1 /****************************************************************************
2  * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3  * Copyright (C) 2008-2013 Sourcefire, Inc.
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License Version 2 as
7  * published by the Free Software Foundation.  You may not use, modify or
8  * distribute this program under any other version of the GNU General
9  * Public License.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
19  *
20  ****************************************************************************/
21 
22 /* We moved the OptTreeNode and RuleTreeNode here to make them easier to
23    include in dynamic preprocessors. */
24 
25 #ifndef TREENODES_H
26 #define TREENODES_H
27 
28 #include "rules.h"
29 #include "plugin_enum.h"
30 #include "rule_option_types.h"
31 
32 struct _OptTreeNode;      /* forward declaration of the option tree node (OTN) struct defined below */
33 struct _RuleTreeNode;     /* forward declaration of the rule tree node (RTN) struct defined below */
34 
35 /* One node in a singly linked list of rule-option test callbacks; an
      OptTreeNode points at the first node through its opt_func member.
      Same as the rule header FP list, with two extra fields (isRelative, type). */
36 typedef struct _OptFpList
37 {
38     /* context data for this test.  It is an untyped pointer, so the callback
          has to cast it back to whatever type the option stored here.
          NOTE(review): presumably this is the value handed to OptTestFunc as
          option_data -- confirm against the code that walks the list. */
39     void *context;
40 
41     int (*OptTestFunc)(void *option_data, Packet *p);   /* test callback; meaning of the int result is not defined in this header */
42 
43     struct _OptFpList *next;   /* next node in the list */
44 
45     unsigned char isRelative;  /* NOTE(review): presumably nonzero when the option is relative to an earlier match -- confirm */
46     option_type_t type;        /* kind of rule option this node tests */
47 
48 } OptFpList;
49 
/* Option tree node (OTN): the per-rule record that ties together a rule's
   option test functions, response functions, output functions, signature
   metadata, activation state and the list of RTNs it is attached to.

   Layout caveat: the PERF_PROFILING members below sit in the middle of the
   struct, so the offsets of every later member and the struct size depend on
   that macro.  This header exists to be included by dynamic preprocessors;
   any module that shares an OptTreeNode with the core must be built with the
   same PERF_PROFILING setting, otherwise it reads and writes the wrong fields. */
50 typedef struct _OptTreeNode
51 {
52     /* plugin/detection functions go here */
53     OptFpList *opt_func;  /* head of the option test callback list */
54     RspFpList *rsp_func;  /* response functions */
55     OutputFuncNode *outputFuncs; /* per sid enabled output functions */
56 
57     /* the ds_list is absolutely essential for the plugin system to work,
58        it allows the plugin authors to associate "dynamic" data structures
59        with the rule system, letting them link anything they can come up
60        with to the rules list.
          NOTE(review): the slots are untyped and the array is fixed at
          PLUGIN_MAX entries, so whoever indexes it must keep the index below
          PLUGIN_MAX and cast to the type actually stored in that slot; nothing
          in this header enforces either.  Presumably the index is a value from
          plugin_enum.h -- confirm. */
61     void *ds_list[PLUGIN_MAX];   /* list of plugin data struct pointers */
62 
63     int chain_node_number;
64 
65     int evalIndex;       /* where this rule sits in the evaluation sets */
66 
67     int proto;           /* protocol, added for integrity checks
68                             during rule parsing */
69 
70     int session_flag;    /* record session data */
71 
72     char *logto;         /* log file in which to write packets which
73                             match this rule.
