency)
+ if(currently_rule->__frequency <= 10)
 {
- if(currently_rule->__frequency <= 10)
- {
- currently_rule->last_events[currently_rule->__frequency]
- = lf->full_log;
- currently_rule->last_events[currently_rule->__frequency+1]
- = NULL;
- }
+ currently_rule->last_events[currently_rule->__frequency]
+ = lf->full_log;
+ currently_rule->last_events[currently_rule->__frequency+1]
+ = NULL;
+ }
+ if(currently_rule->__frequency < currently_rule->frequency)
+ {
 currently_rule->__frequency++;
 continue;
 }
+ currently_rule->__frequency++;
 /* If reached here, we matched */
@@ -342,16 +344,16 @@ Eventinfo *Search_LastGroups(Eventinfo *my_lf, RuleInfo *currently_rule)
 }
-/* Search LastEvents.
+/* Search LastEvents.
 * Will look if any of the last events (inside the timeframe)
- * match the specified rule.
+ * match the specified rule.
 */
 Eventinfo *Search_LastEvents(Eventinfo *my_lf, RuleInfo *currently_rule)
 {
 EventNode *eventnode_pt;
 Eventinfo *lf;
 Eventinfo *first_lf;
-
+
 merror("XXXX : remove me!");
@@ -363,17 +365,17 @@ Eventinfo *Search_LastEvents(Eventinfo *my_lf, RuleInfo *currently_rule)
 /* Nothing found */
 return(NULL);
 }
-
+
 /* Setting frequency to 0 */
 currently_rule->__frequency = 0;
 first_lf = (Eventinfo *)eventnode_pt->event;
-
-
+
+
 /* Searching all previous events */
 do
 {
 lf = eventnode_pt->event;
-
+
 /* If time is outside the timeframe, return */
 if((c_time - lf->time) > currently_rule->timeframe)
 {
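Review bot: The new `if(currently_rule->__frequency <= 10)` guard still indexes `last_events[currently_rule->__frequency+1]`, so with `__frequency == 10` it writes slot 11; the capacity of `last_events` is not visible in this hunk, so the bound should be checked against, and ideally spelled as, the array's size constant rather than the literal 10. The reordering also records the final matching event and now increments `__frequency` on the match path, but the equivalent block in Search_LastEvents (hunk `@@ -451,33 +453,33 @@`) keeps the old order, so the two searches now fill `last_events` differently; the same rewrite should be applied there or the difference documented. Search_LastSids continues outside the hunk on both sides.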
@@ -381,22 +383,22 @@ Eventinfo *Search_LastEvents(Eventinfo *my_lf, RuleInfo *currently_rule)
 }
- /* We avoid multiple triggers for the same rule
+ /* We avoid multiple triggers for the same rule
 * or rules with a lower level. */
 else if(lf->matched >= currently_rule->level)
 {
 return(NULL);
 }
-
-
+
+
 /* The category must be the same */
 else if(lf->decoder_info->type != my_lf->decoder_info->type)
 {
- continue;
+ continue;
 }
-
-
+
+
 /* If regex does not match, go to next */
 if(currently_rule->if_matched_regex)
 {
@@ -412,27 +414,27 @@ Eventinfo *Search_LastEvents(Eventinfo *my_lf, RuleInfo *currently_rule)
 {
 if((!lf->dstuser)||(!my_lf->dstuser))
 continue;
-
+
 if(strcmp(lf->dstuser,my_lf->dstuser) != 0)
 continue;
 }
-
+
 /* Checking for same id */
 if(currently_rule->context_opts & SAME_ID)
 {
 if((!lf->id) || (!my_lf->id))
 continue;
-
+
 if(strcmp(lf->id,my_lf->id) != 0)
- continue;
+ continue;
 }
-
+
 /* Checking for repetitions from same src_ip */
 if(currently_rule->context_opts & SAME_SRCIP)
 {
 if((!lf->srcip)||(!my_lf->srcip))
 continue;
-
+
 if(strcmp(lf->srcip,my_lf->srcip) != 0)
 continue;
 }
@@ -451,33 +453,33 @@ Eventinfo *Search_LastEvents(Eventinfo *my_lf, RuleInfo *currently_rule)
 }
 }
-
- /* Checking if the number of matches worked */
+
+ /* Checking if the number of matches worked */
 if(currently_rule->__frequency < currently_rule->frequency)
 {
 if(currently_rule->__frequency <= 10)
 {
- currently_rule->last_events[currently_rule->__frequency]
+ currently_rule->last_events[currently_rule->__frequency]
 = lf->full_log;
- currently_rule->last_events[currently_rule->__frequency+1]
+ currently_rule->last_events[currently_rule->__frequency+1]
 = NULL;
 }
-
+
 currently_rule->__frequency++;
 continue;
 }
-
-
+
+
 /* If reached here, we matched */
 my_lf->matched = currently_rule->level;
 lf->matched = currently_rule->level;
 first_lf->matched = currently_rule->level;
-
- return(lf);
-
+
+ return(lf);
+
 }while((eventnode_pt = eventnode_pt->next) != NULL);
-
+
 return(NULL);
 }
@@ -508,7 +510,7 @@ void Zero_Eventinfo(Eventinfo *lf)
 lf->time = 0;
 lf->matched = 0;
-
+
 lf->year = 0;
 lf->mon[3] = '\0';
 lf->hour[9] = '\0';
@@ -517,7 +519,23 @@ void Zero_Eventinfo(Eventinfo *lf)
 lf->generated_rule = NULL;
 lf->sid_node_to_delete = NULL;
 lf->decoder_info = NULL_Decoder;
-
+
+ #ifdef PRELUDE
+ lf->filename = NULL;
+ lf->perm_before = 0;
+ lf->perm_after = 0;
+ lf->md5_before = NULL;
+ lf->md5_after = NULL;
+ lf->sha1_before = NULL;
+ lf->sha1_after = NULL;
+ lf->size_before = NULL;
+ lf->size_after = NULL;
+ lf->owner_before = NULL;
+ lf->owner_after = NULL;
+ lf->gowner_before = NULL;
+ lf->gowner_after = NULL;
+ #endif
+
 return;
 }
@@ -529,11 +547,11 @@ void Free_Eventinfo(Eventinfo *lf)
 merror("%s: Trying to free NULL event. Inconsistent..",ARGV0);
 return;
 }
-
+
 if(lf->full_log)
- free(lf->full_log);
+ free(lf->full_log);
 if(lf->location)
- free(lf->location);
+ free(lf->location);
 if(lf->srcip)
 free(lf->srcip);
@@ -546,13 +564,13 @@ void Free_Eventinfo(Eventinfo *lf)
 if(lf->protocol)
 free(lf->protocol);
 if(lf->action)
- free(lf->action);
+ free(lf->action);
 if(lf->status)
 free(lf->status);
 if(lf->srcuser)
 free(lf->srcuser);
 if(lf->dstuser)
- free(lf->dstuser);
+ free(lf->dstuser);
 if(lf->id)
 free(lf->id);
 if(lf->command)
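Review bot: The added `#ifdef PRELUDE` block in Zero_Eventinfo resets the new members only when PRELUDE is defined; if those members of Eventinfo are declared unconditionally (their declaration is not in this diff), a non-PRELUDE build leaves the pointers uninitialized while the matching frees in Free_Eventinfo (hunk `@@ -561,15 +579,39 @@`) are compiled out, so the guard should match whatever gates the struct members. `perm_before`/`perm_after` are set to `0` while every other new field is set to `NULL`, which suggests they are integers rather than owned strings; a short comment above the block such as `/* Prelude file-attribute fields; the pointers are owned and freed in Free_Eventinfo */` would make that ownership explicit. Zero_Eventinfo begins outside the hunk.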
@@ -561,15 +579,39 @@ void Free_Eventinfo(Eventinfo *lf)
 free(lf->url);
 if(lf->data)
- free(lf->data);
+ free(lf->data);
 if(lf->systemname)
- free(lf->systemname);
-
+ free(lf->systemname);
+
+ #ifdef PRELUDE
+ if(lf->filename)
+ free(lf->filename);
+ if (lf->md5_before)
+ free(lf->md5_before);
+ if (lf->md5_after)
+ free(lf->md5_after);
+ if (lf->sha1_before)
+ free(lf->sha1_before);
+ if (lf->sha1_after)
+ free(lf->sha1_after);
+ if (lf->size_before)
+ free(lf->size_before);
+ if (lf->size_after)
+ free(lf->size_after);
+ if (lf->owner_before)
+ free(lf->owner_before);
+ if (lf->owner_after)
+ free(lf->owner_after);
+ if (lf->gowner_before)
+ free(lf->gowner_before);
+ if (lf->gowner_after)
+ free(lf->gowner_after);
+ #endif
 /* Freeing node to delete */
 if(lf->sid_node_to_delete)
 {
- OSList_DeleteThisNode(lf->generated_rule->sid_prev_matched,
+ OSList_DeleteThisNode(lf->generated_rule->sid_prev_matched,
 lf->sid_node_to_delete);
 }
 else if(lf->generated_rule && lf->generated_rule->group_prev_matched)
@@ -580,16 +622,16 @@ void Free_Eventinfo(Eventinfo *lf)
 {
 OSList_DeleteOldestNode(lf->generated_rule->group_prev_matched[i]);
 i++;
- }
+ }
 }
-
+
 /* We dont need to free:
 * fts
 * comment
 */
 free(lf);
- lf = NULL;
-
+ lf = NULL;
+
 return;
 }
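Review bot: The new PRELUDE cleanup mixes `if(lf->filename)` with `if (lf->md5_before)` spacing, while the rest of Free_Eventinfo writes `if(`; the added lines should follow the file's form. The `#endif` runs straight into the `/* Freeing node to delete */` comment with no separating blank line, unlike every other section of this function. Since `free(NULL)` is a no-op the eleven guards could be dropped, but the existing frees in this function keep them, so consistency argues for leaving them as written. Free_Eventinfo continues on both sides of the hunk.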