3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 2) as published by the FSF - Free Software
11 * License details at the LICENSE file included with OSSEC or
12 * online at: http://www.ossec.net/en/licensing.html
17 #include "os_regex/os_regex.h"
18 #include "os_xml/os_xml.h"
21 #include "eventinfo.h"
27 * Will use the osdecoders to decode the received event.
/* Decode one event by walking the osdecoder list selected by the event's
 * program name: the program name is matched first, then the prematch, then
 * the regex, and each captured regex sub-string is handed to the field
 * handler registered in nnode->order[].  lf->decoder_info is set to the
 * decoder that matched.  Only a partial listing of this function is shown
 * here; loop bodies, the llog assignments and several early returns are
 * elided, so comments below describe only the visible statements.
 *
 * lf: the event being decoded.  lf->log is the raw log line (untrusted
 *     input); lf->program_name / lf->p_name_size hold the already parsed
 *     program name.  Sub-strings captured from lf->log are either passed to
 *     a field handler (which then owns them) or freed here.
 */
29 void DecodeEvent(Eventinfo *lf)
32 OSDecoderNode *child_node;
38 char *regex_prev = NULL;
/* The decoder chain to try is keyed by the event's program name. */
41 node = OS_GetFirstOSDecoder(lf->program_name);
44 /* Return if no node...
45 * This shouldn't happen here anyways.
54 print_out("\n**Phase 2: Completed decoding.");
60 nnode = node->osdecoder;
63 /* First checking program name */
/* Length-bounded match: p_name_size is passed explicitly instead of
 * relying on NUL termination of program_name. */
66 if(!OSMatch_Execute(lf->program_name, lf->p_name_size,
75 /* If prematch fails, go to the next osdecoder in the list */
/* The prematch runs against the raw log line; its return value (pmatch)
 * presumably marks where the match ended -- see AFTER_PARENT /
 * AFTER_PREMATCH offsets below. */
78 if(!(pmatch = OSRegex_Execute(lf->log, nnode->prematch)))
/* alert_only is presumably a global verbosity flag defined elsewhere.
 * The format string is a literal; the decoder name is only a %s argument. */
90 if(!alert_only)print_out(" decoder: '%s'", nnode->name);
/* Remember the parent decoder that matched; a matching child below
 * replaces it. */
94 lf->decoder_info = nnode;
97 child_node = node->child;
100 /* If no child node is set, set the child node
101 * as if it were the child (ugh)
110 /* Check if we have any child osdecoder */
113 nnode = child_node->osdecoder;
116 /* If we have a pre match and it matches, keep
117 * going. If we don't have a prematch, stop
118 * and go for the regexes.
124 /* If we have an offset set, use it */
/* Offset flag on the child's prematch; the corresponding llog assignment
 * is not visible in this listing (presumably llog starts at pmatch). */
125 if(nnode->prematch_offset & AFTER_PARENT)
/* A child whose prematch hits becomes the effective decoder. */
134 if((cmatch = OSRegex_Execute(llog, nnode->prematch)))
139 lf->decoder_info = nnode;
151 /* If we have multiple regex-only childs,
152 * do not attempt to go any further with them.
154 if(child_node->osdecoder->get_next)
158 child_node = child_node->next;
/* Sibling walk stops at the end of the list or at a child that is not a
 * regex-only continuation (get_next unset). */
159 }while(child_node && child_node->osdecoder->get_next);
164 child_node = child_node->next;
169 child_node = child_node->next;
176 /* Nothing matched */
181 /* If we have a external decoder, execute it */
/* NOTE(review): the plugin decoder receives the whole event, including the
 * untrusted lf->log; any validation of that input lives in the plugin
 * itself, not here -- confirm per plugin when reviewing. */
182 if(nnode->plugindecoder)
184 nnode->plugindecoder(lf);
189 /* Getting the regex */
196 /* With regex we have multiple options
197 * regarding the offset:
198 * after the prematch,
200 * after some previous regex,
/* regex_offset is a flag word; the three visible flags select where in the
 * log the regex starts.  The llog assignments for each branch are elided
 * from this listing. */
203 if(nnode->regex_offset)
205 if(nnode->regex_offset & AFTER_PARENT)
209 else if(nnode->regex_offset & AFTER_PREMATCH)
213 else if(nnode->regex_offset & AFTER_PREVREGEX)
226 /* If Regex does not match, return */
/* On success regex_prev points past the match (used by AFTER_PREVREGEX)
 * and nnode->regex->sub_strings[] holds the captures. */
227 if(!(regex_prev = OSRegex_Execute(llog, nnode->regex)))
/* On mismatch, move to the next regex-only sibling.  child_node->next is
 * dereferenced without a NULL check here; presumably guarded by get_next on
 * the path not shown -- confirm. */
231 child_node = child_node->next;
232 nnode = child_node->osdecoder;
239 /* Fixing next pointer */
/* Dispatch each captured sub-string.  A capture handed to a field handler
 * (order[i]) is owned by that handler from then on, so the slot is cleared
 * rather than freed; captures with no handler are freed below.  Either way
 * sub_strings[i] is NULLed so nothing here is freed twice or reused on the
 * next event. */
240 if(*regex_prev != '\0')
243 while(nnode->regex->sub_strings[i])
247 nnode->order[i](lf, nnode->regex->sub_strings[i]);
248 nnode->regex->sub_strings[i] = NULL;
253 /* We do not free any memory used above */
254 os_free(nnode->regex->sub_strings[i]);
255 nnode->regex->sub_strings[i] = NULL;
259 /* If we have a next regex, try getting it */
262 child_node = child_node->next;
263 nnode = child_node->osdecoder;
270 /* If we don't have a regex, we may leave now */
/* Outer loop: try the next osdecoder registered for this program name. */
276 }while((node=node->next) != NULL);
281 print_out(" No decoder matched.");
288 /*** Event decoders ****/
/* Field handler for the "dstuser" capture.  Called from DecodeEvent with
 * one regex sub-string; the caller drops its own reference afterwards, so
 * this handler is expected to retain `field` in lf (the assignment and
 * return value are not shown in this listing).  `field` is only ever a %s
 * argument to a literal format string. */
289 void *DstUser_FP(Eventinfo *lf, char *field)
292 if(!alert_only)print_out(" dstuser: '%s'", field);
/* Field handler for the "srcuser" capture.  Receives one regex sub-string
 * from DecodeEvent, which clears its own pointer after the call; the
 * handler is expected to keep `field` in lf (assignment and return not
 * visible here).  Logging uses a literal format with `field` as a %s arg. */
298 void *SrcUser_FP(Eventinfo *lf, char *field)
301 if(!alert_only)print_out(" srcuser: '%s'", field);
/* Field handler for the "srcip" capture.  `field` is a heap sub-string
 * captured from the untrusted log line; DecodeEvent drops its reference
 * after this call, so the handler presumably stores it in lf (not shown).
