/* packet-snort-config.h
 *
 * Copyright 2016, Martin Mathieson
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <gerald@wireshark.org>
 * Copyright 1998 Gerald Combs
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
12 #ifndef __PACKET_SNORT_CONFIG_H__
13 #define __PACKET_SNORT_CONFIG_H__
#include <stdbool.h>
#include <stdint.h>

#include <glib.h>
/************************************************************************/
/* Rule related data types */
20 typedef enum content_type_t {
21 Content,
22 UriContent,
23 Pcre
24 } content_type_t;
/* Content (within an alert/rule) */
27 typedef struct content_t {
28 /* Details as parsed from rule */
29 content_type_t content_type;
31 char *str;
32 bool negation; /* i.e. pattern must not appear */
33 bool nocase; /* when set, do case insensitive match */
35 bool offset_set; /* Where to start looking within packet. -65535 -> 65535 */
36 int offset;
38 unsigned depth; /* How far to look into packet. Can't be 0 */
40 bool distance_set;
41 int distance; /* Same as offset but relative to last match. -65535 -> 65535 */
43 unsigned within; /* Most bytes from end of previous match. Max 65535 */
45 bool fastpattern; /* Is most distinctive content in rule */
47 bool rawbytes; /* Match should be done against raw bytes (which we do anyway) */
49 /* http preprocessor modifiers */
50 bool http_method;
51 bool http_client_body;
52 bool http_cookie;
53 bool http_user_agent;
55 /* Pattern converted into bytes for matching against packet.
56 Used for regular patterns and PCREs alike. */
57 unsigned char *translated_str;
58 bool translated;
59 unsigned translated_length;
61 bool pcre_case_insensitive;
62 bool pcre_dot_includes_newline;
63 bool pcre_raw;
64 bool pcre_multiline;
65 } content_t;
/* This is to keep track of a variable referenced by a rule */
68 typedef struct used_variable_t {
69 char *name;
70 char *value;
71 } used_variable_t;
/* The collection of variables referenced by a rule */
74 typedef struct relevant_vars_t {
75 bool relevant_vars_set;
77 #define MAX_RULE_PORT_VARS 6
78 unsigned num_port_vars;
79 used_variable_t port_vars[MAX_RULE_PORT_VARS];
81 #define MAX_RULE_IP_VARS 6
82 unsigned num_ip_vars;
83 used_variable_t ip_vars[MAX_RULE_IP_VARS];
85 } relevant_vars_t;
/* This is purely the information parsed from the config */
89 typedef struct Rule_t {
91 char *rule_string; /* The whole rule as read from the rule file */
92 char *file; /* Name of the rule file */
93 unsigned line_number; /* Line number of rule within rule file */
95 char *msg; /* Description of the rule */
96 char *classtype;
97 uint32_t sid, rev;
99 char *protocol;
101 /* content strings to match on */
102 unsigned int number_contents;
103 #define MAX_CONTENT_ENTRIES 30
104 content_t contents[MAX_CONTENT_ENTRIES];
106 /* Keep this pointer so can update attributes as parse modifier options */
107 content_t *last_added_content;
109 /* References describing the rule */
110 unsigned int number_references;
111 #define MAX_REFERENCE_ENTRIES 20
112 char *references[MAX_REFERENCE_ENTRIES];
114 relevant_vars_t relevant_vars;
116 /* Statistics */
117 unsigned matches_seen;
118 } Rule_t;
/* Whole global snort config as learned by parsing config files */
123 typedef struct SnortConfig_t
125 /* Variables (var, ipvar, portvar) */
126 GHashTable *vars;
127 GHashTable *ipvars;
128 GHashTable *portvars;
130 char *rule_path;
131 bool rule_path_is_absolute;
133 /* (sid -> Rule_t*) table */
134 GHashTable *rules;
135 /* Reference (web .link) prefixes */
136 GHashTable *references_prefixes;
138 /* Statistics (that may be reset) */
139 unsigned stat_rules_files;
140 unsigned stat_rules;
141 unsigned stat_alerts_detected;
143 } SnortConfig_t;
/*************************************************************************************/
/* API functions */
149 void create_config(SnortConfig_t **snort_config, const char *snort_config_file);
150 void delete_config(SnortConfig_t **snort_config);
152 /* Look up rule by SID */
153 Rule_t *get_rule(SnortConfig_t *snort_config, uint32_t sid);
154 void rule_set_alert(SnortConfig_t *snort_config, Rule_t *rule, unsigned *global_match_number, unsigned *rule_match_number);
156 /* IP and port vars */
157 void rule_set_relevant_vars(SnortConfig_t *snort_config, Rule_t *rule);
159 /* Substitute prefix (from reference.config) into reference string */
160 char *expand_reference(SnortConfig_t *snort_config, char *reference);
162 /* Rule stats */
163 void get_global_rule_stats(SnortConfig_t *snort_config, unsigned int sid,
164 unsigned int *number_rules_files, unsigned int *number_rules,
165 unsigned int *alerts_detected, unsigned int *this_rule_alerts_detected);
166 void reset_global_rule_stats(SnortConfig_t *snort_config);
168 /* Expanding a content field string to the expected binary bytes */
169 unsigned content_convert_to_binary(content_t *content);
171 bool content_convert_pcre_for_regex(content_t *content);
173 #endif
/*
 * Editor modelines - https://www.wireshark.org/tools/modelines.html
 *
 * Local variables:
 * c-basic-offset: 4
 * tab-width: 8
 * indent-tabs-mode: nil
 * End:
 *
 * vi: set shiftwidth=4 tabstop=8 expandtab:
 * :indentSize=4:tabSize=8:noTabs=true:
 */