+
+ if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
+ config_ruleinfo->alert_opts |= DO_EXTRAINFO;
+ } else if (strcasecmp(rule_opt[k]->element, xml_id_pcre2) == 0) {
+ id_pcre2 =
+ loadmemory(id_pcre2,
+ rule_opt[k]->content);
+ } else if (strcasecmp(rule_opt[k]->element, xml_srcport_pcre2) == 0) {
+ srcport_pcre2 =
+ loadmemory(srcport_pcre2,
+ rule_opt[k]->content);
+ if (!(config_ruleinfo->alert_opts & DO_PACKETINFO)) {
+ config_ruleinfo->alert_opts |= DO_PACKETINFO;
+ }
+ } else if (strcasecmp(rule_opt[k]->element, xml_dstport_pcre2) == 0) {
+ dstport_pcre2 =
+ loadmemory(dstport_pcre2,
+ rule_opt[k]->content);
+
+ if (!(config_ruleinfo->alert_opts & DO_PACKETINFO)) {
+ config_ruleinfo->alert_opts |= DO_PACKETINFO;
+ }
+ } else if (strcasecmp(rule_opt[k]->element, xml_status_pcre2) == 0) {
+ status_pcre2 =
+ loadmemory(status_pcre2,
+ rule_opt[k]->content);
+
+ if (!(config_ruleinfo->alert_opts & DO_EXTRAINFO)) {
+ config_ruleinfo->alert_opts |= DO_EXTRAINFO;
+ }
+ } else if (strcasecmp(rule_opt[k]->element, xml_hostname_pcre2) == 0) {
+ hostname_pcre2 =
+ loadmemory(hostname_pcre2,
+ rule_opt[k]->content);
+
+ if (!(config_ruleinfo->alert_opts & DO_EXTRAINFO)) {
+ config_ruleinfo->alert_opts |= DO_EXTRAINFO;
+ }
+ } else if (strcasecmp(rule_opt[k]->element, xml_data_pcre2) == 0) {
+ extra_data_pcre2 =
+ loadmemory(extra_data_pcre2,
+ rule_opt[k]->content);
+
+ if (!(config_ruleinfo->alert_opts & DO_EXTRAINFO)) {
+ config_ruleinfo->alert_opts |= DO_EXTRAINFO;
+ }
+ } else if (strcasecmp(rule_opt[k]->element,
+ xml_program_name_pcre2) == 0) {
+ program_name_pcre2 =
+ loadmemory(program_name_pcre2,
+ rule_opt[k]->content);
+ } else if (strcasecmp(rule_opt[k]->element, xml_action) == 0) {
+ config_ruleinfo->action =
+ loadmemory(config_ruleinfo->action,
+ rule_opt[k]->content);
+ } else if (strcasecmp(rule_opt[k]->element, xml_field) == 0) {
+ if (rule_opt[k]->attributes[0]) {
+ os_calloc(1, sizeof(FieldInfo), config_ruleinfo->fields[ifield]);
+
+ if (strcasecmp(rule_opt[k]->attributes[0], xml_name) == 0) {
+ config_ruleinfo->fields[ifield]->name = loadmemory(config_ruleinfo->fields[ifield]->name, rule_opt[k]->values[0]);
+ } else {
+ merror("%s: Bad attribute '%s' for field.", ARGV0, rule_opt[k]->attributes[0]);
+ return -1;
+ }
+ } else {
+ merror("%s: No such attribute '%s' for field.", ARGV0, xml_name);
+ return (-1);
+ }
+
+ os_calloc(1, sizeof(OSRegex), config_ruleinfo->fields[ifield]->regex);
+
+ if (!OSRegex_Compile(rule_opt[k]->content, config_ruleinfo->fields[ifield]->regex, 0)) {
+ merror(REGEX_COMPILE, ARGV0, rule_opt[k]->content, config_ruleinfo->fields[ifield]->regex->error);
+ return -1;
+ }
+
+ ifield++;
+
+ } else if (strcasecmp(rule_opt[k]->element, xml_list) == 0) {
+ debug1("-> %s == %s", rule_opt[k]->element, xml_list);
+ if (rule_opt[k]->attributes && rule_opt[k]->values && rule_opt[k]->content) {
+ int list_att_num = 0;
+ int rule_type = 0;
+ OSMatch *matcher = NULL;
+ int lookup_type = LR_STRING_MATCH;
+ while (rule_opt[k]->attributes[list_att_num]) {
+ if (strcasecmp(rule_opt[k]->attributes[list_att_num], xml_list_lookup) == 0) {
+ if (strcasecmp(rule_opt[k]->values[list_att_num], xml_match_key) == 0) {
+ lookup_type = LR_STRING_MATCH;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_not_match_key) == 0) {
+ lookup_type = LR_STRING_NOT_MATCH;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_match_key_value) == 0) {
