1 /* @(#) $Id: decoder.c,v 1.42 2009/06/24 17:06:23 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
11 * License details at the LICENSE file included with OSSEC or
12 * online at: http://www.ossec.net/en/licensing.html
17 #include "os_regex/os_regex.h"
18 #include "os_xml/os_xml.h"
21 #include "eventinfo.h"
27 * Uses the osdecoders to decode the received event.
29 void DecodeEvent(Eventinfo *lf)
32 OSDecoderNode *child_node;
38 char *regex_prev = NULL; /* last successful regex match (set below); presumably consumed by the AFTER_PREVREGEX offset branch, whose body is elided in this listing */
/* Decoder candidates are selected by the event's program name. */
41 node = OS_GetFirstOSDecoder(lf->program_name);
44 /* Return if no node...
45 * This shouldn't happen here anyway.
/* print_out() calls in this function look like trace output; presumably
 * compiled only for the test build (TESTRULE) -- confirm against the
 * elided #ifdef lines. */
52 print_out("\n**Phase 2: Completed decoding.");
57 nnode = node->osdecoder;
60 /* First checking program name */
63 if(!OSMatch_Execute(lf->program_name, lf->p_name_size,
72 /* If prematch fails, go to the next osdecoder in the list */
/* The prematch runs against the raw, untrusted log line. */
75 if(!(pmatch = OSRegex_Execute(lf->log, nnode->prematch)))
87 print_out(" decoder: '%s'", nnode->name);
/* Record the matching parent decoder; may be replaced by a child below. */
91 lf->decoder_info = nnode;
94 child_node = node->child;
97 /* If no child node is set, set the child node
98 * as if it were the child (ugh)
107 /* Check if we have any child osdecoder */
110 nnode = child_node->osdecoder;
113 /* If we have a pre match and it matches, keep
114 * going. If we don't have a prematch, stop
115 * and go for the regexes.
121 /* If we have an offset set, use it */
/* Offsets are bit flags; only AFTER_PARENT is tested for a child prematch. */
122 if(nnode->prematch_offset & AFTER_PARENT)
131 if((cmatch = OSRegex_Execute(llog, nnode->prematch)))
/* A matching child becomes the decoder of record. */
136 lf->decoder_info = nnode;
148 /* If we have multiple regex-only children,
149 * do not attempt to go any further with them.
151 if(child_node->osdecoder->get_next)
155 child_node = child_node->next;
156 }while(child_node && child_node->osdecoder->get_next);
161 child_node = child_node->next;
166 child_node = child_node->next;
173 /* Nothing matched */
178 /* If we have an external decoder, execute it */
/* The plugin runs with the same trust as the built-in decoders and
 * receives the whole event; nothing visible here checks what it
 * writes into lf. */
179 if(nnode->plugindecoder)
181 nnode->plugindecoder(lf);
186 /* Getting the regex */
193 /* With regex we have multiple options
194 * regarding the offset:
195 * after the prematch,
197 * after some previous regex,
/* Checked in priority order: parent, prematch, previous regex.
 * Presumably each branch advances llog to the matching position;
 * the branch bodies are elided in this listing. */
200 if(nnode->regex_offset)
202 if(nnode->regex_offset & AFTER_PARENT)
206 else if(nnode->regex_offset & AFTER_PREMATCH)
210 else if(nnode->regex_offset & AFTER_PREVREGEX)
223 /* If Regex does not match, return */
224 if(!(regex_prev = OSRegex_Execute(llog, nnode->regex)))
/* NOTE(review): child_node->next is dereferenced on the next line without
 * a visible NULL check; the guard, if any, is in the elided lines -- confirm. */
228 child_node = child_node->next;
229 nnode = child_node->osdecoder;
236 /* Fixing next pointer */
/* regex_prev is non-NULL here only if the failed-match branch above
 * leaves the function/loop (elided); it points into the event text. */
237 if(*regex_prev != '\0')
/* Hand each captured substring to its field callback. The slot is
 * nulled after the call and NOT freed, so ownership of the substring
 * passes to the callback (it typically ends up referenced from lf). */
240 while(nnode->regex->sub_strings[i])
244 nnode->order[i](lf, nnode->regex->sub_strings[i]);
245 nnode->regex->sub_strings[i] = NULL;
250 /* No callback claimed this substring above (claimed ones are kept,
 * not freed), so release it here. */
251 os_free(nnode->regex->sub_strings[i]);
252 nnode->regex->sub_strings[i] = NULL;
256 /* If we have a next regex, try getting it */
/* NOTE(review): same unguarded child_node->next dereference as above -- confirm. */
