/* Rules_OP_ReadRules, v0.3, 2005/03/21
* Read the log rules.
* v0.3: Fixed many memory problems.
/* Rules_OP_ReadRules, v0.3, 2005/03/21
* Read the log rules.
* v0.3: Fixed many memory problems.
char *xml_comment = "description";
char *xml_ignore = "ignore";
char *xml_check_if_ignored = "check_if_ignored";
char *xml_comment = "description";
char *xml_ignore = "ignore";
char *xml_check_if_ignored = "check_if_ignored";
char *xml_srcip = "srcip";
char *xml_srcport = "srcport";
char *xml_dstip = "dstip";
char *xml_srcip = "srcip";
char *xml_srcport = "srcport";
char *xml_dstip = "dstip";
char *xml_status = "status";
char *xml_action = "action";
char *xml_compiled = "compiled_rule";
char *xml_status = "status";
char *xml_action = "action";
char *xml_compiled = "compiled_rule";
char *xml_if_sid = "if_sid";
char *xml_if_group = "if_group";
char *xml_if_level = "if_level";
char *xml_fts = "if_fts";
char *xml_if_sid = "if_sid";
char *xml_if_group = "if_group";
char *xml_if_level = "if_level";
char *xml_fts = "if_fts";
char *xml_if_matched_regex = "if_matched_regex";
char *xml_if_matched_group = "if_matched_group";
char *xml_if_matched_sid = "if_matched_sid";
char *xml_if_matched_regex = "if_matched_regex";
char *xml_if_matched_group = "if_matched_group";
char *xml_if_matched_sid = "if_matched_sid";
char *xml_same_source_ip = "same_source_ip";
char *xml_same_src_port = "same_src_port";
char *xml_same_dst_port = "same_dst_port";
char *xml_same_source_ip = "same_source_ip";
char *xml_same_src_port = "same_src_port";
char *xml_same_dst_port = "same_dst_port";
char *xml_notsame_source_ip = "not_same_source_ip";
char *xml_notsame_user = "not_same_user";
char *xml_notsame_agent = "not_same_agent";
char *xml_notsame_id = "not_same_id";
char *xml_options = "options";
char *xml_notsame_source_ip = "not_same_source_ip";
char *xml_notsame_user = "not_same_user";
char *xml_notsame_agent = "not_same_agent";
char *xml_notsame_id = "not_same_id";
char *xml_options = "options";
debug1("%s is the rulefile", rulefile);
debug1("Not modifing the rule path");
}
debug1("%s is the rulefile", rulefile);
debug1("Not modifing the rule path");
}
if(OS_ReadXML(rulepath,&xml) < 0)
{
merror(XML_ERROR, __local_name, rulepath, xml.err, xml.err_line);
if(OS_ReadXML(rulepath,&xml) < 0)
{
merror(XML_ERROR, __local_name, rulepath, xml.err, xml.err_line);
/* Getting the root elements */
node = OS_GetElementsbyNode(&xml, NULL);
/* Getting the root elements */
node = OS_GetElementsbyNode(&xml, NULL);
- char *regex = NULL, *match = NULL, *url = NULL,
+ char *regex = NULL, *match = NULL, *url = NULL,
*if_matched_regex = NULL, *if_matched_group = NULL,
*user = NULL, *id = NULL, *srcport = NULL,
*dstport = NULL, *status = NULL, *hostname = NULL,
*extra_data = NULL, *program_name = NULL;
*if_matched_regex = NULL, *if_matched_group = NULL,
*user = NULL, *id = NULL, *srcport = NULL,
*dstport = NULL, *status = NULL, *hostname = NULL,
*extra_data = NULL, *program_name = NULL;
rule_opt = OS_GetElementsbyNode(&xml, rule[j]);
if(rule_opt == NULL)
{
merror(RL_NO_OPT, __local_name, config_ruleinfo->sigid);
OS_ClearXML(&xml);
rule_opt = OS_GetElementsbyNode(&xml, rule[j]);
if(rule_opt == NULL)
{
merror(RL_NO_OPT, __local_name, config_ruleinfo->sigid);
OS_ClearXML(&xml);
realloc(config_ruleinfo->srcip,
(ip_s + 2) * sizeof(os_ip *));
/* Allocating memory for the individual entries */
realloc(config_ruleinfo->srcip,
(ip_s + 2) * sizeof(os_ip *));
/* Allocating memory for the individual entries */
config_ruleinfo->srcip[ip_s]);
config_ruleinfo->srcip[ip_s +1] = NULL;
/* Checking if the ip is valid */
config_ruleinfo->srcip[ip_s]);
config_ruleinfo->srcip[ip_s +1] = NULL;
/* Checking if the ip is valid */
config_ruleinfo->srcip[ip_s]))
{
merror(INVALID_IP, __local_name, rule_opt[k]->content);
config_ruleinfo->srcip[ip_s]))
{
merror(INVALID_IP, __local_name, rule_opt[k]->content);
else if(strcasecmp(rule_opt[k]->element,xml_srcport) == 0)
{
srcport = os_LoadString(srcport, rule_opt[k]->content);
else if(strcasecmp(rule_opt[k]->element,xml_srcport) == 0)
{
srcport = os_LoadString(srcport, rule_opt[k]->content);
merror(XML_VALUEERR, __local_name, xml_options,
rule_opt[k]->content);
merror(XML_VALUEERR, __local_name, xml_options,
rule_opt[k]->content);
- /* XXX As new features are added into ../analysisd/rules.c
- * This code needs to be updated to match, but is out of date
- * it's become a nightmare to correct with out just make the
- * problem for someone later.
