|
snort
2.9.17
About: Snort is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.
 Fossies Dox: snort-2.9.17.tar.gz ("unofficial" and yet experimental doxygen-generated source code documentation)  |
Support functions for rule option tree. More...
#include "sfutil/sfxhash.h"#include "sfutil/sfhashfcn.h"#include "detection_options.h"#include "detection_util.h"#include "rules.h"#include "treenodes.h"#include "util.h"#include "fpcreate.h"#include "parser.h"#include "sp_asn1.h"#include "sp_byte_check.h"#include "sp_byte_jump.h"#include "sp_byte_extract.h"#include "sp_byte_math.h"#include "sp_clientserver.h"#include "sp_cvs.h"#include "sp_dsize_check.h"#include "sp_flowbits.h"#include "sp_ftpbounce.h"#include "sp_icmp_code_check.h"#include "sp_icmp_id_check.h"#include "sp_icmp_seq_check.h"#include "sp_icmp_type_check.h"#include "sp_ip_fragbits.h"#include "sp_ip_id_check.h"#include "sp_ipoption_check.h"#include "sp_ip_proto.h"#include "sp_ip_same_check.h"#include "sp_ip_tos_check.h"#include "sp_file_data.h"#include "sp_base64_decode.h"#include "sp_isdataat.h"#include "sp_pattern_match.h"#include "sp_pcre.h"#include "sp_replace.h"#include "sp_rpc_check.h"#include "sp_session.h"#include "sp_tcp_ack_check.h"#include "sp_tcp_flag_check.h"#include "sp_tcp_seq_check.h"#include "sp_tcp_win_check.h"#include "sp_ttl_check.h"#include "sp_urilen_check.h"#include "sp_hdr_opt_wrap.h"#include "sp_file_type.h"#include "sp_preprocopt.h"#include "sp_dynamic.h"#include "fpdetect.h"#include "ppm.h"#include "profiler.h"#include "sfPolicy.h"#include "detection_filter.h"#include "encode.h"#include "detection_leaf_node.c"Go to the source code of this file.
Data Structures | |
| struct | _detection_option_key |
Macros | |
| #define | HASH_RULE_OPTIONS 16384 |
| #define | HASH_RULE_TREE 8192 |
Typedefs | |
| typedef struct _detection_option_key | detection_option_key_t |
Variables | |
| char * | option_type_str [] |
| uint64_t | rule_eval_pkt_count = 0 |
Support functions for rule option tree.
This implements tree processing for rule options, evaluating common detection options only once per pattern match.
Definition in file detection_options.c.
| #define HASH_RULE_OPTIONS 16384 |
Definition at line 112 of file detection_options.c.
| #define HASH_RULE_TREE 8192 |
Definition at line 113 of file detection_options.c.
| typedef struct _detection_option_key detection_option_key_t |
| int add_detection_option | ( | struct _SnortConfig * | sc, |
| option_type_t | type, | ||
| void * | option_data, | ||
| void ** | existing_data | ||
| ) |
Definition at line 597 of file detection_options.c.
References DETECTION_OPTION_EQUAL, _SnortConfig::detection_option_hash_table, DETECTION_OPTION_NOT_EQUAL, DetectionHashTableNew(), FatalError(), NULL, _detection_option_key::option_data, _detection_option_key::option_type, sfxhash_add(), sfxhash_find(), and type.
Referenced by AddPreprocessorRuleOption(), AppIdInit(), Asn1Init(), Base64DecodeInit(), ByteExtractInit(), ByteJumpInit(), ByteMathInit(), ByteTestInit(), ConvertAsn1Option(), ConvertBase64DecodeOption(), ConvertByteExtractOption(), ConvertByteJumpOption(), ConvertByteMathOption(), ConvertByteTestOption(), ConvertCursorOption(), ConvertFileDataOption(), ConvertFlowbitOption(), ConvertFlowflagsOption(), ConvertHdrCheckOption(), ConvertPcreOption(), ConvertPreprocessorOption(), CvsInit(), DynamicInit(), FileDataInit(), FinalizeContentUniqueness(), FlowBitsInit(), FTPBounceInit(), IpProtoInit(), IpSameCheckInit(), IsDataAtInit(), ParseDsize(), ParseFlowArgs(), ParseFragBits(), ParseFragOffset(), ParseIcmpCode(), ParseIcmpId(), ParseIcmpSeq(), ParseIcmpType(), ParseIpId(), ParseIpOptionData(), ParseIpTos(), ParseRpc(), ParseSession(), ParseTcpAck(), ParseTCPFlags(), ParseTcpSeq(), ParseTcpWin(), ParseTtl(), ParseUriLen(), RegisterDynamicRule(), Rule_Init(), and SnortPcreInit().