 * No IP-format validation is visible in this listing. */
307 void *SrcIP_FP(Eventinfo *lf, char *field)
310 if(!alert_only)print_out(" srcip: '%s'", field);
/* Field handler for the "dstip" capture.  Same contract as SrcIP_FP: the
 * caller gives up its pointer to `field`, the handler is expected to keep
 * it in lf (assignment not shown), and the value is logged only as a %s
 * argument.  No IP-format validation is visible here. */
316 void *DstIP_FP(Eventinfo *lf, char *field)
319 if(!alert_only)print_out(" dstip: '%s'", field);
/* Field handler for the "srcport" capture.  `field` is kept as a string
 * (no numeric conversion is visible here); ownership passes from
 * DecodeEvent to this handler, which presumably stores it in lf. */
325 void *SrcPort_FP(Eventinfo *lf, char *field)
328 if(!alert_only)print_out(" srcport: '%s'", field);
/* Field handler for the "dstport" capture.  Mirrors SrcPort_FP: string
 * kept as-is, ownership of `field` passes from DecodeEvent to the handler
 * (storing assignment not shown in this listing). */
334 void *DstPort_FP(Eventinfo *lf, char *field)
337 if(!alert_only)print_out(" dstport: '%s'", field);
/* Field handler for the "proto" capture.  Stores the captured sub-string
 * directly in lf->protocol; DecodeEvent clears its own pointer after the
 * call, so lf now owns `field` and is responsible for freeing it.  The
 * return statement is not shown in this listing. */
343 void *Protocol_FP(Eventinfo *lf, char *field)
346 if(!alert_only)print_out(" proto: '%s'", field);
/* Ownership of field transfers to the event here. */
349 lf->protocol = field;
/* Field handler for the "action" capture.  Receives one regex sub-string
 * whose ownership DecodeEvent relinquishes after the call; the handler is
 * expected to store it in lf (assignment not visible here).  Logged only as
 * a %s argument to a literal format. */
352 void *Action_FP(Eventinfo *lf, char *field)
355 if(!alert_only)print_out(" action: '%s'", field);
/* Field handler for the "id" capture.  Same contract as the other *_FP
 * handlers: `field` is a heap sub-string handed over by DecodeEvent and is
 * presumably retained in lf (assignment not shown). */
361 void *ID_FP(Eventinfo *lf, char *field)
364 if(!alert_only)print_out(" id: '%s'", field);
/* Field handler for the "url" capture.  `field` comes straight from the
 * untrusted log line; no decoding or validation of the URL is visible in
 * this listing.  Ownership passes from DecodeEvent to this handler, which
 * presumably stores it in lf (assignment not shown). */
370 void *Url_FP(Eventinfo *lf, char *field)
373 if(!alert_only)print_out(" url: '%s'", field);
/* Field handler for the "extra_data" capture.  Generic catch-all field;
 * `field` is a heap sub-string that DecodeEvent stops referencing after
 * this call, so the handler is expected to keep it in lf (not shown). */
379 void *Data_FP(Eventinfo *lf, char *field)
382 if(!alert_only)print_out(" extra_data: '%s'", field);
/* Field handler for the "status" capture.  Ownership of `field` passes
 * from DecodeEvent to this handler; the storing assignment and the return
 * statement are not visible in this listing. */
388 void *Status_FP(Eventinfo *lf, char *field)
391 if(!alert_only)print_out(" status: '%s'", field);
/* Field handler for the "system_name" capture.  Stores the captured
 * sub-string directly in lf->systemname; since DecodeEvent NULLs its own
 * pointer after the call, lf owns `field` from here on and must free it.
 * The return statement is not shown in this listing. */
397 void *SystemName_FP(Eventinfo *lf, char *field)
400 if(!alert_only)print_out(" system_name: '%s'", field);
/* Ownership of field transfers to the event here. */
403 lf->systemname = field;
406 void *None_FP(Eventinfo *lf, char *field)