1 /* @(#) $Id: ./src/analysisd/eventinfo.h, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
20 #include "decoders/decoder.h"
23 /* Event Information structure */
24 typedef struct _Eventinfo
26 /* Extracted from the event */
34 /* Extracted from the decoders */
51 /* Pointer to the rule that generated it */
52 RuleInfo *generated_rule;
54 /* Pointer to the decoder that matched */
55 OSDecoderInfo *decoder_info;
57 /* Sid node to delete */
58 OSListNode *sid_node_to_delete;
60 /* Extracted when the event fires a rule */
65 /* Other internal variables */
74 /* SYSCHECK Results variables -- only used by prelude for now */
93 /* Events List structure */
94 typedef struct _EventNode
97 struct _EventNode *next;
98 struct _EventNode *prev;
103 /* For test rule only. */
110 /** Types of events (from decoders) **/
111 #define UNKNOWN 0 /* Unknown */
112 #define SYSLOG 1 /* syslog messages */
113 #define IDS 2 /* IDS alerts */
114 #define FIREWALL 3 /* Firewall events */
115 #define WEBLOG 7 /* Apache logs */
116 #define SQUID 8 /* Squid logs */
117 #define WINDOWS 9 /* Windows logs */
118 #define HOST_INFO 10 /* Host information logs (from nmap or similar) */
119 #define OSSEC_RL 11 /* Ossec rules */
120 #define OSSEC_ALERT 12 /* Ossec Alerts */
123 /* FTS allowed values (octal bit flags, OR-able into one mask) */
124 #define FTS_NAME 001000
125 #define FTS_SRCUSER 002000
126 #define FTS_DSTUSER 004000
127 #define FTS_SRCIP 000100
128 #define FTS_DSTIP 000200
129 #define FTS_LOCATION 000400
130 #define FTS_ID 000010
131 #define FTS_DATA 000020
132 #define FTS_SYSTEMNAME 000040
133 #define FTS_DONE 010000
136 /** Functions for events **/
138 /* Search for matches in the last events */
139 Eventinfo *Search_LastEvents(Eventinfo *lf, RuleInfo *currently_rule);
140 Eventinfo *Search_LastSids(Eventinfo *my_lf, RuleInfo *currently_rule);
141 Eventinfo *Search_LastGroups(Eventinfo *my_lf, RuleInfo *currently_rule);
143 /* Zero the eventinfo structure */
144 void Zero_Eventinfo(Eventinfo *lf);
146 /* Free the eventinfo structure */
147 void Free_Eventinfo(Eventinfo *lf);
149 /* Add an event to the list of previous events */
150 void OS_AddEvent(Eventinfo *lf);
152 /* Return the last event from the Event list */
153 EventNode *OS_GetLastEvent();
155 /* Create the event list. Maxsize must be specified */
156 void OS_CreateEventList(int maxsize);
159 /* Pointers to the event decoders */
160 void *SrcUser_FP(Eventinfo *lf, char *field);
161 void *DstUser_FP(Eventinfo *lf, char *field);
162 void *SrcIP_FP(Eventinfo *lf, char *field);
163 void *DstIP_FP(Eventinfo *lf, char *field);
164 void *SrcPort_FP(Eventinfo *lf, char *field);
165 void *DstPort_FP(Eventinfo *lf, char *field);
166 void *Protocol_FP(Eventinfo *lf, char *field);
167 void *Action_FP(Eventinfo *lf, char *field);
168 void *ID_FP(Eventinfo *lf, char *field);
169 void *Url_FP(Eventinfo *lf, char *field);
170 void *Data_FP(Eventinfo *lf, char *field);
171 void *Status_FP(Eventinfo *lf, char *field);
172 void *SystemName_FP(Eventinfo *lf, char *field);
173 void *None_FP(Eventinfo *lf, char *field);
177 #endif /* _EVTINFO__H */