X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Fanalysisd%2Feventinfo.h;h=d01786cc387b086f32f52f8ba9d17e4a7056447c;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=dcfeb93b42bc291f91980acaad03689433a46858;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git diff --git a/src/analysisd/eventinfo.h b/src/analysisd/eventinfo.h old mode 100755 new mode 100644 index dcfeb93..d01786c --- a/src/analysisd/eventinfo.h +++ b/src/analysisd/eventinfo.h @@ -1,27 +1,20 @@ -/* @(#) $Id: eventinfo.h,v 1.37 2009/07/24 18:34:11 dcid Exp $ */ - /* Copyright (C) 2009 Trend Micro Inc. * All right reserved. * * This program is a free software; you can redistribute it * and/or modify it under the terms of the GNU General Public - * License (version 3) as published by the FSF - Free Software + * License (version 2) as published by the FSF - Free Software * Foundation */ - - #ifndef _EVTINFO__H - #define _EVTINFO__H #include "rules.h" #include "decoders/decoder.h" - /* Event Information structure */ -typedef struct _Eventinfo -{ +typedef struct _Eventinfo { /* Extracted from the event */ char *log; char *full_log; @@ -29,10 +22,11 @@ typedef struct _Eventinfo char *hostname; char *program_name; - /* Extracted from the decoders */ char *srcip; + char *srcgeoip; char *dstip; + char *dstgeoip; char *srcport; char *dstport; char *protocol; @@ -45,6 +39,8 @@ typedef struct _Eventinfo char *url; char *data; char *systemname; + char **fields; + /* Pointer to the rule that generated it */ 
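Review bot: `typedef struct _Eventinfo {` rewrites the struct header but keeps a tag that starts with an underscore followed by an uppercase letter, which C reserves for the implementation; the same applies to the `_EVTINFO__H` guard in this hunk and to `struct _EventNode` in the hunk at old line 57. Since these lines are being touched anyway, dropping the underscore (`typedef struct Eventinfo {` … `} Eventinfo;`, with the self-referencing `struct EventNode *next`/`*prev` members updated to match) removes the reserved-name risk at no cost. The license-header change from "version 3" to "version 2" is a change to the distribution terms, not a cleanup; unless the commit message already calls it out explicitly it is easy to miss inside a brace-style diff.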
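Review bot: `char *srcgeoip;` and `char *dstgeoip;` are new pointer members added without an ownership comment, and nothing in this diff shows `Free_Eventinfo` (declared in the last hunk) or the event initialisation path being updated for them; if they are allocated per event they must be released there or every event leaks two strings, and if they are left uninitialised a later free on them is undefined behaviour. The same question applies to `char **fields;` in the next hunk and to the `*_before`/`*_after` string members added in the hunk at old line 57. A comment on each group stating the contract, for example `/* GeoIP results for srcip/dstip; heap-allocated per event, NULL when unavailable, released by Free_Eventinfo */` (assuming that is the intended ownership), would let the .c side be checked against the header.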
@@ -57,43 +53,57 @@ typedef struct _Eventinfo OSListNode *sid_node_to_delete; /* Extract when the event fires a rule */ - int size; - int p_name_size; - + size_t size; + size_t p_name_size; /* Other internal variables */ - short int matched; - - int time; + int matched; + + time_t time; int day; int year; - char hour[9]; + char hour[10]; char mon[4]; -}Eventinfo; + /* SYSCHECK Results variables */ + char *filename; + int perm_before; + int perm_after; + char *md5_before; + char *md5_after; + char *sha1_before; + char *sha1_after; + char *size_before; + char *size_after; + char *owner_before; + char *owner_after; + char *gowner_before; + char *gowner_after; +} Eventinfo; /* Events List structure */ -typedef struct _EventNode -{ +typedef struct _EventNode { Eventinfo *event; struct _EventNode *next; struct _EventNode *prev; -}EventNode; - - - -/** Types of events (from decoders) **/ -#define UNKNOWN 0 /* Unkown */ -#define SYSLOG 1 /* syslog messages */ -#define IDS 2 /* IDS alerts */ -#define FIREWALL 3 /* Firewall events */ -#define WEBLOG 7 /* Apache logs */ -#define SQUID 8 /* Squid logs */ -#define WINDOWS 9 /* Windows logs */ -#define HOST_INFO 10 /* Host information logs (from nmap or similar) */ -#define OSSEC_RL 11 /* Ossec rules */ -#define OSSEC_ALERT 12 /* Ossec Alerts */ - +} EventNode; + +#ifdef TESTRULE +extern int full_output; +extern int alert_only; +#endif + +/* Types of events (from decoders) */ +#define UNKNOWN 0 /* Unknown */ +#define SYSLOG 1 /* syslog messages */ +#define IDS 2 /* IDS alerts */ +#define FIREWALL 3 /* Firewall events */ +#define WEBLOG 7 /* Apache logs */ +#define SQUID 8 /* Squid logs */ +#define DECODER_WINDOWS 9 /* Windows logs */ +#define HOST_INFO 10 /* Host information logs (from nmap or similar) */ +#define OSSEC_RL 11 /* OSSEC rules */ +#define OSSEC_ALERT 12 /* OSSEC alerts */ /* FTS allowed values */ #define FTS_NAME 001000 
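Review bot: `size_t size;`, `size_t p_name_size;` and `time_t time;` widen members that were `int`, but the header change alone carries no hint to callers: any analysisd code that still prints `lf->time` or `lf->size` with `%d`, assigns them to an `int`, or compares them against signed values now has a format/sign mismatch that is undefined behaviour on targets where `time_t` and `size_t` are wider than `int`. The users of these members are outside this hunk, so their callers should be audited in the same change. `char hour[10];` grows from 9 with no stated reason; "HH:MM:SS" plus the terminator needs 9, so a comment such as `char hour[10]; /* "HH:MM:SS" + NUL; extra byte for <reason> */` would record what the slack is for. The re-added `#define UNKNOWN 0` … `#define OSSEC_ALERT 12` block is a candidate for an `enum` so the event type becomes a real type rather than a bare `int`.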
@@ -107,7 +117,6 @@ typedef struct _EventNode #define FTS_SYSTEMNAME 000040 #define FTS_DONE 010000 - /** Functions for events **/ /* Search for matches in the last events */ 
@@ -125,28 +134,29 @@ void Free_Eventinfo(Eventinfo *lf); void OS_AddEvent(Eventinfo *lf); /* Return the last event from the Event list */ -EventNode *OS_GetLastEvent(); +EventNode *OS_GetLastEvent(void); /* Create the event list. Maxsize must be specified */ void OS_CreateEventList(int maxsize); - /* Pointers to the event decoders */ -void *SrcUser_FP(Eventinfo *lf, char *field); -void *DstUser_FP(Eventinfo *lf, char *field); -void *SrcIP_FP(Eventinfo *lf, char *field); -void *DstIP_FP(Eventinfo *lf, char *field); -void *SrcPort_FP(Eventinfo *lf, char *field); -void *DstPort_FP(Eventinfo *lf, char *field); -void *Protocol_FP(Eventinfo *lf, char *field); -void *Action_FP(Eventinfo *lf, char *field); -void *ID_FP(Eventinfo *lf, char *field); -void *Url_FP(Eventinfo *lf, char *field); -void *Data_FP(Eventinfo *lf, char *field); -void *Status_FP(Eventinfo *lf, char *field); -void *SystemName_FP(Eventinfo *lf, char *field); -void *None_FP(Eventinfo *lf, char *field); - +void *SrcUser_FP(Eventinfo *lf, char *field, int order); +void *DstUser_FP(Eventinfo *lf, char *field, int order); +void *SrcIP_FP(Eventinfo *lf, char *field, int order); +void *DstIP_FP(Eventinfo *lf, char *field, int order); +void *SrcPort_FP(Eventinfo *lf, char *field, int order); +void *DstPort_FP(Eventinfo *lf, char *field, int order); +void *Protocol_FP(Eventinfo *lf, char *field, int order); +void *Action_FP(Eventinfo *lf, char *field, int order); +void *ID_FP(Eventinfo *lf, char *field, int order); +void *Url_FP(Eventinfo *lf, char *field, int order); +void *Data_FP(Eventinfo *lf, char *field, int order); +void *Status_FP(Eventinfo *lf, char *field, int order); +void *SystemName_FP(Eventinfo *lf, char *field, int order); +void *FileName_FP(Eventinfo *lf, char *field, int order); +void *DynamicField_FP(Eventinfo *lf, char *field, int order); +void *None_FP(Eventinfo *lf, char *field, int order); #endif /* _EVTINFO__H */ +
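Review bot: The sixteen `*_FP` prototypes gain an `int order` parameter and keep a `void *` return, yet the header says nothing about what `order` indexes, whether `field` is stored into the event or copied (which decides who frees it, given the `char *` members these functions fill), or what the returned pointer means. One block comment above the group stating those three points would make the decoder contract checkable at each call site. `DynamicField_FP` is new and, from its name, presumably writes into the `char **fields` member by `order`; the header gives no length for `fields`, so whatever indexes it by `order` needs a bound against the allocated count. If `field` is only read, `const char *field` would document that as well.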