X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fshared%2Frules_op.c;fp=src%2Fshared%2Frules_op.c;h=58481ec1e26e059e41675f17e0152546f21bcf56;hp=203b3ba24624c2f5aee1447a29e2c53ad6b56980;hb=301048b51990573e58a30dc4a5bb4ec285cad554;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a diff --git a/src/shared/rules_op.c b/src/shared/rules_op.c index 203b3ba..58481ec 100755 --- a/src/shared/rules_op.c +++ b/src/shared/rules_op.c @@ -1,11 +1,11 @@ -/* @(#) $Id: rules_op.c,v 1.6 2009/06/24 18:53:08 dcid Exp $ */ +/* @(#) $Id$ */ /* Copyright (C) 2009 Trend Micro Inc. * All rights reserved. * * This program is a free software; you can redistribute it * and/or modify it under the terms of the GNU General Public - * License (version 3) as published by the FSF - Free Software + * License (version 2) as published by the FSF - Free Software * Foundation. * * License details at the LICENSE file included with OSSEC or @@ -16,6 +16,12 @@ #include "rules_op.h" +/* Chaging path for test rule. */ +#ifdef TESTRULE + #undef RULEPATH + #define RULEPATH "rules/" +#endif + /** Prototypes **/ int _OS_GetRulesAttributes(char **attributes, @@ -85,6 +91,7 @@ int OS_ReadXMLRules(char *rulefile, char *xml_same_user = "same_user"; char *xml_same_location = "same_location"; char *xml_same_id = "same_id"; + char *xml_dodiff = "check_diff"; char *xml_different_url = "different_url"; 
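Review bot: Under TESTRULE the new `#define RULEPATH "rules/"` carries a trailing slash, while the path build in OS_ReadXMLRules joins it with the `"%s/%s"` format, so test builds look for `rules//<file>`; dropping the slash, `#define RULEPATH "rules"`, keeps the test definition in the same shape the format string expects (the non-test definition is not visible here, but the format suggests it has no trailing slash). The comment above it also has a typo: `/* Changing path for test rule. */`.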
@@ -100,14 +107,24 @@ int OS_ReadXMLRules(char *rulefile, int i; - /* Building the rule file name + path */ - i = strlen(RULEPATH) + strlen(rulefile) + 2; - rulepath = (char *)calloc(i,sizeof(char)); - if(!rulepath) + /* If no directory in the rulefile add the default */ + if((strchr(rulefile, '/')) == NULL) { - ErrorExit(MEM_ERROR,__local_name); + /* Building the rule file name + path */ + i = strlen(RULEPATH) + strlen(rulefile) + 2; + rulepath = (char *)calloc(i,sizeof(char)); + if(!rulepath) + { + ErrorExit(MEM_ERROR,ARGV0); + } + snprintf(rulepath,i,"%s/%s",RULEPATH,rulefile); + } + else + { + os_strdup(rulefile, rulepath); + debug1("%s is the rulefile", rulefile); + debug1("Not modifing the rule path"); } - snprintf(rulepath,i,"%s/%s",RULEPATH,rulefile); /* Reading the XML */ @@ -595,6 +612,16 @@ int OS_ReadXMLRules(char *rulefile, config_ruleinfo->alert_opts |= SAME_EXTRAINFO; } else if(strcasecmp(rule_opt[k]->element, + xml_dodiff)==0) + { + config_ruleinfo->context++; + config_ruleinfo->context_opts|= SAME_DODIFF; + if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO)) + { + config_ruleinfo->alert_opts |= DO_EXTRAINFO; + } + } + else if(strcasecmp(rule_opt[k]->element, xml_same_dst_port) == 0) { config_ruleinfo->context_opts|= SAME_DSTPORT; @@ -687,6 +714,13 @@ int OS_ReadXMLRules(char *rulefile, config_ruleinfo->alert_opts &=0xfff-DO_LOGALERT; } } + else if(strcmp("no_ar", rule_opt[k]->content) == 0) + { + if(!(config_ruleinfo->alert_opts & NO_AR)) + { + config_ruleinfo->alert_opts|= NO_AR; + } + } else { merror(XML_VALUEERR, __local_name, xml_options, 
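Review bot: The out-of-memory exit in the new directory-less branch reports `ARGV0`, whereas the line it replaces and the merror calls elsewhere in this function use `__local_name`; keep `ErrorExit(MEM_ERROR,__local_name);` so the message names the process consistently. The else branch also means a rulefile containing any '/' — including absolute paths and `..` components — is now opened verbatim rather than under RULEPATH; that is presumably intended for test rules, but the strchr check deserves a comment stating that entries with a directory part are used as given, so a reader does not assume RULEPATH confines rule files. Minor: the debug string reads better as `debug1("Not modifying the rule path");`. OS_ReadXMLRules starts before this hunk.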
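Review bot: The guard `if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))` around `config_ruleinfo->alert_opts |= DO_EXTRAINFO;` in the new check_diff branch is a no-op, since OR-ing in a flag that is already set changes nothing; the bare assignment reads more clearly on its own. The same pattern appears in the `no_ar` branch added in the next hunk (`@@ -687,6 +714,13 @@`), where `config_ruleinfo->alert_opts|= NO_AR;` alone suffices. Both branches sit inside OS_ReadXMLRules, whose body extends outside these hunks.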
@@ -781,12 +815,22 @@ int OS_ReadXMLRules(char *rulefile, return(-1); } } + /* XXX As new features are added into ../analysisd/rules.c + * This code needs to be updated to match, but is out of date + * it's become a nightmare to correct with out just make the + * problem for someone later. + * + * This hack will allow any crap xml to pass without an + * error. The correct fix is to refactor the code so that + * ../analysisd/rules* and this code are not duplicates + * else { merror(XML_INVELEM, __local_name, rule_opt[k]->element); OS_ClearXML(&xml); return(-1); } + */ k++; }
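Review bot: Commenting out the `else { merror(XML_INVELEM, ...); OS_ClearXML(&xml); return(-1); }` branch means an unrecognised element inside a rule is now accepted silently, so a misspelled option — including the `check_diff` and `no_ar` options this commit introduces — loads without any indication and leaves the rule weaker than its author intended. If a hard failure is unwanted until the duplication with ../analysisd/rules.c is resolved, keep the diagnostic without the early return, `else { merror(XML_INVELEM, __local_name, rule_opt[k]->element); }`, so the mismatch is at least visible in the log (assuming merror only logs, as its pairing with an explicit return(-1) in the removed branch suggests). The commented-out block should then be deleted rather than left in place, with the XXX comment reduced to the refactoring intent. The enclosing loop and OS_ReadXMLRules continue outside this hunk.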