static int os_setdecoderids(const char *p_name)
{
OSDecoderNode *node;
OSDecoderNode *child_node;
OSDecoderInfo *nnode;
node = OS_GetFirstOSDecoder(p_name);
if (!node) {
return (0);
}
do {
int p_id = 0;
char *tmp_name;
nnode = node->osdecoder;
nnode->id = getDecoderfromlist(nnode->name);
/* Id cannot be 0 */
if (nnode->id == 0) {
return (0);
}
child_node = node->child;
if (!child_node) {
continue;
}
/* Set parent id */
p_id = nnode->id;
tmp_name = nnode->name;
/* Also set on the child nodes */
while (child_node) {
nnode = child_node->osdecoder;
if (nnode->use_own_name) {
nnode->id = getDecoderfromlist(nnode->name);
} else {
nnode->id = p_id;
/* Set parent name */
free(nnode->name);
nnode->name = strdup(tmp_name);
}
/* Id cannot be 0 */
if (nnode->id == 0) {
return (0);
}
child_node = child_node->next;
}
} while ((node = node->next) != NULL);
return (1);
}
/* Use the osdecoders to decode the received event */
void DecodeEvent(Eventinfo *lf)
{
OSDecoderNode *node;
OSDecoderNode *child_node;
OSDecoderInfo *nnode;
const char *llog = NULL;
const char *pmatch = NULL;
const char *cmatch = NULL;
const char *regex_prev = NULL;
node = OS_GetFirstOSDecoder(lf->program_name);
if (!node) {
return;
}
#ifdef TESTRULE
if (!alert_only) {
print_out("\n**Phase 2: Completed decoding.");
}
#endif
do {
nnode = node->osdecoder;
/* First check program name */
if (lf->program_name) {
if (!OSMatch_Execute(lf->program_name, lf->p_name_size,
nnode->program_name)) {
continue;
}
pmatch = lf->log;
}
/* If prematch fails, go to the next osdecoder in the list */
if (nnode->prematch) {
if (!(pmatch = OSRegex_Execute(lf->log, nnode->prematch))) {
continue;
}
/* Next character */
if (*pmatch != '\0') {
pmatch++;
}
}
#ifdef TESTRULE
if (!alert_only) {
print_out(" decoder: '%s'", nnode->name);
}
#endif
lf->decoder_info = nnode;
child_node = node->child;
/* If no child node is set, set the child node
* as if it were the child (ugh)
*/
if (!child_node) {
child_node = node;
}
else {
/* Check if we have any child osdecoder */
while (child_node) {
nnode = child_node->osdecoder;
/* If we have a pre match and it matches, keep
* going. If we don't have a prematch, stop
* and go for the regexes.
*/
if (nnode->prematch) {
const char *llog2;
/* If we have an offset set, use it */
if (nnode->prematch_offset & AFTER_PARENT) {
llog2 = pmatch;
} else {
llog2 = lf->log;
}
if ((cmatch = OSRegex_Execute(llog2, nnode->prematch))) {
if (*cmatch != '\0') {
cmatch++;
}
lf->decoder_info = nnode;
break;
}
} else {
cmatch = pmatch;
break;
}
/* If we have multiple regex-only childs,
* do not attempt to go any further with them.
*/
if (child_node->osdecoder->get_next) {
do {
child_node = child_node->next;
} while (child_node && child_node->osdecoder->get_next);
if (!child_node) {
return;
}
child_node = child_node->next;
nnode = NULL;
} else {
child_node = child_node->next;
nnode = NULL;
}
}
}
/* Nothing matched */
if (!nnode) {
return;
}
/* If we have an external decoder, execute it */
if (nnode->plugindecoder) {
nnode->plugindecoder(lf);
return;
}
/* Get the regex */
while (child_node) {
if (nnode->regex) {
int i;
/* With regex we have multiple options
* regarding the offset:
* after the prematch,
* after the parent,
* after some previous regex,
* or any offset
*/
if (nnode->regex_offset) {
if (nnode->regex_offset & AFTER_PARENT) {
llog = pmatch;
} else if (nnode->regex_offset & AFTER_PREMATCH) {
llog = cmatch;
} else if (nnode->regex_offset & AFTER_PREVREGEX) {
if (!regex_prev) {
llog = cmatch;
} else {
llog = regex_prev;
}
}
} else {
llog = lf->log;
}
/* If Regex does not match, return */
if (!(regex_prev = OSRegex_Execute(llog, nnode->regex))) {
if (nnode->get_next) {
child_node = child_node->next;
nnode = child_node->osdecoder;
continue;
}
return;
}
/* Fix next pointer */
if (*regex_prev != '\0') {
regex_prev++;
}
for (i = 0; nnode->regex->sub_strings[i]; i++) {
if (lf->nfields >= Config.decoder_order_size) {
merror("%s: ERROR: Regex has too many groups.", ARGV0);
return;
}
if (nnode->order[i])
nnode->order[i](lf, nnode->regex->sub_strings[i], nnode->fields[i]);
else
/* We do not free any memory used above */
os_free(nnode->regex->sub_strings[i]);
nnode->regex->sub_strings[i] = NULL;
}
/* If we have a next regex, try getting it */
if (nnode->get_next) {
child_node = child_node->next;
nnode = child_node->osdecoder;
continue;
}
break;
}
/* If we don't have a regex, we may leave now */
return;
}
/* ok to return */
return;
} while ((node = node->next) != NULL);
#ifdef TESTRULE
if (!alert_only) {
print_out(" No decoder matched.");
}
#endif
}
/* Set decoder ids */
int os_setdecoderids(char *p_name)
{
OSDecoderNode *node;
OSDecoderNode *child_node;
OSDecoderInfo *nnode;
node = OS_GetFirstOSDecoder(p_name);
/* Return if no node...
* This shouldn't happen here anyways.
*/
if(!node)
return(0);
do
{
int p_id = 0;
char *p_name;
nnode = node->osdecoder;
nnode->id = getDecoderfromlist(nnode->name);
/* Id can noit be 0 */
if(nnode->id == 0)
{
return(0);
}
child_node = node->child;
if(!child_node)
{
continue;
}
/* Setting parent id */
p_id = nnode->id;
p_name = nnode->name;
/* Also setting on the child nodes */
while(child_node)
{
nnode = child_node->osdecoder;
if(nnode->use_own_name)
{
nnode->id = getDecoderfromlist(nnode->name);
}
else
{
nnode->id = p_id;
/* Setting parent name */
nnode->name = p_name;
}
/* Id can noit be 0 */
if(nnode->id == 0)
{
return(0);
}
child_node = child_node->next;
}
}while((node=node->next) != NULL);
return(1);
}
