1 /* @(#) $Id: ./src/analysisd/eventinfo.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
12 * License details at the LICENSE file included with OSSEC or
13 * online at: http://www.ossec.net/en/licensing.html
18 * Available at http://www.ossec.net
24 #include "analysisd.h"
25 #include "eventinfo.h"
26 #include "os_regex/os_regex.h"
29 /* Search last times a signature fired
30 * Will look for only that specific signature.
 *
 * Walks currently_rule->sid_search from its last node backwards
 * (lf_node->prev) and, for every earlier event still inside
 * currently_rule->timeframe, applies the rule's context options
 * (SAME_ID, SAME_SRCIP, SAME_SRCPORT, SAME_DSTPORT, SAME_USER,
 * SAME_LOCATION, DIFFERENT_URL), counting the events that pass in
 * currently_rule->__frequency.
 *
 * Side effects: resets __frequency, stores the logs of counted
 * events in currently_rule->last_events[], and sets matched on
 * my_lf, on the counted event (lf) and on the newest event
 * (first_lf) so later rules of this level or lower do not fire
 * again on the same evidence.
 *
 * Returns an Eventinfo *. The return statements are elided from
 * this listing -- presumably the matched event once the frequency
 * threshold is reached and NULL otherwise; confirm against the
 * full source.
 */
32 Eventinfo *Search_LastSids(Eventinfo *my_lf, RuleInfo *currently_rule)
39 /* Setting frequency to 0 */
40 currently_rule->__frequency = 0;
43 /* checking sid search is valid */
44 if(!currently_rule->sid_search)
 /* NOTE(review): only an error is logged here; no early return is
  * visible before OSList_GetLastNode() below (the lines in between
  * are elided). If none exists, a NULL list is passed on -- confirm
  * that OSList_GetLastNode() tolerates NULL. */
46 merror("%s: No sid search!! XXX", ARGV0);
49 /* Getting last node */
50 lf_node = OSList_GetLastNode(currently_rule->sid_search);
 /* first_lf is the newest event of the list; the NULL check on
  * lf_node (if any) sits in the elided lines above. */
55 first_lf = (Eventinfo *)lf_node->data;
60 lf = (Eventinfo *)lf_node->data;
62 /* If time is outside the timeframe, return */
 /* c_time is not declared in this function -- presumably the
  * analysisd current-time global from analysisd.h. The list is
  * walked newest-first, so the first event outside the timeframe
  * ends the search. */
63 if((c_time - lf->time) > currently_rule->timeframe)
68 /* We avoid multiple triggers for the same rule
69 * or rules with a lower level.
 * (matched is set at the bottom of this loop; an event already
 * claimed at this level or higher is not reused as evidence.)
 */
71 else if(lf->matched >= currently_rule->level)
78 /* Checking for same id */
 /* Each SAME_* option first rejects events where either side lacks
  * the field, so strcmp() is never handed a NULL pointer. */
79 if(currently_rule->context_opts & SAME_ID)
81 if((!lf->id) || (!my_lf->id))
84 if(strcmp(lf->id,my_lf->id) != 0)
88 /* Checking for repetitions from same src_ip */
89 if(currently_rule->context_opts & SAME_SRCIP)
91 if((!lf->srcip)||(!my_lf->srcip))
94 if(strcmp(lf->srcip,my_lf->srcip) != 0)
99 /* Grouping of additional data */
 /* Port/user/location/url checks only apply when the rule also
  * carries the SAME_EXTRAINFO alert option. */
100 if(currently_rule->alert_opts & SAME_EXTRAINFO)
102 /* Checking for same source port */
103 if(currently_rule->context_opts & SAME_SRCPORT)
105 if((!lf->srcport)||(!my_lf->srcport))
108 if(strcmp(lf->srcport, my_lf->srcport) != 0)
112 /* Checking for same dst port */
113 if(currently_rule->context_opts & SAME_DSTPORT)
115 if((!lf->dstport)||(!my_lf->dstport))
118 if(strcmp(lf->dstport, my_lf->dstport) != 0)
122 /* Checking for repetitions on user error */
123 if(currently_rule->context_opts & SAME_USER)
