1 /* @(#) $Id: rules_op.c,v 1.6 2009/06/24 18:53:08 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
11 * License details at the LICENSE file included with OSSEC or
12 * online at: http://www.ossec.net/en/licensing.html
/* Internal helpers defined further down in this file:
 *  - _OS_GetRulesAttributes: parse the attribute/value pairs of one <rule>
 *    into a RuleInfo; returns < 0 on an invalid attribute.
 *  - _OS_AllocateRule: calloc a RuleInfo and install the loader defaults
 *    (sigid/level = -1, category = SYSLOG); exits the process on OOM.
 * NOTE(review): the "char **values," parameter line of the first prototype
 * is not shown in this listing; compare with the definition below. */
21 int _OS_GetRulesAttributes(char **attributes,
23 RuleInfo *ruleinfo_pt);
24 RuleInfo *_OS_AllocateRule();
29 /* Rules_OP_ReadRules, v0.3, 2005/03/21
31 * v0.3: Fixed many memory problems.
/*
 * OS_ReadXMLRules: load one rule file (RULEPATH/rulefile), walk every root
 * <group name="..."> element and each <rule> under it, build a RuleInfo per
 * rule and hand it to ruleact_function(rule, data).  Parse/validation
 * failures are reported through merror(); the matching return statements,
 * loop headers and braces are elided from this listing, so the comments
 * below only describe the lines that are visible.
 */
33 int OS_ReadXMLRules(char *rulefile,
34 void *(*ruleact_function)(RuleInfo *rule, void *data),
42 /* These are the available options for the rule configuration */
44 char *xml_group = "group";
45 char *xml_rule = "rule";
47 char *xml_regex = "regex";
48 char *xml_match = "match";
49 char *xml_decoded = "decoded_as";
50 char *xml_category = "category";
51 char *xml_cve = "cve";
52 char *xml_info = "info";
53 char *xml_day_time = "time";
54 char *xml_week_day = "weekday";
55 char *xml_comment = "description";
/* <ignore> / <check_if_ignored> select FTS fields; not to be confused with
 * the numeric ignore="..." attribute parsed in _OS_GetRulesAttributes. */
56 char *xml_ignore = "ignore";
57 char *xml_check_if_ignored = "check_if_ignored";
59 char *xml_srcip = "srcip";
60 char *xml_srcport = "srcport";
61 char *xml_dstip = "dstip";
62 char *xml_dstport = "dstport";
63 char *xml_user = "user";
64 char *xml_url = "url";
66 char *xml_data = "extra_data";
67 char *xml_hostname = "hostname";
68 char *xml_program_name = "program_name";
69 char *xml_status = "status";
70 char *xml_action = "action";
71 char *xml_compiled = "compiled_rule";
73 char *xml_if_sid = "if_sid";
74 char *xml_if_group = "if_group";
75 char *xml_if_level = "if_level";
76 char *xml_fts = "if_fts";
78 char *xml_if_matched_regex = "if_matched_regex";
79 char *xml_if_matched_group = "if_matched_group";
80 char *xml_if_matched_sid = "if_matched_sid";
82 char *xml_same_source_ip = "same_source_ip";
83 char *xml_same_src_port = "same_src_port";
84 char *xml_same_dst_port = "same_dst_port";
85 char *xml_same_user = "same_user";
86 char *xml_same_location = "same_location";
87 char *xml_same_id = "same_id";
89 char *xml_different_url = "different_url";
91 char *xml_notsame_source_ip = "not_same_source_ip";
92 char *xml_notsame_user = "not_same_user";
93 char *xml_notsame_agent = "not_same_agent";
94 char *xml_notsame_id = "not_same_id";
96 char *xml_options = "options";
103 /* Building the rule file name + path */
/* Buffer size is RULEPATH + "/" + rulefile + NUL, which matches the
 * snprintf below.  NOTE(review): rulefile is joined without any
 * normalisation, so a name containing "../" resolves outside RULEPATH;
 * that is acceptable only while the caller's source (the config) is
 * trusted -- worth stating in the caller's contract. */
104 i = strlen(RULEPATH) + strlen(rulefile) + 2;
105 rulepath = (char *)calloc(i,sizeof(char));
108 ErrorExit(MEM_ERROR,__local_name);
110 snprintf(rulepath,i,"%s/%s",RULEPATH,rulefile);
113 /* Reading the XML */
114 if(OS_ReadXML(rulepath,&xml) < 0)
116 merror(XML_ERROR, __local_name, rulepath, xml.err, xml.err_line);
123 debug1("%s: DEBUG: read xml for rule '%s'.", __local_name, rulepath);
126 /* Applying any variable found */
127 if(OS_ApplyVariables(&xml) != 0)
129 merror(XML_ERROR_VAR, __local_name, rulepath, xml.err);
135 debug1("%s: DEBUG: XML Variables applied.", __local_name);
138 /* Getting the root elements */
139 node = OS_GetElementsbyNode(&xml, NULL);
142 merror(CONFIG_ERROR, __local_name, rulepath);
148 /* Zeroing the rule memory -- not used anymore */
152 /* Checking if there is any invalid global option */
158 /* Verifying group */
/* Every root element must be a <group>. */
159 if(strcasecmp(node[i]->element,xml_group) != 0)
161 merror(RL_INV_ROOT, __local_name, node[i]->element);
