Commits

Daniel Cid committed 84aeb53

Description:
Reviewed by:
Bug:

Comments (0)

Files changed (8)

src/analysisd/Makefile

 
 include ../Config.Make
 
-LOCAL= analysisd.c stats.c lists.c lists_list.c rules.c rules_list.c config.c fts.c dodiff.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c picviz.c prelude.c compiled_rules/*.o ${OS_CONFIG}
+OTHER   = stats.c lists.c lists_list.c rules.c rules_list.c config.c fts.c dodiff.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c picviz.c prelude.c compiled_rules/*.o ${OS_CONFIG}
+LOCAL   = analysisd.c ${OTHER}
 PLUGINS = decoders/decoders.a
 ALERTS  = alerts/alerts.a
+DBS     = cdb/cdb.a cdb/cdb_make.a
 
-loga_OBJS = ${LOCAL} ${PLUGINS} ${DBS} ${ALERTS} ${OS_XML} ${OS_NET} ${OS_SHARED} ${OS_REGEX} ${OS_ZLIB} ${CPRELUDE}
+loga_OBJS = ${LOCAL} ${PLUGINS} ${DBS} ${ALERTS} ${OS_XML} ${OS_REGEX} ${OS_NET} ${OS_SHARED} ${OS_ZLIB} ${CPRELUDE}
+lists_OBJS = lists_make.c ${OTHER} ${PLUGINS} ${DBS} ${ALERTS} ${OS_XML} ${OS_REGEX} ${OS_NET} ${OS_SHARED} ${OS_ZLIB} ${CPRELUDE}
 
+all: logaudit logtest makelists
 
 logaudit:
 	    cd ./cdb; make
 		cd ./decoders; make
 		cd ./compiled_rules; make;
 		$(CC) $(CFLAGS) ${OS_LINK} -I./ ${loga_OBJS} -o ${NAME}
-		make logtest
 
 logtest:
 	    cd ./cdb; make
 		cd ./compiled_rules; make;
 		$(CC) $(CFLAGS) ${OS_LINK} -DTESTRULE -I./ testrule.c ${loga_OBJS} -o ossec-logtest 
 
+makelists:
+		cd ./cdb; make
+		$(CC) $(CFLAGS) ${OS_LINK} -DTESTRULE -I./ makelists.c ${lists_OBJS}  -o ossec-makelists
+
 clean:
 	    cd ./cdb; make clean
 		cd ./alerts; make clean
 build:
 		${BUILD}
 		cp -pr ossec-logtest ${PT}../bin
+		cp -pr ossec-makelists ${PT}../bin

src/analysisd/analysisd.c

     }
     SetDecodeXML();
 
+    /* Createing the lists for use in rules */
+    Lists_OP_CreateLists();
+
+    /* Reading the lists */
+    {
+        char **listfiles;
+        listfiles = Config.lists;
+        while(listfiles && *listfiles)
+        {
+            if(!test_config)
+                verbose("%s: INFO: Reading loading the lists file: '%s'", ARGV0, *listfiles);
+            if(Lists_OP_LoadList(*listfiles) < 0)
+                ErrorExit(LISTS_ERROR, ARGV0, *listfiles);
+            free(*listfiles);
+            listfiles++;
+        }
+        free(Config.lists);
+        Config.lists = NULL;
+    }
+    
 
     /* Creating the rules list */
     Rules_OP_CreateRules();
 
 
    
+   
     /* Reading the rules */
     {
         char **rulesfiles;
         free(Config.includes);
         Config.includes = NULL;
     }
-
+    
     /* Creating the lists for use in rules */
     Lists_OP_CreateLists();
 
         free(Config.lists);
         Config.lists = NULL;
     }
-    
+
+    /* complete loading all lists as the rules have been loaded also */
+    OS_ListLoadRules();
+
     
     /* Fixing the levels/accuracy */
     {
                         return(NULL);
     }
 
