"Fossies" - the Fresh Open Source Software Archive

Member "snort-2.9.17/src/preprocids.h" (16 Oct 2020, 7920 Bytes) of package /linux/misc/snort-2.9.17.tar.gz:



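/****************************************************************************
 *
 * Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
 * Copyright (C) 2005-2013 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 *
 ****************************************************************************/

#ifndef _PREPROC_IDS_H
#define _PREPROC_IDS_H

#include <stdint.h>
#ifdef DUMP_BUFFER
#include "sf_types.h"   /* pulled in only for the DUMP_BUFFER declarations below */
#endif
/*
**  Preprocessor Communication Defines
**  ----------------------------------
**  These defines allow preprocessors to be turned
**  on and off for each packet.  Preprocessors can be
**  turned off and on before preprocessing occurs and
**  during preprocessing.
**
**  Currently, the order in which the preprocessors are
**  placed in the snort.conf determines the order of
**  evaluation.  So if one module wants to turn off
**  another module, it must come first in the order.
*/

// Each PP_* ID below is used as a bit position in a 64-bit mask
// (UINT64_C(1) << PP_xxx, stored in a PreprocEnableMask), so currently
// 64 bits (preprocessors) are available.

#define PP_BO                      0
#define PP_APP_ID                  1
#define PP_DNS                     2
#define PP_FRAG3                   3
#define PP_FTPTELNET               4
#define PP_HTTPINSPECT             5
#define PP_PERFMONITOR             6
#define PP_RPCDECODE               7
#define PP_SHARED_RULES            8
#define PP_SFPORTSCAN              9
#define PP_SMTP                   10
#define PP_SSH                    11
#define PP_SSL                    12
#define PP_STREAM                 13
#define PP_TELNET                 14
#define PP_ARPSPOOF               15
#define PP_DCE2                   16
#define PP_SDF                    17
#define PP_NORMALIZE              18
#define PP_ISAKMP                 19  // used externally
#define PP_SESSION                20
#define PP_SIP                    21
#define PP_POP                    22
#define PP_IMAP                   23
#define PP_NETWORK_DISCOVERY      24  // used externally
#define PP_FW_RULE_ENGINE         25  // used externally
#define PP_REPUTATION             26
#define PP_GTP                    27
#define PP_MODBUS                 28
#define PP_DNP3                   29
#define PP_FILE                   30
#define PP_FILE_INSPECT           31
#define PP_NAP_RULE_ENGINE        32
#define PP_PREFILTER_RULE_ENGINE  33  // used externally
#define PP_HTTPMOD                34
#define PP_HTTP2                  35
#define PP_CIP                    36
#define PP_S7COMMPLUS             37
// One past the highest ID assigned above; a new ID must stay below 64 to
// remain representable in the 64-bit mask.
#define PP_MAX                    38
// NOTE(review): the meaning of 50 is not visible in this header - confirm
// against the code that uses PP_ALL.
#define PP_ALL                    50
// (~0) has type int; it becomes all ones when converted to PreprocEnableMask.
// NOTE(review): passing it through a 32-bit unsigned type first would leave
// bits 32-63 clear - check call sites.
#define PP_ENABLE_ALL (~0)
#define PP_DISABLE_ALL 0x0

// Fallback for WIN32 toolchains whose <stdint.h> does not provide UINT64_C.
// It must yield a 64-bit constant: the masks below shift it by up to 34
// (PP_PREFILTER_RULE_ENGINE, PP_HTTPMOD), which is undefined behaviour on a
// plain int and would silently produce a wrong enable mask.
#ifdef WIN32
#ifndef UINT64_C
#define UINT64_C(v) (v ## ULL)
#endif
#endif

// NOTE(review): PP_SIP, PP_NAP_RULE_ENGINE, PP_HTTP2, PP_CIP and PP_S7COMMPLUS
// appear in none of the three PP_CLASS_* masks in this header. Confirm that
// is intended, since code that enables or disables preprocessors by class
// mask will not touch those bits.

// preprocessors that run before or as part of Network Analysis Policy processing... If enabled by
// configuration they are never disabled
#define PP_CLASS_NETWORK ( ( UINT64_C(1) << PP_FRAG3 ) | ( UINT64_C(1) << PP_PERFMONITOR ) | \
                           ( UINT64_C(1) << PP_SFPORTSCAN ) | ( UINT64_C(1) << PP_STREAM ) | \
                           ( UINT64_C(1) << PP_NORMALIZE ) | ( UINT64_C(1) << PP_SESSION ) | \
                           ( UINT64_C(1) << PP_REPUTATION ) )

// Firewall and Application ID & Network Discovery preprocessors...also always run if enabled by configuration
#define PP_CLASS_NGFW ( ( UINT64_C(1) << PP_APP_ID ) | ( UINT64_C(1) << PP_FW_RULE_ENGINE ) | \
                        ( UINT64_C(1) << PP_NETWORK_DISCOVERY ) | ( UINT64_C(1) << PP_PREFILTER_RULE_ENGINE ) | \
                        ( UINT64_C(1) << PP_HTTPMOD) )

// Application preprocessors...once the application or protocol for a stream is determined only preprocessors
// that analyze that type of stream are enabled (usually there is only 1...)
#define PP_CLASS_PROTO_APP ( ( UINT64_C(1) << PP_BO ) | ( UINT64_C(1) << PP_DNS ) | \
                             ( UINT64_C(1) << PP_FTPTELNET ) | ( UINT64_C(1) << PP_HTTPINSPECT ) | \
                             ( UINT64_C(1) << PP_RPCDECODE ) | ( UINT64_C(1) << PP_SHARED_RULES ) | \
                             ( UINT64_C(1) << PP_SMTP ) | ( UINT64_C(1) << PP_SSH ) | \
                             ( UINT64_C(1) << PP_SSL ) | ( UINT64_C(1) << PP_TELNET ) | \
                             ( UINT64_C(1) << PP_ARPSPOOF ) | ( UINT64_C(1) << PP_DCE2 ) | \
                             ( UINT64_C(1) << PP_SDF ) | ( UINT64_C(1) << PP_ISAKMP) | \
                             ( UINT64_C(1) << PP_POP ) | ( UINT64_C(1) << PP_IMAP ) | \
                             ( UINT64_C(1) << PP_GTP ) | ( UINT64_C(1) << PP_MODBUS ) | \
                             ( UINT64_C(1) << PP_DNP3 ) | ( UINT64_C(1) << PP_FILE ) | \
                             ( UINT64_C(1) << PP_FILE_INSPECT ) )

// Mask of the APP_ID, FW_RULE_ENGINE, NETWORK_DISCOVERY, PERFMONITOR, SESSION
// and PREFILTER_RULE_ENGINE bits.
// NOTE(review): presumably the preprocessors configured globally rather than
// per policy - confirm against the code that tests this mask.
#define PP_DEFINED_GLOBAL ( ( UINT64_C(1) << PP_APP_ID ) | ( UINT64_C(1) << PP_FW_RULE_ENGINE ) | \
                            ( UINT64_C(1) << PP_NETWORK_DISCOVERY ) | ( UINT64_C(1) << PP_PERFMONITOR) | \
                            ( UINT64_C(1) << PP_SESSION ) | ( UINT64_C(1) << PP_PREFILTER_RULE_ENGINE ) )

// Ordering values for the core preprocessors; all of them fall inside the
// PRIORITY_CORE..PRIORITY_CORE_LAST range defined below.
// NOTE(review): presumably a lower value is evaluated earlier - confirm.
#define PP_CORE_ORDER_SESSION   0
#define PP_CORE_ORDER_IPREP     1
#define PP_CORE_ORDER_NAP       2
#define PP_CORE_ORDER_NORML     3
#define PP_CORE_ORDER_FRAG3     4
#define PP_CORE_ORDER_PREFILTER 5   // used externally
#define PP_CORE_ORDER_STREAM    6

// Priority bands, in increasing numeric order.
#define PRIORITY_CORE            0x0
#define PRIORITY_CORE_LAST      0x0f
#define PRIORITY_FIRST          0x10
#define PRIORITY_NETWORK        0x20
#define PRIORITY_TRANSPORT     0x100
#define PRIORITY_TUNNEL        0x105
#define PRIORITY_SCANNER       0x110
#define PRIORITY_APPLICATION   0x200
#define PRIORITY_LAST         0xffff

#ifdef DUMP_BUFFER

/* dump_alert_only makes sure that bufferdump happens only when a rule is
   triggered.

   dumped_state avoids repetition of buffer dump for a packet that has an
   alert, when --buffer-dump is given as command line option.

   dump_enabled gets set when --buffer-dump or --buffer-dump-alert option
   is given.
*/

extern bool dump_alert_only;
extern bool dumped_state;
extern bool dump_enabled;

/* Must equal the number of enumerators in BUFFER_DUMP_FUNC (13 today);
   it sizes the getBuffers[] table declared below. */
#define MAX_BUFFER_DUMP_FUNC 13
/* Per-preprocessor limits.
   NOTE(review): presumably the number of buffers each preprocessor exposes
   for dumping - confirm against the preprocessor sources. */
#define MAX_HTTP_BUFFER_DUMP 16
#define MAX_SMTP_BUFFER_DUMP 7
#define MAX_SIP_BUFFER_DUMP 16
#define MAX_DNP3_BUFFER_DUMP 4
#define MAX_POP_BUFFER_DUMP 7
#define MAX_MODBUS_BUFFER_DUMP 3
#define MAX_SSH_BUFFER_DUMP 11
#define MAX_DNS_BUFFER_DUMP 10
#define MAX_DCERPC2_BUFFER_DUMP 7
#define MAX_FTPTELNET_BUFFER_DUMP 7
#define MAX_IMAP_BUFFER_DUMP 4
#define MAX_SSL_BUFFER_DUMP 4
#define MAX_GTP_BUFFER_DUMP 6

/* Enumerators take the values 0..12; keep MAX_BUFFER_DUMP_FUNC in step when
   adding one.
   NOTE(review): presumably used as the index into getBuffers[] - confirm. */
typedef enum {
    HTTP_BUFFER_DUMP_FUNC,
    SMTP_BUFFER_DUMP_FUNC,
    SIP_BUFFER_DUMP_FUNC,
    DNP3_BUFFER_DUMP_FUNC,
    POP_BUFFER_DUMP_FUNC,
    MODBUS_BUFFER_DUMP_FUNC,
    SSH_BUFFER_DUMP_FUNC,
    DNS_BUFFER_DUMP_FUNC,
    DCERPC2_BUFFER_DUMP_FUNC,
    FTPTELNET_BUFFER_DUMP_FUNC,
    IMAP_BUFFER_DUMP_FUNC,
    SSL_BUFFER_DUMP_FUNC,
    GTP_BUFFER_DUMP_FUNC
} BUFFER_DUMP_FUNC;

/* One named buffer handed to the buffer-dump code.
   NOTE(review): length is presumably the byte count of buf_content; being
   uint16_t it cannot describe more than 65535 bytes. Nothing here says
   buf_content is NUL-terminated, so readers should presumably bound their
   reads by length - confirm against the dump code. */
typedef struct _TraceBuffer {
    char *buf_name;
    char *buf_content;
    uint16_t length;
} TraceBuffer;

typedef uint64_t BufferDumpEnableMask;
/* Table of MAX_BUFFER_DUMP_FUNC function pointers, each taking no arguments
   and returning a TraceBuffer pointer. */
extern TraceBuffer *(*getBuffers[MAX_BUFFER_DUMP_FUNC])(void);
extern BufferDumpEnableMask bdmask;

#endif

/* 64-bit mask with one bit per PP_* preprocessor ID. */
typedef uint64_t PreprocEnableMask;

#endif /* _PREPROC_IDS_H */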