165 /* Checking group attribute -- only name is allowed */
/* Exactly one attribute, and it must be "name" with a non-NULL value;
 * attributes[1] being non-NULL means a second attribute was given. */
166 if((!node[i]->attributes) || (!node[i]->values)||
167 (!node[i]->values[0]) || (!node[i]->attributes[0]) ||
168 (strcasecmp(node[i]->attributes[0],"name") != 0) ||
169 (node[i]->attributes[1]))
171 merror(RL_INV_ROOT, __local_name, node[i]->element);
178 merror(XML_READ_ERROR, __local_name);
186 /* Getting the rules now */
191 XML_NODE rule = NULL;
194 /* Getting all rules for a global group */
195 rule = OS_GetElementsbyNode(&xml,node[i]);
202 /* Looping on the rules node */
/* Raw option strings collected while walking the rule's children; the
 * ones that become OSMatch/OSRegex objects are compiled further down. */
207 char *regex = NULL, *match = NULL, *url = NULL,
208 *if_matched_regex = NULL, *if_matched_group = NULL,
209 *user = NULL, *id = NULL, *srcport = NULL,
210 *dstport = NULL, *status = NULL, *hostname = NULL,
211 *extra_data = NULL, *program_name = NULL;
213 RuleInfo *config_ruleinfo = NULL;
214 XML_NODE rule_opt = NULL;
217 /* Checking if the rule element is correct */
218 if((!rule[j]->element)||
219 (strcasecmp(rule[j]->element,xml_rule) != 0))
221 merror(RL_INV_RULE, __local_name, node[i]->element);
227 /* Checking for the attributes of the rule */
228 if((!rule[j]->attributes) || (!rule[j]->values))
230 merror(RL_INV_RULE, __local_name, rulefile);
236 /* Attribute block */
237 config_ruleinfo = _OS_AllocateRule();
239 if(_OS_GetRulesAttributes(rule[j]->attributes, rule[j]->values,
240 config_ruleinfo) < 0)
242 merror(RL_INV_ATTR, __local_name, rulefile);
247 /* We must have both an id and a level: either one still at its -1
 * default (see _OS_AllocateRule) rejects the rule */
248 if((config_ruleinfo->sigid == -1)||(config_ruleinfo->level == -1))
250 merror(RL_INV_ATTR, __local_name, rulefile);
256 /* Here we can assign the group name to the rule.
257 * The level is correct so the rule is probably going to
260 os_strdup(node[i]->values[0], config_ruleinfo->group);
263 /* Getting rules options */
264 rule_opt = OS_GetElementsbyNode(&xml, rule[j]);
267 merror(RL_NO_OPT, __local_name, config_ruleinfo->sigid);
273 /* Reading the whole rule block */
/* Dispatch on the child element's name.  Children with no element name or
 * no content are handled by the first branch (its body is elided here). */
276 if((!rule_opt[k]->element)||(!rule_opt[k]->content))
280 else if(strcasecmp(rule_opt[k]->element,xml_regex)==0)
284 rule_opt[k]->content);
286 else if(strcasecmp(rule_opt[k]->element,xml_match)==0)
290 rule_opt[k]->content);
292 else if(strcasecmp(rule_opt[k]->element, xml_decoded) == 0)
295 else if(strcasecmp(rule_opt[k]->element,xml_info) == 0)
297 config_ruleinfo->info=
298 os_LoadString(config_ruleinfo->info,
299 rule_opt[k]->content);
301 else if(strcasecmp(rule_opt[k]->element,xml_day_time) == 0)
/* OS_IsValidTime returns NULL for a malformed range -> INVALID_CONFIG. */
303 config_ruleinfo->day_time =
304 OS_IsValidTime(rule_opt[k]->content);
305 if(!config_ruleinfo->day_time)
307 merror(INVALID_CONFIG, __local_name,
308 rule_opt[k]->element,
309 rule_opt[k]->content);
313 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
314 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
316 else if(strcasecmp(rule_opt[k]->element,xml_week_day) == 0)
318 config_ruleinfo->week_day =
319 OS_IsValidDay(rule_opt[k]->content);
321 if(!config_ruleinfo->week_day)
323 merror(INVALID_CONFIG, __local_name,
324 rule_opt[k]->element,
325 rule_opt[k]->content);
328 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
329 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
/* A <group> child appends to the group name inherited from the root. */
331 else if(strcasecmp(rule_opt[k]->element,xml_group) == 0)
333 config_ruleinfo->group =
334 os_LoadString(config_ruleinfo->group,
335 rule_opt[k]->content);
337 else if(strcasecmp(rule_opt[k]->element,xml_cve) == 0)
339 config_ruleinfo->cve=
340 os_LoadString(config_ruleinfo->cve,
341 rule_opt[k]->content);
343 else if(strcasecmp(rule_opt[k]->element,xml_comment) == 0)
/* The newline handling between strchr and the assignment is elided. */
347 newline = strchr(rule_opt[k]->content, '\n');
352 config_ruleinfo->comment=
353 os_LoadString(config_ruleinfo->comment,
354 rule_opt[k]->content);
356 else if(strcasecmp(rule_opt[k]->element,xml_srcip)==0)
360 /* Getting size of source ip list */
361 while(config_ruleinfo->srcip &&
362 config_ruleinfo->srcip[ip_s])
/* Grow the NULL-terminated os_ip* list by one slot.
