/* @(#) $Id: eventinfo.h,v 1.31 2007/06/30 21:48:13 dcid Exp $ */ /* Copyright (C) 2004-2007 Daniel B. Cid * All right reserved. * * This program is a free software; you can redistribute it * and/or modify it under the terms of the GNU General Public * License (version 2) as published by the FSF - Free Software * Foundation */ #ifndef _EVTINFO__H #define _EVTINFO__H #include "rules.h" #include "decoders/decoder.h" /* Event Information structure */ typedef struct _Eventinfo { /* Extracted from the event */ char *log; char *full_log; char *location; char *hostname; char *program_name; /* Extracted from the decoders */ char *srcip; char *dstip; char *srcport; char *dstport; char *protocol; char *action; char *user; char *dstuser; char *id; char *status; char *command; char *url; char *data; char *systemname; /* Pointer to the rule that generated it */ RuleInfo *generated_rule; /* Pointer to the decoder that matched */ OSDecoderInfo *decoder_info; /* Sid node to delete */ OSListNode *sid_node_to_delete; /* Extract when the event fires a rule */ int size; int p_name_size; /* Other internal variables */ short int matched; int time; int day; int year; char hour[9]; char mon[4]; }Eventinfo; /* Events List structure */ typedef struct _EventNode { Eventinfo *event; struct _EventNode *next; struct _EventNode *prev; }EventNode; /** Types of events (from decoders) **/ #define UNKNOWN 0 /* Unkown */ #define SYSLOG 1 /* syslog messages */ #define IDS 2 /* IDS alerts */ #define FIREWALL 3 /* Firewall events */ #define WEBLOG 7 /* Apache logs */ #define SQUID 8 /* Squid logs */ #define WINDOWS 9 /* Windows logs */ #define HOST_INFO 10 /* Host information logs (from nmap or similar) */ #define OSSEC_RL 11 /* Ossec rules */ /* FTS allowed values */ #define FTS_NAME 001000 #define FTS_USER 002000 #define FTS_DSTUSER 004000 #define FTS_SRCIP 000100 #define FTS_DSTIP 000200 #define FTS_LOCATION 000400 #define FTS_ID 000010 #define FTS_DATA 000020 #define FTS_SYSTEMNAME 000040 /** Functions for events **/ /* Search for matches in the last events */ Eventinfo *Search_LastEvents(Eventinfo *lf, RuleInfo *currently_rule); Eventinfo *Search_LastSids(Eventinfo *my_lf, RuleInfo *currently_rule); Eventinfo *Search_LastGroups(Eventinfo *my_lf, RuleInfo *currently_rule); /* Zero the eventinfo structure */ void Zero_Eventinfo(Eventinfo *lf); /* Free the eventinfo structure */ void Free_Eventinfo(Eventinfo *lf); /* Add and event to the list of previous events */ void OS_AddEvent(Eventinfo *lf); /* Return the last event from the Event list */ EventNode *OS_GetLastEvent(); /* Create the event list. Maxsize must be specified */ void OS_CreateEventList(int maxsize); /* Pointers to the event decoders */ void *DstUser_FP(Eventinfo *lf, char *field); void *User_FP(Eventinfo *lf, char *field); void *SrcIP_FP(Eventinfo *lf, char *field); void *DstIP_FP(Eventinfo *lf, char *field); void *SrcPort_FP(Eventinfo *lf, char *field); void *DstPort_FP(Eventinfo *lf, char *field); void *Protocol_FP(Eventinfo *lf, char *field); void *Action_FP(Eventinfo *lf, char *field); void *ID_FP(Eventinfo *lf, char *field); void *Url_FP(Eventinfo *lf, char *field); void *Data_FP(Eventinfo *lf, char *field); void *Status_FP(Eventinfo *lf, char *field); void *SystemName_FP(Eventinfo *lf, char *field); void *None_FP(Eventinfo *lf, char *field); #endif /* _EVTINFO__H */