1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup sigstate
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \brief Data structures and function prototypes for keeping
28  *        state for the detection engine.
29  *
30  * \author Victor Julien <victor@inliniac.net>
31  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
32  */
33 
34 
35 #ifndef __DETECT_ENGINE_STATE_H__
36 #define __DETECT_ENGINE_STATE_H__
37 
/* Result codes for signature inspection. These are plain small integers
 * (compared for equality), not bit flags. */
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH 0
#define DETECT_ENGINE_INSPECT_SIG_MATCH 1
/** presumably: the sig cannot match this tx at all, so it need not be
 *  re-inspected (name only -- confirm against the implementation) */
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH 2
/** indicate that the file inspection portion of a sig didn't match.
 *  This is used to handle state keeping as the detect engine is still
 *  only marginally aware of files. */
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES 3
/** hack to work around a file inspection limitation. Since there can be
 *  multiple files in a TX and the detection engine really doesn't know
 *  about that, we have to give the file inspection engine a way to
 *  indicate that one of the files matched, but that there are still
 *  more files that have ongoing inspection. */
#define DETECT_ENGINE_INSPECT_SIG_MATCH_MORE_FILES 4

/** number of DeStateStoreItem's in one DeStateStore object. This is the
 *  bound of DeStateStore::store, so any per-chunk index must stay below it. */
#define DE_STATE_CHUNK_SIZE             15

/* per sig flags, kept in DeStateStoreItem::flags (uint32_t).
 * BIT_U32()/BIT_U8() are defined outside this header. */
#define DE_STATE_FLAG_FULL_INSPECT              BIT_U32(0)
#define DE_STATE_FLAG_SIG_CANT_MATCH            BIT_U32(1)
/* flag set if file inspecting sig did not match, but might need to be
 * re-evaluated for a new file in a tx. The bit position is kept as a
 * separate numeric ID, presumably so it can be used both as a position
 * and, via BIT_U32(), as a mask. */
#define DE_STATE_ID_FILE_INSPECT                2UL
#define DE_STATE_FLAG_FILE_INSPECT              BIT_U32(DE_STATE_ID_FILE_INSPECT)

/* first bit position after the built-ins. Assuming BIT_U32(n) selects bit n,
 * the three flags above occupy bits 0..2, so this value must be raised if
 * another built-in flag is added. */
#define DE_STATE_FLAG_BASE                      3UL

/* state flags, kept in DetectEngineStateDirection::flags (uint8_t, so at
 * most 8 such flags fit).
 *
 * Used by app-layer-parsers to notify us that new files
 * are available in the tx.
 */
#define DETECT_ENGINE_STATE_FLAG_FILE_NEW       BIT_U8(0)
72 
/* Per-signature state entry: the sig's internal id plus its
 * DE_STATE_FLAG_* bits. */
typedef struct DeStateStoreItem_ {
    uint32_t flags;     /* DE_STATE_FLAG_* bits for this sig */
    SigIntId sid;       /* internal signature id (SigIntId is defined outside this header) */
} DeStateStoreItem;
77 
/* One fixed-size chunk of stored per-sig state. Chunks hold
 * DE_STATE_CHUNK_SIZE items each and are chained through `next` into a
 * singly linked list owned by a DetectEngineStateDirection. */
typedef struct DeStateStore_ {
    DeStateStoreItem store[DE_STATE_CHUNK_SIZE];    /* entries; how many are in use is tracked by the owner */
    struct DeStateStore_ *next;                     /* next chunk, or NULL at the end of the list */
} DeStateStore;
82 
/* Detection state for one direction of a flow: a linked list of
 * DeStateStore chunks plus counters and flags. Embedded in
 * DetectEngineState, one per direction. */
typedef struct DetectEngineStateDirection_ {
    DeStateStore *head;     /* first chunk of the list (presumably NULL when nothing is stored -- confirm) */
    DeStateStore *tail;     /* last chunk, presumably so appends need not walk the list */
    SigIntId cnt;           /* number of DeStateStoreItem's stored across the chunks (presumably; confirm) */
    uint16_t filestore_cnt; /* count related to file inspection; exact meaning not visible here -- confirm */
    uint8_t flags;          /* DETECT_ENGINE_STATE_FLAG_* bits */
    /* coccinelle: DetectEngineStateDirection:flags:DETECT_ENGINE_STATE_FLAG_ */
} DetectEngineStateDirection;
91 
/* Detection engine state for a flow: one DetectEngineStateDirection per
 * direction. Which index corresponds to which direction is not visible
 * from this header (presumably derived from the flow direction flag;
 * confirm against the implementation). Created with
 * DetectEngineStateAlloc() and released with DetectEngineStateFree(). */
typedef struct DetectEngineState_ {
    DetectEngineStateDirection dir_state[2];    /* per-direction state */
} DetectEngineState;
95 
/* TODO: marker carried over from the original; its intent was not recorded.
 *
 * Per-transaction view handed to a detection run. The const members are
 * fixed when the object is initialized (designated initializer / compound
 * literal) and cannot be assigned afterwards; of the mutable members,
 * prefilter_flags is the one explicitly documented as being updated during
 * the run. */
typedef struct DetectTransaction_ {
    void *tx_ptr;                           /* app-layer transaction, opaque to this header */
    const uint64_t tx_id;                   /* id of the transaction; fixed at creation */
    struct AppLayerTxData *tx_data_ptr;     /* per-tx app-layer data; struct defined outside this header */
    DetectEngineStateDirection *de_state;   /* detect state for this tx's direction (presumably may be NULL -- confirm) */
    const uint64_t detect_flags;            /* detect flags get/set from/to applayer */
    uint64_t prefilter_flags;               /* prefilter flags for direction, to be updated by prefilter code */
    const uint64_t prefilter_flags_orig;    /* prefilter flags for direction, before prefilter has run */
    const int tx_progress;                  /* presumably the tx's app-layer progress at the time of this run -- confirm */
    const int tx_end_state;                 /* presumably the progress value at which the tx counts as complete -- confirm */
} DetectTransaction;
108 
/**
 * \brief Alloc a DetectEngineState object.
 *
 * \retval Alloc'd instance of DetectEngineState. Ownership passes to the
 *         caller, who releases it with DetectEngineStateFree(). Callers
 *         should check the result for NULL; the behaviour on allocation
 *         failure is not visible from this header -- confirm in the
 *         implementation.
 */
DetectEngineState *DetectEngineStateAlloc(void);

