1 /* snort-config.h
2  *
3  * Copyright 2016, Martin Mathieson
4  *
5  * Wireshark - Network traffic analyzer
6  * By Gerald Combs <gerald@wireshark.org>
7  * Copyright 1998 Gerald Combs
8  *
9  * SPDX-License-Identifier: GPL-2.0-or-later
10  */
11 
12 
13 #include <glib.h>
14 
15 #ifndef SNORT_CONFIG_H
16 #define SNORT_CONFIG_H
17 
18 #include "ws_attributes.h"
19 
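/* #define SNORT_CONFIG_DEBUG */
#ifdef SNORT_CONFIG_DEBUG
/* Debug tracing goes straight to printf, so every call site must pass a
 * string literal as the format argument: handing it text taken from a rule
 * or config file would be a format-string bug that only exists in debug
 * builds, because the release expansion below discards the arguments
 * without ever evaluating them and so hides the misuse. */
#define snort_debug_printf printf
#else
/* Release builds: expand to a no-op expression rather than to nothing, so
 * a call still forms a complete statement (no empty-body/dangling-else
 * surprises) and none of the arguments are evaluated. */
#define snort_debug_printf(...) ((void)0)
#endif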
26 
27 /************************************************************************/
28 /* Rule related data types */
29 
/* Which kind of pattern a content_t carries.  The names mirror the Snort
 * rule options they are presumably parsed from (content:, uricontent:,
 * pcre:); Pcre entries additionally use the pcre_* flags in content_t. */
typedef enum content_type_t {
    Content    = 0,   /* plain byte/string pattern */
    UriContent = 1,   /* pattern applied to the URI */
    Pcre       = 2    /* regular expression */
} content_type_t;
35 
36 /* Content (within an alert/rule) */
/* Content (within an alert/rule).
 *
 * One pattern from a rule together with the modifiers that follow it.  The
 * parse-time fields are filled from the rule text, i.e. from an external
 * file; translated_str/translated_length hold the pattern in the form that
 * is actually compared against packet bytes.  The numeric ranges quoted
 * below are limits that whoever parses the rule must enforce -- this header
 * only declares the storage and checks nothing. */
typedef struct content_t {
    /* Details as parsed from rule */
    content_type_t content_type;

    char *str;               /* Pattern text as written in the rule */
    gboolean negation;       /* i.e. pattern must not appear */
    gboolean nocase;         /* when set, do case insensitive match */

    gboolean offset_set;     /* Where to start looking within packet. -65535 -> 65535 */
    gint offset;             /* Presumably only meaningful when offset_set is TRUE */

    guint depth;             /* How far to look into packet. Can't be 0 */

    gboolean distance_set;
    gint distance;           /* Same as offset but relative to last match. -65535 -> 65535 */

    guint within;            /* Most bytes from end of previous match. Max 65535 */

    gboolean fastpattern;    /* Is most distinctive content in rule */

    gboolean rawbytes;       /* Match should be done against raw bytes (which we do anyway) */

    /* http preprocessor modifiers */
    gboolean http_method;
    gboolean http_client_body;
    gboolean http_cookie;
    gboolean http_user_agent;

    /* Pattern converted into bytes for matching against packet.
       Used for regular patterns and PCREs alike.
       NOTE(review): translated_str is a byte buffer with an explicit
       length, not necessarily a NUL-terminated C string -- matching code
       must bound its reads by translated_length.  Who allocates and frees
       str / translated_str is not visible in this header. */
    guchar *translated_str;
    gboolean translated;     /* Presumably set once translated_str/translated_length are valid */
    guint translated_length;

    /* pcre flag modifiers; presumably only consulted when content_type == Pcre */
    gboolean pcre_case_insensitive;
    gboolean pcre_dot_includes_newline;
    gboolean pcre_raw;
    gboolean pcre_multiline;
} content_t;
76 
77 /* This is to keep track of a variable referenced by a rule */
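/* This is to keep track of a variable referenced by a rule.
 *
 * name is presumably the variable as referenced in the rule and value the
 * text it resolved to.  Both are plain C strings; this header does not say
 * who allocates or frees them, so check the code that fills a
 * relevant_vars_t before assuming either is owned here.
 * (The closing of this typedef was missing from the listing; restored.) */
typedef struct used_variable_t {
    char *name;
    char *value;
} used_variable_t;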
82 
83 /* The collection of variables referenced by a rule */
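/* The collection of variables referenced by a rule.
 *
 * Both tables are fixed-size: num_port_vars / num_ip_vars count the valid
 * leading entries and must never exceed the matching MAX_RULE_*_VARS.  Rule
 * files are external input and may reference more variables than fit here,
 * so the code that appends an entry has to check the count against the
 * limit before writing -- nothing in this header does.
 * (The closing of this typedef was missing from the listing; restored.) */
typedef struct relevant_vars_t {
    gboolean relevant_vars_set;      /* Presumably TRUE once the tables below have been filled */

    #define MAX_RULE_PORT_VARS 6
    guint num_port_vars;             /* Valid entries in port_vars[], <= MAX_RULE_PORT_VARS */
    used_variable_t port_vars[MAX_RULE_PORT_VARS];

    #define MAX_RULE_IP_VARS 6
    guint num_ip_vars;               /* Valid entries in ip_vars[], <= MAX_RULE_IP_VARS */
    used_variable_t ip_vars[MAX_RULE_IP_VARS];
} relevant_vars_t;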
94 
96 
97 
98 /* This is purely the information parsed from the config */
/* This is purely the information parsed from the config.
 *
 * One rule from a rules file, stored in SnortConfig_t.rules keyed by sid.
 * Every string field and both fixed-size tables are populated from the rule
 * text, i.e. from external input: the parser must bound number_contents by
 * MAX_CONTENT_ENTRIES and number_references by MAX_REFERENCE_ENTRIES before
 * appending, since nothing in this header does.  Ownership of the char *
 * fields (who frees them) is not visible here. */
typedef struct Rule_t {

    char *rule_string;       /* The whole rule as read from the rule file */
    char *file;              /* Name of the rule file */
    guint line_number;       /* Line number of rule within rule file */

    char *msg;               /* Description of the rule */
    char *classtype;
    guint32 sid, rev;        /* sid and rev as given in the rule */

    char *protocol;

    /* content strings to match on */
    unsigned int number_contents;            /* Valid leading entries in contents[] */
#define MAX_CONTENT_ENTRIES 30
    content_t contents[MAX_CONTENT_ENTRIES];

    /* Keep this pointer so can update attributes as parse modifier options.
       Presumably points at an element of contents[] above, so it is only
       meaningful while this Rule_t stays at the same address (a by-value
       copy would still point into the original) and while the rule is
       being parsed. */
    content_t *last_added_content;

    /* References describing the rule */
    unsigned int number_references;          /* Valid leading entries in references[] */
#define MAX_REFERENCE_ENTRIES 20
    char *references[MAX_REFERENCE_ENTRIES];

    relevant_vars_t relevant_vars;           /* Variables this rule uses; see relevant_vars_set */

    /* Statistics */
    guint matches_seen;                      /* Presumably how often this rule has alerted */
} Rule_t;
129 
130 
131 
132 /* Whole global snort config as learned by parsing config files */
/* Whole global snort config as learned by parsing config files.
 *
 * Everything here is built from the snort config and the files it names, so
 * all of it is external input as far as the dissector is concerned.  The
 * GHashTable fields are pointers; which keys/values they own and free is
 * not visible in this header -- see create_config()/delete_config(). */
typedef struct SnortConfig_t
{
    /* Variables (var, ipvar, portvar) */
    GHashTable *vars;
    GHashTable *ipvars;
    GHashTable *portvars;

    char *rule_path;                  /* Presumably the directory rule files are read from, as given in the config */
    gboolean rule_path_is_absolute;   /* Whether rule_path is absolute; how relative paths are resolved is decided by the parser */

    /* (sid -> Rule_t*) table */
    GHashTable *rules;
    /* Reference (web .link) prefixes */
    GHashTable *references_prefixes;  /* Consulted by expand_reference() */

    /* Statistics (that may be reset) */
    guint stat_rules_files;
    guint stat_rules;
    guint stat_alerts_detected;       /* Cleared by reset_global_rule_stats(), presumably along with the two above */

} SnortConfig_t;
154 
155 
156 /*************************************************************************************/
157 /* API functions */
158 
/* Parse snort_config_file (and whatever files it names) into a new config
 * stored through *snort_config.  What happens on a missing or malformed
 * file is not visible here -- NOTE(review): confirm whether *snort_config
 * can be left NULL before callers dereference it. */
void create_config(SnortConfig_t **snort_config, const char *snort_config_file);
/* Release *snort_config; the double pointer suggests it is also reset to
 * NULL -- confirm in the definition. */
void delete_config(SnortConfig_t **snort_config);

/* Look up rule by SID.  Presumably returns NULL when sid is not in
 * snort_config->rules; check the result before dereferencing. */
Rule_t *get_rule(SnortConfig_t *snort_config, guint32 sid);
/* Record that rule has alerted.  Presumably updates the config's alert
 * statistics and rule->matches_seen and reports the new global and per-rule
 * match numbers through the two out-pointers -- exact semantics in the
 * definition. */
void rule_set_alert(SnortConfig_t *snort_config, Rule_t *rule, guint *global_match_number, guint *rule_match_number);

/* IP and port vars: resolve the variables referenced by rule against
 * snort_config's var tables and fill rule->relevant_vars (bounded by
 * MAX_RULE_PORT_VARS / MAX_RULE_IP_VARS). */
void rule_set_relevant_vars(SnortConfig_t *snort_config, Rule_t *rule);

/* Substitute prefix (from reference.config) into reference string.
 * Whether the returned string is newly allocated (caller frees) or aliases
 * existing storage is not stated here -- NOTE(review): check the definition
 * before freeing or caching the result. */
char *expand_reference(SnortConfig_t *snort_config, char *reference);

/* Rule stats.  Note sid is a plain unsigned int here while get_rule() takes
 * guint32; they should agree for consistency.  this_rule_alerts_detected is
 * presumably taken from the rule with that sid, the rest from the stat_*
 * counters in SnortConfig_t. */
void get_global_rule_stats(SnortConfig_t *snort_config, unsigned int sid,
                           unsigned int *number_rules_files, unsigned int *number_rules,
                           unsigned int *alerts_detected, unsigned int *this_rule_alerts_detected);
/* Zero the "may be reset" counters in SnortConfig_t. */
void reset_global_rule_stats(SnortConfig_t *snort_config);

/* Expanding a content field string to the expected binary bytes:
 * fills content->translated_str / translated_length from content->str.
 * The guint result is presumably the translated length -- confirm what it
 * returns on failure before relying on it as a success flag. */
guint content_convert_to_binary(content_t *content);

/* Convert a Pcre content's str into the form used by the regex matcher,
 * presumably also setting the pcre_* flags; returns a gboolean that is
 * presumably TRUE on success -- confirm in the definition. */
gboolean content_convert_pcre_for_regex(content_t *content);
182 
183 #endif
184 
185 /*
186  * Editor modelines - http://www.wireshark.org/tools/modelines.html
187  *
188  * Local variables:
189  * c-basic-offset: 4
190  * tab-width: 8
191  * indent-tabs-mode: nil
192  * End:
193  *
194  * vi: set shiftwidth=4 tabstop=8 expandtab:
195  * :indentSize=4:tabSize=8:noTabs=true:
196  */