1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __UTIL_MPM_H__
25 #define __UTIL_MPM_H__
26 
27 #include "util-prefilter.h"
28 
/* Size constant for the MPM init hash.
 * NOTE(review): presumably the bucket count of MpmCtx.init_hash; the
 * allocation is not visible in this header - confirm in the implementation. */
29 #define MPM_INIT_HASH_SIZE 65536
30 
/* Identifiers of the multi-pattern matcher (MPM) implementations.
 * MPM_TABLE_SIZE is the last enumerator and is the declared length of
 * mpm_table[], so new matcher ids have to be inserted before it. */
31 enum {
32     MPM_NOTSET = 0, /* explicit zero value: no matcher selected */
33 
34     /* aho-corasick */
35     MPM_AC,
36     MPM_AC_BS,
37     MPM_AC_KS,
38     MPM_HS, /* NOTE(review): presumably the Hyperscan matcher, not an aho-corasick variant - confirm */
39     /* table size */
40     MPM_TABLE_SIZE,
41 };
42 
43 /* Internal pattern index: 0 to pattern_cnt-1 (32 bits wide, like the uint32_t MpmCtx.pattern_cnt) */
44 typedef uint32_t MpmPatternIndex;
45 
/* Per-thread matcher state. It is the second argument of the InitThreadCtx,
 * DestroyThreadCtx and Search callbacks of MpmTableElmt and the only
 * argument of PrintThreadCtx. */
46 typedef struct MpmThreadCtx_ {
47     void *ctx; /* opaque pointer; presumably matcher-private state - confirm */
48 
49     uint32_t memory_cnt;  /* NOTE(review): presumably a count of allocations - confirm */
50     uint32_t memory_size; /* NOTE(review): presumably bytes allocated - confirm */
51 
52 } MpmThreadCtx;
53 
/* One pattern registered with an MPM context; nodes chain through `next`.
 *
 * NOTE(review): len, offset and depth are uint16_t, so values above 65535
 * cannot be represented. Code that fills them from wider integers should
 * reject out-of-range input instead of letting it truncate silently.
 * The three byte buffers (original_pat, cs, ci) carry no length of their
 * own; presumably each is `len` bytes - confirm before reading them. */
54 typedef struct MpmPattern_ {
55     /* length of the pattern */
56     uint16_t len;
57     /* flags describing the pattern (presumably the MPM_PATTERN_* bits - confirm) */
58     uint8_t flags;
59 
60     /* offset into the buffer where match may start */
61     uint16_t offset;
62 
63     /* offset into the buffer before which match must complete */
64     uint16_t depth;
65 
66     /* holds the original pattern that was added */
67     uint8_t *original_pat;
68     /* case sensitive */
69     uint8_t *cs;
70     /* case INsensitive */
71     uint8_t *ci;
72     /* pattern id */
73     uint32_t id;
74 
75     /* sid(s) for this pattern; sids_size presumably counts the entries in sids - confirm */
76     uint32_t sids_size;
77     SigIntId *sids;
78 
79     struct MpmPattern_ *next; /* next node in the pattern list */
80 } MpmPattern;
81 
82 /* Indicates if this is a global mpm_ctx.  Global mpm_ctx is the one that
83  * is instantiated when we use "single".  Non-global is "full", i.e.
84  * one per sgh. */
85 #define MPMCTX_FLAGS_GLOBAL     BIT_U8(0)
86 #define MPMCTX_FLAGS_NODEPTH    BIT_U8(1) /* NOTE(review): undocumented; presumably set when the ctx holds a pattern without a depth limit - confirm */
87 
/* Matcher-independent context for one set of patterns. It is the first
 * argument of every MpmTableElmt callback except PrintThreadCtx and
 * RegisterUnittests; `ctx` is an opaque pointer.