+ /* XXX As new features are added into ../analysisd/rules.c
+ * This code needs to be updated to match, but is out of date
+ * it's become a nightmare to correct with out just make the
+ * problem for someone later.
- * This hack will allow any crap xml to pass without an
- * error. The correct fix is to refactor the code so that
+ * This hack will allow any crap xml to pass without an
+ * error. The correct fix is to refactor the code so that
/* If_matched_sid, we need to get the if_sid */
if(config_ruleinfo->if_matched_sid &&
/* If_matched_sid, we need to get the if_sid */
if(config_ruleinfo->if_matched_sid &&
/* Calling the function provided. */
ruleact_function(config_ruleinfo, data);
/* Calling the function provided. */
ruleact_function(config_ruleinfo, data);
/* Allocation memory for structure */
ruleinfo_pt = (RuleInfo *)calloc(1,sizeof(RuleInfo));
if(ruleinfo_pt == NULL)
{
ErrorExit(MEM_ERROR,__local_name);
}
/* Allocation memory for structure */
ruleinfo_pt = (RuleInfo *)calloc(1,sizeof(RuleInfo));
if(ruleinfo_pt == NULL)
{
ErrorExit(MEM_ERROR,__local_name);
}
ruleinfo_pt->ignore_time = 0;
ruleinfo_pt->timeframe = 0;
ruleinfo_pt->time_ignored = 0;
ruleinfo_pt->ignore_time = 0;
ruleinfo_pt->timeframe = 0;
ruleinfo_pt->time_ignored = 0;
-
- ruleinfo_pt->context_opts = 0;
- ruleinfo_pt->alert_opts = 0;
- ruleinfo_pt->ignore = 0;
- ruleinfo_pt->ckignore = 0;
+
+ ruleinfo_pt->context_opts = 0;
+ ruleinfo_pt->alert_opts = 0;
+ ruleinfo_pt->ignore = 0;
+ ruleinfo_pt->ckignore = 0;
ruleinfo_pt->if_sid = NULL;
ruleinfo_pt->if_group = NULL;
ruleinfo_pt->if_level = NULL;
ruleinfo_pt->if_sid = NULL;
ruleinfo_pt->if_group = NULL;
ruleinfo_pt->if_level = NULL;
ruleinfo_pt->if_matched_regex = NULL;
ruleinfo_pt->if_matched_group = NULL;
ruleinfo_pt->if_matched_sid = 0;
ruleinfo_pt->if_matched_regex = NULL;
ruleinfo_pt->if_matched_group = NULL;
ruleinfo_pt->if_matched_sid = 0;
ruleinfo_pt->srcip = NULL;
ruleinfo_pt->srcport = NULL;
ruleinfo_pt->dstip = NULL;
ruleinfo_pt->srcip = NULL;
ruleinfo_pt->srcport = NULL;
ruleinfo_pt->dstip = NULL;
ruleinfo_pt->hostname = NULL;
ruleinfo_pt->program_name = NULL;
ruleinfo_pt->action = NULL;
ruleinfo_pt->hostname = NULL;
ruleinfo_pt->program_name = NULL;
ruleinfo_pt->action = NULL;
/* Zeroing last matched events */
ruleinfo_pt->__frequency = 0;
ruleinfo_pt->last_events = NULL;
/* Zeroing last matched events */
ruleinfo_pt->__frequency = 0;
ruleinfo_pt->last_events = NULL;
/* zeroing the list of previous matches */
ruleinfo_pt->sid_prev_matched = NULL;
ruleinfo_pt->group_prev_matched = NULL;
/* zeroing the list of previous matches */
ruleinfo_pt->sid_prev_matched = NULL;
ruleinfo_pt->group_prev_matched = NULL;
char *xml_noalert = "noalert";
char *xml_ignore_time = "ignore";
char *xml_overwrite = "overwrite";
char *xml_noalert = "noalert";
char *xml_ignore_time = "ignore";
char *xml_overwrite = "overwrite";
else
{
merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
else
{
merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
- debug1("%s: __local_name: Print Rule:%d, level %d, ignore: %d, frequency:%d",
+ debug1("%s: __local_name: Print Rule:%d, level %d, ignore: %d, frequency:%d",