1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation.  You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
17 //--------------------------------------------------------------------------
18 // ips_manager.h author Russ Combs <rucombs@cisco.com>
19 
20 #ifndef IPS_OPTION_H
21 #define IPS_OPTION_H
22 
23 // All IPS rule keywords are realized as IpsOptions instantiated when rules
24 // are parsed.
25 
26 #include "detection/rule_option_types.h"
27 #include "framework/base_api.h"
28 #include "main/snort_types.h"
29 #include "target_based/snort_protocols.h"
30 
31 //-------------------------------------------------------------------------
32 // api for class
33 // eval and action are packet thread specific
34 //-------------------------------------------------------------------------
35 
36 class Cursor;
37 struct OptTreeNode;
38 struct PatternMatchData;
39 
40 namespace snort
41 {
42 struct Packet;
43 struct SnortConfig;
44 class Module;
45 
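// Current version of the IPS option plugin API: BASE_API_VERSION shifted into
// the upper bits, ORed with 0 (presumably the IPS-specific revision - confirm).
// The listing's line-number gutter has been stripped so the directive is valid
// preprocessor input again.
// NOTE(review): the code that compares this value against a loaded plugin is
// not in this header. Since IpsOption's virtual table and the IpsApi field
// layout are both part of the binary contract, any change to either should
// come with a version change so stale plugins can be refused at load time.
#define IPSAPI_VERSION ((BASE_API_VERSION << 16) | 0)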
48 
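// Value an IpsOption reports from get_cursor_type(); the base class returns
// CAT_NONE. The listing's line-number gutter has been stripped so the enum
// compiles again.
//
// The enumerator names suggest what an option does to the detection cursor
// (nothing, adjust it, or point it at a named buffer); the exact meaning of
// each value is defined by the code that consumes it, not by this header.
//
// NOTE(review): values are implicit (0..15) and the enum is unscoped, so
// inserting an enumerator anywhere but the end renumbers the rest. Plugins
// built against an older header would then report the wrong action - append
// new values and change IPSAPI_VERSION when this list changes.
enum CursorActionType
{
    CAT_NONE,
    CAT_ADJUST,
    CAT_SET_OTHER,
    CAT_SET_RAW,
    CAT_SET_COOKIE,
    CAT_SET_STAT_MSG,
    CAT_SET_STAT_CODE,
    CAT_SET_METHOD,
    CAT_SET_RAW_HEADER,
    CAT_SET_RAW_KEY,
    CAT_SET_FILE,
    CAT_SET_BODY,
    CAT_SET_HEADER,
    CAT_SET_KEY,
    CAT_SET_JS_DATA,
    CAT_SET_VBA,
};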
68 
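// Direction qualifier passed to IpsOption::get_pattern(); RULE_WO_DIR is the
// default argument there. The listing's line-number gutter has been stripped
// so the enum compiles again.
// NOTE(review): RULE_WO_DIR presumably means "rule without a direction";
// how callers treat it is not shown in this header.
enum RuleDirection
{
    RULE_FROM_CLIENT,
    RULE_FROM_SERVER,
    RULE_WO_DIR
};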
75 
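// Base class for IPS rule options. Concrete options derive from it and
// override the virtuals below; every default here is a no-op or a neutral
// value. The listing's line-number gutter and fused documentation-anchor text
// have been stripped so the class is valid C++ again; no declaration changed.
//
// Threading, per the section comments in this header: hash() and operator==
// are called on the main thread, eval()/action() and the members grouped
// with them on packet threads.
//
// NOTE(review): Cursor and Packet are only forward-declared here. In an IPS
// they describe network traffic, so overrides of eval()/retry()/action()
// should treat every offset and length derived from them as untrusted and
// check it against the cursor's bounds before reading.
class SO_PUBLIC IpsOption
{
public:
    virtual ~IpsOption() = default;

    // main thread
    // Declared here, defined elsewhere.
    // NOTE(review): presumably used to detect equivalent options across
    // rules - confirm. An override of one should be paired with an override
    // of the other so that options comparing equal also hash equal.
    virtual uint32_t hash() const;
    virtual bool operator==(const IpsOption& ips) const;

    // Negation of the virtual operator==, so derived classes only override ==.
    bool operator!=(const IpsOption& ips) const
    { return !(*this == ips); }

    // Defaults to false; what makes an option an "agent" is not defined here.
    virtual bool is_agent() { return false; }

    // packet threads
    // Defaults to false; presumably true when the option evaluates relative
    // to the current cursor position - confirm against an overriding option.
    virtual bool is_relative() { return false; }

    // Defaults to false, i.e. no re-evaluation is requested.
    virtual bool retry(Cursor&, const Cursor&) { return false; }

    // Defaults to doing nothing.
    virtual void action(Packet*) { }

    // Result of eval(); the precise meaning of NO_ALERT and FAILED_BIT is
    // defined by the caller, not by this header.
    enum EvalStatus { NO_MATCH, MATCH, NO_ALERT, FAILED_BIT };

    // The default returns MATCH: an option that does not override eval()
    // matches whenever it is evaluated. A detection option that forgets the
    // override therefore never narrows the rule.
    virtual EvalStatus eval(Cursor&, Packet*) { return MATCH; }

    // Accessors for the values stored by the constructor.
    option_type_t get_type() const { return type; }
    const char* get_name() const { return name; }
    const char* get_buffer() const { return buffer; }

    // Defaults to CAT_NONE.
    virtual CursorActionType get_cursor_type() const
    { return CAT_NONE; }

    // for fast-pattern options like content
    // Both default to nullptr, so callers must handle a null result.
    virtual PatternMatchData* get_pattern(SnortProtocolId, RuleDirection = RULE_WO_DIR)
    { return nullptr; }

    virtual PatternMatchData* get_alternate_pattern()
    { return nullptr; }

    // Static, so it acts on state shared by all options rather than on one
    // instance; the definition is not in this header.
    // NOTE(review): presumably records the buffer name that later-constructed
    // options pick up - confirm, and confirm it is only called while rules
    // are parsed.
    static void set_buffer(const char*);

protected:
    // Only derived classes construct an IpsOption. s is the option name; t
    // defaults to RULE_OPTION_TYPE_OTHER.
    IpsOption(const char* s, option_type_t t = RULE_OPTION_TYPE_OTHER);

private:
    // Raw, non-owning pointers; nothing in this header copies the strings.
    // NOTE(review): the pointed-to text presumably has to outlive the option
    // (for example a string literal) - confirm against the constructor.
    const char* name;
    const char* buffer;
    option_type_t type;
};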
122 
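// Category an IPS option plugin declares in IpsApi::type. The listing's
// line-number gutter has been stripped so the enum compiles again.
// NOTE(review): OPT_TYPE_MAX looks like a count sentinel rather than a real
// category; a loader should presumably reject a plugin whose type is
// >= OPT_TYPE_MAX before using it as an index - confirm in the loader.
enum RuleOptType
{
    OPT_TYPE_LOGGING,
    OPT_TYPE_DETECTION,
    OPT_TYPE_META,
    OPT_TYPE_MAX
};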
130 
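// Function-pointer types used by the IpsApi table. Written as alias
// declarations (same types as the original typedefs), with the listing's
// line-number gutter stripped.

// Hook that receives the configuration read-only; IpsApi uses it for
// pinit, pterm, tinit, tterm and verify.
using IpsOptFunc = void (*)(const SnortConfig*);

// Factory and matching destroyer for an option instance (IpsApi::ctor and
// IpsApi::dtor).
// NOTE(review): the factory returns a raw pointer; presumably the object
// must be released through the same plugin's IpsDelFunc rather than a plain
// delete in the host, since the plugin chose the allocation - confirm.
using IpsNewFunc = IpsOption* (*)(Module*, OptTreeNode*);
using IpsDelFunc = void (*)(IpsOption*);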
135 
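// Descriptor an IPS option plugin exports: common plugin data, the option's
// category and limits, and the entry points the host calls. The listing's
// line-number gutter has been stripped; field order and types are unchanged
// because the layout is part of the plugin binary contract.
//
// NOTE(review): every entry point below is a bare function pointer supplied
// by the plugin. Whether any of them may be null is not stated in this
// header - the host should check before calling, and the table should be
// accepted only from plugins whose API version matches IPSAPI_VERSION.
struct IpsApi
{
    BaseApi base;           // common plugin header (declared in framework/base_api.h)
    RuleOptType type;       // option category

    unsigned max_per_rule;  // presumably the allowed occurrences per rule - confirm what 0 means
    unsigned protos;        // presumably a bit mask of protocols the option applies to - confirm

    // NOTE(review): names suggest process-wide init/term (pinit/pterm) and
    // per-thread init/term (tinit/tterm) - confirm against the host.
    IpsOptFunc pinit;
    IpsOptFunc pterm;
    IpsOptFunc tinit;
    IpsOptFunc tterm;
    IpsNewFunc ctor;        // creates an IpsOption for a parsed rule option
    IpsDelFunc dtor;        // destroys an IpsOption created by ctor
    IpsOptFunc verify;      // receives the configuration; call timing not shown here
};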
152 }
153 #endif