-/* @(#) $Id$ */
+/* @(#) $Id: ./src/analysisd/decoders/decode-xml.c, 2011/09/08 dcid Exp $
+ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
* License (version 2) as published by the FSF - Free Software
* Foundation.
*
- * License details at the LICENSE file included with OSSEC or
+ * License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
{
return(OSStore_GetPosition(os_decoder_store, name));
}
-
+
return(0);
}
{
int p_id = 0;
char *p_name;
-
+
nnode = node->osdecoder;
- nnode->id = getDecoderfromlist(nnode->name);
-
+ nnode->id = getDecoderfromlist(nnode->name);
+
/* Id can noit be 0 */
if(nnode->id == 0)
{
/* Setting parent name */
nnode->name = p_name;
}
-
-
+
+
/* Id can noit be 0 */
if(nnode->id == 0)
{
{
return(0);
}
-
+
if(strcmp(names[0], "offset") == 0)
{
int offset = 0;
-
+
/* Offsets can be: after_parent, after_prematch
* or after_regex.
*/
merror(INV_OFFSET, ARGV0, values[0]);
offset |= AFTER_ERROR;
}
-
+
return(offset);
}
/* ReaddecodeXML */
int ReadDecodeXML(char *file)
{
-
- debug1("ReadDecoderXML File = %s", file);
OS_XML xml;
XML_NODE node = NULL;
- /* XML variables */
+ /* XML variables */
/* These are the available options for the rule configuration */
-
+
char *xml_plugindecoder = "plugin_decoder";
char *xml_decoder = "decoder";
char *xml_decoder_name = "name";
int i = 0;
OSDecoderInfo *NULL_Decoder_tmp = NULL;
-
-
- /* Reading the XML */
+
+
+ /* Reading the XML */
if((i = OS_ReadXML(file,&xml)) < 0)
{
if((i == -2) && (strcmp(file, XML_LDECODER) == 0))
{
return(-2);
}
-
+
merror(XML_ERROR, ARGV0, file, xml.err, xml.err_line);
return(0);
}
-
+
/* Applying any variable found */
if(OS_ApplyVariables(&xml) != 0)
{
NULL_Decoder = (void *)NULL_Decoder_tmp;
-
+
i = 0;
while(node[i])
{
char *prematch;
char *p_name;
-
- if(!node[i]->element ||
+
+ if(!node[i]->element ||
strcasecmp(node[i]->element, xml_decoder) != 0)
{
merror(XML_INVELEM, ARGV0, node[i]->element);
return(0);
}
-
+
/* Getting name */
if((!node[i]->attributes) || (!node[i]->values)||
return(0);
}
-
+
/* Checking for additional entries */
if(node[i]->attributes[1] && node[i]->values[1])
{
merror(XML_INVELEM, ARGV0, node[i]->element);
return(0);
}
-
+
if(node[i]->attributes[2])
{
merror(XML_INVELEM, ARGV0, node[i]->element);
}
}
-
+
/* Getting decoder options */
elements = OS_GetElementsbyNode(&xml,node[i]);
if(elements == NULL)
merror(MEM_ERROR,ARGV0);
return(0);
}
-
-
+
+
/* Default values to the list */
pi->parent = NULL;
pi->id = 0;
pi->get_next = 0;
pi->regex_offset = 0;
pi->prematch_offset = 0;
-
+
regex = NULL;
prematch = NULL;
p_name = NULL;
-
-
+
+
/* Checking if strdup worked */
if(!pi->name)
{
merror(MEM_ERROR, ARGV0);
return(0);
}
-
+
/* Add decoder */
if(!addDecoder2list(pi->name))
{
merror(XML_VALUENULL, ARGV0, elements[j]->element);
return(0);
}
-
+
/* Checking if it is a child of a rule */
else if(strcasecmp(elements[j]->element, xml_parent) == 0)
{
pi->parent = _loadmemory(pi->parent, elements[j]->content);
}
-
+
/* Getting the regex */
else if(strcasecmp(elements[j]->element,xml_regex) == 0)
{
int r_offset;
r_offset = ReadDecodeAttrs(elements[j]->attributes,
elements[j]->values);
-
+
if(r_offset & AFTER_ERROR)
{
merror(DEC_REGEX_ERROR, ARGV0, pi->name);
return(0);
}
-
- /* Only the first regex entry may have an offset */
+
+ /* Only the first regex entry may have an offset */
if(regex && r_offset)
{
merror(DUP_REGEX, ARGV0, pi->name);
merror(DEC_REGEX_ERROR, ARGV0, pi->name);
