1/* packet-snort-config.h
2 *
3 * Copyright 2016, Martin Mathieson
4 *
5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
8 *
9 * SPDX-License-Identifier: GPL-2.0-or-later
10 */
11
12#ifndef __PACKET_SNORT_CONFIG_H__
13#define __PACKET_SNORT_CONFIG_H__
14
15#include <glib.h>
16
/* Optional trace output for this module.  Uncomment the define below to
   turn it on; it is off by default. */
/* #define SNORT_CONFIG_DEBUG */
#ifdef SNORT_CONFIG_DEBUG
#include <stdio.h>
/* Debug build: the macro is a bare alias for printf, so every call site
   must pass a string-literal format as its first argument followed by the
   values to print.  Passing rule or file text as the format would hand
   that text to printf as a format string. */
#define snort_debug_printf printf
#else
/* Non-debug build: the call expands to nothing, so its arguments are not
   evaluated and must not carry side effects. */
#define snort_debug_printf(...)
#endif
24
25/************************************************************************/
26/* Rule related data types */
27
/* Kind of pattern held by a content_t; selects how it is converted and
   matched.  The names presumably follow the Snort rule keywords
   "content", "uricontent" and "pcre". */
typedef enum content_type_t {
    Content,
    UriContent,
    Pcre
} content_type_t;
33
34/* Content (within an alert/rule) */
/* Content (within an alert/rule).
   One pattern parsed from a rule, plus the byte form used when matching it
   against a packet.  The numeric ranges quoted in the field comments are
   what the rule syntax allows; nothing in this header enforces them, so the
   parser that fills the struct must range-check before the values are used
   as offsets or lengths. */
typedef struct content_t {
    /* Details as parsed from rule */
    content_type_t content_type;

    char *str;                  /* Pattern text as written in the rule; ownership not visible here */
    bool negation;              /* i.e. pattern must not appear */
    bool nocase;                /* when set, do case insensitive match */

    bool offset_set;            /* Where to start looking within packet. -65535 -> 65535 */
    int offset;                 /* presumably only meaningful when offset_set is true */

    unsigned depth;             /* How far to look into packet. Can't be 0 */

    bool distance_set;
    int distance;               /* Same as offset but relative to last match. -65535 -> 65535 */

    unsigned within;            /* Most bytes from end of previous match. Max 65535 */

    bool fastpattern;           /* Is most distinctive content in rule */

    bool rawbytes;              /* Match should be done against raw bytes (which we do anyway) */

    /* http preprocessor modifiers */
    bool http_method;
    bool http_client_body;
    bool http_cookie;
    bool http_user_agent;

    /* Pattern converted into bytes for matching against packet.
       Used for regular patterns and PCREs alike.  Produced from str by
       content_convert_to_binary() (declared below).  translated_length is
       the number of valid bytes in translated_str; treat the buffer as
       binary data, not as a NUL-terminated string -- TODO confirm against
       the converter. */
    unsigned char *translated_str;
    bool translated;            /* presumably set once translated_str is populated */
    unsigned translated_length;

    /* PCRE modifier flags, presumably parsed from the pattern's trailing
       modifiers; consumed by content_convert_pcre_for_regex(). */
    bool pcre_case_insensitive;
    bool pcre_dot_includes_newline;
    bool pcre_raw;
    bool pcre_multiline;
} content_t;
74
75/* This is to keep track of a variable referenced by a rule */
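/* This is to keep track of a variable referenced by a rule.
   name is the variable's identifier and value its setting as found in the
   config.  Both are plain pointers: this struct does not own the strings,
   and who allocates and frees them is decided by the code that fills it
   (not visible in this header). */
typedef struct used_variable_t {
    char *name;
    char *value;
} used_variable_t;   /* closing line restored: the typedef is unterminated as shown */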
81/* The collection of variables referenced by a rule */
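/* The collection of variables referenced by a rule.
   Both arrays are fixed-size; num_port_vars and num_ip_vars count the used
   entries and must be compared against MAX_RULE_PORT_VARS /
   MAX_RULE_IP_VARS before another entry is written.  Rule files are input
   from outside the capture, so the parser cannot assume a rule fits. */
typedef struct relevant_vars_t {
    bool relevant_vars_set;     /* presumably true once rule_set_relevant_vars() has filled this */

    #define MAX_RULE_PORT_VARS 6
    unsigned num_port_vars;
    used_variable_t port_vars[MAX_RULE_PORT_VARS];

    #define MAX_RULE_IP_VARS 6
    unsigned num_ip_vars;
    used_variable_t ip_vars[MAX_RULE_IP_VARS];

} relevant_vars_t;   /* closing line restored: the typedef is unterminated as shown */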
96/* This is purely the information parsed from the config */
/* This is purely the information parsed from the config.
   One rule, stored by sid in SnortConfig_t.rules.  contents and references
   are fixed-size arrays; number_contents and number_references count the
   used entries and must be checked against MAX_CONTENT_ENTRIES /
   MAX_REFERENCE_ENTRIES before another entry is added, since the rule file
   decides how many a rule carries. */
typedef struct Rule_t {

    char *rule_string;          /* The whole rule as read from the rule file */
    char *file;                 /* Name of the rule file */
    unsigned line_number;       /* Line number of rule within rule file */

    char *msg;                  /* Description of the rule */
    char *classtype;
    uint32_t sid, rev;          /* Rule id (lookup key, see get_rule()) and revision */

    char *protocol;

    /* content strings to match on */
    unsigned int number_contents;
#define MAX_CONTENT_ENTRIES 30
    content_t contents[MAX_CONTENT_ENTRIES];

    /* Keep this pointer so can update attributes as parse modifier options.
       Points into contents[], so it is only valid while this Rule_t stays
       in place. */
    content_t *last_added_content;

    /* References describing the rule */
    unsigned int number_references;
#define MAX_REFERENCE_ENTRIES 20
    char *references[MAX_REFERENCE_ENTRIES];

    relevant_vars_t relevant_vars;

    /* Statistics */
    unsigned matches_seen;      /* presumably incremented by rule_set_alert() */
} Rule_t;
127
128
129
130/* Whole global snort config as learned by parsing config files */
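/* Whole global snort config as learned by parsing config files.
   Created by create_config() and released by delete_config() (declared
   below).  The hash tables are GLib GHashTables; their key/value types and
   ownership are fixed by the code that populates them, not by this header. */
typedef struct SnortConfig_t
{
    /* Variables (var, ipvar, portvar) */
    GHashTable *vars;
    GHashTable *ipvars;
    GHashTable *portvars;

    char *rule_path;
    bool rule_path_is_absolute; /* presumably: rule_path is used as-is rather than joined to a base dir -- confirm */

    /* (sid -> Rule_t*) table */
    GHashTable *rules;
    /* Reference (web .link) prefixes */
    GHashTable *references_prefixes;

    /* Statistics (that may be reset) */
    unsigned stat_rules_files;
    unsigned stat_rules;
    unsigned stat_alerts_detected;

} SnortConfig_t;   /* closing line restored: the typedef is unterminated as shown */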
153
154/*************************************************************************************/
155/* API functions */
156
/* Build a config from snort_config_file and store it through *snort_config.
   Presumably pairs with delete_config() below; confirm in the .c file. */
void create_config(SnortConfig_t **snort_config, const char *snort_config_file);
/* Release *snort_config.  Takes the pointer's address, presumably so the
   caller's pointer can be cleared afterwards -- confirm. */
void delete_config(SnortConfig_t **snort_config);

/* Look up rule by SID.
   What is returned for an unknown sid is not visible here; callers should
   treat the result as possibly NULL. */
Rule_t *get_rule(SnortConfig_t *snort_config, uint32_t sid);
/* Presumably called when rule matches a packet.  global_match_number and
   rule_match_number are written through (out-parameters); their exact
   meaning is defined in the .c file. */
void rule_set_alert(SnortConfig_t *snort_config, Rule_t *rule, unsigned *global_match_number, unsigned *rule_match_number);

/* IP and port vars.
   Resolve the variables rule refers to, presumably into rule->relevant_vars
   (see relevant_vars_t and its MAX_RULE_*_VARS limits). */
void rule_set_relevant_vars(SnortConfig_t *snort_config, Rule_t *rule);

/* Substitute prefix (from reference.config) into reference string.
   reference is not const, so it may be modified in place; whether the
   returned string is newly allocated (and must be freed by the caller) is
   not visible here -- check the .c file before storing or freeing it. */
char *expand_reference(SnortConfig_t *snort_config, char *reference);

/* Rule stats.
   Copies the stat_* counters of snort_config into the first three
   out-parameters and, for sid, presumably that rule's matches_seen into
   this_rule_alerts_detected -- confirm. */
void get_global_rule_stats(SnortConfig_t *snort_config, unsigned int sid,
                           unsigned int *number_rules_files, unsigned int *number_rules,
                           unsigned int *alerts_detected, unsigned int *this_rule_alerts_detected);
/* Reset the "Statistics (that may be reset)" counters of snort_config. */
void reset_global_rule_stats(SnortConfig_t *snort_config);

/* Expanding a content field string to the expected binary bytes.
   Fills content->translated_str / translated_length from content->str.
   str is rule text, i.e. input from outside the capture, so the converter
   must bound its own output.  The meaning of the unsigned return value is
   not documented here -- likely the translated length; confirm. */
unsigned content_convert_to_binary(content_t *content);

/* Convert a Pcre content into a form usable by the regex engine, honouring
   the pcre_* flags in content_t.  Returns true on success -- presumably;
   confirm in the .c file. */
bool content_convert_pcre_for_regex(content_t *content);
180
181#endif
182
183/*
184 * Editor modelines - https://www.wireshark.org/tools/modelines.html
185 *
186 * Local variables:
187 * c-basic-offset: 4
188 * tab-width: 8
189 * indent-tabs-mode: nil
190 * End:
191 *
192 * vi: set shiftwidth=4 tabstop=8 expandtab:
193 * :indentSize=4:tabSize=8:noTabs=true:
194 */