1 /*
2  * Copyright (c) 2010-2018 Balabit
3  * Copyright (c) 2010-2015 Balázs Scheidler <balazs.scheidler@balabit.com>
4  *
5  * This program is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 as published
7  * by the Free Software Foundation, or (at your option) any later version.
8  *
9  * This program is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12  * GNU General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
17  *
18  * As an additional exemption you are allowed to compile & link against the
19  * OpenSSL libraries as published by the OpenSSL project. See the file
20  * COPYING for details.
21  *
22  */
23 
/* Include guard.  The double-underscore name matches the guard style used
 * elsewhere in syslog-ng; strictly speaking such identifiers are reserved
 * for the C implementation, so do not copy this style into new code. */
24 #ifndef __TEST_PATTERNDB_H__
25 #define __TEST_PATTERNDB_H__
26 
/* Fixed HOST / PID strings for the pattern-db tests.  MYPID is spliced by
 * string-literal concatenation into the action conditions of rules 10d and
 * 11d in pdb_ruletest_skeleton (`"${PID}" eq "999"`), so it must stay a
 * quoted string literal, not a bare number.  MYHOST is not referenced in
 * this header; presumably the test sources that include it set the HOST of
 * the synthesised messages from it -- verify against the callers. */
27 #define MYHOST "MYHOST"
28 #define MYPID "999"
29 
/* Fixture: two rules under the same program patterns (prog1/prog2) whose
 * message patterns share the literal prefix "pattern " and then place two
 * *differently named* ESTRING parsers (foo1 / foo2, both delimited by a
 * space) at the same position; rule 12 additionally demands the literal
 * "tail" after the parser.  The embedded XML comment describes exactly this
 * case.  Presumably used to check how the pattern radix tree resolves two
 * distinct parser nodes competing for the same branch -- confirm in the
 * test that loads it.
 *
 * NOTE: every line after the #define is inside the string literal via
 * backslash continuation; a C comment placed on any of those lines would
 * become part of the XML, so all annotation lives up here. */
30 #define pdb_conflicting_rules_with_different_parsers "<patterndb version='4' pub_date='2010-02-22'>\
31  <ruleset name='testset' id='1'> \
32  <patterns>\
33  <pattern>prog1</pattern>\
34  <pattern>prog2</pattern>\
35  </patterns>\
36  <rules>\
37  <!-- different parsers at the same location -->\
38  <rule provider='test' id='11' class='short'>\
39  <patterns>\
40  <pattern>pattern @ESTRING:foo1: @</pattern>\
41  </patterns>\
42  </rule>\
43  <rule provider='test' id='12' class='long'>\
44  <patterns>\
45  <pattern>pattern @ESTRING:foo2: @tail</pattern>\
46  </patterns>\
47  </rule>\
48  </rules>\
49  </ruleset>\
50 </patterndb>"
51 
/* Fixture: the counterpart of pdb_conflicting_rules_with_different_parsers.
 * Both rules use the *same* parser (@ESTRING:foo: @) at the same position;
 * rule 11's pattern is a strict prefix of rule 12's, which requires the
 * literal "tail" afterwards.  Presumably exercises the case where the two
 * patterns share one parser node and only diverge after it -- confirm in
 * the test that loads it.
 *
 * NOTE(review): the embedded XML comment "different parsers at the same
 * location" was evidently copied from the previous fixture and is wrong
 * here (the parsers are identical).  It is left untouched because it is
 * part of the string literal and changing it would alter the fixture bytes. */
52 #define pdb_conflicting_rules_with_the_same_parsers "<patterndb version='4' pub_date='2010-02-22'>\
53  <ruleset name='testset' id='1'>\
54  <patterns>\
55  <pattern>prog1</pattern>\
56  <pattern>prog2</pattern>\
57  </patterns>\
58  <rules>\
59  <!-- different parsers at the same location -->\
60  <rule provider='test' id='11' class='short'>\
61  <patterns>\
62  <pattern>pattern @ESTRING:foo: @</pattern>\
63  </patterns>\
64  </rule>\
65  <rule provider='test' id='12' class='long'>\
66  <patterns>\
67  <pattern>pattern @ESTRING:foo: @tail</pattern>\
68  </patterns>\
69  </rule>\
70  </rules>\
71  </ruleset>\
72 </patterndb>"
73 
/* Main rule/action fixture (patterndb version 5).  Whenever a rule matches,
 * the actions attached to it must fire; this database covers the different
 * ways that can happen.  Summary of the rules (all under programs
 * prog1/prog2):
 *
 *   10   plain match: sets two tags and three values, one of them the
 *        ${HOST} of the matching message.
