/**
* \brief Gets the classtype from the corresponding hash table stored
* in the Detection Engine Context's class conf ht, given the
* classtype name.
*
* \param ct_name Pointer to the classtype name that has to be looked up.
* \param de_ctx Pointer to the Detection Engine Context.
*
* \retval lookup_ct_info Pointer to the SCClassConfClasstype instance from
* the hash table on success; NULL on failure.
*/
SCClassConfClasstype *SCClassConfGetClasstype(const char *ct_name,
DetectEngineCtx *de_ctx)
{
SCClassConfClasstype *ct_info = SCClassConfAllocClasstype(0, ct_name, NULL,
0);
if (ct_info == NULL)
return NULL;
SCClassConfClasstype *lookup_ct_info = HashTableLookup(de_ctx->class_conf_ht,
ct_info, 0);
SCClassConfDeAllocClasstype(ct_info);
return lookup_ct_info;
}
/**
* \test Check if the classtype info from the classification.config file have
* been loaded into the hash table.
*/
int SCClassConfTest06(void)
{
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
SCClassConfClasstype *ct = NULL;
int result = 1;
if (de_ctx == NULL)
return 0;
SCClassConfGenerateInValidDummyClassConfigFD02();
SCClassConfLoadClassficationConfigFile(de_ctx);
SCClassConfDeleteDummyClassificationConfigFD();
if (de_ctx->class_conf_ht == NULL)
return 0;
result = (de_ctx->class_conf_ht->count == 3);
ct = SCClassConfAllocClasstype(0, "unknown", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype(0, "not-suspicious", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype(0, "bamboola1", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype(0, "bamboola1", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype(0, "BAMBOolA1", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype(0, "unkNOwn", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test Check if the classtype info from the invalid classification.config file
* have not been loaded into the hash table, and cross verify to check
* that the hash table contains no classtype data.
*/
int SCClassConfTest05(void)
{
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
SCClassConfClasstype *ct = NULL;
int result = 1;
if (de_ctx == NULL)
return 0;
SCClassConfGenerateInValidDummyClassConfigFD03();
SCClassConfLoadClassficationConfigFile(de_ctx);
SCClassConfDeleteDummyClassificationConfigFD();
if (de_ctx->class_conf_ht == NULL)
return 0;
result = (de_ctx->class_conf_ht->count == 0);
ct = SCClassConfAllocClasstype(0, "unknown", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype(0, "unKnoWn", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype(0, "bamboo", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype(0, "bad-unknown", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype(0, "BAD-UNKnOWN", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype(0, "bed-unknown", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \brief Parses a line from the classification file and adds it to Classtype
* hash table in DetectEngineCtx, i.e. DetectEngineCtx->class_conf_ht.
*
* \param rawstr Pointer to the string to be parsed.
* \param index Relative index of the string to be parsed.
* \param de_ctx Pointer to the Detection Engine Context.
*
* \retval 0 On success.
* \retval -1 On failure.
*/
int SCClassConfAddClasstype(char *rawstr, uint8_t index, DetectEngineCtx *de_ctx)
{
const char *ct_name = NULL;
const char *ct_desc = NULL;
const char *ct_priority_str = NULL;
int ct_priority = 0;
uint8_t ct_id = index;
SCClassConfClasstype *ct_new = NULL;
SCClassConfClasstype *ct_lookup = NULL;
#define MAX_SUBSTRINGS 30
int ret = 0;
int ov[MAX_SUBSTRINGS];
ret = pcre_exec(regex, regex_study, rawstr, strlen(rawstr), 0, 0, ov, 30);
if (ret < 0) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid Classtype in "
"classification.config file");
goto error;
}
/* retrieve the classtype name */
ret = pcre_get_substring((char *)rawstr, ov, 30, 1, &ct_name);
if (ret < 0) {
SCLogInfo("pcre_get_substring() failed");
goto error;
}
/* retrieve the classtype description */
ret = pcre_get_substring((char *)rawstr, ov, 30, 2, &ct_desc);
if (ret < 0) {
SCLogInfo("pcre_get_substring() failed");
goto error;
}
/* retrieve the classtype priority */
ret = pcre_get_substring((char *)rawstr, ov, 30, 3, &ct_priority_str);
if (ret < 0) {
SCLogInfo("pcre_get_substring() failed");
goto error;
}
if (ct_priority_str == NULL) {
goto error;
}
ct_priority = atoi(ct_priority_str);
/* Create a new instance of the parsed Classtype string */
ct_new = SCClassConfAllocClasstype(ct_id, ct_name, ct_desc, ct_priority);
if (ct_new == NULL)
goto error;
/* Check if the Classtype is present in the HashTable. In case it's present
* ignore it, as it is a duplicate. If not present, add it to the table */
ct_lookup = HashTableLookup(de_ctx->class_conf_ht, ct_new, 0);
if (ct_lookup == NULL) {
if (HashTableAdd(de_ctx->class_conf_ht, ct_new, 0) < 0)
SCLogDebug("HashTable Add failed");
} else {
SCLogDebug("Duplicate classtype found inside classification.config");
if (ct_new->classtype_desc) SCFree(ct_new->classtype_desc);
if (ct_new->classtype) SCFree(ct_new->classtype);
SCFree(ct_new);
}
if (ct_name) SCFree((char *)ct_name);
if (ct_desc) SCFree((char *)ct_desc);
if (ct_priority_str) SCFree((char *)ct_priority_str);
return 0;
error:
if (ct_name) SCFree((char *)ct_name);
if (ct_desc) SCFree((char *)ct_desc);
if (ct_priority_str) SCFree((char *)ct_priority_str);
return -1;
}