signature.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

/*
* This file is part of firesorm NIDS
* Copyright (c) 2002 Gianni Tedesco
* This program is released under the terms of the GNU GPL version 2
*
* 	This little stub is the signature engine. We construct rule objects
* 	and pass them on to the relevent backends. The real work is then
* 	done inside the decode plugins. The functions here are intended for
* 	parser plugins.
*/
#include <stdlib.h>
#include <string.h>
#include <cleanup.h>
#include <packet.h>
#include <alert.h>
#include <signature.h>
#include <decode.h>

unsigned int signature_count=0;

void signature_killtmp(struct criteria *c, int km)
{
	struct criteria *foo, *bar;

	for(foo=c; foo;) {
		bar=foo;
		foo=foo->next;

		if ( bar->args)
			free(bar->args);

		if ( km && bar->modifier )
			signature_killtmp(bar->modifier, 0);

		free(bar->crit);
		free(bar);
	}
}

struct rule *signature_rule(char *rlm)
{
	struct rule *ret;

	if ( !(ret=calloc(1, sizeof(*ret))) ) {
		cperror("calloc");
	}

	if ( !(ret->protocol=decode_proto(rlm)) ) {
		free(ret);
		return NULL;
	}

	return ret;
}

void signature_abort(struct rule *r)
{
	if ( !r ) return;

	/* Target/alert stuff */
	if ( r->alert.alert ) free(r->alert.alert);
	signature_killtmp(r->criteria, 1);
	free(r);
}

/* Add a modifier to a rule */
int signature_modifier(struct rule *r, int n, char *c, char *val)
{
	struct criteria *m;

	if ( !r ) return 0;
	if ( !c ) return 0;
	if ( !r->protocol ) return 0;
	if ( !r->crit_end ) return 0;

	if ( !(m=calloc(1, sizeof(*m))) )
		cperror("calloc");

	if ( !(m->crit=strdup(c)) )
		cperror("strdup");

	if ( val && !(m->args=strdup(val)) )
		cperror("strdup");

	m->negate=n ? 1 : 0;
	m->next=r->crit_end->modifier;
	r->crit_end->modifier=m;

	return 1;
}

/* Add a critieria to a rule */
int signature_criteria(struct rule *r, int n, char *c, char *val)
{
	struct criteria *crit;

	if ( !r ) return 0;
	if ( !c ) return 0;
	if ( !r->protocol ) return 0;

	/* Copy all the data */
	if ( !(crit=calloc(1, sizeof(*crit))) )
		cperror("calloc");

	if ( !(crit->crit=strdup(c)) )
		cperror("strdup");

	if ( val && !(crit->args=strdup(val)) )
		cperror("strdup");

	crit->negate=n ? 1 : 0;

	/* Thwack it on the end of the list */
	crit->next=NULL;
	if ( !r->criteria ) {
		r->criteria=crit;
		r->crit_end=crit;
	}else{
		r->crit_end->next=crit;
		r->crit_end=crit;
	}

	r->num_criteria++;
	return 1;
}

int signature_alert(struct rule *r,
	char *text,
	u_int32_t sid,
	u_int32_t rev,
	unsigned long rate,
	unsigned long burst,
	u_int8_t prio)
{
	if ( !r ) return 0;

	/* Set the text */
	if ( !(r->alert.alert=strdup(text)) )
		cperror("strdup");

	r->alert.sid=sid;
	r->alert.rev=rev;
	r->alert.priority=prio;

	r->alert.t.toks=0;
	r->alert.t.last_msg=0;
	r->alert.t.missed=0;
	r->alert.t.cost=rate;
	r->alert.t.burst=rate*burst;
	return 1;
}

int signature_commit(struct rule *r)
{
	if ( !r ) return 0;
	if ( !r->protocol ) return 0;
	if ( !r->protocol->sig_add ) return 0;

	if ( r->protocol->sig_add(r) ) {
		signature_killtmp(r->criteria, 1);
		free(r);
		signature_count++;
		return 1;
	}else return 0;
}