125 if((!lf->dstuser)||(!my_lf->dstuser))
128 if(strcmp(lf->dstuser,my_lf->dstuser) != 0)
132 /* Checking for same location */
 /* NOTE(review): hostname is compared without the NULL guard the
  * other fields get -- assumes hostname is always populated by the
  * decoder; confirm. */
133 if(currently_rule->context_opts & SAME_LOCATION)
135 if(strcmp(lf->hostname, my_lf->hostname) != 0)
140 /* Checking for different urls */
 /* Inverted sense: an event with the *same* url is skipped. */
141 if(currently_rule->context_opts & DIFFERENT_URL)
143 if((!lf->url)||(!my_lf->url))
148 if(strcmp(lf->url, my_lf->url) == 0)
157 /* Checking if the number of matches worked */
 /* NOTE(review): writes last_events[__frequency] and
  * last_events[__frequency+1], i.e. indices 0..11 under the <= 10
  * bound, so last_events needs at least 12 slots. Its allocation is
  * not visible here -- confirm in the rule loader. */
158 if(currently_rule->__frequency <= 10)
160 currently_rule->last_events[currently_rule->__frequency]
162 currently_rule->last_events[currently_rule->__frequency+1]
 /* Unlike Search_LastGroups()/Search_LastEvents(), the log is stored
  * before the threshold test, and __frequency is incremented on both
  * branches below (the statements between them are elided). */
166 if(currently_rule->__frequency < currently_rule->frequency)
168 currently_rule->__frequency++;
171 currently_rule->__frequency++;
174 /* If reached here, we matched */
 /* Mark all three events so the "lf->matched >= level" test above
  * suppresses a second trigger on the same evidence. */
175 my_lf->matched = currently_rule->level;
176 lf->matched = currently_rule->level;
177 first_lf->matched = currently_rule->level;
182 }while((lf_node = lf_node->prev) != NULL);
189 /* Search last times a group fired
190 * Will look for only that specific group on that rule.
 *
 * Same walk as Search_LastSids(), but over
 * currently_rule->group_search: newest node first, following
 * lf_node->prev, applying the rule's context options to every
 * earlier event inside currently_rule->timeframe and counting the
 * ones that pass in currently_rule->__frequency.
 *
 * Side effects: resets __frequency, fills currently_rule->last_events[]
 * while the count is still below currently_rule->frequency, and sets
 * matched on my_lf, on the counted event (lf) and on the newest
 * event (first_lf).
 *
 * Returns an Eventinfo *. The return statements are elided from
 * this listing -- presumably the matched event once the threshold is
 * reached and NULL otherwise; confirm against the full source.
 */
192 Eventinfo *Search_LastGroups(Eventinfo *my_lf, RuleInfo *currently_rule)
199 /* Setting frequency to 0 */
200 currently_rule->__frequency = 0;
203 /* checking group search is valid */
204 if(!currently_rule->group_search)
 /* NOTE(review): only logs; no early return is visible before
  * OSList_GetLastNode() below (intervening lines elided). If none
  * exists, a NULL list is passed on -- confirm OSList_GetLastNode()
  * tolerates NULL. */
206 merror("%s: No group search!! XXX", ARGV0);
209 /* Getting last node */
210 lf_node = OSList_GetLastNode(currently_rule->group_search);
 /* first_lf is the newest event; any NULL check on lf_node is in the
  * elided lines above. */
215 first_lf = (Eventinfo *)lf_node->data;
220 lf = (Eventinfo *)lf_node->data;
222 /* If time is outside the timeframe, return */
 /* c_time is not declared here -- presumably the analysisd
  * current-time global. Newest-first walk, so the first event
  * outside the timeframe ends the search. */
223 if((c_time - lf->time) > currently_rule->timeframe)
228 /* We avoid multiple triggers for the same rule
229 * or rules with a lower level.
 * (matched is set at the bottom of this loop.)
