suricata/src/detect-engine-state.h

/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \ingroup sigstate
 *
 * @{
 */

/**
 * \file
 *
 * \brief Data structures and function prototypes for keeping
 *        state for the detection engine.
 *
 * \author Victor Julien <victor@inliniac.net>
 */

/* On DeState and locking.
 *
 * The DeState is part of a flow, but it can't be protected by the flow lock.
 * Reason is we need to lock the DeState data for an entire detection run,
 * as we're looping through on "continued" detection and rely on only a single
 * detection instance setting it up on first run. We can't keep the entire flow
 * locked during detection for performance reasons, it would slow us down too
 * much.
 *
 * So a new lock was introduced. The only part of the process where we need
 * the flow lock is obviously when we're getting/setting the de_state ptr from
 * to the flow.
 */

#ifndef __DETECT_ENGINE_STATE_H__
#define __DETECT_ENGINE_STATE_H__

/** number of DeStateStoreItem's in one DeStateStore object */
#define DE_STATE_CHUNK_SIZE         15

#define DE_STATE_FLAG_PAYLOAD_MATCH 0x0001 /**< payload part of the sig matched */
#define DE_STATE_FLAG_URI_MATCH     0x0002 /**< uri part of the sig matched */
#define DE_STATE_FLAG_DCE_MATCH     0x0004 /**< dce payload inspection part matched */
#define DE_STATE_FLAG_HCBD_MATCH    0x0008 /**< hcbd payload inspection part matched */
#define DE_STATE_FLAG_HHD_MATCH     0x0010 /**< hhd payload inspection part matched */
#define DE_STATE_FLAG_HRHD_MATCH    0x0020 /**< hrhd payload inspection part matched */
#define DE_STATE_FLAG_HMD_MATCH     0x0040 /**< hmd payload inspection part matched */
#define DE_STATE_FLAG_HCD_MATCH     0x0080 /**< hcd payload inspection part matched */
#define DE_STATE_FLAG_HRUD_MATCH    0x0100 /**< hrud payload inspection part matched */
#define DE_STATE_FLAG_FULL_MATCH    0x0200 /**< sig already fully matched */

#define DE_STATE_FLAG_URI_INSPECT   DE_STATE_FLAG_URI_MATCH     /**< uri part of the sig inspected */
#define DE_STATE_FLAG_DCE_INSPECT   DE_STATE_FLAG_DCE_MATCH     /**< dce payload inspection part inspected */
#define DE_STATE_FLAG_HCBD_INSPECT  DE_STATE_FLAG_HCBD_MATCH    /**< hcbd payload inspection part inspected */
#define DE_STATE_FLAG_HHD_INSPECT   DE_STATE_FLAG_HHD_MATCH     /**< hhd payload inspection part inspected */
#define DE_STATE_FLAG_HRHD_INSPECT  DE_STATE_FLAG_HRHD_MATCH    /**< hrhd payload inspection part inspected */
#define DE_STATE_FLAG_HMD_INSPECT   DE_STATE_FLAG_HMD_MATCH     /**< hmd payload inspection part inspected */
#define DE_STATE_FLAG_HCD_INSPECT   DE_STATE_FLAG_HCD_MATCH     /**< hcd payload inspection part inspected */
#define DE_STATE_FLAG_HRUD_INSPECT  DE_STATE_FLAG_HRUD_MATCH    /**< hrud payload inspection part inspected */


/** per signature detection engine state */
typedef enum {
    DE_STATE_MATCH_NOSTATE = 0, /**< no state for this sig*/
    DE_STATE_MATCH_FULL,        /**< sig already fully matched */
    DE_STATE_MATCH_PARTIAL,     /**< partial state match */
    DE_STATE_MATCH_NEW,         /**< new (full) match this run */
} DeStateMatchResult;

/** \brief State storage for a single signature */
typedef struct DeStateStoreItem_ {
    SigIntId sid;   /**< Signature internal id to store the state for (16 or
                     *   32 bit depending on how SigIntId is defined). */
    uint16_t flags; /**< flags */
    SigMatch *nm;   /**< next sig match to try, or null if done */
} DeStateStoreItem;

/** \brief State store "chunk" for x number of signature */
typedef struct DeStateStore_ {
    DeStateStoreItem store[DE_STATE_CHUNK_SIZE];    /**< array of storage objects */
    struct DeStateStore_ *next;                     /**< ptr to the next array */
} DeStateStore;

/** \brief State store main object */
typedef struct DetectEngineState_ {
    DeStateStore *head; /**< signature state storage */
    DeStateStore *tail; /**< tail item of the storage list */
    SigIntId cnt;       /**< number of sigs in the storage */
    uint16_t toclient_version;
    uint16_t toserver_version;
} DetectEngineState;

void DeStateRegisterTests(void);

DeStateStore *DeStateStoreAlloc(void);
void DeStateStoreFree(DeStateStore *);
void DetectEngineStateReset(DetectEngineState *state);

