/* void __keysfree()
* Frees the auth keys.
*/
void OS_FreeKeys(keystore *keys)
{
unsigned int i = 0;
unsigned int _keysize = 0;
OSHash *hashid;
OSHash *haship;
_keysize = keys->keysize;
hashid = keys->keyhash_id;
haship = keys->keyhash_ip;
/* Zeroing the entries. */
keys->keysize = 0;
keys->keyhash_id =NULL;
keys->keyhash_ip = NULL;
/* Sleeping to give time to other threads to stop using them. */
sleep(1);
/* Freeing the hashes */
OSHash_Free(hashid);
OSHash_Free(haship);
for(i = 0; i<= _keysize; i++)
{
if(keys->keyentries[i])
{
if(keys->keyentries[i]->ip)
{
free(keys->keyentries[i]->ip->ip);
free(keys->keyentries[i]->ip);
}
if(keys->keyentries[i]->id)
free(keys->keyentries[i]->id);
if(keys->keyentries[i]->key)
free(keys->keyentries[i]->key);
if(keys->keyentries[i]->name)
free(keys->keyentries[i]->name);
/* Closing counter */
if(keys->keyentries[i]->fp)
fclose(keys->keyentries[i]->fp);
free(keys->keyentries[i]);
keys->keyentries[i] = NULL;
}
}
/* Freeing structure */
free(keys->keyentries);
keys->keyentries = NULL;
keys->keysize = 0;
}
/* CheckIfRuleMatch v0.1
* Will check if the currently_rule matches the event information
*/
RuleInfo *OS_CheckIfRuleMatch(Eventinfo *lf, RuleNode *curr_node)
{
/* We check for:
* decoded_as,
* fts,
* word match (fast regex),
* regex,
* url,
* id,
* user,
* maxsize,
* protocol,
* srcip,
* dstip,
* srcport,
* dstport,
* time,
* weekday,
* status,
*/
RuleInfo *currently_rule = curr_node->ruleinfo;
/* Can't be null */
if(!currently_rule)
{
merror("%s: Inconsistent state. currently rule NULL", ARGV0);
return(NULL);
}
#ifdef TESTRULE
if(full_output && !alert_only)
print_out(" Trying rule: %d - %s", currently_rule->sigid,
currently_rule->comment);
#endif
/* Checking if any decoder pre-matched here */
if(currently_rule->decoded_as &&
currently_rule->decoded_as != lf->decoder_info->id)
{
return(NULL);
}
/* Checking program name */
if(currently_rule->program_name)
{
if(!lf->program_name)
return(NULL);
if(!OSMatch_Execute(lf->program_name,
lf->p_name_size,
currently_rule->program_name))
return(NULL);
}
/* Checking for the id */
if(currently_rule->id)
{
if(!lf->id)
{
return(NULL);
}
if(!OSMatch_Execute(lf->id,
strlen(lf->id),
currently_rule->id))
return(NULL);
#ifdef CDBLOOKUP
#endif
}
/* Checking if any word to match exists */
if(currently_rule->match)
{
if(!OSMatch_Execute(lf->log, lf->size, currently_rule->match))
return(NULL);
}
/* Checking if exist any regex for this rule */
if(currently_rule->regex)
{
if(!OSRegex_Execute(lf->log, currently_rule->regex))
return(NULL);
}
/* Checking for actions */
if(currently_rule->action)
{
if(!lf->action)
return(NULL);
if(strcmp(currently_rule->action,lf->action) != 0)
return(NULL);
}
/* Checking for the url */
if(currently_rule->url)
{
if(!lf->url)
{
return(NULL);
}
if(!OSMatch_Execute(lf->url, strlen(lf->url), currently_rule->url))
{
return(NULL);
}
#ifdef CDBLOOKUP
#endif
}
/* Getting tcp/ip packet information */
if(currently_rule->alert_opts & DO_PACKETINFO)
{
/* Checking for the srcip */
if(currently_rule->srcip)
{
if(!lf->srcip)
{
return(NULL);
}
if(!OS_IPFoundList(lf->srcip, currently_rule->srcip))
{
return(NULL);
}
#ifdef CDBLOOKUP
#endif
}
/* Checking for the dstip */
if(currently_rule->dstip)
{
if(!lf->dstip)
{
return(NULL);
}
if(!OS_IPFoundList(lf->dstip, currently_rule->dstip))
{
return(NULL);
}
#ifdef CDBLOOKUP
#endif
}
if(currently_rule->srcport)
{
if(!lf->srcport)
{
return(NULL);
}
if(!OSMatch_Execute(lf->srcport,
strlen(lf->srcport),
currently_rule->srcport))
{
return(NULL);
}
#ifdef CDBLOOKUP
#endif
}
if(currently_rule->dstport)
{
if(!lf->dstport)
{
return(NULL);
}
if(!OSMatch_Execute(lf->dstport,
strlen(lf->dstport),
currently_rule->dstport))
{
return(NULL);
}
#ifdef CDBLOOKUP
#endif
}
} /* END PACKET_INFO */
/* Extra information from event */
if(currently_rule->alert_opts & DO_EXTRAINFO)
{
/* Checking compiled rule. */
if(currently_rule->compiled_rule)
{
if(!currently_rule->compiled_rule(lf))
{
return(NULL);
}
}
/* Checking if exist any user to match */
if(currently_rule->user)
{
if(lf->dstuser)
{
if(!OSMatch_Execute(lf->dstuser,
strlen(lf->dstuser),
currently_rule->user))
return(NULL);
}
else if(lf->srcuser)
{
if(!OSMatch_Execute(lf->srcuser,
strlen(lf->srcuser),
currently_rule->user))
return(NULL);
}
else
{
/* no user set */
return(NULL);
}
