1 /*
2  * VRT RULES
3  *
4  * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
5  * Copyright (C) 2005-2013 Sourcefire, Inc.
6  *
7  * This file is autogenerated via rules2c, by Brian Caswell <bmc@sourcefire.com>
8  */
9 
10 
11 #ifdef HAVE_CONFIG_H
12 #include "config.h"
13 #endif
14 
15 #include "sf_snort_plugin_api.h"
16 #include "sf_snort_packet.h"
17 
18 
19 /* declare detection functions */
/*
 * Custom detection callback for sid 637 (defined at the end of this file).
 * Note: the Rule structure below passes NULL as its eval pointer, so the
 * library's built-in evaluation path is used and this function is only
 * reached if that slot is re-pointed at it.
 */
int rule637eval(void *p);
21 
22 /* declare rule data structures */
23 /* precompile the stuff that needs pre-compiled */
24 // content:"|0A|help|0A|quite|0A|";
/*
 * The single content option of sid 637.  The pattern is kept in Snort
 * content syntax (|0A| is a hex-escaped 0x0A byte), i.e. the bytes looked
 * for are "\nhelp\nquite\n"; the byteform/length slots below are left empty
 * here and are presumably filled in by the engine when the rule is
 * registered — verify against the plugin API before relying on that.
 */
static ContentInfo rule637content0 =
{
    (u_int8_t *)("|0A|help|0A|quite|0A|"), /* pattern (now in snort content format) */
    0, /* depth: 0 = no limit on how far into the buffer to search */
    0, /* offset: start searching at the beginning of the buffer */
    CONTENT_BUF_NORMALIZED, /* flags: match against the normalized buffer */ // XXX - need to add CONTENT_FAST_PATTERN support
    NULL, /* holder for boyer/moore PTR */
    NULL, /* more holder info - byteform (decoded pattern) */
    0, /* byteform length */
    0, /* increment length*/
    0,                      /* holder for fp offset */
    0,                      /* holder for fp length */
    0,                      /* holder for fp only */
    NULL, // offset_refId
    NULL, // depth_refId
    NULL, // offset_location
    NULL  // depth_location
};
43 
/* Wraps rule637content0 as the first (and only) option of the rule. */
static RuleOption rule637option0 =
{
    OPTION_TYPE_CONTENT, /* option type: content match */
    { &rule637content0 } /* option_u.content */
};
49 
50 /* references for sid 637 */
51 /* reference: arachnids "308"; */
/* External reference for sid 637: arachnids IDS signature 308. */
static RuleReference rule637ref1 =
{
    "arachnids", /* type */
    "308" /* value */
};
57 
/* NULL-terminated list of references attached to the rule metadata. */
static RuleReference *rule637refs[] =
{
    &rule637ref1,
    NULL
};
/*
 * NULL-terminated option list of sid 637.  Not static: it is referenced
 * both by the Rule structure below and, by index, from rule637eval().
 */
RuleOption *rule637options[] =
{
    &rule637option0,
    NULL
};
68 
/*
 * Rule descriptor for sid 637 ("SCAN Webtrends Scanner UDP Probe").
 * The eval slot is NULL, so the engine's built-in option walker evaluates
 * rule637options; rule637eval() below is not wired in by this structure.
 */
Rule rule637 = {

   /* rule header, akin to => udp $EXTERNAL_NET any -> $HOME_NET any      */{
       IPPROTO_UDP, /* proto */
       "$EXTERNAL_NET", /* SRCIP     */
       "any", /* SRCPORT   */
       1, /* DIRECTION */
       "$HOME_NET", /* DSTIP     */
       "any", /* DSTPORT   */
   },
   /* metadata */
   {
       3,  /* genid (HARDCODED!!!) -- the generator id used by shared-object rules */
       637, /* sigid */
       3, /* revision */

       "attempted-recon", /* classification */
       0,  /* hardcoded priority XXX NOT PROVIDED BY GRAMMAR YET! */
       "SCAN Webtrends Scanner UDP Probe",     /* message */
       rule637refs, /* ptr to references */
       NULL /* Meta data */
   },
   rule637options, /* ptr to rule options */
   NULL, // &rule637eval, /* use the built in detection function */
   0, /* am I initialized yet? */
   0, /* num options */
   0, /* no alert */
   NULL /* ptr to internal data... setup during rule registration */
};
98 
99 
100 /* detection functions */
/*
 * Detection function for sid 637.
 *
 * p: the packet under inspection (opaque to this file).
 * Returns RULE_MATCH when the single content option of rule637options
 * (content:"|0A|help|0A|quite|0A|") is found in the normalized buffer,
 * RULE_NOMATCH otherwise.  Note that rule637 registers NULL as its eval
 * callback, so this function only runs if that slot is re-pointed at it.
 */
int rule637eval(void *p) {
    const u_int8_t *cursor_normal = 0;
    int hit = contentMatch(p, rule637options[0]->option_u.content, &cursor_normal);

    return (hit > 0) ? RULE_MATCH : RULE_NOMATCH;
}
113 
114