1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
10 /* Common API for dealing with rules */
/* Event context flags (bit mask, 12 bits wide: 0x001..0x800).
 *
 * NOTE(review): the original comment says "stored in a uint8", but
 * DIFFERENT_SRCIP (0x200), DIFFERENT_SRCGEOIP (0x400) and every NOT_SAME_*
 * mask need more than 8 bits.  RuleInfo below declares both a u_int8_t
 * `context` and a u_int16_t `context_opts`; confirm these flags only ever
 * land in the 16-bit field, otherwise the high bits are silently dropped on
 * assignment and the corresponding rule conditions never fire.
 */
#define SAME_USER          0x001
#define SAME_SRCIP         0x002
#define SAME_ID            0x004
#define SAME_LOCATION      0x008
#define DIFFERENT_URL      0x010
#define SAME_SRCPORT       0x020
#define SAME_DSTPORT       0x040
#define SAME_DODIFF        0x100
#define DIFFERENT_SRCIP    0x200
#define DIFFERENT_SRCGEOIP 0x400

/* Masks that clear exactly one SAME_* bit out of a full 12-bit context
 * value (0xfff).  Written as expressions so the relationship to the flag
 * they negate is visible; the resulting constants are unchanged. */
#define NOT_SAME_USER      (0xfff & ~SAME_USER)     /* 0xffe */
#define NOT_SAME_SRCIP     (0xfff & ~SAME_SRCIP)    /* 0xffd */
#define NOT_SAME_ID        (0xfff & ~SAME_ID)       /* 0xffb */
#define NOT_SAME_AGENT     (0xfff & ~SAME_LOCATION) /* 0xff7: clears SAME_LOCATION */
/* Alert option flags (bit mask).
 *
 * NOTE(review): the original comment says "stored in a uint8", yet
 * DO_EXTRAINFO (0x100) and SAME_EXTRAINFO (0x200) occupy the 9th and 10th
 * bits.  The field that receives these flags is not in this excerpt --
 * confirm it is at least 16 bits wide, or those two options are lost on
 * assignment.  Bits 0x001 and 0x008 are not defined in this excerpt.
 */
#define DO_MAILALERT   0x002  /* send the alert by e-mail */
#define DO_LOGALERT    0x004  /* write the alert to the alert log */
#define NO_ALERT       0x010  /* suppress alerting for this rule */
#define DO_OVERWRITE   0x020
#define DO_PACKETINFO  0x040
#define DO_EXTRAINFO   0x100
#define SAME_EXTRAINFO 0x200
/* Event types assigned by the decoders.
 *
 * These are plain integer codes, not a bit mask (the values are not powers
 * of two), so compare with == rather than &.  No value between FIREWALL (3)
 * and WEBLOG (7) is defined in this excerpt.
 */
#define UNKNOWN          0   /* decoder could not classify the event */
#define SYSLOG           1   /* syslog message */
#define IDS              2   /* IDS alert */
#define FIREWALL         3   /* firewall event */
#define WEBLOG           7   /* Apache log */
#define SQUID            8   /* Squid log */
#define DECODER_WINDOWS  9   /* Windows log */
#define HOST_INFO        10  /* host information log (from nmap or similar) */
#define OSSEC_RL         11  /* OSSEC rule */
/* FTS (first-time-seen) field selectors (bit mask).
 *
 * The original source spelled these as leading-zero OCTAL literals
 * (001000, 000100, ...), which is easy to misread as decimal.  They are
 * rewritten here in hex with the octal form in the comment; every value is
 * unchanged.  Bits 0x001..0x008 and 0x040..0x080 are partly unassigned in
 * this excerpt (one definition between FTS_LOCATION and FTS_DATA is missing).
 */
#define FTS_DATA       0x010  /* octal 000020 */
#define FTS_SYSTEMNAME 0x020  /* octal 000040 */
#define FTS_SRCIP      0x040  /* octal 000100 */
#define FTS_DSTIP      0x080  /* octal 000200 */
#define FTS_LOCATION   0x100  /* octal 000400 */
#define FTS_NAME       0x200  /* octal 001000 */
#define FTS_USER       0x400  /* octal 002000 */
#define FTS_DSTUSER    0x800  /* octal 004000 */
66 typedef struct _RuleInfo {
67 int sigid; /* id attribute -- required */
68 int level; /* level attribute --required */
73 u_int8_t context; /* Not a user option */
75 int firedtimes; /* Not a user option */
76 int time_ignored; /* Not a user option */
80 int group_prev_matched_sz;
85 /* Not an option in the rule */
89 u_int16_t context_opts;
97 /* List of previously matched events */
98 OSList *sid_prev_matched;
100 /* Pointer to a list (points to sid_prev_matched of if_matched_sid */
103 /* List of previously matched events in this group
105 * Every rule that has if_matched_group will have this list. Every rule that
106 * matches this group, is going to have a pointer to it (group_search).
108 OSList **group_prev_matched;
110 /* Pointer to group_prev_matched */
111 OSList *group_search;
113 /* Function pointer to the event_search */
114 void *(*event_search)(void *lf, void *rule);
120 /* Policy-based rules */
133 OSMatch *program_name;
137 char *comment; /* Description in the xml */
145 OSRegex *if_matched_regex;
146 OSMatch *if_matched_group;
/**
 * Read rules from an XML rules file.
 *
 * Only the prototype is visible here.  From the signature, ruleact_function
 * is presumably invoked once per parsed rule with the RuleInfo and the
 * caller's @p data -- confirm against the definition.
 *
 * @param rulefile          Path of the XML rules file.  Must not be NULL
 *                          (nonnull(1)).
 * @param ruleact_function  Callback receiving (rule, data).  Must not be
 *                          NULL (nonnull(2)).
 * @param data              Opaque pointer handed to ruleact_function; not
 *                          covered by nonnull, so NULL is permitted.
 * @return int status; the success/failure convention is defined with the
 *         implementation, outside this excerpt.
 *
 * NOTE(review): because of __attribute__((nonnull)), the compiler may treat
 * rulefile and ruleact_function as never NULL and drop any defensive NULL
 * checks inside the definition, so the guarantee has to be upheld by callers.
 */
int OS_ReadXMLRules(const char *rulefile,
                    void *(*ruleact_function)(RuleInfo *rule_1, void *data_1),
                    void *data)
    __attribute__((nonnull(1, 2)));