1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
13 #define MAX_LAST_EVENTS 11
15 #define MAX_TIMEFRAME 604800
18 #include "active-response.h"
21 /* Event context - stored on a uint8 */
22 #define SAME_USER 0x001 /* 1 */
23 #define SAME_SRCIP 0x002 /* 2 */
24 #define SAME_ID 0x004 /* 4 */
25 #define SAME_LOCATION 0x008 /* 8 */
26 #define DIFFERENT_URL 0x010 /* */
27 #define DIFFERENT_SRCIP 0x200
28 #define DIFFERENT_SRCGEOIP 0x400
29 #define SAME_SRCPORT 0x020
30 #define SAME_DSTPORT 0x040
31 #define SAME_DODIFF 0x100
32 #define NOT_SAME_USER 0xffe /* 0xfff - 0x001 */
33 #define NOT_SAME_SRCIP 0xffd /* 0xfff - 0x002 */
34 #define NOT_SAME_ID 0xffb /* 0xfff - 0x004 */
35 #define NOT_SAME_AGENT 0xff7 /* 0xfff - 0x008 */
37 /* Alert options - stored on a uint8 */
39 #define DO_MAILALERT 0x002
40 #define DO_LOGALERT 0x004
42 #define NO_ALERT 0x010
43 #define DO_OVERWRITE 0x020
44 #define DO_PACKETINFO 0x040
45 #define DO_EXTRAINFO 0x100
46 #define SAME_EXTRAINFO 0x200
50 #define RULE_SRCPORT 4
52 #define RULE_DSTPORT 16
56 #define RULE_HOSTNAME 256
57 #define RULE_PROGRAM_NAME 512
58 #define RULE_STATUS 1024
59 #define RULE_ACTION 2048
61 #define RULEINFODETAIL_TEXT 0
62 #define RULEINFODETAIL_LINK 1
63 #define RULEINFODETAIL_CVE 2
64 #define RULEINFODETAIL_OSVDB 3
65 #define RULEINFODETAIL_BUGTRACK 4
67 #define MAX_RULEINFODETAIL 32
69 typedef struct _FieldInfo {
75 typedef struct _RuleInfoDetail {
78 struct _RuleInfoDetail *next;
81 typedef struct _RuleInfo {
82 int sigid; /* id attribute -- required */
83 int level; /* level attribute --required */
88 u_int8_t context; /* Not a user option */
90 int firedtimes; /* Not a user option */
91 time_t time_ignored; /* Not a user option */
95 unsigned int group_prev_matched_sz;
100 /* Not an option in the rule */
101 u_int16_t alert_opts;
103 /* Context options */
104 u_int16_t context_opts;
110 u_int16_t decoded_as;
112 /* List of previously matched events */
113 OSList *sid_prev_matched;
115 /* Pointer to a list (points to sid_prev_matched of if_matched_sid) */
118 /* List of previously matched events in this group.
119 * Every rule that has if_matched_group will have this
120 * list. Every rule that matches this group is going to
121 * have a pointer to it (group_search).
123 OSList **group_prev_matched;
125 /* Pointer to group_prev_matched */
126 OSList *group_search;
128 /* Function pointer to the event_search */
129 void *(*event_search)(void *lf, void *rule);
133 OSPcre2 *match_pcre2;
137 /* Policy-based rules */
152 OSMatch *program_name;
157 OSPcre2 *srcgeoip_pcre2;
158 OSPcre2 *dstgeoip_pcre2;
159 OSPcre2 *srcport_pcre2;
160 OSPcre2 *dstport_pcre2;
164 OSPcre2 *status_pcre2;
165 OSPcre2 *hostname_pcre2;
166 OSPcre2 *program_name_pcre2;
167 OSPcre2 *extra_data_pcre2;
170 char *comment; /* description in the xml */
173 RuleInfoDetail *info_details;
180 OSRegex *if_matched_regex;
181 OSMatch *if_matched_group;
184 void *(*compiled_rule)(void *lf);
185 active_response **ar;
190 typedef struct _RuleNode {
192 struct _RuleNode *next;
193 struct _RuleNode *child;
197 extern RuleInfo *currently_rule;
199 RuleInfoDetail *zeroinfodetails(int type, const char *data);
200 int get_info_attributes(char **attributes, char **values);
202 /* RuleInfo functions */
203 RuleInfo *zerorulemember(int id,
213 /** Rule_list Functions **/
215 /* create the rule list */
216 void OS_CreateRuleList(void);
218 /* Add rule information to the list */
219 int OS_AddRule(RuleInfo *read_rule);
221 /* Add rule information as a child */
222 int OS_AddChild(RuleInfo *read_rule);
224 /* Add an overwrite rule */
225 int OS_AddRuleInfo(RuleNode *r_node, RuleInfo *newrule, int sid);
227 /* Mark groups (if_matched_group) */
228 int OS_MarkGroup(RuleNode *r_node, RuleInfo *orig_rule);
230 /* Mark IDs (if_matched_sid) */
231 int OS_MarkID(RuleNode *r_node, RuleInfo *orig_rule);
234 RuleNode *OS_GetFirstRule(void);
236 void Rules_OP_CreateRules(void);
238 int Rules_OP_ReadRules(const char *rulefile);
240 int AddHash_Rule(RuleNode *node);
242 int _setlevels(RuleNode *node, int nnode);
244 /** Definition of the internal rule IDs **
245 ** These SIGIDs cannot be used by user rules **
248 #define STATS_MODULE 11
249 #define FTS_MODULE 12
250 #define SYSCHECK_MODULE 13
251 #define HOSTINFO_MODULE 15
253 #define ROOTCHECK_MOD "rootcheck"
254 #define HOSTINFO_NEW "hostinfo_new"
255 #define HOSTINFO_MOD "hostinfo_modified"
256 #define SYSCHECK_MOD "syscheck_integrity_changed"
257 #define SYSCHECK_MOD2 "syscheck_integrity_changed_2nd"
258 #define SYSCHECK_MOD3 "syscheck_integrity_changed_3rd"
259 #define SYSCHECK_NEW "syscheck_new_entry"
260 #define SYSCHECK_DEL "syscheck_deleted"
262 /* Global variables */
263 extern int _max_freq;
265 #endif /* _OS_RULES */