Main Page | Modules | Class List | Directories | File List | Class Members | File Members | Related Pages
templates

sp_template.c

Go to the documentation of this file.
00001 /* $Id$ */
00002 /* Snort Detection Plugin Source File Template */
00003 
00004 /* sp_template 
00005  * 
00006  * Purpose:
00007  *
00008  * Detection engine plugins test an aspect of the current packet and report
00009  * their findings.  The function may be called many times per packet with 
00010  * different arguments.  These functions are acccessed from the rules file
00011  * as standard rule options.  When adding a plugin to the system, be sure to 
00012  * add the "Setup" function to the InitPlugins() function call in 
00013  * plugbase.c!
00014  *
00015  * Arguments:
00016  *   
00017  * This is the type of arguements that the detection plugin can take when
00018  * referenced as a rule option
00019  *
00020  * Effect:
00021  *
00022  * What the plugin does.  
00023  *
00024  * Comments:
00025  *
00026  * Any comments?
00027  *
00028  */
00029 
00030 #include <sys/types.h>
00031 #include <stdlib.h>
00032 #include <ctype.h>
00033 
00034 #include "rules.h"
00035 #include "decode.h"
00036 #include "plugbase.h"
00037 #include "parser.h"
00038 #include "debug.h"
00039 #include "util.h"
00040 #include "plugin_enum.h"
00041 
00042 /* 
00043  * don't forget to include the name of this file in plugbase.c! 
00044  */
00045 
00046 /* 
00047  * setup any data structs here 
00048  */
00049 typedef struct _TemplateData
00050 {
00051     /* 
00052      * your detection option data 
00053      * structure info goes here 
00054      */
00055 
00056 } TemplateData;
00057 
00058 /* function prototypes go here */
00059 static void TemplateInit(char *, OptTreeNode *, int);
00060 static void TemplateRuleParseFunction(char *, OptTreeNode *, TemplateData *);
00061 static int TemplateDetectorFunction(Packet *, struct _OptTreeNode *, 
00062         OptFpList *);
00063 
00064 /*
00065  * 
00066  * Function: SetupTemplate()
00067  *
00068  * Purpose: Generic detection engine plugin template.  Registers the
00069  *          configuration function and links it to a rule keyword.  This is
00070  *          the function that gets called from InitPlugins in plugbase.c.
00071  *
00072  * Arguments: None.
00073  *
00074  * Returns: void function
00075  *
00076  */
00077 void SetupTemplate()
00078 {
00079     /* map the keyword to an initialization/processing function */
00080     RegisterPlugin("keyword", TemplateInit);
00081 
00082     DebugMessage(DEBUG_PLUGIN,"Plugin: TemplateName Setup\n");
00083 }
00084 
00085 
00086 /*
00087  * 
00088  * Function: TemplateInit(char *, OptTreeNode *)
00089  *
00090  * Purpose: Generic rule configuration function.  Handles parsing the rule 
00091  *          information and attaching the associated detection function to
00092  *          the OTN.
00093  *
00094  * Arguments: data => rule arguments/data
00095  *            otn => pointer to the current rule option list node
00096  *
00097  * Returns: void function
00098  *
00099  */
00100 static void TemplateInit(char *data, OptTreeNode *otn, int protocol)
00101 {
00102     TemplateData *template_data;
00103     OptFpList *ofl;
00104 
00105     /* 
00106      * allocate the data structure and attach 
00107      * it to the rule's data struct list 
00108      */
00109     template_data = (TemplateData *) SnortAlloc(sizeof(TemplateData));
00110 
00111     /* 
00112      * If this is a transport layer protocol plugin, be sure to 
00113      * check that the protocol that is passed in matches the
00114      * transport layer protocol that you're using for this rule! 