 *   10a  correlated via context-id='$PID' (scope 'program', 60 s timeout);
 *        records ${CONTEXT_ID} and $(context-length) as values.
 *   10b  same context; trigger='match' action emits a message with
 *        MESSAGE, context-id=${CONTEXT_ID} and a tag.
 *   10c  same context; trigger='timeout' action emits a message when the
 *        context expires.
 *   10d  two trigger='match' actions with `condition` filters comparing
 *        "${PID}" against MYPID; only the `eq` one is meant to fire (the
 *        other's MESSAGE is literally "not-generated-message").
 *   10e  trigger='match' action with rate='1/60' (rate limiting).
 *   10f  context keyed on $PROGRAM; conditions are `message(...)`
 *        filter expressions with type(pcre) -- again one is expected to
 *        fail ("filter-not-exists") and one to match ("filter").
 *   11b/11d/11e  the same three action shapes without any context.
 *        11e also carries <examples>; its first example asserts
 *        MESSAGE == "foobar", which cannot equal the test message, so
 *        the examples here presumably exercise the example/test_value
 *        syntax rather than a passing self-test -- confirm against the
 *        loading test.
 *   12   trigger='match' action that *creates* context 1000
 *        (<create-context>) with inherit-properties='context'.
 *   13   consumes context 1000; its value references ${MESSAGE}@1, i.e.
 *        the first message in the context.
 *   14   lives in context 1001 but creates context 1002; the embedded XML
 *        comment states the expectation that the generated message
 *        inherits from the matching LogMessage, not from the new context.
 *   15   consumes context 1002 and uses $(grep ...) over the context.
 *
 * Practitioner note when adapting these skeletons to a real ruleset:
 * context-id='$PID' / '$PROGRAM' keys the correlation state on fields
 * taken from the log message itself, so the log producer chooses how many
 * distinct contexts exist; only context-timeout bounds their lifetime.
 * Whether the engine caps the number of live contexts is not visible from
 * this file -- check before relying on it with untrusted senders.
 *
 * Every line after the #define is inside the string literal (backslash
 * continuation); do not add C comments there.  The \" sequences and the
 * `" MYPID "` splices in 10d/11d are C-level string concatenation. */
77 #define pdb_ruletest_skeleton "<patterndb version='5' pub_date='2010-02-22'>\
78  <ruleset name='testset' id='1'>\
79  <description>This is a test set</description>\
80  <patterns>\
81  <pattern>prog1</pattern>\
82  <pattern>prog2</pattern>\
83  </patterns>\
84  <rules>\
85  <rule provider='test' id='10' class='system' context-scope='program'>\
86  <patterns>\
87  <pattern>simple-message</pattern>\
88  </patterns>\
89  <tags>\
90  <tag>simple-msg-tag1</tag>\
91  <tag>simple-msg-tag2</tag>\
92  </tags>\
93  <values>\
94  <value name='simple-msg-value-1'>value1</value>\
95  <value name='simple-msg-value-2'>value2</value>\
96  <value name='simple-msg-host'>${HOST}</value>\
97  </values>\
98  </rule>\
99  <rule provider='test' id='10a' class='system' context-scope='program' context-id='$PID' context-timeout='60'>\
100  <patterns>\
101  <pattern>correlated-message-based-on-pid</pattern>\
102  </patterns>\
103  <values>\
104  <value name='correlated-msg-context-id'>${CONTEXT_ID}</value>\
105  <value name='correlated-msg-context-length'>$(context-length)</value>\
106  </values>\
107  </rule>\
108  <rule provider='test' id='10b' class='violation' context-scope='program' context-id='$PID' context-timeout='60'>\
109  <patterns>\
110  <pattern>correlated-message-with-action-on-match</pattern>\
111  </patterns>\
112  <actions>\
113  <action trigger='match'>\
114  <message>\
115  <values>\
116  <value name='MESSAGE'>generated-message-on-match</value>\
