/* void __keysfree() * Frees the auth keys. */ void OS_FreeKeys(keystore *keys) { unsigned int i = 0; unsigned int _keysize = 0; OSHash *hashid; OSHash *haship; _keysize = keys->keysize; hashid = keys->keyhash_id; haship = keys->keyhash_ip; /* Zeroing the entries. */ keys->keysize = 0; keys->keyhash_id =NULL; keys->keyhash_ip = NULL; /* Sleeping to give time to other threads to stop using them. */ sleep(1); /* Freeing the hashes */ OSHash_Free(hashid); OSHash_Free(haship); for(i = 0; i<= _keysize; i++) { if(keys->keyentries[i]) { if(keys->keyentries[i]->ip) { free(keys->keyentries[i]->ip->ip); free(keys->keyentries[i]->ip); } if(keys->keyentries[i]->id) free(keys->keyentries[i]->id); if(keys->keyentries[i]->key) free(keys->keyentries[i]->key); if(keys->keyentries[i]->name) free(keys->keyentries[i]->name); /* Closing counter */ if(keys->keyentries[i]->fp) fclose(keys->keyentries[i]->fp); free(keys->keyentries[i]); keys->keyentries[i] = NULL; } } /* Freeing structure */ free(keys->keyentries); keys->keyentries = NULL; keys->keysize = 0; }
/* CheckIfRuleMatch v0.1 * Will check if the currently_rule matches the event information */ RuleInfo *OS_CheckIfRuleMatch(Eventinfo *lf, RuleNode *curr_node) { /* We check for: * decoded_as, * fts, * word match (fast regex), * regex, * url, * id, * user, * maxsize, * protocol, * srcip, * dstip, * srcport, * dstport, * time, * weekday, * status, */ RuleInfo *currently_rule = curr_node->ruleinfo; /* Can't be null */ if(!currently_rule) { merror("%s: Inconsistent state. currently rule NULL", ARGV0); return(NULL); } #ifdef TESTRULE if(full_output && !alert_only) print_out(" Trying rule: %d - %s", currently_rule->sigid, currently_rule->comment); #endif /* Checking if any decoder pre-matched here */ if(currently_rule->decoded_as && currently_rule->decoded_as != lf->decoder_info->id) { return(NULL); } /* Checking program name */ if(currently_rule->program_name) { if(!lf->program_name) return(NULL); if(!OSMatch_Execute(lf->program_name, lf->p_name_size, currently_rule->program_name)) return(NULL); } /* Checking for the id */ if(currently_rule->id) { if(!lf->id) { return(NULL); } if(!OSMatch_Execute(lf->id, strlen(lf->id), currently_rule->id)) return(NULL); #ifdef CDBLOOKUP #endif } /* Checking if any word to match exists */ if(currently_rule->match) { if(!OSMatch_Execute(lf->log, lf->size, currently_rule->match)) return(NULL); } /* Checking if exist any regex for this rule */ if(currently_rule->regex) { if(!OSRegex_Execute(lf->log, currently_rule->regex)) return(NULL); } /* Checking for actions */ if(currently_rule->action) { if(!lf->action) return(NULL); if(strcmp(currently_rule->action,lf->action) != 0) return(NULL); } /* Checking for the url */ if(currently_rule->url) { if(!lf->url) { return(NULL); } if(!OSMatch_Execute(lf->url, strlen(lf->url), currently_rule->url)) { return(NULL); } #ifdef CDBLOOKUP #endif } /* Getting tcp/ip packet information */ if(currently_rule->alert_opts & DO_PACKETINFO) { /* Checking for the srcip */ if(currently_rule->srcip) { if(!lf->srcip) { return(NULL); } if(!OS_IPFoundList(lf->srcip, currently_rule->srcip)) { return(NULL); } #ifdef CDBLOOKUP #endif } /* Checking for the dstip */ if(currently_rule->dstip) { if(!lf->dstip) { return(NULL); } if(!OS_IPFoundList(lf->dstip, currently_rule->dstip)) { return(NULL); } #ifdef CDBLOOKUP #endif } if(currently_rule->srcport) { if(!lf->srcport) { return(NULL); } if(!OSMatch_Execute(lf->srcport, strlen(lf->srcport), currently_rule->srcport)) { return(NULL); } #ifdef CDBLOOKUP #endif } if(currently_rule->dstport) { if(!lf->dstport) { return(NULL); } if(!OSMatch_Execute(lf->dstport, strlen(lf->dstport), currently_rule->dstport)) { return(NULL); } #ifdef CDBLOOKUP #endif } } /* END PACKET_INFO */ /* Extra information from event */ if(currently_rule->alert_opts & DO_EXTRAINFO) { /* Checking compiled rule. */ if(currently_rule->compiled_rule) { if(!currently_rule->compiled_rule(lf)) { return(NULL); } } /* Checking if exist any user to match */ if(currently_rule->user) { if(lf->dstuser) { if(!OSMatch_Execute(lf->dstuser, strlen(lf->dstuser), currently_rule->user)) return(NULL); } else if(lf->srcuser) { if(!OSMatch_Execute(lf->srcuser, strlen(lf->srcuser), currently_rule->user)) return(NULL); } else { /* no user set */ return(NULL); } } if(currently_rule->srcgeoip) { if(lf->srcgeoip) { if(!OSMatch_Execute(lf->srcgeoip, strlen(lf->srcgeoip), currently_rule->srcgeoip)) return(NULL); } else { return(NULL); } } if(currently_rule->dstgeoip) { if(lf->dstgeoip) { if(!OSMatch_Execute(lf->dstgeoip, strlen(lf->dstgeoip), currently_rule->dstgeoip)) return(NULL); } else { return(NULL); } } /* Checking if any rule related to the size exist */ if(currently_rule->maxsize) { if(lf->size < currently_rule->maxsize) return(NULL); } /* Checking if we are in the right time */ if(currently_rule->day_time) { if(!OS_IsonTime(lf->hour, currently_rule->day_time)) { return(NULL); } } /* Checking week day */ if(currently_rule->week_day) { if(!OS_IsonDay(__crt_wday, currently_rule->week_day)) { return(NULL); } } /* Getting extra data */ if(currently_rule->extra_data) { if(!lf->data) return(NULL); if(!OSMatch_Execute(lf->data, strlen(lf->data), currently_rule->extra_data)) return(NULL); } /* Checking hostname */ if(currently_rule->hostname) { if(!lf->hostname) return(NULL); if(!OSMatch_Execute(lf->hostname, strlen(lf->hostname), currently_rule->hostname)) return(NULL); } /* Checking for status */ if(currently_rule->status) { if(!lf->status) return(NULL); if(!OSMatch_Execute(lf->status, strlen(lf->status), currently_rule->status)) return(NULL); } /* Do diff check. */ if(currently_rule->context_opts & SAME_DODIFF) { if(!doDiff(currently_rule, lf)) { return(NULL); } } } /* Checking for the FTS flag */ if(currently_rule->alert_opts & DO_FTS) { /** FTS CHECKS **/ if(lf->decoder_info->fts) { if(lf->decoder_info->fts & FTS_DONE) { /* We already did the fts in here. */ } else if(!FTS(lf)) { return(NULL); } } else { return(NULL); } } /* List lookups */ if(currently_rule->lists != NULL) { ListRule *list_holder=currently_rule->lists; while(list_holder) { switch(list_holder->field) { case RULE_SRCIP: if(!lf->srcip) return(NULL); if(!OS_DBSearch(list_holder,lf->srcip)) return(NULL); break; case RULE_SRCPORT: if(!lf->srcport) return(NULL); if(!OS_DBSearch(list_holder,lf->srcport)) return(NULL); break; case RULE_DSTIP: if(!lf->dstip) return(NULL); if(!OS_DBSearch(list_holder,lf->dstip)) return(NULL); break; case RULE_DSTPORT: if(!lf->dstport) return(NULL); if(!OS_DBSearch(list_holder,lf->dstport)) return(NULL); break; case RULE_USER: if(lf->srcuser) { if(!OS_DBSearch(list_holder,lf->srcuser)) return(NULL); } else if(lf->dstuser) { if(!OS_DBSearch(list_holder,lf->dstuser)) return(NULL); } else { return(NULL); } break; case RULE_URL: if(!lf->url) return(NULL); if(!OS_DBSearch(list_holder,lf->url)) return(NULL); break; case RULE_ID: if(!lf->id) return(NULL); if(!OS_DBSearch(list_holder,lf->id)) return(NULL); break; case RULE_HOSTNAME: if(!lf->hostname) return(NULL); if(!OS_DBSearch(list_holder,lf->hostname)) return(NULL); break; case RULE_PROGRAM_NAME: if(!lf->program_name) return(NULL); if(!OS_DBSearch(list_holder,lf->program_name)) return(NULL); break; case RULE_STATUS: if(!lf->status) return(NULL); if(!OS_DBSearch(list_holder,lf->status)) return(NULL); break; case RULE_ACTION: if(!lf->action) return(NULL); if(!OS_DBSearch(list_holder,lf->action)) return(NULL); break; default: return(NULL); } list_holder = list_holder->next; } } /* If it is a context rule, search for it */ if(currently_rule->context == 1) { if(!currently_rule->event_search(lf, currently_rule)) { /* Cleaning up hash */ if(currently_rule->event_hash) { OSHash_Free(currently_rule->event_hash); currently_rule->event_hash = NULL; } return(NULL); } /* Cleaning up hash */ if(currently_rule->event_hash) { OSHash_Free(currently_rule->event_hash); currently_rule->event_hash = NULL; } } #ifdef TESTRULE if(full_output && !alert_only) print_out(" *Rule %d matched.", currently_rule->sigid); #endif /* Search for dependent rules */ if(curr_node->child) { RuleNode *child_node = curr_node->child; RuleInfo *child_rule = NULL; #ifdef TESTRULE if(full_output && !alert_only) print_out(" *Trying child rules."); #endif while(child_node) { child_rule = OS_CheckIfRuleMatch(lf, child_node); if(child_rule != NULL) { return(child_rule); } child_node = child_node->next; } } /* If we are set to no alert, keep going */ if(currently_rule->alert_opts & NO_ALERT) { return(NULL); } hourly_alerts++; currently_rule->firedtimes++; return(currently_rule); /* Matched */ }