-/* @(#) $Id: rules_op.c,v 1.6 2009/06/24 18:53:08 dcid Exp $ */
+/* @(#) $Id$ */
/* Copyright (C) 2009 Trend Micro Inc.
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
* Foundation.
*
* License details at the LICENSE file included with OSSEC or
#include "rules_op.h"
+/* Chaging path for test rule. */
+#ifdef TESTRULE
+ #undef RULEPATH
+ #define RULEPATH "rules/"
+#endif
+
/** Prototypes **/
int _OS_GetRulesAttributes(char **attributes,
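Review bot: The `TESTRULE` override makes `RULEPATH` a relative path, so a binary built with that macro loads rules from whatever directory it is started in, and the added comment does not say so. I would reword it (and fix the "Chaging" typo) to something like `/* Test builds only: load rules from ./rules relative to the working directory. */`. Note also that the format string used later already inserts a `/`, so the trailing slash in `"rules/"` produces `rules//name`; that is harmless but could be dropped.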
char *xml_same_user = "same_user";
char *xml_same_location = "same_location";
char *xml_same_id = "same_id";
+ char *xml_dodiff = "check_diff";
char *xml_different_url = "different_url";
int i;
- /* Building the rule file name + path */
- i = strlen(RULEPATH) + strlen(rulefile) + 2;
- rulepath = (char *)calloc(i,sizeof(char));
- if(!rulepath)
+ /* If no directory in the rulefile add the default */
+ if((strchr(rulefile, '/')) == NULL)
{
- ErrorExit(MEM_ERROR,__local_name);
+ /* Building the rule file name + path */
+ i = strlen(RULEPATH) + strlen(rulefile) + 2;
+ rulepath = (char *)calloc(i,sizeof(char));
+ if(!rulepath)
+ {
+ ErrorExit(MEM_ERROR,ARGV0);
+ }
+ snprintf(rulepath,i,"%s/%s",RULEPATH,rulefile);
+ }
+ else
+ {
+ os_strdup(rulefile, rulepath);
+ debug1("%s is the rulefile", rulefile);
+ debug1("Not modifing the rule path");
}
- snprintf(rulepath,i,"%s/%s",RULEPATH,rulefile);
/* Reading the XML */
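Review bot: In the new `else` branch any `rulefile` containing `/` is copied verbatim into `rulepath`, so absolute paths and `../` components reach the XML reader with no check that the file sits under the rules directory. If the name can ever come from something less trusted than the administrator-owned configuration, reject such names before the `os_strdup`, for example `if(strstr(rulefile, "..") != NULL) { merror("%s: Invalid rule file path '%s'.", ARGV0, rulefile); return(-1); }` (this assumes the function reports failure with `return(-1)`, as the later branches do). A short comment on the branch stating that a caller-supplied directory is trusted as-is would also help the next reader. The function body starts and ends outside this hunk, and `i` remains an `int` receiving a sum of `strlen()` results.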
config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
}
else if(strcasecmp(rule_opt[k]->element,
+ xml_dodiff)==0)
+ {
+ config_ruleinfo->context++;
+ config_ruleinfo->context_opts|= SAME_DODIFF;
+ if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))
+ {
+ config_ruleinfo->alert_opts |= DO_EXTRAINFO;
+ }
+ }
+ else if(strcasecmp(rule_opt[k]->element,
xml_same_dst_port) == 0)
{
config_ruleinfo->context_opts|= SAME_DSTPORT;
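Review bot: The `if(!(config_ruleinfo->alert_opts & DO_EXTRAINFO))` guard in the new `check_diff` branch is redundant, because OR-ing in a bit that is already set changes nothing; `config_ruleinfo->alert_opts |= DO_EXTRAINFO;` on its own is equivalent and easier to read. The `no_ar` branch added further down wraps `alert_opts |= NO_AR` in the same kind of test and can be simplified the same way. The enclosing if/else chain starts outside the hunk.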
config_ruleinfo->alert_opts &=0xfff-DO_LOGALERT;
}
}
+ else if(strcmp("no_ar", rule_opt[k]->content) == 0)
+ {
+ if(!(config_ruleinfo->alert_opts & NO_AR))
+ {
+ config_ruleinfo->alert_opts|= NO_AR;
+ }
+ }
else
{
merror(XML_VALUEERR, __local_name, xml_options,
return(-1);
}
}
+ /* XXX As new features are added into ../analysisd/rules.c
+ * This code needs to be updated to match, but is out of date
+ * it's become a nightmare to correct with out just make the
+ * problem for someone later.
+ *
+ * This hack will allow any crap xml to pass without an
+ * error. The correct fix is to refactor the code so that
+ * ../analysisd/rules* and this code are not duplicates
+ *
else
{
merror(XML_INVELEM, __local_name, rule_opt[k]->element);
OS_ClearXML(&xml);
return(-1);
}
+ */
k++;
}
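Review bot: With the final `else` commented out, an unrecognised element inside a rule is skipped without any message, so a misspelled option presumably yields a rule that loads with fewer conditions than its author wrote and nothing in the log reveals it. Keeping the diagnostic while dropping only the abort would preserve the tolerance this hunk is after: `else { merror(XML_INVELEM, __local_name, rule_opt[k]->element); }`. Disabling code by extending a block comment over it is also fragile, since any `*/` later added inside that region ends the comment early; `#if 0` / `#endif` around the old branch is safer. The surrounding loop begins outside the hunk.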