-    /*
-    if(currently_rule->program_name_list)
-    {
-        if(!lf->program_name)
-            return(NULL);
-        if(OS_SearchKey(currently_rule->program_name_list, lf->program_name)) 
-            printf("OS_MatchKey found\n");
-        else
-            return(NULL);
-    }*/
 
     /* Checking for the id */
     if(currently_rule->id)
         }
     }
 
-
     /* List lookups */
-    if(currently_rule->lists)
+    if(currently_rule->lists != NULL)
     {
-        ListRule *list_holder = currently_rule->lists;
+        ListRule *list_holder=currently_rule->lists;
         while(list_holder)
         {
             switch(list_holder->field)
                 case RULE_SRCIP:
                     if(!lf->srcip)
                         return(NULL);
-                    if(!OS_SearchKey(list_holder->db->filename,lf->srcip))
+                    if(!OS_DBSearch(list_holder,lf->srcip))
                         return(NULL);
                     break;
                 case RULE_SRCPORT:
                     if(!lf->srcport)
                         return(NULL);
-                    if(!OS_SearchKey(list_holder->db->filename,lf->srcport))
+                    if(!OS_DBSearch(list_holder,lf->srcport))
                         return(NULL);
                     break;
                 case RULE_DSTIP:
                     if(!lf->dstip)
                         return(NULL);
-                    if(!OS_SearchKey(list_holder->db->filename,lf->dstip))
+                    if(!OS_DBSearch(list_holder,lf->dstip))
                         return(NULL);
                     break;
                 case RULE_DSTPORT:
                     if(!lf->dstport)
                         return(NULL);
-                    if(!OS_SearchKey(list_holder->db->filename,lf->dstport))
+                    if(!OS_DBSearch(list_holder,lf->dstport))
                         return(NULL);
                     break;
                 case RULE_USER:
                     if(lf->srcuser)
                     {
-                        if(!OS_SearchKey(list_holder->db->filename,lf->srcuser))
+                        if(!OS_DBSearch(list_holder,lf->srcuser))
                             return(NULL);
                     }
                     else if(lf->dstuser)
                     {
-                        if(!OS_SearchKey(list_holder->db->filename,lf->dstuser))
+                        if(!OS_DBSearch(list_holder,lf->dstuser))
                             return(NULL);
                     }
                     else
                 case RULE_URL:
                     if(!lf->url)
                         return(NULL);
-                    if(!OS_SearchKey(list_holder->db->filename,lf->url))
+                    if(!OS_DBSearch(list_holder,lf->url))
                         return(NULL);
                     break;
                 case RULE_ID:
                     if(!lf->id)
                         return(NULL);
-                    if(!OS_SearchKey(list_holder->db->filename,lf->id))
+                    if(!OS_DBSearch(list_holder,lf->id))
                         return(NULL);
                     break;
                 case RULE_HOSTNAME:
                     if(!lf->hostname)
                         return(NULL);
-                    if(!OS_SearchKey(list_holder->db->filename,lf->hostname))
+                    if(!OS_DBSearch(list_holder,lf->hostname))
                         return(NULL);
                     break;
                 case RULE_PROGRAM_NAME:
                     if(!lf->program_name)
                         return(NULL);
-                    if(!OS_SearchKey(list_holder->db->filename,lf->program_name))
+                    if(!OS_DBSearch(list_holder,lf->program_name))
                         return(NULL);
                     break;
                 case RULE_STATUS:
                     if(!lf->status)
                         return(NULL);
-                    if(!OS_SearchKey(list_holder->db->filename,lf->status))
+                    if(!OS_DBSearch(list_holder,lf->status))
                         return(NULL);
                     break;
                 case RULE_ACTION:
                     if(!lf->action)
                         return(NULL);
-                    if(!OS_SearchKey(list_holder->db->filename,lf->action))
+                    if(!OS_DBSearch(list_holder,lf->action))
                         return(NULL);
                     break;
                 default:

src/analysisd/cdb/Makefile

 response:
 		$(CC) -I../ $(CFLAGS) -c $(SRCS)
 		ar cru cdb.a $(OBJS)
+		ar cru cdb_make.a $(OBJS)
 		ranlib cdb.a
+		ranlib cdb_make.a
 
