sp_pattern_match.c

该源码是用C语言编写的,实现网络入侵检测系统的功能

/*
** Copyright (C) 1998,1999,2000,2001 Martin Roesch <roesch@clark.net>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* $Id: sp_pattern_match.c,v 1.8 2001/01/13 07:31:14 roesch Exp $ */
#include "sp_pattern_match.h"

extern int file_line;

int list_file_line;     /* current line being processed in the list
                 * file */

void SetupPatternMatch()
{
    RegisterPlugin("content", PayloadSearchInit);
    RegisterPlugin("content-list", PayloadSearchListInit);
    RegisterPlugin("offset", PayloadSearchOffset);
    RegisterPlugin("depth", PayloadSearchDepth);
    RegisterPlugin("nocase", PayloadSearchNocase);
    RegisterPlugin("regex", PayloadSearchRegex);

#ifdef DEBUG
    printf("Plugin: PatternMatch Initialized!\n");
#endif
}


void PayloadSearchListInit(char *data, OptTreeNode * otn, int protocol)
{
    char *sptr;
    char *eptr;


#ifdef DEBUG
    printf("In PayloadSearchListInit()\n");
#endif

    /* content-list can appear separately in rules */
    NewNode(otn);

    /* get the path/file name from the data */
    while(isspace((int) *data))
        data++;

    /* grab everything between the starting " and the end one */
    sptr = index(data, '"');
    eptr = strrchr(data, '"');

    if(sptr != NULL && eptr != NULL)
    {
        /* increment past the first quote */
        sptr++;

        /* zero out the second one */
        *eptr = 0;
    }
    else
    {
        sptr = data;
    }

    /* read the content keywords from the list file */
    ParseContentListFile(sptr, otn, protocol);


    /* link the plugin function in to the current OTN */
    AddOptFuncToList(CheckORPatternMatch, otn);

    return;
}


void PayloadSearchInit(char *data, OptTreeNode * otn, int protocol)
{
#ifdef DEBUG
    printf("In PayloadSearchInit()\n");
#endif

    /* whack a new node onto the list */
    NewNode(otn);

    /* set up the pattern buffer */
    ParsePattern(data, otn);

    /* link the plugin function in to the current OTN */
    AddOptFuncToList(CheckANDPatternMatch, otn);

#ifdef DEBUG
    printf("OTN function PatternMatch Added to rule!\n");
#endif
}



void PayloadSearchOffset(char *data, OptTreeNode * otn, int protocol)
{
    PatternMatchData *idx;

#ifdef DEBUG
    printf("In PayloadSearch()\n");
#endif

    idx = otn->ds_list[PLUGIN_PATTERN_MATCH];

    if(idx == NULL)
    {
        FatalError("ERROR Line %d => Please place \"content\" rules before depth, nocase or offset modifiers.\n", file_line);
    }
    while(idx->next != NULL)
        idx = idx->next;

    while(isspace((int) *data))
        data++;
    idx->offset = atoi(data);

#ifdef DEBUG
    printf("Pattern offset = %d\n", idx->offset);
#endif

    return;
}



void PayloadSearchDepth(char *data, OptTreeNode * otn, int protocol)
{
    PatternMatchData *idx;

    idx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH];

    if(idx == NULL)
    {
        FatalError("ERROR Line %d => Please place \"content\" rules before depth, nocase or offset modifiers.\n", file_line);
    }
    while(idx->next != NULL)
        idx = idx->next;

    while(isspace((int) *data))
        data++;
    idx->depth = atoi(data);

#ifdef DEBUG
    printf("Pattern offset = %d\n", idx->offset);
#endif

    return;
}



void PayloadSearchNocase(char *data, OptTreeNode * otn, int protocol)
{
    PatternMatchData *idx;
    int i;

    idx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH];

    if(idx == NULL)
    {
        FatalError("ERROR Line %d => Please place \"content\" rules before depth, nocase or offset modifiers.\n", file_line);
    }
    while(idx->next != NULL)
        idx = idx->next;

    idx->search = mSearchCI;

    i = idx->pattern_size;

    while(--i >= 0)
        idx->pattern_buf[i] = toupper((unsigned char) idx->pattern_buf[i]);

    free(idx->skip_stride);
    idx->skip_stride = make_skip(idx->pattern_buf, idx->pattern_size);

    free(idx->shift_stride);
    idx->shift_stride = make_shift(idx->pattern_buf, idx->pattern_size);

    return;
}



void PayloadSearchRegex(char *data, OptTreeNode * otn, int protocol)
{
    PatternMatchData *idx;
    int i;

    idx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH];

    if(idx == NULL)
    {
        FatalError("ERROR Line %d => Please place \"content\" rules before depth, nocase or offset modifiers.\n", file_line);
    }
    while(idx->next != NULL)
        idx = idx->next;

