X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Fanalysisd%2Frules_list.c;h=f8bd8a713c6dfcd28b3953235c128e2520e79806;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=c8613fa324e13fe8cff16e28361a7c4dc0673b0b;hpb=301048b51990573e58a30dc4a5bb4ec285cad554;p=ossec-hids.git
diff --git a/src/analysisd/rules_list.c b/src/analysisd/rules_list.c
old mode 100755
new mode 100644
index c8613fa..f8bd8a7
--- a/src/analysisd/rules_list.c
+++ b/src/analysisd/rules_list.c
@@ -1,5 +1,3 @@
-/* @(#) $Id$ */
-
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
@@ -9,337 +7,278 @@ * Foundation */ - #include "shared.h" #include "rules.h" -/* Rulenode global */ -RuleNode *rulenode; +/* Rulenode local */ +static RuleNode *rulenode; /* _OS_Addrule: Internal AddRule */ -RuleNode *_OS_AddRule(RuleNode *_rulenode, RuleInfo *read_rule); +static RuleNode *_OS_AddRule(RuleNode *_rulenode, RuleInfo *read_rule); +static int _AddtoRule(int sid, int level, int none, const char *group, + RuleNode *r_node, RuleInfo *read_rule); /* Create the RuleList */ void OS_CreateRuleList() { rulenode = NULL; - return; } - /* Get first node from rule */ RuleNode *OS_GetFirstRule() { RuleNode *rulenode_pt = rulenode; - - return(rulenode_pt); + return (rulenode_pt); } - -/* Search all rules, including childs */ -int _AddtoRule(int sid, int level, int none, char *group, +/* Search all rules, including children */ +static int _AddtoRule(int sid, int level, int none, const char *group, RuleNode *r_node, RuleInfo *read_rule) { int r_code = 0; - + /* If we don't have the first node, start from * the beginning of the list */ - if(!r_node) - { + if (!r_node) { r_node = OS_GetFirstRule(); } - while(r_node) - { - /* Checking if the sigid matches */ - if(sid) - { - if(r_node->ruleinfo->sigid == sid) - { - /* Assign the category of this rule to the child + while (r_node) { + /* Check if the sigid matches */ + if (sid) { + if (r_node->ruleinfo->sigid == sid) { + /* Assign the category of this rule to the child * as they must match */ read_rule->category = r_node->ruleinfo->category; - - /* If no context for rule, check if the parent has - * and use it. 
+ /* If no context for rule, check if the parent has context + * and use that */ - if(!read_rule->last_events && r_node->ruleinfo->last_events) - { + if (!read_rule->last_events && r_node->ruleinfo->last_events) { read_rule->last_events = r_node->ruleinfo->last_events; } - - r_node->child= + + r_node->child = _OS_AddRule(r_node->child, read_rule); - return(1); + return (1); } } - - /* Checking if the group matches */ - else if(group) - { - if(OS_WordMatch(group, r_node->ruleinfo->group) && - (r_node->ruleinfo->sigid != read_rule->sigid)) - { - /* If no context for rule, check if the parent has - * and use it. + + /* Check if the group matches */ + else if (group) { + if (OS_WordMatch(group, r_node->ruleinfo->group) && + (r_node->ruleinfo->sigid != read_rule->sigid)) { + /* If no context for rule, check if the parent has context + * and use that */ - if(!read_rule->last_events && r_node->ruleinfo->last_events) - { + if (!read_rule->last_events && r_node->ruleinfo->last_events) { read_rule->last_events = r_node->ruleinfo->last_events; } - /* We will loop on all rules until we find */ + /* Loop over all rules until we find it */ r_node->child = _OS_AddRule(r_node->child, read_rule); r_code = 1; } } - /* Checking if the level matches */ - else if(level) - { - if((r_node->ruleinfo->level >= level) && - (r_node->ruleinfo->sigid != read_rule->sigid)) - { - r_node->child= + /* Check if the level matches */ + else if (level) { + if ((r_node->ruleinfo->level >= level) && + (r_node->ruleinfo->sigid != read_rule->sigid)) { + r_node->child = _OS_AddRule(r_node->child, read_rule); r_code = 1; } } - - + /* If we are not searching for the sid/group, the category must - * be the same. 
+ * be the same */ - else if(read_rule->category != r_node->ruleinfo->category) - { + else if (read_rule->category != r_node->ruleinfo->category) { r_node = r_node->next; continue; } - - /* If none of them is set, add for the category */ - else - { - /* Setting the parent category to it */ + /* If none of them are set, add for the category */ + else { + /* Set the parent category to it */ read_rule->category = r_node->ruleinfo->category; r_node->child = - _OS_AddRule(r_node->child, read_rule); - return(1); + _OS_AddRule(r_node->child, read_rule); + return (1); } - /* Checking if the child has a rule */ - if(r_node->child) - { - if(_AddtoRule(sid, level, none, group, r_node->child, read_rule)) - { + /* Check if the child has a rule */ + if (r_node->child) { + if (_AddtoRule(sid, level, none, group, r_node->child, read_rule)) { r_code = 1; } } r_node = r_node->next; } - - return(r_code); -} + return (r_code); +} /* Add a child */ int OS_AddChild(RuleInfo *read_rule) { - if(!read_rule) - { + if (!read_rule) { merror("rules_list: Passing a NULL rule. Inconsistent state"); - return(1); + return (1); } - /* Adding for if_sid */ - if(read_rule->if_sid) - { + /* Adding for if_sid */ + if (read_rule->if_sid) { int val = 0; - char *sid; - + const char *sid; + sid = read_rule->if_sid; - - /* Loop to read all the rules (comma or space separated */ - do - { + + /* Loop to read all the rules (comma or space separated) */ + do { int rule_id = 0; - if((*sid == ',')||(*sid == ' ')) - { + if ((*sid == ',') || (*sid == ' ')) { val = 0; continue; - } - else if((isdigit((int)*sid)) || (*sid == '\0')) - { - if(val == 0) - { + } else if ((isdigit((int)*sid)) || (*sid == '\0')) { + if (val == 0) { rule_id = atoi(sid); - if(!_AddtoRule(rule_id, 0, 0, NULL, NULL, read_rule)) - { + if (!_AddtoRule(rule_id, 0, 0, NULL, NULL, read_rule)) { ErrorExit("rules_list: Signature ID '%d' not " "found. 
Invalid 'if_sid'.", rule_id); } val = 1; } - } - else - { + } else { ErrorExit("rules_list: Signature ID must be an integer. " "Exiting..."); } - }while(*sid++ != '\0'); + } while (*sid++ != '\0'); } /* Adding for if_level */ - else if(read_rule->if_level) - { + else if (read_rule->if_level) { int ilevel = 0; ilevel = atoi(read_rule->if_level); - if(ilevel == 0) - { - merror("%s: Invalid level (atoi)",ARGV0); - return(1); + if (ilevel == 0) { + merror("%s: Invalid level (atoi)", ARGV0); + return (1); } - ilevel*=100; + ilevel *= 100; - if(!_AddtoRule(0, ilevel, 0, NULL, NULL, read_rule)) - { + if (!_AddtoRule(0, ilevel, 0, NULL, NULL, read_rule)) { ErrorExit("rules_list: Level ID '%d' not " - "found. Invalid 'if_level'.", ilevel); + "found. Invalid 'if_level'.", ilevel); } } - /* Adding for if_group */ - else if(read_rule->if_group) - { - if(!_AddtoRule(0, 0, 0, read_rule->if_group, NULL, read_rule)) - { + /* Adding for if_group */ + else if (read_rule->if_group) { + if (!_AddtoRule(0, 0, 0, read_rule->if_group, NULL, read_rule)) { ErrorExit("rules_list: Group '%s' not " "found. Invalid 'if_group'.", read_rule->if_group); } } - + /* Just add based on the category */ - else - { - if(!_AddtoRule(0, 0, 0, NULL, NULL, read_rule)) - { + else { + if (!_AddtoRule(0, 0, 0, NULL, NULL, read_rule)) { ErrorExit("rules_list: Category '%d' not " - "found. Invalid 'category'.", read_rule->category); + "found. 
Invalid 'category'.", read_rule->category); } } /* done over here */ - return(0); + return (0); } - - /* Add a rule in the chain */ -RuleNode *_OS_AddRule(RuleNode *_rulenode, RuleInfo *read_rule) +static RuleNode *_OS_AddRule(RuleNode *_rulenode, RuleInfo *read_rule) { RuleNode *tmp_rulenode = _rulenode; - - if(tmp_rulenode != NULL) - { + if (tmp_rulenode != NULL) { int middle_insertion = 0; RuleNode *prev_rulenode = NULL; RuleNode *new_rulenode = NULL; - - while(tmp_rulenode != NULL) - { - if(read_rule->level > tmp_rulenode->ruleinfo->level) - { + + while (tmp_rulenode != NULL) { + if (read_rule->level > tmp_rulenode->ruleinfo->level) { middle_insertion = 1; break; } prev_rulenode = tmp_rulenode; tmp_rulenode = tmp_rulenode->next; } - - new_rulenode = (RuleNode *)calloc(1,sizeof(RuleNode)); - if(!new_rulenode) - { - ErrorExit(MEM_ERROR,ARGV0); + new_rulenode = (RuleNode *)calloc(1, sizeof(RuleNode)); + + if (!new_rulenode) { + ErrorExit(MEM_ERROR, ARGV0, errno, strerror(errno)); } - if(middle_insertion == 1) - { - if(prev_rulenode == NULL) - { + if (middle_insertion == 1) { + if (prev_rulenode == NULL) { _rulenode = new_rulenode; - } - else - { + } else { prev_rulenode->next = new_rulenode; } - + new_rulenode->next = tmp_rulenode; new_rulenode->ruleinfo = read_rule; new_rulenode->child = NULL; - } - - else - { + } else { prev_rulenode->next = new_rulenode; prev_rulenode->next->ruleinfo = read_rule; - prev_rulenode->next->next = NULL; - prev_rulenode->next->child = NULL; + prev_rulenode->next->next = NULL; + prev_rulenode->next->child = NULL; } - } - - else - { - _rulenode = (RuleNode *)calloc(1,sizeof(RuleNode)); - if(_rulenode == NULL) - { - ErrorExit(MEM_ERROR,ARGV0); + } else { + _rulenode = (RuleNode *)calloc(1, sizeof(RuleNode)); + if (_rulenode == NULL) { + ErrorExit(MEM_ERROR, ARGV0, errno, strerror(errno)); } _rulenode->ruleinfo = read_rule; _rulenode->next = NULL; - _rulenode->child= NULL; + _rulenode->child = NULL; } - return(_rulenode); + return 
(_rulenode); } /* External AddRule */ int OS_AddRule(RuleInfo *read_rule) { - rulenode = _OS_AddRule(rulenode,read_rule); + rulenode = _OS_AddRule(rulenode, read_rule); - return(0); + return (0); } - /* Update rule info for overwritten ones */ int OS_AddRuleInfo(RuleNode *r_node, RuleInfo *newrule, int sid) { /* If no r_node is given, get first node */ - if(r_node == NULL) - { + if (r_node == NULL) { r_node = OS_GetFirstRule(); } - if(sid == 0) - return(0); + if (sid == 0) { + return (0); + } - while(r_node) - { - /* Checking if the sigid matches */ - if(r_node->ruleinfo->sigid == sid) - { + while (r_node) { + /* Check if the sigid matches */ + if (r_node->ruleinfo->sigid == sid) { r_node->ruleinfo->level = newrule->level; r_node->ruleinfo->maxsize = newrule->maxsize; r_node->ruleinfo->frequency = newrule->frequency; 
@@ -375,117 +314,101 @@ int OS_AddRuleInfo(RuleNode *r_node, RuleInfo *newrule, int sid) r_node->ruleinfo->decoded_as = newrule->decoded_as; r_node->ruleinfo->ar = newrule->ar; r_node->ruleinfo->compiled_rule = newrule->compiled_rule; + if ((newrule->context_opts & SAME_DODIFF) && r_node->ruleinfo->last_events == NULL) { + r_node->ruleinfo->last_events = newrule->last_events; + } - return(1); + return (1); } - /* Checking if the child has a rule */ - if(r_node->child) - { - if(OS_AddRuleInfo(r_node->child, newrule, sid)) - { - return(1); + /* Check if the child has a rule */ + if (r_node->child) { + if (OS_AddRuleInfo(r_node->child, newrule, sid)) { + return (1); } } r_node = r_node->next; } - return(0); + return (0); } - /* Mark rules that match specific id (for if_matched_sid) */ int OS_MarkID(RuleNode *r_node, RuleInfo *orig_rule) { /* If no r_node is given, get first node */ - if(r_node == NULL) - { + if (r_node == NULL) { r_node = OS_GetFirstRule(); } - while(r_node) - { - if(r_node->ruleinfo->sigid == orig_rule->if_matched_sid) - { + while (r_node) { + if (r_node->ruleinfo->sigid == orig_rule->if_matched_sid) { /* If child does not have a list, create one */ - if(!r_node->ruleinfo->sid_prev_matched) - { + if (!r_node->ruleinfo->sid_prev_matched) { r_node->ruleinfo->sid_prev_matched = OSList_Create(); - if(!r_node->ruleinfo->sid_prev_matched) - { - ErrorExit(MEM_ERROR, ARGV0); + if (!r_node->ruleinfo->sid_prev_matched) { + ErrorExit(MEM_ERROR, ARGV0, errno, strerror(errno)); } } - /* Assigning the parent pointer to it */ + /* Assign the parent pointer to it */ orig_rule->sid_search = r_node->ruleinfo->sid_prev_matched; } - - /* Checking if the child has a rule */ - if(r_node->child) - { + /* Check if the child has a rule */ + if (r_node->child) { OS_MarkID(r_node->child, orig_rule); } r_node = r_node->next; } - return(0); + return (0); } - - /* Mark rules that match specific group (for if_matched_group) */ int OS_MarkGroup(RuleNode *r_node, RuleInfo 
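Review bot: The if_sid parser in OS_AddChild still classifies bytes with `isdigit((int)*sid)`; where `char` is signed, a byte above 0x7F reaches isdigit() as a negative int, which the <ctype.h> functions do not accept, so the cast should be `isdigit((unsigned char)*sid)`. The ids themselves are converted with `atoi(sid)`, which cannot report a malformed or out-of-range token (overflow is undefined for atoi), so a bad id silently becomes some other number before `_AddtoRule` looks it up; `strtol` with an end pointer and an `errno == ERANGE` check would let the existing "Signature ID must be an integer" ErrorExit cover that case too. The same `atoi` pattern is used for if_level a few lines below, where a negative value passes the `ilevel == 0` check and then matches every rule in the `level >= level` comparison inside _AddtoRule. Minor style point: the `(RuleNode *)` casts on the two calloc() calls in _OS_AddRule are unnecessary in C and can be dropped.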
*orig_rule) { /* If no r_node is given, get first node */ - if(r_node == NULL) - { + if (r_node == NULL) { r_node = OS_GetFirstRule(); } - while(r_node) - { - if(OSMatch_Execute(r_node->ruleinfo->group, - strlen(r_node->ruleinfo->group), - orig_rule->if_matched_group)) - { - int rule_g = 0; - if(r_node->ruleinfo->group_prev_matched) - { - while(r_node->ruleinfo->group_prev_matched[rule_g]) - { + while (r_node) { + if (OSMatch_Execute(r_node->ruleinfo->group, + strlen(r_node->ruleinfo->group), + orig_rule->if_matched_group)) { + unsigned int rule_g = 0; + if (r_node->ruleinfo->group_prev_matched) { + while (r_node->ruleinfo->group_prev_matched[rule_g]) { rule_g++; } } - - os_realloc(r_node->ruleinfo->group_prev_matched, + + os_realloc(r_node->ruleinfo->group_prev_matched, (rule_g + 2)*sizeof(OSList *), - r_node->ruleinfo->group_prev_matched); - + r_node->ruleinfo->group_prev_matched); + r_node->ruleinfo->group_prev_matched[rule_g] = NULL; - r_node->ruleinfo->group_prev_matched[rule_g +1] = NULL; - - /* Setting the size */ - r_node->ruleinfo->group_prev_matched_sz = rule_g +1; - - r_node->ruleinfo->group_prev_matched[rule_g] = - orig_rule->group_search; - } + r_node->ruleinfo->group_prev_matched[rule_g + 1] = NULL; + + /* Set the size */ + r_node->ruleinfo->group_prev_matched_sz = rule_g + 1; + r_node->ruleinfo->group_prev_matched[rule_g] = + orig_rule->group_search; + } - /* Checking if the child has a rule */ - if(r_node->child) - { + /* Check if the child has a rule */ + if (r_node->child) { OS_MarkGroup(r_node->child, orig_rule); } r_node = r_node->next; } - return(0); + return (0); } -/* EOF */ +
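Review bot: The new SAME_DODIFF branch in OS_AddRuleInfo makes the overwritten node's RuleInfo and `newrule` share a single `last_events` pointer, and nothing in the hunk states which of the two owns that buffer or what happens to it when the replacement rule is released; if the caller frees `newrule` together with its `last_events`, the surviving node is left with a dangling pointer (the caller is not visible here, so this may already be handled). A one-line comment above the assignment stating the ownership rule, e.g. `/* last_events is shared with newrule; the overwriting rule must outlive this node */`, would make the invariant explicit. The condition also copies only when the node has no list yet, so an overwriting rule that sets SAME_DODIFF on a rule which already has `last_events` is silently ignored — worth a comment if that is intended.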