1 /* @(#) $Id: generic_samples.c,v 1.2 2009/06/24 17:06:23 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
11 * License details at the LICENSE file included with OSSEC or
12 * online at: http://www.ossec.net/en/licensing.html
17 #include "eventinfo.h"
22 /** Note: if the rule does not match, it should return NULL.
23 * If you want processing to continue, return lf (the Eventinfo structure).
29 * Compares srcuser and dstuser. If they are the same,
31 * If either of them is not set, return true as well.
33 void *comp_srcuser_dstuser(Eventinfo *lf)
35 if(!lf->srcuser || !lf->dstuser)
40 if(strcmp(lf->srcuser, lf->dstuser) == 0)
46 /* In here, srcuser and dstuser are present and are different. */
53 * Checks whether the id field is at least 10 characters long (strlen(lf->id) >= 10); lf->id must be non-NULL for the strlen call to be safe.
55 void *check_id_size(Eventinfo *lf)
62 if(strlen(lf->id) >= 10)
73 * Compares the Target Account Name and Caller User Name.
75 * It returns NULL (no match) if either of these values
76 * is not present or if they are the same.
77 * It returns TRUE if they are NOT the same.
79 void *comp_mswin_targetuser_calleruser_diff(Eventinfo *lf)
85 target_user = strstr(lf->log, "Target Account Name");
86 caller_user = strstr(lf->log, "Caller User Name");
88 if(!target_user || !caller_user)
94 /* We need to clear each user type and finish the string.
96 * Target Account Name: account\t
97 * Caller User Name: account\t
99 target_user = strchr(target_user, ':');
100 caller_user = strchr(caller_user, ':');
102 if(!target_user || !caller_user)
112 while(*target_user != '\0')
114 if(*target_user != *caller_user)
117 if(*target_user == '\t' ||
118 (*target_user == ' ' && target_user[1] == ' '))
121 target_user++;caller_user++;
125 /* If we got in here, the accounts are the same.
126 * So, we return NULL since we only want to alert if they are different.
132 /* END generic samples. */