X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fanalysisd%2Fcompiled_rules%2Fgeneric_samples.c;h=c7afccc50c16399673bc1ed7a7eff8a48a69c3b1;hp=57da7b0e1cd9e24a89286527e5553c05d2f1b40b;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/src/analysisd/compiled_rules/generic_samples.c b/src/analysisd/compiled_rules/generic_samples.c
index 57da7b0..c7afccc 100644
--- a/src/analysisd/compiled_rules/generic_samples.c
+++ b/src/analysisd/compiled_rules/generic_samples.c
@@ -1,6 +1,3 @@
-/* @(#) $Id: ./src/analysisd/compiled_rules/generic_samples.c, 2011/09/08 dcid Exp $
- */
-
 /* Copyright (C) 2009 Trend Micro Inc.
  * All rights reserved.
  *
@@ -8,71 +5,50 @@ * and/or modify it under the terms of the GNU General Public * License (version 2) as published by the FSF - Free Software * Foundation. - * - * License details at the LICENSE file included with OSSEC or - * online at: http://www.ossec.net/en/licensing.html */ - -#include "shared.h" #include "eventinfo.h" +#include "shared.h" #include "config.h" - -/** Note: If the rule fails to match it should return NULL. +/* Note: If the rule fails to match it should return NULL. * If you want processing to continue, return lf (the eventinfo structure). */ - - -/* Example 1: - * Comparing if the srcuser and dstuser are the same. If they are the same, - * return true. - * If any of them is not set, return true too. +/* Example 1: Comparing if the srcuser and dstuser are the same + * If they are the same, return true + * If any of them is not set, return true too */ void *comp_srcuser_dstuser(Eventinfo *lf) { - if(!lf->srcuser || !lf->dstuser) - { - return(lf); + if (!lf->srcuser || !lf->dstuser) { + return (lf); } - if(strcmp(lf->srcuser, lf->dstuser) == 0) - { - return(lf); + if (strcmp(lf->srcuser, lf->dstuser) == 0) { + return (lf); } - - /* In here, srcuser and dstuser are present and are different. */ - return(NULL); + /* In here, srcuser and dstuser are present and are different */ + return (NULL); } - - -/* Example 2: - * Checking if the size of the id field is larger than 10. - */ +/* Example 2: Checking if the size of the id field is larger than 10 */ void *check_id_size(Eventinfo *lf) { - if(!lf->id) - { - return(NULL); + if (!lf->id) { + return (NULL); } - if(strlen(lf->id) >= 10) - { - return(lf); + if (strlen(lf->id) >= 10) { + return (lf); } - return(NULL); + return (NULL); } - - -/* Example 3: - * Comparing the Target Account Name and Caller User Name - * on Windows logs. 
+/* Example 3: Comparing the Target Account Name and Caller User Name on Windows logs * It will return NULL (not match) if any of these values * are not present or if they are the same. * This function will return TRUE if they are NOT the same. @@ -82,16 +58,13 @@ void *comp_mswin_targetuser_calleruser_diff(Eventinfo *lf) char *target_user; char *caller_user; - target_user = strstr(lf->log, "Target Account Name"); caller_user = strstr(lf->log, "Caller User Name"); - if(!target_user || !caller_user) - { - return(NULL); + if (!target_user || !caller_user) { + return (NULL); } - /* We need to clear each user type and finish the string. * It looks like: * Target Account Name: account\t 
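Review bot: The rewritten comment for check_id_size still says the id must be "larger than 10" while the condition kept on the new side is `strlen(lf->id) >= 10`, which also accepts an id of exactly 10 characters. Either the comment should read `/* Example 2: Checking if the id field is at least 10 characters long */` or the test should become `if (strlen(lf->id) > 10) {`; since this file is a set of reference samples for rule authors, an off-by-one in the description is the kind of thing that gets copied. The hunk also swaps the order of the `eventinfo.h` and `shared.h` includes; if eventinfo.h is not self-contained and relies on shared.h having been included first, that reorder is worth confirming against a clean build.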
@@ -100,84 +73,72 @@ void *comp_mswin_targetuser_calleruser_diff(Eventinfo *lf) target_user = strchr(target_user, ':'); caller_user = strchr(caller_user, ':'); - if(!target_user || !caller_user) - { - return(NULL); + if (!target_user || !caller_user) { + return (NULL); } - target_user++; caller_user++; + while (*target_user != '\0') { + if (*target_user != *caller_user) { + return (lf); + } - while(*target_user != '\0') - { - if(*target_user != *caller_user) - return(lf); - - if(*target_user == '\t' || - (*target_user == ' ' && target_user[1] == ' ')) + if (*target_user == '\t' || + (*target_user == ' ' && target_user[1] == ' ')) { break; + } - target_user++;caller_user++; + target_user++; + caller_user++; } - /* If we got in here, the accounts are the same. * So, we return NULL since we only want to alert if they are different. */ - return(NULL); + return (NULL); } - -/* Example 4: - * Checks if a HTTP request is a simple GET/POST without a query. +/* Example 4: Checking if a HTTP request is a simple GET/POST without a query * This avoid that we call the attack rules for no reason. */ void *is_simple_http_request(Eventinfo *lf) { - /* Simple GET / request. */ - if(strcmp(lf->url,"/") == 0) - { - return(lf); + if (!lf->url) { + return (NULL); } - - /* Simple request, no query. */ - if(!strchr(lf->url,'?')) - { - return(lf); + /* Simple GET / request */ + if (strcmp(lf->url, "/") == 0) { + return (lf); } + /* Simple request, no query */ + if (!strchr(lf->url, '?')) { + return (lf); + } - /* In here, we have an additional query to be checked. */ - return(NULL); + /* In here, we have an additional query to be checked */ + return (NULL); } - -/* Example 5: - * Checks if the source ip is from a valid bot. 
- */ +/* Example 5: Checking if the source IP is from a valid bot */ void *is_valid_crawler(Eventinfo *lf) { - if((strncmp(lf->log, "66.249.",7) == 0)|| /* Google bot */ - (strncmp(lf->log, "72.14.",6) == 0)|| /* Feedfetcher-Google */ - (strncmp(lf->log, "209.85.",7) == 0)|| /* Feedfetcher-Google */ - (strncmp(lf->log, "65.55.",6) == 0)|| /* MSN/Bing */ - (strncmp(lf->log, "207.46.",7) == 0)|| /* MSN/Bing */ - (strncmp(lf->log, "74.6.",5) == 0)|| /* Yahoo */ - (strncmp(lf->log, "72.30.",6) == 0)|| /* Yahoo */ - (strncmp(lf->log, "67.195.",7) == 0) /* Yahoo */ - ) - { - return(lf); + if ((strncmp(lf->log, "66.249.", 7) == 0) || /* Google bot */ + (strncmp(lf->log, "72.14.", 6) == 0) || /* Feedfetcher-Google */ + (strncmp(lf->log, "209.85.", 7) == 0) || /* Feedfetcher-Google */ + (strncmp(lf->log, "65.55.", 6) == 0) || /* MSN/Bing */ + (strncmp(lf->log, "207.46.", 7) == 0) || /* MSN/Bing */ + (strncmp(lf->log, "74.6.", 5) == 0) || /* Yahoo */ + (strncmp(lf->log, "72.30.", 6) == 0) || /* Yahoo */ + (strncmp(lf->log, "67.195.", 7) == 0) /* Yahoo */ + ) { + return (lf); } - return(NULL); + return (NULL); } - - -/* END generic samples. */ -
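Review bot: In the reformatted comparison loop of comp_mswin_targetuser_calleruser_diff, `while (*target_user != '\0')` stops on the target value's terminator before it is compared with the caller value, so a target name that sits at the very end of the log and is a strict prefix of the caller name (constructed example: `bob` vs `bobby`) falls through to the "accounts are the same" `return (NULL)`. If that layout can occur in the logs this sample is meant for, `while (*target_user != '\0' || *caller_user != '\0') {` closes the gap with no other change, because the inequality test then returns lf as soon as one side ends and the pointers are never advanced past a terminator. The enclosing function begins in the previous hunk. Separately, is_valid_crawler decides trust from a prefix of `lf->log` rather than from the decoded source address, so a comment such as `/* Assumes the raw log line starts with the client IP; prefer lf->srcip when the decoder sets it */` would make that assumption visible to anyone copying the sample into a production rule.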