1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 // Copyright (C) 2002-2013 Sourcefire, Inc.
4 // Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
5 //
6 // This program is free software; you can redistribute it and/or modify it
7 // under the terms of the GNU General Public License Version 2 as published
8 // by the Free Software Foundation.  You may not use, modify or distribute
9 // this program under any other version of the GNU General Public License.
10 //
11 // This program is distributed in the hope that it will be useful, but
12 // WITHOUT ANY WARRANTY; without even the implied warranty of
13 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14 // General Public License for more details.
15 //
16 // You should have received a copy of the GNU General Public License along
17 // with this program; if not, write to the Free Software Foundation, Inc.,
18 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
19 //--------------------------------------------------------------------------
20 
21 #ifndef RULES_H
22 #define RULES_H
23 
24 // misc rule and rule list support
25 // FIXIT-L refactor this header
26 
27 #include <map>
28 #include <string>
29 
30 #include "actions/actions.h"
31 #include "main/policy.h"
32 
// Generator IDs (GIDs) named by this header.
#define GID_DEFAULT 1
#define GID_SESSION 135

// Bounds of the GID range treated as builtin.
// NOTE(review): whether both ends are inclusive is decided where these are
// compared - confirm at the use sites.
#define GID_BUILTIN_MIN 100
#define GID_BUILTIN_MAX 999

// should be revoked in the future
// NOTE(review): 138 falls numerically inside GID_BUILTIN_MIN..GID_BUILTIN_MAX,
// so the "exception" presumably carves it out of a builtin-range check - confirm.
#define GID_EXCEPTION_SDF 138

// Session event codes.
// NOTE(review): presumably used together with GID_SESSION - confirm.
#define SESSION_EVENT_SYN_RX 1
#define SESSION_EVENT_SETUP 2
#define SESSION_EVENT_CLEAR 3

// Non-zero only when gid equals GID_SESSION. The argument is parenthesized so
// that an expression passed as gid is compared as a whole.
#define EventIsInternal(gid) ((gid) == GID_SESSION)
47 
// Forward declarations: this header only names these types through pointers,
// so their full definitions are not needed here.
namespace snort { class IpsAction; struct SnortConfig; }

struct OutputSet;
struct RuleTreeNode;
55 
// Head of one rule list: two output sets plus a pointer to the RuleListNode
// it is linked with.
// NOTE(review): all three members are raw pointers with no initializer, so a
// default-constructed ListHead holds indeterminate values; ownership is not
// visible from this header - confirm who allocates and frees them.
struct ListHead
{
    OutputSet* LogList;                  // outputs used for logging
    OutputSet* AlertList;                // outputs used for alerting
    struct RuleListNode* ruleListNode;   // node this head is attached to
};
62 
// for top-level rule lists by type (alert, drop, etc.)
// Nodes are chained through `next`.
// NOTE(review): `name` is a raw char* and `RuleList` a raw pointer; this
// header does not show who owns or frees them - confirm before copying nodes.
struct RuleListNode
{
    ListHead* RuleList;     // the rule list associated with this node
    Actions::Type mode;     // the rule mode
    unsigned evalIndex;     // eval index for this rule set
    char* name;             // name of this rule list
    RuleListNode* next;     // the next RuleListNode
};
72 
// Identifies one rule within one policy by (policy_id, gid, sid).
struct RuleKey
{
    unsigned policy_id;
    unsigned gid;
    unsigned sid;

    // Declared here, defined elsewhere. RuleStateMap keys a std::map on
    // RuleKey with the default comparator, so this operator decides which
    // keys count as the same rule.
    // NOTE(review): it must be a strict weak ordering over all three fields;
    // if a field were left out, states for distinct rules would collapse into
    // one map entry - confirm against the definition.
    friend bool operator<(const RuleKey& lhs, const RuleKey& rhs);
};
81 
// State recorded for one rule: an action in two forms and an enable setting.
// NOTE(review): presumably `rule_action` is the action as text and `action`
// its numeric form - confirm against the code that fills this struct.
// NOTE(review): `action` and `enable` have no initializer, so a
// default-constructed RuleState leaves them indeterminate; RuleStateMap::add
// default-constructs one via operator[] before assigning over it.
// NOTE(review): uint8_t needs <cstdint>, which this header does not include
// directly; presumably it arrives through another include - confirm.
struct RuleState
{
    std::string rule_action;
    uint8_t action;
    IpsPolicy::Enable enable;
};
88 
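// Collects RuleState entries keyed by RuleKey (policy_id, gid, sid) and
// applies them to a SnortConfig. Only add() is defined here; the other
// members are defined out of line.
class RuleStateMap
{
public:
    // Record `state` for `key`.
    // Assignment through operator[] means a second add() with an equal key
    // replaces the earlier entry without any signal. For rule enable/disable
    // state the last writer therefore wins, so a later entry can quietly
    // switch off a rule that an earlier one enabled; callers that need to
    // detect conflicting entries have to check before calling add().
    void add(const RuleKey& key, const RuleState& state)
    { map[key] = state; }

    // Defined elsewhere.
    // NOTE(review): presumably pushes every stored state into the rules of
    // the given configuration - confirm against the implementation.
    void apply(snort::SnortConfig*);

private:
    // Helpers for apply(); defined elsewhere.
    // NOTE(review): OptTreeNode is not declared in the visible part of this
    // header; presumably it comes in through an include - confirm.
    RuleTreeNode* dup_rtn(RuleTreeNode*, IpsPolicy*);
    void update_rtn(snort::SnortConfig*, RuleTreeNode*, const RuleState&);
    void apply(snort::SnortConfig*, OptTreeNode*, unsigned ips_num, const RuleState&);

    // Ordered by RuleKey's operator<.
    std::map<RuleKey, RuleState> map;
};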
105 
106 #endif