suricata/src/util-mpm.h

/* Copyright (c) 2008 Victor Julien <victor@inliniac.net> */

#ifndef __UTIL_MPM_H__
#define __UTIL_MPM_H__

#define MPM_ENDMATCH_SINGLE     0x01    /**< A single match is sufficient. No
                                             depth, offset, etc settings. */
#define MPM_ENDMATCH_OFFSET     0x02    /**< has offset setting */
#define MPM_ENDMATCH_DEPTH      0x04    /**< has depth setting */
#define MPM_ENDMATCH_NOSEARCH   0x08    /**< if this matches, no search is
                                             required (for this pattern) */

#define HASHSIZE_LOWEST         2048    /**< Lowest hash size for the multi
                                             pattern matcher algorithms */
#define HASHSIZE_LOW            4096    /**< Low hash size for the multi
                                             pattern matcher algorithms */
#define HASHSIZE_MEDIUM         8192    /**< Medium hash size for the multi
                                             pattern matcher algorithms */
#define HASHSIZE_HIGH           16384   /**< High hash size for the multi
                                             pattern matcher algorithms */
#define HASHSIZE_HIGHEST        32768   /**< Highest hash size for the multi
                                             pattern matcher algorithms */
#define HASHSIZE_MAX            65536   /**< Max hash size for the multi
                                             pattern matcher algorithms */
#define BLOOMSIZE_LOW           512     /*<* Low bloomfilter size for the multi
                                            pattern matcher algorithms */
#define BLOOMSIZE_MEDIUM        1024    /**< Medium bloomfilter size for the multi
                                             pattern matcher algorithms */
#define BLOOMSIZE_HIGH          2048    /**< High bloomfilter size for the multi
                                             pattern matcher algorithms */
enum {
    MPM_NOTSET = 0,

    MPM_WUMANBER,
    MPM_B2G,
#ifdef __SC_CUDA_SUPPORT__
    MPM_B2G_CUDA,
#endif
    MPM_B3G,

    /* table size */
    MPM_TABLE_SIZE,
};

/* Data structures */
typedef struct MpmEndMatch_ {
    uint32_t id;        /**< pattern id storage */
    uint16_t depth;
    uint16_t offset;
    struct MpmEndMatch_ *next;
    SigIntId sig_id;    /**< sig callback stuff -- internal id */
    uint8_t flags;
} MpmEndMatch;

typedef struct MpmMatchBucket_ {
    uint32_t len;
} MpmMatchBucket;

typedef struct MpmThreadCtx_ {
    void *ctx;

    uint32_t memory_cnt;
    uint32_t memory_size;
} MpmThreadCtx;

/** \brief helper structure for the pattern matcher engine. The Pattern Matcher
 *         thread has this and passes a pointer to it to the pattern matcher.
 *         The actual pattern matcher will fill the structure. */
typedef struct PatternMatcherQueue_ {
    uint32_t *sig_id_array; /* array with internal sig id's that had a
                               pattern match. These will be inspected
                               futher by the detection engine. */
    uint32_t sig_id_array_cnt;
    uint8_t *sig_bitarray;
    uint32_t searchable; /* counter of the number of matches that
                            require a search-followup */
} PatternMatcherQueue;

typedef struct MpmCtx_ {
    void *ctx;
    uint16_t mpm_type;

    uint32_t memory_cnt;
    uint32_t memory_size;

    uint32_t endmatches;

    uint32_t pattern_cnt;       /* unique patterns */
    uint32_t total_pattern_cnt; /* total patterns added */

    uint16_t minlen;
    uint16_t maxlen;
} MpmCtx;

/** pattern is case insensitive */
#define MPM_PATTERN_FLAG_NOCASE     0x01
/** pattern is negated */
#define MPM_PATTERN_FLAG_NEGATED    0x02
/** pattern has a depth setting */
#define MPM_PATTERN_FLAG_DEPTH      0x04
/** pattern has an offset setting */
#define MPM_PATTERN_FLAG_OFFSET     0x08

typedef struct MpmTableElmt_ {
    char *name;
    uint8_t max_pattern_length;
    void (*InitCtx)(struct MpmCtx_ *, int);
    void (*InitThreadCtx)(struct MpmCtx_ *, struct MpmThreadCtx_ *, uint32_t);
    void (*DestroyCtx)(struct MpmCtx_ *);
    void (*DestroyThreadCtx)(struct MpmCtx_ *, struct MpmThreadCtx_ *);