117  <value name='context-id'>${CONTEXT_ID}</value>\
118  </values>\
119  <tags>\
120  <tag>correlated-msg-tag</tag>\
121  </tags>\
122  </message>\
123  </action>\
124  </actions>\
125  </rule>\
126  <rule provider='test' id='10c' class='violation' context-scope='program' context-id='$PID' context-timeout='60'>\
127  <patterns>\
128  <pattern>correlated-message-with-action-on-timeout</pattern>\
129  </patterns>\
130  <actions>\
131  <action trigger='timeout'>\
132  <message>\
133  <values>\
134  <value name='MESSAGE'>generated-message-on-timeout</value>\
135  </values>\
136  </message>\
137  </action>\
138  </actions>\
139  </rule>\
140  <rule provider='test' id='10d' class='violation' context-scope='program' context-id='$PID' context-timeout='60'>\
141  <patterns>\
142  <pattern>correlated-message-with-action-condition</pattern>\
143  </patterns>\
144  <actions>\
145  <action trigger='match' condition='\"${PID}\" ne \"" MYPID "\"' >\
146  <message>\
147  <values>\
148  <value name='MESSAGE'>not-generated-message</value>\
149  </values>\
150  </message>\
151  </action>\
152  <action trigger='match' condition='\"${PID}\" eq \"" MYPID "\"' >\
153  <message>\
154  <values>\
155  <value name='MESSAGE'>generated-message-on-condition</value>\
156  </values>\
157  </message>\
158  </action>\
159  </actions>\
160  </rule>\
161  <rule provider='test' id='10e' class='violation' context-scope='program' context-id='$PID' context-timeout='60'>\
162  <patterns>\
163  <pattern>correlated-message-with-rate-limited-action</pattern>\
164  </patterns>\
165  <actions>\
166  <action trigger='match' rate='1/60'>\
167  <message>\
168  <values>\
169  <value name='MESSAGE'>generated-message-rate-limit</value>\
170  </values>\
171  </message>\
172  </action>\
173  </actions>\
174  </rule>\
175  <rule provider='test' id='10f' class='violation' context-scope='program' context-id='$PROGRAM' context-timeout='60'>\
176  <patterns>\
177  <pattern>correlated-message-with-action-condition-filter</pattern>\
178  </patterns>\
179  <actions>\
180  <action trigger='match' condition='message(\"filter-not-exists\" type(pcre))' >\
181  <message>\
182  <values>\
183  <value name='MESSAGE'>not-generated-message</value>\
184  </values>\
185  </message>\
186  </action>\
187  <action trigger='match' condition='message(\"filter\" type(pcre))' >\
188  <message>\
189  <values>\
190  <value name='MESSAGE'>generated-message-on-condition</value>\
191  </values>\
192  </message>\
193  </action>\
194  </actions>\
195  </rule>\
196  <rule provider='test' id='11b' class='violation'>\
197  <patterns>\
198  <pattern>simple-message-with-action-on-match</pattern>\
199  </patterns>\
200  <actions>\
201  <action trigger='match'>\
202  <message>\
203  <values>\
204  <value name='MESSAGE'>generated-message-on-match</value>\
205  <value name='context-id'>${CONTEXT_ID}</value>\
206  </values>\
207  <tags>\
208  <tag>simple-msg-tag</tag>\
209  </tags>\
210  </message>\
211  </action>\
212  </actions>\
213  </rule>\
214  <rule provider='test' id='11d' class='violation'>\
215  <patterns>\
216  <pattern>simple-message-with-action-condition</pattern>\
217  </patterns>\
218  <actions>\
219  <action trigger='match' condition='\"${PID}\" ne \"" MYPID "\"' >\
220  <message>\
221  <values>\
222  <value name='MESSAGE'>not-generated-message</value>\
223  </values>\
224  </message>\
225  </action>\
226  <action trigger='match' condition='\"${PID}\" eq \"" MYPID "\"' >\
227  <message>\
228  <values>\
229  <value name='MESSAGE'>generated-message-on-condition</value>\
230  </values>\
231  </message>\
232  </action>\
233  </actions>\
234  </rule>\
235  <rule provider='test' id='11e' class='violation'>\
236  <patterns>\
237  <pattern>simple-message-with-rate-limited-action</pattern>\
238  </patterns>\
239  <actions>\
