1 /* $Id$ */
2 /*
3 ** Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
4 ** Copyright (C) 2007-2013 Sourcefire, Inc.
5 **
6 ** This program is free software; you can redistribute it and/or modify
7 ** it under the terms of the GNU General Public License Version 2 as
8 ** published by the Free Software Foundation.  You may not use, modify or
9 ** distribute this program under any other version of the GNU General
10 ** Public License.
11 **
12 ** This program is distributed in the hope that it will be useful,
13 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
14 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 ** GNU General Public License for more details.
16 **
17 ** You should have received a copy of the GNU General Public License
18 ** along with this program; if not, write to the Free Software
19 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
20 **
21 **/
22 
23 /**
24 **  @file        detection_options.h
25 **
26 **  @author      Steven Sturges
27 **
28 **  @brief       Support functions for rule option tree
29 **
30 **  This implements tree processing for rule options, evaluating common
31 **  detection options only once per pattern match.
32 **
33 */
34 
35 #ifndef DETECTION_OPTIONS_H_
36 #define DETECTION_OPTIONS_H_
37 
38 #include "sf_types.h"
39 #include "decode.h"
40 #include "sfutil/sfxhash.h"
41 #include "rule_option_types.h"
42 
/* Results of comparing two rule options for equality when de-duplicating
 * them into the detection hash tables (presumably returned by the
 * per-option-type compare routines; confirm in detection_options.c). */
#define DETECTION_OPTION_EQUAL 0
#define DETECTION_OPTION_NOT_EQUAL 1

/* Result codes of evaluating a rule option / option-tree node against a
 * packet (see detection_option_tree_node_t.result and eval_func_t).
 * NOTE(review): whether the evaluator treats these as an enumeration or as
 * a bit mask (3 == MATCH|NO_ALERT) is not visible from this header;
 * confirm before combining them with bitwise operators. */
#define DETECTION_OPTION_NO_MATCH 0
#define DETECTION_OPTION_MATCH 1
#define DETECTION_OPTION_NO_ALERT 2
#define DETECTION_OPTION_FAILED_BIT 3
50 
51 #include "sfutil/sfhashfcn.h"
52 
/* Evaluator callback for one rule option.
 *   option_data: the option's private data; its concrete type is implied by
 *                the owning node's option_type (a void*, so nothing checks
 *                that the callback and the data agree at runtime).
 *   p:           the packet being inspected.
 * The return value is presumably one of the DETECTION_OPTION_* evaluation
 * codes above — verify against the callbacks registered for each option. */
typedef int (*eval_func_t)(void *option_data, Packet *p);
54 
/* One node of the rule-option tree. Rules that share a prefix of options
 * share the nodes for that prefix, which is how a common option gets
 * evaluated once per pattern match instead of once per rule (file header). */
typedef struct _detection_option_tree_node
{
    void *option_data;     /* option-specific data handed to `evaluate`; type is
                            * implied by option_type, nothing enforces the pairing */
    option_type_t option_type; /* discriminator for option_data (rule_option_types.h) */
    eval_func_t evaluate;  /* callback that evaluates this option on a packet;
                            * whether it may be NULL for some node kinds is not
                            * visible here — check before calling */
    int num_children;      /* number of entries in children[] (signed) */
    struct _detection_option_tree_node **children; /* array of num_children child
                            * nodes; ownership presumably belongs to the tree
                            * hash table (DetectionTreeHashTableFree) — verify */
    int relative_children; /* count of children whose option is evaluated relative
                            * to this node's match position — presumably forces
                            * re-evaluation per match rather than a cache hit; confirm */
    int result;            /* most recent DETECTION_OPTION_* evaluation result */
    struct
    {
        /* Snapshot of the last evaluation so a node shared by several
         * rules can reuse `result` for the same packet instead of
         * re-running `evaluate`. NOTE(review): a cache hit must compare
         * all of ts, packet_number and rebuild_flag — the same
         * packet_number can presumably reappear as a rebuilt/reassembled
         * packet, which rebuild_flag is meant to distinguish. Confirm the
         * comparison in detection_options.c. */
        struct timeval ts;      /* timestamp of the packet last evaluated
                                 * (struct timeval must be supplied by an
                                 * included header; <sys/time.h> is not
                                 * included directly here) */
        uint64_t packet_number; /* sequence number of the packet last evaluated */
        uint32_t rebuild_flag;  /* packet rebuild/reassembly flags at that time */
        char result;            /* cached DETECTION_OPTION_* result (narrowed from int) */
        char is_relative;       /* cached: evaluation was relative to a prior match */
        char flowbit_failed;    /* cached: a flowbit check failed during evaluation */
        char pad; /* Keep 4 byte alignment of the four chars above (no semantic use) */
    } last_check;
#ifdef PERF_PROFILING
    uint64_t ticks;          /* total CPU ticks spent evaluating this node */
    uint64_t ticks_match;    /* ticks spent on evaluations that matched */
    uint64_t ticks_no_match; /* ticks spent on evaluations that did not match */
    uint64_t checks;         /* number of evaluations */
#endif
#ifdef PPM_MGR
    uint64_t ppm_disable_cnt; /*PPM: times packet-performance monitoring disabled this node — confirm */
    uint64_t ppm_enable_cnt; /*PPM: times it was re-enabled — confirm */
#endif
} detection_option_tree_node_t;
85 
/* Root of an option tree: holds the first-level nodes for the rules that
 * share one pattern match. The root itself carries no option. */
typedef struct _detection_option_tree_root
{
    int num_children;                       /* number of entries in children[] (signed) */
    detection_option_tree_node_t **children; /* first-level nodes; ownership presumably
                                             * with the tree hash table — verify */

#ifdef PPM_MGR
    uint64_t ppm_suspend_time; /* PPM: time at which evaluation of this tree was suspended — confirm units in ppm.h */
    uint64_t ppm_disable_cnt; /*PPM: number of times PPM disabled this tree — confirm */
    int tree_state;            /* PPM: enabled/disabled state of the tree (values defined by ppm) */
#endif
} detection_option_tree_root_t;
97 
/* Per-packet evaluation context threaded through
 * detection_option_node_evaluate() as it walks an option tree. */
typedef struct _detection_option_eval_data
{
    void *pomd;            /* presumably the match data of the rule/OTN being
                            * evaluated — confirm against detection_options.c */
    void *pmd;             /* presumably the pattern-match data that triggered
                            * this tree walk — confirm */
    Packet *p;             /* packet under inspection (passed to each node's evaluate) */
    char flowbit_failed;   /* set when a flowbit option failed during this walk
                            * (a field of the same name is cached per node) */
    char flowbit_noalert;  /* set when a flowbit option asked for no alert */
    uint8_t detection_filter_count; /* NOTE(review): 8-bit counter; if it is
                            * incremented once per matching node it wraps at
                            * 255 — confirm the evaluator bounds it */
} detection_option_eval_data_t;
107 
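/* Forward declaration so the prototypes below refer to the file-scope tag.
 * In C, a `struct X *` parameter whose tag has not yet been declared gets
 * prototype scope, making the parameter type incompatible with the real
 * struct at call sites (compilers warn about it). This declaration is
 * harmless if an included header has already declared the tag. */
struct _SnortConfig;

/* Register one rule option in the per-config detection hash table so that
 * identical options are shared between rules.
 *   type / option_data: the option and its private data.
 *   existing_data:      out-parameter; presumably receives the already
 *                       registered option_data when an equal option exists,
 *                       so the caller can discard its duplicate.
 * Return-code convention is defined in detection_options.c — verify there. */
int add_detection_option(struct _SnortConfig *, option_type_t type, void *option_data, void **existing_data);

/* Same as add_detection_option() but for whole option subtrees, keyed by
 * the tree's structure; existing_data presumably receives the shared
 * subtree on a duplicate. */
int add_detection_option_tree(struct _SnortConfig *, detection_option_tree_node_t *option_tree, void **existing_data);

/* Evaluate `node` (and, on a match, its children) against eval_data->p,
 * using node->last_check to avoid re-evaluating a node already checked for
 * this packet. Returns a DETECTION_OPTION_* result code. */
int detection_option_node_evaluate(detection_option_tree_node_t *node, detection_option_eval_data_t *eval_data);

/* Release the option hash table / the option-tree hash table built by the
 * add_* functions above. Presumably frees the registered option data and
 * nodes as well — confirm ownership in detection_options.c. */
void DetectionHashTableFree(SFXHASH *);
void DetectionTreeHashTableFree(SFXHASH *);
#ifdef DEBUG_OPTION_TREE
/* Debug dump of an option tree; `level` is the indentation depth. */
void print_option_tree(detection_option_tree_node_t *node, int level);
#endif
#ifdef PERF_PROFILING
/* Roll the per-node tick/check counters up into the per-rule (OTN) profile stats. */
void detection_option_tree_update_otn_stats(SFXHASH *);
#endif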
119 
120 #endif /* DETECTION_OPTIONS_H_ */
121 
122