| int add_detection_option_tree | ( | SnortConfig * | sc, |
| detection_option_tree_node_t * | option_tree, | ||
| void ** | existing_data | ||
| ) |
Definition at line 839 of file detection_options.c.
References DETECTION_OPTION_EQUAL, DETECTION_OPTION_NOT_EQUAL, _SnortConfig::detection_option_tree_hash_table, DetectionTreeHashTableNew(), FatalError(), NULL, _detection_option_key::option_data, _detection_option_key::option_type, RULE_OPTION_TYPE_LEAF_NODE, sfxhash_add(), and sfxhash_find().
Referenced by finalize_detection_option_tree().
| int detection_hash_free_func | ( | void * | option_key, |
| void * | data | ||
| ) |
Definition at line 424 of file detection_options.c.
References ByteExtractFree(), ByteMathFree(), FileTypeFree(), FlowBitsFree(), fpDynamicDataFree(), _detection_option_key::option_data, _detection_option_key::option_type, optionAppIdFree(), PatternMatchFree(), PcreFree(), PreprocessorRuleOptionsFreeFunc(), RULE_OPTION_TYPE_ASN1, RULE_OPTION_TYPE_BASE64_DATA, RULE_OPTION_TYPE_BASE64_DECODE, RULE_OPTION_TYPE_BYTE_EXTRACT, RULE_OPTION_TYPE_BYTE_JUMP, RULE_OPTION_TYPE_BYTE_MATH, RULE_OPTION_TYPE_BYTE_TEST, RULE_OPTION_TYPE_CONTENT, RULE_OPTION_TYPE_CONTENT_URI, RULE_OPTION_TYPE_CVS, RULE_OPTION_TYPE_DSIZE, RULE_OPTION_TYPE_DYNAMIC, RULE_OPTION_TYPE_FILE_DATA, RULE_OPTION_TYPE_FILE_TYPE, RULE_OPTION_TYPE_FLOW, RULE_OPTION_TYPE_FLOWBIT, RULE_OPTION_TYPE_FTPBOUNCE, RULE_OPTION_TYPE_HDR_OPT_CHECK, RULE_OPTION_TYPE_ICMP_CODE, RULE_OPTION_TYPE_ICMP_ID, RULE_OPTION_TYPE_ICMP_SEQ, RULE_OPTION_TYPE_ICMP_TYPE, RULE_OPTION_TYPE_IP_FRAG_OFFSET, RULE_OPTION_TYPE_IP_FRAGBITS, RULE_OPTION_TYPE_IP_ID, RULE_OPTION_TYPE_IP_OPTION, RULE_OPTION_TYPE_IP_PROTO, RULE_OPTION_TYPE_IP_SAME, RULE_OPTION_TYPE_IP_TOS, RULE_OPTION_TYPE_IS_DATA_AT, RULE_OPTION_TYPE_LEAF_NODE, RULE_OPTION_TYPE_PCRE, RULE_OPTION_TYPE_PKT_DATA, RULE_OPTION_TYPE_PREPROCESSOR, RULE_OPTION_TYPE_RPC_CHECK, RULE_OPTION_TYPE_SESSION, RULE_OPTION_TYPE_TCP_ACK, RULE_OPTION_TYPE_TCP_FLAG, RULE_OPTION_TYPE_TCP_SEQ, RULE_OPTION_TYPE_TCP_WIN, RULE_OPTION_TYPE_TTL, and RULE_OPTION_TYPE_URILEN.