return(0);
}
-
+
/* regex offset */
if(r_offset)
{
pi->regex_offset = r_offset;
}
-
+
/* Assign regex */
regex =
_loadmemory(regex,
elements[j]->content);
}
-
+
/* Getting the pre match */
else if(strcasecmp(elements[j]->element,xml_prematch)==0)
{
int r_offset;
-
+
r_offset = ReadDecodeAttrs(
elements[j]->attributes,
elements[j]->values);
ErrorExit(DEC_REGEX_ERROR, ARGV0, pi->name);
}
-
+
/* Only the first prematch entry may have an offset */
if(prematch && r_offset)
{
{
pi->prematch_offset = r_offset;
}
-
+
prematch =
_loadmemory(prematch,
elements[j]->content);
int ed_c = 0;
for(ed_c = 0; plugin_decoders[ed_c] != NULL; ed_c++)
{
- if(strcmp(plugin_decoders[ed_c],
+ if(strcmp(plugin_decoders[ed_c],
elements[j]->content) == 0)
{
/* Initializing plugin */
return(0);
}
}
-
-
+
+
/* Getting the type */
else if(strcmp(elements[j]->element, xml_type) == 0)
{
else if(strcmp(elements[j]->content, "ids") == 0)
pi->type = IDS;
else if(strcmp(elements[j]->content, "web-log") == 0)
- pi->type = WEBLOG;
+ pi->type = WEBLOG;
else if(strcmp(elements[j]->content, "syslog") == 0)
pi->type = SYSLOG;
else if(strcmp(elements[j]->content, "squid") == 0)
pi->type = SQUID;
else if(strcmp(elements[j]->content, "windows") == 0)
- pi->type = WINDOWS;
+ pi->type = WINDOWS;
else if(strcmp(elements[j]->content, "host-information") == 0)
pi->type = HOST_INFO;
else if(strcmp(elements[j]->content, "ossec") == 0)
- pi->type = OSSEC_RL;
+ pi->type = OSSEC_RL;
else
{
merror("%s: Invalid decoder type '%s'.",
return(0);
}
}
-
+
/* Getting the order */
else if(strcasecmp(elements[j]->element,xml_order)==0)
{
char **norder, **s_norder;
int order_int = 0;
-
+
/* Maximum number is 8 for the order */
norder = OS_StrBreak(',',elements[j]->content, 8);
s_norder = norder;
order_int++;
}
order_int = 0;
-
+
/* Checking the values from the order */
while(*norder)
free(s_norder);
}
-
+
/* Getting the fts order */
else if(strcasecmp(elements[j]->element,xml_fts)==0)
{
char **norder;
char **s_norder;
-
+
/* Maximum number is 8 for the fts */
norder = OS_StrBreak(',',elements[j]->content, 8);
if(norder == NULL)
ErrorExit(MEM_ERROR,ARGV0);
-
-
+
+
/* Saving the initial point to free later */
s_norder = norder;
-
-
+
+
/* Checking the values from the fts */
while(*norder)
{
/* NEXT */
j++;
-
+
} /* while(elements[j]) */
-
+
OS_ClearNode(elements);
-
+
/* Prematch must be set */
if(!prematch && !pi->parent && !p_name)
merror(DEC_REGEX_ERROR, ARGV0, pi->name);
return(0);
}
-
+
/* For the offsets */
if(pi->regex_offset & AFTER_PARENT && !pi->parent)
merror(DEC_REGEX_ERROR, ARGV0, pi->name);
return(0);
}
-
+
if(pi->regex_offset & AFTER_PREMATCH)
{
/* If after_prematch is set, but rule have
return(0);
}
}
-
+
/* For the after_regex offset */
if(pi->regex_offset & AFTER_PREVREGEX)
{
return(0);
}
}
-
+
/* Checking the prematch offset */
if(pi->prematch_offset)
}
}
-
+
/* Compiling the regex/prematch */
if(prematch)
{
free(prematch);
}
-
+
/* Compiling the p_name */
if(p_name)
{
free(p_name);
}
-
+
/* We may not have the pi->regex */
if(regex)
{
merror(DECODE_ADD, ARGV0, pi->name);
return(0);
}
-
+
/* Adding osdecoder to the list */
if(!OS_AddOSDecoder(pi))
{
- merror(DECODER_ERROR, ARGV0);
+ merror(DECODER_ERROR, ARGV0);
return(0);
}
/* Cleaning node and XML structures */
OS_ClearNode(node);
-
+
OS_ClearXML(&xml);
int SetDecodeXML()
-{
+{
/* Adding rootcheck decoder to list */
addDecoder2list(ROOTCHECK_MOD);
addDecoder2list(SYSCHECK_MOD);