    idx->search = mSearchREG;

    i = idx->pattern_size;

    while(--i >= 0)
        idx->pattern_buf[i] = toupper((unsigned char) idx->pattern_buf[i]);

    free(idx->skip_stride);
    idx->skip_stride = make_skip(idx->pattern_buf, idx->pattern_size);

    free(idx->shift_stride);
    idx->shift_stride = make_shift(idx->pattern_buf, idx->pattern_size);

    return;
}




void NewNode(OptTreeNode * otn)
{
    PatternMatchData *idx;

    idx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH];

    if(idx == NULL)
    {
        if((otn->ds_list[PLUGIN_PATTERN_MATCH] = (PatternMatchData *) calloc(sizeof(PatternMatchData), sizeof(char))) == NULL)
        {
            FatalError("ERROR => sp_pattern_match NewNode() calloc failed!\n");
        }
    }
    else
    {
        idx = otn->ds_list[PLUGIN_PATTERN_MATCH];

        while(idx->next != NULL)
            idx = idx->next;

        if((idx->next = (PatternMatchData *) calloc(sizeof(PatternMatchData), sizeof(char))) == NULL)
        {
            FatalError("ERROR => sp_pattern_match NewNode() calloc failed!\n");
        }
    }
}



/****************************************************************************
 *
 * Function: ParsePattern(char *)
 *
 * Purpose: Process the application layer patterns and attach them to the
 *          appropriate rule.  My god this is ugly code.
 *
 * Arguments: rule => the pattern string
 *
 * Returns: void function
 *
 ***************************************************************************/
void ParsePattern(char *rule, OptTreeNode * otn)
{
    unsigned char tmp_buf[2048];

    /* got enough ptrs for you? */
    char *start_ptr;
    char *end_ptr;
    char *idx;
    char *dummy_idx;
    char *dummy_end;
    char hex_buf[9];
    u_int dummy_size = 0;
    u_int size;
    int hexmode = 0;
    int hexsize = 0;
    int pending = 0;
    int cnt = 0;
    int literal = 0;
    PatternMatchData *ds_idx;

    /* clear out the temp buffer */
    bzero(tmp_buf, 2048);

    /* find the start of the data */
    start_ptr = index(rule, '"');

    if(start_ptr == NULL)
    {
        FatalError("ERROR Line %d => Content data needs to be enclosed in quotation marks (\")!\n", file_line);
    }
    /* move the start up from the beggining quotes */
    start_ptr++;

    /* find the end of the data */
    end_ptr = strrchr(start_ptr, '"');

    if(end_ptr == NULL)
    {
        FatalError("ERROR Line %d => Content data needs to be enclosed in quotation marks (\")!\n", file_line);
    }
    /* set the end to be NULL */
    *end_ptr = 0;

    /* how big is it?? */
    size = end_ptr - start_ptr;

    /* uh, this shouldn't happen */
    if(size <= 0)
    {
        FatalError("ERROR Line %d => Bad pattern length!\n", file_line);
    }
    /* set all the pointers to the appropriate places... */
    idx = start_ptr;

    /* set the indexes into the temp buffer */
    dummy_idx = tmp_buf;
    dummy_end = (dummy_idx + size);

    /* why is this buffer so small? */
    bzero(hex_buf, 9);
    memset(hex_buf, '0', 8);

    /* BEGIN BAD JUJU..... */
    while(idx < end_ptr)
    {
#ifdef DEBUG
        printf("processing char: %c\n", *idx);
#endif
        switch(*idx)
        {
            case '|':
#ifdef DEBUG
                printf("Got bar... ");
#endif
                if(!literal)
                {
#ifdef DEBUG
                    printf("not in literal mode... ");
#endif
                    if(!hexmode)
                    {
#ifdef DEBUG
                        printf("Entering hexmode\n");
#endif
                        hexmode = 1;
                    }
                    else
                    {
#ifdef DEBUG
                        printf("Exiting hexmode\n");
#endif
                        hexmode = 0;
                    }

                    if(hexmode)
                        hexsize = 0;
                }
                else
                {
#ifdef DEBUG
                    printf("literal set, Clearing\n");
#endif
                    literal = 0;
                    tmp_buf[dummy_size] = start_ptr[cnt];
                    dummy_size++;
                }

                break;

            case '\\':
#ifdef DEBUG
                printf("Got literal char... ");
#endif
                if(!literal)
                {
#ifdef DEBUG
                    printf("Setting literal\n");
#endif
                    literal = 1;
                }
                else
                {
#ifdef DEBUG
                    printf("Clearing literal\n");
#endif
                    tmp_buf[dummy_size] = start_ptr[cnt];
                    literal = 0;
                    dummy_size++;
                }

                break;

            default: