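/* $Id$ */
/*
** Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
** Copyright (C) 2007-2013 Sourcefire, Inc.
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
**
**/

/**
** @file detection_options.h
**
** @author Steven Sturges
**
** @brief Support functions for rule option tree
**
** This implements tree processing for rule options, evaluating common
** detection options only once per pattern match.
**
** Build note: the node and root structures below gain extra members when
** PERF_PROFILING or PPM_MGR is defined, so their size and member offsets
** depend on the build configuration. Every translation unit that touches
** these types must be compiled with the same settings; a mismatch makes
** code read and write the wrong offsets.
**
*/

#ifndef DETECTION_OPTIONS_H_
#define DETECTION_OPTIONS_H_

#include "sf_types.h"
#include "decode.h"
#include "sfutil/sfxhash.h"
#include "rule_option_types.h"

/*
 * Two-valued comparison result.
 * NOTE(review): presumably returned by the per-option compare routines used
 * when de-duplicating options -- confirm against the callers.
 */
#define DETECTION_OPTION_EQUAL 0
#define DETECTION_OPTION_NOT_EQUAL 1

/*
 * Evaluation result codes.
 * NOTE(review): presumably the values an eval_func_t and
 * detection_option_node_evaluate() hand back -- confirm. NO_MATCH is 0, so
 * a zero-initialised result reads as "no match".
 */
#define DETECTION_OPTION_NO_MATCH 0
#define DETECTION_OPTION_MATCH 1
#define DETECTION_OPTION_NO_ALERT 2
#define DETECTION_OPTION_FAILED_BIT 3

#include "sfutil/sfhashfcn.h"

/*
 * The prototypes below take a struct _SnortConfig pointer. Without a
 * declaration visible at file scope, the tag would be declared inside each
 * prototype and be a distinct, incompatible type there. Declaring the tag
 * here keeps the header usable on its own; it is a harmless redeclaration
 * if one of the includes above already provides it.
 */
struct _SnortConfig;

/*
 * Signature of a rule-option evaluator: receives the node's opaque
 * option_data and the packet, and returns an int.
 * NOTE(review): option_data is untyped, so each evaluator has to be paired
 * with data of the type it expects -- confirm where that pairing is enforced.
 */
typedef int (*eval_func_t)(void *option_data, Packet *p);

/* One node of the rule option tree. */
typedef struct _detection_option_tree_node
{
    void *option_data;          /* opaque argument passed to evaluate */
    option_type_t option_type;  /* NOTE(review): presumably identifies what option_data points to -- confirm */
    eval_func_t evaluate;       /* evaluator for this node */
    int num_children;           /* NOTE(review): presumably the element count of children; it is signed, so
                                 * code that indexes children should treat a negative value as invalid */
    struct _detection_option_tree_node **children;
    int relative_children;
    int result;

    /*
     * Record of the most recent check of this node.
     * NOTE(review): presumably compared with the current packet so that an
     * option shared between rules is evaluated once (see the file brief).
     * A stale hit would reuse an old verdict, so confirm that every input
     * able to change the outcome takes part in that comparison.
     */
    struct
    {
        struct timeval ts;
        uint64_t packet_number;
        uint32_t rebuild_flag;
        char result;
        char is_relative;
        char flowbit_failed;
        char pad; /* Keep 4 byte alignment */
    } last_check;
#ifdef PERF_PROFILING
    uint64_t ticks;
    uint64_t ticks_match;
    uint64_t ticks_no_match;
    uint64_t checks;
#endif
#ifdef PPM_MGR
    uint64_t ppm_disable_cnt; /*PPM */
    uint64_t ppm_enable_cnt;  /*PPM */
#endif
} detection_option_tree_node_t;

/* Root of a rule option tree: holds only the child list, plus PPM state when PPM_MGR is defined. */
typedef struct _detection_option_tree_root
{
    int num_children;           /* NOTE(review): presumably the element count of children -- confirm */
    detection_option_tree_node_t **children;

#ifdef PPM_MGR
    uint64_t ppm_suspend_time; /* PPM */
    uint64_t ppm_disable_cnt;  /*PPM */
    int tree_state;
#endif
} detection_option_tree_root_t;

/* Per-evaluation context passed to detection_option_node_evaluate(). */
typedef struct _detection_option_eval_data
{
    void *pomd;                 /* opaque; concrete type is not visible from this header */
    void *pmd;                  /* opaque; concrete type is not visible from this header */
    Packet *p;                  /* packet being evaluated */
    char flowbit_failed;
    char flowbit_noalert;
    uint8_t detection_filter_count; /* 8-bit, so it wraps past 255; NOTE(review): confirm its users bound it */
} detection_option_eval_data_t;

/*
 * NOTE(review): the two add_* functions presumably register an option (or a
 * whole option tree) with the given configuration and report an
 * already-registered equivalent through *existing_data. Neither the meaning
 * of the int result nor the ownership of option_data, option_tree and
 * *existing_data is visible from this header -- confirm against the
 * implementation before freeing or reusing any of them.
 */
int add_detection_option(struct _SnortConfig *, option_type_t type, void *option_data, void **existing_data);
int add_detection_option_tree(struct _SnortConfig *, detection_option_tree_node_t *option_tree, void **existing_data);

/*
 * Evaluates a tree node against the context in eval_data and returns an int.
 * NOTE(review): presumably one of the DETECTION_OPTION_* result codes, or a
 * count derived from them -- confirm.
 */
int detection_option_node_evaluate(detection_option_tree_node_t *node, detection_option_eval_data_t *eval_data);

/* NOTE(review): presumably release the option and option-tree hash tables; whether NULL is accepted is not visible here. */
void DetectionHashTableFree(SFXHASH *);
void DetectionTreeHashTableFree(SFXHASH *);
#ifdef DEBUG_OPTION_TREE
/* Debug-only helper taking a node and a nesting level. */
void print_option_tree(detection_option_tree_node_t *node, int level);
#endif
#ifdef PERF_PROFILING
void detection_option_tree_update_otn_stats(SFXHASH *);
#endif

#endif /* DETECTION_OPTIONS_H_ */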