240  <action trigger='match' rate='1/60'>\
241  <message>\
242  <values>\
243  <value name='MESSAGE'>generated-message-rate-limit</value>\
244  </values>\
245  </message>\
246  </action>\
247  </actions>\
248  <examples>\
249  <example>\
250  <test_message program='prog1'>simple-message-with-rate-limited-action</test_message>\
251  <test_values>\
252  <test_value name='PROGRAM'>prog1</test_value>\
253  <test_value name='MESSAGE'>foobar</test_value>\
254  </test_values>\
255  </example>\
256  <example>\
257  <test_message program='prog2'>simple-message-with-rate-limited-action</test_message>\
258  </example>\
259  </examples>\
260  </rule>\
261  <rule provider='test' id='12' class='violation'>\
262  <patterns>\
263  <pattern>simple-message-with-action-to-create-context</pattern>\
264  </patterns>\
265  <actions>\
266  <action trigger='match'>\
267  <create-context context-id='1000' context-timeout='60' context-scope='program'>\
268  <message inherit-properties='context'>\
269  <values>\
270  <value name='MESSAGE'>context message</value>\
271  </values>\
272  </message>\
273  </create-context>\
274  </action>\
275  </actions>\
276  </rule>\
277  <rule provider='test' id='13' class='violation' context-id='1000' context-timeout='60' context-scope='program'>\
278  <patterns>\
279  <pattern>correlated-message-that-uses-context-created-by-rule-id#12</pattern>\
280  </patterns>\
281  <values>\
282  <value name='triggering-message'>${MESSAGE}@1 assd</value>\
283  </values>\
284  </rule>\
285  <rule provider='test' id='14' class='violation' context-id='1001' context-timeout='60' context-scope='program'>\
286  <patterns>\
287  <pattern>correlated-message-with-action-to-create-context</pattern>\
288  </patterns>\
289  <values>\
290  <value name='rule-msg-context-id'>${.classifier.context_id}</value>\
291  </values>\
292  <actions>\
293  <action trigger='match'>\
294  <create-context context-id='1002' context-timeout='60' context-scope='program'>\
295  <message inherit-properties='context'>\
296  <values>\
297  <!-- we should inherit from the LogMessage matching this rule and not the to be created context -->\
298  <value name='MESSAGE'>context message ${rule-msg-context-id}</value>\
299  </values>\
300  </message>\
301  </create-context>\
302  </action>\
303  </actions>\
304  </rule>\
305  <rule provider='test' id='15' class='violation' context-id='1002' context-timeout='60' context-scope='program'>\
306  <patterns>\
307  <pattern>correlated-message-that-uses-context-created-by-rule-id#14</pattern>\
308  </patterns>\
309  <values>\
310  <value name='triggering-message'>${MESSAGE}@1 assd</value>\
311  <value name='triggering-message-context-id'>$(grep ('${rule-msg-context-id}' ne '') ${rule-msg-context-id})</value>\
312  </values>\
313  </rule>\
314  </rules>\
315  </ruleset>\
316 </patterndb>"
317 
/* Parser-coverage fixture: one ruleset that uses (nearly) every element the
 * patterndb v5 schema accepts, in one place.  Ruleset level: a single
 * <url>, a <urls> list, <description>, a <patterns> list (prog2/prog3) AND
 * a bare <pattern> (prog1) outside <patterns>.  Rule level: description,
 * urls, two patterns, tags, values (incl. ${HOST}), <examples> with
 * test_values, and two <actions>: a plain <message> and a
 * <create-context context-id='foobar'>.
 *
 * Things that look odd but are presumably intentional for a syntax test
 * (confirm in the loading test before "fixing" them):
 *   - the <action> elements carry no trigger attribute and the
 *     create-context no context-timeout / context-scope;
 *   - the rule's context-id='foobar' is a literal, not a template;
 *   - the example's test_message ("This is foobar message" from program
 *     'foobar') matches none of the rule patterns, and its test_values
 *     (foo/bar) are never set by the rule, so this example cannot pass as
 *     a self-test.
