1 /*
2 **
3 ** Copyright (C) 2008-2013 Ian Firns (SecurixLive) <dev@securixlive.com>
4 **
5 ** This program is free software; you can redistribute it and/or modify
6 ** it under the terms of the GNU General Public License Version 2 as
7 ** published by the Free Software Foundation.  You may not use, modify or
8 ** distribute this program under any other version of the GNU General
9 ** Public License.
10 **
11 ** This program is distributed in the hope that it will be useful,
12 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
13 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14 ** GNU General Public License for more details.
15 **
16 ** You should have received a copy of the GNU General Public License
17 ** along with this program; if not, write to the Free Software
18 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19 **
20 **
21 */
22 
23 /*
24 ** Description:
25 **   In memory linked list structures of sid-msg.map, gen-msg.map and
26 ** classification.config
27 **
28 ** Author(s):
29 **   firnsy <firnsy@securixlive.com>
30 **   SecurixLive.com Team <dev@securixlive.com>
31 **
32 ** Comments:
33 **   Ideas stolen liberally from:
34 **     1. the original barnyard (A. Baker, M. Roesch)
35 **
36 */
37 
/* Include guard.  NOTE(review): identifiers that begin with a double
** underscore are reserved for the implementation (C11 7.1.3); a project
** prefixed name such as BARNYARD2_MAP_H would avoid that reservation. */
#ifndef __MAP_H__
#define __MAP_H__
40 
41 #ifdef HAVE_CONFIG_H
42 #include "config.h"
43 #endif
44 
45 #include <stdio.h>
46 #include <sys/types.h>
47 #include "sf_types.h"
48 
/* URL prefixes for the known reference systems.  The reference id is
** presumably appended to the matching head when a link is rendered (see
** map.c / the output plugins) — confirm there.  All of them are plain
** http:// and point at third-party hosts, so a rendered link is an
** unauthenticated pointer, not a verified source. */
#define BUGTRAQ_URL_HEAD   "http://www.securityfocus.com/bid/"
#define CVE_URL_HEAD       "http://cve.mitre.org/cgi-bin/cvename.cgi?name="
#define ARACHNIDS_URL_HEAD "http://www.whitehats.com/info/IDS"
#define MCAFEE_URL_HEAD    "http://vil.nai.com/vil/content/v_"
#define URL_HEAD           "http://"
#define NESSUS_URL_HEAD	   "http://cgi.nessus.org/plugins/dump.php3?id="

/* Size of the fixed work/line buffer; presumably what the map-file parsers
** read each line into — TODO confirm in map.c.  Any read or format into a
** buffer of this size has to be bounded (fgets/snprintf), since map files
** are external input. */
#define BUFFER_SIZE  1024


/* Origin of a parsed SigNode (stored in SigNode.source_file).  The values
** are distinct powers of two, so they look intended to be OR-able bit
** flags — confirm in map.c before combining them. */
#define SOURCE_SID_MSG     0x0001
#define SOURCE_GEN_MSG     0x0002
#define SOURCE_GEN_RUNTIME 0x0004
62 
63 struct _Barnyard2Config;
64 
65 /* this contains a list of the URLs for various reference systems */
/* this contains a list of the URLs for various reference systems */
/* One entry of the singly linked reference-system list: a system name
** (e.g. "bugtraq") and the URL head used for it.  Built by
** ReferenceSystemAdd, searched by ReferenceSystemLookup and released by
** FreeReferences.  Whether `name`/`url` are owned copies or borrowed
** pointers is not stated here — check map.c before freeing them. */
typedef struct _ReferenceSystemNode
{
    char *name;                         /* reference system name */
    char *url;                          /* URL head for this system */
    struct _ReferenceSystemNode *next;  /* next node, NULL at end of list */

} ReferenceSystemNode;
73 
/* One reference attached to a signature (SigNode.refs): the id within a
** reference system plus a pointer to that system's node.  `system`
** presumably points into the shared ReferenceSystemNode list rather than
** being owned by this node — confirm in map.c so it is not freed twice.
** Created by AddReference. */
typedef struct _ReferenceNode
{
    char *id;                       /* reference id, as read from the map file */
    ReferenceSystemNode *system;    /* reference system this id belongs to */
    struct _ReferenceNode *next;    /* next reference of the same signature */
} ReferenceNode;
80 
81 
/* One classification (from classification.config), kept in a singly
** linked list.  Looked up by ClassTypeLookupByType / ClassTypeLookupById
** and released by FreeClassifications.  Note that ClassTypeLookupById
** takes an `int` while `id` is uint32_t, so a negative argument cannot
** match any node — keep the conversion in mind at the call sites. */
typedef struct _ClassType
{
    char *type;         /* short classification keyword */
    char *name;		/* "pretty" name */
    uint32_t id;        /* numeric classification id */
    uint32_t priority;  /* priority from the config line */
    struct _ClassType	*next;  /* next classification, NULL at end of list */


