/* packet-snort-config.h
2
*
3
* Copyright 2016, Martin Mathieson
4
*
5
* Wireshark - Network traffic analyzer
6
* By Gerald Combs <gerald@wireshark.org>
7
* Copyright 1998 Gerald Combs
8
*
9
* SPDX-License-Identifier: GPL-2.0-or-later
10
*/
#ifndef __PACKET_SNORT_CONFIG_H__
13
#define __PACKET_SNORT_CONFIG_H__
#include <glib.h>
/* #define SNORT_CONFIG_DEBUG */
#ifdef SNORT_CONFIG_DEBUG
#include <stdio.h>
/* Debug build: snort_debug_printf() is plain printf(), so every call site
 * must pass a string literal as the format argument.  Never pass text that
 * came out of a config or rule file as the format - it would be interpreted
 * as printf directives. */
#define snort_debug_printf printf
#else
/* Non-debug build: the whole call expands to nothing, so the arguments are
 * not evaluated at all.  Do not rely on side effects inside them. */
#define snort_debug_printf(...)
#endif
/************************************************************************/
/* Rule related data types */

/* Which kind of pattern a content_t entry holds: a plain content match,
 * a URI content match, or a PCRE regular expression (the Pcre kind is the
 * one handled by content_convert_pcre_for_regex and the pcre_* flags). */
typedef enum content_type_t {
    Content,
    UriContent,
    Pcre
} content_type_t;
/* Content (within an alert/rule).
 * One pattern of a rule as parsed from the rule text, the modifier options
 * that followed it, and the byte form used when matching against a packet.
 *
 * NOTE(review): this header uses bool and uint32_t but only includes
 * <glib.h>; it relies on <stdbool.h>/<stdint.h> already being in scope in
 * the including translation unit (presumably via config.h). */
typedef struct content_t {
    /* Details as parsed from rule */
    content_type_t content_type;

    char *str;                  /* Pattern text as written in the rule.
                                   Ownership is not documented here -
                                   presumably released by delete_config(). */
    bool negation;              /* i.e. pattern must not appear */
    bool nocase;                /* when set, do case insensitive match */

    bool offset_set;            /* whether 'offset' below was given for this pattern */
    int offset;                 /* Where to start looking within packet. -65535 -> 65535 */

    unsigned depth;             /* How far to look into packet. Can't be 0 */

    bool distance_set;          /* whether 'distance' below was given for this pattern */
    int distance;               /* Same as offset but relative to last match. -65535 -> 65535 */

    unsigned within;            /* Max bytes from end of previous match. Max 65535 */

    bool fastpattern;           /* Is most distinctive content in rule */

    bool rawbytes;              /* Match should be done against raw bytes (which we do anyway) */

    /* http preprocessor modifiers */
    bool http_method;
    bool http_client_body;
    bool http_cookie;
    bool http_user_agent;

    /* Pattern converted into bytes for matching against packet.
       Used for regular patterns and PCREs alike.
       The length is carried separately in translated_length: use it rather
       than strlen(), since the byte form presumably may contain NUL bytes
       (filled in by content_convert_to_binary). */
    unsigned char *translated_str;
    bool translated;            /* presumably set once translated_str/length are valid */
    unsigned translated_length;

    /* PCRE option flags - presumably only meaningful when content_type == Pcre */
    bool pcre_case_insensitive;
    bool pcre_dot_includes_newline;
    bool pcre_raw;
    bool pcre_multiline;
} content_t;
/* This is to keep track of a variable referenced by a rule
 * (a var/ipvar/portvar resolved while the rule was being processed). */
typedef struct used_variable_t {
    char *name;     /* variable name as it appears in the rule */
    char *value;    /* value the variable had when it was recorded.
                       Ownership of both strings is not documented here -
                       TODO confirm against the parser before freeing them,
                       they may be shared with the SnortConfig_t tables. */
} used_variable_t;
/* The collection of variables referenced by a rule.
 * Both arrays are fixed-size: whoever fills them must check the count
 * against the matching MAX_* bound before writing another entry.
 * (The #defines below are written inside the struct for readability but,
 * being preprocessor macros, they are visible file-wide.) */
typedef struct relevant_vars_t {
    bool relevant_vars_set;     /* true once the arrays below have been filled
                                   (presumably by rule_set_relevant_vars) */

#define MAX_RULE_PORT_VARS 6
    unsigned num_port_vars;     /* valid entries in port_vars, must stay <= MAX_RULE_PORT_VARS */
    used_variable_t port_vars[MAX_RULE_PORT_VARS];

#define MAX_RULE_IP_VARS 6
    unsigned num_ip_vars;       /* valid entries in ip_vars, must stay <= MAX_RULE_IP_VARS */
    used_variable_t ip_vars[MAX_RULE_IP_VARS];