DetectEngineState *DetectEngineStateAlloc(void);
void DetectEngineStateFree(DetectEngineState *);

//void DeStateSignatureAppend(DetectEngineState *, Signature *, SigMatch *, char);

int DeStateFlowHasState(Flow *, uint8_t, uint16_t);

int DeStateDetectStartDetection(ThreadVars *, DetectEngineCtx *,
        DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *,
        uint16_t, uint16_t);

int DeStateDetectContinueDetection(ThreadVars *, DetectEngineCtx *,
        DetectEngineThreadCtx *, Flow *, uint8_t, void *, uint16_t,
        uint16_t);

const char *DeStateMatchResultToString(DeStateMatchResult);
int DeStateUpdateInspectTransactionId(Flow *, char);

#endif /* __DETECT_ENGINE_STATE_H__ */

/**
 * @}
 */
GPL and Copyright header updates. 15 years ago			`/* Copyright (C) 2007-2010 Open Information Security Foundation`
			`*`
			`* You can copy, redistribute or modify this Program under the terms of`
			`* the GNU General Public License version 2 as published by the Free`
			`* Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* version 2 along with this program; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA`
			`* 02110-1301, USA.`
			`*/`
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124. 15 years ago
doc: create doxygen group for state detection. 14 years ago			`/**`
			`* \ingroup sigstate`
			`*`
			`* @{`
			`*/`

First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124. 15 years ago			`/**`
			`* \file`
			`*`
			`* \brief Data structures and function prototypes for keeping`
			`* state for the detection engine.`
			`*`
			`* \author Victor Julien <victor@inliniac.net>`
			`*/`

			`/* On DeState and locking.`
			`*`
			`* The DeState is part of a flow, but it can't be protected by the flow lock.`
			`* Reason is we need to lock the DeState data for an entire detection run,`
			`* as we're looping through on "continued" detection and rely on only a single`
			`* detection instance setting it up on first run. We can't keep the entire flow`
			`* locked during detection for performance reasons, it would slow us down too`
			`* much.`
			`*`
			`* So a new lock was introduced. The only part of the process where we need`
			`* the flow lock is obviously when we're getting/setting the de_state ptr from`
			`* to the flow.`
			`*/`

			`#ifndef __DETECT_ENGINE_STATE_H__`
			`#define __DETECT_ENGINE_STATE_H__`

			`/** number of DeStateStoreItem's in one DeStateStore object */`
Add a app layer state and stateful detection engine counter that makes sure the stateful inspection is only done when the state changes. 14 years ago			`#define DE_STATE_CHUNK_SIZE 15`
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124. 15 years ago
fast pattern support for http_cookie. Also support relative modifiers 15 years ago			`#define DE_STATE_FLAG_PAYLOAD_MATCH 0x0001 /*< payload part of the sig matched /`
			`#define DE_STATE_FLAG_URI_MATCH 0x0002 /*< uri part of the sig matched /`
			`#define DE_STATE_FLAG_DCE_MATCH 0x0004 /*< dce payload inspection part matched /`
			`#define DE_STATE_FLAG_HCBD_MATCH 0x0008 /*< hcbd payload inspection part matched /`
			`#define DE_STATE_FLAG_HHD_MATCH 0x0010 /*< hhd payload inspection part matched /`
			`#define DE_STATE_FLAG_HRHD_MATCH 0x0020 /*< hrhd payload inspection part matched /`
			`#define DE_STATE_FLAG_HMD_MATCH 0x0040 /*< hmd payload inspection part matched /`
			`#define DE_STATE_FLAG_HCD_MATCH 0x0080 /*< hcd payload inspection part matched /`
support for http_raw_uri keyword + mpm engine 14 years ago			`#define DE_STATE_FLAG_HRUD_MATCH 0x0100 /*< hrud payload inspection part matched /`
			`#define DE_STATE_FLAG_FULL_MATCH 0x0200 /*< sig already fully matched /`
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124. 15 years ago
Clean up stateful detection code. 14 years ago			`#define DE_STATE_FLAG_URI_INSPECT DE_STATE_FLAG_URI_MATCH /*< uri part of the sig inspected /`
			`#define DE_STATE_FLAG_DCE_INSPECT DE_STATE_FLAG_DCE_MATCH /*< dce payload inspection part inspected /`
			`#define DE_STATE_FLAG_HCBD_INSPECT DE_STATE_FLAG_HCBD_MATCH /*< hcbd payload inspection part inspected /`
			`#define DE_STATE_FLAG_HHD_INSPECT DE_STATE_FLAG_HHD_MATCH /*< hhd payload inspection part inspected /`
			`#define DE_STATE_FLAG_HRHD_INSPECT DE_STATE_FLAG_HRHD_MATCH /*< hrhd payload inspection part inspected /`
			`#define DE_STATE_FLAG_HMD_INSPECT DE_STATE_FLAG_HMD_MATCH /*< hmd payload inspection part inspected /`
			`#define DE_STATE_FLAG_HCD_INSPECT DE_STATE_FLAG_HCD_MATCH /*< hcd payload inspection part inspected /`
			`#define DE_STATE_FLAG_HRUD_INSPECT DE_STATE_FLAG_HRUD_MATCH /*< hrud payload inspection part inspected /`


