int CursorInfoInitialize(Rule *rule, CursorInfo *cursor)
{
void *memoryLocation;
/* Initialize byte_extract pointers */
if (cursor->offset_refId)
{
if (!rule->ruleData)
{
DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n",
cursor->offset_refId, rule->info.genID, rule->info.sigID);
}
memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, cursor->offset_refId);
if (memoryLocation)
{
cursor->offset_location = memoryLocation;
}
else
{
DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n",
cursor->offset_refId, rule->info.genID, rule->info.sigID);
}
}
return 0;
}
int DynamicElementInitialize(Rule *rule, DynamicElement *element)
{
void *memoryLocation;
if (!rule->ruleData)
{
DynamicEngineFatalMessage("Runtime rule data location '%s' for rule [%d:%d] is unknown\n",
element->refId, rule->info.genID, rule->info.sigID);
}
switch (element->dynamicType)
{
case DYNAMIC_TYPE_INT_REF:
memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, element->refId);
if (memoryLocation)
{
element->data.dynamicInt = memoryLocation;
}
else
{
element->data.dynamicInt = NULL;
DynamicEngineFatalMessage("Runtime rule data location '%s' for rule [%d:%d] is unknown\n",
element->refId, rule->info.genID, rule->info.sigID);
//return -1;
}
break;
case DYNAMIC_TYPE_INT_STATIC:
default:
/* nothing to do, its static */
break;
}
return 0;
}
/* Initialize a byteExtract structure. */
int ByteExtractInitialize(Rule *rule, ByteExtract *extractData)
{
int ret = 0;
void *memoryLocation;
if (rule->ruleData == NULL)
{
/* Initialize the hash table */
/* XXX: 3 rows ought to suffice for now... */
/* 3 rows,
* 0 bytes key size (ie, its a string),
* user provided keys,
* free func -- data is pointer to int
*/
rule->ruleData = (void *)sfghash_new(3, 0, 1, free);
}
memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, extractData->refId);
if (memoryLocation)
{
/* Cannot re-use refId */
DynamicEngineFatalMessage("Cannot re-use ByteExtract location '%s' for rule [%d:%d]\n",
extractData->refId, rule->info.genID, rule->info.sigID);
//return -1;
}
memoryLocation = calloc(sizeof(u_int32_t), 1);
if (memoryLocation == NULL)
{
DynamicEngineFatalMessage("Failed to allocate memory\n");
}
ret = sfghash_add((SFGHASH*)rule->ruleData, extractData->refId, memoryLocation);
if (ret != SFGHASH_OK)
{
free(memoryLocation);
/* Some error, couldn't allocate hash entry */
return -2;
}
extractData->memoryLocation = memoryLocation;
return 0;
}
HBM_STATIC
HBM_STRUCT * hbm_prep(unsigned char * pat, int m, int nocase)
{
HBM_STRUCT *p;
p = (HBM_STRUCT*)malloc(sizeof(HBM_STRUCT));
if (!p)
{
DynamicEngineFatalMessage("Failed to allocate memory for pattern matching.");
}
if( !hbm_prepx( p, pat, m, nocase) )
{
DynamicEngineFatalMessage("Error initializing pattern matching. Check arguments.");
}
return p;
}
/* Zlib-specific init function */
static inline decompress_state_t * SnortDecompressInitZlib(compression_type_t type)
{
decompress_state_t *state = calloc(1, sizeof(decompress_state_t) );
z_stream *zlib_stream = calloc(1, sizeof(z_stream) );
if (state == NULL || zlib_stream == NULL)
DynamicEngineFatalMessage("Unable to allocate memory in SnortDecompressInitZlib()\n");
/* Setup Zlib memory management callbacks */
zlib_stream->zalloc = NULL;
zlib_stream->zfree = NULL;
zlib_stream->opaque = NULL;
/* Fill out state object */
state->type = type;
state->lib_info = (void *) zlib_stream;
/* Can't call inflateInit() until there's some data */
state->flags |= SNORT_ZLIB_INIT_NEEDED;
return state;
}
/*
* Initialize Boyer-Moore-Horspool data for single pattern comparisons
*
* returns: 0 -> success
* !0 -> error,failed
*/
int BoyerContentSetup(Rule *rule, ContentInfo *content)
{
void *memoryLocation;
/* XXX: need to precompile the B-M stuff */
if( !content->patternByteForm || !content->patternByteFormLength )
return 0;
content->boyer_ptr = hbm_prep(content->patternByteForm,
content->patternByteFormLength,
content->flags & CONTENT_NOCASE);
if( !content->boyer_ptr )
{
/* error doing compilation. */
_ded.errMsg("Failed to setup pattern match for dynamic rule [%d:%d]\n",
rule->info.genID, rule->info.sigID);
return -1;
}
/* Initialize byte_extract pointers */
if (content->offset_refId)
{
if (!rule->ruleData)
{
DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n",
content->offset_refId, rule->info.genID, rule->info.sigID);
}
memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, content->offset_refId);
if (memoryLocation)
{
content->offset_location = memoryLocation;
}
else
{
DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n",
content->offset_refId, rule->info.genID, rule->info.sigID);
}
}
if (content->depth_refId)
{
if (!rule->ruleData)
{
DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n",
content->depth_refId, rule->info.genID, rule->info.sigID);
}
memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, content->depth_refId);
if (memoryLocation)
