/* snort-config.h
 *
 * Copyright 2016, Martin Mathieson
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <gerald@wireshark.org>
 * Copyright 1998 Gerald Combs
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
#include <glib.h>
#ifndef SNORT_CONFIG_H
#define SNORT_CONFIG_H
/************************************************************************/
/* Rule related data types */
/* Kind of pattern held by a content_t entry.  The value selects which
   conversion routine (content_convert_to_binary() or
   content_convert_pcre_for_regex(), declared at the end of this header)
   turns the rule text into something matchable.  The names presumably
   correspond to the rule keywords of the same name; confirm in the parser. */
typedef enum content_type_t {
    Content,      /* plain content pattern */
    UriContent,   /* content pattern applied to the URI */
    Pcre          /* regular expression */
} content_type_t;
/* Content (within an alert/rule) */
typedef struct content_t {
    /* Details as parsed from rule */
    content_type_t content_type;   /* which kind of pattern this is; decides how it is translated */

    char *str;                     /* pattern text as written in the rule (who owns/frees it is not visible in this header) */
    gboolean negation; /* i.e. pattern must not appear */
    gboolean nocase; /* when set, do case insensitive match */

    gboolean offset_set;           /* TRUE when the rule gave an explicit offset; offset below is presumably only meaningful then */
    gint offset;                   /* Where to start looking within packet. -65535 -> 65535 */

    guint depth; /* How far to look into packet. Can't be 0 */

    gboolean distance_set;         /* TRUE when the rule gave an explicit distance */
    gint distance; /* Same as offset but relative to last match. -65535 -> 65535 */

    guint within; /* Most bytes from end of previous match. Max 65535 */

    gboolean fastpattern; /* Is most distinctive content in rule */
    gboolean rawbytes; /* Match should be done against raw bytes (which we do anyway) */

    /* http preprocessor modifiers */
    gboolean http_method;
    gboolean http_client_body;
    gboolean http_cookie;
    gboolean http_user_agent;

    /* Pattern converted into bytes for matching against packet.
       Used for regular patterns and PCREs alike.
       translated_str is a byte buffer of translated_length bytes, not a
       C string: a converted pattern can contain 0x00 bytes, so every
       consumer must bound its reads by translated_length rather than
       strlen().  Ownership of the buffer is not visible in this header. */
    guchar *translated_str;
    gboolean translated;           /* TRUE once translated_str/translated_length are valid (presumably set by the convert routines below) */
    guint translated_length;

    /* PCRE option flags parsed from the pattern's modifiers; presumably only
       meaningful when content_type == Pcre.  The mapping from modifier
       letters to these flags lives in the parser. */
    gboolean pcre_case_insensitive;
    gboolean pcre_dot_includes_newline;
    gboolean pcre_raw;
    gboolean pcre_multiline;
} content_t;
/* This is to keep track of a variable referenced by a rule */
typedef struct used_variable_t {
    char *name;    /* variable name as referenced from the rule text */
    char *value;   /* value the variable resolved to; whether these strings are owned here or alias the config's tables is not visible in this header */
} used_variable_t;
/* The collection of variables referenced by a rule */
typedef struct relevant_vars_t {
    gboolean relevant_vars_set;   /* TRUE once the arrays below have been filled in (presumably by rule_set_relevant_vars(), declared at the end of this header) */

/* NOTE: these #defines sit inside the struct for readability but the
   preprocessor gives them file-wide scope. */
#define MAX_RULE_PORT_VARS 6
    guint num_port_vars;          /* count of valid entries in port_vars[]; the writer must stop at MAX_RULE_PORT_VARS rather than overrun the array — confirm in the parser */
    used_variable_t port_vars[MAX_RULE_PORT_VARS];

#define MAX_RULE_IP_VARS 6
    guint num_ip_vars;            /* count of valid entries in ip_vars[]; same bound rule as num_port_vars */
    used_variable_t ip_vars[MAX_RULE_IP_VARS];

} relevant_vars_t;
/* This is purely the information parsed from the config */
typedef struct Rule_t {

    char *rule_string; /* The whole rule as read from the rule file */
    char *file; /* Name of the rule file */
    guint line_number; /* Line number of rule within rule file */

    char *msg; /* Description of the rule */
    char *classtype;
    guint32 sid, rev;                /* rule id and revision; sid is the key used by SnortConfig_t.rules / get_rule() */

    char *protocol;

    /* content strings to match on */
    unsigned int number_contents;    /* valid entries in contents[]; must be capped at MAX_CONTENT_ENTRIES by whoever appends (rule files are external input) — confirm in the parser */
#define MAX_CONTENT_ENTRIES 30
    content_t contents[MAX_CONTENT_ENTRIES];

