1 /* packet-snort-config.h
2  *
3  * Copyright 2016, Martin Mathieson
4  *
5  * Wireshark - Network traffic analyzer
6  * By Gerald Combs <gerald@wireshark.org>
7  * Copyright 1998 Gerald Combs
8  *
9  * SPDX-License-Identifier: GPL-2.0-or-later
10  */
11 
12 #ifndef __PACKET_SNORT_CONFIG_H__
13 #define __PACKET_SNORT_CONFIG_H__
14 
15 #include <glib.h>
16 
/* #define SNORT_CONFIG_DEBUG */
/* Debug tracing for the snort config parser.  With SNORT_CONFIG_DEBUG defined
 * the macro is a bare printf; otherwise the whole call, arguments included,
 * expands to nothing (so arguments must not have side effects callers rely on).
 * Because it is a plain printf in debug builds, always pass a literal format
 * string as the first argument, never text read from a config or rule file. */
#ifdef SNORT_CONFIG_DEBUG
#include <stdio.h>
#define snort_debug_printf printf
#else
#define snort_debug_printf(...)
#endif
24 
25 /************************************************************************/
26 /* Rule related data types */
27 
/* Which kind of rule option a content_t entry was parsed from.
 * The enumerator order is part of the type's value set; do not reorder. */
typedef enum content_type_t {
    Content,    /* plain content pattern */
    UriContent, /* content pattern applied to the URI (presumably; names only) */
    Pcre        /* Perl-compatible regular expression, see content_convert_pcre_for_regex() */
} content_type_t;
33 
/* Content (within an alert/rule): one match option together with the
 * modifiers attached to it and the byte form that is compared against
 * the packet.  Field order is fixed; callers may use positional initialisers. */
typedef struct content_t {
    /* Details as parsed from rule */
    content_type_t content_type;

    char *str;           /* Pattern text as it appeared in the rule */
    gboolean negation;   /* i.e. pattern must not appear */
    gboolean nocase;     /* when set, do case insensitive match */

    gboolean offset_set; /* TRUE when an offset modifier was given; offset is meaningless otherwise */
    gint offset;         /* Where to start looking within packet. -65535 -> 65535 */

    guint depth;         /* How far to look into packet. Can't be 0 */

    gboolean distance_set; /* TRUE when a distance modifier was given; distance is meaningless otherwise */
    gint distance;       /* Same as offset but relative to last match. -65535 -> 65535 */

    guint within;        /* Most bytes from end of previous match. Max 65535 */

    gboolean fastpattern; /* Is most distinctive content in rule */

    gboolean rawbytes;   /* Match should be done against raw bytes (which we do anyway) */

    /* http preprocessor modifiers */
    gboolean http_method;
    gboolean http_client_body;
    gboolean http_cookie;
    gboolean http_user_agent;

    /* Pattern converted into bytes for matching against packet.
       Used for regular patterns and PCREs alike.
       NOTE(review): bound reads of translated_str by translated_length, not
       strlen() - the byte form can presumably contain NULs; confirm against
       content_convert_to_binary(). */
    guchar *translated_str;
    gboolean translated;       /* TRUE once the conversion has been done (presumably) */
    guint translated_length;   /* Number of valid bytes in translated_str */

    /* pcre modifier flags parsed from the rule's pcre option (Pcre entries only) */
    gboolean pcre_case_insensitive;
    gboolean pcre_dot_includes_newline;
    gboolean pcre_raw;
    gboolean pcre_multiline;
} content_t;
74 
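/* This is to keep track of a variable referenced by a rule.
 * name is the variable as written in the rule, value is what it resolved to
 * (presumably via the var/ipvar/portvar tables in SnortConfig_t).
 * NOTE(review): ownership of the two strings is not documented in this header -
 * confirm in the parser who frees them before freeing a Rule_t. */
typedef struct used_variable_t {
    char *name;
    char *value;
} used_variable_t;  /* closing line restored: it was missing from the rendered page */
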
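/* The collection of variables referenced by a rule.
 * Both arrays are fixed-size with no runtime growth, and rule files are external
 * input: whoever fills them in must keep num_port_vars <= MAX_RULE_PORT_VARS and
 * num_ip_vars <= MAX_RULE_IP_VARS (rejecting or truncating the rule otherwise).
 * Note the #defines below are not scoped to the struct; they are visible file-wide. */
typedef struct relevant_vars_t {
    gboolean relevant_vars_set;  /* TRUE once the arrays below are valid (presumably set by rule_set_relevant_vars()) */

    #define MAX_RULE_PORT_VARS 6
    guint num_port_vars;         /* Valid entries in port_vars[] */
    used_variable_t port_vars[MAX_RULE_PORT_VARS];

    #define MAX_RULE_IP_VARS 6
    guint num_ip_vars;           /* Valid entries in ip_vars[] */
    used_variable_t ip_vars[MAX_RULE_IP_VARS];

} relevant_vars_t;  /* closing line restored: it was missing from the rendered page */
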
95 
/* This is purely the information parsed from the config: one rule as read from a
 * rules file, plus a match counter that is updated at runtime. */
typedef struct Rule_t {

    char *rule_string;   /* The whole rule as read from the rule file */
    char *file;          /* Name of the rule file */
    guint line_number;   /* Line number of rule within rule file */

    char *msg;           /* Description of the rule */
    char *classtype;     /* Classification string from the rule */
    guint32 sid, rev;    /* Rule identifier (key of SnortConfig_t.rules) and revision */

    char *protocol;      /* Protocol named by the rule */

    /* content strings to match on.
     * contents[] is a fixed-size array and rule files are external input:
     * the parser must stop adding entries (or reject the rule) once
     * number_contents reaches MAX_CONTENT_ENTRIES. */
    unsigned int number_contents;
#define MAX_CONTENT_ENTRIES 30
    content_t contents[MAX_CONTENT_ENTRIES];

    /* Keep this pointer so can update attributes as parse modifier options.
     * Presumably points at the last filled slot of contents[]; it is only
     * meaningful while the rule is being parsed. */
    content_t *last_added_content;

    /* References describing the rule.  Same fixed-size caveat as contents[]:
     * number_references must never exceed MAX_REFERENCE_ENTRIES. */
    unsigned int number_references;
#define MAX_REFERENCE_ENTRIES 20
    char *references[MAX_REFERENCE_ENTRIES];   /* Raw reference strings; see expand_reference() */

    relevant_vars_t relevant_vars;   /* IP/port variables this rule refers to */

    /* Statistics */
    guint matches_seen;   /* How often this rule has matched so far (presumably updated by rule_set_alert()) */
} Rule_t;
127 
128 
129 
/* Whole global snort config as learned by parsing config files.
 * Created by create_config() and released by delete_config(). */
typedef struct SnortConfig_t
{
    /* Variables (var, ipvar, portvar), one table per kind (presumably keyed by name) */
    GHashTable *vars;
    GHashTable *ipvars;
    GHashTable *portvars;

    char *rule_path;                /* Path rule files are loaded from */
    gboolean rule_path_is_absolute; /* Whether rule_path is absolute rather than relative (to what is not stated here) */

    /* (sid -> Rule_t*) table */
    GHashTable *rules;
    /* Reference (web .link) prefixes */
    GHashTable *references_prefixes;

    /* Statistics (that may be reset) - see reset_global_rule_stats() */
    guint stat_rules_files;      /* Rule files processed */
    guint stat_rules;            /* Rules parsed */
    guint stat_alerts_detected;  /* Alerts seen across all rules */

} SnortConfig_t;
152 
153 
154 /*************************************************************************************/
155 /* API functions */
156 
/* Parse snort_config_file (and whatever it pulls in) into a new config stored in
 * *snort_config; the caller owns it and releases it with delete_config().
 * The config and rule files are external input - the parser is the place where
 * the fixed-size arrays in Rule_t and relevant_vars_t must be bounded. */
void create_config(SnortConfig_t **snort_config, const char *snort_config_file);
/* Free everything owned by *snort_config (presumably also clearing *snort_config). */
void delete_config(SnortConfig_t **snort_config);

/* Look up rule by SID.  Presumably returns NULL when no rule has that sid - callers
 * should check before dereferencing. */
Rule_t *get_rule(SnortConfig_t *snort_config, guint32 sid);
/* Record that rule has fired.  global_match_number and rule_match_number are
 * out-parameters (the overall and per-rule counters, presumably). */
void rule_set_alert(SnortConfig_t *snort_config, Rule_t *rule, guint *global_match_number, guint *rule_match_number);

/* IP and port vars: fill in rule->relevant_vars from the var tables in snort_config */
void rule_set_relevant_vars(SnortConfig_t *snort_config, Rule_t *rule);

/* Substitute prefix (from reference.config) into reference string.
 * NOTE(review): reference is non-const and the return value's ownership is not
 * stated here - confirm whether the result is freshly allocated before freeing it. */
char *expand_reference(SnortConfig_t *snort_config, char *reference);

/* Rule stats: the global counters plus the alert count of the rule with this sid,
 * all returned through the out-parameters. */
void get_global_rule_stats(SnortConfig_t *snort_config, unsigned int sid,
                           unsigned int *number_rules_files, unsigned int *number_rules,
                           unsigned int *alerts_detected, unsigned int *this_rule_alerts_detected);
/* Reset the stat_* counters in snort_config (the "may be reset" statistics) */
void reset_global_rule_stats(SnortConfig_t *snort_config);

/* Expanding a content field string to the expected binary bytes
 * (fills content->translated_str / translated_length).  The return value is
 * presumably the translated length - confirm in the implementation. */
guint content_convert_to_binary(content_t *content);

/* Prepare a Pcre content's pattern and pcre_* flags for the regex engine;
 * presumably returns FALSE when the pattern is unusable. */
gboolean content_convert_pcre_for_regex(content_t *content);
180 
181 #endif
182 
183 /*
184  * Editor modelines - https://www.wireshark.org/tools/modelines.html
185  *
186  * Local variables:
187  * c-basic-offset: 4
188  * tab-width: 8
189  * indent-tabs-mode: nil
190  * End:
191  *
192  * vi: set shiftwidth=4 tabstop=8 expandtab:
193  * :indentSize=4:tabSize=8:noTabs=true:
194  */