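/*
** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* $Id$ */

/*
** rules.h -- data structures that make up the parsed rule set (rule tree
** nodes, option tree nodes, response/output function lists) plus the
** flag and constant values those structures carry.  Nothing here is
** executable; the layout is shared by the parser, the detection engine
** and the plugin system, so field order and sizes are part of the ABI
** every plugin built against this header depends on.
**
** NOTE(review): the include guard and the struct tags (_OptTreeNode,
** _RuleTreeNode, ...) use identifiers reserved for the implementation
** (leading underscore + uppercase).  They are kept because external code
** refers to the tags; do not add new names in that style.
*/
#ifndef __RULES_H__
#define __RULES_H__

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include "event.h"
#include "decode.h"
#include "signature.h"
#include "parser/IpAddrSet.h"
#include "spo_plugbase.h"

/*
** Some Solaris/SunOS headers lack INADDR_NONE.  The value is the signed
** int -1; comparing it with a 32-bit unsigned address converts it to
** 0xffffffff as intended, but comparing against a wider unsigned type
** (e.g. an unsigned long on LP64) would not match -- keep address fields
** 32 bits wide when testing against it.
*/
#if defined(SUNOS) || defined(SOLARIS)
#define INADDR_NONE -1
#endif

/* Rule / directive types: the action taken when a rule matches, or the
   kind of non-rule directive a line of the config file turned out to be
   (var, include, preprocessor, output, ...).  Stored in OptTreeNode.type
   and RuleTreeNode.type. */
#define RULE_LOG         0
#define RULE_PASS        1
#define RULE_ALERT       2
#define RULE_VAR         3
#define RULE_INCLUDE     4
#define RULE_PREPROCESS  5
#define RULE_OUTPUT      6
#define RULE_ACTIVATE    7
#define RULE_DYNAMIC     8
#define RULE_CONFIG      9
#define RULE_DECLARE    10
#define RULE_THRESHOLD  11
#define RULE_SUPPRESS   12
#define RULE_UNKNOWN    13
#define RULE_DROP       14
#define RULE_SDROP      15
#define RULE_REJECT     16
#define RULE_REJECTBOTH 17
#define RULE_REJECTSRC  18
#define RULE_REJECTDST  19
#define RULE_REINJECT   20

/* Rule-header flag bits (RuleTreeNode.flags).  EXCEPT_* negate the
   corresponding address/port match, ANY_* disable it, BIDIRECTIONAL
   means the header was written with "<>" and matches either way. */
#define EXCEPT_SRC_IP   0x01
#define EXCEPT_DST_IP   0x02
#define ANY_SRC_PORT    0x04
#define ANY_DST_PORT    0x08
#define ANY_FLAGS       0x10
#define EXCEPT_SRC_PORT 0x20
#define EXCEPT_DST_PORT 0x40
#define BIDIRECTIONAL   0x80
#define ANY_SRC_IP      0x100
#define ANY_DST_IP      0x200

/* Address-set flag; lives in a different bit space than EXCEPT_SRC_IP
   even though it shares the value 0x01 -- do not mix the two. */
#define EXCEPT_IP       0x01

/* TCP flag bits as used by rule options; R_RES1/R_RES2 are the two
   reserved bits (ECN nowadays). */
#define R_FIN   0x01
#define R_SYN   0x02
#define R_RST   0x04
#define R_PSH   0x08
#define R_ACK   0x10
#define R_URG   0x20
#define R_RES2  0x40
#define R_RES1  0x80

/* Rule-list evaluation modes (RuleListNode.mode).  Defined once here;
   the original header repeated this pair further down with identical
   values. */
#define MODE_EXIT_ON_MATCH  0
#define MODE_FULL_SEARCH    1

/* Direction selectors for address/port checks. */
#define CHECK_SRC   0x01
#define CHECK_DST   0x02
#define INVERSE     0x04

/* Values for OptTreeNode.session_flag. */
#define SESSION_PRINTABLE 1
#define SESSION_ALL       2

/* Active-response selectors (resp keyword). */
#define RESP_RST_SND    0x01
#define RESP_RST_RCV    0x02
#define RESP_BAD_NET    0x04
#define RESP_BAD_HOST   0x08
#define RESP_BAD_PORT   0x10

/* Index values for source/destination side. */
#define SRC 0
#define DST 1

/* Size of the rule-line parsing buffer.  Any code that copies rule text
   into a buffer of this size must bound the copy (snprintf / length
   check); a rule file is input, not trusted code. */
#ifndef PARSERULE_SIZE
#define PARSERULE_SIZE 8192
#endif

/* D A T A   S T R U C T U R E S *********************************************/
/* The rule structures are forward declared so that the function pointer
   lists can reference them internally. */

struct _OptTreeNode;    /* forward declaration of OTN data struct */
struct _RuleTreeNode;   /* forward declaration of RTN data struct */
struct _ListHead;       /* forward declaration of ListHead data struct */

/* Function pointer list for rule head (RTN) nodes: one entry per header
   test (addresses, ports, direction).  Entries are evaluated in list
   order; the test receives its own node so it can read `context`. */
typedef struct _RuleFpList
{
    /* context data for this test */
    void *context;

    /* rule check function pointer */
    int (*RuleHeadFunc)(Packet *, struct _RuleTreeNode *, struct _RuleFpList *);

    /* pointer to the next rule function node */
    struct _RuleFpList *next;
} RuleFpList;

/* Same shape as the rule header FP list, but for rule options (OTN):
   each entry is one detection plugin test. */
typedef struct _OptFpList
{
    /* context data for this test */
    void *context;

    int (*OptTestFunc)(Packet *, struct _OptTreeNode *, struct _OptFpList *);

    struct _OptFpList *next;

} OptFpList;

/* Response plugin list: functions run after a rule fires (e.g. resp/react). */
typedef struct _RspFpList
{
    int (* ResponseFunc)(Packet *, struct _RspFpList *);
    void *params;   /* params for the plugin.. type defined by plugin */
    struct _RspFpList *next;
} RspFpList;

/* Tagging parameters attached to a rule via the tag option.  The
   *_seconds/_packets/_bytes counts are plain ints; the parser is
   expected to have range-checked them before they land here. */
typedef struct _TagData
{
    int tag_type;       /* tag type (session/host) */
    int tag_seconds;    /* number of "seconds" units to tag for */
    int tag_packets;    /* number of "packets" units to tag for */
    int tag_bytes;      /* number of "type" units to tag for */
    int tag_metric;     /* (packets | seconds | bytes) units */
    int tag_direction;  /* source or dest, used for host tagging */
} TagData;

/* Option tree node: one per rule body.  Hangs off a RuleTreeNode and
   holds the detection option list, the rule's metadata and its
   activation/threshold state. */
typedef struct _OptTreeNode
{
    /* plugin/detection functions go here */
    OptFpList *opt_func;
    RspFpList *rsp_func;            /* response functions */
    OutputFuncNode *outputFuncs;    /* per sid enabled output functions */

    /* the ds_list is absolutely essential for the plugin system to work,
       it allows the plugin authors to associate "dynamic" data structures
       with the rule system, letting them link anything they can come up
       with to the rules list */
    void *ds_list[64];  /* list of plugin data struct pointers; a plugin's
                           slot index must stay below 64 -- there is no
                           bounds check at the point of use */

    int chain_node_number;

    int type;           /* what do we do when we match this rule */
    int evalIndex;      /* where this rule sits in the evaluation sets */

    int proto;          /* protocol, added for integrity checks
                           during rule parsing */
    struct _RuleTreeNode *proto_node;   /* ptr to head part... */
    int session_flag;   /* record session data */

    char *logto;        /* log file in which to write packets which
                           match this rule -- presumably taken verbatim
                           from the rule's logto option, so the code that
                           opens it should sanity-check the path */
    /* metadata about signature */
    SigInfo sigInfo;

    u_int8_t stateless;     /* this rule can fire regardless of session state */
    u_int8_t established;   /* this rule can only fire if it is established */
    u_int8_t unestablished;

    Event event_data;

    TagData *tag;

    /* stuff for dynamic rules activation/deactivation */
    int active_flag;
    int activation_counter;
    int countdown;
    int activates;
    int activated_by;

    u_int8_t  threshold_type;   /* type of threshold we're watching */
    u_int32_t threshold;        /* number of events between alerts */
    u_int32_t window;           /* number of seconds before threshold times out */

    struct _OptTreeNode *OTN_activation_ptr;
    struct _RuleTreeNode *RTN_activation_ptr;

    struct _OptTreeNode *next;
    struct _RuleTreeNode *rtn;

} OptTreeNode;

/* Linked list of rule ids that can activate a dynamic rule. */
typedef struct _ActivateList
{
    int activated_by;
    struct _ActivateList *next;
} ActivateList;

/* IpAddrSet used to be defined here; it now lives in parser/IpAddrSet.h
   (included above). */

/* Rule tree node: one per distinct rule header (action, proto, addresses,
   ports, direction).  All rule bodies sharing that header hang off
   `down`.  Port ranges are stored as lo/hi pairs in host order. */
typedef struct _RuleTreeNode
{
    RuleFpList *rule_func;  /* match functions.. (Bidirectional etc.. ) */

    int head_node_number;

    int type;

    IpAddrSet *sip;
    IpAddrSet *dip;

    int not_sp_flag;    /* not source port flag */

    u_short hsp;        /* hi src port */
    u_short lsp;        /* lo src port */

    int not_dp_flag;    /* not dest port flag */

    u_short hdp;        /* hi dest port */
    u_short ldp;        /* lo dest port */

    u_int32_t flags;    /* control flags (EXCEPT_*/ANY_*/BIDIRECTIONAL) */

    /* stuff for dynamic rules activation/deactivation */
    int active_flag;
    int activation_counter;
    int countdown;
    ActivateList *activate_list;

    struct _RuleTreeNode *right;    /* ptr to the next RTN in the list */

    OptTreeNode *down;  /* list of rule options to associate with this
                           rule node */
    struct _ListHead *listhead;

} RuleTreeNode;

struct _RuleListNode;

/* Per-action list head: the RTN chains for each protocol plus the output
   plugins bound to that action. */
typedef struct _ListHead
{
    RuleTreeNode *IpList;
    RuleTreeNode *TcpList;
    RuleTreeNode *UdpList;
    RuleTreeNode *IcmpList;
    struct _OutputFuncNode *LogList;
    struct _OutputFuncNode *AlertList;
    struct _RuleListNode *ruleListNode;
} ListHead;

/* Ordered list of rule lists (the action evaluation order). */
typedef struct _RuleListNode
{
    ListHead *RuleList;         /* The rule list associated with this node */
    int mode;                   /* the rule mode (MODE_*) */
    int rval;                   /* 0 == no detection, 1 == detection event */
    int evalIndex;              /* eval index for this rule set */
    char *name;                 /* name of this rule list (for debugging) */
    struct _RuleListNode *next; /* the next RuleListNode */
} RuleListNode;

/* Bit for VarEntry.flags: variable was defined by the program, not the
   config file. */
#define VAR_STATIC 1

/* Config variable ($NAME) table entry; doubly linked. */
struct VarEntry
{
    char *name;
    char *value;
    unsigned char flags;
    struct VarEntry *prev;
    struct VarEntry *next;
};

#endif /* __RULES_H__ */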