/* packet-snort-config.h
 *
 * Copyright 2016, Martin Mathieson
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <[email protected]>
 * Copyright 1998 Gerald Combs
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
#ifndef __PACKET_SNORT_CONFIG_H__
#define __PACKET_SNORT_CONFIG_H__
#include <stdbool.h>
#include <stdint.h>

#include <glib.h>
/************************************************************************/
/* Rule related data types */
typedef
enum
content_type_t {
21
Content,
22
UriContent,
23
Pcre
24
} content_type_t;
/* Content (within an alert/rule).
 *
 * One pattern plus the modifiers that were attached to it in the rule text.
 * A Rule_t holds a fixed array of these (see MAX_CONTENT_ENTRIES below).
 * Ownership of the two string pointers is not stated in this header -
 * presumably allocated by the rule parser and released with the rule;
 * confirm against packet-snort-config.c before freeing anything here. */
typedef struct content_t {
    /* Details as parsed from rule */
    content_type_t content_type;

    char          *str;           /* Pattern text exactly as written in the rule */
    bool           negation;      /* i.e. pattern must not appear */
    bool           nocase;        /* when set, do case insensitive match */

    bool           offset_set;    /* Where to start looking within packet. -65535 -> 65535 */
    int            offset;        /* Only meaningful when offset_set is true.  The documented
                                   * range is a rule-file constraint; the parser is presumably
                                   * where it is enforced before the value indexes a packet. */

    unsigned       depth;         /* How far to look into packet. Can't be 0 */

    bool           distance_set;
    int            distance;      /* Same as offset but relative to last match. -65535 -> 65535 */

    unsigned       within;        /* Most bytes from end of previous match. Max 65535 */

    bool           fastpattern;   /* Is most distinctive content in rule */

    bool           rawbytes;      /* Match should be done against raw bytes (which we do anyway) */

    /* http preprocessor modifiers */
    bool           http_method;
    bool           http_client_body;
    bool           http_cookie;
    bool           http_user_agent;

    /* Pattern converted into bytes for matching against packet.
       Used for regular patterns and PCREs alike. */
    unsigned char *translated_str;      /* Binary form of str; filled in by content_convert_to_binary() */
    bool           translated;          /* True once translated_str/translated_length are valid */
    unsigned       translated_length;   /* Byte length of translated_str (it is not assumed NUL-terminated) */

    /* PCRE flags parsed from the trailing /.../ modifiers of a pcre option. */
    bool           pcre_case_insensitive;
    bool           pcre_dot_includes_newline;
    bool           pcre_raw;
    bool           pcre_multiline;
} content_t;
/* This is to keep track of a variable referenced by a rule.
 *
 * Records one (name, value) pair so the value a rule was resolved against
 * can be shown later.  Whether the strings are owned here or point into
 * the SnortConfig_t variable tables is not stated in this header. */
typedef struct used_variable_t {
    char *name;    /* Variable name as written in the rule (e.g. the $VAR token) */
    char *value;   /* Value the name expanded to when the rule was parsed */
} used_variable_t;
/* The collection of variables referenced by a rule.
 *
 * Both lists are fixed-size arrays with a separate element count; the
 * counts must never exceed the corresponding MAX_RULE_*_VARS bound, and any
 * code appending to them has to check the count first rather than rely on
 * the rule text being well-behaved. */
typedef struct relevant_vars_t {
    bool relevant_vars_set;   /* True once rule_set_relevant_vars() has populated this struct */

#define MAX_RULE_PORT_VARS 6
    unsigned        num_port_vars;                    /* Valid entries in port_vars[]; <= MAX_RULE_PORT_VARS */
    used_variable_t port_vars[MAX_RULE_PORT_VARS];

#define MAX_RULE_IP_VARS 6
    unsigned        num_ip_vars;                      /* Valid entries in ip_vars[]; <= MAX_RULE_IP_VARS */
    used_variable_t ip_vars[MAX_RULE_IP_VARS];

} relevant_vars_t;
/* This is purely the information parsed from the config.
 *
 * One rule as read from a rule file, plus per-rule statistics.  The
 * contents[] and references[] arrays are fixed size; number_contents and
 * number_references give how many leading entries are valid and must be
 * bounds-checked against the MAX_* values before a new entry is stored,
 * since the rule file is external input. */
typedef struct Rule_t {

    char          *rule_string;      /* The whole rule as read from the rule file */
    char          *file;             /* Name of the rule file */
    unsigned       line_number;      /* Line number of rule within rule file */

    char          *msg;              /* Description of the rule */
    char          *classtype;        /* Value of the classtype option, if any */
    uint32_t       sid, rev;         /* Rule id and revision; sid is the key of SnortConfig_t.rules */

    char          *protocol;         /* Protocol keyword from the rule header */

    /* content strings to match on */
    unsigned int   number_contents;  /* Valid entries in contents[]; <= MAX_CONTENT_ENTRIES */
#define MAX_CONTENT_ENTRIES 30
    content_t      contents[MAX_CONTENT_ENTRIES];

