Lines Matching refs:r_node

19                RuleNode *r_node, RuleInfo *read_rule);
/* _AddtoRule(): this listing shows only the lines that mention r_node; the
 * conditions that select between the sid, group and level cases are on
 * lines not shown. The visible lines walk the rule list through
 * r_node->next (starting at OS_GetFirstRule() when r_node is NULL), attach
 * read_rule below a matching node with _OS_AddRule(), and recurse into
 * r_node->child.
 * NOTE(review): r_node->ruleinfo is dereferenced on every iteration and no
 * NULL check appears among the listed lines; confirm every node carries one. */
38 RuleNode *r_node, RuleInfo *read_rule) in _AddtoRule() argument
45 if (!r_node) { in _AddtoRule()
46 r_node = OS_GetFirstRule(); in _AddtoRule()
49 while (r_node) { in _AddtoRule()
/* Node whose sigid equals sid: read_rule takes over that node's category. */
52 if (r_node->ruleinfo->sigid == sid) { in _AddtoRule()
56 read_rule->category = r_node->ruleinfo->category; in _AddtoRule()
/* last_events is assigned as a pointer, so read_rule and the matched rule
 * refer to the same object afterwards.
 * NOTE(review): which rule owns and releases it is not visible here; confirm
 * it cannot be freed through one rule while the other still points at it. */
61 if (!read_rule->last_events && r_node->ruleinfo->last_events) { in _AddtoRule()
62 read_rule->last_events = r_node->ruleinfo->last_events; in _AddtoRule()
65 r_node->child = in _AddtoRule()
66 _OS_AddRule(r_node->child, read_rule); in _AddtoRule()
/* Group word match on a node with a different sigid; last_events is shared
 * by pointer in the same way as above. */
73 if (OS_WordMatch(group, r_node->ruleinfo->group) && in _AddtoRule()
74 (r_node->ruleinfo->sigid != read_rule->sigid)) { in _AddtoRule()
78 if (!read_rule->last_events && r_node->ruleinfo->last_events) { in _AddtoRule()
79 read_rule->last_events = r_node->ruleinfo->last_events; in _AddtoRule()
83 r_node->child = in _AddtoRule()
84 _OS_AddRule(r_node->child, read_rule); in _AddtoRule()
/* Level comparison on a node with a different sigid. */
91 if ((r_node->ruleinfo->level >= level) && in _AddtoRule()
92 (r_node->ruleinfo->sigid != read_rule->sigid)) { in _AddtoRule()
93 r_node->child = in _AddtoRule()
94 _OS_AddRule(r_node->child, read_rule); in _AddtoRule()
/* A node of another category: move on to the next sibling. */
102 else if (read_rule->category != r_node->ruleinfo->category) { in _AddtoRule()
103 r_node = r_node->next; in _AddtoRule()
/* read_rule inherits the node's category before it is attached. */
110 read_rule->category = r_node->ruleinfo->category; in _AddtoRule()
111 r_node->child = in _AddtoRule()
112 _OS_AddRule(r_node->child, read_rule); in _AddtoRule()
/* Depth-first descent; the result of the recursive call is tested, and the
 * action taken on a non-zero result is on a line not shown. */
117 if (r_node->child) { in _AddtoRule()
118 if (_AddtoRule(sid, level, none, group, r_node->child, read_rule)) { in _AddtoRule()
123 r_node = r_node->next; in _AddtoRule()
/* OS_AddRuleInfo(): overwrite the rule whose sigid equals sid with the
 * fields of newrule. Only the lines that mention r_node are listed. The walk
 * starts at OS_GetFirstRule() when r_node is NULL, follows r_node->next and
 * recurses into r_node->child; the recursive result is tested at line 327. */
268 int OS_AddRuleInfo(RuleNode *r_node, RuleInfo *newrule, int sid) in OS_AddRuleInfo() argument
271 if (r_node == NULL) { in OS_AddRuleInfo()
272 r_node = OS_GetFirstRule(); in OS_AddRuleInfo()
279 while (r_node) { in OS_AddRuleInfo()
/* Field-by-field assignment from newrule into the existing ruleinfo. Any
 * field that is a pointer is copied by value, so the rule in the tree and
 * newrule refer to the same objects afterwards.