 */
231 else if(lf->matched >= currently_rule->level)
238 /* Checking for same id */
 /* Each SAME_* option first rejects events where either side lacks
  * the field, so strcmp() never sees a NULL pointer. */
239 if(currently_rule->context_opts & SAME_ID)
241 if((!lf->id) || (!my_lf->id))
244 if(strcmp(lf->id,my_lf->id) != 0)
248 /* Checking for repetitions from same src_ip */
249 if(currently_rule->context_opts & SAME_SRCIP)
251 if((!lf->srcip)||(!my_lf->srcip))
254 if(strcmp(lf->srcip,my_lf->srcip) != 0)
259 /* Grouping of additional data */
 /* Port/user/location/url checks only apply with SAME_EXTRAINFO. */
260 if(currently_rule->alert_opts & SAME_EXTRAINFO)
262 /* Checking for same source port */
263 if(currently_rule->context_opts & SAME_SRCPORT)
265 if((!lf->srcport)||(!my_lf->srcport))
268 if(strcmp(lf->srcport, my_lf->srcport) != 0)
272 /* Checking for same dst port */
273 if(currently_rule->context_opts & SAME_DSTPORT)
275 if((!lf->dstport)||(!my_lf->dstport))
278 if(strcmp(lf->dstport, my_lf->dstport) != 0)
282 /* Checking for repetitions on user error */
283 if(currently_rule->context_opts & SAME_USER)
285 if((!lf->dstuser)||(!my_lf->dstuser))
288 if(strcmp(lf->dstuser,my_lf->dstuser) != 0)
292 /* Checking for same location */
 /* NOTE(review): hostname is compared without the NULL guard the
  * other fields get -- assumes hostname is always set; confirm. */
293 if(currently_rule->context_opts & SAME_LOCATION)
295 if(strcmp(lf->hostname, my_lf->hostname) != 0)
300 /* Checking for different urls */
 /* Inverted sense: an event with the *same* url is skipped. */
301 if(currently_rule->context_opts & DIFFERENT_URL)
303 if((!lf->url)||(!my_lf->url))
308 if(strcmp(lf->url, my_lf->url) == 0)
317 /* Checking if the number of matches worked */
 /* Here the threshold test comes first: logs are stored and the
  * counter bumped only while still below the rule's frequency.
  * NOTE(review): indices __frequency and __frequency+1 reach 11 under
  * the <= 10 bound, so last_events needs at least 12 slots -- its
  * allocation is not visible here. */
318 if(currently_rule->__frequency < currently_rule->frequency)
320 if(currently_rule->__frequency <= 10)
322 currently_rule->last_events[currently_rule->__frequency]
324 currently_rule->last_events[currently_rule->__frequency+1]
328 currently_rule->__frequency++;
333 /* If reached here, we matched */
 /* Mark all three events so the matched >= level test above
  * suppresses a second trigger on the same evidence. */
334 my_lf->matched = currently_rule->level;
335 lf->matched = currently_rule->level;
336 first_lf->matched = currently_rule->level;
341 }while((lf_node = lf_node->prev) != NULL);
347 /* Search LastEvents.
348 * Will look if any of the last events (inside the timeframe)
349 * match the specified rule.
 *
 * Starts from OS_GetLastEvent() and follows eventnode_pt->next,
 * keeping only events of the same decoder type as my_lf that are
 * inside currently_rule->timeframe, optionally match
 * currently_rule->if_matched_regex, and pass the SAME_USER, SAME_ID,
 * SAME_SRCIP and DIFFERENT_URL context options. Passing events are
 * counted in currently_rule->__frequency.
 *
 * Side effects: resets __frequency, fills currently_rule->last_events[]
 * while below currently_rule->frequency, and sets matched on my_lf,
 * on the counted event (lf) and on the first event (first_lf).
 *
 * Returns an Eventinfo *. The return statements are elided from this
 * listing -- presumably the matched event once the threshold is
 * reached and NULL otherwise; confirm against the full source.
 */
351 Eventinfo *Search_LastEvents(Eventinfo *my_lf, RuleInfo *currently_rule)
353 EventNode *eventnode_pt;
 /* NOTE(review): looks like a leftover debug message ("remove me");
  * the surrounding lines are elided, so whether it is conditional
  * cannot be told from here. */
358 merror("XXXX : remove me!");
362 eventnode_pt = OS_GetLastEvent();
369 /* Setting frequency to 0 */
370 currently_rule->__frequency = 0;
 /* Any NULL check on eventnode_pt sits in the elided lines above. */
371 first_lf = (Eventinfo *)eventnode_pt->event;
374 /* Searching all previous events */
377 lf = eventnode_pt->event;
379 /* If time is outside the timeframe, return */
 /* c_time is not declared here -- presumably the analysisd
  * current-time global. The first event outside the timeframe ends
  * the search (assumes the list is ordered newest-first). */
380 if((c_time - lf->time) > currently_rule->timeframe)
386 /* We avoid multiple triggers for the same rule
387 * or rules with a lower level.
 * (matched is set at the bottom of this loop.)