 * NOTE(review): the realloc result is stored straight into the field and
 * never checked -- on failure the old list is leaked and the os_calloc
 * just below writes through a NULL pointer.  Use a temporary (or the
 * os_realloc wrapper) and bail out on NULL. */
367 config_ruleinfo->srcip =
368 realloc(config_ruleinfo->srcip,
369 (ip_s + 2) * sizeof(os_ip *));
372 /* Allocating memory for the individual entries */
373 os_calloc(1, sizeof(os_ip),
374 config_ruleinfo->srcip[ip_s]);
375 config_ruleinfo->srcip[ip_s +1] = NULL;
378 /* Checking if the ip is valid */
379 if(!OS_IsValidIP(rule_opt[k]->content,
380 config_ruleinfo->srcip[ip_s]))
382 merror(INVALID_IP, __local_name, rule_opt[k]->content);
386 if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
387 config_ruleinfo->alert_opts |= DO_PACKETINFO;
389 else if(strcasecmp(rule_opt[k]->element,xml_dstip)==0)
393 /* Getting size of destination ip list */
394 while(config_ruleinfo->dstip &&
395 config_ruleinfo->dstip[ip_s])
/* NOTE(review): same unchecked realloc as the srcip branch above. */
400 config_ruleinfo->dstip =
401 realloc(config_ruleinfo->dstip,
402 (ip_s + 2) * sizeof(os_ip *));
405 /* Allocating memory for the individual entries */
406 os_calloc(1, sizeof(os_ip),
407 config_ruleinfo->dstip[ip_s]);
408 config_ruleinfo->dstip[ip_s +1] = NULL;
411 /* Checking if the ip is valid */
412 if(!OS_IsValidIP(rule_opt[k]->content,
413 config_ruleinfo->dstip[ip_s]))
415 merror(INVALID_IP, __local_name, rule_opt[k]->content);
419 if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
420 config_ruleinfo->alert_opts |= DO_PACKETINFO;
/* The following per-field patterns are kept as strings here and compiled
 * into OSMatch objects after the option loop. */
422 else if(strcasecmp(rule_opt[k]->element,xml_user) == 0)
424 user = os_LoadString(user, rule_opt[k]->content);
426 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
427 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
429 else if(strcasecmp(rule_opt[k]->element,xml_id) == 0)
431 id = os_LoadString(id, rule_opt[k]->content);
433 else if(strcasecmp(rule_opt[k]->element,xml_srcport) == 0)
435 srcport = os_LoadString(srcport, rule_opt[k]->content);
437 if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
438 config_ruleinfo->alert_opts |= DO_PACKETINFO;
440 else if(strcasecmp(rule_opt[k]->element,xml_dstport) == 0)
442 dstport = os_LoadString(dstport, rule_opt[k]->content);
444 if(!(config_ruleinfo->alert_opts & DO_PACKETINFO))
445 config_ruleinfo->alert_opts |= DO_PACKETINFO;
447 else if(strcasecmp(rule_opt[k]->element,xml_status)==0)
449 status = os_LoadString(status, rule_opt[k]->content);
451 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
452 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
454 else if(strcasecmp(rule_opt[k]->element,xml_hostname) == 0)
456 hostname = os_LoadString(hostname, rule_opt[k]->content);
458 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
459 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
461 else if(strcasecmp(rule_opt[k]->element,xml_data)==0)
463 extra_data = os_LoadString(extra_data, rule_opt[k]->content);
465 if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
466 config_ruleinfo->alert_opts |= DO_EXTRAINFO;
468 else if(strcasecmp(rule_opt[k]->element,
469 xml_program_name)==0)
471 program_name = os_LoadString(program_name,
472 rule_opt[k]->content);
474 else if(strcasecmp(rule_opt[k]->element,xml_action) == 0)
476 config_ruleinfo->action =
477 os_LoadString(config_ruleinfo->action,
478 rule_opt[k]->content);
