/* Copyright (C) 2007-2013 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \ingroup sigstate
 *
 * @{
 */

/**
 * \file
 *
 * \brief Data structures and function prototypes for keeping
 *        state for the detection engine.
 *
 * The types below describe how per-signature inspection results are
 * remembered across calls for a transaction, per direction, so that a
 * signature that could not (yet) match is not re-inspected needlessly.
 * Only declarations live here; the behaviour is implemented in the
 * matching .c file.
 *
 * \author Victor Julien <victor@inliniac.net>
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
 */

/* NOTE(review): identifiers beginning with a double underscore are reserved
 * for the implementation (C11 7.1.3).  The guard name is left unchanged here,
 * presumably for consistency with the other headers in the tree. */
#ifndef __DETECT_ENGINE_STATE_H__
#define __DETECT_ENGINE_STATE_H__

/* Result codes of a per-signature inspection pass.  Only the names and the
 * two documented file-related cases are visible here; how the callers act
 * on each code is defined in the detection engine itself. */
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH 0
#define DETECT_ENGINE_INSPECT_SIG_MATCH 1
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH 2
/** indicate that the file inspection portion of a sig didn't match.
 *  This is used to handle state keeping as the detect engine is still
 *  only marginally aware of files. */
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES 3
/** hack to work around a file inspection limitation. Since there can be
 *  multiple files in a TX and the detection engine really doesn't know
 *  about that, we have to give the file inspection engine a way to
 *  indicate that one of the files matched, but that there are still
 *  more files that have ongoing inspection.
 */
#define DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES 4

/** number of DeStateStoreItem's in one DeStateStore object */
#define DE_STATE_CHUNK_SIZE 15

/* per sig flags
 *
 * BIT_U32() values; DeStateStoreItem::flags is a uint32_t of the same
 * width, which is presumably where they are stored -- confirm in the .c.
 * Bit positions 0..2 are taken by the three built-in flags below. */
#define DE_STATE_FLAG_FULL_INSPECT BIT_U32(0)
#define DE_STATE_FLAG_SIG_CANT_MATCH BIT_U32(1)
/* flag set if file inspecting sig did not match, but might need to be
 * re-evaluated for a new file in a tx */
#define DE_STATE_ID_FILE_INSPECT 2UL
#define DE_STATE_FLAG_FILE_INSPECT BIT_U32(DE_STATE_ID_FILE_INSPECT)

/* first bit position after the built-ins.
 * Anything derived from this base must stay below bit 32 to remain a valid
 * BIT_U32() value; the upper bound is not checked in this header. */
#define DE_STATE_FLAG_BASE 3UL

/* state flags
 *
 * Used by app-layer-parsers to notify us that new files
 * are available in the tx.
 *
 * BIT_U8() values, stored in DetectEngineStateDirection::flags (uint8_t);
 * see the coccinelle annotation on that member. */
#define DETECT_ENGINE_STATE_FLAG_FILE_NEW BIT_U8(0)

/** one remembered per-signature result */
typedef struct DeStateStoreItem_ {
    uint32_t flags;     /**< DE_STATE_FLAG_* bits, presumably (see above) */
    SigIntId sid;       /**< internal id of the signature this entry is for */
} DeStateStoreItem;

/** fixed-size chunk of DeStateStoreItem's.  Chunks are chained through
 *  \a next into a singly linked list; a NULL \a next ends the list. */
typedef struct DeStateStore_ {
    DeStateStoreItem store[DE_STATE_CHUNK_SIZE];
    struct DeStateStore_ *next;
} DeStateStore;

/** detection state kept for one direction */
typedef struct DetectEngineStateDirection_ {
    DeStateStore *head;     /**< first chunk of the DeStateStore list */
    DeStateStore *tail;     /**< last chunk of the list (presumably used for appending) */
    SigIntId cnt;           /**< number of items stored; presumably counted across all chunks */
    uint16_t filestore_cnt; /**< meaning not defined in this header -- see the .c */
    uint8_t flags;          /**< DETECT_ENGINE_STATE_FLAG_* bits */
    /* coccinelle: DetectEngineStateDirection:flags:DETECT_ENGINE_STATE_FLAG_ */
} DetectEngineStateDirection;

