/*
* Copyright (c) 2002-2010 BalaBit IT Ltd, Budapest, Hungary
* Copyright (c) 1998-2010 Balázs Scheidler
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 as published
* by the Free Software Foundation, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
* As an additional exemption you are allowed to compile & link against the
* OpenSSL libraries as published by the OpenSSL project. See the file
* COPYING for details.
*
* Internal declarations to be used by pdbtool/patterndb internals. Not a
* public API.
*
*/
#ifndef PATTERNDB_INT_H_INCLUDED
#define PATTERNDB_INT_H_INCLUDED
#include "patterndb.h"
typedef struct _PDBRule PDBRule;
/* Rule context scope: how far correlation reaches when messages are grouped
 * into a PDBContext.  Presumably the value stored in PDBStateKey.scope and
 * PDBRule.context_scope below. */
enum
{
  /* correlation happens globally, e.g. log messages even on different hosts are considered */
  RCS_GLOBAL,
  /* correlation happens inside the same host only, e.g. messages from other hosts are not considered */
  RCS_HOST,
  /* correlation happens for the same program only, e.g. messages from other programs are not considered */
  RCS_PROGRAM,
  /* correlation happens for the same process only, e.g. messages from a different program/pid are not considered */
  RCS_PROCESS,
};
/* Type field for a state key (PDBStateKey.type).  Entries in db->state share
 * one key type but carry different payloads; this tag says which variant of
 * PDBStateEntry is stored, and therefore how the key strings are owned. */
enum
{
  /* state entry contains a context (PDBContext) */
  PSK_CONTEXT,
  /* state entry contains a ratelimit state (PDBRateLimit) */
  PSK_RATE_LIMIT,
};
/* Hash key for entries in PatternDB.state.  The same key type is used for
 * correlation contexts and for rate-limit states; `type` (PSK_*) tells them
 * apart.  Ownership of the string fields differs between the two variants
 * (borrowed in PDBContext, allocated in PDBRateLimit) — see the notes on
 * those structures. */
typedef struct _PDBStateKey
{
  const gchar *host;
  const gchar *program;
  const gchar *pid;
  /* NOTE(review): the only non-const string in the key.  Whether it is owned
   * by the key or borrowed depends on `type`; confirm against the code that
   * frees state entries before changing its lifetime. */
  gchar *session_id;
  /* RCS_* value; presumably selects which of host/program/pid take part in
   * key comparison — confirm against the hash/equal functions */
  guint8 scope;
  /* PSK_* value */
  guint8 type;
} PDBStateKey;
/* This class encapsulates a correlation context, keyed by PDBStateKey with
 * type == PSK_CONTEXT (the type enum above defines no PSK_RULE). */
typedef struct _PDBContext
{
  /* key in the hashtable. NOTE: host/program/pid/session_id are borrowed
   * pointers from the first message in the state, so the key is only valid
   * while that message is kept alive in `messages`; they must NOT be freed
   * with the context (contrast PDBRateLimit.key, which owns its strings). */
  PDBStateKey key;
  /* back reference to the PatternDB */
  PatternDB *db;
  /* back reference to the last rule touching this context */
  PDBRule *rule;
  /* timeout timer; presumably an entry in db->timer_wheel */
  TWEntry *timer;
  /* messages belonging to this context */
  GPtrArray *messages;
  /* plain (non-atomic) reference count, unlike PDBRule.ref_cnt; presumably
   * only touched under PatternDB.lock — confirm before sharing across threads */
  gint ref_cnt;
} PDBContext;
/* This class encapsulates a rate-limit state stored in db->state, keyed by
 * PDBStateKey with type == PSK_RATE_LIMIT. */
typedef struct _PDBRateLimit
{
  /* key in the hashtable. NOTE: host/program/pid/session_id are allocated,
   * thus they need to be freed when the structure is freed.  This is the
   * opposite of PDBContext, whose key strings are borrowed; code that frees a
   * state entry must dispatch on key.type before touching them. */
  PDBStateKey key;
  /* presumably the remaining token count of the rate limiter; how PDBAction.rate
   * and rate_quantum refill it is not visible in this header */
  gint buckets;
  /* time of the last refill/check; units not visible here */
  guint64 last_check;
} PDBRateLimit;
/* A value stored in db->state.  PDBContext and PDBRateLimit both begin with a
 * PDBStateKey, so `key` aliases the leading member of whichever variant is
 * stored and can be read without knowing the variant; key.type then says
 * which of `context` / `rate_limit` is the valid view. */
typedef struct _PDBStateEntry
{
  union
  {
    PDBStateKey key;
    PDBContext context;
    PDBRateLimit rate_limit;
  };
} PDBStateEntry;
/* Message payload attached to a rule (PDBRule.msg) or to an action
 * (PDBAction.content.message): presumably the tags to apply and the
 * name/value pairs to set.  Element types of the two arrays are not visible
 * in this header. */
typedef struct _PDBMessage
{
  GArray *tags;
  GPtrArray *values;
} PDBMessage;
/* rule action triggers: when a PDBAction fires.  Numbering starts at 1,
 * presumably so that a zero trigger is never valid. */
enum
{
  /* fire when the rule matches a message */
  RAT_MATCH = 1,
  /* fire when the correlation context times out */
  RAT_TIMEOUT
};
/* action content: which member of PDBAction.content is valid */