480 else if(strcasecmp(rule_opt[k]->element,xml_url) == 0)
482 url= os_LoadString(url, rule_opt[k]->content);
485 else if(strcasecmp(rule_opt[k]->element, xml_compiled)==0)
487 /* Not using this in here. */
490 /* We allow these categories so far */
/* Category values are matched case-sensitively (strcmp), unlike the
 * element names; anything else is INVALID_CAT. */
491 else if(strcasecmp(rule_opt[k]->element, xml_category)==0)
493 if(strcmp(rule_opt[k]->content, "firewall") == 0)
495 config_ruleinfo->category = FIREWALL;
497 else if(strcmp(rule_opt[k]->content, "ids") == 0)
499 config_ruleinfo->category = IDS;
501 else if(strcmp(rule_opt[k]->content, "syslog") == 0)
503 config_ruleinfo->category = SYSLOG;
505 else if(strcmp(rule_opt[k]->content, "web-log") == 0)
507 config_ruleinfo->category = WEBLOG;
509 else if(strcmp(rule_opt[k]->content, "squid") == 0)
511 config_ruleinfo->category = SQUID;
513 else if(strcmp(rule_opt[k]->content,"windows") == 0)
515 config_ruleinfo->category = WINDOWS;
517 else if(strcmp(rule_opt[k]->content,"ossec") == 0)
519 config_ruleinfo->category = OSSEC_RL;
523 merror(INVALID_CAT, __local_name, rule_opt[k]->content);
527 else if(strcasecmp(rule_opt[k]->element,xml_if_sid)==0)
529 config_ruleinfo->if_sid=
530 os_LoadString(config_ruleinfo->if_sid,
531 rule_opt[k]->content);
533 else if(strcasecmp(rule_opt[k]->element,xml_if_level)==0)
/* if_level must be all digits; it is still stored as a string. */
535 if(!OS_StrIsNum(rule_opt[k]->content))
537 merror(INVALID_CONFIG, __local_name,
539 rule_opt[k]->content);
543 config_ruleinfo->if_level=
544 os_LoadString(config_ruleinfo->if_level,
545 rule_opt[k]->content);
547 else if(strcasecmp(rule_opt[k]->element,xml_if_group)==0)
549 config_ruleinfo->if_group=
550 os_LoadString(config_ruleinfo->if_group,
551 rule_opt[k]->content);
/* Any if_matched_* option marks the rule as context-dependent; the
 * frequency/context sanity check after the loop relies on this flag. */
553 else if(strcasecmp(rule_opt[k]->element,
554 xml_if_matched_regex) == 0)
556 config_ruleinfo->context = 1;
558 os_LoadString(if_matched_regex,
559 rule_opt[k]->content);
561 else if(strcasecmp(rule_opt[k]->element,
562 xml_if_matched_group) == 0)
564 config_ruleinfo->context = 1;
566 os_LoadString(if_matched_group,
567 rule_opt[k]->content);
569 else if(strcasecmp(rule_opt[k]->element,
570 xml_if_matched_sid) == 0)
572 config_ruleinfo->context = 1;
573 if(!OS_StrIsNum(rule_opt[k]->content))
575 merror(INVALID_CONFIG, __local_name,
576 rule_opt[k]->element,
577 rule_opt[k]->content);
/* Unlike the attributes in _OS_GetRulesAttributes, the digit count is not
 * capped here, so a very long numeric string can overflow atoi(). */
580 config_ruleinfo->if_matched_sid =
581 atoi(rule_opt[k]->content);
584 else if(strcasecmp(rule_opt[k]->element,
585 xml_same_source_ip)==0)
587 config_ruleinfo->context_opts|= SAME_SRCIP;
589 else if(strcasecmp(rule_opt[k]->element,
590 xml_same_src_port)==0)
592 config_ruleinfo->context_opts|= SAME_SRCPORT;
594 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
595 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
597 else if(strcasecmp(rule_opt[k]->element,
598 xml_same_dst_port) == 0)
600 config_ruleinfo->context_opts|= SAME_DSTPORT;
602 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
603 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
605 else if(strcasecmp(rule_opt[k]->element,
606 xml_notsame_source_ip)==0)
/* NOTE(review): "&=" here (and for NOT_SAME_ID / NOT_SAME_USER /
 * NOT_SAME_AGENT below) differs from the "|=" used by every same_* option.