    /** function pointers for adding patterns to the mpm ctx.
     *
     *  \param mpm_ctx Mpm context to add the pattern to
     *  \param pattern pointer to the pattern
     *  \param pattern_len length of the pattern in bytes
     *  \param offset pattern offset setting
     *  \param depth pattern depth setting
     *  \param pid pattern id
     *  \param sid signature _internal_ id
     *  \param flags pattern flags
     */
    int  (*AddPattern)(struct MpmCtx_ *, uint8_t *, uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, uint8_t);
    int  (*AddPatternNocase)(struct MpmCtx_ *, uint8_t *, uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, uint8_t);
    int  (*Prepare)(struct MpmCtx_ *);
    uint32_t (*Search)(struct MpmCtx_ *, struct MpmThreadCtx_ *, PatternMatcherQueue *, uint8_t *, uint16_t);
    void (*Cleanup)(struct MpmThreadCtx_ *);
    void (*PrintCtx)(struct MpmCtx_ *);
    void (*PrintThreadCtx)(struct MpmThreadCtx_ *);
    void (*RegisterUnittests)(void);
    uint8_t flags;
} MpmTableElmt;

MpmTableElmt mpm_table[MPM_TABLE_SIZE];

int PmqSetup(PatternMatcherQueue *, uint32_t);
void PmqReset(PatternMatcherQueue *);
void PmqCleanup(PatternMatcherQueue *);
void PmqFree(PatternMatcherQueue *);

MpmEndMatch *MpmAllocEndMatch (MpmCtx *);
void MpmEndMatchFreeAll(MpmCtx *mpm_ctx, MpmEndMatch *em);

void MpmTableSetup(void);
void MpmRegisterTests(void);

/** Return the max pattern length of a Matcher type given as arg */
int32_t MpmMatcherGetMaxPatternLength(uint16_t);

int MpmVerifyMatch(MpmThreadCtx *, PatternMatcherQueue *, MpmEndMatch *, uint16_t, uint16_t);
void MpmInitCtx (MpmCtx *mpm_ctx, uint16_t matcher, int module_handle);
void MpmInitThreadCtx(MpmThreadCtx *mpm_thread_ctx, uint16_t, uint32_t);
uint32_t MpmGetHashSize(const char *);
uint32_t MpmGetBloomSize(const char *);

#endif /* __UTIL_MPM_H__ */
Initial add of the files. 17 years ago			`/* Copyright (c) 2008 Victor Julien <victor@inliniac.net> */`

			`#ifndef __UTIL_MPM_H__`
			`#define __UTIL_MPM_H__`

pattern matcher options support 16 years ago			`#define MPM_ENDMATCH_SINGLE 0x01 /**< A single match is sufficient. No`
			`depth, offset, etc settings. */`
			`#define MPM_ENDMATCH_OFFSET 0x02 /*< has offset setting /`
			`#define MPM_ENDMATCH_DEPTH 0x04 /*< has depth setting /`
			`#define MPM_ENDMATCH_NOSEARCH 0x08 /**< if this matches, no search is`
			`required (for this pattern) */`

			`#define HASHSIZE_LOWEST 2048 /**< Lowest hash size for the multi`
			`pattern matcher algorithms */`
			`#define HASHSIZE_LOW 4096 /**< Low hash size for the multi`
			`pattern matcher algorithms */`
			`#define HASHSIZE_MEDIUM 8192 /**< Medium hash size for the multi`
			`pattern matcher algorithms */`
			`#define HASHSIZE_HIGH 16384 /**< High hash size for the multi`
			`pattern matcher algorithms */`
			`#define HASHSIZE_HIGHEST 32768 /**< Highest hash size for the multi`
			`pattern matcher algorithms */`
			`#define HASHSIZE_MAX 65536 /**< Max hash size for the multi`
			`pattern matcher algorithms */`
			`#define BLOOMSIZE_LOW 512 /< Low bloomfilter size for the multi`
			`pattern matcher algorithms */`
			`#define BLOOMSIZE_MEDIUM 1024 /**< Medium bloomfilter size for the multi`
			`pattern matcher algorithms */`
			`#define BLOOMSIZE_HIGH 2048 /**< High bloomfilter size for the multi`
			`pattern matcher algorithms */`
Initial add of the files. 17 years ago			`enum {`
- Fix pattern matchers b2g and b3g not being able to deal with a single pattern of the max pattern length (32 bytes by default). - Fix the setting of the correct pattern matcher when it was set in the detection ctx. - Add tests for the fixes. 16 years ago			`MPM_NOTSET = 0,`

