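/*
** $Id$
**
** fpcreate.h
**
** Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
** Copyright (C) 2002-2013 Sourcefire, Inc.
** Dan Roelker <droelker@sourcefire.com>
** Marc Norton <mnorton@sourcefire.com>
**
** NOTES
** 5.7.02 - Initial Sourcecode. Norton/Roelker
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
**
** 6/13/05 - marc norton
**   Added plugin support for fast pattern match data
**
*/
/*
 * NOTE(review): the guard name is in the implementation-reserved
 * identifier space (leading double underscore).  It is kept as-is
 * for compatibility with any existing #ifdef checks on it.
 */
#ifndef __FPCREATE_H__
#define __FPCREATE_H__

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

/*
 * int16_t is used by fpGetServicePortGroupByOrdinal() below; include it
 * here so this header stands on its own instead of relying on a
 * transitive include from the project headers.
 */
#include <stdint.h>

#include "rules.h"
#include "treenodes.h"
//#include "parser.h"
#include "pcrm.h"

/*
 * Max Number of Protocols Supported by Rules in fpcreate.c
 * for tcp,udp,icmp,ip ... this is an array dimension used to
 * map protocol-ordinals to port_groups ...
 */
/* This is now defined in sftarget_protocol_reference.h
 * #define MAX_PROTOCOL_ORDINAL 8192 */
#include "sftarget_protocol_reference.h"


/*
 * This controls how many fast pattern match contents may be
 * used/retrieved per rule in fpcreate.c.
 */
#define PLUGIN_MAX_FPLIST_SIZE 16

/*
 * Bit flags for the detection engine's port-list handling / debug
 * output.  Presumably OR'ed into FastPatternConfig.portlists_flags by the
 * fpDetectSet*() setters and read back by the fpDetectGet*() accessors
 * declared below -- verify against fpcreate.c.
 * (PL_DEBUG_PRINT_RULEGROWP_BUILD is spelled as in the original; the
 * name is part of the public interface and is not renamed here.)
 */
#define PL_BLEEDOVER_WARNINGS_ENABLED        0x01
#define PL_DEBUG_PRINT_NC_DETECT_RULES       0x02
#define PL_DEBUG_PRINT_RULEGROWP_BUILD       0x04
#define PL_DEBUG_PRINT_RULEGROUPS_UNCOMPILED 0x08
#define PL_DEBUG_PRINT_RULEGROUPS_COMPILED   0x10
#define PL_SINGLE_RULE_GROUP                 0x20

/*
 * Pairs a rule node with its pattern match data.  Both members are
 * opaque here (void *) so this header does not depend on the definitions
 * of those types; the concrete types are fixed by fpcreate.c.
 */
typedef struct _pmx_
{

  void * RuleNode;
  void * PatternMatchData;

} PMX;

/* Used for negative content list -- a singly linked list of PMX entries. */
typedef struct _NCListNode
{
  PMX *pmx;
  struct _NCListNode *next;

} NCListNode;

/*
** This structure holds configuration options for the
** detection engine.
**
** Field meanings are inferred from their names and the setters below;
** confirm the exact semantics in fpcreate.c before relying on them.
*/
typedef struct _FastPatternConfig
{
    int inspect_stream_insert;
    int search_method;
    int search_opt;
    int search_method_verbose;
    int debug;
    unsigned int max_queue_events;
    unsigned int bleedover_port_limit; /* NOTE: fpDetectGetBleedOverPortLimit() returns int */
    int configured;
    int portlists_flags;               /* PL_* bits, see above */
    int split_any_any;
    int max_pattern_len;
    int num_patterns_truncated;  /* due to max_pattern_len */
    int num_patterns_trimmed;    /* due to zero byte prefix */
    int debug_print_fast_pattern;

} FastPatternConfig;

#ifdef TARGET_BASED
/*
 * Service Rule Map Master Table
 *
 * One hash table per (protocol, direction) pair.  Hash key and value
 * types are not visible from this header -- see fpcreate.c.
 */
typedef struct
{
    SFGHASH * tcp_to_srv;
    SFGHASH * tcp_to_cli;

    SFGHASH * udp_to_srv;
    SFGHASH * udp_to_cli;

    SFGHASH * icmp_to_srv;
    SFGHASH * icmp_to_cli;

    SFGHASH * ip_to_srv;
    SFGHASH * ip_to_cli;

} srmm_table_t;

/*
 * Service/Protocol Ordinal To PORT_GROUP table
 *
 * Every array here has exactly MAX_PROTOCOL_ORDINAL entries, so any
 * ordinal used to index them must satisfy 0 <= ordinal < MAX_PROTOCOL_ORDINAL;
 * an unchecked index is an out-of-bounds read of a PORT_GROUP pointer.
 */
typedef struct
{
    PORT_GROUP *tcp_to_srv[MAX_PROTOCOL_ORDINAL];
    PORT_GROUP *tcp_to_cli[MAX_PROTOCOL_ORDINAL];

    PORT_GROUP *udp_to_srv[MAX_PROTOCOL_ORDINAL];
    PORT_GROUP *udp_to_cli[MAX_PROTOCOL_ORDINAL];

    PORT_GROUP *icmp_to_srv[MAX_PROTOCOL_ORDINAL];
    PORT_GROUP *icmp_to_cli[MAX_PROTOCOL_ORDINAL];

    PORT_GROUP *ip_to_srv[MAX_PROTOCOL_ORDINAL];
    PORT_GROUP *ip_to_cli[MAX_PROTOCOL_ORDINAL];

} sopg_table_t;
#endif

/*
** This function initializes the detection engine configuration
** options before setting them.
*/
int fpInitDetectionEngine(void);

/*
** This is the main routine to create a FastPacket inspection
** engine.  It reads in the snort list of RTNs and OTNs and
** assigns them to PORT_MAPS.
*/
int fpCreateFastPacketDetection(struct _SnortConfig *);

/*
** Allocation / defaulting / release of a FastPatternConfig.
** The object returned by FastPatternConfigNew() is owned by the caller
** and is released with FastPatternConfigFree().
*/
FastPatternConfig * FastPatternConfigNew(void);
void fpSetDefaults(FastPatternConfig *);
void FastPatternConfigFree(FastPatternConfig *);

/*
** Functions that allow the detection routines to
** find the right classification for a given packet.
** The PORT_GROUP ** out-parameters receive pointers into the map;
** return value semantics are defined in fpcreate.c.
*/
int prmFindRuleGroupIp(PORT_RULE_MAP *, int, PORT_GROUP **, PORT_GROUP **);
int prmFindRuleGroupIcmp(PORT_RULE_MAP *, int, PORT_GROUP **, PORT_GROUP **);

#ifdef TARGET_BASED
int prmFindRuleGroupTcp(PORT_RULE_MAP *prm, int dport, int sport, PORT_GROUP ** src, PORT_GROUP **dst, PORT_GROUP **nssrc, PORT_GROUP **nsdst, PORT_GROUP ** gen);
int prmFindRuleGroupUdp(PORT_RULE_MAP *prm, int dport, int sport, PORT_GROUP ** src, PORT_GROUP ** dst, PORT_GROUP **nssrc, PORT_GROUP **nsdst, PORT_GROUP ** gen);
#else
int prmFindRuleGroupTcp(PORT_RULE_MAP *, int, int, PORT_GROUP **, PORT_GROUP **, PORT_GROUP **);
int prmFindRuleGroupUdp(PORT_RULE_MAP *, int, int, PORT_GROUP **, PORT_GROUP **, PORT_GROUP **);
#endif

/*
** Configuration setters.  fpSetDetectSearchMethod() takes a non-const
** char *; whether the string is modified or retained is not visible
** here -- check the definition before passing a literal or a buffer
** the caller intends to free.
*/
int fpSetDetectSearchMethod(FastPatternConfig *, char *);
void fpSetDetectSearchOpt(FastPatternConfig *, int flag);
void fpSetDebugMode(FastPatternConfig *);
void fpSetStreamInsert(FastPatternConfig *);
void fpSetMaxQueueEvents(FastPatternConfig *, unsigned int);
void fpDetectSetSplitAnyAny(FastPatternConfig *, int);
void fpSetMaxPatternLen(FastPatternConfig *, unsigned int);

void fpDetectSetSingleRuleGroup(FastPatternConfig *);
void fpDetectSetBleedOverPortLimit(FastPatternConfig *, unsigned int);
void fpDetectSetBleedOverWarnings(FastPatternConfig *);
void fpDetectSetDebugPrintNcRules(FastPatternConfig *);
void fpDetectSetDebugPrintRuleGroupBuildDetails(FastPatternConfig *);
void fpDetectSetDebugPrintRuleGroupsCompiled(FastPatternConfig *);
void fpDetectSetDebugPrintRuleGroupsUnCompiled(FastPatternConfig *);
void fpDetectSetDebugPrintFastPatterns(FastPatternConfig *, int);

/*
** Configuration accessors.  The bleed-over port limit is stored as
** unsigned int but returned as int; values above INT_MAX would not
** round-trip -- presumably never configured that large, but confirm.
*/
int fpDetectGetSingleRuleGroup(FastPatternConfig *);
int fpDetectGetBleedOverPortLimit(FastPatternConfig *);
int fpDetectGetBleedOverWarnings(FastPatternConfig *);
int fpDetectGetDebugPrintNcRules(FastPatternConfig *);
int fpDetectGetDebugPrintRuleGroupBuildDetails(FastPatternConfig *);
int fpDetectGetDebugPrintRuleGroupsCompiled(FastPatternConfig *);
int fpDetectGetDebugPrintRuleGroupsUnCompiled(FastPatternConfig *);
int fpDetectSplitAnyAny(FastPatternConfig *);
int fpDetectGetDebugPrintFastPatterns(FastPatternConfig *);

/* Tear-down counterparts of fpCreateFastPacketDetection(). */
void fpDeleteFastPacketDetection(struct _SnortConfig *);
void free_detection_option_tree(detection_option_tree_node_t *node);

int OtnFlowDir( OptTreeNode * p );
#ifdef TARGET_BASED
/*
 * Looks up a PORT_GROUP in a sopg_table_t.  The int16_t argument is
 * presumably the protocol ordinal that indexes the MAX_PROTOCOL_ORDINAL
 * sized arrays; since the type is signed, the implementation must reject
 * negative and >= MAX_PROTOCOL_ORDINAL values before indexing --
 * NOTE(review): confirm that check exists in fpcreate.c.
 */
PORT_GROUP * fpGetServicePortGroupByOrdinal(sopg_table_t *, int, int, int16_t);
#endif

/*
** Shows the event stats for the created FastPacketDetection
*/
void fpShowEventStats(struct _SnortConfig *);

/*
** Callback type for fpWalkOtns(): invoked once per (RTN, OTN) pair.
** The meaning of the int argument and of a non-zero return is defined
** by fpcreate.c.
*/
typedef int (*OtnWalkFcn)(int, RuleTreeNode *, OptTreeNode *);
void fpWalkOtns(int, OtnWalkFcn);
void fpDynamicDataFree(void *);

/*
** Renders a raw pattern of pattern_len bytes as content-option text.
** Lifetime/ownership of the returned string is not specified here; check
** fpcreate.c before retaining or freeing it.  pattern_len is a signed
** int -- callers must not pass a negative length.
*/
const char * PatternRawToContent(const char *pattern, int pattern_len);

#endif  /* __FPCREATE_H__ */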