 * If NOT_SAME_SRCIP is a single-bit mask like its siblings, this never
 * sets the bit and instead clears every other context_opts bit already
 * set -- i.e. not_same_source_ip is silently ineffective and can wipe an
 * earlier same_* option.  Almost certainly meant to be "|=". */
608 config_ruleinfo->context_opts&= NOT_SAME_SRCIP;
/* NOTE(review): same_id, different_url and not_same_id are compared with
 * strcmp, so they are case-sensitive while every other element name is
 * matched case-insensitively. */
610 else if(strcmp(rule_opt[k]->element, xml_same_id) == 0)
612 config_ruleinfo->context_opts|= SAME_ID;
614 else if(strcmp(rule_opt[k]->element,
615 xml_different_url) == 0)
617 config_ruleinfo->context_opts|= DIFFERENT_URL;
619 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
620 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
622 else if(strcmp(rule_opt[k]->element,xml_notsame_id) == 0)
/* NOTE(review): see the "&=" remark on not_same_source_ip above. */
624 config_ruleinfo->context_opts&= NOT_SAME_ID;
626 else if(strcasecmp(rule_opt[k]->element,
629 config_ruleinfo->alert_opts |= DO_FTS;
631 else if(strcasecmp(rule_opt[k]->element,
634 config_ruleinfo->context_opts|= SAME_USER;
636 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
637 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
639 else if(strcasecmp(rule_opt[k]->element,
640 xml_notsame_user)==0)
/* NOTE(review): see the "&=" remark on not_same_source_ip above. */
642 config_ruleinfo->context_opts&= NOT_SAME_USER;
644 else if(strcasecmp(rule_opt[k]->element,
645 xml_same_location)==0)
647 config_ruleinfo->context_opts|= SAME_LOCATION;
648 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
649 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
651 else if(strcasecmp(rule_opt[k]->element,
652 xml_notsame_agent)==0)
/* NOTE(review): see the "&=" remark on not_same_source_ip above. */
654 config_ruleinfo->context_opts&= NOT_SAME_AGENT;
/* <options>: toggle mail/log alerting for this rule. */
656 else if(strcasecmp(rule_opt[k]->element,
659 if(strcmp("alert_by_email",
660 rule_opt[k]->content) == 0)
662 if(!(config_ruleinfo->alert_opts & DO_MAILALERT))
664 config_ruleinfo->alert_opts|= DO_MAILALERT;
667 else if(strcmp("no_email_alert",
668 rule_opt[k]->content) == 0)
670 if(config_ruleinfo->alert_opts & DO_MAILALERT)
/* NOTE(review): "0xfff - FLAG" only works while every alert_opts bit
 * lives below 0x1000; it also silently drops any higher bit.  The
 * idiomatic and future-proof form is "&= ~DO_MAILALERT" (same below
 * for DO_LOGALERT). */
672 config_ruleinfo->alert_opts&=0xfff-DO_MAILALERT;
675 else if(strcmp("log_alert",
676 rule_opt[k]->content) == 0)
678 if(!(config_ruleinfo->alert_opts & DO_LOGALERT))
680 config_ruleinfo->alert_opts|= DO_LOGALERT;
683 else if(strcmp("no_log", rule_opt[k]->content) == 0)
685 if(config_ruleinfo->alert_opts & DO_LOGALERT)
687 config_ruleinfo->alert_opts &=0xfff-DO_LOGALERT;
692 merror(XML_VALUEERR, __local_name, xml_options,
693 rule_opt[k]->content);
695 merror(INVALID_ELEMENT, __local_name,
696 rule_opt[k]->element,
697 rule_opt[k]->content);
/* <ignore>: pick the FTS fields to ignore.  Matching is by strstr, i.e.
 * substring: a token such as "username" sets both FTS_USER and FTS_NAME.
 * At least one field must match or the element is rejected. */
702 else if(strcasecmp(rule_opt[k]->element,
705 if(strstr(rule_opt[k]->content, "user") != NULL)
707 config_ruleinfo->ignore|=FTS_USER;
709 if(strstr(rule_opt[k]->content, "srcip") != NULL)
711 config_ruleinfo->ignore|=FTS_SRCIP;
713 if(strstr(rule_opt[k]->content, "dstip") != NULL)
715 config_ruleinfo->ignore|=FTS_DSTIP;
717 if(strstr(rule_opt[k]->content, "id") != NULL)
719 config_ruleinfo->ignore|=FTS_ID;
721 if(strstr(rule_opt[k]->content,"location")!= NULL)
723 config_ruleinfo->ignore|=FTS_LOCATION;
725 if(strstr(rule_opt[k]->content,"data")!= NULL)
727 config_ruleinfo->ignore|=FTS_DATA;
729 if(strstr(rule_opt[k]->content, "name") != NULL)
731 config_ruleinfo->ignore|=FTS_NAME;
734 if(!config_ruleinfo->ignore)
736 merror(INVALID_ELEMENT, __local_name,
737 rule_opt[k]->element,
738 rule_opt[k]->content);
/* <check_if_ignored>: same field selection, stored in ckignore. */
743 else if(strcasecmp(rule_opt[k]->element,
744 xml_check_if_ignored) == 0)
746 if(strstr(rule_opt[k]->content, "user") != NULL)
748 config_ruleinfo->ckignore|=FTS_USER;
750 if(strstr(rule_opt[k]->content, "srcip") != NULL)
752 config_ruleinfo->ckignore|=FTS_SRCIP;
