diff options
Diffstat (limited to 'framework/src/suricata/src/detect-engine-state.h')
-rw-r--r-- | framework/src/suricata/src/detect-engine-state.h | 244 |
1 files changed, 0 insertions, 244 deletions
diff --git a/framework/src/suricata/src/detect-engine-state.h b/framework/src/suricata/src/detect-engine-state.h deleted file mode 100644 index c8944cff..00000000 --- a/framework/src/suricata/src/detect-engine-state.h +++ /dev/null @@ -1,244 +0,0 @@ -/* Copyright (C) 2007-2013 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \ingroup sigstate - * - * @{ - */ - -/** - * \file - * - * \brief Data structures and function prototypes for keeping - * state for the detection engine. - * - * \author Victor Julien <victor@inliniac.net> - * \author Anoop Saldanha <anoopsaldanha@gmail.com> - */ - -/* On DeState and locking. - * - * The DeState is part of a flow, but it can't be protected by the flow lock. - * Reason is we need to lock the DeState data for an entire detection run, - * as we're looping through on "continued" detection and rely on only a single - * detection instance setting it up on first run. We can't keep the entire flow - * locked during detection for performance reasons, it would slow us down too - * much. - * - * So a new lock was introduced. The only part of the process where we need - * the flow lock is obviously when we're getting/setting the de_state ptr from - * to the flow. - */ - -#ifndef __DETECT_ENGINE_STATE_H__ -#define __DETECT_ENGINE_STATE_H__ - -#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH 0 -#define DETECT_ENGINE_INSPECT_SIG_MATCH 1 -#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH 2 -#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILESTORE 3 - -/** number of DeStateStoreItem's in one DeStateStore object */ -#define DE_STATE_CHUNK_SIZE 15 - -/* per sig flags */ -#define DE_STATE_FLAG_URI_INSPECT (1) -#define DE_STATE_FLAG_HRUD_INSPECT (1 << 1) -#define DE_STATE_FLAG_HCBD_INSPECT (1 << 2) -#define DE_STATE_FLAG_HSBD_INSPECT (1 << 3) -#define DE_STATE_FLAG_HHD_INSPECT (1 << 4) -#define DE_STATE_FLAG_HRHD_INSPECT (1 << 5) -#define DE_STATE_FLAG_HHHD_INSPECT (1 << 6) -#define DE_STATE_FLAG_HRHHD_INSPECT (1 << 7) -#define DE_STATE_FLAG_HUAD_INSPECT (1 << 8) -#define DE_STATE_FLAG_HMD_INSPECT (1 << 9) -#define DE_STATE_FLAG_HCD_INSPECT (1 << 10) -#define DE_STATE_FLAG_HSMD_INSPECT (1 << 11) -#define DE_STATE_FLAG_HSCD_INSPECT (1 << 12) -#define DE_STATE_FLAG_FILE_TC_INSPECT (1 << 13) -#define DE_STATE_FLAG_FILE_TS_INSPECT (1 << 14) -#define DE_STATE_FLAG_FULL_INSPECT (1 << 15) -#define DE_STATE_FLAG_SIG_CANT_MATCH (1 << 16) -#define DE_STATE_FLAG_DNSQUERYNAME_INSPECT (1 << 17) -#define DE_STATE_FLAG_APP_EVENT_INSPECT (1 << 18) -#define DE_STATE_FLAG_MODBUS_INSPECT (1 << 19) -#define DE_STATE_FLAG_HRL_INSPECT (1 << 20) -#define DE_STATE_FLAG_FD_SMTP_INSPECT (1 << 21) -#define DE_STATE_FLAG_DNSREQUEST_INSPECT (1 << 22) -#define DE_STATE_FLAG_DNSRESPONSE_INSPECT (1 << 23) -#define DE_STATE_FLAG_TEMPLATE_BUFFER_INSPECT (1 << 24) - -/* state flags */ -#define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001 -#define DETECT_ENGINE_STATE_FLAG_FILE_TC_NEW 0x0002 -#define DETECT_ENGINE_STATE_FLAG_FILE_TS_NEW 0x0004 - -/* We have 2 possible state values to be used by ContinueDetection() while - * trying to figure if we have fresh state to install or not. - * - * For tx based alprotos, we don't need to indicate the below values on a - * per sig basis, but for non-tx based alprotos we do, since we might have - * new alstate coming in, and some sigs might have already matchced in - * de_state and ContinueDetection needs to inform the detection filter that - * it no longer needs to inspect this sig, since ContinueDetection would - * handle it. - * - * Wrt tx based alprotos, if we have a new tx available apart from the one - * currently being inspected(and also added to de_state), we continue with - * the HAS_NEW_STATE flag, while if we don't have a new tx, we set - * NO_NEW_STATE, to avoid getting the sig reinspected for the already - * inspected tx. */ -#define DE_STATE_MATCH_HAS_NEW_STATE 0x00 -#define DE_STATE_MATCH_NO_NEW_STATE 0x80 - -/* TX BASED (inspect engines) */ - -typedef struct DeStateStoreItem_ { - uint32_t flags; - SigIntId sid; -} DeStateStoreItem; - -typedef struct DeStateStore_ { - DeStateStoreItem store[DE_STATE_CHUNK_SIZE]; - struct DeStateStore_ *next; -} DeStateStore; - -typedef struct DetectEngineStateDirection_ { - DeStateStore *head; - DeStateStore *tail; - SigIntId cnt; - uint16_t filestore_cnt; - uint8_t flags; -} DetectEngineStateDirection; - -typedef struct DetectEngineState_ { - DetectEngineStateDirection dir_state[2]; -} DetectEngineState; - -/* FLOW BASED (AMATCH) */ - -typedef struct DeStateStoreFlowRule_ { - SigMatch *nm; - uint32_t flags; - SigIntId sid; -} DeStateStoreFlowRule; - -typedef struct DeStateStoreFlowRules_ { - DeStateStoreFlowRule store[DE_STATE_CHUNK_SIZE]; - struct DeStateStoreFlowRules_ *next; -} DeStateStoreFlowRules; - -typedef struct DetectEngineStateDirectionFlow_ { - DeStateStoreFlowRules *head; - DeStateStoreFlowRules *tail; - SigIntId cnt; - uint8_t flags; -} DetectEngineStateDirectionFlow; - -typedef struct DetectEngineStateFlow_ { - DetectEngineStateDirectionFlow dir_state[2]; -} DetectEngineStateFlow; - -/** - * \brief Alloc a DetectEngineState object. - * - * \retval Alloc'd instance of DetectEngineState. - */ -DetectEngineState *DetectEngineStateAlloc(void); - -/** - * \brief Frees a DetectEngineState object. - * - * \param state DetectEngineState instance to free. - */ -void DetectEngineStateFree(DetectEngineState *state); -void DetectEngineStateFlowFree(DetectEngineStateFlow *state); - -/** - * \brief Check if a flow already contains(newly updated as well) de state. - * - * \param f Pointer to the flow. - * \param alversino The alversion to check against de_state's. - * \param direction Direction to check. 0 - ts, 1 - tc. - * - * \retval 1 Has state. - * \retval 0 Has no state. - */ -int DeStateFlowHasInspectableState(Flow *f, AppProto alproto, uint8_t alversion, uint8_t flags); - -/** - * \brief Match app layer sig list against app state and store relevant match - * information. - * - * \param tv Pointer to the threadvars. - * \param de_ctx DetectEngineCtx instance. - * \param det_ctx DetectEngineThreadCtx instance. - * \param s Pointer to the signature. - * \param f Pointer to the flow. - * \param flags Flags. - * \param alproto App protocol. - * \param alversion Current app layer version. - * - * \retval >= 0 An integer value indicating the no of matches. - */ -int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, - Signature *s, Packet *p, Flow *f, uint8_t flags, - AppProto alproto, uint8_t alversion); - -/** - * \brief Continue DeState detection of the signatures stored in the state. - * - * \param tv Pointer to the threadvars. - * \param de_ctx DetectEngineCtx instance. - * \param det_ctx DetectEngineThreadCtx instance. - * \param f Pointer to the flow. - * \param flags Flags. - * \param alproto App protocol. - * \param alversion Current app layer version. - */ -void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, - Packet *p, Flow *f, uint8_t flags, - AppProto alproto, uint8_t alversion); - -/** - * \brief Update the inspect id. - * - * \param f unlocked flow - * \param flags direction and disruption flags - */ -void DeStateUpdateInspectTransactionId(Flow *f, const uint8_t flags); - -/** - * \brief Reset a DetectEngineState state. - * - * \param state Pointer to the state(LOCKED). - * \param direction Direction flags - STREAM_TOSERVER or STREAM_TOCLIENT. - */ -void DetectEngineStateReset(DetectEngineStateFlow *state, uint8_t direction); - -void DetectEngineStateResetTxs(Flow *f); - -void DeStateRegisterTests(void); - -#endif /* __DETECT_ENGINE_STATE_H__ */ - -/** - * @} - */ |