1/* packet-snort-config.h
2 *
3 * Copyright 2016, Martin Mathieson
4 *
5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <[email protected]>
7 * Copyright 1998 Gerald Combs
8 *
9 * SPDX-License-Identifier: GPL-2.0-or-later
10 */
11
12#ifndef __PACKET_SNORT_CONFIG_H__
13#define __PACKET_SNORT_CONFIG_H__
14
#include <stdbool.h>
#include <stdint.h>

#include <glib.h>
16
17/************************************************************************/
18/* Rule related data types */
19
/* Which kind of pattern a content_t holds.  Plain content and PCRE
   entries are both converted to bytes for matching (see content_t). */
typedef enum content_type_t {
    Content,        /* plain content string */
    UriContent,     /* URI content string */
    Pcre            /* PCRE regular expression */
} content_type_t;
25
26/* Content (within an alert/rule) */
/* Content (within an alert/rule) */
typedef struct content_t {
    /* Details as parsed from rule */
    content_type_t content_type;    /* Content, UriContent or Pcre */

    char *str;                      /* Pattern text as written in the rule */
    bool negation;                  /* i.e. pattern must not appear */
    bool nocase;                    /* when set, do case insensitive match */

    bool offset_set;                /* Where to start looking within packet. -65535 -> 65535 */
    int offset;                     /* Presumably only meaningful when offset_set is true */

    unsigned depth;                 /* How far to look into packet. Can't be 0 */

    bool distance_set;
    int distance;                   /* Same as offset but relative to last match. -65535 -> 65535
                                       Presumably only meaningful when distance_set is true */

    unsigned within;                /* Most bytes from end of previous match. Max 65535 */

    bool fastpattern;               /* Is most distinctive content in rule */

    bool rawbytes;                  /* Match should be done against raw bytes (which we do anyway) */

    /* http preprocessor modifiers */
    bool http_method;
    bool http_client_body;
    bool http_cookie;
    bool http_user_agent;

    /* Pattern converted into bytes for matching against packet.
       Used for regular patterns and PCREs alike.
       NOTE(review): translated_str is length-delimited binary
       (translated_length bytes), not a C string - do not pass it to
       str* functions.  Presumably produced by content_convert_to_binary();
       `translated` marks that the conversion has been done - confirm. */
    unsigned char *translated_str;
    bool translated;
    unsigned translated_length;

    /* PCRE option flags (see content_convert_pcre_for_regex()) */
    bool pcre_case_insensitive;
    bool pcre_dot_includes_newline;
    bool pcre_raw;
    bool pcre_multiline;
} content_t;
66
67/* This is to keep track of a variable referenced by a rule */
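/* This is to keep track of a variable referenced by a rule.
   Ownership of name/value is not visible from this header - check the
   implementation before freeing either.
   The closing of this typedef is missing from the listing as rendered;
   it is restored here so the declaration terminates. */
typedef struct used_variable_t {
    char *name;                     /* Variable name as referenced by the rule */
    char *value;                    /* Its value from the config */
} used_variable_t;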
72
73/* The collection of variables referenced by a rule */
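/* The collection of variables referenced by a rule.
   Both arrays are fixed-size: whoever fills them must stop at
   MAX_RULE_PORT_VARS / MAX_RULE_IP_VARS (nothing in the type enforces the
   bound).  The closing of this typedef is missing from the listing as
   rendered; it is restored here so the declaration terminates. */
typedef struct relevant_vars_t {
    bool relevant_vars_set;         /* Presumably set once rule_set_relevant_vars() has run */

    #define MAX_RULE_PORT_VARS 6
    unsigned num_port_vars;         /* Valid leading entries of port_vars[] (<= MAX_RULE_PORT_VARS) */
    used_variable_t port_vars[MAX_RULE_PORT_VARS];

    #define MAX_RULE_IP_VARS 6
    unsigned num_ip_vars;           /* Valid leading entries of ip_vars[] (<= MAX_RULE_IP_VARS) */
    used_variable_t ip_vars[MAX_RULE_IP_VARS];

} relevant_vars_t;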
86
87
88/* This is purely the information parsed from the config */
/* This is purely the information parsed from the config */
typedef struct Rule_t {

    char *rule_string;              /* The whole rule as read from the rule file */
    char *file;                     /* Name of the rule file */
    unsigned line_number;           /* Line number of rule within rule file */

    char *msg;                      /* Description of the rule */
    char *classtype;                /* Rule classtype text as parsed */
    uint32_t sid, rev;              /* Signature id (the key of SnortConfig_t.rules) and revision */

    char *protocol;                 /* Protocol text as parsed */

    /* content strings to match on.
       number_contents is the count of valid leading entries of contents[].
       The array is fixed-size, so the parser must refuse further contents
       once number_contents reaches MAX_CONTENT_ENTRIES - the type itself
       does not enforce the bound. */
    unsigned int number_contents;
#define MAX_CONTENT_ENTRIES 30
    content_t contents[MAX_CONTENT_ENTRIES];

    /* Keep this pointer so can update attributes as parse modifier options.
       Presumably points at the most recently added contents[] entry (and is
       NULL before any content is added) - confirm in the parser. */
    content_t *last_added_content;

    /* References describing the rule.  Same fixed-size pattern as
       contents[]: number_references must stay <= MAX_REFERENCE_ENTRIES. */
    unsigned int number_references;
#define MAX_REFERENCE_ENTRIES 20
    char *references[MAX_REFERENCE_ENTRIES];

    relevant_vars_t relevant_vars;  /* IP/port vars used by this rule (see rule_set_relevant_vars()) */

    /* Statistics */
    unsigned matches_seen;          /* Presumably the number of alerts raised for this rule (see rule_set_alert()) */
} Rule_t;
119
120
121
122/* Whole global snort config as learned by parsing config files */
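/* Whole global snort config as learned by parsing config files.
   The closing of this typedef is missing from the listing as rendered;
   it is restored here so the declaration terminates. */
typedef struct SnortConfig_t
{
    /* Variables (var, ipvar, portvar).  Key/value types of these tables are
       not visible from this header - see the implementation. */
    GHashTable *vars;
    GHashTable *ipvars;
    GHashTable *portvars;

    char *rule_path;                /* Presumably where rule files are read from */
    bool rule_path_is_absolute;     /* Whether rule_path is an absolute path */

    /* (sid -> Rule_t*) table */
    GHashTable *rules;
    /* Reference (web .link) prefixes */
    GHashTable *references_prefixes;

    /* Statistics (that may be reset) - reported by get_global_rule_stats()
       and cleared by reset_global_rule_stats() */
    unsigned stat_rules_files;
    unsigned stat_rules;
    unsigned stat_alerts_detected;
} SnortConfig_t;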
144
145
146/*************************************************************************************/
147/* API functions */
148
/* Parse snort_config_file and store the resulting configuration in
   *snort_config.  Presumably allocates the SnortConfig_t (hence the
   pointer-to-pointer); pair every call with delete_config(). */
void create_config(SnortConfig_t **snort_config, const char *snort_config_file);
/* Release everything owned by *snort_config.  Presumably also resets the
   caller's pointer, given it is passed by address - confirm. */
void delete_config(SnortConfig_t **snort_config);

/* Look up rule by SID.  Callers should handle a NULL result for an unknown
   SID (presumably what the implementation returns - confirm). */
Rule_t *get_rule(SnortConfig_t *snort_config, uint32_t sid);
/* Record an alert for rule.  global_match_number and rule_match_number are
   output parameters; presumably the config-wide and per-rule alert counters
   after this alert is counted. */
void rule_set_alert(SnortConfig_t *snort_config, Rule_t *rule, unsigned *global_match_number, unsigned *rule_match_number);

/* IP and port vars: presumably fills rule->relevant_vars from the config's
   ipvars/portvars tables */
void rule_set_relevant_vars(SnortConfig_t *snort_config, Rule_t *rule);

/* Substitute prefix (from reference.config) into reference string.
   NOTE(review): whether the returned string is newly allocated or aliases
   `reference` is not visible here - check the implementation before freeing
   either pointer. */
char *expand_reference(SnortConfig_t *snort_config, char *reference);

/* Rule stats.  The first three outputs are config-wide counters
   (SnortConfig_t.stat_*); this_rule_alerts_detected is for the rule
   identified by sid.  Note sid is unsigned int here but uint32_t in
   get_rule(). */
void get_global_rule_stats(SnortConfig_t *snort_config, unsigned int sid,
                           unsigned int *number_rules_files, unsigned int *number_rules,
                           unsigned int *alerts_detected, unsigned int *this_rule_alerts_detected);
/* Clear the resettable statistics (SnortConfig_t.stat_*) */
void reset_global_rule_stats(SnortConfig_t *snort_config);

/* Expanding a content field string to the expected binary bytes.
   Presumably fills content->translated_str and returns the resulting
   length (cf. content_t.translated_length) - confirm. */
unsigned content_convert_to_binary(content_t *content);

/* Prepare a Pcre content for the regex engine; the bool return presumably
   reports success. */
bool content_convert_pcre_for_regex(content_t *content);
172
173#endif
174
175/*
176 * Editor modelines - https://www.wireshark.org/tools/modelines.html
177 *
178 * Local variables:
179 * c-basic-offset: 4
180 * tab-width: 8
181 * indent-tabs-mode: nil
182 * End:
183 *
184 * vi: set shiftwidth=4 tabstop=8 expandtab:
185 * :indentSize=4:tabSize=8:noTabs=true:
186 */