diff --git a/src/Makefile b/src/Makefile index 7c494e306..497c84de3 100644 --- a/src/Makefile +++ b/src/Makefile @@ -1109,7 +1109,7 @@ ossec-logtest: ${analysisd_test_o} ${output_o} ${format_o} analysisd/testrule-te ossec-analysisd: ${analysisd_live_o} analysisd/analysisd-live.o ${output_o} ${format_o} alerts.a cdb.a decoders-live.a ${ossec_libs} ${ZLIB_LIB} ${JSON_LIB} ${OSSEC_CCBIN} ${OSSEC_CFLAGS} $^ ${OSSEC_LDFLAGS} -o $@ -ossec-makelists: analysisd/makelists-live.o ${analysisd_live_o} ${output_o} ${format_o} alerts.a cdb.a decoders-test.a ${ossec_libs} ${ZLIB_LIB} ${JSON_LIB} +ossec-makelists: analysisd/makelists-live.o ${analysisd_live_o} ${output_o} ${format_o} alerts.a cdb.a decoders-live.a ${ossec_libs} ${ZLIB_LIB} ${JSON_LIB} ${OSSEC_CCBIN} ${OSSEC_CFLAGS} $^ ${OSSEC_LDFLAGS} -o $@ diff --git a/src/analysisd/accumulator.c b/src/analysisd/accumulator.c index 7ec090836..33a9c2ead 100644 --- a/src/analysisd/accumulator.c +++ b/src/analysisd/accumulator.c @@ -15,13 +15,37 @@ #include "accumulator.h" #include "eventinfo.h" -/* Global variables */ -OSHash *acm_store = NULL; +/* Local variables */ +static OSHash *acm_store = NULL; /* Counters for Purging */ -int acm_lookups = 0; -int acm_purge_ts = 0; - +static int acm_lookups = 0; +static time_t acm_purge_ts = 0; + +/* Accumulator Constants */ +#define OS_ACM_EXPIRE_ELM 120 +#define OS_ACM_PURGE_INTERVAL 300 +#define OS_ACM_PURGE_COUNT 200 + +/* Accumulator Max Values */ +#define OS_ACM_MAXKEY 256 +#define OS_ACM_MAXELM 81 + +typedef struct _OS_ACM_Store { + time_t timestamp; + char *dstuser; + char *srcuser; + char *dstip; + char *srcip; + char *dstport; + char *srcport; + char *data; +} OS_ACM_Store; + +/* Internal Functions */ +static int acm_str_replace(char **dst, const char *src); +static OS_ACM_Store *InitACMStore(void); +static void FreeACMStore(OS_ACM_Store *obj); /* Start the Accumulator module */ int Accumulate_Init() 
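Review bot: The constants and the OS_ACM_Store struct that move into accumulator.c carry no comment on their units or roles, so a reader has to hunt down the `stored_data->timestamp < current_ts - OS_ACM_EXPIRE_ELM` comparison in Accumulate_CleanUp() to learn that OS_ACM_EXPIRE_ELM is apparently a count of seconds (the timestamps come from a struct timeval). Suggest `/* Seconds an entry may sit unmatched before CleanUp() expires it */` above OS_ACM_EXPIRE_ELM and `/* Cached field values for one key; each string is at most OS_ACM_MAXELM bytes */` above the struct. The roles of OS_ACM_PURGE_INTERVAL and OS_ACM_PURGE_COUNT are only inferable from the acm_purge_ts and acm_lookups counters, so confirm against Accumulate() before documenting them as "seconds between purges" and "lookups between purges".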
@@ -56,7 +80,7 @@ Eventinfo *Accumulate(Eventinfo *lf) char _key[OS_ACM_MAXKEY]; OS_ACM_Store *stored_data = 0; - int current_ts; + time_t current_ts; struct timeval tp; if ( lf == NULL ) { @@ -192,7 +216,7 @@ Eventinfo *Accumulate(Eventinfo *lf) void Accumulate_CleanUp() { struct timeval tp; - int current_ts = 0; + time_t current_ts = 0; int expired = 0; OSHashNode *curr; @@ -230,7 +254,7 @@ void Accumulate_CleanUp() /* Check for a valid element */ if ( stored_data != NULL ) { /* Check for expiration */ - debug2("accumulator: DEBUG: CleanUp() elm:%d, curr:%d", stored_data->timestamp, current_ts); + debug2("accumulator: DEBUG: CleanUp() elm:%ld, curr:%ld", stored_data->timestamp, current_ts); if ( stored_data->timestamp < current_ts - OS_ACM_EXPIRE_ELM ) { debug2("accumulator: DEBUG: CleanUp() Expiring '%s'", key); if ( OSHash_Delete(acm_store, key) != NULL ) { @@ -295,7 +319,7 @@ int acm_str_replace(char **dst, const char *src) } /* Make sure we have data to write */ - int slen = strlen(src); + size_t slen = strlen(src); if ( slen <= 0 || slen > OS_ACM_MAXELM - 1 ) { return -1; } diff --git a/src/analysisd/accumulator.h b/src/analysisd/accumulator.h index 12d52198b..8c0cc34a5 100644 --- a/src/analysisd/accumulator.h +++ b/src/analysisd/accumulator.h 
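Review bot: `%ld` is not a portable conversion for time_t, so the debug2() call in this hunk still has a format/argument mismatch once stored_data->timestamp and current_ts are time_t; the standard only promises an arithmetic type, and on ILP32 targets with a 64-bit time_t (OpenBSD, NetBSD) it is long long. Cast explicitly: `debug2("accumulator: DEBUG: CleanUp() elm:%ld, curr:%ld", (long) stored_data->timestamp, (long) current_ts);`. The same pattern recurs wherever lf->time is printed with %ld in this diff: exec.c (the three exec_msg snprintf calls), log.c (OS_LogOutput, OS_Log and the OS_CustomLog snprintf), rootcheck.c (both fprintf calls) and syscheck.c (both fprintf calls in DB_Search). Accumulate_CleanUp() starts before and ends after this hunk.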
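Review bot: With slen now size_t, `slen <= 0` can only ever be true for zero and GCC warns about comparing an unsigned value with <= 0 (-Wtype-limits); state the intent directly: `if ( slen == 0 || slen > OS_ACM_MAXELM - 1 ) {`. acm_str_replace() starts before and ends after the hunk.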
@@ -10,45 +10,12 @@ #ifndef __ACCUMULATOR_H #define __ACCUMULATOR_H -/* Accumulator queues */ -#ifdef TESTRULE -#define ACM_CACHE "var/accumulator-cache" -#else -#define ACM_CACHE "/var/accumulator-queue" -#endif - #include "eventinfo.h" -/* Accumulator Max Values */ -#define OS_ACM_MAXKEY 256 -#define OS_ACM_MAXELM 81 -#define OS_ACM_MAXDATA 2048 - -typedef struct _OS_ACM_Store { - int timestamp; - char *dstuser; - char *srcuser; - char *dstip; - char *srcip; - char *dstport; - char *srcport; - char *data; -} OS_ACM_Store; - -/* Accumulator Constants */ -#define OS_ACM_EXPIRE_ELM 120 -#define OS_ACM_PURGE_INTERVAL 300 -#define OS_ACM_PURGE_COUNT 200 - /* Accumulator Functions */ int Accumulate_Init(void); Eventinfo *Accumulate(Eventinfo *lf); void Accumulate_CleanUp(void); -/* Internal Functions */ -int acm_str_replace(char **dst, const char *src); -OS_ACM_Store *InitACMStore(void); -void FreeACMStore(OS_ACM_Store *obj); - #endif /* __ACCUMULATOR_H */ diff --git a/src/analysisd/active-response.c b/src/analysisd/active-response.c index 858f8c70c..1613e267a 100644 --- a/src/analysisd/active-response.c +++ b/src/analysisd/active-response.c @@ -10,6 +10,9 @@ #include "shared.h" #include "active-response.h" +/* Active response commands */ +static OSList *ar_commands; +OSList *active_responses; /* Initialize active response */ void AR_Init() diff --git a/src/analysisd/active-response.h b/src/analysisd/active-response.h index 9985189a4..6fb51a2be 100644 --- a/src/analysisd/active-response.h +++ b/src/analysisd/active-response.h @@ -22,11 +22,8 @@ void AR_Init(void); */ int AR_ReadConfig(const char *cfgfile); -/* Active response commands */ -OSList *ar_commands; - /* Active response information */ -OSList *active_responses; +extern OSList *active_responses; #endif /* _AR__H */ diff --git a/src/analysisd/alerts/exec.c b/src/analysisd/alerts/exec.c index 4e8116b77..ad11426de 100644 --- a/src/analysisd/alerts/exec.c +++ b/src/analysisd/alerts/exec.c 
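Review bot: OS_ACM_MAXDATA and the ACM_CACHE definitions are removed from the header but not re-created in accumulator.c, whose hunk re-adds only OS_ACM_MAXKEY, OS_ACM_MAXELM and the three timing constants; if either name is still referenced anywhere the build breaks, and if they were dead the commit should say so. Either restore them next to the other constants in accumulator.c or note in the description that they were unused.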
@@ -18,15 +18,14 @@ #include "eventinfo.h" -void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar) +void OS_Exec(int execq, int arq, const Eventinfo *lf, const active_response *ar) { char exec_msg[OS_SIZE_1024 + 1]; - char *ip; - char *user; - char *filename; - int do_free_filename = 0; + const char *ip; + const char *user; + char *filename = NULL; - ip = user = filename = "-"; + ip = user = "-"; /* Clean the IP */ if (lf->srcip && (ar->ar_cmd->expect & SRCIP)) { @@ -45,7 +44,7 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar) /* Check if it is a hostname */ if (Config.hostname_white_list) { - int srcip_size; + size_t srcip_size; OSMatch **wl; srcip_size = strlen(ip); @@ -68,7 +67,6 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar) /* Get filename */ if (lf->filename && (ar->ar_cmd->expect & FILENAME)) { filename = os_shell_escape(lf->filename); - do_free_filename = 1; } /* Active Response on the server @@ -83,7 +81,7 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar) } snprintf(exec_msg, OS_SIZE_1024, - "%s %s %s %d.%ld %d %s %s", + "%s %s %s %ld.%ld %d %s %s", ar->name, user, ip, @@ -91,9 +89,9 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar) __crt_ftell, lf->generated_rule->sigid, lf->location, - filename); + filename ? filename : "-"); - if (OS_SendUnix(*execq, exec_msg, 0) < 0) { + if (OS_SendUnix(execq, exec_msg, 0) < 0) { merror("%s: Error communicating with execd.", ARGV0); } } @@ -106,7 +104,7 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar) * generated by the local analysisd, so prepend a false id tag */ if (lf->location[0] == '(') { snprintf(exec_msg, OS_SIZE_1024, - "%s %c%c%c %s %s %s %s %d.%ld %d %s %s", + "%s %c%c%c %s %s %s %s %ld.%ld %d %s %s", lf->location, (ar->location & ALL_AGENTS) ? ALL_AGENTS_C : NONE_C, (ar->location & REMOTE_AGENT) ? REMOTE_AGENT_C : NONE_C, 
@@ -122,7 +120,7 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar) filename); } else { snprintf(exec_msg, OS_SIZE_1024, - "(local_source) %s %c%c%c %s %s %s %s %d.%ld %d %s %s", + "(local_source) %s %c%c%c %s %s %s %s %ld.%ld %d %s %s", lf->location, (ar->location & ALL_AGENTS) ? ALL_AGENTS_C : NONE_C, (ar->location & REMOTE_AGENT) ? REMOTE_AGENT_C : NONE_C, @@ -138,7 +136,7 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar) filename); } - if ((rc = OS_SendUnix(*arq, exec_msg, 0)) < 0) { + if ((rc = OS_SendUnix(arq, exec_msg, 0)) < 0) { if (rc == OS_SOCKBUSY) { merror("%s: AR socket busy.", ARGV0); } else { @@ -151,9 +149,7 @@ void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar) cleanup: /* Clean up Memory */ - if ( filename != NULL && do_free_filename == 1 ) { - free(filename); - } + free(filename); return; } diff --git a/src/analysisd/alerts/exec.h b/src/analysisd/alerts/exec.h index 1a8dacfd6..3b8aa02e9 100644 --- a/src/analysisd/alerts/exec.h +++ b/src/analysisd/alerts/exec.h @@ -13,7 +13,7 @@ #include "eventinfo.h" #include "active-response.h" -void OS_Exec(int *execq, int *arq, Eventinfo *lf, active_response *ar); +void OS_Exec(int execq, int arq, const Eventinfo *lf, const active_response *ar); #endif diff --git a/src/analysisd/alerts/getloglocation.c b/src/analysisd/alerts/getloglocation.c index cfec3d386..c4f13c625 100644 --- a/src/analysisd/alerts/getloglocation.c +++ b/src/analysisd/alerts/getloglocation.c @@ -10,12 +10,16 @@ /* Get the log directory/file based on the day/month/year */ #include "getloglocation.h" +/* Global definitions */ +FILE *_eflog; +FILE *_aflog; +FILE *_fflog; /* Global variables */ -int __crt_day; -char __elogfile[OS_FLSIZE + 1]; -char __alogfile[OS_FLSIZE + 1]; -char __flogfile[OS_FLSIZE + 1]; +static int __crt_day; +static char __elogfile[OS_FLSIZE + 1]; +static char __alogfile[OS_FLSIZE + 1]; +static char __flogfile[OS_FLSIZE + 1]; void OS_InitLog() 
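Review bot: filename is now initialised to NULL instead of "-", but the two agent-side snprintf calls whose tails are visible in this hunk and the next (`filename);` closing the `lf->location[0] == '('` branch and its else branch) still pass it straight to a `%s`; when the command's expect mask lacks FILENAME the NULL reaches the formatter, which is undefined behaviour and a crash on libcs that do not print "(null)". Apply the substitution the server-side call already received, `filename ? filename : "-");`, in both places, or compute `const char *fname = filename ? filename : "-";` once after the os_shell_escape() call and use it in all three messages. OS_Exec() starts before this hunk and its cleanup label follows in the next one.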
@@ -37,7 +41,7 @@ void OS_InitLog() umask(0027); } -int OS_GetLogLocation(Eventinfo *lf) +int OS_GetLogLocation(const Eventinfo *lf) { /* Check what directories to create * Check if the year directory is there diff --git a/src/analysisd/alerts/getloglocation.h b/src/analysisd/alerts/getloglocation.h index f1ae18131..9ac963dd9 100644 --- a/src/analysisd/alerts/getloglocation.h +++ b/src/analysisd/alerts/getloglocation.h @@ -19,11 +19,12 @@ void OS_InitFwLog(void); /* Get the log file based on the date/logtype * Returns 0 on success or -1 on error */ -int OS_GetLogLocation(Eventinfo *lf); +int OS_GetLogLocation(const Eventinfo *lf); -FILE *_eflog; -FILE *_aflog; -FILE *_fflog; +/* Global declarations */ +extern FILE *_eflog; +extern FILE *_aflog; +extern FILE *_fflog; #endif /* __GETLL_H */ diff --git a/src/analysisd/alerts/log.c b/src/analysisd/alerts/log.c index b6cbfa30d..df857b5d7 100644 --- a/src/analysisd/alerts/log.c +++ b/src/analysisd/alerts/log.c @@ -101,8 +101,8 @@ static void GeoIP_Lookup(const char *ip, char *buffer, const size_t length) #endif /* LIBGEOIP_ENABLED */ /* Drop/allow patterns */ -OSMatch FWDROPpm; -OSMatch FWALLOWpm; +static OSMatch FWDROPpm; +static OSMatch FWALLOWpm; /* Allow custom alert output tokens */ typedef enum e_custom_alert_tokens_id { @@ -121,7 +121,7 @@ typedef enum e_custom_alert_tokens_id { CUSTOM_ALERT_TOKEN_LAST } CustomAlertTokenID; -char CustomAlertTokenName[CUSTOM_ALERT_TOKEN_LAST][15] = { +static const char CustomAlertTokenName[CUSTOM_ALERT_TOKEN_LAST][15] = { { "$TIMESTAMP" }, { "$FTELL" }, { "$RULEALERT" }, @@ -140,7 +140,7 @@ char CustomAlertTokenName[CUSTOM_ALERT_TOKEN_LAST][15] = { * The string must be null terminated and contain * any necessary new lines, tabs, etc. */ -void OS_Store(Eventinfo *lf) +void OS_Store(const Eventinfo *lf) { if (strcmp(lf->location, "ossec-keepalive") == 0) { return; 
@@ -181,7 +181,7 @@ void OS_LogOutput(Eventinfo *lf) } #endif printf( - "** Alert %d.%ld:%s - %s\n" + "** Alert %ld.%ld:%s - %s\n" "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'" "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n", lf->time, @@ -266,7 +266,7 @@ void OS_Log(Eventinfo *lf) #endif /* Writing to the alert log file */ fprintf(_aflog, - "** Alert %d.%ld:%s - %s\n" + "** Alert %ld.%ld:%s - %s\n" "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'" "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n", lf->time, @@ -333,7 +333,7 @@ void OS_Log(Eventinfo *lf) return; } -void OS_CustomLog(Eventinfo *lf, char *format) +void OS_CustomLog(const Eventinfo *lf, const char *format) { char *log; char *tmp_log; @@ -342,7 +342,7 @@ void OS_CustomLog(Eventinfo *lf, char *format) /* Replace all the tokens */ os_strdup(format, log); - snprintf(tmp_buffer, 1024, "%d", lf->time); + snprintf(tmp_buffer, 1024, "%ld", lf->time); tmp_log = searchAndReplace(log, CustomAlertTokenName[CUSTOM_ALERT_TOKEN_TIMESTAMP], tmp_buffer); if (log) { os_free(log); diff --git a/src/analysisd/alerts/log.h b/src/analysisd/alerts/log.h index 25412dc0c..057633700 100644 --- a/src/analysisd/alerts/log.h +++ b/src/analysisd/alerts/log.h @@ -19,8 +19,8 @@ void OS_LogOutput(Eventinfo *lf); void OS_Log(Eventinfo *lf); -void OS_CustomLog(Eventinfo *lf, char *format); -void OS_Store(Eventinfo *lf); +void OS_CustomLog(const Eventinfo *lf, const char *format); +void OS_Store(const Eventinfo *lf); int FW_Log(Eventinfo *lf); #endif diff --git a/src/analysisd/analysisd.c b/src/analysisd/analysisd.c index 5595f4cce..752ffbfd4 100644 --- a/src/analysisd/analysisd.c +++ b/src/analysisd/analysisd.c @@ -29,6 +29,8 @@ #include "accumulator.h" #include "analysisd.h" #include "fts.h" +#include "cleanevent.h" +#include "dodiff.h" #ifdef PICVIZ_OUTPUT_ENABLED #include "output/picviz.h" 
@@ -45,23 +47,7 @@ /** Prototypes **/ void OS_ReadMSG(int m_queue); RuleInfo *OS_CheckIfRuleMatch(Eventinfo *lf, RuleNode *curr_node); - -/* For config */ -int GlobalConf(char *cfgfile); - -/* For rules */ -int Rules_OP_ReadRules(char *cfgfile); -int _setlevels(RuleNode *node, int nnode); -int AddHash_Rule(RuleNode *node); - -/* For cleanmsg */ -int OS_CleanMSG(char *msg, Eventinfo *lf); - -/* for FTS */ -int FTS(Eventinfo *lf); -int AddtoIGnore(Eventinfo *lf); -int IGnore(Eventinfo *lf); -int doDiff(RuleInfo *currently_rule, Eventinfo *lf); +static void LoopRule(RuleNode *curr_node, FILE *flog); /* For decoders */ void DecodeEvent(Eventinfo *lf); @@ -69,24 +55,30 @@ int DecodeSyscheck(Eventinfo *lf); int DecodeRootcheck(Eventinfo *lf); int DecodeHostinfo(Eventinfo *lf); -/* For Decoders */ -int ReadDecodeXML(char *file); - /* For stats */ -void DumpLogstats(void); - -/** Global variables **/ +static void DumpLogstats(void); + +/** Global definitions **/ +int today; +int thishour; +int prev_year; +char prev_month[4]; +int __crt_hour; +int __crt_wday; +time_t c_time; +char __shost[512]; +OSDecoderInfo *NULL_Decoder; /* execd queue */ -int execdq = 0; +static int execdq = 0; /* Active response queue */ -int arq = 0; +static int arq = 0; -int hourly_alerts; -int hourly_events; -int hourly_syscheck; -int hourly_firewall; +static int hourly_alerts; +static int hourly_events; +static int hourly_syscheck; +static int hourly_firewall; /* Print help statement */ @@ -119,13 +111,13 @@ int main_analysisd(int argc, char **argv) { int c = 0, m_queue = 0, test_config = 0, run_foreground = 0; int debug_level = 0; - char *dir = DEFAULTDIR; - char *user = USER; - char *group = GROUPGLOBAL; + const char *dir = DEFAULTDIR; + const char *user = USER; + const char *group = GROUPGLOBAL; uid_t uid; gid_t gid; - char *cfg = DEFAULTCPATH; + const char *cfg = DEFAULTCPATH; /* Set the name */ OS_SetName(ARGV0); 
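Review bot: today, thishour, prev_year, prev_month, __crt_hour, __crt_wday, c_time, __shost and NULL_Decoder are now defined only in analysisd.c while analysisd.h declares them extern, so any program built from the analysisd sources without analysisd.o needs its own definitions or will fail to link; the Makefile hunk shows ossec-logtest and ossec-makelists linking testrule/makelists objects, which is where I would check first. If those files already define the same globals, a one-line comment above this group (`/* Also defined in the logtest/makelists mains; keep in sync */`) would save the next reader the search.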
@@ -431,7 +423,7 @@ int main_analysisd(int argc, char **argv) } /* Check if log_fw is enabled */ - Config.logfw = getDefine_Int("analysisd", + Config.logfw = (u_int8_t) getDefine_Int("analysisd", "log_fw", 0, 1); @@ -976,7 +968,7 @@ void OS_ReadMSG_analysisd(int m_queue) } if (do_ar) { - OS_Exec(&execdq, &arq, lf, *rule_ar); + OS_Exec(execdq, arq, lf, *rule_ar); } rule_ar++; } @@ -993,15 +985,15 @@ void OS_ReadMSG_analysisd(int m_queue) } /* Group list */ else if (currently_rule->group_prev_matched) { - i = 0; + unsigned int j = 0; - while (i < currently_rule->group_prev_matched_sz) { + while (j < currently_rule->group_prev_matched_sz) { if (!OSList_AddData( - currently_rule->group_prev_matched[i], + currently_rule->group_prev_matched[j], lf)) { merror("%s: Unable to add data to grp list.", ARGV0); } - i++; + j++; } } @@ -1449,7 +1441,7 @@ RuleInfo *OS_CheckIfRuleMatch(Eventinfo *lf, RuleNode *curr_node) } /* Update each rule and print it to the logs */ -void LoopRule(RuleNode *curr_node, FILE *flog) +static void LoopRule(RuleNode *curr_node, FILE *flog) { if (curr_node->ruleinfo->firedtimes) { fprintf(flog, "%d-%d-%d-%d\n", @@ -1472,7 +1464,7 @@ void LoopRule(RuleNode *curr_node, FILE *flog) } /* Dump the hourly stats about each rule */ -void DumpLogstats() +static void DumpLogstats() { RuleNode *rulenode_pt; char logfile[OS_FLSIZE + 1]; diff --git a/src/analysisd/analysisd.h b/src/analysisd/analysisd.h index 0924e93b3..a1a9472a2 100644 --- a/src/analysisd/analysisd.h +++ b/src/analysisd/analysisd.h 
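Review bot: `u_int8_t` is a BSD/glibc extension from <sys/types.h>, not a standard type; since the cast is new code, prefer the <stdint.h> spelling, `Config.logfw = (uint8_t) getDefine_Int("analysisd",`. If Config.logfw is itself declared u_int8_t in global-config.h the cast at least matches its target, but the rest of this diff uses size_t/time_t for the same kind of cleanup and the standard name reads consistently with that. main_analysisd() continues outside the hunk.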
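Review bot: The definition `static void DumpLogstats()` uses an empty parameter list, which in C means "unspecified arguments" and does not match the prototype `static void DumpLogstats(void);` added earlier in this file; write `static void DumpLogstats(void)` so definition and prototype agree and -Wstrict-prototypes stays quiet. The same old-style definitions appear as context elsewhere in the diff (`int Accumulate_Init()`, `void AR_Init()`, `void OS_InitLog()`), which could be fixed in the same pass.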
@@ -15,21 +15,20 @@ #include "decoders/decoder.h" /* Time structures */ -int today; -int thishour; +extern int today; +extern int thishour; +extern int prev_year; +extern char prev_month[4]; -int prev_year; -char prev_month[4]; +extern int __crt_hour; +extern int __crt_wday; -int __crt_hour; -int __crt_wday; - -time_t c_time; /* Current time of event. Used everywhere */ +extern time_t c_time; /* Current time of event. Used everywhere */ /* Local host name */ -char __shost[512]; +extern char __shost[512]; -OSDecoderInfo *NULL_Decoder; +extern OSDecoderInfo *NULL_Decoder; #define OSSEC_SERVER "ossec-server" diff --git a/src/analysisd/cleanevent.c b/src/analysisd/cleanevent.c index 1447850fe..e40223de5 100644 --- a/src/analysisd/cleanevent.c +++ b/src/analysisd/cleanevent.c @@ -7,15 +7,16 @@ * Foundation. */ +#include "cleanevent.h" + #include "shared.h" #include "os_regex/os_regex.h" -#include "eventinfo.h" #include "analysisd.h" #include "fts.h" #include "config.h" /* To translate between month (int) to month (char) */ -char *(month[]) = {"Jan", "Feb", "Mar", "Apr", "May", "Jun", +static const char *(month[]) = {"Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" }; @@ -23,7 +24,7 @@ char *(month[]) = {"Jan", "Feb", "Mar", "Apr", "May", "Jun", /* Format a received message in the Eventinfo structure */ int OS_CleanMSG(char *msg, Eventinfo *lf) { - int loglen; + size_t loglen; char *pieces; struct tm *p; diff --git a/src/analysisd/cleanevent.h b/src/analysisd/cleanevent.h new file mode 100644 index 000000000..b93ddcc02 --- /dev/null +++ b/src/analysisd/cleanevent.h 
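Review bot: `static const char *(month[])` keeps the parenthesised declarator from the old line, which reads like a function-pointer oddity; the plain `static const char *month[] = {"Jan", ...` says the same thing, and the continuation line `"Jul", ...` was not re-indented to the new opening column. The same parenthesised style is repeated in plugin_decoders.c/.h and in the generated compiled_rules_name line, so either change all of them or leave this one as is for consistency.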
@@ -0,0 +1,18 @@ +/* Copyright (C) 2015 Trend Micro Inc. + * All rights reserved. + * + * This program is a free software; you can redistribute it + * and/or modify it under the terms of the GNU General Public + * License (version 2) as published by the FSF - Free Software + * Foundation. + */ + +#ifndef _CLEANEVENT_H_ +#define _CLEANEVENT_H_ + +#include "eventinfo.h" + +int OS_CleanMSG(char *msg, Eventinfo *lf); + + +#endif /* _CLEANEVENT_H_ */ diff --git a/src/analysisd/compiled_rules/generic_samples.c b/src/analysisd/compiled_rules/generic_samples.c index 4a28002d0..c7afccc50 100644 --- a/src/analysisd/compiled_rules/generic_samples.c +++ b/src/analysisd/compiled_rules/generic_samples.c @@ -7,8 +7,8 @@ * Foundation. */ -#include "shared.h" #include "eventinfo.h" +#include "shared.h" #include "config.h" diff --git a/src/analysisd/compiled_rules/register_rule.sh b/src/analysisd/compiled_rules/register_rule.sh index 4a1d0f336..e51ece8f7 100755 --- a/src/analysisd/compiled_rules/register_rule.sh +++ b/src/analysisd/compiled_rules/register_rule.sh @@ -133,7 +133,7 @@ elif [ "x$1" = "xbuild" ]; then echo "" >> ${CHF}; echo "/* Adding the rules list names. */" >> ${CHF}; - echo "char *(compiled_rules_name[]) = " >> ${CHF}; + echo "const char *(compiled_rules_name[]) = " >> ${CHF}; echo "{" >> ${CHF}; for i in `cat .function_list |sort | uniq`; do echo " \"$i\"," >> ${CHF}; diff --git a/src/analysisd/config.c b/src/analysisd/config.c index c0a098ec9..34a18791a 100644 --- a/src/analysisd/config.c +++ b/src/analysisd/config.c @@ -15,8 +15,10 @@ #include "analysisd.h" #include "config.h" +long int __crt_ftell; /* Global ftell pointer */ +_Config Config; /* Global Config structure */ -int GlobalConf(char *cfgfile) +int GlobalConf(const char *cfgfile) { int modules = 0; diff --git a/src/analysisd/config.h b/src/analysisd/config.h index a90ed3140..af6033dc6 100644 --- a/src/analysisd/config.h +++ b/src/analysisd/config.h 
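Review bot: The new guard `_CLEANEVENT_H_` (and `_DODIFF_H_` in the new dodiff.h) is a reserved identifier — an underscore followed by an uppercase letter belongs to the implementation (C11 7.1.3) — and a fresh file is the place to drop that habit rather than copy it from the older headers: `#ifndef CLEANEVENT_H` / `#define CLEANEVENT_H`. The prototype also lacks a contract comment; the .c file's `/* Format a received message in the Eventinfo structure */` could be carried over, together with a note on whether msg is modified in place (it is taken as a non-const `char *`, which suggests so) and what the return value means.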
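Review bot: The generated definition becomes `const char *(compiled_rules_name[])`, so whatever extern declaration the other compiled_rules sources see (not in this diff) must be updated to `extern const char *(compiled_rules_name[]);` as well; if it still says `char *`, a translation unit that sees both declarations gets a conflicting-types error, and one that sees only the old one silently disagrees with the definition. Worth a quick grep before merging.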
@@ -13,8 +13,10 @@ #include "config/config.h" #include "config/global-config.h" -long int __crt_ftell; /* Global ftell pointer */ -_Config Config; /* Global Config structure */ +extern long int __crt_ftell; /* Global ftell pointer */ +extern _Config Config; /* Global Config structure */ + +int GlobalConf(const char *cfgfile); #endif /* _CONFIG__H */ diff --git a/src/analysisd/decoders/decode-xml.c b/src/analysisd/decoders/decode-xml.c index 0f94fce2b..6e99c330e 100644 --- a/src/analysisd/decoders/decode-xml.c +++ b/src/analysisd/decoders/decode-xml.c @@ -21,11 +21,14 @@ #endif /* Internal functions */ -char *_loadmemory(char *at, char *str); -OSStore *os_decoder_store = NULL; +static char *_loadmemory(char *at, char *str); +static int addDecoder2list(const char *name); +static int os_setdecoderids(const char *p_name); +static int ReadDecodeAttrs(char *const *names, char *const *values); +static OSStore *os_decoder_store = NULL; -int getDecoderfromlist(char *name) +int getDecoderfromlist(const char *name) { if (os_decoder_store) { return (OSStore_GetPosition(os_decoder_store, name)); @@ -34,7 +37,7 @@ int getDecoderfromlist(char *name) return (0); } -int addDecoder2list(char *name) +static int addDecoder2list(const char *name) { if (os_decoder_store == NULL) { os_decoder_store = OSStore_Create(); @@ -53,7 +56,7 @@ int addDecoder2list(char *name) return (1); } -int os_setdecoderids(char *p_name) +static int os_setdecoderids(const char *p_name) { OSDecoderNode *node; OSDecoderNode *child_node; @@ -111,7 +114,7 @@ int os_setdecoderids(char *p_name) return (1); } -int ReadDecodeAttrs(char **names, char **values) +static int ReadDecodeAttrs(char *const *names, char *const *values) { if (!names || !values) { return (0); @@ -146,7 +149,7 @@ int ReadDecodeAttrs(char **names, char **values) return (AFTER_ERROR); } -int ReadDecodeXML(char *file) +int ReadDecodeXML(const char *file) { OS_XML xml; XML_NODE node = NULL; 
@@ -154,20 +157,20 @@ int ReadDecodeXML(char *file) /* XML variables */ /* These are the available options for the rule configuration */ - char *xml_plugindecoder = "plugin_decoder"; - char *xml_decoder = "decoder"; - char *xml_decoder_name = "name"; - char *xml_decoder_status = "status"; - char *xml_usename = "use_own_name"; - char *xml_parent = "parent"; - char *xml_program_name = "program_name"; - char *xml_prematch = "prematch"; - char *xml_regex = "regex"; - char *xml_order = "order"; - char *xml_type = "type"; - char *xml_fts = "fts"; - char *xml_ftscomment = "ftscomment"; - char *xml_accumulate = "accumulate"; + const char *xml_plugindecoder = "plugin_decoder"; + const char *xml_decoder = "decoder"; + const char *xml_decoder_name = "name"; + const char *xml_decoder_status = "status"; + const char *xml_usename = "use_own_name"; + const char *xml_parent = "parent"; + const char *xml_program_name = "program_name"; + const char *xml_prematch = "prematch"; + const char *xml_regex = "regex"; + const char *xml_order = "order"; + const char *xml_type = "type"; + const char *xml_fts = "fts"; + const char *xml_ftscomment = "ftscomment"; + const char *xml_accumulate = "accumulate"; int i = 0; OSDecoderInfo *NULL_Decoder_tmp = NULL; @@ -713,7 +716,7 @@ int SetDecodeXML() char *_loadmemory(char *at, char *str) { if (at == NULL) { - int strsize = 0; + size_t strsize = 0; if ((strsize = strlen(str)) < OS_SIZE_1024) { at = (char *) calloc(strsize + 1, sizeof(char)); if (at == NULL) { @@ -729,9 +732,9 @@ char *_loadmemory(char *at, char *str) } /* At is not null. Need to reallocate its memory and copy str to it */ else { - int strsize = strlen(str); - int atsize = strlen(at); - int finalsize = atsize + strsize + 1; + size_t strsize = strlen(str); + size_t atsize = strlen(at); + size_t finalsize = atsize + strsize + 1; if (finalsize > OS_SIZE_1024) { merror(SIZE_ERROR, ARGV0, str); return (NULL); 
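Review bot: The definition `char *_loadmemory(char *at, char *str)` is left without `static` although the earlier hunk now declares it `static char *_loadmemory(char *at, char *str);`; a prior static declaration makes the definition internal anyway (C11 6.2.2p5), but every other function this commit privatised (addDecoder2list, os_setdecoderids, ReadDecodeAttrs) got `static` on both lines, so do the same here: `static char *_loadmemory(char *at, char *str)`. In the visible lines str is only read via strlen(), so `const char *str` would fit the rest of the diff too, provided the copy that follows outside the hunk does not write through it.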
diff --git a/src/analysisd/decoders/decoder.h b/src/analysisd/decoders/decoder.h index f7d9a34f3..72c41bbb5 100644 --- a/src/analysisd/decoders/decoder.h +++ b/src/analysisd/decoders/decoder.h @@ -54,12 +54,14 @@ typedef struct _OSDecoderNode { */ void OS_CreateOSDecoderList(void); int OS_AddOSDecoder(OSDecoderInfo *pi); -OSDecoderNode *OS_GetFirstOSDecoder(char *pname); -int getDecoderfromlist(char *name); +OSDecoderNode *OS_GetFirstOSDecoder(const char *pname); +int getDecoderfromlist(const char *name); int SetDecodeXML(void); void HostinfoInit(void); void SyscheckInit(void); void RootcheckInit(void); +int ReadDecodeXML(const char *file); + #endif diff --git a/src/analysisd/decoders/decoders_list.c b/src/analysisd/decoders/decoders_list.c index bb826bc77..9f4b9f747 100644 --- a/src/analysisd/decoders/decoders_list.c +++ b/src/analysisd/decoders/decoders_list.c @@ -19,9 +19,10 @@ * and one without. This is going to improve greatly the * performance of our decoder matching. */ -OSDecoderNode *osdecodernode_forpname; -OSDecoderNode *osdecodernode_nopname; +static OSDecoderNode *osdecodernode_forpname; +static OSDecoderNode *osdecodernode_nopname; +static OSDecoderNode *_OS_AddOSDecoder(OSDecoderNode *s_node, OSDecoderInfo *pi); /* Create the Event List */ void OS_CreateOSDecoderList() @@ -33,7 +34,7 @@ void OS_CreateOSDecoderList() } /* Get first osdecoder */ -OSDecoderNode *OS_GetFirstOSDecoder(char *p_name) +OSDecoderNode *OS_GetFirstOSDecoder(const char *p_name) { /* If program name is set, we return the forpname list */ if (p_name) { @@ -44,7 +45,7 @@ OSDecoderNode *OS_GetFirstOSDecoder(char *p_name) } /* Add an osdecoder to the list */ -OSDecoderNode *_OS_AddOSDecoder(OSDecoderNode *s_node, OSDecoderInfo *pi) +static OSDecoderNode *_OS_AddOSDecoder(OSDecoderNode *s_node, OSDecoderInfo *pi) { OSDecoderNode *tmp_node = s_node; OSDecoderNode *new_node; 
diff --git a/src/analysisd/decoders/hostinfo.c b/src/analysisd/decoders/hostinfo.c index 4a48ac8b3..51c4e3a43 100644 --- a/src/analysisd/decoders/hostinfo.c +++ b/src/analysisd/decoders/hostinfo.c @@ -8,6 +8,7 @@ */ /* Hostinfo decoder */ +#include "decoder.h" #include "config.h" #include "os_regex/os_regex.h" @@ -16,27 +17,27 @@ #define HOSTINFO_FILE "/queue/fts/hostinfo" #define HOST_HOST "Host: " -#define HOST_PORT " open ports: " +/*#define HOST_PORT " open ports: " #define HOST_CHANGED "Host information changed." -#define HOST_NEW "New host information added." +#define HOST_NEW "New host information added."*/ #define PREV_OPEN "Previously" -/* Global variables */ -int hi_err = 0; -int id_new = 0; -int id_mod = 0; -char _hi_buf[OS_MAXSTR + 1]; -FILE *_hi_fp = NULL; +/* Local variables */ +static int hi_err = 0; +static int id_new = 0; +static int id_mod = 0; +static char _hi_buf[OS_MAXSTR + 1]; +static FILE *_hi_fp = NULL; /* Hostinfo decoder */ -OSDecoderInfo *hostinfo_dec = NULL; +static OSDecoderInfo *hostinfo_dec = NULL; /* Check if the string matches */ -static char *__go_after(char *x, char *y) +static char *__go_after(char *x, const char *y) { - int x_s; - int y_s; + size_t x_s; + size_t y_s; /* X and Y must be not null */ if (!x || !y) { @@ -116,7 +117,7 @@ static FILE *HI_File(void) int DecodeHostinfo(Eventinfo *lf) { int changed = 0; - int bf_size; + size_t bf_size; char *ip; char *portss; diff --git a/src/analysisd/decoders/plugin_decoders.c b/src/analysisd/decoders/plugin_decoders.c index 1c542556e..12113a128 100644 --- a/src/analysisd/decoders/plugin_decoders.c +++ b/src/analysisd/decoders/plugin_decoders.c @@ -10,7 +10,7 @@ #include "plugin_decoders.h" /* List of plugins. All three lists must be in the same order */ -char *(plugin_decoders[]) = {"PF_Decoder", +const char *(plugin_decoders[]) = {"PF_Decoder", "SymantecWS_Decoder", "SonicWall_Decoder", "OSSECAlert_Decoder", 
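Review bot: Wrapping the HOST_PORT, HOST_CHANGED and HOST_NEW defines in a `/* ... */` block leaves commented-out code in the file, which every later reader has to re-evaluate; if they are unused, delete the three lines outright — the history is in git. If they are kept because a follow-up will use them, a one-line comment saying so (`/* unused until the port-scan decoder lands */`, constructed example) is clearer than the bare block comment.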
diff --git a/src/analysisd/decoders/plugin_decoders.h b/src/analysisd/decoders/plugin_decoders.h index 05082034a..50d07a9f1 100644 --- a/src/analysisd/decoders/plugin_decoders.h +++ b/src/analysisd/decoders/plugin_decoders.h @@ -29,7 +29,7 @@ void *OSSECAlert_Decoder_Init(void); void *OSSECAlert_Decoder_Exec(Eventinfo *lf); /* List of plugins. All three lists must be in the same order */ -extern char *(plugin_decoders[]); +extern const char *(plugin_decoders[]); extern void *(plugin_decoders_init[]); extern void *(plugin_decoders_exec[]); diff --git a/src/analysisd/decoders/plugins/ossecalert_decoder.c b/src/analysisd/decoders/plugins/ossecalert_decoder.c index 1bca5bd34..a438769cc 100644 --- a/src/analysisd/decoders/plugins/ossecalert_decoder.c +++ b/src/analysisd/decoders/plugins/ossecalert_decoder.c @@ -29,9 +29,9 @@ void *OSSECAlert_Decoder_Init() */ void *OSSECAlert_Decoder_Exec(Eventinfo *lf) { - char *oa_id = 0; - char *oa_location; - char *oa_val; + const char *oa_id = NULL; + const char *oa_location; + const char *oa_val; char oa_newlocation[256]; char *tmp_str = NULL; RuleInfo *rule_pointer; diff --git a/src/analysisd/decoders/plugins/sonicwall_decoder.c b/src/analysisd/decoders/plugins/sonicwall_decoder.c index 0365a0ce5..c078af412 100644 --- a/src/analysisd/decoders/plugins/sonicwall_decoder.c +++ b/src/analysisd/decoders/plugins/sonicwall_decoder.c @@ -25,9 +25,9 @@ /* Global variables -- not thread safe. If we ever multi thread * analysisd, these will need to be changed. */ -OSRegex *__sonic_regex_prid = NULL; -OSRegex *__sonic_regex_sdip = NULL; -OSRegex *__sonic_regex_prox = NULL; +static OSRegex *__sonic_regex_prid = NULL; +static OSRegex *__sonic_regex_sdip = NULL; +static OSRegex *__sonic_regex_prox = NULL; void *SonicWall_Decoder_Init() 
@@ -235,7 +235,7 @@ void *SonicWall_Decoder_Exec(Eventinfo *lf) if (__sonic_regex_prox->sub_strings[1] && __sonic_regex_prox->sub_strings[2]) { char *final_url; - int url_size = strlen(__sonic_regex_prox->sub_strings[1]) + + size_t url_size = strlen(__sonic_regex_prox->sub_strings[1]) + strlen(__sonic_regex_prox->sub_strings[2]) + 2; os_calloc(url_size + 1, sizeof(char), final_url); diff --git a/src/analysisd/decoders/rootcheck.c b/src/analysisd/decoders/rootcheck.c index e1d265791..dde4b4fae 100644 --- a/src/analysisd/decoders/rootcheck.c +++ b/src/analysisd/decoders/rootcheck.c @@ -17,13 +17,13 @@ #define ROOTCHECK_DIR "/queue/rootcheck" -/* Global variables */ -char *rk_agent_ips[MAX_AGENTS]; -FILE *rk_agent_fps[MAX_AGENTS]; -int rk_err; +/* Local variables */ +static char *rk_agent_ips[MAX_AGENTS]; +static FILE *rk_agent_fps[MAX_AGENTS]; +static int rk_err; /* Rootcheck decoder */ -OSDecoderInfo *rootcheck_dec = NULL; +static OSDecoderInfo *rootcheck_dec = NULL; /* Initialize the necessary information to process the rootcheck information */ @@ -51,7 +51,7 @@ void RootcheckInit() } /* Return the file pointer to be used */ -FILE *RK_File(char *agent, int *agent_id) +static FILE *RK_File(const char *agent, int *agent_id) { int i = 0; char rk_buf[OS_SIZE_1024 + 1]; @@ -176,7 +176,7 @@ int DecodeRootcheck(Eventinfo *lf) /* Matches, we need to upgrade last time saw */ if (strcmp(lf->log, tmpstr) == 0) { fsetpos(fp, &fp_pos); - fprintf(fp, "!%d", lf->time); + fprintf(fp, "!%ld", lf->time); rootcheck_dec->fts = 0; lf->decoder_info = rootcheck_dec; return (1); @@ -192,7 +192,7 @@ int DecodeRootcheck(Eventinfo *lf) /* Add the new entry at the end of the file */ fseek(fp, 0, SEEK_END); - fprintf(fp, "!%d!%d %s\n", lf->time, lf->time, lf->log); + fprintf(fp, "!%ld!%ld %s\n", lf->time, lf->time, lf->log); fflush(fp); rootcheck_dec->fts = 0; diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c index 3a0d352ec..13e8c1625 100644 
--- a/src/analysisd/decoders/syscheck.c +++ b/src/analysisd/decoders/syscheck.c @@ -47,8 +47,8 @@ typedef struct __sdb { } _sdb; /* syscheck db information */ -/* Global variables */ -_sdb sdb; +/* Local variables */ +static _sdb sdb; /* Initialize the necessary information to process the syscheck information */ @@ -95,7 +95,7 @@ void SyscheckInit() /* Check if the db is completed for that specific agent */ #define DB_IsCompleted(x) (sdb.agent_cp[x][0] == '1')?1:0 -void __setcompleted(char *agent) +static void __setcompleted(const char *agent) { FILE *fp; @@ -109,7 +109,7 @@ void __setcompleted(char *agent) } } -int __iscompleted(char *agent) +static int __iscompleted(const char *agent) { FILE *fp; @@ -125,7 +125,7 @@ int __iscompleted(char *agent) } /* Set the database of a specific agent as completed */ -void DB_SetCompleted(Eventinfo *lf) +static void DB_SetCompleted(const Eventinfo *lf) { int i = 0; @@ -150,7 +150,7 @@ void DB_SetCompleted(Eventinfo *lf) /* Return the file pointer to be used to verify the integrity */ -FILE *DB_File(char *agent, int *agent_id) +static FILE *DB_File(const char *agent, int *agent_id) { int i = 0; @@ -210,10 +210,10 @@ FILE *DB_File(char *agent, int *agent_id) } /* Search the DB for any entry related to the file being received */ -int DB_Search(char *f_name, char *c_sum, Eventinfo *lf) +static int DB_Search(const char *f_name, const char *c_sum, Eventinfo *lf) { int p = 0; - int sn_size; + size_t sn_size; int agent_id; char *saved_sum; @@ -334,7 +334,7 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf) /* Add the new entry at the end of the file */ fseek(fp, 0, SEEK_END); - fprintf(fp, "%c%c%c%s !%d %s\n", + fprintf(fp, "%c%c%c%s !%ld %s\n", '!', p >= 1 ? '!' : '+', p == 2 ? '!' : (p > 2) ? '?' : '+', 
@@ -362,7 +362,7 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf) int oldperm = 0, newperm = 0; /* Provide more info about the file change */ - char *oldsize = NULL, *newsize = NULL; + const char *oldsize = NULL, *newsize = NULL; char *olduid = NULL, *newuid = NULL; char *c_oldperm = NULL, *c_newperm = NULL; char *oldgid = NULL, *newgid = NULL; @@ -580,7 +580,7 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf) /* If we reach here, this file is not present in our database */ fseek(fp, 0, SEEK_END); - fprintf(fp, "+++%s !%d %s\n", c_sum, lf->time, f_name); + fprintf(fp, "+++%s !%ld %s\n", c_sum, lf->time, f_name); fflush(fp); /* Alert if configured to notify on new files */ @@ -614,7 +614,7 @@ int DB_Search(char *f_name, char *c_sum, Eventinfo *lf) */ int DecodeSyscheck(Eventinfo *lf) { - char *c_sum; + const char *c_sum; char *f_name; /* Every syscheck message must be in the following format: diff --git a/src/analysisd/dodiff.c b/src/analysisd/dodiff.c index a34808ac1..d05860153 100644 --- a/src/analysisd/dodiff.c +++ b/src/analysisd/dodiff.c @@ -7,10 +7,11 @@ * Foundation. */ -#include "eventinfo.h" +#include "dodiff.h" + #include "shared.h" -static int _add2last(char *str, int strsize, char *file) +static int _add2last(const char *str, size_t strsize, const char *file) { FILE *fp; @@ -65,9 +66,9 @@ static int _add2last(char *str, int strsize, char *file) return (1); } -int doDiff(RuleInfo *rule, Eventinfo *lf) +int doDiff(RuleInfo *rule, const Eventinfo *lf) { - int date_of_change; + time_t date_of_change; char *htpt = NULL; char flastfile[OS_SIZE_2048 + 1]; char flastcontent[OS_SIZE_8192 + 1]; @@ -96,7 +97,7 @@ int doDiff(RuleInfo *rule, Eventinfo *lf) /* lf->size can't be too long */ if (lf->size >= OS_SIZE_8192) { - merror("%s: ERROR: event size (%d) too long for diff.", ARGV0, lf->size); + merror("%s: ERROR: event size (%ld) too long for diff.", ARGV0, lf->size); return (0); } 
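Review bot: The rewritten `merror("%s: ERROR: event size (%ld) too long for diff.", ARGV0, lf->size);` in the doDiff hunk passes `lf->size` — now a `size_t` per the eventinfo.h hunk in this same commit — to a `%ld` conversion, so the change itself introduces a format/argument type mismatch. `%zu` is the matching conversion, `merror("%s: ERROR: event size (%zu) too long for diff.", ARGV0, lf->size);`, or cast to `(unsigned long)` with `%lu` if merror's format checking cannot rely on C99 `%zu`. doDiff's body continues outside this hunk, and every other print of `size` or `p_name_size` in the tree needs the same check.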
@@ -110,7 +111,7 @@ int doDiff(RuleInfo *rule, Eventinfo *lf) return (0); } else { FILE *fp; - int n; + size_t n; fp = fopen(flastfile, "r"); if (!fp) { merror(FOPEN_ERROR, ARGV0, flastfile, errno, strerror(errno)); diff --git a/src/analysisd/dodiff.h b/src/analysisd/dodiff.h new file mode 100644 index 000000000..d9ed75cb1 --- /dev/null +++ b/src/analysisd/dodiff.h @@ -0,0 +1,19 @@ +/* Copyright (C) 2015 Trend Micro Inc. + * All rights reserved. + * + * This program is a free software; you can redistribute it + * and/or modify it under the terms of the GNU General Public + * License (version 2) as published by the FSF - Free Software + * Foundation. + */ + +#ifndef _DODIFF_H_ +#define _DODIFF_H_ + +#include "rules.h" +#include "eventinfo.h" + +int doDiff(RuleInfo *rule, const Eventinfo *lf); + + +#endif /* _DODIFF_H_ */ diff --git a/src/analysisd/eventinfo.c b/src/analysisd/eventinfo.c index f637845fb..504bc58a6 100644 --- a/src/analysisd/eventinfo.c +++ b/src/analysisd/eventinfo.c @@ -12,6 +12,12 @@ #include "eventinfo.h" #include "os_regex/os_regex.h" +/* Global definitions */ +#ifdef TESTRULE +int full_output; +int alert_only; +#endif + /* Search last times a signature fired * Will look for only that specific signature. @@ -573,7 +579,7 @@ void Free_Eventinfo(Eventinfo *lf) OSList_DeleteThisNode(lf->generated_rule->sid_prev_matched, lf->sid_node_to_delete); } else if (lf->generated_rule && lf->generated_rule->group_prev_matched) { - int i = 0; + unsigned int i = 0; while (i < lf->generated_rule->group_prev_matched_sz) { OSList_DeleteOldestNode(lf->generated_rule->group_prev_matched[i]); diff --git a/src/analysisd/eventinfo.h b/src/analysisd/eventinfo.h index be7a3c6b5..5c3980303 100644 --- a/src/analysisd/eventinfo.h +++ b/src/analysisd/eventinfo.h 
@@ -48,13 +48,13 @@ typedef struct _Eventinfo { OSListNode *sid_node_to_delete; /* Extract when the event fires a rule */ - int size; - int p_name_size; + size_t size; + size_t p_name_size; /* Other internal variables */ - short int matched; + int matched; - int time; + time_t time; int day; int year; char hour[10]; @@ -84,8 +84,8 @@ typedef struct _EventNode { } EventNode; #ifdef TESTRULE -int full_output; -int alert_only; +extern int full_output; +extern int alert_only; #endif /* Types of events (from decoders) */ diff --git a/src/analysisd/eventinfo_list.c b/src/analysisd/eventinfo_list.c index 7de3eda5a..e8b768c71 100644 --- a/src/analysisd/eventinfo_list.c +++ b/src/analysisd/eventinfo_list.c @@ -9,13 +9,14 @@ #include "shared.h" #include "eventinfo.h" +#include "rules.h" -/* Global variables */ -EventNode *eventnode; -EventNode *lastnode; +/* Local variables */ +static EventNode *eventnode; +static EventNode *lastnode; -int _memoryused = 0; -int _memorymaxsize = 0; +static int _memoryused = 0; +static int _memorymaxsize = 0; int _max_freq = 0; diff --git a/src/analysisd/fts.c b/src/analysisd/fts.c index c42d76073..bf0c86103 100644 --- a/src/analysisd/fts.c +++ b/src/analysisd/fts.c @@ -12,14 +12,14 @@ #include "fts.h" #include "eventinfo.h" -/* Global variables */ -unsigned int fts_minsize_for_str = 0; +/* Local variables */ +static unsigned int fts_minsize_for_str = 0; -OSList *fts_list = NULL; -OSHash *fts_store = NULL; +static OSList *fts_list = NULL; +static OSHash *fts_store = NULL; -FILE *fp_list = NULL; -FILE *fp_ignore = NULL; +static FILE *fp_list = NULL; +static FILE *fp_ignore = NULL; /* Start the FTS module */ diff --git a/src/analysisd/fts.h b/src/analysisd/fts.h index 164e00817..8de7ee912 100644 --- a/src/analysisd/fts.h +++ b/src/analysisd/fts.h @@ -10,6 +10,8 @@ #ifndef __FTS_H #define __FTS_H +#include "eventinfo.h" + /* FTS queues */ #ifdef TESTRULE #define FTS_QUEUE "queue/fts/fts-queue" 
@@ -20,6 +22,9 @@ #endif int FTS_Init(void); +void AddtoIGnore(Eventinfo *lf); +int IGnore(Eventinfo *lf); +int FTS(Eventinfo *lf); #endif /* __FTS_H */ diff --git a/src/analysisd/lists.c b/src/analysisd/lists.c index 7e0530342..2e4c962a2 100644 --- a/src/analysisd/lists.c +++ b/src/analysisd/lists.c @@ -41,7 +41,7 @@ int Lists_OP_LoadList(char *listfile) snprintf(a_filename, OS_MAXSTR - 1, "%s", b_filename); } if ((holder = strstr(a_filename, ".cdb"))) { - snprintf(b_filename, (int)(holder - a_filename) + 1, "%s", a_filename); + snprintf(b_filename, (size_t)(holder - a_filename) + 1, "%s", a_filename); snprintf(a_filename, OS_MAXSTR - 1, "%s", b_filename); } diff --git a/src/analysisd/lists.h b/src/analysisd/lists.h index f6cc00ab2..c89a086f1 100644 --- a/src/analysisd/lists.h +++ b/src/analysisd/lists.h @@ -59,7 +59,7 @@ ListRule *OS_AddListRule(ListRule *first_rule_list, int lookup_type, int field, ListNode *OS_GetFirstList(void); -ListNode *OS_FindList(char *listname); +ListNode *OS_FindList(const char *listname); void Lists_OP_CreateLists(void); diff --git a/src/analysisd/lists_list.c b/src/analysisd/lists_list.c index cb78f263c..28e6ace71 100644 --- a/src/analysisd/lists_list.c +++ b/src/analysisd/lists_list.c @@ -15,9 +15,9 @@ #include #include -/* Global variables */ -ListNode *global_listnode; -ListRule *global_listrule; +/* Local variables */ +static ListNode *global_listnode; +static ListRule *global_listrule; /* Create the ListRule */ @@ -49,21 +49,6 @@ void OS_ListLoadRules() } } -ListRule *_OS_AddListRule(ListRule *new_listrule) -{ - - if (global_listrule == NULL) { - global_listrule = new_listrule; - } else { - ListRule *last_list_rule = global_listrule; - while (last_list_rule->next != NULL) { - last_list_rule = last_list_rule->next; - } - last_list_rule->next = new_listrule; - } - return (global_listrule); -} - /* External AddList */ int OS_AddList(ListNode *new_listnode) { 
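Review bot: The new prototype `void AddtoIGnore(Eventinfo *lf);` in fts.h disagrees with the prototype this commit removes from testrule.c, which declared the same function as returning `int`. Since fts.c includes fts.h, the compiler will now check the definition against this header, so one of the two declarations was wrong before this change; that is worth a sentence in the commit message, and any caller in testrule.c that consumed the return value would now need attention. I cannot see the definition in fts.c from this diff, so this is inferred from the two declarations alone.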
@@ -83,7 +68,7 @@ int OS_AddList(ListNode *new_listnode) return 0; } -ListNode *OS_FindList(char *listname) +ListNode *OS_FindList(const char *listname) { ListNode *last_list_node = OS_GetFirstList(); if (last_list_node != NULL) { @@ -136,7 +121,7 @@ ListRule *OS_AddListRule(ListRule *first_rule_list, return first_rule_list; } -int _OS_CDBOpen(ListNode *lnode) +static int _OS_CDBOpen(ListNode *lnode) { int fd; if (lnode->loaded != 1) { @@ -150,7 +135,7 @@ int _OS_CDBOpen(ListNode *lnode) return 0; } -int OS_DBSearchKeyValue(ListRule *lrule, char *key) +static int OS_DBSearchKeyValue(ListRule *lrule, char *key) { int result = -1; char *val; @@ -174,7 +159,7 @@ int OS_DBSearchKeyValue(ListRule *lrule, char *key) return 0; } -int OS_DBSeachKey(ListRule *lrule, char *key) +static int OS_DBSeachKey(ListRule *lrule, char *key) { if (lrule->db != NULL) { if (_OS_CDBOpen(lrule->db) == -1) { @@ -187,7 +172,7 @@ int OS_DBSeachKey(ListRule *lrule, char *key) return 0; } -int OS_DBSeachKeyAddress(ListRule *lrule, char *key) +static int OS_DBSeachKeyAddress(ListRule *lrule, char *key) { if (lrule->db != NULL) { if (_OS_CDBOpen(lrule->db) == -1) { @@ -214,7 +199,7 @@ int OS_DBSeachKeyAddress(ListRule *lrule, char *key) return 0; } -int OS_DBSearchKeyAddressValue(ListRule *lrule, char *key) +static int OS_DBSearchKeyAddressValue(ListRule *lrule, char *key) { int result = -1; char *val; 
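Review bot: The newly static lookup helpers keep `char *key` (`static int OS_DBSearchKeyValue(ListRule *lrule, char *key)` and the three below it) while the commit constifies the comparable read-only string parameter in `OS_FindList(const char *listname)` in the same file. If the cdb lookups only read the key, `const char *key` on all four helpers and on OS_DBSearch would keep the file consistent and let callers pass const data without a cast. This is a style point only; the function bodies lie outside the hunks, so I cannot confirm the key is never written.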
@@ -271,50 +256,38 @@ int OS_DBSearch(ListRule *lrule, char *key) //debug1("LR_STRING_MATCH"); if (OS_DBSeachKey(lrule, key) == 1) { return 1; - } else { - return 0; } - break; + return 0; case LR_STRING_NOT_MATCH: //debug1("LR_STRING_NOT_MATCH"); if (OS_DBSeachKey(lrule, key) == 1) { return 0; - } else { - return 1; } - break; + return 1; case LR_STRING_MATCH_VALUE: //debug1("LR_STRING_MATCH_VALUE"); if (OS_DBSearchKeyValue(lrule, key) == 1) { return 1; - } else { - return 0; } - break; + return 0; case LR_ADDRESS_MATCH: //debug1("LR_ADDRESS_MATCH"); return OS_DBSeachKeyAddress(lrule, key); - break; case LR_ADDRESS_NOT_MATCH: //debug1("LR_ADDRESS_NOT_MATCH"); if (OS_DBSeachKeyAddress(lrule, key) == 0) { return 1; - } else { - return 0; } - break; + return 0; case LR_ADDRESS_MATCH_VALUE: //debug1("LR_ADDRESS_MATCH_VALUE"); if (OS_DBSearchKeyAddressValue(lrule, key) == 0) { return 1; - } else { - return 0; } - break; + return 0; default: debug1("lists_list.c::OS_DBSearch should never hit default"); return 0; } - return 0; } diff --git a/src/analysisd/lists_make.c b/src/analysisd/lists_make.c index a43eef1a4..16e7842e3 100644 --- a/src/analysisd/lists_make.c +++ b/src/analysisd/lists_make.c @@ -29,7 +29,7 @@ void Lists_OP_MakeAll(int force) } } -void Lists_OP_MakeCDB(char *txt_filename, char *cdb_filename, int force) +void Lists_OP_MakeCDB(const char *txt_filename, const char *cdb_filename, int force) { struct cdb_make cdbm; FILE *tmp_fd; diff --git a/src/analysisd/lists_make.h b/src/analysisd/lists_make.h index be0946884..7ea2c0214 100644 --- a/src/analysisd/lists_make.h +++ b/src/analysisd/lists_make.h @@ -10,7 +10,7 @@ #ifndef __LISTSMAKE_H #define __LISTSMAKE_H -void Lists_OP_MakeCDB(char *txt_filename, char *cdb_filename, int force); +void Lists_OP_MakeCDB(const char *txt_filename, const char *cdb_filename, int force); void Lists_OP_MakeAll(int force); #endif /* __LISTSMAKE_H */ 
diff --git a/src/analysisd/makelists.c b/src/analysisd/makelists.c index c48378d66..06c90db70 100644 --- a/src/analysisd/makelists.c +++ b/src/analysisd/makelists.c @@ -21,10 +21,16 @@ #include "eventinfo.h" #include "analysisd.h" -/** External functions prototypes (only called here) **/ -/* For config */ -int GlobalConf(char *cfgfile); - +/** Global definitions **/ +int today; +int thishour; +int prev_year; +char prev_month[4]; +int __crt_hour; +int __crt_wday; +time_t c_time; +char __shost[512]; +OSDecoderInfo *NULL_Decoder; /* print help statement */ __attribute__((noreturn)) @@ -51,14 +57,14 @@ int main(int argc, char **argv) { int test_config = 0; int c = 0; - char *dir = DEFAULTDIR; - char *user = USER; - char *group = GROUPGLOBAL; + const char *dir = DEFAULTDIR; + const char *user = USER; + const char *group = GROUPGLOBAL; uid_t uid; gid_t gid; int force = 0; - char *cfg = DEFAULTCPATH; + const char *cfg = DEFAULTCPATH; /* Set the name */ OS_SetName(ARGV0); diff --git a/src/analysisd/rules.c b/src/analysisd/rules.c index 835639e77..8531ce95f 100644 --- a/src/analysisd/rules.c +++ b/src/analysisd/rules.c @@ -12,6 +12,9 @@ #include "eventinfo.h" #include "compiled_rules/compiled_rules.h" +/* Global definition */ +RuleInfo *currently_rule; + /* Change path for test rule */ #ifdef TESTRULE #undef RULEPATH 
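Review bot: The block of new definitions from `int today;` through `OSDecoderInfo *NULL_Decoder;` in makelists.c carries no comment explaining why a list-building tool owns these daemon-wide globals. Presumably they satisfy references from the analysisd objects now linked into ossec-makelists and must agree in type with the daemon's own definitions, but nothing says so; a short comment such as `/* Globals referenced by the shared analysisd objects; makelists links those objects without the daemon's main file, so the definitions live here */` (adjusted to the real reason) would save the next reader a search. Separately, `__crt_hour`, `__crt_wday` and `__shost` are double-underscore identifiers reserved for the implementation; the naming is pre-existing, but new definitions are the usual place to stop propagating it.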
@@ -19,19 +22,16 @@ #endif /* Prototypes */ -int getattributes(char **attributes, +static int getattributes(char **attributes, char **values, int *id, int *level, int *maxsize, int *timeframe, int *frequency, int *accuracy, int *noalert, int *ignore_time, int *overwrite); -int doesRuleExist(int sid, RuleNode *r_node); -void Rule_AddAR(RuleInfo *config_rule); -char *loadmemory(char *at, char *str); - -/* Global variables */ -extern int _max_freq; - +static int doesRuleExist(int sid, RuleNode *r_node); +static void Rule_AddAR(RuleInfo *config_rule); +static char *loadmemory(char *at, const char *str); +static void printRuleinfo(const RuleInfo *rule, int node); /* Will initialize the rules list */ void Rules_OP_CreateRules() @@ -43,7 +43,7 @@ void Rules_OP_CreateRules() } /* Read the log rules */ -int Rules_OP_ReadRules(char *rulefile) +int Rules_OP_ReadRules(const char *rulefile) { OS_XML xml; XML_NODE node = NULL; 
@@ -51,75 +51,75 @@ int Rules_OP_ReadRules(char *rulefile) /* XML variables */ /* These are the available options for the rule configuration */ - char *xml_group = "group"; - char *xml_rule = "rule"; - - char *xml_regex = "regex"; - char *xml_match = "match"; - char *xml_decoded = "decoded_as"; - char *xml_category = "category"; - char *xml_cve = "cve"; - char *xml_info = "info"; - char *xml_day_time = "time"; - char *xml_week_day = "weekday"; - char *xml_comment = "description"; - char *xml_ignore = "ignore"; - char *xml_check_if_ignored = "check_if_ignored"; - - char *xml_srcip = "srcip"; - char *xml_srcport = "srcport"; - char *xml_dstip = "dstip"; - char *xml_dstport = "dstport"; - char *xml_user = "user"; - char *xml_url = "url"; - char *xml_id = "id"; - char *xml_data = "extra_data"; - char *xml_hostname = "hostname"; - char *xml_program_name = "program_name"; - char *xml_status = "status"; - char *xml_action = "action"; - char *xml_compiled = "compiled_rule"; - - char *xml_list = "list"; - char *xml_list_lookup = "lookup"; - char *xml_list_field = "field"; - char *xml_list_cvalue = "check_value"; - char *xml_match_key = "match_key"; - char *xml_not_match_key = "not_match_key"; - char *xml_match_key_value = "match_key_value"; - char *xml_address_key = "address_match_key"; - char *xml_not_address_key = "not_address_match_key"; - char *xml_address_key_value = "address_match_key_value"; - - char *xml_if_sid = "if_sid"; - char *xml_if_group = "if_group"; - char *xml_if_level = "if_level"; - char *xml_fts = "if_fts"; - - char *xml_if_matched_regex = "if_matched_regex"; - char *xml_if_matched_group = "if_matched_group"; - char *xml_if_matched_sid = "if_matched_sid"; - - char *xml_same_source_ip = "same_source_ip"; - char *xml_same_src_port = "same_src_port"; - char *xml_same_dst_port = "same_dst_port"; - char *xml_same_user = "same_user"; - char *xml_same_location = "same_location"; - char *xml_same_id = "same_id"; - char *xml_dodiff = "check_diff"; - - char 
*xml_different_url = "different_url"; - - char *xml_notsame_source_ip = "not_same_source_ip"; - char *xml_notsame_user = "not_same_user"; - char *xml_notsame_agent = "not_same_agent"; - char *xml_notsame_id = "not_same_id"; - - char *xml_options = "options"; + const char *xml_group = "group"; + const char *xml_rule = "rule"; + + const char *xml_regex = "regex"; + const char *xml_match = "match"; + const char *xml_decoded = "decoded_as"; + const char *xml_category = "category"; + const char *xml_cve = "cve"; + const char *xml_info = "info"; + const char *xml_day_time = "time"; + const char *xml_week_day = "weekday"; + const char *xml_comment = "description"; + const char *xml_ignore = "ignore"; + const char *xml_check_if_ignored = "check_if_ignored"; + + const char *xml_srcip = "srcip"; + const char *xml_srcport = "srcport"; + const char *xml_dstip = "dstip"; + const char *xml_dstport = "dstport"; + const char *xml_user = "user"; + const char *xml_url = "url"; + const char *xml_id = "id"; + const char *xml_data = "extra_data"; + const char *xml_hostname = "hostname"; + const char *xml_program_name = "program_name"; + const char *xml_status = "status"; + const char *xml_action = "action"; + const char *xml_compiled = "compiled_rule"; + + const char *xml_list = "list"; + const char *xml_list_lookup = "lookup"; + const char *xml_list_field = "field"; + const char *xml_list_cvalue = "check_value"; + const char *xml_match_key = "match_key"; + const char *xml_not_match_key = "not_match_key"; + const char *xml_match_key_value = "match_key_value"; + const char *xml_address_key = "address_match_key"; + const char *xml_not_address_key = "not_address_match_key"; + const char *xml_address_key_value = "address_match_key_value"; + + const char *xml_if_sid = "if_sid"; + const char *xml_if_group = "if_group"; + const char *xml_if_level = "if_level"; + const char *xml_fts = "if_fts"; + + const char *xml_if_matched_regex = "if_matched_regex"; + const char *xml_if_matched_group = 
"if_matched_group"; + const char *xml_if_matched_sid = "if_matched_sid"; + + const char *xml_same_source_ip = "same_source_ip"; + const char *xml_same_src_port = "same_src_port"; + const char *xml_same_dst_port = "same_dst_port"; + const char *xml_same_user = "same_user"; + const char *xml_same_location = "same_location"; + const char *xml_same_id = "same_id"; + const char *xml_dodiff = "check_diff"; + + const char *xml_different_url = "different_url"; + + const char *xml_notsame_source_ip = "not_same_source_ip"; + const char *xml_notsame_user = "not_same_user"; + const char *xml_notsame_agent = "not_same_agent"; + const char *xml_notsame_id = "not_same_id"; + + const char *xml_options = "options"; char *rulepath; - int i; + size_t i; int default_timeframe = 360; /* If no directory in the rulefile, add the default */ @@ -439,7 +439,7 @@ int Rules_OP_ReadRules(char *rulefile) loadmemory(config_ruleinfo->comment, rule_opt[k]->content); } else if (strcasecmp(rule_opt[k]->element, xml_srcip) == 0) { - int ip_s = 0; + unsigned int ip_s = 0; /* Getting size of source ip list */ while (config_ruleinfo->srcip && @@ -469,7 +469,7 @@ int Rules_OP_ReadRules(char *rulefile) config_ruleinfo->alert_opts |= DO_PACKETINFO; } } else if (strcasecmp(rule_opt[k]->element, xml_dstip) == 0) { - int ip_s = 0; + unsigned int ip_s = 0; /* Getting size of source ip list */ while (config_ruleinfo->dstip && @@ -1227,10 +1227,10 @@ int Rules_OP_ReadRules(char *rulefile) * If *at already exist, realloc the memory and cat str on it. * Returns the new string */ -char *loadmemory(char *at, char *str) +static char *loadmemory(char *at, const char *str) { if (at == NULL) { - int strsize = 0; + size_t strsize = 0; if ((strsize = strlen(str)) < OS_SIZE_2048) { at = (char *) calloc(strsize + 1, sizeof(char)); if (at == NULL) { 
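Review bot: Changing the loop and size variable to `size_t i;` in Rules_OP_ReadRules affects a function body of well over a thousand lines that lies outside this hunk, and the hunk shows none of the uses. Any use that counts down to zero, compares `i` against a negative value, or stores it into an `int` field changes meaning silently under the unsigned type, so a pass over every use of `i` in the function is needed before this lands — or declare a narrower-scoped variable at each use site, as the `unsigned int ip_s` hunks below already do. The `unsigned int ip_s = 0;` changes look fine as shown.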
@@ -1245,9 +1245,9 @@ char *loadmemory(char *at, char *str) } } else { /* at is not null. Need to reallocate its memory and copy str to it */ - int strsize = strlen(str); - int atsize = strlen(at); - int finalsize = atsize + strsize + 1; + size_t strsize = strlen(str); + size_t atsize = strlen(at); + size_t finalsize = atsize + strsize + 1; if ((atsize > OS_SIZE_2048) || (strsize > OS_SIZE_2048)) { merror(SIZE_ERROR, ARGV0, str); @@ -1269,7 +1269,7 @@ char *loadmemory(char *at, char *str) return (NULL); } -RuleInfoDetail *zeroinfodetails(int type, char *data) +RuleInfoDetail *zeroinfodetails(int type, const char *data) { RuleInfoDetail *info_details_pt = NULL; @@ -1394,7 +1394,7 @@ RuleInfo *zerorulemember(int id, int level, int get_info_attributes(char **attributes, char **values) { - char *xml_type = "type"; + const char *xml_type = "type"; int k = 0; if (!attributes) { @@ -1422,7 +1422,7 @@ int get_info_attributes(char **attributes, char **values) } /* Get the attributes */ -int getattributes(char **attributes, char **values, +static int getattributes(char **attributes, char **values, int *id, int *level, int *maxsize, int *timeframe, int *frequency, int *accuracy, @@ -1430,15 +1430,15 @@ int getattributes(char **attributes, char **values, { int k = 0; - char *xml_id = "id"; - char *xml_level = "level"; - char *xml_maxsize = "maxsize"; - char *xml_timeframe = "timeframe"; - char *xml_frequency = "frequency"; - char *xml_accuracy = "accuracy"; - char *xml_noalert = "noalert"; - char *xml_ignore_time = "ignore"; - char *xml_overwrite = "overwrite"; + const char *xml_id = "id"; + const char *xml_level = "level"; + const char *xml_maxsize = "maxsize"; + const char *xml_timeframe = "timeframe"; + const char *xml_frequency = "frequency"; + const char *xml_accuracy = "accuracy"; + const char *xml_noalert = "noalert"; + const char *xml_ignore_time = "ignore"; + const char *xml_overwrite = "overwrite"; /* Get attributes */ while (attributes[k]) { 
@@ -1549,9 +1549,9 @@ int getattributes(char **attributes, char **values, } /* Bind active responses to a rule */ -void Rule_AddAR(RuleInfo *rule_config) +static void Rule_AddAR(RuleInfo *rule_config) { - int rule_ar_size = 0; + unsigned int rule_ar_size = 0; int mark_to_ar = 0; int rule_real_level = 0; @@ -1670,7 +1670,7 @@ void Rule_AddAR(RuleInfo *rule_config) return; } -void printRuleinfo(RuleInfo *rule, int node) +static void printRuleinfo(const RuleInfo *rule, int node) { debug1("%d : rule:%d, level %d, timeout: %d", node, @@ -1732,7 +1732,7 @@ int _setlevels(RuleNode *node, int nnode) /* Test if a rule id exists * return 1 if exists, otherwise 0 */ -int doesRuleExist(int sid, RuleNode *r_node) +static int doesRuleExist(int sid, RuleNode *r_node) { /* Start from the beginning of the list by default */ if (!r_node) { diff --git a/src/analysisd/rules.h b/src/analysisd/rules.h index 071d50b7f..aaa6c9593 100644 --- a/src/analysisd/rules.h +++ b/src/analysisd/rules.h @@ -71,18 +71,18 @@ typedef struct _RuleInfoDetail { typedef struct _RuleInfo { int sigid; /* id attribute -- required*/ int level; /* level attribute --required */ - int maxsize; + size_t maxsize; int frequency; int timeframe; u_int8_t context; /* Not an user option */ int firedtimes; /* Not an user option */ - int time_ignored; /* Not an user option */ + time_t time_ignored; /* Not an user option */ int ignore_time; int ignore; int ckignore; - int group_prev_matched_sz; + unsigned int group_prev_matched_sz; int __frequency; char **last_events; @@ -166,9 +166,9 @@ typedef struct _RuleNode { } RuleNode; -RuleInfo *currently_rule; +extern RuleInfo *currently_rule; -RuleInfoDetail *zeroinfodetails(int type, char *data); +RuleInfoDetail *zeroinfodetails(int type, const char *data); int get_info_attributes(char **attributes, char **values); /* RuleInfo functions */ 
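Review bot: `size_t maxsize;` in RuleInfo now differs in signedness from the `int *maxsize` out-parameter of getattributes in rules.c, which this commit leaves as `int`, so a negative `maxsize` attribute in the rules XML would wrap to a huge value when stored unless the parser rejects it first. A range check where the parsed int is copied into the struct, `if (maxsize < 0) { merror(...); return -1; }` in the project's error style, or parsing straight into a `size_t`, would close that; the assignment itself is outside the hunks shown, so this is inferred from the two declarations. The other type changes here (`time_t time_ignored`, `unsigned int group_prev_matched_sz`) agree with their uses in the rules_list.c and eventinfo.c hunks.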
@@ -207,6 +207,12 @@ RuleNode *OS_GetFirstRule(void); void Rules_OP_CreateRules(void); +int Rules_OP_ReadRules(const char *rulefile); + +int AddHash_Rule(RuleNode *node); + +int _setlevels(RuleNode *node, int nnode); + /** Definition of the internal rule IDS ** ** These SIGIDs cannot be used ** ** **/ @@ -225,5 +231,8 @@ void Rules_OP_CreateRules(void); #define SYSCHECK_NEW "syscheck_new_entry" #define SYSCHECK_DEL "syscheck_deleted" +/* Global variables */ +extern int _max_freq; + #endif /* _OS_RULES */ diff --git a/src/analysisd/rules_list.c b/src/analysisd/rules_list.c index 143674cca..f8bd8a713 100644 --- a/src/analysisd/rules_list.c +++ b/src/analysisd/rules_list.c @@ -10,11 +10,13 @@ #include "shared.h" #include "rules.h" -/* Rulenode global */ -RuleNode *rulenode; +/* Rulenode local */ +static RuleNode *rulenode; /* _OS_Addrule: Internal AddRule */ -RuleNode *_OS_AddRule(RuleNode *_rulenode, RuleInfo *read_rule); +static RuleNode *_OS_AddRule(RuleNode *_rulenode, RuleInfo *read_rule); +static int _AddtoRule(int sid, int level, int none, const char *group, + RuleNode *r_node, RuleInfo *read_rule); /* Create the RuleList */ @@ -32,7 +34,7 @@ RuleNode *OS_GetFirstRule() } /* Search all rules, including children */ -int _AddtoRule(int sid, int level, int none, char *group, +static int _AddtoRule(int sid, int level, int none, const char *group, RuleNode *r_node, RuleInfo *read_rule) { int r_code = 0; @@ -135,7 +137,7 @@ int OS_AddChild(RuleInfo *read_rule) /* Adding for if_sid */ if (read_rule->if_sid) { int val = 0; - char *sid; + const char *sid; sid = read_rule->if_sid; @@ -200,7 +202,7 @@ int OS_AddChild(RuleInfo *read_rule) } /* Add a rule in the chain */ -RuleNode *_OS_AddRule(RuleNode *_rulenode, RuleInfo *read_rule) +static RuleNode *_OS_AddRule(RuleNode *_rulenode, RuleInfo *read_rule) { RuleNode *tmp_rulenode = _rulenode; 
@@ -378,7 +380,7 @@ int OS_MarkGroup(RuleNode *r_node, RuleInfo *orig_rule) if (OSMatch_Execute(r_node->ruleinfo->group, strlen(r_node->ruleinfo->group), orig_rule->if_matched_group)) { - int rule_g = 0; + unsigned int rule_g = 0; if (r_node->ruleinfo->group_prev_matched) { while (r_node->ruleinfo->group_prev_matched[rule_g]) { rule_g++; diff --git a/src/analysisd/stats.c b/src/analysisd/stats.c index 4dd1459ad..d620d1781 100644 --- a/src/analysisd/stats.c +++ b/src/analysisd/stats.c @@ -16,34 +16,37 @@ #include "alerts/alerts.h" #include "headers/debug_op.h" -char *(weekdays[]) = {"Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", +/* Global definition */ +char __stats_comment[192]; + +static const char *(weekdays[]) = {"Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday" }; -char *(l_month[]) = {"Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", +static const char *(l_month[]) = {"Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" }; /* Global variables */ /* Hour 25 is internally used */ -int _RWHour[7][25]; -int _CWHour[7][25]; +static int _RWHour[7][25]; +static int _CWHour[7][25]; -int _RHour[25]; -int _CHour[25]; +static int _RHour[25]; +static int _CHour[25]; -int _cignorehour = 0; -int _fired = 0; -int _daily_errors = 0; -int maxdiff = 0; -int mindiff = 0; -int percent_diff = 20; +static int _cignorehour = 0; +static int _fired = 0; +static int _daily_errors = 0; +static int maxdiff = 0; +static int mindiff = 0; +static int percent_diff = 20; /* Last msgs, to avoid floods */ -char *_lastmsg; -char *_prevlast; -char *_pprevlast; +static char *_lastmsg; +static char *_prevlast; +static char *_pprevlast; static void print_totals(void) @@ -96,7 +99,7 @@ static void print_totals(void) * If event_number < mindiff, return mindiff * If event_number > maxdiff, return maxdiff */ -int gethour(int event_number) +static int gethour(int event_number) { int event_diff; 
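Review bot: `static const char *(weekdays[])` and `static const char *(l_month[])` in the stats.c hunk make the strings read-only but leave the pointer arrays themselves writable. If the tables are never reassigned, `static const char *const weekdays[] = {...};` expresses that and lets the compiler place the array in read-only storage; style point only. The parenthesised declarator form `*(weekdays[])` is pre-existing and equivalent to `*weekdays[]`.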
@@ -427,7 +430,7 @@ int Start_Hour() /* Check if the message received is repeated to avoid * floods of the same message */ -int LastMsg_Stats(char *log) +int LastMsg_Stats(const char *log) { if (strcmp(log, _lastmsg) == 0) { return (1); @@ -447,7 +450,7 @@ int LastMsg_Stats(char *log) /* If the message is not repeated, rearrange the last * received messages */ -void LastMsg_Change(char *log) +void LastMsg_Change(const char *log) { /* Remove the last one */ free(_pprevlast); diff --git a/src/analysisd/stats.h b/src/analysisd/stats.h index e25d79cc1..be1503b04 100644 --- a/src/analysisd/stats.h +++ b/src/analysisd/stats.h @@ -10,10 +10,10 @@ #ifndef _STAT__H #define _STAT__H -void LastMsg_Change(char *log); -int LastMsg_Stats(char *log); +void LastMsg_Change(const char *log); +int LastMsg_Stats(const char *log); -char __stats_comment[192]; +extern char __stats_comment[192]; void Update_Hour(void); int Check_Hour(void); diff --git a/src/analysisd/testrule.c b/src/analysisd/testrule.c index 8267f7679..26644ebcd 100644 --- a/src/analysisd/testrule.c +++ b/src/analysisd/testrule.c 
@@ -26,35 +26,16 @@ #include "accumulator.h" #include "analysisd.h" #include "fts.h" +#include "cleanevent.h" /** Internal Functions **/ void OS_ReadMSG(char *ut_str); -RuleInfo *OS_CheckIfRuleMatch(Eventinfo *lf, RuleNode *curr_node); - -/** External functions prototypes (only called here) **/ - -/* For config */ -int GlobalConf(char *cfgfile); - -/* For rules */ -int Rules_OP_ReadRules(char *cfgfile); -int _setlevels(RuleNode *node, int nnode); -int AddHash_Rule(RuleNode *node); -/* For cleanmsg */ -int OS_CleanMSG(char *msg, Eventinfo *lf); - -/* for FTS */ -int AddtoIGnore(Eventinfo *lf); -int IGnore(Eventinfo *lf); +/* Analysisd function */ +RuleInfo *OS_CheckIfRuleMatch(Eventinfo *lf, RuleNode *curr_node); -/* For decoders */ void DecodeEvent(Eventinfo *lf); -/* For Decoders */ -int ReadDecodeXML(char *file); - - /* Print help statement */ __attribute__((noreturn)) static void help_logtest(void) @@ -81,8 +62,8 @@ int main(int argc, char **argv) int test_config = 0; int c = 0; char *ut_str = NULL; - char *dir = DEFAULTDIR; - char *cfg = DEFAULTCPATH; + const char *dir = DEFAULTDIR; + const char *cfg = DEFAULTCPATH; /* Set the name */ OS_SetName(ARGV0); @@ -301,7 +282,6 @@ int main(int argc, char **argv) __attribute__((noreturn)) void OS_ReadMSG(char *ut_str) { - int i; char msg[OS_MAXSTR + 1]; int exit_code = 0; char *ut_alertlevel = NULL; @@ -459,7 +439,7 @@ void OS_ReadMSG(char *ut_str) #ifdef TESTRULE if (!alert_only) { - char *(ruleinfodetail_text[]) = {"Text", "Link", "CVE", "OSVDB", "BUGTRACKID"}; + const char *(ruleinfodetail_text[]) = {"Text", "Link", "CVE", "OSVDB", "BUGTRACKID"}; print_out("\n**Phase 3: Completed filtering (rules)."); print_out(" Rule id: '%d'", currently_rule->sigid); print_out(" Level: '%d'", currently_rule->level); @@ -529,7 +509,7 @@ void OS_ReadMSG(char *ut_str) /* Group list */ else if (currently_rule->group_prev_matched) { - i = 0; + unsigned int i = 0; while (i < currently_rule->group_prev_matched_sz) { if (!OSList_AddData(
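Review bot: `RuleInfo *OS_CheckIfRuleMatch(Eventinfo *lf, RuleNode *curr_node);` and `void DecodeEvent(Eventinfo *lf);` remain as file-local prototypes in testrule.c under `/* Analysisd function */`, while this commit moves the other cross-file prototypes (Rules_OP_ReadRules, _setlevels, AddHash_Rule, IGnore, AddtoIGnore) into rules.h and fts.h. Declaring these two in the headers of the files that define them would finish the cleanup and let the compiler check them against their definitions; which headers those are is not visible here. The `@@ -529` hunk is cut off at the end of this chunk, so it is not reviewed.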