-/* @(#) $Id: ./src/analysisd/eventinfo.h, 2011/09/08 dcid Exp $
- */
-
/* Copyright (C) 2009 Trend Micro Inc.
* All right reserved.
*
* Foundation
*/
-
-
#ifndef _EVTINFO__H
-
#define _EVTINFO__H
#include "rules.h"
#include "decoders/decoder.h"
-
/* Event Information structure */
-typedef struct _Eventinfo
-{
+typedef struct _Eventinfo {
/* Extracted from the event */
char *log;
char *full_log;
char *hostname;
char *program_name;
-
/* Extracted from the decoders */
char *srcip;
+ char *srcgeoip;
char *dstip;
+ char *dstgeoip;
char *srcport;
char *dstport;
char *protocol;
char *url;
char *data;
char *systemname;
+ char **fields;
+
/* Pointer to the rule that generated it */
OSListNode *sid_node_to_delete;
/* Extract when the event fires a rule */
- int size;
- int p_name_size;
-
+ size_t size;
+ size_t p_name_size;
/* Other internal variables */
- short int matched;
+ int matched;
- int time;
+ time_t time;
int day;
int year;
char hour[10];
char *owner_after;
char *gowner_before;
char *gowner_after;
-}Eventinfo;
-
+} Eventinfo;
/* Events List structure */
-typedef struct _EventNode
-{
+typedef struct _EventNode {
Eventinfo *event;
struct _EventNode *next;
struct _EventNode *prev;
-}EventNode;
-
-
+} EventNode;
-/* For test rule only. */
#ifdef TESTRULE
-int full_output;
-int alert_only;
+extern int full_output;
+extern int alert_only;
#endif
-
-/** Types of events (from decoders) **/
-#define UNKNOWN 0 /* Unkown */
-#define SYSLOG 1 /* syslog messages */
-#define IDS 2 /* IDS alerts */
-#define FIREWALL 3 /* Firewall events */
-#define WEBLOG 7 /* Apache logs */
-#define SQUID 8 /* Squid logs */
-#define DECODER_WINDOWS 9 /* Windows logs */
-#define HOST_INFO 10 /* Host information logs (from nmap or similar) */
-#define OSSEC_RL 11 /* Ossec rules */
-#define OSSEC_ALERT 12 /* Ossec Alerts */
-
+/* Types of events (from decoders) */
+#define UNKNOWN 0 /* Unknown */
+#define SYSLOG 1 /* syslog messages */
+#define IDS 2 /* IDS alerts */
+#define FIREWALL 3 /* Firewall events */
+#define WEBLOG 7 /* Apache logs */
+#define SQUID 8 /* Squid logs */
+#define DECODER_WINDOWS 9 /* Windows logs */
+#define HOST_INFO 10 /* Host information logs (from nmap or similar) */
+#define OSSEC_RL 11 /* OSSEC rules */
+#define OSSEC_ALERT 12 /* OSSEC alerts */
/* FTS allowed values */
#define FTS_NAME 001000
#define FTS_SYSTEMNAME 000040
#define FTS_DONE 010000
-
/** Functions for events **/
/* Search for matches in the last events */
void OS_AddEvent(Eventinfo *lf);
/* Return the last event from the Event list */
-EventNode *OS_GetLastEvent();
+EventNode *OS_GetLastEvent(void);
/* Create the event list. Maxsize must be specified */
void OS_CreateEventList(int maxsize);
-
/* Pointers to the event decoders */
-void *SrcUser_FP(Eventinfo *lf, char *field);
-void *DstUser_FP(Eventinfo *lf, char *field);
-void *SrcIP_FP(Eventinfo *lf, char *field);
-void *DstIP_FP(Eventinfo *lf, char *field);
-void *SrcPort_FP(Eventinfo *lf, char *field);
-void *DstPort_FP(Eventinfo *lf, char *field);
-void *Protocol_FP(Eventinfo *lf, char *field);
-void *Action_FP(Eventinfo *lf, char *field);
-void *ID_FP(Eventinfo *lf, char *field);
-void *Url_FP(Eventinfo *lf, char *field);
-void *Data_FP(Eventinfo *lf, char *field);
-void *Status_FP(Eventinfo *lf, char *field);
-void *SystemName_FP(Eventinfo *lf, char *field);
-void *None_FP(Eventinfo *lf, char *field);
-
+void *SrcUser_FP(Eventinfo *lf, char *field, int order);
+void *DstUser_FP(Eventinfo *lf, char *field, int order);
+void *SrcIP_FP(Eventinfo *lf, char *field, int order);
+void *DstIP_FP(Eventinfo *lf, char *field, int order);
+void *SrcPort_FP(Eventinfo *lf, char *field, int order);
+void *DstPort_FP(Eventinfo *lf, char *field, int order);
+void *Protocol_FP(Eventinfo *lf, char *field, int order);
+void *Action_FP(Eventinfo *lf, char *field, int order);
+void *ID_FP(Eventinfo *lf, char *field, int order);
+void *Url_FP(Eventinfo *lf, char *field, int order);
+void *Data_FP(Eventinfo *lf, char *field, int order);
+void *Status_FP(Eventinfo *lf, char *field, int order);
+void *SystemName_FP(Eventinfo *lf, char *field, int order);
+void *FileName_FP(Eventinfo *lf, char *field, int order);
+void *DynamicField_FP(Eventinfo *lf, char *field, int order);
+void *None_FP(Eventinfo *lf, char *field, int order);
#endif /* _EVTINFO__H */
+
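Review bot: The new `char **fields` member carries no count, so `DynamicField_FP(lf, field, order)` and every reader of `lf->fields[i]` must trust an `order` bound that this header does not state; if the array is sized from the decoder's field order (decoder.h is included but its contents are not visible here), say so next to the member so that a decoder with more fields than the array was allocated for is caught at review rather than as a heap overflow. I would document it as `/* Dynamic decoder fields, indexed by decoder field order; sized and owned by the decoder that filled it — callers must not index past that count (see decoder.h) */`. The same ownership question applies to the added `srcgeoip`/`dstgeoip` strings: the struct comments group them under "Extracted from the decoders" but nothing records who frees them, which matters once `size_t size` is used to compute what is released. The include guard `_EVTINFO__H` is a reserved identifier (leading underscore plus uppercase, and a double underscore); `EVTINFO_H` would avoid the implementation namespace, though that predates this change.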