259 child_node = child_node->next;
260 nnode = child_node->osdecoder;
267 /* If we don't have a regex, we may leave now */
/* Outer loop: try the next osdecoder for this program name. */
273 }while((node=node->next) != NULL);
276 print_out(" No decoder matched.");
282 /*** Event decoders ****/
/* Field callback for "dstuser" (presumably installed as an order[] entry,
 * see DecodeEvent). DecodeEvent nulls its sub_strings[] slot right after
 * the call and frees only slots without a callback, so `field` is owned by
 * the callee/lf from here on. Only the trace print is visible here; the
 * store into lf is elided in this listing. */
283 void *DstUser_FP(Eventinfo *lf, char *field)
286 print_out(" dstuser: '%s'", field);
/* Field callback for "srcuser". Takes ownership of `field`: DecodeEvent
 * nulls its sub_strings[] slot after the call without freeing it. The
 * store into lf is elided in this listing. */
292 void *SrcUser_FP(Eventinfo *lf, char *field)
295 print_out(" srcuser: '%s'", field);
/* Field callback for "srcip". Takes ownership of `field`: DecodeEvent
 * nulls its sub_strings[] slot after the call without freeing it. The
 * store into lf is elided in this listing. */
301 void *SrcIP_FP(Eventinfo *lf, char *field)
304 print_out(" srcip: '%s'", field);
/* Field callback for "dstip". Takes ownership of `field`: DecodeEvent
 * nulls its sub_strings[] slot after the call without freeing it. The
 * store into lf is elided in this listing. */
310 void *DstIP_FP(Eventinfo *lf, char *field)
313 print_out(" dstip: '%s'", field);
/* Field callback for "srcport". Takes ownership of `field`: DecodeEvent
 * nulls its sub_strings[] slot after the call without freeing it. The
 * store into lf is elided in this listing. */
319 void *SrcPort_FP(Eventinfo *lf, char *field)
322 print_out(" srcport: '%s'", field);
/* Field callback for "dstport". Takes ownership of `field`: DecodeEvent
 * nulls its sub_strings[] slot after the call without freeing it. The
 * store into lf is elided in this listing. */
328 void *DstPort_FP(Eventinfo *lf, char *field)
331 print_out(" dstport: '%s'", field);
/* Field callback for "proto". Takes ownership of `field`: DecodeEvent
 * nulls its sub_strings[] slot after the call without freeing it. */
337 void *Protocol_FP(Eventinfo *lf, char *field)
340 print_out(" proto: '%s'", field);
/* Pointer is stored, not copied: lf->protocol aliases the substring
 * buffer handed over by DecodeEvent, so it lives as long as lf does. */
343 lf->protocol = field;
/* Field callback for "action". Takes ownership of `field`: DecodeEvent
 * nulls its sub_strings[] slot after the call without freeing it. The
 * store into lf is elided in this listing. */
346 void *Action_FP(Eventinfo *lf, char *field)
349 print_out(" action: '%s'", field);
/* Field callback for "id". Takes ownership of `field`: DecodeEvent
 * nulls its sub_strings[] slot after the call without freeing it. The
 * store into lf is elided in this listing. */
355 void *ID_FP(Eventinfo *lf, char *field)
358 print_out(" id: '%s'", field);
/* Field callback for "url". Takes ownership of `field`: DecodeEvent
 * nulls its sub_strings[] slot after the call without freeing it. The
 * store into lf is elided in this listing. */
364 void *Url_FP(Eventinfo *lf, char *field)
367 print_out(" url: '%s'", field);
/* Field callback for "extra_data". Takes ownership of `field`: DecodeEvent
 * nulls its sub_strings[] slot after the call without freeing it. The
 * store into lf is elided in this listing. */
373 void *Data_FP(Eventinfo *lf, char *field)
376 print_out(" extra_data: '%s'", field);
/* Field callback for "status". Takes ownership of `field`: DecodeEvent
 * nulls its sub_strings[] slot after the call without freeing it. The
 * store into lf is elided in this listing. */
382 void *Status_FP(Eventinfo *lf, char *field)
385 print_out(" status: '%s'", field);
/* Field callback for "system_name". Takes ownership of `field`: DecodeEvent
 * nulls its sub_strings[] slot after the call without freeing it. */
391 void *SystemName_FP(Eventinfo *lf, char *field)
394 print_out(" system_name: '%s'", field);
/* Pointer is stored, not copied: lf->systemname aliases the substring
 * buffer handed over by DecodeEvent, so it lives as long as lf does. */
397 lf->systemname = field;
400 void *None_FP(Eventinfo *lf, char *field)