1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
14 #include "decoders/decoder.h"
16 /* Event Information structure */
17 typedef struct _Eventinfo {
18 /* Extracted from the event */
25 /* Extracted from the decoders */
46 /* Pointer to the rule that generated it */
47 RuleInfo *generated_rule;
49 /* Pointer to the decoder that matched */
50 OSDecoderInfo *decoder_info;
52 /* Sid node to delete */
53 OSListNode *sid_node_to_delete;
55 /* Extract when the event fires a rule */
59 /* Other internal variables */
68 /* SYSCHECK Results variables */
84 /* Events List structure */
85 typedef struct _EventNode {
87 struct _EventNode *next;
88 struct _EventNode *prev;
/* Output-mode switches for the analysis engine. They are only declared
 * here; the single definition lives in a .c file that is not visible from
 * this header, as does the code that sets them (command line or config),
 * so the exact meaning of each value must be confirmed against that code.
 * Both are plain global ints with no locking visible here. */
extern int full_output;   /* presumably: emit full event detail rather than a summary - confirm */
extern int alert_only;    /* presumably: emit alerts only, suppressing other output - confirm */
/* Types of events (from decoders).
 * Plain #define integer tags rather than an enum, so they remain usable in
 * preprocessor conditionals. Values 4-6 are absent from this list; do not
 * recycle them for new types without checking the decoder and rule sources,
 * which may still reference the old numbers. DECODER_WINDOWS departs from
 * the bare naming scheme, presumably to avoid a clash with a platform macro.
 * NOTE(review): UNKNOWN, SYSLOG, IDS and FIREWALL are very generic names
 * that can collide with other headers included in the same translation
 * unit - keep this header's include order in mind when adding includes. */
#define UNKNOWN 0 /* Unknown / not classified by any decoder */
#define SYSLOG 1 /* syslog messages */
#define IDS 2 /* IDS alerts */
#define FIREWALL 3 /* Firewall events */
#define WEBLOG 7 /* Apache logs (4-6 are unassigned in this list) */
#define SQUID 8 /* Squid logs */
#define DECODER_WINDOWS 9 /* Windows logs */
#define HOST_INFO 10 /* Host information logs (from nmap or similar) */
#define OSSEC_RL 11 /* OSSEC rules */
#define OSSEC_ALERT 12 /* OSSEC alerts */
/* FTS allowed values.
 * Bit flags describing which event fields participate in FTS matching;
 * every constant is a distinct power of two so a selector can be built by
 * OR-ing them together and tested with `mask & FTS_x`. Written as hex so
 * the single set bit is visible at a glance. Bits 0x1, 0x2 and 0x4 are not
 * assigned here. FTS_DONE sits above all field bits; its exact meaning is
 * not visible from this header - presumably a "processed" marker, confirm
 * against the analysis code before reusing it. */
#define FTS_ID         0x0008
#define FTS_DATA       0x0010
#define FTS_SYSTEMNAME 0x0020
#define FTS_SRCIP      0x0040
#define FTS_DSTIP      0x0080
#define FTS_LOCATION   0x0100
#define FTS_NAME       0x0200
#define FTS_SRCUSER    0x0400
#define FTS_DSTUSER    0x0800
#define FTS_DONE       0x1000
/** Functions for events **/

/* Search for matches in the last events.
 * Judging by the names, each variant consults a different view of the
 * recently seen events (the whole list, events indexed by rule sid, events
 * indexed by rule group) for one that correlates with lf under
 * currently_rule. The pointer return presumably yields the stored earlier
 * event, or NULL when nothing matched - confirm in the definitions. That
 * event is presumably still owned by the event list; do not free it
 * without checking. Note that Search_LastSids/Search_LastGroups name the
 * event parameter my_lf while Search_LastEvents uses lf. */
Eventinfo *Search_LastEvents(Eventinfo *lf, RuleInfo *currently_rule);
Eventinfo *Search_LastSids(Eventinfo *my_lf, RuleInfo *currently_rule);
Eventinfo *Search_LastGroups(Eventinfo *my_lf, RuleInfo *currently_rule);

/* Zero the eventinfo structure.
 * Resets every field of *lf to its empty state; whether the pointer
 * members are released first or simply cleared is not visible here, so
 * call Free_Eventinfo, not this, on a populated structure. */
void Zero_Eventinfo(Eventinfo *lf);

/* Free the eventinfo structure.
 * Releases the memory owned by *lf. Whether lf itself is freed as well
 * (so the pointer must not be reused) is not visible from this header. */
void Free_Eventinfo(Eventinfo *lf);

/* Add an event to the list of previous events.
 * Ownership of lf presumably passes to the list (it is what the
 * Search_Last* functions hand back later) - confirm before freeing it. */
void OS_AddEvent(Eventinfo *lf);

/* Return the last event from the Event list (the node, not the Eventinfo). */
EventNode *OS_GetLastEvent(void);

/* Create the event list. Maxsize must be specified.
 * maxsize bounds how many previous events are retained and is a signed int
 * with no validation visible here; pass a positive value, and check the
 * definition for how zero or negative values are handled. */
void OS_CreateEventList(int maxsize);
/* Pointers to the event decoders.
 * Field-handler functions that all share one signature so a decoder can
 * keep them in a table and dispatch by position; `order` is presumably the
 * field's index in the decoder's order list - confirm in decoder.c. Each
 * receives the event being built, the text extracted for one field, and
 * that position, and presumably stores the text into the correspondingly
 * named Eventinfo member (SrcUser_FP -> srcuser, and so on, judging by the
 * names). The void * return is opaque from here; do not rely on it without
 * reading the definitions. `field` is deliberately non-const: whether a
 * handler takes ownership of the string or copies it is not visible in
 * this header, so callers must check before freeing it. */
void *SrcUser_FP(Eventinfo *lf, char *field, int order);
void *DstUser_FP(Eventinfo *lf, char *field, int order);
void *SrcIP_FP(Eventinfo *lf, char *field, int order);
void *DstIP_FP(Eventinfo *lf, char *field, int order);
void *SrcPort_FP(Eventinfo *lf, char *field, int order);
void *DstPort_FP(Eventinfo *lf, char *field, int order);
void *Protocol_FP(Eventinfo *lf, char *field, int order);
void *Action_FP(Eventinfo *lf, char *field, int order);
void *ID_FP(Eventinfo *lf, char *field, int order);
void *Url_FP(Eventinfo *lf, char *field, int order);
void *Data_FP(Eventinfo *lf, char *field, int order);
void *Status_FP(Eventinfo *lf, char *field, int order);
void *SystemName_FP(Eventinfo *lf, char *field, int order);
void *FileName_FP(Eventinfo *lf, char *field, int order);
/* Handler for fields not covered by a fixed Eventinfo member; the
 * `order` argument is presumably what selects the dynamic slot - confirm. */
void *DynamicField_FP(Eventinfo *lf, char *field, int order);
/* Placeholder for fields that are matched but not stored (presumably a
 * no-op - confirm in the definition). */
void *None_FP(Eventinfo *lf, char *field, int order);
161 #endif /* _EVTINFO__H */