+ lookup_type = LR_STRING_MATCH_VALUE;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_address_key) == 0) {
+ lookup_type = LR_ADDRESS_MATCH;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_not_address_key) == 0) {
+ lookup_type = LR_ADDRESS_NOT_MATCH;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_address_key_value) == 0) {
+ lookup_type = LR_ADDRESS_MATCH_VALUE;
+ } else {
+ merror(INVALID_CONFIG, ARGV0,
+ rule_opt[k]->element,
+ rule_opt[k]->content);
+ merror("%s: List match lookup=\"%s\" is not valid.",
+ ARGV0, rule_opt[k]->values[list_att_num]);
+ return (-1);
+ }
+ } else if (strcasecmp(rule_opt[k]->attributes[list_att_num], xml_list_field) == 0) {
+ if (strcasecmp(rule_opt[k]->values[list_att_num], xml_srcip) == 0) {
+ rule_type = RULE_SRCIP;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_srcport) == 0) {
+ rule_type = RULE_SRCPORT;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_dstip) == 0) {
+ rule_type = RULE_DSTIP;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_dstport) == 0) {
+ rule_type = RULE_DSTPORT;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_user) == 0) {
+ rule_type = RULE_USER;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_url) == 0) {
+ rule_type = RULE_URL;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_id) == 0) {
+ rule_type = RULE_ID;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_hostname) == 0) {
+ rule_type = RULE_HOSTNAME;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_program_name) == 0) {
+ rule_type = RULE_PROGRAM_NAME;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_status) == 0) {
+ rule_type = RULE_STATUS;
+ } else if (strcasecmp(rule_opt[k]->values[list_att_num], xml_action) == 0) {
+ rule_type = RULE_ACTION;
+ } else {
+ merror(INVALID_CONFIG, ARGV0,
+ rule_opt[k]->element,
+ rule_opt[k]->content);
+ merror("%s: List match field=\"%s\" is not valid.",
+ ARGV0, rule_opt[k]->values[list_att_num]);
+ return (-1);
+ }
+ } else if (strcasecmp(rule_opt[k]->attributes[list_att_num], xml_list_cvalue) == 0) {
+ os_calloc(1, sizeof(OSMatch), matcher);
+ if (!OSMatch_Compile(rule_opt[k]->values[list_att_num], matcher, 0)) {
+ merror(INVALID_CONFIG, ARGV0,
+ rule_opt[k]->element,
+ rule_opt[k]->content);
+ merror(REGEX_COMPILE,
+ ARGV0,
+ rule_opt[k]->values[list_att_num],
+ matcher->error);
+ return (-1);
+ }
+ } else {
+ merror("%s:List field=\"%s\" is not valid", ARGV0,
+ rule_opt[k]->values[list_att_num]);
+ merror(INVALID_CONFIG, ARGV0,
+ rule_opt[k]->element, rule_opt[k]->content);
+ return (-1);
+ }
+ list_att_num++;
+ }
+ if (rule_type == 0) {
+ merror("%s:List requires the field=\"\" Attrubute", ARGV0);
+ merror(INVALID_CONFIG, ARGV0,
+ rule_opt[k]->element, rule_opt[k]->content);
+ return (-1);
+ }
+
+ /* Wow it's all ready - this seems too complex to get to this point */
+ config_ruleinfo->lists = OS_AddListRule(config_ruleinfo->lists,
+ lookup_type,
+ rule_type,
+ rule_opt[k]->content,
+ matcher);
+ if (config_ruleinfo->lists == NULL) {
+ merror("%s: List error: Could not load %s", ARGV0, rule_opt[k]->content);
+ return (-1);
+ }
+ } else {
+ merror("%s:List must have a correctly formatted field attribute",
+ ARGV0);
+ merror(INVALID_CONFIG,
+ ARGV0,
+ rule_opt[k]->element,
+ rule_opt[k]->content);
+ return (-1);
+ }
+ /* xml_list eval is done */
+ } else if (strcasecmp(rule_opt[k]->element, xml_url) == 0) {
+ url =