} relevant_vars_t;
/* This is purely the information parsed from the config.
 * Rule text comes from files on disk and is external input: the parser that
 * fills this struct must bound every count below by its MAX_* limit before
 * writing into the corresponding fixed-size array. */
typedef struct Rule_t {

    char *rule_string;          /* The whole rule as read from the rule file */
    char *file;                 /* Name of the rule file */
    unsigned line_number;       /* Line number of rule within rule file */

    char *msg;                  /* Description of the rule */
    char *classtype;            /* rule classification text, if any (presumably the classtype option) */
    uint32_t sid, rev;          /* rule id and revision; sid is the key in SnortConfig_t.rules */

    char *protocol;             /* protocol named in the rule (presumably from the rule header) */

    /* content strings to match on */
    unsigned int number_contents;   /* valid entries in contents[], must stay <= MAX_CONTENT_ENTRIES */
#define MAX_CONTENT_ENTRIES 30
    content_t contents[MAX_CONTENT_ENTRIES];

    /* Keep this pointer so can update attributes as parse modifier options.
       Presumably points into contents[] above, so it is only valid for this
       Rule_t instance: a copy of the struct would still point at the original. */
    content_t *last_added_content;

    /* References describing the rule */
    unsigned int number_references;     /* valid entries in references[], must stay <= MAX_REFERENCE_ENTRIES */
#define MAX_REFERENCE_ENTRIES 20
    char *references[MAX_REFERENCE_ENTRIES];

    relevant_vars_t relevant_vars;      /* variables this rule refers to (see rule_set_relevant_vars) */

    /* Statistics */
    unsigned matches_seen;              /* times this rule has matched - presumably updated by rule_set_alert */
} Rule_t;
/* Whole global snort config as learned by parsing config files.
 * Created by create_config(), released by delete_config(). */
typedef struct SnortConfig_t
{
    /* Variables (var, ipvar, portvar) - one table per variable kind */
    GHashTable *vars;
    GHashTable *ipvars;
    GHashTable *portvars;

    char *rule_path;                /* where rule files are looked for (presumably the config's RULE_PATH) */
    bool rule_path_is_absolute;     /* whether rule_path is absolute; otherwise presumably
                                       resolved relative to the config file */

    /* (sid -> Rule_t*) table */
    GHashTable *rules;
    /* Reference (web .link) prefixes */
    GHashTable *references_prefixes;

    /* Statistics (that may be reset) - see get_global_rule_stats/reset_global_rule_stats */
    unsigned stat_rules_files;
    unsigned stat_rules;
    unsigned stat_alerts_detected;

} SnortConfig_t;
/*************************************************************************************/
/* API functions */

/* Build a SnortConfig_t by parsing snort_config_file and store it through
   *snort_config.  The config and rule files are external input: everything
   derived from them should be treated as untrusted by the parser (counts
   bounded, strings length-checked).  Release with delete_config(). */
void create_config(SnortConfig_t **snort_config, const char *snort_config_file);
/* Free a config built by create_config(); presumably also resets *snort_config. */
void delete_config(SnortConfig_t **snort_config);

/* Look up rule by SID.  The result is presumably NULL when no rule has that
   sid - check before dereferencing. */
Rule_t *get_rule(SnortConfig_t *snort_config, uint32_t sid);
/* Record that 'rule' fired.  Presumably updates the match statistics and
   writes the global and per-rule match numbers through the two out-pointers. */
void rule_set_alert(SnortConfig_t *snort_config, Rule_t *rule, unsigned *global_match_number, unsigned *rule_match_number);

/* IP and port vars: fill in rule->relevant_vars from the config's variable tables. */
void rule_set_relevant_vars(SnortConfig_t *snort_config, Rule_t *rule);

/* Substitute prefix (from reference.config) into reference string.
   Whether the returned string is newly allocated (caller frees) or aliases
   existing storage is not documented here - TODO confirm against the
   implementation before freeing it. */
char *expand_reference(SnortConfig_t *snort_config, char *reference);

/* Rule stats.  Note that sid is 'unsigned int' here but uint32_t in
   get_rule(); the parameter types for the same value should agree. */
void get_global_rule_stats(SnortConfig_t *snort_config, unsigned int sid,
                           unsigned int *number_rules_files, unsigned int *number_rules,
                           unsigned int *alerts_detected, unsigned int *this_rule_alerts_detected);
void reset_global_rule_stats(SnortConfig_t *snort_config);

/* Expanding a content field string to the expected binary bytes
   (content->str into content->translated_str / translated_length).
   The return value is presumably the translated length. */
unsigned content_convert_to_binary(content_t *content);

/* Convert a Pcre content's pattern into the form the regex engine expects;
   the bool result presumably reports success. */
bool content_convert_pcre_for_regex(content_t *content);
#endif
/*
184
* Editor modelines - https://www.wireshark.org/tools/modelines.html
185
*
186
* Local variables:
187
* c-basic-offset: 4
188
* tab-width: 8
189
* indent-tabs-mode: nil
190
* End:
191
*
192
* vi: set shiftwidth=4 tabstop=8 expandtab:
193
* :indentSize=4:tabSize=8:noTabs=true:
194
*/