{
content->depth_location = memoryLocation;
}
else
{
DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n",
content->depth_refId, rule->info.genID, rule->info.sigID);
}
}
return 0;
}
int ByteDataInitialize(Rule *rule, ByteData *byte)
{
void *memoryLocation=NULL;
unsigned int ii, byte_math_flag=0;
RuleOption *option;
for(ii=0;rule->options[ii] != NULL; ii++)
{
option = rule->options[ii];
if(option->optionType==OPTION_TYPE_BYTE_MATH)
byte_math_flag=1;
}
/* Initialize byte_extract pointers */
if (byte->offset_refId)
{
if (!rule->ruleData && !byte_math_var_check)
{
DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n",
byte->offset_refId, rule->info.genID, rule->info.sigID);
}
if (rule->ruleData)
memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, byte->offset_refId);
if (memoryLocation)
{
byte->offset_location = memoryLocation;
}
else
{
if (!byte_math_var_check && (strcmp(bm_variable_name,byte->offset_refId)))
{
DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n",
byte->offset_refId, rule->info.genID, rule->info.sigID);
}
}
}
if (byte->value_refId)
{
if (!rule->ruleData && !byte_math_var_check)
{
DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n",
byte->value_refId, rule->info.genID, rule->info.sigID);
}
if (rule->ruleData)
memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, byte->value_refId);
if (memoryLocation)
{
byte->value_location = memoryLocation;
}
else
{
if (!byte_math_var_check && (strcmp(bm_variable_name,byte->value_refId)))
{
DynamicEngineFatalMessage("ByteExtract or byte_math variable '%s' in rule [%d:%d] is used before it is defined.\n",
byte->value_refId, rule->info.genID, rule->info.sigID);
}
}
}
if (byte_math_flag && byte->refId && byte_math_var_check )
{
DynamicEngineFatalMessage("refId field should be NULL for other than Byte_Math options\n");
}
if (byte_math_flag && byte->refId)
{
if (bm_variable_name)
free(bm_variable_name);
bm_variable_name = strdup(byte->refId);
if (bm_variable_name)
byte_math_var_check=1;
}
byte_math_var_free(byte);
return 0;
}
/* These are contents to be used for fast pattern consideration */
static int GetDynamicContents(void *r, int type, FPContentInfo **contents)
{
Rule *rule = (Rule *)r;
RuleOption *option;
FPContentInfo *tail = NULL;
int i = 0;
int base64_buf_flag = 0;
int mime_buf_flag = 0;
if ((r == NULL) || (contents == NULL))
return -1;
*contents = NULL;
for (i = 0, option = rule->options[i];
option != NULL;
option = rule->options[++i])
{
switch(option->optionType)
{
case OPTION_TYPE_CONTENT:
{
FPContentInfo *fp_content;
ContentInfo *content = option->option_u.content;
int flags = content->flags;
switch (type)
{
case CONTENT_NORMAL:
if (!(flags & NORMAL_CONTENT_BUFS))
continue;
else if(base64_buf_flag || mime_buf_flag)
continue;
break;
case CONTENT_HTTP:
base64_buf_flag = 0;
mime_buf_flag = 0;
if (!(flags & URI_CONTENT_BUFS)
|| (!(flags & URI_FAST_PATTERN_BUFS)))
continue;
break;
default:
break; /* Just get them all */
}
fp_content = (FPContentInfo *)calloc(1, sizeof(FPContentInfo));
if (fp_content == NULL)
DynamicEngineFatalMessage("Failed to allocate memory\n");
fp_content->length = content->patternByteFormLength;
fp_content->content = (char *)malloc(fp_content->length);
if (fp_content->content == NULL)
DynamicEngineFatalMessage("Failed to allocate memory\n");
memcpy(fp_content->content, content->patternByteForm, fp_content->length);
fp_content->offset = content->offset;
fp_content->depth = content->depth;
if (content->flags & CONTENT_RELATIVE)
fp_content->is_relative = 1;
if (content->flags & CONTENT_NOCASE)
fp_content->noCaseFlag = 1;
if (content->flags & CONTENT_FAST_PATTERN)
fp_content->fp = 1;
if (content->flags & NOT_FLAG)
fp_content->exception_flag = 1;
if (content->flags & CONTENT_BUF_URI)
fp_content->uri_buffer |= CONTENT_HTTP_URI;
if (content->flags & CONTENT_BUF_HEADER)
fp_content->uri_buffer |= CONTENT_HTTP_HEADER;
if (content->flags & CONTENT_BUF_POST)
fp_content->uri_buffer |= CONTENT_HTTP_CLIENT_BODY;
/* Fast pattern only and specifying an offset and length are
* technically mutually exclusive - see
* detection-plugins/sp_pattern_match.c */
if (option->option_u.content->flags & CONTENT_FAST_PATTERN_ONLY)
{
fp_content->fp_only = 1;
}
else
{
fp_content->fp_offset = option->option_u.content->fp_offset;
fp_content->fp_length = option->option_u.content->fp_length;
}
if (tail == NULL)
*contents = fp_content;
else
tail->next = fp_content;
tail = fp_content;
}
break;
case OPTION_TYPE_BASE64_DECODE:
base64_buf_flag =1;
continue;
case OPTION_TYPE_FILE_DATA:
{
CursorInfo *cursor = option->option_u.cursor;
if (cursor->flags & BUF_FILE_DATA_MIME)
{
mime_buf_flag = 1;
continue;
}
}
break;
case OPTION_TYPE_PKT_DATA:
base64_buf_flag = 0;
mime_buf_flag = 0;
continue;
case OPTION_TYPE_BASE64_DATA:
base64_buf_flag =1;
continue;
default:
continue;
}
}
if (*contents == NULL)
return -1;
return 0;
}