 *
 * The string literal is opened on the #define line and continued with
 * backslashes; do not put C comments on the continued lines. */
318 #define pdb_complete_syntax "\
319 <patterndb version='5' pub_date='2010-02-22'>\
320  <ruleset name='testset' id='1'>\
321  <url>http://foobar.org/</url>\
322  <urls>\
323  <url>http://foobar.org/1</url>\
324  <url>http://foobar.org/2</url>\
325  </urls>\
326  <description>This is a test set</description>\
327  <patterns>\
328  <pattern>prog2</pattern>\
329  <pattern>prog3</pattern>\
330  </patterns>\
331  <pattern>prog1</pattern>\
332  <rules>\
333  <rule provider='test' id='10' class='system' context-id='foobar' context-scope='program'>\
334  <description>This is a rule description</description>\
335  <urls>\
336  <url>http://foobar.org/1</url>\
337  <url>http://foobar.org/2</url>\
338  </urls>\
339  <patterns>\
340  <pattern>simple-message</pattern>\
341  <pattern>simple-message-alternative</pattern>\
342  </patterns>\
343  <tags>\
344  <tag>simple-msg-tag1</tag>\
345  <tag>simple-msg-tag2</tag>\
346  </tags>\
347  <values>\
348  <value name='simple-msg-value-1'>value1</value>\
349  <value name='simple-msg-value-2'>value2</value>\
350  <value name='simple-msg-host'>${HOST}</value>\
351  </values>\
352  <examples>\
353  <example>\
354  <test_message program='foobar'>This is foobar message</test_message>\
355  <test_values>\
356  <test_value name='foo'>foo</test_value>\
357  <test_value name='bar'>bar</test_value>\
358  </test_values>\
359  </example>\
360  </examples>\
361  <actions>\
362  <action>\
363  <message>\
364  <values>\
365  <value name='FOO'>foo</value>\
366  <value name='BAR'>bar</value>\
367  </values>\
368  <tags>\
369  <tag>tag1</tag>\
370  <tag>tag2</tag>\
371  </tags>\
372  </message>\
373  </action>\
374  <action>\
375  <create-context context-id='foobar'>\
376  <message>\
377  <values>\
378  <value name='FOO'>foo</value>\
379  <value name='BAR'>bar</value>\
380  </values>\
381  <tags>\
382  <tag>tag1</tag>\
383  <tag>tag2</tag>\
384  </tags>\
385  </message>\
386  </create-context>\
387  </action>\
388  </actions>\
389  </rule>\
390  </rules>\
391 </ruleset>\
392 </patterndb>"
393 
/* Property-inheritance fixture, "enabled" variant (v4, program prog2).
 * Rule 11 tags the matching message with basetag1/basetag2 and has a
 * trigger='match' action whose generated message is declared with
 * inherit-properties='TRUE' and adds its own value (actionkey) and tag
 * (actiontag).  Presumably the test asserts that the generated message
 * carries the base tags and original fields in addition to the action's
 * own ones; compare pdb_inheritance_disabled_skeleton, which differs only
 * in inherit-properties='FALSE' and the rule id / pattern text.
 * Continued lines are inside the string literal -- no C comments there. */
394 #define pdb_inheritance_enabled_skeleton "<patterndb version='4' pub_date='2010-02-22'>\
395  <ruleset name='testset' id='1'>\
396  <patterns>\
397  <pattern>prog2</pattern>\
398  </patterns>\
399  <rules>\
400  <rule provider='test' id='11' class='system'>\
401  <patterns>\
402  <pattern>pattern-with-inheritance-enabled</pattern>\
403  </patterns>\
404  <tags>\
405  <tag>basetag1</tag>\
406  <tag>basetag2</tag>\
407  </tags>\
408  <actions>\
409  <action trigger='match'>\
410  <message inherit-properties='TRUE'>\
411  <values>\
412  <value name='actionkey'>actionvalue</value>\
413  </values>\
414  <tags>\
415  <tag>actiontag</tag>\
416  </tags>\
417  </message>\
418  </action>\
419  </actions>\
420  </rule>\
421  </rules>\
422  </ruleset>\
423 </patterndb>"
424 
/* Property-inheritance fixture, "disabled" variant (v4, program prog2).