    /* Keep this pointer so can update attributes as parse modifier options */
    content_t *last_added_content;   /* NOTE(review): presumably points into contents[] above, so copying a Rule_t by value would leave it pointing at the source copy — keep rules behind a pointer */

    /* References describing the rule */
    unsigned int number_references;  /* valid entries in references[]; bounded by MAX_REFERENCE_ENTRIES (same caveat as number_contents) */
#define MAX_REFERENCE_ENTRIES 20
    char *references[MAX_REFERENCE_ENTRIES];

    relevant_vars_t relevant_vars;   /* variables this rule references, filled in on demand (see relevant_vars_set) */

    /* Statistics */
    guint matches_seen;              /* per-rule match counter; presumably what rule_set_alert() bumps and reset_global_rule_stats() clears */
} Rule_t;
/* Whole global snort config as learned by parsing config files */
typedef struct SnortConfig_t
{
    /* Variables (var, ipvar, portvar).  Key and value types of these tables
       are not declared here — see where the parser inserts into them. */
    GHashTable *vars;
    GHashTable *ipvars;
    GHashTable *portvars;

    char *rule_path;                  /* directory the rule files are loaded from (presumably) */
    gboolean rule_path_is_absolute;   /* whether rule_path is an absolute path; what a relative path is resolved against is not visible here */

    /* (sid -> Rule_t*) table */
    GHashTable *rules;
    /* Reference (web .link) prefixes */
    GHashTable *references_prefixes;  /* presumably consulted by expand_reference() */

    /* Statistics (that may be reset) */
    guint stat_rules_files;           /* rule files read */
    guint stat_rules;                 /* rules parsed */
    guint stat_alerts_detected;       /* alerts seen since the last reset */

} SnortConfig_t;
/*************************************************************************************/
/* API functions */
/* Parse snort_config_file and allocate a new SnortConfig_t into
   *snort_config.  The object is released with delete_config(); the
   caller owns it in between.  (Inferred from the pairing of the two
   functions — confirm against the implementation.) */
void create_config(SnortConfig_t **snort_config, const char *snort_config_file);
/* Free *snort_config and everything it owns.  Whether *snort_config is
   reset to NULL afterwards is not visible here. */
void delete_config(SnortConfig_t **snort_config);

/* Look up rule by SID */
/* Presumably returns NULL when no rule has that sid — callers must check
   before dereferencing. */
Rule_t *get_rule(SnortConfig_t *snort_config, guint32 sid);
/* Record that rule fired.  global_match_number and rule_match_number are
   out-parameters; they presumably receive the updated values of
   stat_alerts_detected and rule->matches_seen respectively. */
void rule_set_alert(SnortConfig_t *snort_config, Rule_t *rule, guint *global_match_number, guint *rule_match_number);

/* IP and port vars */
/* Populate rule->relevant_vars from the config's variable tables. */
void rule_set_relevant_vars(SnortConfig_t *snort_config, Rule_t *rule);

/* Substitute prefix (from reference.config) into reference string */
/* NOTE(review): reference is non-const and the result is a plain char *,
   so this header does not say whether the return value is freshly
   allocated or aliases reference.  Check the implementation before
   free()ing the result or relying on reference being unchanged. */
char *expand_reference(SnortConfig_t *snort_config, char *reference);

/* Rule stats */
/* Copies the global counters and the match count of the rule identified by
   sid into the four out-parameters.  Style note: sid is `unsigned int`
   here but `guint32` in get_rule(); the two should agree. */
void get_global_rule_stats(SnortConfig_t *snort_config, unsigned int sid,
unsigned int *number_rules_files, unsigned int *number_rules,
unsigned int *alerts_detected, unsigned int *this_rule_alerts_detected);
/* Zero the resettable counters in SnortConfig_t (and presumably each rule's matches_seen). */
void reset_global_rule_stats(SnortConfig_t *snort_config);

/* Expanding a content field string to the expected binary bytes */
/* Fills content->translated_str / translated_length from content->str.
   The guint return is presumably the translated length — confirm, and
   treat 0 as "nothing to match" rather than as success. */
guint content_convert_to_binary(content_t *content);
/* PCRE counterpart of content_convert_to_binary(); the gboolean return
   presumably signals success. */
gboolean content_convert_pcre_for_regex(content_t *content);
#endif
/*
 * Editor modelines - http://www.wireshark.org/tools/modelines.html
 *
 * Local variables:
 * c-basic-offset: 4
 * tab-width: 8
 * indent-tabs-mode: nil
 * End:
 *
 * vi: set shiftwidth=4 tabstop=8 expandtab:
 * :indentSize=4:tabSize=8:noTabs=true:
 */