 clean:
 		${CLEAN}

src/analysisd/rules.c

     char *xml_status = "status";
     char *xml_action = "action";
     char *xml_compiled = "compiled_rule";
+
     char *xml_list = "list";
-    
+    char *xml_list_lookup = "lookup";
+    char *xml_list_field = "field";
+    char *xml_list_cvalue = "check_value";
+    char *xml_match_key = "match_key";
+    char *xml_not_match_key = "not_match_key";
+    char *xml_match_key_value = "match_key_value";
+    char *xml_address_key = "address_match_key";
+    char *xml_not_address_key = "not_address_match_key";
+    char *xml_address_key_value = "address_match_key_value";         
+
     char *xml_if_sid = "if_sid";
     char *xml_if_group = "if_group";
     char *xml_if_level = "if_level";
                     {
                         if (rule_opt[k]->attributes && rule_opt[k]->values && rule_opt[k]->content)
                         {
-                            int list_att_num = 0;
-                            int rule_type = 0;
-                            while(rule_opt[k]->attributes[list_att_num] && rule_opt[k]->values[list_att_num])
+                            int list_att_num=0;
+                            int rule_type=0;
+                            OSMatch *matcher=NULL;
+                            int lookup_type = LR_STRING_MATCH;
+                            while(rule_opt[k]->attributes[list_att_num])
                             {
-                                if(strcasecmp(rule_opt[k]->values[list_att_num],xml_srcip) )
-                                	rule_type = RULE_SRCIP;
-                                else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_srcport) )
-                                	rule_type = RULE_SRCPORT;
-                                else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_srcip) )
-                                	rule_type = RULE_SRCIP;
-                                else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_dstport) )
-                                	rule_type = RULE_DSTPORT;
-                                else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_user) )
-                                	rule_type = RULE_USER;
-                                else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_url) )
-                                	rule_type = RULE_URL;
-                                else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_id) )
-                                	rule_type = RULE_ID;
-                                else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_hostname) )
-                                	rule_type = RULE_HOSTNAME;
-                                else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_program_name) )
-                                	rule_type = RULE_PROGRAM_NAME;
-                                else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_status) )
-                                	rule_type = RULE_STATUS;
-                                else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_action) )
-                                	rule_type = RULE_ACTION;
-
-                                if (rule_type)
-                                {   
-                                	OS_AddListRule(config_ruleinfo->lists, 
-                                                   rule_type,
-                                                   rule_opt[k]->content);
-                                    printf("DEBUG\n");
-                                } 
+                                if(strcasecmp(rule_opt[k]->attributes[list_att_num], xml_list_lookup) == 0)
+                                {
+                                    if(strcasecmp(rule_opt[k]->values[list_att_num],xml_match_key) == 0)
+                                        lookup_type = LR_STRING_MATCH;
+                                    else if(strcasecmp(rule_opt[k]->values[list_att_num],xml_not_match_key)==0)
+                                        lookup_type = LR_STRING_NOT_MATCH;
+                                    else if(strcasecmp(rule_opt[k]->values[list_att_num],xml_match_key_value)==0)
+                                        lookup_type = LR_STRING_MATCH_VALUE;
+                                    else if(strcasecmp(rule_opt[k]->values[list_att_num],xml_address_key)==0)
+                                        lookup_type = LR_ADDRESS_MATCH;
+                                    else if(strcasecmp(rule_opt[k]->values[list_att_num],xml_not_address_key)==0)
+                                        lookup_type = LR_ADDRESS_NOT_MATCH;
+                                    else if(strcasecmp(rule_opt[k]->values[list_att_num],xml_address_key_value)==0)
+                                        lookup_type = LR_ADDRESS_MATCH_VALUE;
+                                    else 
+                                    {
+                                        merror(INVALID_CONFIG, ARGV0, 
+                                               rule_opt[k]->element, 
+                                               rule_opt[k]->content);
+                                        merror("%s: List match lookup=\"%s\" is not valid.", 
+                                                ARGV0,rule_opt[k]->values[list_att_num]);
+                                        return(-1);
+                                     }
+                                }
+                                else if(strcasecmp(rule_opt[k]->attributes[list_att_num], xml_list_field)==0)
+                                {
+                                    if(strcasecmp(rule_opt[k]->values[list_att_num],xml_srcip)==0)
+                                        rule_type = RULE_SRCIP;