			`MPM_WUMANBER,`
Add implementation of the Simple BNDM 2gram pattern matcher algorithm. 17 years ago			`MPM_B2G,`
mpm b2g cuda support added 16 years ago			`#ifdef __SC_CUDA_SUPPORT__`
cuda interface 16 years ago			`MPM_B2G_CUDA,`
mpm b2g cuda support added 16 years ago			`#endif`
Add b3g 3gram BNDM pattern matcher. Fix multi queue nfq initialization. Improve speed of b2g and wumanber. 17 years ago			`MPM_B3G,`
Initial add of the files. 17 years ago
Large detection engine update. 17 years ago			`/* table size */`
Initial add of the files. 17 years ago			`MPM_TABLE_SIZE,`
			`};`

			`/* Data structures */`
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct MpmEndMatch_ {`
Further memory cleanups. Split out init only vars out of the sig group head. 16 years ago			`uint32_t id; /*< pattern id storage /`
64 bit cleanup part2 16 years ago			`uint16_t depth;`
			`uint16_t offset;`
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`struct MpmEndMatch_ *next;`
Further memory cleanups. Split out init only vars out of the sig group head. 16 years ago			`SigIntId sig_id; /*< sig callback stuff -- internal id /`
			`uint8_t flags;`
Initial add of the files. 17 years ago			`} MpmEndMatch;`

Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct MpmMatchBucket_ {`
64 bit cleanup part2 16 years ago			`uint32_t len;`
Initial add of the files. 17 years ago			`} MpmMatchBucket;`

Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct MpmThreadCtx_ {`
Initial add of the files. 17 years ago			`void *ctx;`

64 bit cleanup part2 16 years ago			`uint32_t memory_cnt;`
			`uint32_t memory_size;`
Initial add of the files. 17 years ago			`} MpmThreadCtx;`

Improvements to content keyword memory handling. First version of a simple pattern based L7 proto detection engine. Currently just works by matching a single pattern in the initial data. Implemented HTTP, SSL, MSN, JABBER, SMTP and a few more. Couple of pattern matcher cleanups. 16 years ago			`/** \brief helper structure for the pattern matcher engine. The Pattern Matcher`
			`* thread has this and passes a pointer to it to the pattern matcher.`
			`* The actual pattern matcher will fill the structure. */`
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct PatternMatcherQueue_ {`
64 bit cleanup part2 16 years ago			`uint32_t sig_id_array; / array with internal sig id's that had a`
Improvements to content keyword memory handling. First version of a simple pattern based L7 proto detection engine. Currently just works by matching a single pattern in the initial data. Implemented HTTP, SSL, MSN, JABBER, SMTP and a few more. Couple of pattern matcher cleanups. 16 years ago			`pattern match. These will be inspected`
			`futher by the detection engine. */`
64 bit cleanup part2 16 years ago			`uint32_t sig_id_array_cnt;`
			`uint8_t *sig_bitarray;`
			`uint32_t searchable; /* counter of the number of matches that`
Remove all search code from the pattern matchers, cleanup mpm api, remove unused http code, more cleanups. 16 years ago			`require a search-followup */`
big update 17 years ago			`} PatternMatcherQueue;`

Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct MpmCtx_ {`
Initial add of the files. 17 years ago			`void *ctx;`
Get rid of global mpm_ctx. 16 years ago			`uint16_t mpm_type;`
Initial add of the files. 17 years ago
64 bit cleanup part2 16 years ago			`uint32_t memory_cnt;`
			`uint32_t memory_size;`
Initial add of the files. 17 years ago
64 bit cleanup part2 16 years ago			`uint32_t endmatches;`
Initial add of the files. 17 years ago
64 bit cleanup part2 16 years ago			`uint32_t pattern_cnt; /* unique patterns */`
			`uint32_t total_pattern_cnt; /* total patterns added */`
Initial add of the files. 17 years ago
Remove all references to the scan phase from the pattern matchers and it's api. 16 years ago			`uint16_t minlen;`
			`uint16_t maxlen;`
Initial add of the files. 17 years ago			`} MpmCtx;`