Referenced by DetectionHashTableNew().
Definition at line 115 of file detection_options.c.
References Asn1Hash(), Base64DecodeHash(), ByteExtractHash(), ByteJumpHash(), ByteMathHash(), ByteTestHash(), CvsHash(), DSizeCheckHash(), DynamicRuleHash(), FileDataHash(), FileTypeHash(), FlowBitsHash(), FlowHash(), HdrOptCheckHash(), IcmpCodeCheckHash(), IcmpIdCheckHash(), IcmpSeqCheckHash(), IcmpTypeCheckHash(), IpFragBitsCheckHash(), IpFragOffsetCheckHash(), IpIdCheckHash(), IpOptionCheckHash(), IpProtoCheckHash(), IpSameCheckHash(), IpTosCheckHash(), IsDataAtHash(), _detection_option_key::option_data, _detection_option_key::option_type, optionAppIdHash(), PatternMatchHash(), PcreHash(), PreprocessorRuleOptionHash(), RpcCheckHash(), RULE_OPTION_TYPE_ASN1, RULE_OPTION_TYPE_BASE64_DATA, RULE_OPTION_TYPE_BASE64_DECODE, RULE_OPTION_TYPE_BYTE_EXTRACT, RULE_OPTION_TYPE_BYTE_JUMP, RULE_OPTION_TYPE_BYTE_MATH, RULE_OPTION_TYPE_BYTE_TEST, RULE_OPTION_TYPE_CONTENT, RULE_OPTION_TYPE_CONTENT_URI, RULE_OPTION_TYPE_CVS, RULE_OPTION_TYPE_DSIZE, RULE_OPTION_TYPE_DYNAMIC, RULE_OPTION_TYPE_FILE_DATA, RULE_OPTION_TYPE_FILE_TYPE, RULE_OPTION_TYPE_FLOW, RULE_OPTION_TYPE_FLOWBIT, RULE_OPTION_TYPE_FTPBOUNCE, RULE_OPTION_TYPE_HDR_OPT_CHECK, RULE_OPTION_TYPE_ICMP_CODE, RULE_OPTION_TYPE_ICMP_ID, RULE_OPTION_TYPE_ICMP_SEQ, RULE_OPTION_TYPE_ICMP_TYPE, RULE_OPTION_TYPE_IP_FRAG_OFFSET, RULE_OPTION_TYPE_IP_FRAGBITS, RULE_OPTION_TYPE_IP_ID, RULE_OPTION_TYPE_IP_OPTION, RULE_OPTION_TYPE_IP_PROTO, RULE_OPTION_TYPE_IP_SAME, RULE_OPTION_TYPE_IP_TOS, RULE_OPTION_TYPE_IS_DATA_AT, RULE_OPTION_TYPE_LEAF_NODE, RULE_OPTION_TYPE_PCRE, RULE_OPTION_TYPE_PKT_DATA, RULE_OPTION_TYPE_PREPROCESSOR, RULE_OPTION_TYPE_RPC_CHECK, RULE_OPTION_TYPE_SESSION, RULE_OPTION_TYPE_TCP_ACK, RULE_OPTION_TYPE_TCP_FLAG, RULE_OPTION_TYPE_TCP_SEQ, RULE_OPTION_TYPE_TCP_WIN, RULE_OPTION_TYPE_TTL, RULE_OPTION_TYPE_URILEN, SessionHash(), TcpAckCheckHash(), TcpFlagCheckHash(), TcpSeqCheckHash(), TcpWinCheckHash(), TtlCheckHash(), and UriLenCheckHash().
Referenced by DetectionHashTableNew().
Definition at line 264 of file detection_options.c.
References Asn1Compare(), Base64DecodeCompare(), ByteExtractCompare(), ByteJumpCompare(), ByteMathCompare(), ByteTestCompare(), CvsCompare(), DETECTION_OPTION_NOT_EQUAL, DSizeCheckCompare(), DynamicRuleCompare(), FileDataCompare(), FileTypeCompare(), FlowBitsCompare(), FlowCompare(), HdrOptCheckCompare(), IcmpCodeCheckCompare(), IcmpIdCheckCompare(), IcmpSeqCheckCompare(), IcmpTypeCheckCompare(), IpFragBitsCheckCompare(), IpFragOffsetCheckCompare(), IpIdCheckCompare(), IpOptionCheckCompare(), IpProtoCheckCompare(), IpSameCheckCompare(), IpTosCheckCompare(), IsDataAtCompare(), _detection_option_key::option_data, _detection_option_key::option_type, optionAppIdCompare(), PatternMatchCompare(), PcreCompare(), PreprocessorRuleOptionCompare(), RpcCheckCompare(), RULE_OPTION_TYPE_ASN1, RULE_OPTION_TYPE_BASE64_DATA, RULE_OPTION_TYPE_BASE64_DECODE, RULE_OPTION_TYPE_BYTE_EXTRACT, RULE_OPTION_TYPE_BYTE_JUMP, RULE_OPTION_TYPE_BYTE_MATH, RULE_OPTION_TYPE_BYTE_TEST, RULE_OPTION_TYPE_CONTENT, RULE_OPTION_TYPE_CONTENT_URI, RULE_OPTION_TYPE_CVS, RULE_OPTION_TYPE_DSIZE, RULE_OPTION_TYPE_DYNAMIC, RULE_OPTION_TYPE_FILE_DATA, RULE_OPTION_TYPE_FILE_TYPE, RULE_OPTION_TYPE_FLOW, RULE_OPTION_TYPE_FLOWBIT, RULE_OPTION_TYPE_FTPBOUNCE, RULE_OPTION_TYPE_HDR_OPT_CHECK, RULE_OPTION_TYPE_ICMP_CODE, RULE_OPTION_TYPE_ICMP_ID, RULE_OPTION_TYPE_ICMP_SEQ, RULE_OPTION_TYPE_ICMP_TYPE, RULE_OPTION_TYPE_IP_FRAG_OFFSET, RULE_OPTION_TYPE_IP_FRAGBITS, RULE_OPTION_TYPE_IP_ID, RULE_OPTION_TYPE_IP_OPTION, RULE_OPTION_TYPE_IP_PROTO, RULE_OPTION_TYPE_IP_SAME, RULE_OPTION_TYPE_IP_TOS, RULE_OPTION_TYPE_IS_DATA_AT, RULE_OPTION_TYPE_LEAF_NODE, RULE_OPTION_TYPE_PCRE, RULE_OPTION_TYPE_PKT_DATA, RULE_OPTION_TYPE_PREPROCESSOR, RULE_OPTION_TYPE_RPC_CHECK, RULE_OPTION_TYPE_SESSION, RULE_OPTION_TYPE_TCP_ACK, RULE_OPTION_TYPE_TCP_FLAG, RULE_OPTION_TYPE_TCP_SEQ, RULE_OPTION_TYPE_TCP_WIN, RULE_OPTION_TYPE_TTL, RULE_OPTION_TYPE_URILEN, SessionCompare(), TcpAckCheckCompare(), TcpFlagCheckCompare(), TcpSeqCheckCompare(), TcpWinCheckCompare(), TtlCheckCompare(), and UriLenCheckCompare().
Referenced by DetectionHashTableNew().
| int detection_option_node_evaluate | ( | detection_option_tree_node_t * | node, |
| detection_option_eval_data_t * | eval_data | ||
| ) |
Definition at line 884 of file detection_options.c.
References HttpBuffer::buf, _PatternMatchData::buffer_func, CHECK_URI_PATTERN_MATCH, _detection_option_tree_node::children, _Packet::data, DataPointer::data, DataBuffer::data, DecodeBuffer, DetectBuffer, _OptTreeNode::detection_filter, detection_filter_test(), detection_leaf_node_eval(), DETECTION_OPTION_FAILED_BIT, DETECTION_OPTION_MATCH, DETECTION_OPTION_NO_ALERT, DETECTION_OPTION_NO_MATCH, detection_option_node_evaluate(), doe_buf_flags, doe_ptr, _detection_option_tree_node::evaluate, _PatternMatchData::exception_flag, FLAG_ALT_DECODE, FLAG_ALT_DETECT, _detection_option_tree_node::flowbit_failed, _detection_option_eval_data::flowbit_failed, _detection_option_eval_data::flowbit_noalert, FlowBits_SetOperation(), fpAddMatch(), fpEvalRTN(), Get_DetectFlags(), GET_DST_IP, GET_SRC_IP, GetByteExtractValue(), GetHttpBuffer(), GetRebuiltPktCount(), getRuntimeRtnFromOtn(), _PatternMatchData::http_buffer, Is_DetectFlag(), _detection_option_tree_node::is_relative, _detection_option_tree_node::last_check, _PatternMatchData::last_check, Leaf_Abort, Leaf_CheckPorts, Leaf_SkipPorts, NODE_PROFILE_END_MATCH, NODE_PROFILE_END_NOMATCH, NODE_PROFILE_START, NODE_PROFILE_TMPEND, NODE_PROFILE_TMPSTART, NODE_PROFILE_VARS, NULL, NUM_BYTE_EXTRACT_VARS, _detection_option_tree_node::num_children, _detection_option_tree_node::option_data, _detection_option_tree_node::option_type, _PcreData::options, _detection_option_eval_data::p, _Packet::packet_flags, _detection_option_tree_node::packet_number, _PatternMatchData::packet_number, PatternMatchAdjustRelativeOffsets(), PatternMatchDuplicatePmd(), PcreAdjustRelativeOffsets(), PcreDuplicatePcreData(), PKT_ALLOW_MULTIPLE_DETECT, PKT_IP_RULE_2ND, PKT_REBUILT_STREAM, _Packet::pkth, _detection_option_eval_data::pmd, PMD_WITHIN_UNDEFINED, _detection_option_eval_data::pomd, PPM_GET_TIME, _PatternMatchData::protected_pattern, PROTO_BIT__GTP, PROTO_BIT__TEREDO, _Packet::proto_bits, _PatternMatchData::rawbytes, _detection_option_tree_node::rebuild_flag, _PatternMatchData::rebuild_flag, _detection_option_tree_node::relative_children, Replace_OffsetStored(), Replace_QueueChange(), Reset_DetectFlags(), _detection_option_tree_node::result, rule_eval_pkt_count, RULE_OPTION_TYPE_ASN1, RULE_OPTION_TYPE_BASE64_DATA, RULE_OPTION_TYPE_BASE64_DECODE, RULE_OPTION_TYPE_BYTE_EXTRACT, RULE_OPTION_TYPE_BYTE_JUMP, RULE_OPTION_TYPE_BYTE_MATH, RULE_OPTION_TYPE_BYTE_TEST, RULE_OPTION_TYPE_CONTENT, RULE_OPTION_TYPE_CONTENT_URI, RULE_OPTION_TYPE_CVS, RULE_OPTION_TYPE_DSIZE, RULE_OPTION_TYPE_DYNAMIC, RULE_OPTION_TYPE_FILE_DATA, RULE_OPTION_TYPE_FILE_TYPE, RULE_OPTION_TYPE_FLOW, RULE_OPTION_TYPE_FLOWBIT, RULE_OPTION_TYPE_FTPBOUNCE, RULE_OPTION_TYPE_HDR_OPT_CHECK, RULE_OPTION_TYPE_ICMP_CODE, RULE_OPTION_TYPE_ICMP_ID, RULE_OPTION_TYPE_ICMP_SEQ, RULE_OPTION_TYPE_ICMP_TYPE, RULE_OPTION_TYPE_IP_FRAG_OFFSET, RULE_OPTION_TYPE_IP_FRAGBITS, RULE_OPTION_TYPE_IP_ID, RULE_OPTION_TYPE_IP_OPTION, RULE_OPTION_TYPE_IP_PROTO, RULE_OPTION_TYPE_IP_SAME, RULE_OPTION_TYPE_IP_TOS, RULE_OPTION_TYPE_IS_DATA_AT, RULE_OPTION_TYPE_LEAF_NODE, RULE_OPTION_TYPE_PCRE, RULE_OPTION_TYPE_PKT_DATA, RULE_OPTION_TYPE_PREPROCESSOR, RULE_OPTION_TYPE_RPC_CHECK, RULE_OPTION_TYPE_SESSION, RULE_OPTION_TYPE_TCP_ACK, RULE_OPTION_TYPE_TCP_FLAG, RULE_OPTION_TYPE_TCP_SEQ, RULE_OPTION_TYPE_TCP_WIN, RULE_OPTION_TYPE_TTL, RULE_OPTION_TYPE_URILEN, ScDisableReplaceOpt(), ScIpsInlineMode(), SetByteExtractValue(), SetDoePtr(), SNORT_PCRE_HTTP_BUFS, SNORT_PCRE_INVERT, SNORT_PCRE_RAWBYTES, SNORT_PCRE_RELATIVE, _detection_option_tree_node::ts, _PatternMatchData::ts, UpdateDoePtr(), _PatternMatchData::use_doe, and _PatternMatchData::within.
Referenced by detection_option_node_evaluate(), and detection_option_tree_evaluate().
| int detection_option_tree_compare | ( | detection_option_tree_node_t * | r, |
| detection_option_tree_node_t * | l | ||
| ) |
Definition at line 685 of file detection_options.c.
References _detection_option_tree_node::children, DETECTION_OPTION_EQUAL, DETECTION_OPTION_NOT_EQUAL, NULL, _detection_option_tree_node::num_children, and _detection_option_tree_node::option_data.
Referenced by detection_option_tree_compare_func().
Definition at line 713 of file detection_options.c.
References DETECTION_OPTION_NOT_EQUAL, detection_option_tree_compare(), and _detection_option_key::option_data.
Referenced by DetectionTreeHashTableNew().
| int detection_option_tree_free_func | ( | void * | option_key, |
| void * | data | ||
| ) |
Definition at line 729 of file detection_options.c.
References free_detection_option_tree().
Referenced by DetectionTreeHashTableNew().
| uint32_t detection_option_tree_hash | ( | detection_option_tree_node_t * | node | ) |
Definition at line 629 of file detection_options.c.
References _detection_option_tree_node::children, mix, _detection_option_tree_node::num_children, and _detection_option_tree_node::option_data.
Referenced by detection_option_tree_hash_func().
Definition at line 672 of file detection_options.c.
References detection_option_tree_hash(), and _detection_option_key::option_data.
Referenced by DetectionTreeHashTableNew().
| void DetectionHashTableFree | ( | SFXHASH * | doht | ) |
Definition at line 591 of file detection_options.c.
References NULL, and sfxhash_delete().
Referenced by fpDeleteFastPacketDetection().
| SFXHASH* DetectionHashTableNew | ( | void | ) |
Definition at line 570 of file detection_options.c.
References detection_hash_free_func(), detection_option_hash_func(), detection_option_key_compare_func(), FatalError(), HASH_RULE_OPTIONS, NULL, sfxhash_new(), and sfxhash_set_keyops().
Referenced by add_detection_option().
| void DetectionTreeHashTableFree | ( | SFXHASH * | dtht | ) |
Definition at line 737 of file detection_options.c.
References NULL, and sfxhash_delete().
Referenced by fpDeleteFastPacketDetection().
| SFXHASH* DetectionTreeHashTableNew | ( | void | ) |
Definition at line 743 of file detection_options.c.
References detection_option_tree_compare_func(), detection_option_tree_free_func(), detection_option_tree_hash_func(), FatalError(), HASH_RULE_TREE, NULL, sfxhash_new(), and sfxhash_set_keyops().
Referenced by add_detection_option_tree().
| char* option_type_str[] |
Definition at line 764 of file detection_options.c.
| uint64_t rule_eval_pkt_count = 0 |
Definition at line 872 of file detection_options.c.
Referenced by detection_option_node_evaluate(), PacketCallback(), and rule_tree_match().
1.9.0