+                                    else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_srcport)==0)
+                                        rule_type = RULE_SRCPORT;
+                                    else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_dstip)==0)
+                                        rule_type = RULE_DSTIP;
+                                    else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_dstport)==0)
+                                        rule_type = RULE_DSTPORT;
+                                    else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_user)==0)
+                                        rule_type = RULE_USER;
+                                    else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_url)==0)
+                                        rule_type = RULE_URL;
+                                    else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_id)==0)
+                                        rule_type = RULE_ID;
+                                    else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_hostname)==0)
+                                        rule_type = RULE_HOSTNAME;
+                                    else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_program_name)==0)
+                                        rule_type = RULE_PROGRAM_NAME;
+                                    else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_status)==0)
+                                        rule_type = RULE_STATUS;
+                                    else if (strcasecmp(rule_opt[k]->values[list_att_num],xml_action)==0)
+                                        rule_type = RULE_ACTION;
+                                    else 
+                                    {
+                                        merror(INVALID_CONFIG, ARGV0, 
+                                               rule_opt[k]->element, 
+                                               rule_opt[k]->content);
+                                        merror("%s: List match field=\"%s\" is not valid.", 
+                                                ARGV0,rule_opt[k]->values[list_att_num]);
+                                        return(-1);
+                                     }
+                                }
+                                else if(strcasecmp(rule_opt[k]->attributes[list_att_num], xml_list_cvalue)==0)
+                                {
+                                    os_calloc(1, sizeof(OSMatch), matcher);
+                                    if(!OSMatch_Compile(rule_opt[k]->values[list_att_num], matcher, 0))
+                                    {
+                                        merror(INVALID_CONFIG, ARGV0, 
+                                               rule_opt[k]->element, 
+                                               rule_opt[k]->content);
+                                        merror(REGEX_COMPILE, 
+                                               ARGV0, 
+                                               rule_opt[k]->values[list_att_num], 
+                                               matcher->error);
+                                        return(-1);
+                                    }
+                                }
                                 else
                                 {
-                                	merror("%s: ERROR: List field '%s' is not valid",ARGV0,
+                                	merror("%s:List feild=\"%s\" is not valid",ARGV0,
                                            rule_opt[k]->values[list_att_num]);
                                     merror(INVALID_CONFIG, ARGV0, 
                                            rule_opt[k]->element, rule_opt[k]->content);
                                 }
                                 list_att_num++;
                             }
+                            if(rule_type == 0)
+                            {
+                                merror("%s:List requires the field=\"\" Attrubute",ARGV0);
+                                merror(INVALID_CONFIG, ARGV0, 
+                                       rule_opt[k]->element, rule_opt[k]->content);
+                                return(-1);
+                            }
+
+                            /* Wow it's all ready - this seams too complex to get to this point */
+                            config_ruleinfo->lists = OS_AddListRule(config_ruleinfo->lists,
+                                           lookup_type, 
+                                           rule_type, 
+                                           rule_opt[k]->content,
+                                           matcher);
+                            if (config_ruleinfo->lists == NULL)
+                            {
+                                merror("%s: List error: Could not load %s", ARGV0, rule_opt[k]->content);
+                                return(-1);
+                            }
                         }
                         else
                         {
-                            merror("%s: ERROR: List must have a correctly formtted field attribute",
+                            merror("%s:List must have a correctly formatted feild attribute",
                                    ARGV0);
                             merror(INVALID_CONFIG, 
                                    ARGV0, 
                                    rule_opt[k]->content);
                             return(-1);
                         }                        
+                        /* xml_list eval is done */
                     }
                     else if(strcasecmp(rule_opt[k]->element,xml_url)==0)
                     {