/** detection state for both directions.  Which index is which direction
 *  is not defined here; look at the users of dir_state in the .c. */
typedef struct DetectEngineState_ {
    DetectEngineStateDirection dir_state[2];
} DetectEngineState;

// TODO
/** per-transaction context, presumably built once per tx by the detection
 *  run.  Several members are const, so an instance has to be fully
 *  initialised where it is created (e.g. with a compound literal) and
 *  cannot be assigned to afterwards. */
typedef struct DetectTransaction_ {
    void *tx_ptr;                   /**< app-layer tx (opaque to this header) */
    const uint64_t tx_id;           /**< id of the tx within the flow */
    struct AppLayerTxData *tx_data_ptr; /**< app-layer side data of the tx */
    DetectEngineStateDirection *de_state; /**< state for the direction being inspected */
    const uint64_t detect_flags;    /* detect flags get/set from/to applayer */
    uint64_t prefilter_flags;       /* prefilter flags for direction, to be updated by prefilter code */
    const uint64_t prefilter_flags_orig; /* prefilter flags for direction, before prefilter has run */
    const int tx_progress;          /**< app-layer progress of the tx (presumably a parser-defined value) */
    const int tx_end_state;         /**< progress value at which the tx is considered done (presumably) */
} DetectTransaction;

/**
 * \brief Alloc a DetectEngineState object.
 *
 * \retval Alloc'd instance of DetectEngineState.  Presumably NULL when the
 *         allocation fails -- verify in the implementation; callers must
 *         check before dereferencing.
 */
DetectEngineState *DetectEngineStateAlloc(void);

/**
 * \brief Frees a DetectEngineState object.
 *
 * \param state DetectEngineState instance to free.
 */
void DetectEngineStateFree(DetectEngineState *state);

/**
 * \brief Update the inspect id.
 *
 * \param f unlocked flow
 * \param flags direction and disruption flags
 * \param tag_txs_as_inspected presumably marks the txs covered by the
 *        update as inspected -- confirm against the implementation
 */
void DeStateUpdateInspectTransactionId(Flow *f, const uint8_t flags,
        const bool tag_txs_as_inspected);

/**
 * \brief Reset the per-tx detection state kept on a flow.
 *
 * \param f flow whose tx state is reset; locking expectations are not
 *          stated here -- check the implementation
 */
void DetectEngineStateResetTxs(Flow *f);

/** \brief Register the unit tests of this module. */
void DeStateRegisterTests(void);


/**
 * \brief Store the inspection state of signature \a s for one tx.
 *
 * \param sgh signature group head the signature belongs to
 * \param f flow owning the tx
 * \param tx app-layer tx (opaque here)
 * \param tx_id id of \a tx within the flow
 * \param s signature whose state is stored
 * \param inspect_flags inspection result flags, presumably DE_STATE_FLAG_*
 * \param flow_flags direction flags
 * \param file_no_match file no-match counter (semantics defined in the .c)
 */
void DetectRunStoreStateTx(
        const SigGroupHead *sgh,
        Flow *f, void *tx, uint64_t tx_id,
        const Signature *s,
        uint32_t inspect_flags, uint8_t flow_flags,
        const uint16_t file_no_match);

/**
 * \brief Variant of DetectRunStoreStateTx() for the file-only case:
 *        no signature and no inspect flags are passed.
 *
 * \param sgh signature group head
 * \param f flow owning the tx
 * \param tx app-layer tx (opaque here)
 * \param tx_id id of \a tx within the flow
 * \param flow_flags direction flags
 * \param file_no_match file no-match counter (semantics defined in the .c)
 */
void DetectRunStoreStateTxFileOnly(
        const SigGroupHead *sgh,
        Flow *f, void *tx, uint64_t tx_id,
        const uint8_t flow_flags,
        const uint16_t file_no_match);

#endif /* __DETECT_ENGINE_STATE_H__ */

/**
 * @}
 */