 *
 * NOTE(review): mpm_type is presumably an MPM_* matcher id used to pick the
 * mpm_table[] entry. If so, it has to be below MPM_TABLE_SIZE before it is
 * used as an index - confirm where that is enforced. */
88 typedef struct MpmCtx_ {
89     void *ctx; /* opaque pointer; presumably matcher-private state - confirm */
90     uint8_t mpm_type;
91 
92     uint8_t flags; /* presumably MPMCTX_FLAGS_* bits - confirm */
93 
94     uint16_t maxdepth; /* 16-bit, same width as MpmPattern.depth */
95 
96     /* unique patterns */
97     uint32_t pattern_cnt;
98 
99     uint16_t minlen; /* 16-bit, same width as MpmPattern.len */
100     uint16_t maxlen; /* 16-bit, same width as MpmPattern.len */
101 
102     uint32_t memory_cnt;  /* NOTE(review): presumably a count of allocations - confirm */
103     uint32_t memory_size; /* NOTE(review): presumably bytes allocated - confirm */
104 
105     uint32_t max_pat_id;
106 
107     /* hash used during ctx initialization */
108     MpmPattern **init_hash;
109 } MpmCtx;
110 
111 /* if we want to retrieve a unique mpm context from the mpm context factory
112  * we should supply this as the key (a negative sentinel; the expansion is not parenthesized) */
113 #define MPM_CTX_FACTORY_UNIQUE_CONTEXT -1
114 
/* One entry of the MPM context factory (element type of
 * MpmCtxFactoryContainer.items). Holds two MpmCtx pointers per entry. */
115 typedef struct MpmCtxFactoryItem_ {
116     const char *name;
117     MpmCtx *mpm_ctx_ts; /* NOTE(review): presumably the to-server direction ctx - confirm */
118     MpmCtx *mpm_ctx_tc; /* NOTE(review): presumably the to-client direction ctx - confirm */
119     int32_t id; /* signed; -1 is reserved by MPM_CTX_FACTORY_UNIQUE_CONTEXT */
120     int32_t sm_list;
121 } MpmCtxFactoryItem;
122 
/* Container for the factory items.
 * NOTE(review): no_of_items is presumably the element count of `items`. It
 * is a signed int32_t, so an index derived from an id should be checked
 * against both 0 and no_of_items before `items` is dereferenced - confirm. */
123 typedef struct MpmCtxFactoryContainer_ {
124     MpmCtxFactoryItem *items;
125     int32_t no_of_items;
126     int32_t max_id;
127 } MpmCtxFactoryContainer;
128 
/* Pattern flag bits. Every value fits in 8 bits, the width of
 * MpmPattern.flags and of the uint8_t flags argument of AddPattern. */
129 /** pattern is case insensitive */
130 #define MPM_PATTERN_FLAG_NOCASE     0x01
131 /** pattern is negated */
132 #define MPM_PATTERN_FLAG_NEGATED    0x02
133 /** pattern has a depth setting */
134 #define MPM_PATTERN_FLAG_DEPTH      0x04
135 /** pattern has an offset setting */
136 #define MPM_PATTERN_FLAG_OFFSET     0x08
137 /** one byte pattern (used in b2g; NOTE(review): the MPM_* enum in this header has no b2g id - possibly stale) */
138 #define MPM_PATTERN_ONE_BYTE        0x10
139 /** the ctx uses its own internal id instead of
140  *  what is passed through the API */
141 #define MPM_PATTERN_CTX_OWNS_ID     0x20
142 
/* Callback table implemented by one matcher; mpm_table[] holds one entry
 * per matcher id.
 *
 * NOTE(review): nothing in this header states that every pointer is set for
 * every entry, so callers may need a NULL check before calling through the
 * table - confirm against MpmTableSetup().
 * NOTE(review): Search ends with a (const uint8_t *, uint32_t) pair,
 * presumably the buffer to scan and its length; implementations must not
 * read past that length. The pattern length given to AddPattern is only
 * 16 bits wide, while the Search length is 32 bits. */
143 typedef struct MpmTableElmt_ {
144     const char *name;
145     void (*InitCtx)(struct MpmCtx_ *);
146     void (*InitThreadCtx)(struct MpmCtx_ *, struct MpmThreadCtx_ *);
147     void (*DestroyCtx)(struct MpmCtx_ *);
148     void (*DestroyThreadCtx)(struct MpmCtx_ *, struct MpmThreadCtx_ *);
149 
150     /** function pointers for adding patterns to the mpm ctx.
151      *
152      *  \param mpm_ctx Mpm context to add the pattern to
153      *  \param pattern pointer to the pattern
154      *  \param pattern_len length of the pattern in bytes
155      *  \param offset pattern offset setting
156      *  \param depth pattern depth setting
157      *  \param pid pattern id
158      *  \param sid signature _internal_ id
159      *  \param flags pattern flags
160      */
161     int  (*AddPattern)(struct MpmCtx_ *, uint8_t *, uint16_t, uint16_t, uint16_t, uint32_t, SigIntId, uint8_t);
162     int  (*AddPatternNocase)(struct MpmCtx_ *, uint8_t *, uint16_t, uint16_t, uint16_t, uint32_t, SigIntId, uint8_t);
163     int  (*Prepare)(struct MpmCtx_ *);
164     uint32_t (*Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t);
165     void (*PrintCtx)(struct MpmCtx_ *);
166     void (*PrintThreadCtx)(struct MpmThreadCtx_ *);
167     void (*RegisterUnittests)(void);
168     uint8_t flags;
169 } MpmTableElmt;
170 
/* mpm_table has MPM_TABLE_SIZE entries of MpmTableElmt and is declared
 * without const, so its function pointers are writable at run time.