    /* Keep this pointer so can update attributes as parse modifier options */
    content_t     *last_added_content;   /* Presumably points into contents[] above - it must not
                                          * outlive or be used after the array is reset; confirm in parser */

    /* References describing the rule */
    unsigned int   number_references;    /* Valid entries in references[]; <= MAX_REFERENCE_ENTRIES */
#define MAX_REFERENCE_ENTRIES 20
    char          *references[MAX_REFERENCE_ENTRIES];   /* Raw reference strings; see expand_reference() */

    relevant_vars_t relevant_vars;       /* Variables the rule referred to, see relevant_vars_t */

    /* Statistics */
    unsigned       matches_seen;         /* Times this rule has alerted; cleared by reset_global_rule_stats() presumably */
} Rule_t;
/* Whole global snort config as learned by parsing config files.
 *
 * Created by create_config() and released by delete_config().  Key and
 * value types of the GHashTables are not declared here; the only one the
 * header documents is rules (sid -> Rule_t*).  Treat the others as
 * opaque unless the .c file is consulted. */
typedef struct SnortConfig_t
{
    /* Variables (var, ipvar, portvar) */
    GHashTable *vars;        /* "var" definitions */
    GHashTable *ipvars;      /* "ipvar" definitions */
    GHashTable *portvars;    /* "portvar" definitions */

    char       *rule_path;               /* Directory rule files are resolved against */
    bool        rule_path_is_absolute;   /* When false, rule_path is presumably relative to the config file - confirm */

    /* (sid -> Rule_t*) table */
    GHashTable *rules;
    /* Reference (web .link) prefixes */
    GHashTable *references_prefixes;     /* Used by expand_reference() */

    /* Statistics (that may be reset) */
    unsigned    stat_rules_files;        /* Number of rule files parsed */
    unsigned    stat_rules;              /* Number of rules parsed */
    unsigned    stat_alerts_detected;    /* Alerts seen across all rules */

} SnortConfig_t;
/*************************************************************************************/
/* API functions */
/* Build a SnortConfig_t from snort_config_file (the path of the snort
 * configuration to parse) and store it through *snort_config.
 * Ownership of the result passes to the caller, who releases it with
 * delete_config().  What *snort_config holds on failure is not
 * stated here - check it in the .c file before dereferencing. */
void create_config(SnortConfig_t **snort_config, const char *snort_config_file);
/* Release a config created by create_config(); takes the same double
 * pointer, presumably so it can NULL out *snort_config afterwards. */
void delete_config(SnortConfig_t **snort_config);

/* Look up rule by SID.
 * Returns the Rule_t stored in snort_config->rules for sid; the
 * not-found result is not declared here (presumably NULL - confirm). */
Rule_t *get_rule(SnortConfig_t *snort_config, uint32_t sid);
/* Record that rule has alerted.  global_match_number and
 * rule_match_number are output parameters; they appear to receive the
 * running alert counts (config-wide and per-rule respectively). */
void rule_set_alert(SnortConfig_t *snort_config, Rule_t *rule,
                    unsigned *global_match_number, unsigned *rule_match_number);

/* IP and port vars.
 * Fill rule->relevant_vars from the var tables in snort_config and set
 * relevant_vars_set.  Must respect MAX_RULE_IP_VARS / MAX_RULE_PORT_VARS
 * when populating the fixed arrays. */
void rule_set_relevant_vars(SnortConfig_t *snort_config, Rule_t *rule);

/* Substitute prefix (from reference.config) into reference string.
 * Consults snort_config->references_prefixes.  Note that reference is
 * non-const and the return value is a new char*; whether the caller must
 * free the result is not stated in this header. */
char *expand_reference(SnortConfig_t *snort_config, char *reference);

/* Rule stats.
 * Return the config-wide counters and the alert count of the rule with
 * the given sid through the four output pointers.  Note that sid is
 * declared "unsigned int" here while get_rule() and Rule_t.sid use
 * uint32_t; the two are the same width on supported platforms but the
 * prototype would read better with uint32_t. */
void get_global_rule_stats(SnortConfig_t *snort_config, unsigned int sid,
                           unsigned int *number_rules_files, unsigned int *number_rules,
                           unsigned int *alerts_detected, unsigned int *this_rule_alerts_detected);
/* Zero the "Statistics (that may be reset)" counters in snort_config. */
void reset_global_rule_stats(SnortConfig_t *snort_config);

/* Expanding a content field string to the expected binary bytes.
 * Parses content->str into content->translated_str and sets
 * content->translated.  The unsigned return is presumably the number of
 * bytes produced (i.e. translated_length) - confirm in the .c file. */
unsigned content_convert_to_binary(content_t *content);

/* Rewrite a Pcre content's pattern into the form the regex engine expects;
 * returns false when the pattern could not be converted. */
bool content_convert_pcre_for_regex(content_t *content);
#endif
/*
 * Editor modelines - https://www.wireshark.org/tools/modelines.html
 *
 * Local variables:
 * c-basic-offset: 4
 * tab-width: 8
 * indent-tabs-mode: nil
 * End:
 *
 * vi: set shiftwidth=4 tabstop=8 expandtab:
 * :indentSize=4:tabSize=8:noTabs=true:
 */