From 6325d4d336f36421dcb8ed9ee6af53834036046f Mon Sep 17 00:00:00 2001
From: "Scott R. Shinn"
Date: Wed, 24 Aug 2016 12:29:08 -0400
Subject: [PATCH 1/3] - Remove duplicitous country_code check

---
 src/analysisd/decoders/geoip.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/analysisd/decoders/geoip.c b/src/analysisd/decoders/geoip.c
index 08da3e236..464e4bb71 100644
--- a/src/analysisd/decoders/geoip.c
+++ b/src/analysisd/decoders/geoip.c
@@ -47,7 +47,7 @@ char *GetGeoInfobyIP(char *ip_addr)
 return(NULL);
 }

- if(geoiprecord->country_code == NULL || geoiprecord->country_code == NULL)
+ if(geoiprecord->country_code == NULL)
 {
 GeoIPRecord_delete(geoiprecord);
 return(NULL);

From 3a36fec6017d839f4dc9eba87663bfb1eef50072 Mon Sep 17 00:00:00 2001
From: "Scott R. Shinn"
Date: Wed, 24 Aug 2016 12:36:59 -0400
Subject: [PATCH 2/3] Add rule check for different_geoip

---
 src/analysisd/analysisd.c | 2 +-
 src/analysisd/eventinfo.c | 13 +++++++++++++
 src/analysisd/rules.c | 10 +++++++---
 src/analysisd/rules.h | 2 +-
 src/headers/rules_op.h | 2 +-
 5 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/src/analysisd/analysisd.c b/src/analysisd/analysisd.c
index eabf86e51..b2eb7b928 100644
--- a/src/analysisd/analysisd.c
+++ b/src/analysisd/analysisd.c
@@ -235,7 +235,7 @@ int main_analysisd(int argc, char **argv)
 geoipdb = GeoIP_open(Config.geoipdb_file, GEOIP_INDEX_CACHE);
 if (geoipdb == NULL)
 {
- merror("%s: Unable to open GeoIP database from: %s (disabling GeoIP).", ARGV0, Config.geoipdb_file);
+ merror("%s: ERROR: Unable to open GeoIP database from: %s (disabling GeoIP).", ARGV0, Config.geoipdb_file);
 }
 }
 #endif
diff --git a/src/analysisd/eventinfo.c b/src/analysisd/eventinfo.c
index 363d03316..7ad382394 100644
--- a/src/analysisd/eventinfo.c
+++ b/src/analysisd/eventinfo.c
@@ -135,6 +135,17 @@ Eventinfo *Search_LastSids(Eventinfo *my_lf, RuleInfo *rule)
 }
 }

+ /* GEOIP version of check for repetitions from same src_ip */
+ if (rule->context_opts & DIFFERENT_SRCGEOIP) {
+ if ((!lf->srcgeoip) || (!my_lf->srcgeoip)) {
+ continue;
+ }
+
+ if (strcmp(lf->srcgeoip, my_lf->srcgeoip) == 0) {
+ continue;
+ }
+ }
+
 /* Check if the number of matches worked */
 if (rule->__frequency <= 10) {
 rule->last_events[rule->__frequency]
@@ -404,6 +415,8 @@ Eventinfo *Search_LastEvents(Eventinfo *my_lf, RuleInfo *rule)
 }

+
+

 /* Check if the number of matches worked */
 if (rule->__frequency < rule->frequency) {
 if (rule->__frequency <= 10) {
diff --git a/src/analysisd/rules.c b/src/analysisd/rules.c
index e2c915f22..f61d2731b 100644
--- a/src/analysisd/rules.c
+++ b/src/analysisd/rules.c
@@ -112,7 +112,7 @@ int Rules_OP_ReadRules(const char *rulefile)

 const char *xml_different_url = "different_url";
 const char *xml_different_srcip = "different_srcip";
- const char *xml_different_geoip = "different_geoip";
+ const char *xml_different_geoip = "different_srcgeoip";

 const char *xml_notsame_source_ip = "not_same_source_ip";
 const char *xml_notsame_user = "not_same_user";
@@ -825,8 +825,8 @@ int Rules_OP_ReadRules(const char *rulefile)
 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
 } else if(strcmp(rule_opt[k]->element,
- xml_different_geoip) == 0) {
- config_ruleinfo->context_opts|= DIFFERENT_GEOIP;
+ xml_different_srcgeoip) == 0) {
+ config_ruleinfo->context_opts|= DIFFERENT_SRCGEOIP;

 if(!(config_ruleinfo->alert_opts & SAME_EXTRAINFO))
 config_ruleinfo->alert_opts |= SAME_EXTRAINFO;
@@ -1228,6 +1228,10 @@ int Rules_OP_ReadRules(const char *rulefile)

 /* Mark rules that match this id */
 OS_MarkID(NULL, config_ruleinfo);
+
+ /* Set function pointer */
+ config_ruleinfo->event_search = (void *(*)(void *, void *))
+ Search_LastEvents;
 }

 /* Mark the rules that match if_matched_group */
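Review bot: The DIFFERENT_SRCGEOIP comparison is added only to Search_LastSids; the Search_LastEvents hunk further down (@@ -404,6 +415,8 @@) adds nothing but two blank lines, so a rule that combines `different_srcgeoip` with plain frequency/timeframe matching and no if_matched_sid would, as far as these hunks show, never have its source locations compared and the detection would silently not fire. The same block should presumably be inserted into the Search_LastEvents loop, or the commit message should say why only the sid path gets it. The NULL guard also treats a missing `my_lf->srcgeoip` as "skip every prior event", which is a policy decision worth stating in the comment, e.g. `/* Events without GeoIP data never count toward the frequency */`. Both functions start and end outside the hunk.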
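Review bot: The string is changed to `"different_srcgeoip"` in the @@ -112,7 +112,7 @@ hunk of rules.c while the variable keeps its old name `xml_different_geoip`, yet the @@ -825,8 +825,8 @@ hunk below already compares against `xml_different_srcgeoip`; at this commit rules.c references an undeclared identifier and cannot build until PATCH 3/3 renames the variable, which breaks bisecting. Renaming both in this hunk, `const char *xml_different_srcgeoip = "different_srcgeoip";`, or squashing PATCH 3/3 into this one keeps every commit buildable. Note also that renaming the rule element from `different_geoip` to `different_srcgeoip` changes what existing rule files mean; how Rules_OP_ReadRules reacts to a now-unknown `<different_geoip>` element is decided outside these hunks and deserves a sentence in the commit message. Rules_OP_ReadRules starts and ends outside the hunk.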
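Review bot: The new `event_search = Search_LastEvents` assignment in the @@ -1228,6 +1228,10 @@ hunk is placed directly after OS_MarkID and before a closing brace, which suggests it sits inside the if_matched_sid branch whose opening is outside the hunk; if so, Search_LastSids — the function the eventinfo.c hunk in this commit extends with the srcgeoip comparison — is the search routine these rules need, and pointing them at Search_LastEvents would bypass the new check. If the pointer is assigned again further down in Rules_OP_ReadRules, outside the hunk, these four lines are dead and should be dropped instead. The comment `/* Set function pointer */` says what, not why; `/* if_matched_sid rules are searched via Search_LastSids, see eventinfo.c */` (or whichever function is actually intended) would make the choice reviewable.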
diff --git a/src/analysisd/rules.h b/src/analysisd/rules.h
index d13f917b6..2e9982e46 100644
--- a/src/analysisd/rules.h
+++ b/src/analysisd/rules.h
@@ -25,7 +25,7 @@
 #define SAME_LOCATION 0x008 /* 8 */
 #define DIFFERENT_URL 0x010 /* */
 #define DIFFERENT_SRCIP 0x200
-#define DIFFERENT_GEOIP 0x400
+#define DIFFERENT_SRCGEOIP 0x400
 #define SAME_SRCPORT 0x020
 #define SAME_DSTPORT 0x040
 #define SAME_DODIFF 0x100
diff --git a/src/headers/rules_op.h b/src/headers/rules_op.h
index 841bc1911..7981f1173 100644
--- a/src/headers/rules_op.h
+++ b/src/headers/rules_op.h
@@ -21,7 +21,7 @@
 #define SAME_LOCATION 0x008 /* 8 */
 #define DIFFERENT_URL 0x010
 #define DIFFERENT_SRCIP 0x200
-#define DIFFERENT_GEOIP 0x400
+#define DIFFERENT_SRCGEOIP 0x400
 #define SAME_SRCPORT 0x020
 #define SAME_DSTPORT 0x040
 #define SAME_DODIFF 0x100

From ed3efbc3e8b8a2bda80f40bfc7d86d96fbd5ee60 Mon Sep 17 00:00:00 2001
From: "Scott R. Shinn"
Date: Wed, 24 Aug 2016 12:56:49 -0400
Subject: [PATCH 3/3] - Missed a commit here

---
 src/analysisd/rules.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/analysisd/rules.c b/src/analysisd/rules.c
index f61d2731b..d1b540b67 100644
--- a/src/analysisd/rules.c
+++ b/src/analysisd/rules.c
@@ -112,7 +112,7 @@ int Rules_OP_ReadRules(const char *rulefile)

 const char *xml_different_url = "different_url";
 const char *xml_different_srcip = "different_srcip";
- const char *xml_different_geoip = "different_srcgeoip";
+ const char *xml_different_srcgeoip = "different_srcgeoip";

 const char *xml_notsame_source_ip = "not_same_source_ip";
 const char *xml_notsame_user = "not_same_user";