} ClassType;
92 
/* One parsed signature entry (sid-msg.map / gen-msg.map), chained through
** `next`; nodes are created by CreateSigNode, found by GetSigByGidSid and
** released by FreeSigNodes.  The text fields (msg, classLiteral) and the
** refs list carry content read from the map files, i.e. external input:
** format them as data ("%s"), never pass them as a format string. */
typedef struct _SigNode
{
    struct _SigNode		*next;
    uint32_t			generator;	/* generator ID */
    uint32_t			id;		/* Snort ID */
    uint32_t			rev;		/* revision (for future expansion) */
    uint32_t			class_id;       /* presumably matches ClassType.id — confirm in map.c */
    uint32_t			priority;
    u_int8_t                    source_file;     /* where was it parsed from: a SOURCE_* value */
    char                        *classLiteral;  /* sid-msg.map v2 type only */
    char			*msg;		/* messages */
    ReferenceNode		*refs;		/* references (eg bugtraq) */

} SigNode;
107 
108 
/* Values for SigSuppress_list.ss_type: one exact id, or an inclusive
** [ss_min, ss_max] range. */
#define SS_SINGLE 0x0001
#define SS_RANGE  0x0002
111 
/* One signature-suppression entry, chained through `next` and released by
** FreeSigSuppression.  gid / ss_min / ss_max are `unsigned long` whereas
** SigNode.generator / SigNode.id are uint32_t; on LP64 the suppression
** fields are wider, so any comparison between the two should be done
** deliberately (values above UINT32_MAX can never match a SigNode). */
typedef struct _SigSuppress_list
{
    u_int8_t  ss_type;  /* Single or Range */
    u_int8_t  flag;     /* Flagged for deletion */
    unsigned long gid;  /* Generator id */
    unsigned long ss_min; /* VAL for SS_SINGLE, MIN VAL for RANGE */
    unsigned long ss_max; /* VAL for SS_SINGLE, MAX VAL for RANGE */
    struct _SigSuppress_list *next;  /* next entry, NULL at end of list */
} SigSuppress_list;
121 
122 
123 
/* Reference systems and references.
** Parameter names below are documentation only; bodies live in map.c. */

/* Add a reference system (`name` -> `url`) to the list at `head`; returns the
** node.  Presumably appends/inserts and copies the strings — confirm in map.c. */
ReferenceSystemNode *ReferenceSystemAdd(ReferenceSystemNode **head, char *name, char *url);

/* Find the reference system called `name` in `head`; NULL if absent (assumed). */
ReferenceSystemNode *ReferenceSystemLookup(ReferenceSystemNode *head, char *name);

/* Attach a reference (`system`, `id`) to the list at `head`, resolving the
** system name through the config's reference-system list; returns the node. */
ReferenceNode *AddReference(struct _Barnyard2Config *bc, ReferenceNode **head, char *system, char *id);

/* Signatures. */

/* Look up the signature for (gid, sid, rev); returns NULL when unknown (assumed). */
SigNode *GetSigByGidSid(uint32_t gid, uint32_t sid, uint32_t rev);

/* Allocate a fresh node on the list at `head`, tagging it with a SOURCE_* value. */
SigNode *CreateSigNode(SigNode **head, u_int8_t source_file);

/* Classifications. */

/* Find a classification by its short keyword. */
ClassType *ClassTypeLookupByType(struct _Barnyard2Config *bc, char *type);

/* Find a classification by numeric id.  Takes an int although ClassType.id
** is uint32_t, so negative values cannot match. */
ClassType *ClassTypeLookupById(struct _Barnyard2Config *bc, int id);

/* File readers.  The files are external input: each returns an int status
** (0 on success is assumed — confirm in map.c) and must bound all reads. */
int ReadReferenceFile(struct _Barnyard2Config *bc, const char *file);
int ReadClassificationFile(struct _Barnyard2Config *bc);
int ReadSidFile(struct _Barnyard2Config *bc);
int ReadGenFile(struct _Barnyard2Config *bc);

/* Resolve `sig`'s classification against the list `class_list`; the file
** names are presumably only used for diagnostics — confirm in map.c.  The
** original parameter was spelled `class`, which is a C++ keyword and would
** break inclusion from C++ translation units. */
int SignatureResolveClassification(ClassType *class_list, SigNode *sig, char *sid_map_file, char *classification_file);

/* Tear down the config-owned reference-system and reference lists. */
void DeleteReferenceSystems(struct _Barnyard2Config *bc);
void DeleteReferences(struct _Barnyard2Config *bc);

/* Config / map-line parsers.  They take a mutable `char *`, so the line is
** presumably tokenised in place (strtok-style) — do not pass string literals. */
void ParseReferenceSystemConfig(struct _Barnyard2Config *bc, char *args);
void ParseClassificationConfig(struct _Barnyard2Config *bc, char *args);
void ParseSidMapLine(struct _Barnyard2Config *bc, char *line);
void ParseGenMapLine(char *line);

/* Destructors: each walks the list at `head`, frees every node and is
** expected to leave *head NULL — confirm in map.c. */
void FreeSigNodes(SigNode **head);
void FreeClassifications(ClassType **head);
void FreeReferences(ReferenceSystemNode **head);
void FreeSigSuppression(SigSuppress_list **head);
153 
154 
155 #endif  /* __MAP_H__ */
156