 */
389 else if(lf->matched >= currently_rule->level)
395 /* The category must be the same */
 /* decoder_info is dereferenced on both sides with no NULL guard;
  * Zero_Eventinfo() initialises it to NULL_Decoder, which is
  * presumably never NULL -- confirm. */
396 else if(lf->decoder_info->type != my_lf->decoder_info->type)
402 /* If regex does not match, go to next */
 /* if_matched_regex comes from the rule definition and is run
  * against the earlier event's raw log. */
403 if(currently_rule->if_matched_regex)
405 if(!OSRegex_Execute(lf->log, currently_rule->if_matched_regex))
412 /* Checking for repetitions on user error */
 /* Each SAME_* option first rejects events where either side lacks
  * the field, so strcmp() never sees a NULL pointer. */
413 if(currently_rule->context_opts & SAME_USER)
415 if((!lf->dstuser)||(!my_lf->dstuser))
418 if(strcmp(lf->dstuser,my_lf->dstuser) != 0)
422 /* Checking for same id */
423 if(currently_rule->context_opts & SAME_ID)
425 if((!lf->id) || (!my_lf->id))
428 if(strcmp(lf->id,my_lf->id) != 0)
432 /* Checking for repetitions from same src_ip */
433 if(currently_rule->context_opts & SAME_SRCIP)
435 if((!lf->srcip)||(!my_lf->srcip))
438 if(strcmp(lf->srcip,my_lf->srcip) != 0)
442 /* Checking for different urls */
 /* Inverted sense: an event with the *same* url is skipped. */
443 if(currently_rule->context_opts & DIFFERENT_URL)
445 if((!lf->url)||(!my_lf->url))
450 if(strcmp(lf->url, my_lf->url) == 0)
457 /* Checking if the number of matches worked */
 /* Threshold test first, as in Search_LastGroups(). NOTE(review):
  * indices __frequency and __frequency+1 reach 11 under the <= 10
  * bound, so last_events needs at least 12 slots -- allocation not
  * visible here. */
458 if(currently_rule->__frequency < currently_rule->frequency)
460 if(currently_rule->__frequency <= 10)
462 currently_rule->last_events[currently_rule->__frequency]
464 currently_rule->last_events[currently_rule->__frequency+1]
468 currently_rule->__frequency++;
473 /* If reached here, we matched */
 /* Mark all three events so the matched >= level test above
  * suppresses a second trigger on the same evidence. */
474 my_lf->matched = currently_rule->level;
475 lf->matched = currently_rule->level;
476 first_lf->matched = currently_rule->level;
 /* Forward walk via next, unlike the prev walk in the two list
  * searches above. */
480 }while((eventnode_pt = eventnode_pt->next) != NULL);
487 /* Zero the loginfo structure
 *
 * Resets the pointer fields of *lf to NULL so a recycled Eventinfo
 * never carries stale (and possibly already freed) pointers into the
 * next event; decoder_info is reset to the NULL_Decoder sentinel
 * rather than NULL, so callers such as Search_LastEvents() can
 * dereference it. Many field resets are elided from this listing.
 * lf must be non-NULL; no check is made here.
 */
488 void Zero_Eventinfo(Eventinfo *lf)
493 lf->program_name = NULL;
509 lf->systemname = NULL;
519 lf->generated_rule = NULL;
 /* sid_node_to_delete is consulted by Free_Eventinfo(); clearing it
  * here avoids deleting a list node that belongs to another event. */
520 lf->sid_node_to_delete = NULL;
521 lf->decoder_info = NULL_Decoder;
 /* before/after pairs (names suggest file-integrity attributes;
  * their producer is not visible here). */
527 lf->md5_before = NULL;
528 lf->md5_after = NULL;
529 lf->sha1_before = NULL;
530 lf->sha1_after = NULL;
531 lf->size_before = NULL;
532 lf->size_after = NULL;
533 lf->owner_before = NULL;
534 lf->owner_after = NULL;
535 lf->gowner_before = NULL;
536 lf->gowner_after = NULL;
542 /* Free the loginfo structure */
543 void Free_Eventinfo(Eventinfo *lf)
547 merror("%s: Trying to free NULL event. Inconsistent..",ARGV0);
584 free(lf->systemname);
590 free(lf->md5_before);
594 free(lf->sha1_before);
596 free(lf->sha1_after);
598 free(lf->size_before);
600 free(lf->size_after);
601 if (lf->owner_before)
602 free(lf->owner_before);
604 free(lf->owner_after);
605 if (lf->gowner_before)
606 free(lf->gowner_before);
607 if (lf->gowner_after)
608 free(lf->gowner_after);
611 /* Freeing node to delete */
612 if(lf->sid_node_to_delete)
614 OSList_DeleteThisNode(lf->generated_rule->sid_prev_matched,
615 lf->sid_node_to_delete);
617 else if(lf->generated_rule && lf->generated_rule->group_prev_matched)
621 while(i < lf->generated_rule->group_prev_matched_sz)
623 OSList_DeleteOldestNode(lf->generated_rule->group_prev_matched[i]);
628 /* We dont need to free: