1 /* @(#) $Id: ./src/headers/rules_op.h, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
12 * License details at the LICENSE file included with OSSEC or
13 * online at: http://www.ossec.net/en/licensing.html
/* Rule option flags, event-context flags, event types and the RuleInfo structure used by the rule engine (the earlier "directory trees" wording was a stale copy of another header's banner) */
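/* Event context flags.
 *
 * NOTE(review): the old banner said "stored on a uint8".  That cannot be
 * right for the values below: SAME_DODIFF is 0x100 and the NOT_SAME_* masks
 * are 0xff?, neither of which fits in 8 bits.  RuleInfo declares both a
 * u_int8_t `context` and a u_int16_t `context_opts`; only the 16-bit field
 * can hold these values intact, so do not store them in the 8-bit one.
 *
 * The NOT_SAME_* values are 12-bit complements (0xfff minus one flag) meant
 * to be AND-ed in to clear that single flag.  Because they are only 12 bits
 * wide, AND-ing with them also silently clears any bit at 0x1000 or above;
 * a new flag must stay within 0x001..0x800 or these masks must be widened.
 * NOT_SAME_AGENT clears the SAME_LOCATION bit (0x008) -- there is no
 * separate SAME_AGENT flag in this excerpt.
 */
#define SAME_USER       0x001 /* 1 */
#define SAME_SRCIP      0x002 /* 2 */
#define SAME_ID         0x004 /* 4 */
#define SAME_LOCATION   0x008 /* 8 */
#define DIFFERENT_URL   0x010 /* 16 */
#define SAME_SRCPORT    0x020 /* 32 */
#define SAME_DSTPORT    0x040 /* 64 */
#define SAME_DODIFF     0x100 /* 256 -- 0x080 is not assigned in this excerpt */
#define NOT_SAME_USER   0xffe /* 0xfff - SAME_USER */
#define NOT_SAME_SRCIP  0xffd /* 0xfff - SAME_SRCIP */
#define NOT_SAME_ID     0xffb /* 0xfff - SAME_ID */
#define NOT_SAME_AGENT  0xff7 /* 0xfff - SAME_LOCATION */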
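/* Alert option flags (RuleInfo.alert_opts).
 *
 * NOTE(review): the old banner said "store on a uint8", but DO_EXTRAINFO
 * (0x100) and SAME_EXTRAINFO (0x200) need a 16-bit field, which is what
 * RuleInfo.alert_opts is declared as (u_int16_t).  Bits 0x001, 0x008 and
 * 0x080 are not defined in this excerpt -- check the full header before
 * assigning them to a new option.
 */
#define DO_MAILALERT    0x002
#define DO_LOGALERT     0x004
#define NO_ALERT        0x010
#define DO_OVERWRITE    0x020
#define DO_PACKETINFO   0x040
#define DO_EXTRAINFO    0x100
#define SAME_EXTRAINFO  0x200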
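/** Types of events (from decoders).
 *
 * These are plain enumeration values, not bit flags (3 == 1|2, for
 * example), so compare them with == and never OR them together.
 * Values 4..6 are not assigned in this excerpt.
 */
#define UNKNOWN     0  /* Unknown */
#define SYSLOG      1  /* syslog messages */
#define IDS         2  /* IDS alerts */
#define FIREWALL    3  /* Firewall events */
#define WEBLOG      7  /* Apache logs */
#define SQUID       8  /* Squid logs */
#define WINDOWS     9  /* Windows logs */
#define HOST_INFO   10 /* Host information logs (from nmap or similar) */
#define OSSEC_RL    11 /* OSSEC rules */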
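/* FTS allowed values -- one distinct bit per selectable field.
 *
 * NOTE(review): the original wrote these as leading-zero OCTAL literals
 * (001000, 000100, ...), which read like decimal at a glance and are a
 * known source of wrong masks (CERT DCL18-C).  They are rewritten in hex
 * with exactly the same numeric values; the octal form and decimal value
 * are kept in the trailing comments.  Bits 0x001..0x008 are not defined in
 * this excerpt.
 */
#define FTS_NAME        0x200 /* was 001000 octal = 512 */
#define FTS_USER        0x400 /* was 002000 octal = 1024 */
#define FTS_DSTUSER     0x800 /* was 004000 octal = 2048 */
#define FTS_SRCIP       0x040 /* was 000100 octal = 64 */
#define FTS_DSTIP       0x080 /* was 000200 octal = 128 */
#define FTS_LOCATION    0x100 /* was 000400 octal = 256 */
#define FTS_DATA        0x010 /* was 000020 octal = 16 */
#define FTS_SYSTEMNAME  0x020 /* was 000040 octal = 32 */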
78 typedef struct _RuleInfo
80 int sigid; /* id attribute -- required*/
81 int level; /* level attribute --required */
86 u_int8_t context; /* Not an user option */
88 int firedtimes; /* Not an user option */
89 int time_ignored; /* Not an user option */
93 int group_prev_matched_sz;
99 /* Not an option in the rule */
100 u_int16_t alert_opts;
102 /* Context options */
103 u_int16_t context_opts;
109 u_int16_t decoded_as;
111 /* List of previously matched events */
112 OSList *sid_prev_matched;
114 /* Pointer to a list (points to sid_prev_matched of if_matched_sid */
117 /* List of previously matched events in this group.
118 * Every rule that has if_matched_group will have this
119 * list. Every rule that matches this group, it going to
120 * have a pointer to it (group_search).
122 OSList **group_prev_matched;
124 /* Pointer to group_prev_matched */
125 OSList *group_search;
127 /* Function pointer to the event_search. */
128 void *(*event_search)(void *lf, void *rule);
135 /* Policy-based rules */
148 OSMatch *program_name;
152 char *comment; /* description in the xml */
160 OSRegex *if_matched_regex;
161 OSMatch *if_matched_group;
170 int OS_ReadXMLRules(char *rulefile,
171 void *(*ruleact_function)(RuleInfo *rule, void *data),