 * NOTE(review): no release of the values being replaced appears among the
 * listed lines, and the ownership of newrule's members after this call is
 * not visible; confirm the old values are not leaked and that the caller
 * does not free newrule's members while the tree still references them. */
281 if (r_node->ruleinfo->sigid == sid) { in OS_AddRuleInfo()
282 r_node->ruleinfo->level = newrule->level; in OS_AddRuleInfo()
283 r_node->ruleinfo->maxsize = newrule->maxsize; in OS_AddRuleInfo()
284 r_node->ruleinfo->frequency = newrule->frequency; in OS_AddRuleInfo()
285 r_node->ruleinfo->timeframe = newrule->timeframe; in OS_AddRuleInfo()
286 r_node->ruleinfo->ignore_time = newrule->ignore_time; in OS_AddRuleInfo()
288 r_node->ruleinfo->group = newrule->group; in OS_AddRuleInfo()
289 r_node->ruleinfo->match = newrule->match; in OS_AddRuleInfo()
290 r_node->ruleinfo->regex = newrule->regex; in OS_AddRuleInfo()
291 r_node->ruleinfo->day_time = newrule->day_time; in OS_AddRuleInfo()
292 r_node->ruleinfo->week_day = newrule->week_day; in OS_AddRuleInfo()
293 r_node->ruleinfo->srcip = newrule->srcip; in OS_AddRuleInfo()
294 r_node->ruleinfo->dstip = newrule->dstip; in OS_AddRuleInfo()
295 r_node->ruleinfo->srcport = newrule->srcport; in OS_AddRuleInfo()
296 r_node->ruleinfo->dstport = newrule->dstport; in OS_AddRuleInfo()
297 r_node->ruleinfo->user = newrule->user; in OS_AddRuleInfo()
298 r_node->ruleinfo->url = newrule->url; in OS_AddRuleInfo()
299 r_node->ruleinfo->id = newrule->id; in OS_AddRuleInfo()
300 r_node->ruleinfo->status = newrule->status; in OS_AddRuleInfo()
301 r_node->ruleinfo->hostname = newrule->hostname; in OS_AddRuleInfo()
302 r_node->ruleinfo->program_name = newrule->program_name; in OS_AddRuleInfo()
303 r_node->ruleinfo->extra_data = newrule->extra_data; in OS_AddRuleInfo()
304 r_node->ruleinfo->action = newrule->action; in OS_AddRuleInfo()
305 r_node->ruleinfo->comment = newrule->comment; in OS_AddRuleInfo()
306 r_node->ruleinfo->info = newrule->info; in OS_AddRuleInfo()
307 r_node->ruleinfo->cve = newrule->cve; in OS_AddRuleInfo()
308 r_node->ruleinfo->if_matched_regex = newrule->if_matched_regex; in OS_AddRuleInfo()
309 r_node->ruleinfo->if_matched_group = newrule->if_matched_group; in OS_AddRuleInfo()
310 r_node->ruleinfo->if_matched_sid = newrule->if_matched_sid; in OS_AddRuleInfo()
311 r_node->ruleinfo->alert_opts = newrule->alert_opts; in OS_AddRuleInfo()
312 r_node->ruleinfo->context_opts = newrule->context_opts; in OS_AddRuleInfo()
313 r_node->ruleinfo->context = newrule->context; in OS_AddRuleInfo()
314 r_node->ruleinfo->decoded_as = newrule->decoded_as; in OS_AddRuleInfo()
315 r_node->ruleinfo->ar = newrule->ar; in OS_AddRuleInfo()
316 r_node->ruleinfo->compiled_rule = newrule->compiled_rule; in OS_AddRuleInfo()
/* last_events is taken from newrule only when SAME_DODIFF is set in its
 * context_opts and the existing rule has none, so an existing list is kept. */
317 if ((newrule->context_opts & SAME_DODIFF) && r_node->ruleinfo->last_events == NULL) { in OS_AddRuleInfo()
318 r_node->ruleinfo->last_events = newrule->last_events; in OS_AddRuleInfo()
326 if (r_node->child) { in OS_AddRuleInfo()
327 if (OS_AddRuleInfo(r_node->child, newrule, sid)) { in OS_AddRuleInfo()
332 r_node = r_node->next; in OS_AddRuleInfo()