/**
 * \brief Frees a DetectEngineState object.
 *
 * \param state DetectEngineState instance to free.
 */
void DetectEngineStateFree(DetectEngineState *state);

/**
 *  \brief Update the inspect id.
 *
 *  \param f unlocked flow
 *  \param flags direction and disruption flags
 *  \param tag_txs_as_inspected presumably whether the txs covered by the
 *         update are also marked as inspected; name only, confirm against
 *         the implementation
 */
void DeStateUpdateInspectTransactionId(Flow *f, const uint8_t flags,
        const bool tag_txs_as_inspected);

/**
 *  \brief Reset the per-tx detection state kept for a flow.
 *
 *  NOTE(review): described from the name only; confirm against the
 *  implementation.
 *
 *  \param f flow whose tx state is reset
 */
void DetectEngineStateResetTxs(Flow *f);

/** \brief Register this module's unit tests (presumably with the
 *  project's unittest runner; not visible from this header). */
void DeStateRegisterTests(void);


/**
 *  \brief Store detection state for a signature against a transaction.
 *
 *  \param sgh signature group head the sig belongs to
 *  \param f flow the tx belongs to
 *  \param tx opaque app-layer transaction
 *  \param tx_id id of \a tx
 *  \param s signature whose state is stored
 *  \param inspect_flags per sig state flags; same width as
 *         DeStateStoreItem::flags, presumably DE_STATE_FLAG_* values
 *  \param flow_flags flow flags, presumably direction (compare \a flags of
 *         DeStateUpdateInspectTransactionId)
 *  \param file_no_match presumably a file-inspection related count (same
 *         width as DetectEngineStateDirection::filestore_cnt); confirm
 *         against the implementation
 */
void DetectRunStoreStateTx(
        const SigGroupHead *sgh,
        Flow *f, void *tx, uint64_t tx_id,
        const Signature *s,
        uint32_t inspect_flags, uint8_t flow_flags,
        const uint16_t file_no_match);

/**
 *  \brief File-only variant of DetectRunStoreStateTx(): same flow/tx
 *         arguments, but no signature and no inspect flags.
 *
 *  \param sgh signature group head
 *  \param f flow the tx belongs to
 *  \param tx opaque app-layer transaction
 *  \param tx_id id of \a tx
 *  \param flow_flags flow flags, presumably direction
 *  \param file_no_match presumably a file-inspection related count; see
 *         DetectRunStoreStateTx()
 */
void DetectRunStoreStateTxFileOnly(
        const SigGroupHead *sgh,
        Flow *f, void *tx, uint64_t tx_id,
        const uint8_t flow_flags,
        const uint16_t file_no_match);
149 
150 #endif /* __DETECT_ENGINE_STATE_H__ */
151 
152 /**
153  * @}
154  */
155