int PCRESetup(Rule *rule, PCREInfo *pcreInfo)
{
const char *error;
int erroffset;
pcreInfo->compiled_expr = (void *)pcre_compile(pcreInfo->expr,
pcreInfo->compile_flags,
&error,
&erroffset,
NULL);
if (!pcreInfo->compiled_expr)
{
/* error doing compilation. */
_ded.errMsg("Failed to compile PCRE in dynamic rule [%d:%d]\n",
rule->info.genID, rule->info.sigID);
return -1;
}
else
{
pcreInfo->compiled_extra = (void *)pcre_study(pcreInfo->compiled_expr, 0, &error);
}
if (error)
{
/* error doing study. */
_ded.errMsg("Failed to study PCRE in dynamic rule [%d:%d]\n",
rule->info.genID, rule->info.sigID);
return -1;
}
return 0;
}
ENGINE_LINKAGE int base64Decode(void *p, base64DecodeData *data, const u_int8_t *cursor)
{
const u_int8_t *start;
const u_int8_t *end;
int ret;
const u_int8_t base64_encodebuf[BLEN];
u_int32_t base64_encodesize = 0;
SFSnortPacket *sp = (SFSnortPacket *) p;
ret = getBuffer(sp, CONTENT_BUF_RAW, &start, &end);
if ( ret < 0 )
{
return ret;
}
if(data->relative )
{
if(cursor)
{
start = cursor;
}
}
start = start + data->offset;
if( start > end )
return RULE_NOMATCH;
if(_ded.sfUnfold(start, end-start, (u_int8_t *)base64_encodebuf, sizeof(base64_encodebuf), &base64_encodesize) != 0)
{
return RULE_NOMATCH;
}
if (data->bytes && (base64_encodesize > data->bytes))
{
base64_encodesize = data->bytes;
}
if(_ded.sfbase64decode((u_int8_t *)base64_encodebuf, base64_encodesize, (u_int8_t *)base64decodebuf, BLEN, &base64decodesize) != 0)
{
return RULE_NOMATCH;
}
return RULE_MATCH;
}
/*
* Detect ASN1 function
*
* p: packet data structure, same as the one found in snort.
* asn1: data defined in the detection plugin for this rule option
* cursor: current position within buffer
*
* Returns:
* > 0 : match found
* = 0 : no match found
*
* Predefined constants:
* (see sf_snort_plugin_api.h for more values)
* RULE_MATCH - if asn1 specifier is found within buffer
* RULE_NOMATCH - if asn1 specifier is not found within buffer
*
*/
ENGINE_LINKAGE int detectAsn1(void *p, Asn1Context* asn1, u_int8_t *cursor)
{
/* asn1Detect returns non-zero if the options matched. */
if (_ded.asn1Detect(p, (void *) asn1, cursor))
return RULE_MATCH;
return RULE_NOMATCH;
}
/*
* Store Rule Specific session data
*
* p: packet data structure, same as the one found in snort.
* rule_data: data to store in the session
*
* Returns:
* nothing
*
*/
ENGINE_LINKAGE int storeRuleData(void *p, void *rule_data,
uint32_t sid, SessionDataFree sdf)
{
if ( _ded.setRuleData(p, rule_data, sid, sdf) != 0 )
return RULE_NOMATCH;
return RULE_MATCH;
}
/*
* Process flowbits function
*
* p: packet data structure, same as the one found in snort.
* flowBits: data defined in the detection plugin for this rule option
*
* Returns:
* > 0 : match found
* = 0 : no match found
*
* Predefined constants:
* (see sf_snort_plugin_api.h for more values)
* RULE_MATCH - if flowbit operation succeeded
* RULE_NOMATCH - if flowbit operation failed
*
*/
ENGINE_LINKAGE int processFlowbits(void *p, FlowBitsInfo *flowBits)
{
/* flowbitCheck returns non-zero if the flow bit operation succeeded. */
if (_ded.flowbitCheck(p, flowBits->operation, flowBits->id))
return RULE_MATCH;
return RULE_NOMATCH;
}
HBM_STATIC
HBM_STRUCT * hbm_prep(unsigned char * pat, int m, int nocase)
{
HBM_STRUCT *p;
p = (HBM_STRUCT*)malloc(sizeof(HBM_STRUCT));
if (!p)
{
_ded.fatalMsg("Failed to allocate memory for pattern matching.");
}
if( !hbm_prepx( p, pat, m, nocase) )
{
_ded.fatalMsg("Error initializing pattern matching. Check arguments.");
}
return p;
}
NORETURN void DynamicEngineFatalMessage(const char *format, ...)
{
char buf[STD_BUF];
va_list ap;
va_start(ap, format);
vsnprintf(buf, STD_BUF, format, ap);
va_end(ap);
buf[STD_BUF - 1] = '\0';
_ded.fatalMsg("%s", buf);
exit(1);
}
/* Evaluates the rule -- indirect interface, this will be
* called from the SpecialPurpose detection plugin as
* CheckRule (void *, void *);
*/
static int CheckRule(void *p, void *r)
{
Rule *rule = (Rule *)r;
if (!rule->initialized)
{
_ded.errMsg("Dynamic Rule [%d:%d] was not initialized properly.\n",
rule->info.genID, rule->info.sigID);
return RULE_NOMATCH;
}
ContentSetup();
/* If there is an eval func, use it, this is a 'hand-coded' rule */
if (rule->evalFunc)
return rule->evalFunc((SFSnortPacket *)p);
else
return ruleMatch(p, rule);
}
/*
* Initialize Boyer-Moore-Horspool data for single pattern comparisons
*
* returns: 0 -> success
* !0 -> error,failed
*/
int BoyerContentSetup(Rule *rule, ContentInfo *content)
{
/* XXX: need to precompile the B-M stuff */
if( !content->patternByteForm || !content->patternByteFormLength )
return 0;
content->boyer_ptr = hbm_prep(content->patternByteForm,
content->patternByteFormLength,
content->flags & CONTENT_NOCASE);
if( !content->boyer_ptr )
{
/* error doing compilation. */
_ded.errMsg("Failed to setup pattern match for dynamic rule [%d:%d]\n",
rule->info.genID, rule->info.sigID);
return -1;
}
return 0;
}
ENGINE_LINKAGE void freeRuleData(void *data)
{
_ded.freeRuleData(data);
}
ENGINE_LINKAGE void * allocRuleData(size_t size)
{
return _ded.allocRuleData(size);
}
/*
* Retrieve Rule Specific session data
*
* p: packet data structure, same as the one found in snort.
*
* Returns:
* pointer to rule specific session data, NULL if none available
*
*/
ENGINE_LINKAGE void *getRuleData(void *p, uint32_t sid)
{
return _ded.getRuleData(p, sid);
}