/* OS_MarkID(): for each rule whose sigid equals orig_rule->if_matched_sid,
 * make sure that rule has a sid_prev_matched list and point
 * orig_rule->sid_search at it. Only the lines that mention r_node are
 * listed. The walk starts at OS_GetFirstRule() when r_node is NULL. */
339 int OS_MarkID(RuleNode *r_node, RuleInfo *orig_rule) in OS_MarkID() argument
342 if (r_node == NULL) { in OS_MarkID()
343 r_node = OS_GetFirstRule(); in OS_MarkID()
346 while (r_node) { in OS_MarkID()
347 if (r_node->ruleinfo->sigid == orig_rule->if_matched_sid) { in OS_MarkID()
/* The list is created on first use; a failed OSList_Create() is detected at
 * line 351, and its handling is on lines not shown. */
349 if (!r_node->ruleinfo->sid_prev_matched) { in OS_MarkID()
350 r_node->ruleinfo->sid_prev_matched = OSList_Create(); in OS_MarkID()
351 if (!r_node->ruleinfo->sid_prev_matched) { in OS_MarkID()
/* orig_rule shares the matched rule's list by pointer. */
357 orig_rule->sid_search = r_node->ruleinfo->sid_prev_matched; in OS_MarkID()
/* NOTE(review): the result of the recursive call is discarded here, so an
 * error reported from a child subtree would not reach the caller; confirm
 * that is intended. */
361 if (r_node->child) { in OS_MarkID()
362 OS_MarkID(r_node->child, orig_rule); in OS_MarkID()
365 r_node = r_node->next; in OS_MarkID()
/* OS_MarkGroup(): for each rule whose group string is accepted by
 * OSMatch_Execute(), append an entry to that rule's NULL-terminated
 * group_prev_matched array. Only the lines that mention r_node are listed;
 * the matcher argument and the value stored at line 400 are on lines not
 * shown. The walk starts at OS_GetFirstRule() when r_node is NULL. */
372 int OS_MarkGroup(RuleNode *r_node, RuleInfo *orig_rule) in OS_MarkGroup() argument
375 if (r_node == NULL) { in OS_MarkGroup()
376 r_node = OS_GetFirstRule(); in OS_MarkGroup()
379 while (r_node) { in OS_MarkGroup()
/* NOTE(review): strlen() requires a non-NULL group and no such check
 * appears among the listed lines; confirm every rule has a group string. */
380 if (OSMatch_Execute(r_node->ruleinfo->group, in OS_MarkGroup()
381 strlen(r_node->ruleinfo->group), in OS_MarkGroup()
/* Count the existing entries by scanning for the NULL terminator. */
384 if (r_node->ruleinfo->group_prev_matched) { in OS_MarkGroup()
385 while (r_node->ruleinfo->group_prev_matched[rule_g]) { in OS_MarkGroup()
/* Grow the array in place. Indices rule_g and rule_g + 1 are written right
 * after, so the new size must cover at least rule_g + 2 elements.
 * NOTE(review): the size expression is on line 391, which is not shown;
 * confirm it is (rule_g + 2) elements and cannot overflow. */
390 os_realloc(r_node->ruleinfo->group_prev_matched, in OS_MarkGroup()
392 r_node->ruleinfo->group_prev_matched); in OS_MarkGroup()
394 r_node->ruleinfo->group_prev_matched[rule_g] = NULL; in OS_MarkGroup()
395 r_node->ruleinfo->group_prev_matched[rule_g + 1] = NULL; in OS_MarkGroup()
398 r_node->ruleinfo->group_prev_matched_sz = rule_g + 1; in OS_MarkGroup()
400 r_node->ruleinfo->group_prev_matched[rule_g] = in OS_MarkGroup()
/* The result of the recursive call is discarded. */
405 if (r_node->child) { in OS_MarkGroup()
406 OS_MarkGroup(r_node->child, orig_rule); in OS_MarkGroup()
409 r_node = r_node->next; in OS_MarkGroup()