Remove nosearch flag from pattern api and add a generic bitwise flags field. 16 years ago			`/** pattern is case insensitive */`
			`#define MPM_PATTERN_FLAG_NOCASE 0x01`
			`/** pattern is negated */`
			`#define MPM_PATTERN_FLAG_NEGATED 0x02`
			`/** pattern has a depth setting */`
			`#define MPM_PATTERN_FLAG_DEPTH 0x04`
			`/** pattern has an offset setting */`
			`#define MPM_PATTERN_FLAG_OFFSET 0x08`

Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct MpmTableElmt_ {`
Initial add of the files. 17 years ago			`char *name;`
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago			`uint8_t max_pattern_length;`
mpm b2g cuda support added 16 years ago			`void (InitCtx)(struct MpmCtx_ , int);`
64 bit cleanup part2 16 years ago			`void (InitThreadCtx)(struct MpmCtx_ , struct MpmThreadCtx_ *, uint32_t);`
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`void (DestroyCtx)(struct MpmCtx_ );`
			`void (DestroyThreadCtx)(struct MpmCtx_ , struct MpmThreadCtx_ *);`
Remove nosearch flag from pattern api and add a generic bitwise flags field. 16 years ago
			`/** function pointers for adding patterns to the mpm ctx.`
			`*`
			`* \param mpm_ctx Mpm context to add the pattern to`
			`* \param pattern pointer to the pattern`
			`* \param pattern_len length of the pattern in bytes`
			`* \param offset pattern offset setting`
			`* \param depth pattern depth setting`
			`* \param pid pattern id`
			`* \param sid signature _internal_ id`
			`* \param flags pattern flags`
			`*/`
Remove all references to the scan phase from the pattern matchers and it's api. 16 years ago			`int (AddPattern)(struct MpmCtx_ , uint8_t *, uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, uint8_t);`
			`int (AddPatternNocase)(struct MpmCtx_ , uint8_t *, uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, uint8_t);`
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`int (Prepare)(struct MpmCtx_ );`
Remove all references to the scan phase from the pattern matchers and it's api. 16 years ago			`uint32_t (Search)(struct MpmCtx_ , struct MpmThreadCtx_ , PatternMatcherQueue , uint8_t *, uint16_t);`
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`void (Cleanup)(struct MpmThreadCtx_ );`
			`void (PrintCtx)(struct MpmCtx_ );`
			`void (PrintThreadCtx)(struct MpmThreadCtx_ );`
Initial add of the files. 17 years ago			`void (*RegisterUnittests)(void);`
64 bit cleanup part2 16 years ago			`uint8_t flags;`
Initial add of the files. 17 years ago			`} MpmTableElmt;`

More cleanups. 16 years ago			`MpmTableElmt mpm_table[MPM_TABLE_SIZE];`
Improvements to content keyword memory handling. First version of a simple pattern based L7 proto detection engine. Currently just works by matching a single pattern in the initial data. Implemented HTTP, SSL, MSN, JABBER, SMTP and a few more. Couple of pattern matcher cleanups. 16 years ago
			`int PmqSetup(PatternMatcherQueue *, uint32_t);`
			`void PmqReset(PatternMatcherQueue *);`
			`void PmqCleanup(PatternMatcherQueue *);`
			`void PmqFree(PatternMatcherQueue *);`

Initial add of the files. 17 years ago			`MpmEndMatch MpmAllocEndMatch (MpmCtx );`
			`void MpmEndMatchFreeAll(MpmCtx mpm_ctx, MpmEndMatch em);`

			`void MpmTableSetup(void);`
			`void MpmRegisterTests(void);`

Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago			`/** Return the max pattern length of a Matcher type given as arg */`
			`int32_t MpmMatcherGetMaxPatternLength(uint16_t);`

Moving inline functions to the .h files, so gcc can inline them correctly 15 years ago			`int MpmVerifyMatch(MpmThreadCtx , PatternMatcherQueue , MpmEndMatch *, uint16_t, uint16_t);`
mpm b2g cuda support added 16 years ago			`void MpmInitCtx (MpmCtx *mpm_ctx, uint16_t matcher, int module_handle);`
Get rid of global mpm_ctx. 16 years ago			`void MpmInitThreadCtx(MpmThreadCtx *mpm_thread_ctx, uint16_t, uint32_t);`
pattern matcher options support 16 years ago			`uint32_t MpmGetHashSize(const char *);`
			`uint32_t MpmGetBloomSize(const char *);`
Initial add of the files. 17 years ago
			`#endif /* __UTIL_MPM_H__ */`