754 if(strstr(rule_opt[k]->content, "dstip") != NULL)
756 config_ruleinfo->ckignore|=FTS_DSTIP;
758 if(strstr(rule_opt[k]->content, "id") != NULL)
760 config_ruleinfo->ckignore|=FTS_ID;
762 if(strstr(rule_opt[k]->content,"location")!= NULL)
764 config_ruleinfo->ckignore|=FTS_LOCATION;
766 if(strstr(rule_opt[k]->content,"data")!= NULL)
/* NOTE(review): copy-paste defect -- this is the check_if_ignored branch
 * but it writes the "ignore" mask instead of "ckignore".  Effect: a
 * <check_if_ignored>data</check_if_ignored> silently behaves like
 * <ignore>, and if "data" is the only field listed ckignore stays 0 and
 * the INVALID_ELEMENT error below fires.  Should be
 * "config_ruleinfo->ckignore|=FTS_DATA;". */
768 config_ruleinfo->ignore|=FTS_DATA;
770 if(strstr(rule_opt[k]->content, "name") != NULL)
772 config_ruleinfo->ckignore|=FTS_NAME;
775 if(!config_ruleinfo->ckignore)
777 merror(INVALID_ELEMENT, __local_name,
778 rule_opt[k]->element,
779 rule_opt[k]->content);
786 merror(XML_INVELEM, __local_name, rule_opt[k]->element);
795 /* Checking for a valid use of frequency */
/* Correlation options (any same_*/not_same_* flag, or a frequency
 * attribute) are meaningless without an if_matched_* anchor. */
796 if((config_ruleinfo->context_opts ||
797 config_ruleinfo->frequency) &&
798 !config_ruleinfo->context)
800 merror("%s: Invalid use of frequency/context options. "
801 "Missing if_matched on rule '%d'.",
802 __local_name, config_ruleinfo->sigid);
808 /* If if_matched_group we must have a if_sid or if_group */
/* Default the dependency to the matched group when neither was given. */
811 if(!config_ruleinfo->if_sid && !config_ruleinfo->if_group)
813 os_strdup(if_matched_group, config_ruleinfo->if_group);
818 /* If_matched_sid, we need to get the if_sid */
819 if(config_ruleinfo->if_matched_sid &&
820 !config_ruleinfo->if_sid &&
821 !config_ruleinfo->if_group)
/* 16-byte buffer, formatted with a 15-byte limit: safe either way, but the
 * two sizes should agree (use the same constant for both). */
823 os_calloc(16, sizeof(char), config_ruleinfo->if_sid);
824 snprintf(config_ruleinfo->if_sid, 15, "%d",
825 config_ruleinfo->if_matched_sid);
829 /* Checking the regexes */
/* Each collected pattern string is compiled into its OSRegex/OSMatch
 * object; a compile failure reports REGEX_COMPILE with the engine's error
 * text.  The guards (if(regex) etc.) around these blocks are elided. */
832 os_calloc(1, sizeof(OSRegex), config_ruleinfo->regex);
833 if(!OSRegex_Compile(regex, config_ruleinfo->regex, 0))
835 merror(REGEX_COMPILE, __local_name, regex,
836 config_ruleinfo->regex->error);
844 /* Adding in match */
847 os_calloc(1, sizeof(OSMatch), config_ruleinfo->match);
848 if(!OSMatch_Compile(match, config_ruleinfo->match, 0))
850 merror(REGEX_COMPILE, __local_name, match,
851 config_ruleinfo->match->error);
862 os_calloc(1, sizeof(OSMatch), config_ruleinfo->id);
863 if(!OSMatch_Compile(id, config_ruleinfo->id, 0))
865 merror(REGEX_COMPILE, __local_name, id,
866 config_ruleinfo->id->error);
877 os_calloc(1, sizeof(OSMatch), config_ruleinfo->srcport);
878 if(!OSMatch_Compile(srcport, config_ruleinfo->srcport, 0))
880 merror(REGEX_COMPILE, __local_name, srcport,
/* NOTE(review): wrong object -- this reports config_ruleinfo->id->error
 * for a srcport compile failure.  config_ruleinfo->id is only allocated
 * when an <id> option was given (it defaults to NULL), so a rule with a
 * bad srcport pattern and no <id> dereferences NULL here.  Should be
 * "config_ruleinfo->srcport->error". */
881 config_ruleinfo->id->error);
892 os_calloc(1, sizeof(OSMatch), config_ruleinfo->dstport);
893 if(!OSMatch_Compile(dstport, config_ruleinfo->dstport, 0))
895 merror(REGEX_COMPILE, __local_name, dstport,
/* NOTE(review): same mistake as srcport -- should be
 * "config_ruleinfo->dstport->error". */
896 config_ruleinfo->id->error);
904 /* Adding in status */
907 os_calloc(1, sizeof(OSMatch), config_ruleinfo->status);
908 if(!OSMatch_Compile(status, config_ruleinfo->status, 0))
910 merror(REGEX_COMPILE, __local_name, status,
911 config_ruleinfo->status->error);
919 /* Adding in hostname */
922 os_calloc(1, sizeof(OSMatch), config_ruleinfo->hostname);
923 if(!OSMatch_Compile(hostname, config_ruleinfo->hostname,0))
925 merror(REGEX_COMPILE, __local_name, hostname,
926 config_ruleinfo->hostname->error);
934 /* Adding extra data */
937 os_calloc(1, sizeof(OSMatch), config_ruleinfo->extra_data);
938 if(!OSMatch_Compile(extra_data,
