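/* Both strings present and equal (used by the SAME_* context checks). */
static int lastsids_same(const char *a, const char *b)
{
    return (a != NULL) && (b != NULL) && (strcmp(a, b) == 0);
}

/* Both strings present and different (used by the DIFFERENT_* context checks). */
static int lastsids_differ(const char *a, const char *b)
{
    return (a != NULL) && (b != NULL) && (strcmp(a, b) != 0);
}

/* Search last times a signature fired
 * Will look for only that specific signature.
 *
 * Walks rule->sid_search from its last node backwards (prev links),
 * skipping events that fail the rule's context options and counting the
 * ones that pass in rule->__frequency.  The first events counted are also
 * copied into rule->last_events for the alert text.
 *
 * my_lf: the event currently being evaluated
 * rule:  the rule whose timeframe, frequency and context options apply
 *
 * Returns the event that completed the frequency count -- my_lf, that
 * event and the newest event in the list get matched = rule->level -- or
 * NULL when: the rule has no sid_search, the list is empty, an event
 * outside rule->timeframe is reached, an already-matched event of equal or
 * higher level is hit (non SAME_EXTRAINFO rules only), or the list ends
 * before the count is reached.
 *
 * Change from the earlier version: SAME_LOCATION now treats a NULL
 * hostname on either side as a mismatch, like every other field check,
 * instead of handing NULL to strcmp.
 */
Eventinfo *Search_LastSids(Eventinfo *my_lf, RuleInfo *rule)
{
    Eventinfo *lf;
    Eventinfo *first_lf;
    OSListNode *lf_node;

    /* Set frequency to 0 */
    rule->__frequency = 0;

    /* Checking if sid search is valid */
    if (!rule->sid_search) {
        merror("%s: ERROR: No sid search.", ARGV0);
        return (NULL);
    }

    /* Get last node */
    lf_node = OSList_GetLastNode(rule->sid_search);
    if (!lf_node) {
        return (NULL);
    }

    first_lf = (Eventinfo *)lf_node->data;

    /* Every `continue` below jumps to the while condition, which steps to
     * the previous node. */
    do {
        lf = (Eventinfo *)lf_node->data;

        /* If time is outside the timeframe, return.  The search stops
         * rather than skips here, which presumes older nodes are further
         * back in the list. */
        if ((c_time - lf->time) > rule->timeframe) {
            return (NULL);
        }

        /* Check for same ID */
        if ((rule->context_opts & SAME_ID) &&
            !lastsids_same(lf->id, my_lf->id)) {
            continue;
        }

        /* Check for repetitions from same src_ip */
        if ((rule->context_opts & SAME_SRCIP) &&
            !lastsids_same(lf->srcip, my_lf->srcip)) {
            continue;
        }

        /* Grouping of additional data (note: gated on alert_opts, the
         * individual checks on context_opts) */
        if (rule->alert_opts & SAME_EXTRAINFO) {
            /* Check for same source port */
            if ((rule->context_opts & SAME_SRCPORT) &&
                !lastsids_same(lf->srcport, my_lf->srcport)) {
                continue;
            }

            /* Check for same dst port */
            if ((rule->context_opts & SAME_DSTPORT) &&
                !lastsids_same(lf->dstport, my_lf->dstport)) {
                continue;
            }

            /* Check for repetitions on user error */
            if ((rule->context_opts & SAME_USER) &&
                !lastsids_same(lf->dstuser, my_lf->dstuser)) {
                continue;
            }

            /* Check for same location (NULL-guarded like the others) */
            if ((rule->context_opts & SAME_LOCATION) &&
                !lastsids_same(lf->hostname, my_lf->hostname)) {
                continue;
            }

            /* Check for different URLs */
            if ((rule->context_opts & DIFFERENT_URL) &&
                !lastsids_differ(lf->url, my_lf->url)) {
                continue;
            }

            /* Check for different from same srcgeoip */
            if ((rule->context_opts & DIFFERENT_SRCGEOIP) &&
                !lastsids_differ(lf->srcgeoip, my_lf->srcgeoip)) {
                continue;
            }
        }
        /* We avoid multiple triggers for the same rule
         * or rules with a lower level. */
        else if (lf->matched >= rule->level) {
            return (NULL);
        }

        /* Keep the first matches for the alert text.  Indices 0..11 are
         * written here, so last_events must hold at least 12 pointers --
         * its allocation is not in this file; confirm before changing
         * the bound. */
        if (rule->__frequency <= 10) {
            rule->last_events[rule->__frequency] = lf->full_log;
            rule->last_events[rule->__frequency + 1] = NULL;
        }

        /* Not enough matches yet: count this one and keep walking */
        if (rule->__frequency < rule->frequency) {
            rule->__frequency++;
            continue;
        }
        rule->__frequency++;

        /* If reached here, we matched */
        my_lf->matched = rule->level;
        lf->matched = rule->level;
        first_lf->matched = rule->level;
        return (lf);
    } while ((lf_node = lf_node->prev) != NULL);

    return (NULL);
}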
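/* FTS v0.1
 * First Time Seen: check if the key built from "lf" is present on the
 * "queue" (fts_store).  If it is not, write it there and to the FTS file.
 *
 * lf: the decoded event.  lf->decoder_info->fts selects which fields take
 *     part in the key; the decoder name is always included.
 *
 * Returns 1 when the key is new and was stored (under TESTRULE, before the
 * file write), 0 when it was already present or OSHash_Add did not report
 * success.
 */
int FTS(Eventinfo *lf)
{
    int number_of_matches = 0;
    char _line[OS_FLSIZE + 1];
    char *line_for_list = NULL;
    OSListNode *fts_node;

    _line[OS_FLSIZE] = '\0';

    /* Assigning the values to the FTS: decoder name, then each selected
     * field or an empty token when it is absent or not selected.  snprintf
     * bounds and terminates the key; longer keys are silently cut.
     * NOTE(review): location is the only field used without a NULL check;
     * presumably it is always set by the time an event gets here -- confirm. */
    snprintf(_line, OS_FLSIZE, "%s %s %s %s %s %s %s %s %s",
             lf->decoder_info->name,
             (lf->id && (lf->decoder_info->fts & FTS_ID)) ? lf->id : "",
             (lf->dstuser && (lf->decoder_info->fts & FTS_DSTUSER)) ? lf->dstuser : "",
             (lf->srcuser && (lf->decoder_info->fts & FTS_SRCUSER)) ? lf->srcuser : "",
             (lf->srcip && (lf->decoder_info->fts & FTS_SRCIP)) ? lf->srcip : "",
             (lf->dstip && (lf->decoder_info->fts & FTS_DSTIP)) ? lf->dstip : "",
             (lf->data && (lf->decoder_info->fts & FTS_DATA)) ? lf->data : "",
             (lf->systemname && (lf->decoder_info->fts & FTS_SYSTEMNAME)) ? lf->systemname : "",
             (lf->decoder_info->fts & FTS_LOCATION) ? lf->location : "");

    /** Checking if FTS is already present **/
    if (OSHash_Get(fts_store, _line)) {
        return (0);
    }

    /* For IDS decoders, check whether at least 3 of the recent FTS entries
     * are "similar" to this key; if so, collapse the key to its
     * fts_minsize_for_str prefix so that those alerts share one entry. */
    if (lf->decoder_info->type == IDS) {
        fts_node = OSList_GetLastNode(fts_list);
        while (fts_node) {
            if (OS_StrHowClosedMatch((char *)fts_node->data, _line) > fts_minsize_for_str) {
                number_of_matches++;

                if (number_of_matches > 2) {
                    /* fts_minsize_for_str is set elsewhere (configuration)
                     * and nothing in this function bounds it, so only
                     * truncate when the index lies inside _line
                     * (OS_FLSIZE + 1 bytes). */
                    if ((size_t)fts_minsize_for_str <= OS_FLSIZE) {
                        _line[fts_minsize_for_str] = '\0';
                    }
                    break;
                }
            }
            fts_node = OSList_GetPrevNode(fts_list);
        }

        /* The list keeps this copy and owns it from here on */
        os_strdup(_line, line_for_list);
        OSList_AddData(fts_list, line_for_list);
    }

    /* Storing new entry: non-IDS path allocates the copy for the hash */
    if (line_for_list == NULL) {
        os_strdup(_line, line_for_list);
    }

    /* NOTE(review): on the non-IDS path a return here leaves line_for_list
     * neither stored nor freed (leak), unless OSHash_Add retains it on
     * failure -- check its contract before adding a free(). */
    if (OSHash_Add(fts_store, line_for_list, line_for_list) <= 1) {
        return (0);
    }

#ifdef TESTRULE
    return (1);
#endif

    /* Saving to fts fp (best-effort: I/O results are not checked) */
    fseek(fp_list, 0, SEEK_END);
    fprintf(fp_list, "%s\n", _line);
    fflush(fp_list);

    return (1);
}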