 * Identical in shape to pdb_inheritance_enabled_skeleton (rule tags
 * basetag1/basetag2, trigger='match' action adding actionkey/actiontag)
 * except that the generated message is declared with
 * inherit-properties='FALSE'.  Presumably the test asserts that the
 * generated message carries only the action's own value and tag, not
 * the base tags or the original message's fields -- confirm in the
 * loading test.  Continued lines are inside the string literal. */
425 #define pdb_inheritance_disabled_skeleton "<patterndb version='4' pub_date='2010-02-22'>\
426  <ruleset name='testset' id='1'>\
427  <patterns>\
428  <pattern>prog2</pattern>\
429  </patterns>\
430  <rules>\
431  <rule provider='test' id='12' class='system'>\
432  <patterns>\
433  <pattern>pattern-with-inheritance-disabled</pattern>\
434  </patterns>\
435  <tags>\
436  <tag>basetag1</tag>\
437  <tag>basetag2</tag>\
438  </tags>\
439  <actions>\
440  <action trigger='match'>\
441  <message inherit-properties='FALSE'>\
442  <values>\
443  <value name='actionkey'>actionvalue</value>\
444  </values>\
445  <tags>\
446  <tag>actiontag</tag>\
447  </tags>\
448  </message>\
449  </action>\
450  </actions>\
451  </rule>\
452  </rules>\
453  </ruleset>\
454 </patterndb>"
455 
/* Property-inheritance fixture, "context" variant (v4, program prog2).
 * Unlike the TRUE/FALSE variants, rule 11 here is correlated
 * (context-scope='program', context-id='$PID', 60 s timeout) and its
 * action fires on trigger='timeout', with the generated message declared
 * inherit-properties='context'.  Presumably the test checks which
 * message(s) of the expired context the generated message inherits
 * from (the XML comment in pdb_ruletest_skeleton rule 14 states the
 * intended semantics for the match-time case) -- confirm in the test.
 * Note the <rule> start tag is split across two continued lines; that
 * is still one string.  No C comments on the continued lines. */
456 #define pdb_inheritance_context_skeleton "\
457 <patterndb version='4' pub_date='2010-02-22'>\
458  <ruleset name='testset' id='1'>\
459  <patterns>\
460  <pattern>prog2</pattern>\
461  </patterns>\
462  <rules>\
463  <rule provider='test' id='11' class='system' context-scope='program'\
464  context-id='$PID' context-timeout='60'>\
465  <patterns>\
466  <pattern>pattern-with-inheritance-context</pattern>\
467  </patterns>\
468  <tags>\
469  <tag>basetag1</tag>\
470  <tag>basetag2</tag>\
471  </tags>\
472  <actions>\
473  <action trigger='timeout'>\
474  <message inherit-properties='context'>\
475  <values>\
476  <value name='MESSAGE'>action message</value>\
477  </values>\
478  <tags>\
479  <tag>actiontag</tag>\
480  </tags>\
481  </message>\
482  </action>\
483  </actions>\
484  </rule>\
485  </rules>\
486  </ruleset>\
487 </patterndb>"
488 
/* Context-length fixture (v4, programs prog1/prog2).  Rules 13, 14 and 15
 * all share the same correlation key (scope 'program', context-id='$PID',
 * 60 s timeout), so messages matching any of them land in one context.
 * Each rule has a trigger='match' action gated by a `condition`:
 *   13  fires when its own value n13-1 equals "v13-1" (always true for a
 *       match) and records $(context-length) as CONTEXT_LENGTH;
 *   14  fires only when "$(context-length)" eq "1", i.e. this is the
 *       first message in the context;
 *   15  fires only when "$(context-length)" eq "2"; its pattern uses
 *       @ANYSTRING:p15@ to swallow the rest of the message, and the
 *       generated message has inherit-properties='FALSE' and a single
 *       value fired=true.
