X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fanalysisd%2Frules.h;fp=src%2Fanalysisd%2Frules.h;h=ccf035ce0b4deecdd547557da4bfa513f8c41768;hp=03204cfcfb7e8ad8aa0e4cbd6631b99948236f58;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/src/analysisd/rules.h b/src/analysisd/rules.h
old mode 100755
new mode 100644
index 03204cf..ccf035c
--- a/src/analysisd/rules.h
+++ b/src/analysisd/rules.h
@@ -1,6 +1,3 @@
-/* @(#) $Id: ./src/analysisd/rules.h, 2011/09/08 dcid Exp $
- */
-
 /* Copyright (C) 2009 Trend Micro Inc.
  * All right reserved.
  *
@@ -10,24 +7,25 @@
  * Foundation
  */
 
-
 #ifndef _OS_RULES
-
 #define _OS_RULES
 
 #define MAX_LAST_EVENTS 11
+#define MAX_TIMEFRAME 604800
+
 #include "shared.h"
 #include "active-response.h"
 #include "lists.h"
 
-
 /* Event context - stored on a uint8 */
 #define SAME_USER 0x001 /* 1 */
 #define SAME_SRCIP 0x002 /* 2 */
 #define SAME_ID 0x004 /* 4 */
 #define SAME_LOCATION 0x008 /* 8 */
 #define DIFFERENT_URL 0x010 /* */
+#define DIFFERENT_SRCIP 0x200
+#define DIFFERENT_SRCGEOIP 0x400
 #define SAME_SRCPORT 0x020
 #define SAME_DSTPORT 0x040
 #define SAME_DODIFF 0x100
@@ -60,7 +58,6 @@
 #define RULE_STATUS 1024
 #define RULE_ACTION 2048
 
-
 #define RULEINFODETAIL_TEXT 0
 #define RULEINFODETAIL_LINK 1
 #define RULEINFODETAIL_CVE 2
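Review bot: `DIFFERENT_SRCIP 0x200` and `DIFFERENT_SRCGEOIP 0x400` are added under the comment `/* Event context - stored on a uint8 */`, but neither value fits in eight bits, and `RuleInfo` (in the following hunks) declares `u_int8_t context` next to `u_int16_t context_opts`; if either flag were ever written into the 8-bit field it would be silently truncated to zero and the condition would never fire. Presumably they belong in `context_opts` like the existing `SAME_DODIFF 0x100`, so the comment should say so: `/* Event context options - stored in context_opts (u_int16_t); values above 0xff do not fit the u_int8_t context field */`. `MAX_TIMEFRAME 604800` is undocumented; 604800 is seven days in seconds, so a trailing `/* 7 days, in seconds */` spares the reader the arithmetic (assuming timeframe is counted in seconds — confirm against the rule parser). The two new flags are also inserted out of numeric order between 0x010 and 0x020; placing them after SAME_DODIFF keeps the table sorted.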
@@ -69,41 +66,44 @@
 #define MAX_RULEINFODETAIL 32
 
 
-typedef struct _RuleInfoDetail
-{
+typedef struct _FieldInfo {
+ char *name;
+ OSRegex *regex;
+} FieldInfo;
+
+
+typedef struct _RuleInfoDetail {
 int type;
 char *data;
 struct _RuleInfoDetail *next;
-}RuleInfoDetail;
+} RuleInfoDetail;
 
-typedef struct _RuleInfo
-{
+typedef struct _RuleInfo {
 int sigid; /* id attribute -- required*/
 int level; /* level attribute --required */
- int maxsize;
+ size_t maxsize;
 int frequency;
 int timeframe;
 u_int8_t context; /* Not an user option */
 int firedtimes; /* Not an user option */
- int time_ignored; /* Not an user option */
+ time_t time_ignored; /* Not an user option */
 int ignore_time;
 int ignore;
 int ckignore;
- int group_prev_matched_sz;
+ unsigned int group_prev_matched_sz;
 int __frequency;
 char **last_events;
 
-
 /* Not an option in the rule */
 u_int16_t alert_opts;
 /* Context options */
 u_int16_t context_opts;
- /* category */
+ /* Category */
 u_int8_t category;
 
 /* Decoded as */
@@ -125,13 +125,14 @@ typedef struct _RuleInfo
 /* Pointer to group_prev_matched */
 OSList *group_search;
 
-/* Function pointer to the event_search. */
+/* Function pointer to the event_search */
 void *(*event_search)(void *lf, void *rule);
 
-
 char *group;
 OSMatch *match;
+ OSPcre2 *match_pcre2;
 OSRegex *regex;
+ OSPcre2 *pcre2;
 
 /* Policy-based rules */
 char *day_time;
@@ -139,6 +140,8 @@ typedef struct _RuleInfo
 
 os_ip **srcip;
 os_ip **dstip;
+ OSMatch *srcgeoip;
+ OSMatch *dstgeoip;
 OSMatch *srcport;
 OSMatch *dstport;
 OSMatch *user;
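Review bot: `group_prev_matched_sz` changes from `int` to `unsigned int` and `maxsize` from `int` to `size_t`, but nothing in the header warns that every comparison site has to follow: a caller that still counts with an `int` index or compares `maxsize` against a signed length now performs a signed/unsigned comparison, and a negative value passes as a huge unsigned one. The callers are outside this hunk so I cannot tell which are affected; building analysisd with `-Wsign-compare` after this change would surface them. The new `FieldInfo` struct also carries no comment on who owns `name` and `regex` or whether `regex` may be NULL; a short header comment such as `/* One user-defined field: its name and the regex it must match — ownership to be confirmed against the free path */` would be worth adding.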
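Review bot: `OSPcre2 *match_pcre2` and `OSPcre2 *pcre2` are added beside `OSMatch *match` and `OSRegex *regex` with no statement of how the two engines combine: whether a rule may set both, which one is consulted first, and whether NULL means "not set". Because the matcher runs over untrusted log data, an ambiguous precedence here is exactly what silently turns a detection rule into a no-op; a comment on the pair would settle it, e.g. `/* match/regex and their *_pcre2 counterparts are alternatives: at most one of each pair is non-NULL — confirm against the rule loader */`. The same applies to the eleven `*_pcre2` fields added in the @@ -148 hunk.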
@@ -148,6 +151,20 @@ typedef struct _RuleInfo
 OSMatch *hostname;
 OSMatch *program_name;
 OSMatch *extra_data;
+ FieldInfo **fields;
+
+
+ OSPcre2 *srcgeoip_pcre2;
+ OSPcre2 *dstgeoip_pcre2;
+ OSPcre2 *srcport_pcre2;
+ OSPcre2 *dstport_pcre2;
+ OSPcre2 *user_pcre2;
+ OSPcre2 *url_pcre2;
+ OSPcre2 *id_pcre2;
+ OSPcre2 *status_pcre2;
+ OSPcre2 *hostname_pcre2;
+ OSPcre2 *program_name_pcre2;
+ OSPcre2 *extra_data_pcre2;
 
 char *action;
 char *comment; /* description in the xml */
@@ -167,20 +184,19 @@ typedef struct _RuleInfo
 void *(*compiled_rule)(void *lf);
 active_response **ar;
 
-}RuleInfo;
+} RuleInfo;
 
-typedef struct _RuleNode
-{
+typedef struct _RuleNode {
 RuleInfo *ruleinfo;
 struct _RuleNode *next;
 struct _RuleNode *child;
-}RuleNode;
+} RuleNode;
 
-RuleInfo *currently_rule; /* */
+extern RuleInfo *currently_rule;
 
-RuleInfoDetail *zeroinfodetails(int type, char *data);
+RuleInfoDetail *zeroinfodetails(int type, const char *data);
 int get_info_attributes(char **attributes, char **values);
 
 /* RuleInfo functions */
@@ -197,7 +213,7 @@ RuleInfo *zerorulemember(int id,
 
 /** Rule_list Functions **/
 /* create the rule list */
-void OS_CreateRuleList();
+void OS_CreateRuleList(void);
 
 /* Add rule information to the list */
 int OS_AddRule(RuleInfo *read_rule);
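Review bot: `FieldInfo **fields` is added without a length member or a documented terminator, so every consumer has to guess whether the array is NULL-terminated or bounded by a count kept elsewhere; for an array walked once per matched event, an off-by-one here reads past the allocation. A one-line contract on the field removes the guesswork, e.g. `/* NULL-terminated array of user-defined fields; NULL when the rule defines none — confirm against Rules_OP_ReadRules */`. The `RuleInfo` definition begins before this hunk.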
@@ -214,21 +230,26 @@ int OS_MarkGroup(RuleNode *r_node, RuleInfo *orig_rule);
 /* Mark IDs (if_matched_sid) */
 int OS_MarkID(RuleNode *r_node, RuleInfo *orig_rule);
 
-
 /* Get first rule */
-RuleNode *OS_GetFirstRule();
+RuleNode *OS_GetFirstRule(void);
+
+void Rules_OP_CreateRules(void);
+int Rules_OP_ReadRules(const char *rulefile);
 
-/** Defition of the internal rule IDS **
- ** These SIGIDs cannot be used **
- ** **/
+int AddHash_Rule(RuleNode *node);
+
+int _setlevels(RuleNode *node, int nnode);
+
+/** Definition of the internal rule IDS **
+ ** These SIGIDs cannot be used **
+ ** **/
 #define STATS_MODULE 11
 #define FTS_MODULE 12
 #define SYSCHECK_MODULE 13
 #define HOSTINFO_MODULE 15
 
-
 #define ROOTCHECK_MOD "rootcheck"
 #define HOSTINFO_NEW "hostinfo_new"
 #define HOSTINFO_MOD "hostinfo_modified"
@@ -238,5 +259,8 @@ RuleNode *OS_GetFirstRule();
 #define SYSCHECK_NEW "syscheck_new_entry"
 #define SYSCHECK_DEL "syscheck_deleted"
 
+/* Global variables */
+extern int _max_freq;
 
 #endif /* _OS_RULES */
+
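Review bot: `_setlevels` and `_max_freq` (like the pre-existing `_OS_RULES` guard and the `__frequency` member) begin with an underscore at file scope, which C11 7.1.3 reserves for the implementation; newly exported names should avoid it, e.g. `int setlevels(RuleNode *node, int nnode);` and `extern int max_freq;`, with the definitions renamed to match. Independently, `Rules_OP_ReadRules`, `AddHash_Rule`, `_setlevels` and `_max_freq` are exported with no comment on return values, ownership, or who is allowed to write the global, while the neighbouring declarations each carry a one-line comment; a line such as `/* Read and compile one rule file; returns 0 on success, -1 on error — confirm against the definition */` on `Rules_OP_ReadRules` would keep the header self-describing. The final `+` in the last hunk adds an empty line after `#endif`, harmless but presumably unintended.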