Change stateful detection engine to be able to start the stateful detection separate from other sigs. Fixes bugs #213, #214, #215. 15 years ago			`/** per signature detection engine state */`
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124. 15 years ago			`typedef enum {`
Change stateful detection engine to be able to start the stateful detection separate from other sigs. Fixes bugs #213, #214, #215. 15 years ago			`DE_STATE_MATCH_NOSTATE = 0, /*< no state for this sig/`
			`DE_STATE_MATCH_FULL, /*< sig already fully matched /`
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124. 15 years ago			`DE_STATE_MATCH_PARTIAL, /*< partial state match /`
Change stateful detection engine to be able to start the stateful detection separate from other sigs. Fixes bugs #213, #214, #215. 15 years ago			`DE_STATE_MATCH_NEW, /*< new (full) match this run /`
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124. 15 years ago			`} DeStateMatchResult;`

			`/** \brief State storage for a single signature */`
			`typedef struct DeStateStoreItem_ {`
			`SigIntId sid; /**< Signature internal id to store the state for (16 or`
			`* 32 bit depending on how SigIntId is defined). */`
			`uint16_t flags; /*< flags /`
			`SigMatch nm; /< next sig match to try, or null if done /`
			`} DeStateStoreItem;`

			`/** \brief State store "chunk" for x number of signature */`
			`typedef struct DeStateStore_ {`
			`DeStateStoreItem store[DE_STATE_CHUNK_SIZE]; /*< array of storage objects /`
			`struct DeStateStore_ next; /< ptr to the next array /`
			`} DeStateStore;`

			`/** \brief State store main object */`
			`typedef struct DetectEngineState_ {`
			`DeStateStore head; /< signature state storage /`
			`DeStateStore tail; /< tail item of the storage list /`
			`SigIntId cnt; /*< number of sigs in the storage /`
Add a app layer state and stateful detection engine counter that makes sure the stateful inspection is only done when the state changes. 14 years ago			`uint16_t toclient_version;`
			`uint16_t toserver_version;`
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124. 15 years ago			`} DetectEngineState;`

			`void DeStateRegisterTests(void);`

			`DeStateStore *DeStateStoreAlloc(void);`
			`void DeStateStoreFree(DeStateStore *);`
			`void DetectEngineStateReset(DetectEngineState *state);`

			`DetectEngineState *DetectEngineStateAlloc(void);`
			`void DetectEngineStateFree(DetectEngineState *);`

Move dce payload inspection to stateful detection engine. 15 years ago			`//void DeStateSignatureAppend(DetectEngineState , Signature , SigMatch *, char);`
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124. 15 years ago
Add a app layer state and stateful detection engine counter that makes sure the stateful inspection is only done when the state changes. 14 years ago			`int DeStateFlowHasState(Flow *, uint8_t, uint16_t);`
Convert uricontent scanning to use the detect engine state. 15 years ago
			`int DeStateDetectStartDetection(ThreadVars , DetectEngineCtx ,`
Add a app layer state and stateful detection engine counter that makes sure the stateful inspection is only done when the state changes. 14 years ago			`DetectEngineThreadCtx , Signature , Flow , uint8_t, void ,`
			`uint16_t, uint16_t);`
Convert uricontent scanning to use the detect engine state. 15 years ago
			`int DeStateDetectContinueDetection(ThreadVars , DetectEngineCtx ,`
Add a app layer state and stateful detection engine counter that makes sure the stateful inspection is only done when the state changes. 14 years ago			`DetectEngineThreadCtx , Flow , uint8_t, void *, uint16_t,`
			`uint16_t);`
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124. 15 years ago
			`const char *DeStateMatchResultToString(DeStateMatchResult);`
Fix tcp connections that are reset (RST packet) not always inspecting the reassembled stream. Update transaction id code to make sure both directions of a transaction are inspected before incrementing the inspect_id. 15 years ago			`int DeStateUpdateInspectTransactionId(Flow *, char);`
First stab at creating a stateful detection engine. Stateful detection for app layer detection keywords, except uricontent. Stores it's partial results in the flow structure. Other modifications: - Generalize transaction tracking, logging and inspection. - Adapt http and dcerpc to use the new transaction handling. - Stream engine now always notifies app layer of a stream eof. This commit fixes bug #124. 15 years ago
			`#endif /* __DETECT_ENGINE_STATE_H__ */`

doc: create doxygen group for state detection. 14 years ago			`/**`
			`* @}`
			`*/`