00115      */
00116 
00117     /* 
00118      * any other initialization of this plugin should be performed here
00119      */
00120 
00121     /* 
00122      * this is where the keyword arguments are processed and 
00123      * placed into the rule option's data structure 
00124      */
00125     TemplateRuleParseFunction(data, otn, template_data);
00126 
00127     /* 
00128      * finally, attach the option's detection function 
00129      * to the rule's detect function pointer list 
00130      *
00131      * AddOptFuncToList returns a pointer to the node in
00132      * the function pointer list where the detector function
00133      * is linked into the detection engine, we will grab the 
00134      * pointer to this node so that we can assign the
00135      * config data for this rule option to the functional
00136      * node's context pointer
00137      */
00138     ofl = AddOptFuncToList(TemplateDetectorFunction, otn);
00139 
00140     /*
00141      * this is where we set the functional node's context pointer
00142      * so that the plugin can find the data to test the network 
00143      * traffic against
00144      */
00145     ofl->context = (void *) template_data;
00146 }
00147 
00148 
00149 
00150 /*
00151  * 
00152  * Function: TemplateRuleParseFunction(char *, OptTreeNode *)
00153  *
00154  * Purpose: This is the function that is used to process the option keyword's
00155  *          arguments and attach them to the rule's data structures.
00156  *
00157  * Arguments: data => argument data
00158  *            otn => pointer to the current rule's OTN
00159  *            td => pointer to the configuration storage struct
00160  *
00161  * Returns: void function
00162  *
00163  */
00164 static void TemplateRuleParseFunction(
00165         char *data, 
00166         OptTreeNode *otn, 
00167         TemplateData *td)
00168 {
00169     /* 
00170      * manipulate the option arguments here 
00171      */
00172 
00173     /* 
00174      * see the code in src/detection_plugins for examples of parsing Snort
00175      * rule options
00176      */
00177 
00178     /* 
00179      * set the final option arguments here 
00180      */
00181 }
00182 
00183 
00184 /*
00185  * 
00186  * Function: TemplateDetectorFunction(char *, OptTreeNode *, OptFpList *)
00187  *
00188  * Purpose: Use this function to perform the particular detection routine
00189  *          that this rule keyword is supposed to encompass.
00190  *
00191  * Arguments: data => argument data
00192  *            otn => pointer to the current rule's OTN
00193  *            fp_list => pointer to the function pointer list current node
00194  *
00195  * Returns: If the detection test fails, this function *must* return a zero!
00196  *          On success, it calls the next function in the detection list 
00197  *
00198  */
00199 static int TemplateDetectorFunction(
00200         Packet *p, 
00201         struct _OptTreeNode *otn, 
00202         OptFpList *fp_list)
00203 {
00204     TemplateData *td;   /* ptr to the detection option's data */
00205 
00206     /*
00207      * Try to make this function as quick as possible, the faster the 
00208      * detection plugins are, the less packet loss the program will 
00209      * experience!  Avoid doing things like declaring variables or 
00210      * anything other than just doing the test and moving on...
00211      */
00212 
00213     /* 
00214      * get the current option's context data
00215      */
00216     td = (TemplateData *) fp_list->context;
00217 
00218     /* 
00219      * your detection function tests go here 
00220      */
00221     if (the_test_is_successful)
00222     {
00223         /* call the next function in the function list recursively */
00224         /* THIS CALL *MUST* BE IN THE PLUGIN, OTHERWISE YOU WILL BREAK
00225            SNORT'S DETECTION ENGINE!!! */
00226         return fp_list->next->OptTestFunc(p, otn, fp_list->next);
00227     }
00228 #ifdef DEBUG
00229     else
00230     {
00231         /* 
00232          * you can put debug comments here or not 
00233          */
00234         DebugMessage(DEBUG_PLUGIN,"No match\n");
00235     }
00236 #endif
00237 
00238     /* 
00239      * if the test isn't successful, this function *must* return 0 
00240      */
00241     return 0;
00242 }
Generated on Sun May 14 14:51:20 2006 by  doxygen 1.4.2