}
if(currently_rule->srcgeoip)
{
if(lf->srcgeoip)
{
if(!OSMatch_Execute(lf->srcgeoip,
strlen(lf->srcgeoip),
currently_rule->srcgeoip))
return(NULL);
}
else
{
return(NULL);
}
}
if(currently_rule->dstgeoip)
{
if(lf->dstgeoip)
{
if(!OSMatch_Execute(lf->dstgeoip,
strlen(lf->dstgeoip),
currently_rule->dstgeoip))
return(NULL);
}
else
{
return(NULL);
}
}
/* Checking if any rule related to the size exist */
if(currently_rule->maxsize)
{
if(lf->size < currently_rule->maxsize)
return(NULL);
}
/* Checking if we are in the right time */
if(currently_rule->day_time)
{
if(!OS_IsonTime(lf->hour, currently_rule->day_time))
{
return(NULL);
}
}
/* Checking week day */
if(currently_rule->week_day)
{
if(!OS_IsonDay(__crt_wday, currently_rule->week_day))
{
return(NULL);
}
}
/* Getting extra data */
if(currently_rule->extra_data)
{
if(!lf->data)
return(NULL);
if(!OSMatch_Execute(lf->data,
strlen(lf->data),
currently_rule->extra_data))
return(NULL);
}
/* Checking hostname */
if(currently_rule->hostname)
{
if(!lf->hostname)
return(NULL);
if(!OSMatch_Execute(lf->hostname,
strlen(lf->hostname),
currently_rule->hostname))
return(NULL);
}
/* Checking for status */
if(currently_rule->status)
{
if(!lf->status)
return(NULL);
if(!OSMatch_Execute(lf->status,
strlen(lf->status),
currently_rule->status))
return(NULL);
}
/* Do diff check. */
if(currently_rule->context_opts & SAME_DODIFF)
{
if(!doDiff(currently_rule, lf))
{
return(NULL);
}
}
}
/* Checking for the FTS flag */
if(currently_rule->alert_opts & DO_FTS)
{
/** FTS CHECKS **/
if(lf->decoder_info->fts)
{
if(lf->decoder_info->fts & FTS_DONE)
{
/* We already did the fts in here. */
}
else if(!FTS(lf))
{
return(NULL);
}
}
else
{
return(NULL);
}
}
/* List lookups */
if(currently_rule->lists != NULL)
{
ListRule *list_holder=currently_rule->lists;
while(list_holder)
{
switch(list_holder->field)
{
case RULE_SRCIP:
if(!lf->srcip)
return(NULL);
if(!OS_DBSearch(list_holder,lf->srcip))
return(NULL);
break;
case RULE_SRCPORT:
if(!lf->srcport)
return(NULL);
if(!OS_DBSearch(list_holder,lf->srcport))
return(NULL);
break;
case RULE_DSTIP:
if(!lf->dstip)
return(NULL);
if(!OS_DBSearch(list_holder,lf->dstip))
return(NULL);
break;
case RULE_DSTPORT:
if(!lf->dstport)
return(NULL);
if(!OS_DBSearch(list_holder,lf->dstport))
return(NULL);
break;
case RULE_USER:
if(lf->srcuser)
{
if(!OS_DBSearch(list_holder,lf->srcuser))
return(NULL);
}
else if(lf->dstuser)
{
if(!OS_DBSearch(list_holder,lf->dstuser))
return(NULL);
}
else
{
return(NULL);
}
break;
case RULE_URL:
if(!lf->url)
return(NULL);
if(!OS_DBSearch(list_holder,lf->url))
return(NULL);
break;
case RULE_ID:
if(!lf->id)
return(NULL);
if(!OS_DBSearch(list_holder,lf->id))
return(NULL);
break;
case RULE_HOSTNAME:
if(!lf->hostname)
return(NULL);
if(!OS_DBSearch(list_holder,lf->hostname))
return(NULL);
break;
case RULE_PROGRAM_NAME:
if(!lf->program_name)
return(NULL);
if(!OS_DBSearch(list_holder,lf->program_name))
return(NULL);
break;
case RULE_STATUS:
if(!lf->status)
return(NULL);
if(!OS_DBSearch(list_holder,lf->status))
return(NULL);
break;
case RULE_ACTION:
if(!lf->action)
return(NULL);
if(!OS_DBSearch(list_holder,lf->action))
return(NULL);
break;
default:
return(NULL);
}
list_holder = list_holder->next;
}
}
/* If it is a context rule, search for it */
if(currently_rule->context == 1)
{
if(!currently_rule->event_search(lf, currently_rule))
{
/* Cleaning up hash */
if(currently_rule->event_hash)
{
OSHash_Free(currently_rule->event_hash);
currently_rule->event_hash = NULL;
}
return(NULL);
}
/* Cleaning up hash */
if(currently_rule->event_hash)
{
OSHash_Free(currently_rule->event_hash);
currently_rule->event_hash = NULL;
}
}
#ifdef TESTRULE
if(full_output && !alert_only)
print_out(" *Rule %d matched.", currently_rule->sigid);
#endif
/* Search for dependent rules */
if(curr_node->child)
{
RuleNode *child_node = curr_node->child;
RuleInfo *child_rule = NULL;
#ifdef TESTRULE
if(full_output && !alert_only)
print_out(" *Trying child rules.");
#endif
while(child_node)
{
child_rule = OS_CheckIfRuleMatch(lf, child_node);
if(child_rule != NULL)
{
return(child_rule);
}
child_node = child_node->next;
}
}
/* If we are set to no alert, keep going */
if(currently_rule->alert_opts & NO_ALERT)
{
return(NULL);
}
hourly_alerts++;
currently_rule->firedtimes++;
return(currently_rule); /* Matched */
}
