source: trunk/src/sh_filter.c@ 565

Last change on this file since 565 was 560, checked in by katerina, 4 years ago

Fix for ticket #449 (gcc 10 compile issues).

File size: 6.5 KB
Line 
1/* SAMHAIN file system integrity testing */
2/* Copyright (C) 2009 Rainer Wichmann */
3/* */
4/* This program is free software; you can redistribute it */
5/* and/or modify */
6/* it under the terms of the GNU General Public License as */
7/* published by */
8/* the Free Software Foundation; either version 2 of the License, or */
9/* (at your option) any later version. */
10/* */
11/* This program is distributed in the hope that it will be useful, */
12/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14/* GNU General Public License for more details. */
15/* */
16/* You should have received a copy of the GNU General Public License */
17/* along with this program; if not, write to the Free Software */
18/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20
21#include "config_xor.h"
22
23#include <string.h>
24#ifdef HAVE_REGEX_H
25#include <regex.h>
26#endif
27
28#include "samhain.h"
29#include "sh_utils.h"
30#include "sh_mem.h"
31#include "sh_filter.h"
32
33#undef FIL__
34#define FIL__ _("sh_filter.c")
35
36
37void sh_filter_free (sh_filter_type * filter)
38{
39 int i;
40
41 if (filter)
42 {
43 for (i = 0; i < filter->for_c; ++i) {
44#ifdef HAVE_REGEX_H
45 if (filter->for_v[i])
46 regfree(filter->for_v[i]);
47#else
48 if (filter->for_v[i])
49 SH_FREE(filter->for_v[i]);
50#endif
51 filter->for_v[i] = NULL;
52 }
53 filter->for_c = 0;
54
55 for (i = 0; i < filter->fand_c; ++i) {
56#ifdef HAVE_REGEX_H
57 if (filter->fand_v[i])
58 regfree(filter->fand_v[i]);
59#else
60 if (filter->fand_v[i])
61 SH_FREE(filter->fand_v[i]);
62#endif
63 filter->fand_v[i] = NULL;
64 }
65 filter->fand_c = 0;
66
67 for (i = 0; i < filter->fnot_c; ++i) {
68#ifdef HAVE_REGEX_H
69 if (filter->fnot_v[i])
70 regfree(filter->fnot_v[i]);
71#else
72 if (filter->fnot_v[i])
73 SH_FREE(filter->fnot_v[i]);
74#endif
75 filter->fnot_v[i] = NULL;
76 }
77 filter->fnot_c = 0;
78 }
79}
80
81
82int sh_filter_add (const char * str, sh_filter_type * filter, int type)
83{
84 int i = 0;
85 int flag = 0;
86 size_t s;
87
88 char * dupp;
89 char * p;
90 char * end;
91 int * ntok;
92 void ** stok;
93
94 SL_ENTER(_("sh_filter_filteradd"));
95
96 if (NULL == str || NULL == filter)
97 {
98 SL_RETURN((-1), _("sh_filter_filteradd"));
99 }
100
101 if (type == SH_FILT_OR) {
102 ntok = &(filter->for_c);
103 stok = filter->for_v;
104 }
105 else if (type == SH_FILT_AND) {
106 ntok = &(filter->fand_c);
107 stok = filter->fand_v;
108 }
109 else if (type == SH_FILT_NOT) {
110 ntok = &(filter->fnot_c);
111 stok = filter->fnot_v;
112 }
113 else {
114 SL_RETURN((-1), _("sh_filter_filteradd"));
115 }
116
117 /* cppcheck-suppress uninitvar */
118 i = *ntok;
119 if (i == SH_FILT_NUM) {
120 SL_RETURN((-1), _("sh_filter_filteradd"));
121 }
122
123 dupp = sh_util_strdup(str);
124 p = dupp;
125
126 do
127 {
128 while (*p == ',' || *p == ' ' || *p == '\t')
129 ++p;
130 if (*p == '\0')
131 break;
132
133 end = p; ++end;
134 if (*end == '\0')
135 break;
136
137 if (*p == '\'')
138 {
139 ++p; end = p; if (*end != '\'') ++end;
140 if (*p == '\0' || *end == '\0')
141 break;
142 while (*end != '\0' && *end != '\'')