src/analysisd/rules.h

 #define RULE_ACTION     2048
 
 
+#define RULE_MASTER     1
+#define RULE_SRCIP      2
+#define RULE_SRCPORT    4
+#define RULE_DSTIP      8
+#define RULE_DSTPORT    16
+#define RULE_USER       32
+#define RULE_URL        64
+#define RULE_ID         128
+#define RULE_HOSTNAME   256
+#define RULE_PROGRAM_NAME 512
+#define RULE_STATUS     1024
+#define RULE_ACTION     2048
+
+
 #define RULEINFODETAIL_TEXT     0
 #define RULEINFODETAIL_LINK     1
 #define RULEINFODETAIL_CVE      2

src/analysisd/testrule.c

     SetDecodeXML();
 
     
+    /* Createing the lists for use in rules */
+    Lists_OP_CreateLists();
+
+    /* Reading the lists */
+    {
+        char **listfiles;
+        listfiles = Config.lists;
+        while(listfiles && *listfiles)
+        {
+            if(Lists_OP_LoadList(*listfiles) < 0)
+                ErrorExit(LISTS_ERROR, ARGV0, *listfiles);
+            free(*listfiles);
+            listfiles++;
+        }
+        free(Config.lists);
+        Config.lists = NULL;
+    }
+    
+
     /* Creating the rules list */
     Rules_OP_CreateRules();
 
-   
     /* Reading the rules */
     {
         char **rulesfiles;
         rulesfiles = Config.includes;
         while(rulesfiles && *rulesfiles)
         {
-            debug1("%s: INFO: Reading rules file: '%s'", ARGV0, *rulesfiles);
             if(Rules_OP_ReadRules(*rulesfiles) < 0)
                 ErrorExit(RULES_ERROR, ARGV0, *rulesfiles);
                 
         free(Config.lists);
         Config.lists = NULL;
     }
+
+    /* complete loading all lists as the rules have been loaded also */
+    OS_ListLoadRules();
     
     
     /* Fixing the levels/accuracy */
                 {
                     continue;
                 }
-            
+
 
                 /* Checking each rule. */
                 else if((currently_rule = OS_CheckIfRuleMatch(lf, rulenode_pt)) 

src/config/rules-config.c

 
     /* XML definitions */
     char *xml_rules_include = "include";
-    char *xml_rules_lists = "lists";
+    char *xml_rules_lists = "list";
 
     _Config *Config;
      
                 return(OS_INVALID);
             }
 
-            printf("adding %s to rules\n", node[i]->content);
             os_strdup(node[i]->content,Config->includes[rules_size -2]);
-            printf("got %s\n", Config->includes[rules_size -2]);
             Config->includes[rules_size -1] = NULL;
         }
         else if(strcmp(node[i]->element, xml_rules_lists) == 0)
                 merror(MEM_ERROR, ARGV0);
                 return(OS_INVALID);
             }
-            printf("adding %s to lists\n", node[i]->content);
             os_strdup(node[i]->content,Config->lists[lists_size -2]);
-            printf("got %s\n", Config->lists[lists_size -2]);
+            Config->lists[lists_size -1] = NULL;
+
+        }
+        else if(strcmp(node[i]->element, xml_rules_lists) == 0)
+        {
+            lists_size++;
+            Config->lists = realloc(Config->lists,
+                                    sizeof(char *)*lists_size);
+            if(!Config->lists)
+            {
+                merror(MEM_ERROR, ARGV0);
+                return(OS_INVALID);
+            }
+            os_strdup(node[i]->content,Config->lists[lists_size -2]);
             Config->lists[lists_size -1] = NULL;
 
         }

src/shared/report_op.c

     }
     if(r_filter->location)
     {
-        if(!OS_Match2(r_filter->location, al_data->location))
+        if(!OS_Match(r_filter->location, al_data->location))
         {
             return(0);
         }