 * NOTE(review): mpm_default_matcher is a plain int, presumably a matcher id
 * used to index mpm_table; if so it must stay within [0, MPM_TABLE_SIZE) -
 * confirm where it is assigned and validated. */
171 extern MpmTableElmt mpm_table[MPM_TABLE_SIZE];
172 extern int mpm_default_matcher;
173 
/* MPM context factory API. Each function takes the detection engine context
 * (forward-declared here) as its first argument; behaviour is defined in the
 * implementation file, only the signatures are visible in this header.
 *
 * NOTE(review): MpmFactoryGetMpmCtxForProfile takes an int32_t key,
 * presumably an id returned by MpmFactoryRegisterMpmCtxProfile or
 * MPM_CTX_FACTORY_UNIQUE_CONTEXT (-1). Confirm that any other negative or
 * out-of-range value is rejected before it is used to look up an item. */
174 struct DetectEngineCtx_;
175 
176 int32_t MpmFactoryRegisterMpmCtxProfile(struct DetectEngineCtx_ *, const char *, const int);
177 void MpmFactoryReClaimMpmCtx(const struct DetectEngineCtx_ *, MpmCtx *);
178 MpmCtx *MpmFactoryGetMpmCtxForProfile(const struct DetectEngineCtx_ *, int32_t, int);
179 void MpmFactoryDeRegisterAllMpmCtxProfiles(struct DetectEngineCtx_ *);
180 int32_t MpmFactoryIsMpmCtxAvailable(const struct DetectEngineCtx_ *, const MpmCtx *);
181 
/* Helpers operating on a PrefilterRuleStore, the same type that the Search
 * callback of MpmTableElmt receives. PmqSetup is the only one that returns
 * a status.
 * NOTE(review): presumably PmqSetup can fail (e.g. on allocation), so its
 * return value should be checked before the store is used - confirm. */
182 int PmqSetup(PrefilterRuleStore *);
183 void PmqReset(PrefilterRuleStore *);
184 void PmqCleanup(PrefilterRuleStore *);
185 void PmqFree(PrefilterRuleStore *);
186 
/* Matcher table setup, unit test registration and context initialisation.
 * NOTE(review): the uint16_t argument of MpmInitCtx and MpmInitThreadCtx is
 * presumably a matcher id used to index mpm_table[MPM_TABLE_SIZE]; a value
 * >= MPM_TABLE_SIZE has to be rejected before indexing - confirm where that
 * check lives. MpmCtx.mpm_type stores its value as uint8_t, narrower than
 * this parameter. */
187 void MpmTableSetup(void);
188 void MpmRegisterTests(void);
189 
190 void MpmInitCtx(MpmCtx *mpm_ctx, uint16_t matcher);
191 void MpmInitThreadCtx(MpmThreadCtx *mpm_thread_ctx, uint16_t);
192 
/* Pattern registration and release. The three MpmAddPattern* functions take
 * the same parameter types as the AddPattern / AddPatternNocase callbacks of
 * MpmTableElmt; CS / CI presumably stand for case sensitive / insensitive.
 *
 * NOTE(review): patlen, offset and depth are uint16_t, so callers holding
 * wider values should range-check them before the call rather than rely on
 * implicit narrowing. `pat` is a non-const uint8_t *; whether the callee
 * copies the bytes or keeps the pointer is not visible here - confirm
 * before freeing or reusing the buffer. */
193 int MpmAddPatternCS(struct MpmCtx_ *mpm_ctx, uint8_t *pat, uint16_t patlen,
194                     uint16_t offset, uint16_t depth,
195                     uint32_t pid, SigIntId sid, uint8_t flags);
196 int MpmAddPatternCI(struct MpmCtx_ *mpm_ctx, uint8_t *pat, uint16_t patlen,
197                     uint16_t offset, uint16_t depth,
198                     uint32_t pid, SigIntId sid, uint8_t flags);
199 
200 void MpmFreePattern(MpmCtx *mpm_ctx, MpmPattern *p);
201 
202 int MpmAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen,
203                             uint16_t offset, uint16_t depth, uint32_t pid,
204                             SigIntId sid, uint8_t flags);
205 
206 #endif /* __UTIL_MPM_H__ */
207