1 /* $Id$ */
2 /****************************************************************************
3 *
4 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
5 * Copyright (C) 2004-2013 Sourcefire, Inc.
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License Version 2 as
9 * published by the Free Software Foundation. You may not use, modify or
10 * distribute this program under any other version of the GNU General
11 * Public License.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
21 *
22 ****************************************************************************/
23
24 /* flowbits detection plugin header */
25
26 #ifndef __SP_FLOWBITS_H__
27 #define __SP_FLOWBITS_H__
28
29 #include "sfghash.h"
30 #include "sf_types.h"
31 #include "decode.h"
32 #include "bitop_funcs.h"
33 #include "snort_debug.h"
34
/* Normally exported functions, for plugin registration. */
void SetupFlowBits(void);
void FlowBitsVerify(void);
/* The void * parameters below are untyped option-data pointers.
 * NOTE(review): presumably each one points to a FLOWBITS_OP, as it does in
 * FlowBits_SetOperation() in this header -- confirm against the .c file. */
void FlowBitsFree(void *d);
uint32_t FlowBitsHash(void *d);
int FlowBitsCompare(void *l, void *r);
int FlowBitsCheck(void *, Packet *);
void FlowBitsHashInit(void);
void FlowbitResetCounts(void);
44
45
/**
**  The FLOWBITS_OBJECT is used to track the different
**  flowbit names that set/unset/etc. bits.  We use these
**  so that we can verify that the rules that use flowbits
**  make sense.
**
**  The types element tracks all the different operations that
**  may occur for a given object.  This is different from how
**  the type element is used from the FLOWBITS_ITEM structure.
**
**  NOTE(review): no FLOWBITS_ITEM is declared in this header; the
**  per-option structure declared here is FLOWBITS_OP, so the name
**  above looks stale -- confirm.
*/
typedef struct _FLOWBITS_OBJECT
{
    uint16_t id;     /* id of this flowbit name; FLOWBITS_OP ids are associated with it */
    uint8_t  types;  /* operations seen for this name; presumably an OR of FLOWBITS_* flags -- confirm */
    /* NOTE(review): the next three presumably record how often (or whether)
     * the name is toggled, set and tested, for rule verification -- their
     * use is not visible in this header; confirm in the .c file. */
    int      toggle;
    int      set;
    int      isset;

} FLOWBITS_OBJECT;
65
/*
 * Evaluation mode stored in FLOWBITS_OP.eval ("and, or, all, any").
 * The enumerators take the implicit values 0..3 in declaration order.
 * NOTE(review): the exact matching rule for each mode is implemented
 * outside this header -- confirm there before relying on the names.
 */
typedef enum
{
    FLOWBITS_AND,
    FLOWBITS_OR,
    FLOWBITS_ANY,
    FLOWBITS_ALL
} Flowbits_eval;
73
/**
**  This structure is the context ptr for each detection option
**  on a rule.  The id is associated with a FLOWBITS_OBJECT id.
**
**  The type element tracks only one operation.
*/
typedef struct _FLOWBITS_OP
{
    uint16_t *ids;        /* ids referenced by this option; presumably num_ids entries -- confirm */
    /* Only 8 bits wide, while checkFlowBits() below takes num_ids as
     * uint16_t.  NOTE(review): whatever fills this field must bound the
     * count to 255 before narrowing -- confirm in the parser. */
    uint8_t   num_ids;
    uint8_t   type;       /* one FLOWBITS_* operation flag (Set, Unset, Invert, IsSet, IsNotSet, Reset);
                           * FLOWBITS_NOALERT and FLOWBITS_SETX are also defined below */
    Flowbits_eval eval;   /* and, or, all, any */
    char     *name;       /* NOTE(review): presumably the flowbit name text from the rule; ownership not shown here */
    char     *group;      /* NOTE(review): presumably the group name text, if any; ownership not shown here */
    uint32_t  group_id;   /* NOTE(review): presumably matches FLOWBITS_GRP.group_id -- confirm */
} FLOWBITS_OP;
90
/*
 * Per-group record for flowbits.
