3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 2) as published by the FSF - Free Software
/* Upper bound on "last events" kept -- presumably per rule, for the
 * previously-matched-event lists below; the consumer is not shown in
 * this excerpt, so confirm before changing the value. */
#define MAX_LAST_EVENTS 11
20 #include "active-response.h"
/* Event context flags.
 * The original comment said these are "stored on a uint8", but the values
 * below need more than 8 bits: SAME_DODIFF is 0x100 and every NOT_SAME_*
 * mask is 12-bit (0xfff minus one bit). RuleInfo declares both a
 * u_int8_t context and a u_int16_t context_opts -- NOTE(review): confirm
 * which field receives these flags; storing 0x100 or a NOT_SAME_* mask in
 * the 8-bit field would silently truncate it. 0x080 is not defined here. */
#define SAME_USER 0x001 /* 1 */
#define SAME_SRCIP 0x002 /* 2 */
#define SAME_ID 0x004 /* 4 */
#define SAME_LOCATION 0x008 /* 8 */
#define DIFFERENT_URL 0x010 /* 16 */
#define SAME_SRCPORT 0x020 /* 32 */
#define SAME_DSTPORT 0x040 /* 64 */
#define SAME_DODIFF 0x100 /* 256 */
/* Clear-one-bit masks: 0xfff with the corresponding SAME_* bit removed
 * (presumably applied with &=; the target field width is not shown here). */
#define NOT_SAME_USER 0xffe /* 0xfff - 0x001 (SAME_USER) */
#define NOT_SAME_SRCIP 0xffd /* 0xfff - 0x002 (SAME_SRCIP) */
#define NOT_SAME_ID 0xffb /* 0xfff - 0x004 (SAME_ID) */
#define NOT_SAME_AGENT 0xff7 /* 0xfff - 0x008 (SAME_LOCATION) */
/* Alert option flags.
 * The original comment said "store on a uint8"; DO_EXTRAINFO (0x100) and
 * SAME_EXTRAINFO (0x200) do not fit in 8 bits. RuleInfo declares
 * u_int16_t alert_opts -- NOTE(review): confirm these flags are only ever
 * stored there; an 8-bit holder would silently drop the two high flags.
 * Bits 0x001, 0x008 and 0x080 are not shown in this excerpt. */
#define DO_MAILALERT 0x002
#define DO_LOGALERT 0x004
#define NO_ALERT 0x010
#define DO_OVERWRITE 0x020
#define DO_PACKETINFO 0x040
#define DO_EXTRAINFO 0x100
#define SAME_EXTRAINFO 0x200
/* Rule field selectors. The values are distinct powers of two (4, 16,
 * 256, 512, 1024, 2048), so they look like OR-able bit flags; 1, 2, 8,
 * 32, 64 and 128 are not shown in this excerpt. The field that holds
 * them is not visible here -- TODO confirm its width covers 2048. */
#define RULE_SRCPORT 4
#define RULE_DSTPORT 16
#define RULE_HOSTNAME 256
#define RULE_PROGRAM_NAME 512
#define RULE_STATUS 1024
#define RULE_ACTION 2048
/* Kinds of RuleInfoDetail entries. These are sequential small integers
 * (0..4), not bit flags; presumably the `type` argument of
 * zeroinfodetails() -- confirm at the call sites. */
#define RULEINFODETAIL_TEXT 0
#define RULEINFODETAIL_LINK 1
#define RULEINFODETAIL_CVE 2
#define RULEINFODETAIL_OSVDB 3
#define RULEINFODETAIL_BUGTRACK 4
/* Upper bound on detail entries per rule; where it is enforced is not
 * shown in this excerpt. */
#define MAX_RULEINFODETAIL 32
71 typedef struct _RuleInfoDetail
75 struct _RuleInfoDetail *next;
78 typedef struct _RuleInfo
80 int sigid; /* id attribute -- required*/
81 int level; /* level attribute --required */
86 u_int8_t context; /* Not an user option */
88 int firedtimes; /* Not an user option */
89 int time_ignored; /* Not an user option */
93 int group_prev_matched_sz;
99 /* Not an option in the rule */
100 u_int16_t alert_opts;
102 /* Context options */
103 u_int16_t context_opts;
109 u_int16_t decoded_as;
111 /* List of previously matched events */
112 OSList *sid_prev_matched;
/* Pointer to a list (points to the sid_prev_matched of if_matched_sid) */
/* List of previously matched events in this group.