 * Note that `condition` precedes `trigger` in these <action> tags;
 * attribute order is irrelevant in XML.  The <rule> start tags are
 * split over two continued lines.  No C comments on continued lines. */
489 #define pdb_msg_count_skeleton "<patterndb version='4' pub_date='2010-02-22'>\
490  <ruleset name='testset' id='1'>\
491  <patterns>\
492  <pattern>prog1</pattern>\
493  <pattern>prog2</pattern>\
494  </patterns>\
495  <rules>\
496  <rule provider='test' id='13' class='system' context-scope='program'\
497  context-id='$PID' context-timeout='60'>\
498  <patterns>\
499  <pattern>pattern13</pattern>\
500  </patterns>\
501  <values>\
502  <value name='n13-1'>v13-1</value>\
503  </values>\
504  <actions>\
505  <action condition='\"${n13-1}\" eq \"v13-1\"' trigger='match'>\
506  <message inherit-properties='TRUE'>\
507  <values>\
508  <value name='CONTEXT_LENGTH'>$(context-length)</value>\
509  </values>\
510  </message>\
511  </action>\
512  </actions>\
513  </rule>\
514  <rule provider='test' id='14' class='system' context-scope='program'\
515  context-id='$PID' context-timeout='60'>\
516  <patterns>\
517  <pattern>pattern14</pattern>\
518  </patterns>\
519  <actions>\
520  <action condition='\"$(context-length)\" eq \"1\"' trigger='match'>\
521  <message inherit-properties='TRUE'>\
522  <values>\
523  <value name='CONTEXT_LENGTH'>$(context-length)</value>\
524  </values>\
525  </message>\
526  </action>\
527  </actions>\
528  </rule>\
529  <rule provider='test' id='15' class='system' context-scope='program'\
530  context-id='$PID' context-timeout='60'>\
531  <patterns>\
532  <pattern>pattern15@ANYSTRING:p15@</pattern>\
533  </patterns>\
534  <actions>\
535  <action condition='\"$(context-length)\" eq \"2\"' trigger='match'>\
536  <message inherit-properties='FALSE'>\
537  <values>\
538  <value name='fired'>true</value>\
539  </values>\
540  </message>\
541  </action>\
542  </actions>\
543  </rule>\
544  </rules>\
545  </ruleset>\
546 </patterndb>"
547 
/* Negative/edge-case fixture (note: version 3, the oldest schema used in
 * this header).  The ruleset has no <rules> at all; instead a <tags>
 * element appears directly under <ruleset>, i.e. outside any <rule>.
 * Presumably used to check how the loader treats a misplaced <tags>
 * element (rejection vs. silent ignore is not determinable from here --
 * see the test that loads it).  Continued lines are inside the literal. */
548 #define pdb_tag_outside_of_rule_skeleton "<patterndb version='3' pub_date='2010-02-22'>\
549  <ruleset name='testset' id='1'>\
550  <patterns>\
551  <pattern>prog1</pattern>\
552  </patterns>\
553  <tags>\
554  <tag>tag1</tag>\
555  </tags>\
556  </ruleset>\
557 </patterndb>"
558 
559 
/* Program-pattern-with-parser fixture (v5).  The ruleset's *program*
 * pattern is not a literal but "sshd @NUMBER:num@", so the program name
 * itself is parsed (e.g. a trailing number captured as `num`).  The single
 * rule then matches the literal message "almafa".  Presumably the test
 * feeds a PROGRAM such as "sshd <digits>" and checks that the rule is
 * found and `num` is set -- confirm in the loading test.  Compare
 * pdb_test_program_template, which differs only in the message pattern.
 * Continued lines are inside the string literal. */
560 #define pdb_test_match_in_program "<patterndb version='5' pub_date='2010-02-22'>\
561 <ruleset name='sshd' id='1'>\
562 <patterns>\
563  <pattern>sshd @NUMBER:num@</pattern>\
564 </patterns>\
565 <rules>\
566  <rule id='12347598' class='sshd' provider='batman'>\
567  <patterns><pattern>almafa</pattern></patterns>\
568  </rule>\
569 </rules>\
570 </ruleset>\
571 </patterndb>"
572 
/* Same program pattern as pdb_test_match_in_program ("sshd @NUMBER:num@"),
 * but the rule's message pattern is "almafa @STRING:str@", so a parser is
 * active at both the program and the message level.  Presumably the test
 * verifies that both captures (`num` from the program name and `str` from
 * the message) are populated on one match -- confirm in the loading test.
 * Continued lines are inside the string literal. */
573 #define pdb_test_program_template "<patterndb version='5' pub_date='2010-02-22'>\
574 <ruleset name='sshd' id='1'>\
575 <patterns>\
576  <pattern>sshd @NUMBER:num@</pattern>\
577 </patterns>\
578 <rules>\
579  <rule id='12347598' class='sshd' provider='batman'>\
580  <patterns><pattern>almafa @STRING:str@</pattern></patterns>\
581  </rule>\
582 </rules>\
583 </ruleset>\
584 </patterndb>"
585 
586 #endif /* __TEST_PATTERNDB_H__ */