 * NOTE(review): the field meanings below are inferred from names only;
 * none of them is used in this header -- confirm in the .c file.
 */
typedef struct _FLOWBITS_GRP
{
    uint16_t count;      /* presumably the number of flowbits in the group */
    uint16_t max_id;     /* presumably the highest flowbit id in the group */
    char    *name;       /* presumably the group name; ownership not shown here */
    uint32_t group_id;   /* numeric group identifier; FLOWBITS_OP carries a field of the same name */
    BITOP    GrpBitOp;   /* bit-operation object embedded by value (BITOP is not declared in this header) */
} FLOWBITS_GRP;
99
/*
 * Operation flags, one distinct bit each.  FLOWBITS_OP.type is a uint8_t
 * and these eight values use all eight bits, so another flag cannot be
 * added without widening that field (and FLOWBITS_OBJECT.types).
 * FlowBits_SetOperation() in this header treats SET, SETX, UNSET, TOGGLE
 * and RESET as set-style operations; ISSET, ISNOTSET and NOALERT are not.
 */
#define FLOWBITS_SET       0x01
#define FLOWBITS_UNSET     0x02
#define FLOWBITS_TOGGLE    0x04
#define FLOWBITS_ISSET     0x08
#define FLOWBITS_ISNOTSET  0x10
#define FLOWBITS_RESET     0x20
#define FLOWBITS_NOALERT   0x40
#define FLOWBITS_SETX      0x80
108
/* NOTE(review): presumably fills *flowbits from a flowbit name and an
 * optional group name taken from a rule -- confirm in the .c file. */
void processFlowBitsWithGroup(char *flowbitsName, char *groupName, FLOWBITS_OP *flowbits);
/* Takes the same kinds of values FLOWBITS_OP stores, but with different
 * widths: evalType is a uint8_t here (Flowbits_eval in the struct) and
 * num_ids is a uint16_t here (uint8_t in the struct).
 * NOTE(review): ids is presumably read for num_ids entries, so callers
 * must pass a count that matches the array -- confirm. */
int checkFlowBits( uint8_t type, uint8_t evalType, uint16_t *ids, uint16_t num_ids, char *group, Packet *p);
111
/*
 * Report whether a flowbits option carries one of the set-style
 * operation flags.
 *
 * option_data is converted to a FLOWBITS_OP pointer and dereferenced
 * without any check, so the caller must pass a valid, non-NULL
 * FLOWBITS_OP.
 *
 * Returns 1 when the option's type has any of FLOWBITS_SET,
 * FLOWBITS_SETX, FLOWBITS_UNSET, FLOWBITS_TOGGLE or FLOWBITS_RESET set,
 * and 0 otherwise.  FLOWBITS_ISSET, FLOWBITS_ISNOTSET and
 * FLOWBITS_NOALERT on their own yield 0.
 */
static inline int FlowBits_SetOperation(void *option_data)
{
    const FLOWBITS_OP *op = option_data;
    const int set_style_ops = FLOWBITS_SET | FLOWBITS_SETX | FLOWBITS_UNSET
                            | FLOWBITS_TOGGLE | FLOWBITS_RESET;

    return (op->type & set_style_ops) != 0;
}
121
/* NOTE(review): presumably parses a textual size from configuration; the
 * argument is an unbounded char *, so range and format checks have to
 * live in the implementation -- confirm. */
void setFlowbitSize(char *);
/* NOTE(review): presumably the configured flowbit size in bits -- confirm. */
unsigned int getFlowbitSize(void);
/* NOTE(review): presumably the same size expressed in bytes -- confirm. */
unsigned int getFlowbitSizeInBytes(void);
125
126 #endif /* __SP_FLOWBITS_H__ */
127