Order the signatures based on certain rule parameters like actions, flowbits, flowvar, pktvar, priority etc

16 years ago · f658ffbc9c
parent 4cc24fe463
commit f658ffbc9c
8 changed files with 1606 additions and 1 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -28,6 +28,7 @@ flow-bit.c flow-bit.h \
 pkt-var.c pkt-var.h \
 host.c host.h \
 detect.c detect.h \
+detect-engine-sigorder.c detect-engine-sigorder.h \
 detect-engine.c detect-engine.h \
 detect-isdataat.c detect-isdataat.h \
 detect-window.c detect-window.h \
--- a/src/detect-engine-sigorder.c
+++ b/src/detect-engine-sigorder.c
--- a/src/detect-engine-sigorder.h
+++ b/src/detect-engine-sigorder.h
@ -0,0 +1,59 @@
+/** Copyright (c) 2009 Open Information Security Foundation.
+ *  \author Anoop Saldanha <poonaatsoc@gmail.com>
+ */
+
+#ifndef __DETECT_ENGINE_SIGORDER_H__
+#define __DETECT_ENGINE_SIGORDER_H__
+
+/**
+ * \brief Different kinds of helper data that can be used by the signature
+ *        ordering module.  Used by the "user" field in SCSigSignatureWrapper
+ */
+typedef enum{
+    SC_RADIX_USER_DATA_FLOWBITS,
+    SC_RADIX_USER_DATA_FLOWVAR,
+    SC_RADIX_USER_DATA_PKTVAR,
+    SC_RADIX_USER_DATA_MAX
+} SCRadixUserDataType;
+
+/**
+ * \brief Signature wrapper used by signature ordering module while ordering
+ *        signatures
+ */
+typedef struct SCSigSignatureWrapper_ {
+    /* the wrapped signature */
+    Signature *sig;
+
+    /* used as the lower limit SCSigSignatureWrapper that is used by the next
+     * ordering function, which will order the incoming Sigwrapper after this
+     * (min) wrapper */
+    struct SCSigSignatureWrapper_ *min;
+    /* used as the upper limit SCSigSignatureWrapper that is used by the next
+     * ordering function, which will order the incoming Sigwrapper below this
+     * (max) wrapper */
+    struct SCSigSignatureWrapper_ *max;
+
+    /* user data that is to be associated with this sigwrapper */
+    int **user;
+
+    struct SCSigSignatureWrapper_ *next;
+    struct SCSigSignatureWrapper_ *prev;
+} SCSigSignatureWrapper;
+
+/**
+ * \brief Structure holding the signature ordering function used by the
+ *        signature ordering module
+ */
+typedef struct SCSigOrderFunc_ {
+    /* Pointer to the Signature Ordering function */
+    void (*FuncPtr)(DetectEngineCtx *, SCSigSignatureWrapper *);
+
+    struct SCSigOrderFunc_ *next;
+} SCSigOrderFunc;
+
+void SCSigOrderSignatures(DetectEngineCtx *);
+void SCSigRegisterSignatureOrderingFuncs(DetectEngineCtx *);
+void SCSigRegisterSignatureOrderingTests(void);
+void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *);
+
+#endif /* __DETECT_ENGINE_SIGORDER_H__ */
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@ -6,6 +6,7 @@
 #include "flow.h"

 #include "detect-parse.h"
+#include "detect-engine-sigorder.h"

 #include "detect-engine-siggroup.h"
 #include "detect-engine-address.h"
@ -55,6 +56,7 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) {
    SigGroupHeadMpmUriHashFree(de_ctx);
    SigGroupHeadSPortHashFree(de_ctx);
    SigGroupHeadDPortHashFree(de_ctx);
+    SCSigSignatureOrderingModuleCleanup(de_ctx);
    DetectPortSpHashFree(de_ctx);
    DetectPortDpHashFree(de_ctx);

--- a/src/detect-pktvar.c
+++ b/src/detect-pktvar.c
@ -198,7 +198,7 @@ int DetectPktvarSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char
    if (sm == NULL)
        goto error;

-    sm->type = DETECT_FLOWVAR;
+    sm->type = DETECT_PKTVAR;
    sm->ctx = (void *)cd;

    SigMatchAppend(s,m,sm);
--- a/src/detect.c
+++ b/src/detect.c
@ -49,6 +49,7 @@
 #include "detect-flowbits.h"
 #include "detect-csum.h"
 #include "detect-stream_size.h"
+#include "detect-engine-sigorder.h"

 #include "action-globals.h"
 #include "tm-modules.h"
@ -239,6 +240,10 @@ int SigLoadSignatures (DetectEngineCtx *de_ctx, char *sig_file)
            return -1;
    }

+    SCSigRegisterSignatureOrderingFuncs(de_ctx);
+    SCSigOrderSignatures(de_ctx);
+    SCSigSignatureOrderingModuleCleanup(de_ctx);
+
    /* Setup the signature group lookup structure and
     * pattern matchers */
    SigGroupBuild(de_ctx);
--- a/src/detect.h
+++ b/src/detect.h
@ -1,6 +1,8 @@
 #ifndef __DETECT_H__
 #define __DETECT_H__

+#include <stdint.h>
+
 #include "detect-engine-proto.h"

 #include "packet-queue.h"
@ -10,6 +12,10 @@

 #define COUNTER_DETECT_ALERTS 1

+/* forward declarations for the structures from detect-engine-sigorder.h */
+struct SCSigOrderFunc_;
+struct SCSigSignatureWrapper_;
+
 /*
 * DETECT ADDRESS
 */
@ -213,6 +219,10 @@ typedef struct DetectEngineCtx_ {

    uint32_t signum;

+    /* used by the signature ordering module */
+    struct SCSigOrderFunc_ *sc_sig_order_funcs;
+    struct SCSigSignatureWrapper_ *sc_sig_sig_wrapper;
+
    /* main sigs */
    DetectEngineLookupDsize dsize_gh[DSIZE_STATES];

--- a/src/eidps.c
+++ b/src/eidps.c
@ -68,6 +68,7 @@
 #include "conf-yaml-loader.h"

 #include "runmodes.h"
+#include "detect-engine-sigorder.h"

 /*
 * we put this here, because we only use it here in main.
@ -417,6 +418,7 @@ int main(int argc, char **argv)
        ConfRegisterTests();
        TmqhFlowRegisterTests();
        FlowRegisterTests();
+        SCSigRegisterSignatureOrderingTests();
        uint32_t failed = UtRunTests();
        UtCleanup();
        if (failed) exit(EXIT_FAILURE);