  1/* Copyright (C) 2007-2011 Open Information Security Foundation
  2 *
  3 * You can copy, redistribute or modify this Program under the terms of
  4 * the GNU General Public License version 2 as published by the Free
  5 * Software Foundation.
  6 *
  7 * This program is distributed in the hope that it will be useful,
  8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 10 * GNU General Public License for more details.
 11 *
 12 * You should have received a copy of the GNU General Public License
 13 * version 2 along with this program; if not, write to the Free Software
 14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 15 * 02110-1301, USA.
 16 */
 17
 18/**
 19 * \ingroup sigstate
 20 *
 21 * @{
 22 */
 23
 24/**
 25 * \file
 26 *
 27 * \brief Data structures and function prototypes for keeping
 28 *        state for the detection engine.
 29 *
 30 * \author Victor Julien <victor@inliniac.net>
 31 */
 32
 33/* On DeState and locking.
 34 *
 35 * The DeState is part of a flow, but it can't be protected by the flow lock.
 36 * Reason is we need to lock the DeState data for an entire detection run,
 37 * as we're looping through on "continued" detection and rely on only a single
 38 * detection instance setting it up on first run. We can't keep the entire flow
 39 * locked during detection for performance reasons, it would slow us down too
 40 * much.
 41 *
 42 * So a dedicated DeState lock was introduced. The only part of the process
 43 * where the flow lock is still required is when getting/setting the de_state
 44 * pointer on the flow itself; the rest of a detection run holds only the
 45 * DeState lock.
 */
 46
 47#ifndef __DETECT_ENGINE_STATE_H__
 48#define __DETECT_ENGINE_STATE_H__
 49
 50/** number of DeStateStoreItem's in one DeStateStore object */
 51#define DE_STATE_CHUNK_SIZE             15
 52
 53/* per stored sig flags */
 54#define DE_STATE_FLAG_PAYLOAD_MATCH     1 /**< payload part of the sig matched */
 55#define DE_STATE_FLAG_URI_MATCH         1 << 1 /**< uri part of the sig matched */
 56#define DE_STATE_FLAG_DCE_MATCH         1 << 2 /**< dce payload inspection part matched */
 57#define DE_STATE_FLAG_HCBD_MATCH        1 << 3 /**< hcbd payload inspection part matched */
 58#define DE_STATE_FLAG_HSBD_MATCH        1 << 4 /**< hcbd payload inspection part matched */
 59#define DE_STATE_FLAG_HHD_MATCH         1 << 5 /**< hhd payload inspection part matched */
 60#define DE_STATE_FLAG_HRHD_MATCH        1 << 6 /**< hrhd payload inspection part matched */
 61#define DE_STATE_FLAG_HMD_MATCH         1 << 7 /**< hmd payload inspection part matched */
 62#define DE_STATE_FLAG_HCD_MATCH         1 << 8 /**< hcd payload inspection part matched */
 63#define DE_STATE_FLAG_HRUD_MATCH        1 << 9 /**< hrud payload inspection part matched */
 64#define DE_STATE_FLAG_FILE_TC_MATCH     1 << 10
 65#define DE_STATE_FLAG_FILE_TS_MATCH     1 << 11
 66#define DE_STATE_FLAG_FULL_MATCH        1 << 12 /**< sig already fully matched */
 67#define DE_STATE_FLAG_SIG_CANT_MATCH    1 << 13 /**< signature has no chance of matching */
 68#define DE_STATE_FLAG_HSMD_MATCH        1 << 14 /**< hsmd payload inspection part matched */
 69#define DE_STATE_FLAG_HSCD_MATCH        1 << 15 /**< hscd payload inspection part matched */
 70#define DE_STATE_FLAG_HUAD_MATCH        1 << 16 /**< huad payload inspection part matched */
 71#define DE_STATE_FLAG_HHHD_MATCH        1 << 17 /**< hhhd payload inspection part matched */
 72#define DE_STATE_FLAG_HRHHD_MATCH       1 << 18 /**< hrhhd payload inspection part matched */
 73
 74#define DE_STATE_FLAG_URI_INSPECT       DE_STATE_FLAG_URI_MATCH     /**< uri part of the sig inspected */
 75#define DE_STATE_FLAG_DCE_INSPECT       DE_STATE_FLAG_DCE_MATCH     /**< dce payload inspection part inspected */
 76#define DE_STATE_FLAG_HCBD_INSPECT      DE_STATE_FLAG_HCBD_MATCH    /**< hcbd payload inspection part inspected */
 77#define DE_STATE_FLAG_HSBD_INSPECT      DE_STATE_FLAG_HSBD_MATCH    /**< hsbd payload inspection part inspected */
 78#define DE_STATE_FLAG_HHD_INSPECT       DE_STATE_FLAG_HHD_MATCH     /**< hhd payload inspection part inspected */
 79#define DE_STATE_FLAG_HRHD_INSPECT      DE_STATE_FLAG_HRHD_MATCH    /**< hrhd payload inspection part inspected */
 80#define DE_STATE_FLAG_HMD_INSPECT       DE_STATE_FLAG_HMD_MATCH     /**< hmd payload inspection part inspected */
 81#define DE_STATE_FLAG_HCD_INSPECT       DE_STATE_FLAG_HCD_MATCH     /**< hcd payload inspection part inspected */
 82#define DE_STATE_FLAG_HRUD_INSPECT      DE_STATE_FLAG_HRUD_MATCH    /**< hrud payload inspection part inspected */
 83#define DE_STATE_FLAG_FILE_TC_INSPECT   DE_STATE_FLAG_FILE_TC_MATCH
 84#define DE_STATE_FLAG_FILE_TS_INSPECT   DE_STATE_FLAG_FILE_TS_MATCH
 85#define DE_STATE_FLAG_HSMD_INSPECT      DE_STATE_FLAG_HSMD_MATCH    /**< hsmd payload inspection part inspected */
 86#define DE_STATE_FLAG_HSCD_INSPECT      DE_STATE_FLAG_HSCD_MATCH    /**< hscd payload inspection part inspected */
 87#define DE_STATE_FLAG_HUAD_INSPECT      DE_STATE_FLAG_HUAD_MATCH    /**< huad payload inspection part inspected */
 88#define DE_STATE_FLAG_HHHD_INSPECT      DE_STATE_FLAG_HHHD_MATCH    /**< hhhd payload inspection part inspected */
 89#define DE_STATE_FLAG_HRHHD_INSPECT     DE_STATE_FLAG_HRHHD_MATCH   /**< hrhhd payload inspection part inspected */
 90
 91/* state flags */
 92#define DE_STATE_FILE_STORE_DISABLED    0x0001
 93#define DE_STATE_FILE_TC_NEW            0x0002
 94#define DE_STATE_FILE_TS_NEW            0x0004
 95
 96/** per signature detection engine state */
/** Per-signature detection engine state / match result. Values are
 *  assigned explicitly so the numbering is stable and visible. */
typedef enum {
    DE_STATE_MATCH_NOSTATE = 0, /**< no state stored for this sig */
    DE_STATE_MATCH_FULL    = 1, /**< sig already fully matched */
    DE_STATE_MATCH_PARTIAL = 2, /**< partial state match */
    DE_STATE_MATCH_NEW     = 3, /**< new (full) match this run */
    DE_STATE_MATCH_NOMATCH = 4, /**< not a match */
} DeStateMatchResult;
104
105/** \brief State storage for a single signature */
/** \brief State storage for a single signature (one slot in a DeStateStore). */
struct DeStateStoreItem_ {
    SigIntId sid;   /**< Signature internal id to store the state for (16 or
                     *   32 bit depending on how SigIntId is defined). */
    uint32_t flags; /**< DE_STATE_FLAG_* bits for this sig; 32 bits wide since
                     *   the highest flag defined above is bit 18. */
    SigMatch *nm;   /**< next sig match to try, or null if done. Points into
                     *   the signature's own match list; presumably not owned
                     *   (and never freed) by this item -- confirm in the .c */
};
typedef struct DeStateStoreItem_ DeStateStoreItem;
112
113/** \brief State store "chunk" for x number of signature */
/** \brief State store "chunk": a fixed array of DE_STATE_CHUNK_SIZE signature
 *         slots, chained through `next` into a singly linked list. */
struct DeStateStore_ {
    DeStateStoreItem store[DE_STATE_CHUNK_SIZE];    /**< fixed-size array of per-sig slots */
    struct DeStateStore_ *next;                     /**< next chunk in the state list */
#ifdef __tile__
    struct DeStateStore_ *pool_next;                /**< __tile__ (Tilera) build only: a second
                                                     *   link, separate from `next`; presumably
                                                     *   used by a chunk pool -- confirm */
#endif
};
typedef struct DeStateStore_ DeStateStore;
121
122/** \brief State store main object */
/** \brief State store main object: the per-flow list of DeStateStore chunks
 *         plus the bookkeeping needed to resume a detection run.
 *
 *  NOTE(review): the locking comment at the top of this file says the DeState
 *  has its own lock, but no lock member is declared here; it presumably lives
 *  on the Flow next to the de_state pointer -- confirm before relying on it.
 */
struct DetectEngineState_ {
    DeStateStore *head;             /**< first chunk of signature state storage */
    DeStateStore *tail;             /**< last chunk of the storage list */
    SigIntId cnt;                   /**< number of sigs in the storage (same width
                                     *   as a sig id, so 16-bit SigIntId caps it) */
    uint16_t toclient_version;      /**< app layer state "version" inspected
                                     *   last in to client direction */
    uint16_t toserver_version;      /**< app layer state "version" inspected
                                     *   last in to server direction */
    uint16_t toclient_filestore_cnt;/**< number of sigs with filestore that
                                     *   cannot match in to client direction. */
    uint16_t toserver_filestore_cnt;/**< number of sigs with filestore that
                                     *   cannot match in to server direction. */
    uint16_t flags;                 /**< presumably the DE_STATE_FILE_* state
                                     *   flags defined above -- confirm */
#ifdef __tile__
    struct DetectEngineState_ *pool_next;   /**< __tile__ (Tilera) build only;
                                             *   presumably a pool link -- confirm */
#endif
};
typedef struct DetectEngineState_ DetectEngineState;
140
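/** Register this module's unit tests. */
void DeStateRegisterTests(void);

/* Dead, commented-out prototypes for the file-static chunk alloc/free helpers
 * and for DetectEngineStateAlloc were removed; the public allocation/free
 * surface of this module is what is declared below. */

/** Reset a DetectEngineState so its storage can be reused. */
void DetectEngineStateReset(DetectEngineState *state);

/** Release a DetectEngineState and everything it owns. The pointer must not
 *  be used afterwards. */
void DetectEngineStateFree(DetectEngineState *);

/** Query whether a flow already carries detection state.
 *  The uint8_t / uint16_t arguments are presumably direction flags and the
 *  app-layer protocol (same shape as the detection calls below) -- confirm
 *  against the definition in detect-engine-state.c. */
int DeStateFlowHasState(Flow *, uint8_t, uint16_t);

/** Start a stateful detection run for one Signature on a Flow.
 *  Per the locking note at the top of this file, the DeState is guarded by
 *  its own lock for the whole run; only the de_state pointer handoff is done
 *  under the flow lock. The void * is presumably the app-layer state and the
 *  trailing uint16_t pair the app-layer protocol and state version (compare
 *  DetectEngineState::toclient_version / toserver_version) -- confirm. */
int DeStateDetectStartDetection(ThreadVars *, DetectEngineCtx *,
        DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *,
        uint16_t, uint16_t);

/** Continue a previously started stateful detection run on a Flow, picking up
 *  each stored signature at its DeStateStoreItem::nm. Same locking contract
 *  and same trailing arguments as DeStateDetectStartDetection. */
int DeStateDetectContinueDetection(ThreadVars *, DetectEngineCtx *,
        DetectEngineThreadCtx *, Flow *, uint8_t, void *, uint16_t,
        uint16_t);

/** Map a DeStateMatchResult to a printable, static string. */
const char *DeStateMatchResultToString(DeStateMatchResult);

/** Update the inspected transaction id on a Flow. The char argument
 *  presumably selects the direction -- confirm against the definition. */
int DeStateUpdateInspectTransactionId(Flow *, char);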
162
163#endif /* __DETECT_ENGINE_STATE_H__ */
164
165/**
166 * @}
167 */