939 config_ruleinfo->extra_data, 0))
941 merror(REGEX_COMPILE, __local_name, extra_data,
942 config_ruleinfo->extra_data->error);
950 /* Adding in program name */
953 os_calloc(1,sizeof(OSMatch),config_ruleinfo->program_name);
954 if(!OSMatch_Compile(program_name,
955 config_ruleinfo->program_name,0))
957 merror(REGEX_COMPILE, __local_name, program_name,
958 config_ruleinfo->program_name->error);
969 os_calloc(1, sizeof(OSMatch), config_ruleinfo->user);
970 if(!OSMatch_Compile(user, config_ruleinfo->user, 0))
972 merror(REGEX_COMPILE, __local_name, user,
973 config_ruleinfo->user->error);
984 os_calloc(1, sizeof(OSMatch), config_ruleinfo->url);
985 if(!OSMatch_Compile(url, config_ruleinfo->url, 0))
987 merror(REGEX_COMPILE, __local_name, url,
988 config_ruleinfo->url->error);
996 /* Adding matched_group */
999 os_calloc(1,sizeof(OSMatch),config_ruleinfo->if_matched_group);
1001 if(!OSMatch_Compile(if_matched_group,
1002 config_ruleinfo->if_matched_group,0))
1004 merror(REGEX_COMPILE, __local_name, if_matched_group,
1005 config_ruleinfo->if_matched_group->error);
/* The raw string is released once compiled; the compiled object lives on
 * in config_ruleinfo. */
1008 free(if_matched_group);
1009 if_matched_group = NULL;
1013 /* Adding matched_regex */
1014 if(if_matched_regex)
1016 os_calloc(1, sizeof(OSRegex),
1017 config_ruleinfo->if_matched_regex);
1018 if(!OSRegex_Compile(if_matched_regex,
1019 config_ruleinfo->if_matched_regex, 0))
1021 merror(REGEX_COMPILE, __local_name, if_matched_regex,
1022 config_ruleinfo->if_matched_regex->error);
1025 free(if_matched_regex);
1026 if_matched_regex = NULL;
1030 /* Calling the function provided. */
/* Ownership of config_ruleinfo passes to the callback; nothing in this
 * function frees it afterwards. */
1031 ruleact_function(config_ruleinfo, data);
1034 j++; /* next rule */
1037 } /* while(rule[j]) */
1041 } /* while (node[i]) */
1043 /* Cleaning global node */
1048 /* Done over here */
/*
 * _OS_AllocateRule: allocate a zeroed RuleInfo and install the loader's
 * defaults.  sigid and level start at -1 so OS_ReadXMLRules can reject a
 * <rule> that lacks either attribute; category defaults to SYSLOG; every
 * other counter, flag and pointer starts out zero/NULL.
 *
 * Returns the new rule.  Never returns NULL: an allocation failure is routed
 * through ErrorExit(MEM_ERROR, ...), which is expected not to return.
 * The caller owns the returned object.
 */
RuleInfo *_OS_AllocateRule()
{
    RuleInfo *rule = calloc(1, sizeof(*rule));

    if (rule == NULL) {
        ErrorExit(MEM_ERROR, __local_name);
    }

    /* Sentinels that the attribute parser must overwrite. */
    rule->sigid = -1;
    rule->level = -1;

    /* Category used when the rule does not name one. */
    rule->category = SYSLOG;

    /* calloc already zeroed the block; the stores below are kept so the
     * complete default set is spelled out in one place. */
    rule->ar = NULL;
    rule->context = 0;
    rule->firedtimes = 0;
    rule->maxsize = 0;
    rule->frequency = 0;
    rule->ignore_time = 0;
    rule->timeframe = 0;
    rule->time_ignored = 0;
    rule->context_opts = 0;
    rule->alert_opts = 0;
    rule->ignore = 0;
    rule->ckignore = 0;
    rule->decoded_as = 0;
    rule->if_matched_sid = 0;

    /* Time-of-day / day-of-week restrictions. */
    rule->day_time = NULL;
    rule->week_day = NULL;

    /* Descriptive and primary-match fields. */
    rule->group = NULL;
    rule->regex = NULL;
    rule->match = NULL;
    rule->comment = NULL;
    rule->info = NULL;
    rule->cve = NULL;

    /* Dependency / correlation fields. */
    rule->if_sid = NULL;
    rule->if_group = NULL;
    rule->if_level = NULL;
    rule->if_matched_regex = NULL;
    rule->if_matched_group = NULL;

    /* Per-field matchers. */
    rule->user = NULL;
    rule->srcip = NULL;
    rule->srcport = NULL;
    rule->dstip = NULL;
    rule->dstport = NULL;
    rule->url = NULL;
    rule->id = NULL;
    rule->status = NULL;
    rule->hostname = NULL;
    rule->program_name = NULL;
    rule->action = NULL;

    /* Runtime state: last matched events and previous-match lists. */
    rule->__frequency = 0;
    rule->last_events = NULL;
    rule->sid_prev_matched = NULL;
    rule->group_prev_matched = NULL;
    rule->sid_search = NULL;
    rule->group_search = NULL;
    rule->event_search = NULL;

    return rule;
}
1144 /** int _OS_GetRulesAttributes
1145 * Reads the rules attributes and assign them.
