pattern.c

Go to the documentation of this file.

/*----------------------------------------------------------------------------
 secwatch - Copyright (C) 2006 Nic Stevens -- See COPYING for license details
------------------------------------------------------------------------------
 pattern.c - Implement pattern matching functions using PCRE or simple text
 comparisons
-----------------------------------------------------------------------------*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <pcre.h>
#include "strutil.h"

typedef struct _pattern {
     char * logdef;             // logfile name
     pcre *logrx;               // compiled RE for logfile
     char * match[2];           // match1/2 strings
     pcre *matchrx[2];          // compiled REs for match 1/2
     int pos;                   // where to expect IP addr in log file line
} pat_t;

static pat_t ** _pats;
static int _patcnt = 0;
static int _regxerr = 0;

void dumpPats(void) {
     int i;
     pat_t *p;
     printf(">> Pattern Dump << \n");
     for(i = 0; i < _patcnt; i++) {
          p = _pats[i];
          printf("Pattern %d PCRE:[%s,%s,%s]: %s:%s:%s@%d\n\n",
                 i,
                 (p->logrx != NULL) ? "yes" : "no",
                 (p->matchrx[0] != NULL) ? "yes" : "no",
                 (p->matchrx[1] != NULL) ? "yes" : "no",
                 p->logdef,p->match[0],p->match[1],p->pos);
     }
}
static pcre * patrx(const char *buf,char *errbuf, size_t ebufsz) {
     pcre *p;
     char *errptr;
     int eoff;
     char rebuf[10240];
     memset(rebuf,'\0',sizeof(rebuf));
     strncpy(rebuf,&buf[1],strlen(buf)-2);
     if((p = pcre_compile(rebuf,0,(const char **)&errptr, &eoff,NULL)) == NULL) {
          strncpy(errbuf,errptr,ebufsz);
          return NULL;
     }
     return p;
}
int patternMatch(char *filename, char *str, int *ip) {
     int i, j;
     pat_t *p;
     for(i = 0; i < _patcnt; i++) {
          p = _pats[i];
          if(p->logrx != NULL) {
               if(pcre_exec(p->logrx,NULL,filename,strlen(filename),0,0,NULL,0) <= 0)
                    continue;
          } else {
               if(strpos(filename,p->logdef) < 0)
                    continue;
          }
          if(p->matchrx[0] != NULL) {
               if(pcre_exec(p->matchrx[0],NULL,str,strlen(str),0,0,NULL,0) <= 0)
                    continue;
          } else {
               if(strpos(str,p->match[0]) <= 0)
                    continue;
          }
          if(p->matchrx[1] != NULL) {
               if(pcre_exec(p->matchrx[1],NULL,str,strlen(str),0,0,NULL,0) <= 0)
                    continue;
          } else {
               if(strpos(str,p->match[1]) <= 0)
                    continue;
          }
          *ip = p->pos;
          return 0;
     }
     return -1;
}
int loadPatterns(char *file, char *ebuf, size_t ebsiz) {
     char eb2[10240];
     char buf[1024], name[1024], val[1024];
     char *p, *ep, *p1;
     int ipp, i, line = 0;
     struct cfgitem *c;
     pat_t x;
     FILE *f;
     
     if((f = fopen(file,"r")) == NULL) {
          snprintf(ebuf,ebsiz,"%s(%d) Cannot open config file \"%s\": %m",file,line);
          return -1;
     }
     while((p = fgets(buf,sizeof(buf)-1,f)) != NULL) {
          line ++; 
          if(*p == '#') continue;
          if((p = strchr(buf,'#')) != NULL)
               *p = '\0';
          p = trim(buf);
          if(*p == '\0' || strlen(p) == 0)
               continue;
          x.logdef = p;
          if((p = strchr(x.logdef,':')) == NULL)
               continue;
          *p++ = '\0';
          x.match[0] = p;
          if((p = strchr(x.match[0],':')) == NULL)
               continue;
          *p++ = '\0';
          x.match[1] = p;
          if((p = strchr(x.match[1],'@')) == NULL)
               continue;
          *p++ = '\0';
          if((x.pos = atoi(p)) <= 0) {
               snprintf(ebuf,ebsiz,"%s:(%d) Invalid position specified in rule.",file,line);
               fclose(f);
               return -1;
          }
          if(strncmp(x.logdef,"//",2) == 0) {
               if((x.logrx = patrx(x.logdef,eb2,sizeof(eb2))) == NULL)
                    snprintf(ebuf,ebsiz,"%s(%d): WARNING: pcre compile failed for logmatch: %s",file,line,eb2);
          }
          else
               x.logrx = NULL;
          for(i = 0; i < 2; i++) {
               x.matchrx[i] = NULL;
               if(x.match[i][0] == '/') {
                    if((x.matchrx[i] = patrx(x.match[i],eb2,sizeof(eb2))) == NULL) 
                         snprintf(ebuf,ebsiz,"%s(%d): WARNING: pcre compile failed for match %d: %s",file,line,i+1,eb2);
               }
          }
          //
          // realloc and catenation of pattern to pats
          // 
          ipp = _patcnt ++;
          if((_pats = realloc(_pats,(sizeof(pat_t *)*_patcnt))) == NULL){
               snprintf(ebuf,ebsiz,"%s(%d): Could not allocate space for pat_t: %m",file,line);
               fclose(f);
               return -1;
          }
          if((_pats[ipp] = calloc(sizeof(pat_t),1)) == NULL) {
               snprintf(ebuf,ebsiz,"%s(%d): Could not allocate space for pat_t: %m",file,line);
               fclose(f);
               return -1;
          }
          x.logdef = strdup(x.logdef);
          for(i = 0; i < 2; i++) 
               x.match[i] = strdup(x.match[i]);
          *_pats[ipp] = x;
     }
     fclose(f);
     return 0;
}

---