/* Decide whether a source address must be rejected.
 *
 * Returns 1 (not allowed) when srcip appears on logr.denyips, 0 (allowed)
 * when it appears on logr.allowips, and 1 for anything else: an address on
 * neither list is denied by default. The deny list is consulted first, so
 * an address present on both lists is denied.
 */
static int OS_IPNotAllowed(char *srcip)
{
    const int denied = 1;
    const int allowed = 0;

    /* Explicit deny entries take precedence over the allow list. */
    if (logr.denyips && OS_IPFoundList(srcip, logr.denyips)) {
        return denied;
    }

    /* Only a positive allow-list hit grants access. */
    if (logr.allowips && OS_IPFoundList(srcip, logr.allowips)) {
        return allowed;
    }

    /* Default deny for addresses on neither list. */
    return denied;
}
/* CheckIfRuleMatch v0.1
 * Check whether the rule held by curr_node matches the event lf.
 *
 * Every test below is an early-out: as soon as one condition the rule
 * defines is not satisfied, NULL is returned. A condition is only
 * evaluated when the rule actually sets it (non-NULL / non-zero field),
 * so a rule with no conditions matches every event that reaches it.
 *
 * Once the rule itself matches, its child rules (curr_node->child) are
 * tried recursively and the first matching child is returned in place of
 * the parent. If no child matches, the parent is returned - unless it is
 * flagged NO_ALERT, in which case NULL is returned even though it matched.
 *
 * Side effects on a returned match: hourly_alerts and the rule's own
 * firedtimes counter are incremented.
 *
 * NOTE(review): lf->decoder_info is dereferenced without a NULL check
 * (decoded_as and FTS tests below); presumably every event reaching the
 * rule tree carries a decoder - confirm at the call site.
 */
RuleInfo *OS_CheckIfRuleMatch(Eventinfo *lf, RuleNode *curr_node)
{
    /* We check for:
     * decoded_as,
     * fts,
     * word match (fast regex),
     * regex,
     * url,
     * id,
     * user,
     * maxsize,
     * protocol,
     * srcip,
     * dstip,
     * srcport,
     * dstport,
     * time,
     * weekday,
     * status,
     */
    RuleInfo *currently_rule = curr_node->ruleinfo;


    /* Can't be null: a node without rule information is an internal error,
     * reported and treated as "no match" */
    if(!currently_rule)
    {
        merror("%s: Inconsistent state. currently rule NULL", ARGV0);
        return(NULL);
    }


    #ifdef TESTRULE
    if(full_output && !alert_only)
    print_out("    Trying rule: %d - %s", currently_rule->sigid,
                                          currently_rule->comment);
    #endif


    /* decoded_as: the event must have been parsed by the decoder this
     * rule names (compared by decoder id) */
    if(currently_rule->decoded_as &&
       currently_rule->decoded_as != lf->decoder_info->id)
    {
        return(NULL);
    }


    /* Checking program name (fast word match on lf->program_name) */
    if(currently_rule->program_name)
    {
        if(!lf->program_name)
            return(NULL);

        if(!OSMatch_Execute(lf->program_name,
                            lf->p_name_size,
                            currently_rule->program_name))
                        return(NULL);
    }


    /* Checking for the id: the rule requires the field to be present
     * and to match */
    if(currently_rule->id)
    {
        if(!lf->id)
        {
            return(NULL);
        }

        if(!OSMatch_Execute(lf->id,
                            strlen(lf->id),
                            currently_rule->id))
            return(NULL);
        #ifdef CDBLOOKUP

        #endif
    }


    /* Checking if any word to match exists (fast match over the whole log) */
    if(currently_rule->match)
    {
        if(!OSMatch_Execute(lf->log, lf->size, currently_rule->match))
            return(NULL);
    }


    /* Checking if a regex exists for this rule (full regex over the log) */
    if(currently_rule->regex)
    {
        if(!OSRegex_Execute(lf->log, currently_rule->regex))
            return(NULL);
    }


    /* Checking for actions: exact string comparison, not a pattern */
    if(currently_rule->action)
    {
        if(!lf->action)
            return(NULL);

        if(strcmp(currently_rule->action,lf->action) != 0)
            return(NULL);
    }


    /* Checking for the url */
    if(currently_rule->url)
    {
        if(!lf->url)
        {
            return(NULL);
        }

        if(!OSMatch_Execute(lf->url, strlen(lf->url), currently_rule->url))
        {
            return(NULL);
        }
        #ifdef CDBLOOKUP

        #endif
    }



    /* Getting tcp/ip packet information; these four tests are only run
     * when the rule asked for them via DO_PACKETINFO */
    if(currently_rule->alert_opts & DO_PACKETINFO)
    {
        /* Checking for the srcip (list/CIDR lookup, not a text match) */
        if(currently_rule->srcip)
        {
            if(!lf->srcip)
            {
                return(NULL);
            }

            if(!OS_IPFoundList(lf->srcip, currently_rule->srcip))
            {
                return(NULL);
            }
            #ifdef CDBLOOKUP

            #endif
        }

        /* Checking for the dstip */
        if(currently_rule->dstip)
        {
            if(!lf->dstip)
            {
                return(NULL);
            }

            if(!OS_IPFoundList(lf->dstip, currently_rule->dstip))
            {
                return(NULL);
            }
            #ifdef CDBLOOKUP

            #endif
        }

        /* Ports are compared as strings with the fast matcher */
        if(currently_rule->srcport)
        {
            if(!lf->srcport)
            {
                return(NULL);
            }

            if(!OSMatch_Execute(lf->srcport,
                                strlen(lf->srcport),
                                currently_rule->srcport))
            {
                return(NULL);
            }
            #ifdef CDBLOOKUP

            #endif
        }
        if(currently_rule->dstport)
        {
            if(!lf->dstport)
            {
                return(NULL);
            }

            if(!OSMatch_Execute(lf->dstport,
                                strlen(lf->dstport),
                                currently_rule->dstport))
            {
                return(NULL);
            }
            #ifdef CDBLOOKUP

            #endif
        }
    } /* END PACKET_INFO */


    /* Extra information from event; only run when DO_EXTRAINFO is set */
    if(currently_rule->alert_opts & DO_EXTRAINFO)
    {
        /* Checking compiled rule: a C callback that must return non-zero */
        if(currently_rule->compiled_rule)
        {
            if(!currently_rule->compiled_rule(lf))
            {
                return(NULL);
            }
        }


        /* Checking if any user is to be matched. dstuser is preferred;
         * srcuser is only tested when dstuser is absent, and an event
         * carrying neither is rejected. */
        if(currently_rule->user)
        {
            if(lf->dstuser)
            {
                if(!OSMatch_Execute(lf->dstuser,
                            strlen(lf->dstuser),
                            currently_rule->user))
                    return(NULL);
            }
            else if(lf->srcuser)
            {
                if(!OSMatch_Execute(lf->srcuser,
                            strlen(lf->srcuser),
                            currently_rule->user))
                    return(NULL);
            }
            else
            #ifdef CDBLOOKUP

            #endif
            {
                /* no user set */
                return(NULL);
            }
        }


        /* Checking if any rule related to the size exists. Despite the
         * name, the rule only matches events of at least maxsize bytes:
         * smaller events are rejected here. */
        if(currently_rule->maxsize)
        {
            if(lf->size < currently_rule->maxsize)
                return(NULL);
        }


        /* Checking if we are in the right time of day */
        if(currently_rule->day_time)
        {
            if(!OS_IsonTime(lf->hour, currently_rule->day_time))
            {
                return(NULL);
            }
        }


        /* Checking week day (uses the global current weekday, not the
         * event's own timestamp) */
        if(currently_rule->week_day)
        {
            if(!OS_IsonDay(__crt_wday, currently_rule->week_day))
            {
                return(NULL);
            }
        }


        /* Getting extra data */
        if(currently_rule->extra_data)
        {
            if(!lf->data)
                return(NULL);

            if(!OSMatch_Execute(lf->data,
                        strlen(lf->data),
                        currently_rule->extra_data))
                return(NULL);
        }


        /* Checking hostname */
        if(currently_rule->hostname)
        {
            if(!lf->hostname)
                return(NULL);

            if(!OSMatch_Execute(lf->hostname,
                        strlen(lf->hostname),
                        currently_rule->hostname))
                return(NULL);
        }


        /* Checking for status */
        if(currently_rule->status)
        {
            if(!lf->status)
                return(NULL);

            if(!OSMatch_Execute(lf->status,
                        strlen(lf->status),
                        currently_rule->status))
                return(NULL);
        }


        /* Do diff check: the event must differ from the previous one
         * recorded for this rule */
        if(currently_rule->context_opts & SAME_DODIFF)
        {
            if(!doDiff(currently_rule, lf))
            {
                return(NULL);
            }
        }
    }

    /* Checking for the FTS flag (first time seen). The decoder must
     * support fts; FTS(lf) is run unless an earlier pass already did
     * (FTS_DONE), and a failed FTS rejects the event. */
    if(currently_rule->alert_opts & DO_FTS)
    {
        /** FTS CHECKS **/
        if(lf->decoder_info->fts)
        {
            if(lf->decoder_info->fts & FTS_DONE)
            {
                /* We already did the fts in here. */
            }
            else if(!FTS(lf))
            {
                return(NULL);
            }
        }
        else
        {
            return(NULL);
        }
    }

    /* List lookups: every list attached to the rule must find the
     * selected event field in its database; a missing field or an
     * unknown field selector rejects the event. */
    if(currently_rule->lists != NULL)
    {
        ListRule *list_holder=currently_rule->lists;
        while(list_holder)
        {
            switch(list_holder->field)
            {
                case RULE_SRCIP:
                    if(!lf->srcip)
                        return(NULL);
                    if(!OS_DBSearch(list_holder,lf->srcip))
                        return(NULL);
                    break;
                case RULE_SRCPORT:
                    if(!lf->srcport)
                        return(NULL);
                    if(!OS_DBSearch(list_holder,lf->srcport))
                        return(NULL);
                    break;
                case RULE_DSTIP:
                    if(!lf->dstip)
                        return(NULL);
                    if(!OS_DBSearch(list_holder,lf->dstip))
                        return(NULL);
                    break;
                case RULE_DSTPORT:
                    if(!lf->dstport)
                        return(NULL);
                    if(!OS_DBSearch(list_holder,lf->dstport))
                        return(NULL);
                    break;
                case RULE_USER:
                    /* NOTE: unlike the user match above, this lookup
                     * prefers srcuser over dstuser */
                    if(lf->srcuser)
                    {
                        if(!OS_DBSearch(list_holder,lf->srcuser))
                            return(NULL);
                    }
                    else if(lf->dstuser)
                    {
                        if(!OS_DBSearch(list_holder,lf->dstuser))
                            return(NULL);
                    }
                    else
                    {
                        return(NULL);
                    }
                    break;
                case RULE_URL:
                    if(!lf->url)
                        return(NULL);
                    if(!OS_DBSearch(list_holder,lf->url))
                        return(NULL);
                    break;
                case RULE_ID:
                    if(!lf->id)
                        return(NULL);
                    if(!OS_DBSearch(list_holder,lf->id))
                        return(NULL);
                    break;
                case RULE_HOSTNAME:
                    if(!lf->hostname)
                        return(NULL);
                    if(!OS_DBSearch(list_holder,lf->hostname))
                        return(NULL);
                    break;
                case RULE_PROGRAM_NAME:
                    if(!lf->program_name)
                        return(NULL);
                    if(!OS_DBSearch(list_holder,lf->program_name))
                        return(NULL);
                    break;
                case RULE_STATUS:
                    if(!lf->status)
                        return(NULL);
                    if(!OS_DBSearch(list_holder,lf->status))
                        return(NULL);
                    break;
                case RULE_ACTION:
                    if(!lf->action)
                        return(NULL);
                    if(!OS_DBSearch(list_holder,lf->action))
                        return(NULL);
                    break;
                default:
                    return(NULL);
            }

            list_holder = list_holder->next;
        }
    }


    /* If it is a context rule, run its event_search callback (looks for
     * related earlier events) */
    if(currently_rule->context == 1)
    {
        if(!currently_rule->event_search(lf, currently_rule))
            return(NULL);
    }

    #ifdef TESTRULE
    if(full_output && !alert_only)
    print_out("       *Rule %d matched.", currently_rule->sigid);
    #endif


    /* Search for dependent rules. Depth-first: the first child that
     * matches replaces the parent as the result. Only when no child
     * matches does the parent itself count as the match. */
    if(curr_node->child)
    {
        RuleNode *child_node = curr_node->child;
        RuleInfo *child_rule = NULL;

        #ifdef TESTRULE
        if(full_output && !alert_only)
        print_out("       *Trying child rules.");
        #endif

        while(child_node)
        {
            child_rule = OS_CheckIfRuleMatch(lf, child_node);
            if(child_rule != NULL)
            {
                return(child_rule);
            }

            child_node = child_node->next;
        }
    }


    /* If we are set to no alert, keep going. Children were already
     * tried above, so NO_ALERT suppresses only this rule's own alert. */
    if(currently_rule->alert_opts & NO_ALERT)
    {
        return(NULL);
    }


    /* Bookkeeping for a reported match */
    hourly_alerts++;
    currently_rule->firedtimes++;

    return(currently_rule);  /* Matched */
}
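/* Return non-zero when snprintf() placed the whole message in a buffer of
 * OS_SIZE_1024 bytes; 'written' is the snprintf() return value. */
static int ar_msg_complete(int written)
{
    return written >= 0 && written < OS_SIZE_1024;
}

/* Dispatch the active response 'ar' for event 'lf'.
 *
 * Builds a single-line, space-separated request and writes it either to
 * the local execd queue (fd 'execq') when the response runs on this host,
 * or to the active-response forwarder queue (fd 'arq') when it is meant
 * for agents. Which event fields are included is governed by
 * ar->ar_cmd->expect (SRCIP, USERNAME, FILENAME); fields that are not
 * expected are masked as "******" (ip, user) or "-" (filename).
 *
 * No response is sent when the source IP is on Config.white_list or
 * matches a pattern in Config.hostname_white_list. A message that does
 * not fit in exec_msg is logged and dropped rather than sent truncated:
 * the receivers parse it positionally and a cut last field (the shell-
 * escaped filename) would be mis-parsed.
 *
 * Ownership: 'filename' is allocated by os_shell_escape() and freed here.
 */
void OS_Exec(int execq, int arq, const Eventinfo *lf, const active_response *ar)
{
    char exec_msg[OS_SIZE_1024 + 1];
    const char *ip = "******";
    const char *user = "******";
    char *filename = NULL;
    int written;

    /* Source IP, only when the command expects one. IPv4-mapped IPv6
     * addresses ("::ffff:a.b.c.d") are reduced to their IPv4 form. */
    if (lf->srcip && (ar->ar_cmd->expect & SRCIP)) {
        ip = (strncmp(lf->srcip, "::ffff:", 7) == 0) ? lf->srcip + 7 : lf->srcip;

        /* White-listed addresses never trigger a response */
        if (Config.white_list && OS_IPFoundList(ip, Config.white_list)) {
            return;
        }

        /* Same for addresses matching a white-listed hostname pattern */
        if (Config.hostname_white_list) {
            size_t ip_len = strlen(ip);
            OSMatch **wl;

            for (wl = Config.hostname_white_list; *wl; wl++) {
                if (OSMatch_Execute(ip, ip_len, *wl)) {
                    return;
                }
            }
        }
    }

    /* Target user, only when the command expects one */
    if (lf->dstuser && (ar->ar_cmd->expect & USERNAME)) {
        user = lf->dstuser;
    }

    /* File name, passed through os_shell_escape() before it is embedded
     * in the message; the escaped copy is released at cleanup */
    if (lf->filename && (ar->ar_cmd->expect & FILENAME)) {
        filename = os_shell_escape(lf->filename);
    }

    /* Active Response on the server.
     * The response runs here when ar->location is AS_ONLY, or when it is
     * REMOTE_AGENT and the event did not come from a remote agent (agent
     * locations start with '(').
     */
    if ((ar->location & AS_ONLY) ||
            ((ar->location & REMOTE_AGENT) && (lf->location[0] != '(')) ) {
        if (!(Config.ar & LOCAL_AR)) {
            goto cleanup;
        }

        written = snprintf(exec_msg, OS_SIZE_1024,
                           "%s %s %s %ld.%ld %d %s %s",
                           ar->name,
                           user,
                           ip,
                           (long int)lf->time,
                           __crt_ftell,
                           lf->generated_rule->sigid,
                           lf->location,
                           filename ? filename : "-");

        /* Never hand execd a truncated request */
        if (!ar_msg_complete(written)) {
            merror("%s: Active response message too long, not sent to execd.", ARGV0);
            goto cleanup;
        }

        if (OS_SendUnix(execq, exec_msg, 0) < 0) {
            merror("%s: Error communicating with execd.", ARGV0);
        }
    }

    /* Active Response to the forwarder */
    else if ((Config.ar & REMOTE_AR)) {
        int rc;
        /* If lf->location starts with '(' the event was generated by a
         * remote agent and its ID is already part of lf->location; any
         * other event came from the local analysisd, so a pseudo id tag is
         * prepended to keep the message layout identical. */
        const char *src_tag = (lf->location[0] == '(') ? "" : "(local_source) ";

        written = snprintf(exec_msg, OS_SIZE_1024,
                           "%s%s %c%c%c %s %s %s %s %ld.%ld %d %s %s",
                           src_tag,
                           lf->location,
                           (ar->location & ALL_AGENTS) ? ALL_AGENTS_C : NONE_C,
                           (ar->location & REMOTE_AGENT) ? REMOTE_AGENT_C : NONE_C,
                           (ar->location & SPECIFIC_AGENT) ? SPECIFIC_AGENT_C : NONE_C,
                           ar->agent_id != NULL ? ar->agent_id : "(null)",
                           ar->name,
                           user,
                           ip,
                           (long int)lf->time,
                           __crt_ftell,
                           lf->generated_rule->sigid,
                           lf->location,
                           /* same "-" placeholder as the local path; a bare
                            * NULL here is undefined behaviour for %s */
                           filename ? filename : "-");

        if (!ar_msg_complete(written)) {
            merror("%s: Active response message too long, not sent to ar queue.", ARGV0);
            goto cleanup;
        }

        if ((rc = OS_SendUnix(arq, exec_msg, 0)) < 0) {
            if (rc == OS_SOCKBUSY) {
                merror("%s: AR socket busy.", ARGV0);
            } else {
                merror("%s: AR socket error (shutdown?).", ARGV0);
            }
            merror("%s: Error communicating with ar queue (%d).", ARGV0, rc);
        }
    }

cleanup:
    /* Clean up memory; free(NULL) is a no-op */
    free(filename);
}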