enum
{
  /* no content; `content` is unused */
  RAC_NONE,
  /* content.message is a PDBMessage */
  RAC_MESSAGE
};
/* a rule may contain one or more actions to be performed */
typedef struct _PDBAction
{
  /* optional filter gating the action; presumably NULL means unconditional — confirm */
  FilterExprNode *condition;
  /* RAT_* value */
  guint8 trigger;
  /* RAC_* value, selects the active member of `content` */
  guint8 content_type;
  /* rate limit; presumably at most `rate` firings per `rate_quantum` (units
   * not visible here) */
  guint16 rate;
  /* `id` is 8 bits wide and `rate_quantum` 24 bits.  Values parsed from the
   * rule file must be range-checked (0..255 and 0..16777215) before being
   * stored, otherwise they are silently truncated. */
  guint32 id:8, rate_quantum:24;
  union
  {
    PDBMessage message;
  } content;
} PDBAction;
/* this class encapsulates the verdict of a rule in the pattern
 * database and is stored as the "value" member in the RADIX tree
 * node. It contains a reference to the original rule in the rule
 * database. */
struct _PDBRule
{
  /* atomic reference count, released via pdb_rule_unref() */
  GAtomicCounter ref_cnt;
  /* NOTE: the member is named `class`, so this header is not includable
   * from C++; fine for an internal C header. */
  gchar *class;
  gchar *rule_id;
  /* name/value pairs and tags applied when the rule matches */
  PDBMessage msg;
  /* correlation settings: context lifetime, RCS_* scope and the template
   * that yields the context id (presumably PDBStateKey.session_id) */
  gint context_timeout;
  gint context_scope;
  LogTemplate *context_id_template;
  /* PDBAction entries; element type inferred from PDBAction above — confirm */
  GPtrArray *actions;
};
/* Drops one reference on `self` (ref_cnt is a GAtomicCounter); presumably
 * frees the rule when the count reaches zero — confirm in the implementation. */
void pdb_rule_unref(PDBRule *self);
/* this class encapsulates an example message in the pattern database
 * used for testing rules and patterns. It contains the message with the
 * program field and the expected rule_id with the expected name/value
 * pairs. */
typedef struct _PDBExample
{
  /* rule this example belongs to; whether this holds a reference (and is
   * unref'd by pdb_example_free) is not visible here — confirm */
  PDBRule *rule;
  gchar *message;
  gchar *program;
  /* expected name/value pairs; element type not visible here */
  GPtrArray *values;
} PDBExample;
/* Frees an example and its owned members; see PDBExample for which fields are
 * owned (rule ownership to be confirmed). */
void pdb_example_free(PDBExample *s);
/*
 * This class encapsulates a set of program related rules in the
 * pattern database. Its instances are stored as "value" in the
 * program name RADIX tree. It basically contains another RADIX for
 * the per-program patterns.
 */
typedef struct _PDBProgram
{
  /* NOTE(review): plain guint, not a GAtomicCounter as in PDBRule.  Safe only
   * if ref/unref happen single-threaded (e.g. at load time) or under
   * PatternDB.lock — confirm before sharing across threads. */
  guint ref_cnt;
  /* RADIX tree of message patterns whose values are PDBRule pointers */
  RNode *rules;
} PDBProgram;
/* rules loaded from a pdb file */
typedef struct _PDBRuleSet
{
  /* RADIX tree keyed by program name whose values are PDBProgram pointers */
  RNode *programs;
  /* metadata from the pdb file; presumably owned strings, released by
   * pdb_rule_set_free() */
  gchar *version;
  gchar *pub_date;
} PDBRuleSet;
/* Loads rules from the pdb file named by `config` into `self`; examples found
 * in the file are presumably appended to `*examples` as PDBExample pointers.
 * The pdb file is external input — its parser must treat lengths and numeric
 * fields (e.g. PDBAction rate/rate_quantum) as untrusted.  Returns FALSE on
 * failure. */
gboolean pdb_rule_set_load(PDBRuleSet *self, GlobalConfig *cfg, const gchar *config, GList **examples);
/* Finds the rule matching `msg`, or NULL.  `dbg_list` presumably collects
 * match debugging info when non-NULL.  Whether the returned rule is
 * referenced (caller must pdb_rule_unref) or borrowed is not visible here —
 * confirm in the implementation. */
PDBRule *pdb_rule_set_lookup(PDBRuleSet *self, LogMessage *msg, GArray *dbg_list);
/* Allocates an empty rule set; release with pdb_rule_set_free(). */
PDBRuleSet *pdb_rule_set_new(void);
/* Frees a rule set created by pdb_rule_set_new() together with its trees. */
void pdb_rule_set_free(PDBRuleSet *self);
/* The pattern database instance: the compiled rule set plus the mutable
 * correlation/rate-limit state shared by lookups. */
struct _PatternDB
{
  /* NOTE(review): which members this rwlock protects (ruleset replacement on
   * reload? state and timer_wheel?) is not visible here — confirm before
   * adding any lock-free reader. */
  GStaticRWLock lock;
  PDBRuleSet *ruleset;
  /* PDBStateKey -> PDBStateEntry; variant selected by key.type (PSK_*) */
  GHashTable *state;
  /* context timeouts; PDBContext.timer entries presumably live here */
  TimerWheel *timer_wheel;
  /* time the timer wheel was last advanced — presumably */
  GTimeVal last_tick;
  /* callback and its user data for emitting messages generated by actions */
  PatternDBEmitFunc emit;
  gpointer emit_data;
};
#endif