X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Fanalysisd%2Frules.h;h=ccf035ce0b4deecdd547557da4bfa513f8c41768;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0f77df430ce0c30cba2084c37e785823231e2d78;hpb=301048b51990573e58a30dc4a5bb4ec285cad554;p=ossec-hids.git
diff --git a/src/analysisd/rules.h b/src/analysisd/rules.h
old mode 100755
new mode 100644
index 0f77df4..ccf035c
--- a/src/analysisd/rules.h
+++ b/src/analysisd/rules.h
@@ -1,5 +1,3 @@
-/* @(#) $Id$ */
-
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
@@ -9,24 +7,25 @@
 * Foundation
 */
-
 #ifndef _OS_RULES
-
 #define _OS_RULES
 #define MAX_LAST_EVENTS 11
+#define MAX_TIMEFRAME 604800
+
 #include "shared.h"
 #include "active-response.h"
 #include "lists.h"
-
 /* Event context - stored on a uint8 */
 #define SAME_USER 0x001 /* 1 */
 #define SAME_SRCIP 0x002 /* 2 */
 #define SAME_ID 0x004 /* 4 */
 #define SAME_LOCATION 0x008 /* 8 */
 #define DIFFERENT_URL 0x010 /* */
+#define DIFFERENT_SRCIP 0x200
+#define DIFFERENT_SRCGEOIP 0x400
 #define SAME_SRCPORT 0x020
 #define SAME_DSTPORT 0x040
 #define SAME_DODIFF 0x100
@@ -59,7 +58,6 @@
 #define RULE_STATUS 1024
 #define RULE_ACTION 2048
-
 #define RULEINFODETAIL_TEXT 0
 #define RULEINFODETAIL_LINK 1
 #define RULEINFODETAIL_CVE 2
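Review bot: The new `DIFFERENT_SRCIP 0x200` and `DIFFERENT_SRCGEOIP 0x400` flags are added under the comment `/* Event context - stored on a uint8 */`, which they cannot satisfy; together with the existing `SAME_DODIFF 0x100` these bits only fit the `u_int16_t context_opts` member shown in the later `@@ -102` hunk, so the comment should be corrected, e.g. `/* Event context - bit flags kept in the u_int16_t context_opts member */`, before someone masks them into an 8-bit field. The two defines are also inserted between `0x010` and `0x020`, breaking the numeric order of the list; placing them after `SAME_DODIFF` keeps the free bit positions obvious. `MAX_TIMEFRAME 604800` is a bare magic number: `#define MAX_TIMEFRAME 604800 /* one week, in seconds */` documents the unit, and a note on what it bounds (presumably the rule's `timeframe`, which the header does not show) would help the reader.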
@@ -68,33 +66,36 @@
 #define MAX_RULEINFODETAIL 32
-typedef struct _RuleInfoDetail
-{
+typedef struct _FieldInfo {
+ char *name;
+ OSRegex *regex;
+} FieldInfo;
+
+
+typedef struct _RuleInfoDetail {
 int type;
 char *data;
 struct _RuleInfoDetail *next;
-}RuleInfoDetail;
+} RuleInfoDetail;
-typedef struct _RuleInfo
-{
+typedef struct _RuleInfo {
 int sigid; /* id attribute -- required*/
 int level; /* level attribute --required */
- int maxsize;
+ size_t maxsize;
 int frequency;
 int timeframe;
 u_int8_t context; /* Not an user option */
 int firedtimes; /* Not an user option */
- int time_ignored; /* Not an user option */
+ time_t time_ignored; /* Not an user option */
 int ignore_time;
 int ignore;
 int ckignore;
- int group_prev_matched_sz;
+ unsigned int group_prev_matched_sz;
 int __frequency;
 char **last_events;
-
 /* Not an option in the rule */
 u_int16_t alert_opts;
@@ -102,9 +103,9 @@ typedef struct _RuleInfo
 /* Context options */
 u_int16_t context_opts;
- /* category */
+ /* Category */
 u_int8_t category;
-
+
 /* Decoded as */
 u_int16_t decoded_as;
@@ -124,13 +125,14 @@ typedef struct _RuleInfo
 /* Pointer to group_prev_matched */
 OSList *group_search;
- /* Function pointer to the event_search. */
+ /* Function pointer to the event_search */
 void *(*event_search)(void *lf, void *rule);
-
 char *group;
 OSMatch *match;
+ OSPcre2 *match_pcre2;
 OSRegex *regex;
+ OSPcre2 *pcre2;
 /* Policy-based rules */
 char *day_time;
@@ -138,6 +140,8 @@ typedef struct _RuleInfo
 os_ip **srcip;
 os_ip **dstip;
+ OSMatch *srcgeoip;
+ OSMatch *dstgeoip;
 OSMatch *srcport;
 OSMatch *dstport;
 OSMatch *user;
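Review bot: `maxsize` is widened to `size_t` here, but the `zerorulemember` prototype in the later `@@ -162` hunk keeps `int maxsize`, so a negative value handed to the constructor would become a huge `size_t` when stored in the struct; either change that parameter to `size_t` too or reject negative values in the constructor and say so in its comment. The same hunk changes `time_ignored` to `time_t` while `ignore_time` stays `int`; a comment distinguishing the two (`/* time_ignored: when this rule was last ignored; ignore_time: the ignore window */` — an assumption to confirm against the reader) would stop them being confused. `struct _RuleInfo` opens in this hunk and closes in `@@ -162`.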
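Review bot: The `@@ -124` hunk adds `OSPcre2 *match_pcre2` next to `OSMatch *match` and `OSPcre2 *pcre2` next to `OSRegex *regex` without saying how the pair relates, and the `@@ -147` hunk does the same for eleven more `*_pcre2` members. If only one of each pair is populated per rule, a one-line comment at the first pair such as `/* Each matcher has an OSPcre2 twin; a rule sets at most one of the pair (confirm in the rule reader) */` makes the struct readable without the loader. The `OSMatch *srcgeoip` / `OSMatch *dstgeoip` members added in `@@ -138` would also benefit from a note on what they match (the `*geoip` name suggests a country code, but the header does not show it).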
@@ -147,14 +151,28 @@ typedef struct _RuleInfo
 OSMatch *hostname;
 OSMatch *program_name;
 OSMatch *extra_data;
+ FieldInfo **fields;
+
+
+ OSPcre2 *srcgeoip_pcre2;
+ OSPcre2 *dstgeoip_pcre2;
+ OSPcre2 *srcport_pcre2;
+ OSPcre2 *dstport_pcre2;
+ OSPcre2 *user_pcre2;
+ OSPcre2 *url_pcre2;
+ OSPcre2 *id_pcre2;
+ OSPcre2 *status_pcre2;
+ OSPcre2 *hostname_pcre2;
+ OSPcre2 *program_name_pcre2;
+ OSPcre2 *extra_data_pcre2;
 char *action;
-
+
 char *comment; /* description in the xml */
 char *info;
 char *cve;
 RuleInfoDetail *info_details;
 ListRule *lists;
-
+
 char *if_sid;
 char *if_level;
 char *if_group;
@@ -162,32 +180,31 @@ typedef struct _RuleInfo
 OSRegex *if_matched_regex;
 OSMatch *if_matched_group;
 int if_matched_sid;
-
+
 void *(*compiled_rule)(void *lf);
 active_response **ar;
-}RuleInfo;
+} RuleInfo;
-typedef struct _RuleNode
-{
+typedef struct _RuleNode {
 RuleInfo *ruleinfo;
 struct _RuleNode *next;
 struct _RuleNode *child;
-}RuleNode;
+} RuleNode;
-RuleInfo *currently_rule; /* */
+extern RuleInfo *currently_rule;
-RuleInfoDetail *zeroinfodetails(int type, char *data);
+RuleInfoDetail *zeroinfodetails(int type, const char *data);
 int get_info_attributes(char **attributes, char **values);
 /* RuleInfo functions */
-RuleInfo *zerorulemember(int id,
+RuleInfo *zerorulemember(int id,
 int level,
- int maxsize,
+ int maxsize,
 int frequency,
- int timeframe,
+ int timeframe,
 int noalert,
 int ignore_time,
 int overwrite);
@@ -196,7 +213,7 @@ RuleInfo *zerorulemember(int id,
 /** Rule_list Functions **/
 /* create the rule list */
-void OS_CreateRuleList();
+void OS_CreateRuleList(void);
 /* Add rule information to the list */
 int OS_AddRule(RuleInfo *read_rule);
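Review bot: `FieldInfo **fields` is added with no indication of how the array is bounded — there is no count member beside it, and the header does not say whether it is NULL-terminated — so every consumer has to guess; a comment such as `/* NULL-terminated array of per-field regexes, or NULL (confirm against the rule reader) */` is needed. `FieldInfo` itself (declared in `@@ -68`) carries only `OSRegex *regex` while every other matcher in this struct gains an `OSPcre2` twin; if that asymmetry is deliberate, a comment on `FieldInfo` saying so would prevent someone "completing" it later. `struct _RuleInfo` starts before this hunk and closes in `@@ -162`.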
@@ -213,21 +230,26 @@ int OS_MarkGroup(RuleNode *r_node, RuleInfo *orig_rule);
 /* Mark IDs (if_matched_sid) */
 int OS_MarkID(RuleNode *r_node, RuleInfo *orig_rule);
-
 /* Get first rule */
-RuleNode *OS_GetFirstRule();
+RuleNode *OS_GetFirstRule(void);
+
+void Rules_OP_CreateRules(void);
+int Rules_OP_ReadRules(const char *rulefile);
+
+int AddHash_Rule(RuleNode *node);
+
+int _setlevels(RuleNode *node, int nnode);
+
+/** Definition of the internal rule IDS **
+ ** These SIGIDs cannot be used **
+ ** **/
-/** Defition of the internal rule IDS **
- ** These SIGIDs cannot be used **
- ** **/
-
 #define STATS_MODULE 11
 #define FTS_MODULE 12
-#define SYSCHECK_MODULE 13
+#define SYSCHECK_MODULE 13
 #define HOSTINFO_MODULE 15
-
 #define ROOTCHECK_MOD "rootcheck"
 #define HOSTINFO_NEW "hostinfo_new"
 #define HOSTINFO_MOD "hostinfo_modified"
@@ -237,5 +259,8 @@ RuleNode *OS_GetFirstRule();
 #define SYSCHECK_NEW "syscheck_new_entry"
 #define SYSCHECK_DEL "syscheck_deleted"
+/* Global variables */
+extern int _max_freq;
 #endif /* _OS_RULES */
+
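Review bot: The newly declared `int _setlevels(RuleNode *node, int nnode);` and, in the `@@ -237` hunk, `extern int _max_freq;` use file-scope identifiers that begin with an underscore, which C reserves for the implementation (C11 §7.1.3); the pre-existing `__frequency` member in `@@ -68` and the `_OS_RULES` guard have the same problem, so a rename to `setlevels`/`max_freq` (or `OS_` prefixed names matching the rest of this header) is the right fix, and if that is out of scope for this commit a `/* TODO: reserved identifier */` note should mark them. The new prototypes `Rules_OP_CreateRules`, `Rules_OP_ReadRules`, `AddHash_Rule` and `_setlevels` are the only declarations in this header without the one-line comment their neighbours carry; `Rules_OP_ReadRules(const char *rulefile)` in particular should state its return convention (non-zero on error is a guess the header cannot confirm). `_max_freq` under `/* Global variables */` needs a sentence on what frequency it caps and who sets it.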