1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
10 #include "eventinfo.h"
15 /* Note: If the rule fails to match it should return NULL.
16 * If you want processing to continue, return lf (the eventinfo structure).
19 /* Example 1: Comparing if the srcuser and dstuser are the same
20 * If they are the same, return true
21 * If any of them is not set, return true too
/* Sample compiled rule: treat the event as a match when srcuser and
 * dstuser are the same, or when either of them is absent (see the note
 * above the function). Only the NULL guard, the comparison and a trailing
 * comment are visible in this excerpt; the return statements sit on
 * elided lines. Compiled-rule contract (file header): NULL = no match,
 * lf = match / keep processing. */
23 void *comp_srcuser_dstuser(Eventinfo *lf)
25 if (!lf->srcuser || !lf->dstuser) {
/* Guarding both pointers here is what makes the strcmp() below safe;
 * strcmp() on a NULL field would be undefined behavior. */
29 if (strcmp(lf->srcuser, lf->dstuser) == 0) {
33 /* In here, srcuser and dstuser are present and are different */
37 /* Example 2: Checking if the size of the id field is larger than 10 */
38 void *check_id_size(Eventinfo *lf)
/* NOTE(review): the lines between the signature and this strlen() are
 * elided in this excerpt; confirm that lf->id is checked for NULL there
 * (strlen(NULL) is undefined behavior). The threshold 10 is a bare magic
 * number -- a named constant would document what "large" means here. */
44 if (strlen(lf->id) >= 10) {
51 /* Example 3: Comparing the Target Account Name and Caller User Name on Windows logs
52 * It will return NULL (not match) if any of these values
53 * are not present or if they are the same.
54 * This function will return TRUE if they are NOT the same.
/* Sample compiled rule for Windows security logs: match only when the
 * "Target Account Name" and "Caller User Name" values differ. Both labels
 * are located in lf->log with strstr(); each value starts after its ':'
 * and is compared byte by byte until the target value ends or a field
 * terminator ('\t' or a double space) is reached. Returns NULL when a
 * label or separator is missing or the values are equal (see the trailing
 * comment); the return statements themselves are on elided lines.
 * NOTE(review): lf->log is dereferenced without a visible NULL check;
 * confirm the elided declarations/guards above the strstr() calls. */
56 void *comp_mswin_targetuser_calleruser_diff(Eventinfo *lf)
61 target_user = strstr(lf->log, "Target Account Name");
62 caller_user = strstr(lf->log, "Caller User Name");
64 if (!target_user || !caller_user) {
68 /* We need to clear each user type and finish the string.
70 * Target Account Name: account\t
71 * Caller User Name: account\t
73 target_user = strchr(target_user, ':');
74 caller_user = strchr(caller_user, ':');
/* strchr() returns NULL if a label is not followed by ':', hence the
 * second guard before the pointers are walked. */
76 if (!target_user || !caller_user) {
/* The mismatch test comes before the terminator test, so a caller value
 * shorter than the target value stops the loop at its own '\0' (the bytes
 * differ) rather than reading past it -- provided the elided lines advance
 * both pointers only after these checks. The comparison is case-sensitive
 * and does not trim whitespace, so "Admin" vs "admin" counts as different
 * and would raise an alert. */
83 while (*target_user != '\0') {
84 if (*target_user != *caller_user) {
88 if (*target_user == '\t' ||
89 (*target_user == ' ' && target_user[1] == ' ')) {
97 /* If we got in here, the accounts are the same.
98 * So, we return NULL since we only want to alert if they are different.
103 /* Example 4: Checking if a HTTP request is a simple GET/POST without a query
104 * This avoids calling the attack rules for no reason.
/* Sample compiled rule: match (return lf) when the request is a plain
 * "/" or carries no query string, so the costlier attack rules can be
 * skipped; only the two tests and their comments are visible here, the
 * return statements are on elided lines. The classification looks at
 * nothing but the presence of '?' in lf->url -- the path itself, the
 * method and the headers are not inspected -- so this is a fast-path
 * filter, not a content check.
 * NOTE(review): lf->url is dereferenced without a visible NULL check;
 * confirm the elided lines between the signature and the strcmp() below. */
106 void *is_simple_http_request(Eventinfo *lf)
113 /* Simple GET / request */
114 if (strcmp(lf->url, "/") == 0) {
118 /* Simple request, no query */
119 if (!strchr(lf->url, '?')) {
123 /* In here, we have an additional query to be checked */
127 /* Example 5: Checking if the source IP is from a valid bot */
128 void *is_valid_crawler(Eventinfo *lf)
130 if ((strncmp(lf->log, "66.249.", 7) == 0) || /* Google bot */
131 (strncmp(lf->log, "72.14.", 6) == 0) || /* Feedfetcher-Google */
132 (strncmp(lf->log, "209.85.", 7) == 0) || /* Feedfetcher-Google */
133 (strncmp(lf->log, "65.55.", 6) == 0) || /* MSN/Bing */
134 (strncmp(lf->log, "207.46.", 7) == 0) || /* MSN/Bing */
135 (strncmp(lf->log, "74.6.", 5) == 0) || /* Yahoo */
136 (strncmp(lf->log, "72.30.", 6) == 0) || /* Yahoo */
137 (strncmp(lf->log, "67.195.", 7) == 0) /* Yahoo */