 *
 * Walks the parallel attributes[]/values[] arrays of one <rule> element and
 * stores each recognised attribute in ruleinfo_pt.  Numeric attributes are
 * accepted only when OS_StrIsNum() says the value is all digits AND the
 * digit count is capped (6 for id, 3 for level, 4 for maxsize/frequency/
 * ignore, 5 for timeframe), which keeps atoi() clear of int overflow.
 * Empty values, malformed numbers and unknown attributes are reported with
 * merror(); the corresponding return statements, the loop counter k and
 * the function's closing lines are elided from this listing.  The caller
 * (OS_ReadXMLRules) treats a negative return as RL_INV_ATTR.
 */
1147 int _OS_GetRulesAttributes(char **attributes, char **values,
1148 RuleInfo *ruleinfo_pt)
1152 char *xml_id = "id";
1153 char *xml_level = "level";
1154 char *xml_maxsize = "maxsize";
1155 char *xml_timeframe = "timeframe";
1156 char *xml_frequency = "frequency";
1157 char *xml_accuracy = "accuracy";
1158 char *xml_noalert = "noalert";
/* The ignore="..." ATTRIBUTE is a time (ignore_time).  It is unrelated to
 * the <ignore> child ELEMENT that selects FTS fields in OS_ReadXMLRules. */
1159 char *xml_ignore_time = "ignore";
1160 char *xml_overwrite = "overwrite";
1163 /* Getting attributes */
1164 while(attributes[k])
/* Empty attribute value: rejected (the condition line is elided). */
1168 merror(RL_EMPTY_ATTR, __local_name, attributes[k]);
1171 /* Getting rule Id */
1172 else if(strcasecmp(attributes[k], xml_id) == 0)
/* At most 6 digits: 999999 fits an int, so atoi cannot overflow here. */
1174 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 6 ))
1176 ruleinfo_pt->sigid = atoi(values[k]);
1180 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
/* Level: up to 3 digits (0..999); the caller rejects a rule whose level is
 * still the -1 default. */
1185 else if(strcasecmp(attributes[k],xml_level) == 0)
1187 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 3))
1189 ruleinfo_pt->level = atoi(values[k]);
1193 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
1197 /* Getting maxsize */
1198 else if(strcasecmp(attributes[k],xml_maxsize) == 0)
1200 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 4))
1202 ruleinfo_pt->maxsize = atoi(values[k]);
1204 /* adding EXTRAINFO options */
/* A positive maxsize needs the extra-info alert fields. */
1205 if(ruleinfo_pt->maxsize > 0 &&
1206 !(ruleinfo_pt->alert_opts & DO_EXTRAINFO))
1208 ruleinfo_pt->alert_opts |= DO_EXTRAINFO;
1213 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
1217 /* Getting timeframe */
1218 else if(strcasecmp(attributes[k],xml_timeframe) == 0)
1220 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 5))
1222 ruleinfo_pt->timeframe = atoi(values[k]);
1226 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
1230 /* Getting frequency */
1231 else if(strcasecmp(attributes[k],xml_frequency) == 0)
1233 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 4))
1235 ruleinfo_pt->frequency = atoi(values[k]);
1239 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
/* accuracy is accepted but ignored (warning only). */
1244 else if(strcasecmp(attributes[k],xml_accuracy) == 0)
1246 merror("%s: XXX: Use of 'accuracy' isn't supported. Ignoring.",
1249 /* Rule ignore_time */
1250 else if(strcasecmp(attributes[k],xml_ignore_time) == 0)
1252 if(OS_StrIsNum(values[k]) && (strlen(values[k]) <= 4))
1254 ruleinfo_pt->ignore_time = atoi(values[k]);
1258 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
/* NOTE(review): the attribute's value is never read -- noalert="no" still
 * sets NO_ALERT.  Either document "presence means on" or validate the
 * value the way overwrite does below. */
1263 else if(strcasecmp(attributes[k],xml_noalert) == 0)
1265 ruleinfo_pt->alert_opts |= NO_ALERT;
/* overwrite accepts exactly "yes" or "no" (case-sensitive); "no" is a
 * no-op and anything else is XML_VALUEERR. */
1267 else if(strcasecmp(attributes[k], xml_overwrite) == 0)
1269 if(strcmp(values[k], "yes") == 0)
1271 ruleinfo_pt->alert_opts |= DO_OVERWRITE;
1273 else if(strcmp(values[k], "no") == 0)
1278 merror(XML_VALUEERR,__local_name, attributes[k], values[k]);
/* Unknown attribute name. */
1284 merror(XML_INVELEM, __local_name, attributes[k]);
1295 void OS_PrintRuleinfo(RuleInfo *rule)
1297 debug1("%s: __local_name: Print Rule:%d, level %d, ignore: %d, frequency:%d",