 * Every rule that has if_matched_group will have this
 * list. Every rule that matches this group is going to
 * have a pointer to it (group_search).
122 OSList **group_prev_matched;
124 /* Pointer to group_prev_matched */
125 OSList *group_search;
127 /* Function pointer to the event_search. */
128 void *(*event_search)(void *lf, void *rule);
135 /* Policy-based rules */
148 OSMatch *program_name;
152 char *comment; /* description in the xml */
155 RuleInfoDetail *info_details;
162 OSRegex *if_matched_regex;
163 OSMatch *if_matched_group;
166 void *(*compiled_rule)(void *lf);
167 active_response **ar;
172 typedef struct _RuleNode
175 struct _RuleNode *next;
176 struct _RuleNode *child;
180 RuleInfo *currently_rule; /* */
/* Create a RuleInfoDetail of the given RULEINFODETAIL_* type carrying
 * `data`. Presumably the result is zero-initialised (from the name) and
 * heap-allocated; whether `data` is copied or retained is not visible in
 * this header -- TODO confirm before freeing it on the caller's side. */
RuleInfoDetail *zeroinfodetails(int type, char *data);
/* Parse parallel NUL-terminated attribute/value string arrays (presumably
 * from the XML rule parser). The meaning of the int return value is not
 * visible here -- TODO confirm at the call sites. */
int get_info_attributes(char **attributes, char **values);
185 /* RuleInfo functions */
186 RuleInfo *zerorulemember(int id,
196 /** Rule_list Functions **/
/* Create the rule list.
 * NOTE(review): `()` in a C declaration means "no prototype", so argument
 * counts and types at call sites go unchecked; `void OS_CreateRuleList(void);`
 * is the checked form. Error reporting, if any, is not visible here. */
void OS_CreateRuleList();
/* Add rule information to the list. The int return convention
 * (success/failure values) is not shown in this excerpt -- TODO confirm. */
int OS_AddRule(RuleInfo *read_rule);
/* Add rule information as a child; which node becomes the parent is not
 * visible in this header. */
int OS_AddChild(RuleInfo *read_rule);
/* Add an overwrite rule: presumably replaces the rule with id `sid` found
 * under r_node with newrule -- confirm in the implementation. */
int OS_AddRuleInfo(RuleNode *r_node, RuleInfo *newrule, int sid);
/* Mark groups (if_matched_group) for orig_rule, given a starting r_node. */
int OS_MarkGroup(RuleNode *r_node, RuleInfo *orig_rule);
/* Mark IDs (if_matched_sid) for orig_rule, given a starting r_node. */
int OS_MarkID(RuleNode *r_node, RuleInfo *orig_rule);
/* Return the head of the rule list. Same no-prototype `()` note as
 * OS_CreateRuleList above; `(void)` would make calls checkable. */
RuleNode *OS_GetFirstRule();
/** Definition of the internal rule IDs **
 ** These SIGIDs cannot be used **
/* Internal module SIGIDs; these ids cannot be used by user rules.
 * 14 is not shown in this excerpt. */
#define STATS_MODULE 11
#define FTS_MODULE 12
#define SYSCHECK_MODULE 13
#define HOSTINFO_MODULE 15
/* Group/tag name strings for events produced by the internal modules.
 * Where these are compared is not shown here -- presumably against rule
 * group text; they are part of the rule interface, so do not change the
 * string values without updating the rules that reference them. */
#define ROOTCHECK_MOD "rootcheck"
#define HOSTINFO_NEW "hostinfo_new"
#define HOSTINFO_MOD "hostinfo_modified"
#define SYSCHECK_MOD "syscheck_integrity_changed"
#define SYSCHECK_MOD2 "syscheck_integrity_changed_2nd"
#define SYSCHECK_MOD3 "syscheck_integrity_changed_3rd"
#define SYSCHECK_NEW "syscheck_new_entry"
#define SYSCHECK_DEL "syscheck_deleted"
/* NOTE(review): identifiers beginning with '_' plus an uppercase letter are
 * reserved for the implementation in C; the matching #ifndef is outside this
 * excerpt, so the guard name is left as-is here. */
#endif /* _OS_RULES */