143 ++end;
144 }
145 else if (*p == '"')
146 {
147 ++p; end = p; if (*end != '"') ++end;
148 if (*p == '\0' || *end == '\0')
149 break;
150 while (*end != '\0' && *end != '"')
151 ++end;
152 }
153 else
154 {
155 while (*end != '\0' && *end != ',' && *end != ' ' && *end != '\t')
156 ++end;
157 }
158 if (*end == '\0')
159 flag = 1;
160 else
161 *end = '\0';
162
163 s = strlen(p);
164 if (s > 0)
165 {
166 ++s;
167#ifdef HAVE_REGEX_H
168 if (stok[i] != NULL)
169 regfree((regex_t *) stok[i]);
170 {
171 int status;
172
173 stok[i] = SH_ALLOC(sizeof(regex_t));
174
175 status = regcomp((regex_t *) stok[i], p,
176 REG_NOSUB|REG_EXTENDED);
177 if (status != 0)
178 {
179 char * errbuf = SH_ALLOC(BUFSIZ);
180 (void) regerror(status, (regex_t *) stok[i],
181 errbuf, BUFSIZ);
182 errbuf[BUFSIZ-1] = '\0';
183 sh_error_handle ((-1), FIL__, __LINE__, status, MSG_E_REGEX,
184 errbuf, p);
185 SH_FREE(errbuf);
186 }
187 }
188#else
189 if (stok[i] != NULL)
190 SH_FREE(stok[i]);
191
192 stok[i] = SH_ALLOC(s);
193 (void) sl_strlcpy((char *) stok[i], p, s);
194#endif
195 ++i;
196 }
197
198 p = end; ++p;
199
200 if (i == SH_FILT_NUM)
201 break;
202 }
203 while (p != NULL && *p != '\0' && flag == 0);
204
205 *ntok = i;
206 SH_FREE(dupp);
207
208 SL_RETURN (0, _("sh_filter_filteradd"));
209}
210
211#ifdef HAVE_REGEX_H
212static int sh_filter_cmp(const char * message, void * pattern)
213{
214 int result;
215
216 result = regexec((regex_t *)pattern, message, 0, NULL, 0);
217
218 if (result != 0)
219 return -1;
220
221 /* Successful match. */
222 return 0;
223}
224#else
225static int sh_filter_cmp(const char * message, void * pattern)
226{
227 if (NULL == sl_strstr(message, (char *)pattern))
228 return -1;
229
230 /* Successful match. */
231 return 0;
232}
233#endif
234
235/*
236 * -- Check filters. Returns 0 if message passes.
237 */
238int sh_filter_filter (const char * message, sh_filter_type * filter)
239{
240 int i;
241
242 SL_ENTER(_("sh_filter_filter"));
243
244 if (filter)
245 {
246
247 /* Presence of any of these keywords prevents execution.
248 */
249 if (filter->fnot_c > 0)
250 {
251 for (i = 0; i < filter->fnot_c; ++i)
252 {
253 if (0 == sh_filter_cmp(message, filter->fnot_v[i]))
254 {
255 SL_RETURN ((-1), _("sh_filter_filter"));
256 }
257 }
258 }
259
260 /* Presence of all of these keywords is required for execution.
261 */
262 if (filter->fand_c > 0)
263 {
264 for (i = 0; i < filter->fand_c; ++i)
265 {
266 if (0 != sh_filter_cmp(message, filter->fand_v[i]))
267 {
268 SL_RETURN ((-1), _("sh_filter_filter"));
269 }
270 }
271 }
272
273 /* Presence of at least one of these keywords is required for execution.
274 */
275 if (filter->for_c > 0)
276 {
277 for (i = 0; i < filter->for_c; ++i)
278 {
279 if (0 == sh_filter_cmp(message, filter->for_v[i]))
280 {
281 goto isok;
282 }
283 }
284 SL_RETURN ((-1), _("sh_filter_filter"));
285 }
286 }
287
288 isok:
289 SL_RETURN ((0), _("sh_filter_filter"));
290}
291
292sh_filter_type * sh_filter_alloc(void)
293{
294 sh_filter_type * filter = SH_ALLOC(sizeof(sh_filter_type));
295
296 memset(filter, 0, sizeof(sh_filter_type));
297 filter->for_c = 0;
298 filter->fand_c = 0;
299 filter->fnot_c = 0;
300 return filter;
301}
Note: See TracBrowser for help on using the repository browser.