matcher.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

/*
* This file is part of Firestorm NIDS
* Copyright (c) 2002 Gianni Tedesco
* This program is released under the terms of the GNU GPL version 2
*
* This is the central registry of all matchers. Usually plugins
* call us when rules are commited to them.
*/
#include <stdio.h>
#include <string.h>

#include <firestorm.h>
#include <loader.h>
#include <packet.h>
#include <alert.h>
#include <signature.h>
#include <cleanup.h>
#include <string_hash.h>
#include <matcher.h>

#define MHASH_SIZE 127
struct matcher *matchers[MHASH_SIZE];

void matcher_load(void)
{
	struct plugin *p;
	proc_matcher_load fn;
	static struct matcher_api mapi={
		.size=sizeof(mapi),
		.matcher_add=matcher_add,
		.template_longrange=template_longrange,
		.template_shortrange=template_shortrange,
	};

	for(p=ld_list; p; p=p->next) {
		if ( !(fn=loader_symbol(p, plugin_matcher)) )
			continue;

		loader_perror(p, "matcher", fn(&mapi));
	}
}

/* Always differ */
int null_cmp(void *p1, void *p2)
{
	return 1;
}

void null_cleanup(void *foo){}

struct matcher *matcher_find(char *name)
{
	struct matcher *m;

	for(m=matchers[string_hash(name)%MHASH_SIZE]; m; m=m->next) {
		if ( !strcmp(m->name, name) ) {
			return m;
		}
	}
	
	return NULL;
}

/* We get passed an array of matcher structures, terminated
 * by a NULL element. Add them all to the list */
int matcher_add(struct matcher *m)
{
	int ret=0;
	u_int32_t h;
	
	if ( !m )
		return 0;

next:
	if ( !m->name || !m->validate )
		return ret;

	h=string_hash(m->name)%MHASH_SIZE;

	if ( m->compare==MCMP_SR ) {
		m->compare=template_cmp_sr;
	}else if ( m->compare==MCMP_LR ) {
		m->compare=template_cmp_lr;
	}else if ( m->compare==NULL ) {
		m->compare=null_cmp;
	}

	if ( m->cleanup==MATCHER_FREE ) {
		m->cleanup=template_ptr;
	}else if ( !m->cleanup ) {
		m->cleanup=null_cleanup;
	}

	m->next=matchers[h];
	matchers[h]=m;

	ret++;
	m++;
	goto next;
}