1 /* 2 ** Copyright (C) 2002-2009 Sourcefire, Inc. 3 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> 4 ** 5 ** This program is free software; you can redistribute it and/or modify 6 ** it under the terms of the GNU General Public License Version 2 as 7 ** published by the Free Software Foundation. You may not use, modify or 8 ** distribute this program under any other version of the GNU General 9 ** Public License. 10 ** 11 ** This program is distributed in the hope that it will be useful, 12 ** but WITHOUT ANY WARRANTY; without even the implied warranty of 13 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 ** GNU General Public License for more details. 15 ** 16 ** You should have received a copy of the GNU General Public License 17 ** along with this program; if not, write to the Free Software 18 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 19 */ 20 21 /* $Id$ */ 22 #ifndef __RULES_H__ 23 #define __RULES_H__ 24 25 26 #ifdef HAVE_CONFIG_H 27 #include "config.h" 28 #endif 29 30 #include "decode.h" 31 #include "plugbase.h" 32 #include "sf_types.h" 33 34 #define EXCEPT_SRC_IP 0x01 35 #define EXCEPT_DST_IP 0x02 36 #define ANY_SRC_PORT 0x04 37 #define ANY_DST_PORT 0x08 38 #define ANY_FLAGS 0x10 39 #define EXCEPT_SRC_PORT 0x20 40 #define EXCEPT_DST_PORT 0x40 41 #define BIDIRECTIONAL 0x80 42 #define ANY_SRC_IP 0x100 43 #define ANY_DST_IP 0x200 44 45 #define EXCEPT_IP 0x01 46 47 #define R_FIN 0x01 48 #define R_SYN 0x02 49 #define R_RST 0x04 50 #define R_PSH 0x08 51 #define R_ACK 0x10 52 #define R_URG 0x20 53 #define R_RES2 0x40 54 #define R_RES1 0x80 55 56 #define MODE_EXIT_ON_MATCH 0 57 #define MODE_FULL_SEARCH 1 58 59 #define CHECK_SRC_IP 0x01 60 #define CHECK_DST_IP 0x02 61 #define INVERSE 0x04 62 #define CHECK_SRC_PORT 0x08 63 #define CHECK_DST_PORT 0x10 64 65 #define SESSION_PRINTABLE 1 66 #define SESSION_ALL 2 67 68 #define RESP_RST_SND 0x01 69 #define RESP_RST_RCV 0x02 70 #define RESP_BAD_NET 0x04 71 #define RESP_BAD_HOST 0x08 72 #define RESP_BAD_PORT 0x10 73 74 #define MODE_EXIT_ON_MATCH 0 75 #define MODE_FULL_SEARCH 1 76 77 #define SRC 0 78 #define DST 1 79 80 #ifndef PARSERULE_SIZE 81 #define PARSERULE_SIZE 65535 82 #endif 83 84 /* D A T A S T R U C T U R E S *********************************************/ 85 /* I'm forward declaring the rules structures so that the function 86 pointer lists can reference them internally */ 87 88 struct _OptTreeNode; /* forward declaration of OTN data struct */ 89 struct _RuleTreeNode; /* forward declaration of RTN data struct */ 90 struct _ListHead; /* forward decleartion of ListHead data struct */ 91 92 typedef enum _RuleType 93 { 94 RULE_TYPE__NONE = 0, 95 RULE_TYPE__ACTIVATE, 96 RULE_TYPE__ALERT, 97 RULE_TYPE__DROP, 98 RULE_TYPE__DYNAMIC, 99 RULE_TYPE__LOG, 100 RULE_TYPE__PASS, 101 #ifdef GIDS 102 RULE_TYPE__REJECT, 103 RULE_TYPE__SDROP, 104 #endif 105 RULE_TYPE__MAX 106 107 } RuleType; 108 109 /* function pointer list for rule head nodes */ 110 typedef struct _RuleFpList 111 { 112 /* context data for this test */ 113 void *context; 114 115 /* rule check function pointer */ 116 int (*RuleHeadFunc)(Packet *, struct _RuleTreeNode *, struct _RuleFpList *, int); 117 118 /* pointer to the next rule function node */ 119 struct _RuleFpList *next; 120 } RuleFpList; 121 122 /* same as the rule header FP list */ 123 typedef struct _OptFpList 124 { 125 /* context data for this test */ 126 void *context; 127 128 int (*OptTestFunc)(void *option_data, Packet *p); 129 130 struct _OptFpList *next; 131 132 unsigned char isRelative; 133 // firnsy 134 // required for detection-plugins 135 //option_type_t type; 136 137 } OptFpList; 138 139 typedef struct _RspFpList 140 { 141 int (*func)(Packet *, struct _RspFpList *); 142 void *params; /* params for the plugin.. type defined by plugin */ 143 struct _RspFpList *next; 144 } RspFpList; 145 146 147 148 typedef struct _TagData 149 { 150 int tag_type; /* tag type (session/host) */ 151 int tag_seconds; /* number of "seconds" units to tag for */ 152 int tag_packets; /* number of "packets" units to tag for */ 153 int tag_bytes; /* number of "type" units to tag for */ 154 int tag_metric; /* (packets | seconds | bytes) units */ 155 int tag_direction; /* source or dest, used for host tagging */ 156 } TagData; 157 158 159 typedef struct _OptTreeNode 160 { 161 /* plugin/detection functions go here */ 162 OptFpList *opt_func; 163 RspFpList *rsp_func; /* response functions */ 164 OutputFuncNode *outputFuncs; /* per sid enabled output functions */ 165 166 /* the ds_list is absolutely essential for the plugin system to work, 167 it allows the plugin authors to associate "dynamic" data structures 168 with the rule system, letting them link anything they can come up 169 with to the rules list */ 170 // void *ds_list[PLUGIN_MAX]; /* list of plugin data struct pointers */ 171 172 int chain_node_number; 173 174 int evalIndex; /* where this rule sits in the evaluation sets */ 175 176 int proto; /* protocol, added for integrity checks 177 during rule parsing */ 178 179 int session_flag; /* record session data */ 180 181 char *logto; /* log file in which to write packets which 182 match this rule*/ 183 /* metadata about signature */ 184 // SigInfo sigInfo; 185 186 uint8_t stateless; /* this rule can fire regardless of session state */ 187 uint8_t established; /* this rule can only fire if it is established */ 188 uint8_t unestablished; 189 190 // Event event_data; 191 192 // void* detection_filter; /* if present, evaluated last, after header checks */ 193 TagData *tag; 194 195 /* stuff for dynamic rules activation/deactivation */ 196 int active_flag; 197 int activation_counter; 198 int countdown; 199 int activates; 200 int activated_by; 201 202 struct _OptTreeNode *OTN_activation_ptr; 203 struct _RuleTreeNode *RTN_activation_ptr; 204 205 struct _OptTreeNode *next; 206 207 struct _OptTreeNode *nextSoid; 208 209 /* ptr to list of RTNs (head part) */ 210 struct _RuleTreeNode **proto_nodes; 211 212 /**number of proto_nodes. */ 213 unsigned short proto_node_num; 214 215 uint8_t failedCheckBits; 216 217 int rule_state; /* Enabled or Disabled */ 218 219 #ifdef PERF_PROFILING 220 uint64_t ticks; 221 uint64_t ticks_match; 222 uint64_t ticks_no_match; 223 uint64_t checks; 224 uint64_t matches; 225 uint64_t alerts; 226 uint8_t noalerts; 227 #endif 228 229 int pcre_flag; /* PPM */ 230 uint64_t ppm_suspend_time; /* PPM */ 231 uint64_t ppm_disable_cnt; /*PPM */ 232 233 char generated; 234 uint32_t num_detection_opts; 235 236 /**unique index generated in ruleIndexMap. 237 */ 238 int ruleIndex; 239 240 } OptTreeNode; 241 242 243 typedef struct _ActivateListNode 244 { 245 int activated_by; 246 struct _ActivateListNode *next; 247 248 } ActivateListNode; 249 250 251 #if 0 /* RELOCATED to parser/IpAddrSet.h */ 252 typedef struct _IpAddrSet 253 { 254 uint32_t ip_addr; /* IP addr */ 255 uint32_t netmask; /* netmask */ 256 uint8_t addr_flags; /* flag for normal/exception processing */ 257 258 struct _IpAddrSet *next; 259 } IpAddrSet; 260 #endif /* RELOCATED to parser/IpAddrSet.h */ 261 262 typedef struct _RuleTreeNode 263 { 264 RuleFpList *rule_func; /* match functions.. (Bidirectional etc.. ) */ 265 266 int head_node_number; 267 268 RuleType type; 269 270 // IpAddrSet *sip; 271 // IpAddrSet *dip; 272 273 //PORTLISTS used for debugging. 274 int proto; 275 276 #ifdef PORTLISTS 277 PortObject * src_portobject; 278 PortObject * dst_portobject; 279 #else 280 int not_sp_flag; /* not source port flag */ 281 282 uint16_t hsp; /* hi src port */ 283 uint16_t lsp; /* lo src port */ 284 285 int not_dp_flag; /* not dest port flag */ 286 287 uint16_t hdp; /* hi dest port */ 288 uint16_t ldp; /* lo dest port */ 289 #endif 290 291 uint32_t flags; /* control flags */ 292 293 /* stuff for dynamic rules activation/deactivation */ 294 int active_flag; 295 int activation_counter; 296 int countdown; 297 ActivateListNode *activate_list; 298 299 #if 0 300 struct _RuleTreeNode *right; /* ptr to the next RTN in the list */ 301 302 /** list of rule options to associate with this rule node */ 303 OptTreeNode *down; 304 #endif 305 306 /**points to global parent RTN list (Drop/Alert) which contains this 307 * RTN. 308 */ 309 struct _ListHead *listhead; 310 311 /**reference count from otn. Multiple OTNs can reference this RTN with the same 312 * policy. 313 */ 314 unsigned int otnRefCount; 315 316 } RuleTreeNode; 317 318 struct _RuleListNode; 319 320 typedef struct _ListHead 321 { 322 struct _OutputFuncNode *LogList; 323 struct _OutputFuncNode *AlertList; 324 struct _RuleListNode *ruleListNode; 325 } ListHead; 326 327 typedef struct _RuleListNode 328 { 329 ListHead *RuleList; /* The rule list associated with this node */ 330 RuleType mode; /* the rule mode */ 331 int rval; /* 0 == no detection, 1 == detection event */ 332 int evalIndex; /* eval index for this rule set */ 333 char *name; /* name of this rule list (for debugging) */ 334 struct _RuleListNode *next; /* the next RuleListNode */ 335 } RuleListNode; 336 337 typedef struct _RuleState 338 { 339 uint32_t sid; 340 uint32_t gid; 341 int state; 342 RuleType action; 343 struct _RuleState *next; 344 345 } RuleState; 346 347 #endif /* __RULES_H__ */ 348