                               NOTE(review): who allocates and frees this
                               string, and how the name is validated, is not
                               visible in this header -- check the rule parser. */
74     /* metadata about signature */
75     SigInfo sigInfo;
76 
77     uint8_t stateless;  /* this rule can fire regardless of session state */
78     uint8_t established; /* this rule can only fire if it is established */
79     uint8_t unestablished; /* NOTE(review): presumably the counterpart of established (fire only when not established) -- confirm */
80 
81     Event event_data;
82 
83     void* detection_filter; /* if present, evaluated last, after header checks; untyped, concrete type is not shown here */
84     TagData *tag;
85 
86     /* stuff for dynamic rules activation/deactivation */
87     int active_flag;
88     int activation_counter;
89     int countdown;
90     int activates;
91     int activated_by;
92 
    /* NOTE(review): presumably the OTN/RTN involved in the activation
       relationship recorded above -- confirm against the activation code */
93     struct _OptTreeNode *OTN_activation_ptr;
94     struct _RuleTreeNode *RTN_activation_ptr;
95 
96     struct _OptTreeNode *next;      /* next OTN in a list */
97 
98     struct _OptTreeNode *nextSoid;  /* second OTN link; which list it threads is not shown in this header */
99 
100     /* ptr to list of RTNs (head part); array of RuleTreeNode pointers
           whose element count is kept separately in proto_node_num */
101     struct _RuleTreeNode **proto_nodes;
102 
103     /* number of proto_nodes.  Any index into proto_nodes must be checked
           against this value; the 16-bit type caps the count at 65535. */
104     unsigned short proto_node_num;
105 
106     uint8_t failedCheckBits;
107     char generated;
108 
109     uint16_t longestPatternLen;
110 
111     int rule_state; /* Enabled or Disabled */
112 
    /* Profiling counters, compiled in only with PERF_PROFILING; they shift
       the offsets of all members that follow (see the caveat at the top). */
113 #ifdef PERF_PROFILING
114     uint64_t ticks;
115     uint64_t ticks_match;
116     uint64_t ticks_no_match;
117     uint64_t checks;
118     uint64_t matches;
119     uint64_t alerts;
120     uint8_t noalerts;
121 #endif
122 
123     int pcre_flag; /* PPM */
124     uint64_t ppm_suspend_time; /* PPM */
125     uint64_t ppm_disable_cnt; /* PPM */
126 
127     uint32_t num_detection_opts;
128 
129     /* unique index generated in ruleIndexMap.
130      */
131     int ruleIndex;
132 
133     /* List of preprocessor registered fast pattern contents (untyped;
           element type is not shown in this header) */
134     void *preproc_fp_list;
135 
136 } OptTreeNode;
137 
138 /* function pointer list for rule head nodes: one node per rule-header check,
       chained through next; a RuleTreeNode points at the first node through
       its rule_func member */
139 typedef struct _RuleFpList
140 {
141     /* context data for this test; untyped, so the check function has to
           know which type was stored here */
142     void *context;
143 
144     /* rule check function pointer.  It receives the packet, the owning RTN
           and a RuleFpList node; the parameters are unnamed, so the meaning of
           the trailing int and of the return value is not defined in this header. */
145     int (*RuleHeadFunc)(Packet *, struct _RuleTreeNode *, struct _RuleFpList *, int);
146 
147     /* pointer to the next rule function node */
148     struct _RuleFpList *next;
149 } RuleFpList;
150 
/* Rule tree node (RTN): the rule-header part of a rule (rule type, protocol,
   address sets, port objects, control flags) plus the list of header check
   functions.  One RTN can be shared by several OTNs; otnRefCount counts them. */
151 typedef struct _RuleTreeNode
152 {
153     RuleFpList *rule_func; /* match functions.. (Bidirectional etc.. ) */
154 
155     int head_node_number;
156 
157     RuleType type;
158 
159     IpAddrSet *sip;   /* NOTE(review): presumably the source address set -- confirm */
160     IpAddrSet *dip;   /* NOTE(review): presumably the destination address set -- confirm */
161 
162     int proto;
163 
164     PortObject * src_portobject;   /* source port object */
165     PortObject * dst_portobject;   /* destination port object */
166 
167     uint32_t flags;     /* control flags */
168 
169 
    /* Compiled out: links from an older layout, kept only for reference. */
170 #if 0
171     struct _RuleTreeNode *right;  /* ptr to the next RTN in the list */
172 
173     /** list of rule options to associate with this rule node */
174     OptTreeNode *down;
175 #endif
176 
177     /* points to global parent RTN list (Drop/Alert) which contains this
178      * RTN.
179      */
180     struct _ListHead *listhead;
181 
182     /* reference count from otn. Multiple OTNs can reference this RTN with the same
183      * policy.
         * NOTE(review): the counter is unsigned, so an unmatched decrement at
         * zero wraps to a large value instead of going negative.  The code
         * that increments, decrements and frees on this count is not in this
         * header; verify that every release is paired with an earlier
         * reference, since an RTN freed while an OTN still points at it would
         * be a use-after-free.
184      */
185     unsigned int otnRefCount;
186 
187 } RuleTreeNode;
188 
189 #endif /* TREENODES_H */
190