authorMartin Mathieson <martin.r.mathieson@googlemail.com>2016-11-16 12:33:09 -0800
committerMartin Mathieson <martin.r.mathieson@googlemail.com>2016-11-23 23:15:24 +0000
commit28fb531cdd96ea1bbd48c6907a60f444ec2415a2 (patch)
tree9f672ef2cc7a4ad7e2371fb1466f9fa76233e943 /epan/dissectors/snort-config.h
parent24f7b93dc12577b5d9d72ff4f3fe786b65c517a1 (diff)
Initial commit of Snort post-dissector.
This dissector allows Snort to process all of the packets passed to Wireshark, and for the alerts to be shown in the protocol tree. It is also possible to set the source of alerts to be packet comments. Change-Id: I6e0a50d3418001cbac2d185639adda2553a40de8 Reviewed-on: https://code.wireshark.org/review/18848 Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Diffstat (limited to 'epan/dissectors/snort-config.h')
-rw-r--r--epan/dissectors/snort-config.h194
1 files changed, 194 insertions, 0 deletions
diff --git a/epan/dissectors/snort-config.h b/epan/dissectors/snort-config.h
new file mode 100644
index 0000000000..ec0c23c761
--- /dev/null
+++ b/epan/dissectors/snort-config.h
@@ -0,0 +1,194 @@
+/* snort-config.h
+ *
+ * Copyright 2016, Martin Mathieson
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+
+#include <glib.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifndef SNORT_CONFIG_H
+#define SNORT_CONFIG_H
+
+/************************************************************************/
+/* Rule related data types */
+
+typedef enum content_type_t {
+ Content,
+ UriContent,
+ Pcre
+} content_type_t;
+
+/* Content (within an alert/rule) */
+typedef struct content_t {
+ /* Details as parsed from rule */
+ content_type_t content_type;
+
+ char *str;
+ gboolean negation; /* i.e. pattern must not appear */
+ gboolean nocase; /* when set, do case insensitive match */
+
+ gboolean offset_set; /* Where to start looking within packet. -65535 -> 65535 */
+ gint offset;
+
+ guint depth; /* How far to look into packet. Can't be 0 */
+
+ gboolean distance_set;
+ gint distance; /* Same as offset but relative to last match. -65535 -> 65535 */
+
+ guint within; /* Most bytes from end of previous match. Max 65535 */
+
+ gboolean fastpattern; /* Is most distinctive content in rule */
+
+ /* http preprocessor modifiers */
+ gboolean http_method;
+ gboolean http_client_body;
+ gboolean http_cookie;
+
+ /* Pattern converted into bytes for matching against packet */
+ guchar *binary_str;
+ gboolean translated;
+ guint translated_length;
+} content_t;
+
+/* This is to keep track of a variable referenced by a rule */
+typedef struct used_variable_t {
+ char *name;
+ char *value;
+} used_variable_t;
+
+/* The collection of variables referenced by a rule */
+typedef struct relevant_vars_t {
+ gboolean relevant_vars_set;
+
+ #define MAX_RULE_PORT_VARS 6
+ guint num_port_vars;
+ used_variable_t port_vars[MAX_RULE_PORT_VARS];
+
+ #define MAX_RULE_IP_VARS 6
+ guint num_ip_vars;
+ used_variable_t ip_vars[MAX_RULE_IP_VARS];
+
+} relevant_vars_t;
+
+
+/* This is purely the information parsed from the config */
+typedef struct Rule_t {
+
+ char *rule_string; /* The whole rule as read from the rule file */
+ char *file; /* Name of the rule file */
+ guint line_number; /* Line number of rule within rule file */
+
+ char *msg; /* Description of the rule */
+ char *classtype;
+ guint32 sid, rev;
+
+ char *protocol;
+
+ /* content strings to match on */
+ unsigned int number_contents;
+#define MAX_CONTENT_ENTRIES 30
+ content_t contents[MAX_CONTENT_ENTRIES];
+
+ /* Keep this pointer so can update attributes as parse modifier options */
+ content_t *last_added_content;
+
+ /* References describing the rule */
+ unsigned int number_references;
+#define MAX_REFERENCE_ENTRIES 20
+ char *references[MAX_REFERENCE_ENTRIES];
+
+ relevant_vars_t relevant_vars;
+
+ /* Statistics */
+ guint matches_seen;
+} Rule_t;
+
+
+
+/* Whole global snort config as learned by parsing config files */
+typedef struct SnortConfig_t
+{
+ /* Variables (var, ipvar, portvar) */
+ GHashTable *vars;
+ GHashTable *ipvars;
+ GHashTable *portvars;
+
+ char *rule_path;
+ gboolean rule_path_is_absolute;
+
+ /* (sid -> Rule_t*) table */
+ GHashTable *rules;
+ /* Reference (web .link) prefixes */
+ GHashTable *references_prefixes;
+
+ /* Statistics (that may be reset) */
+ guint stat_rules_files;
+ guint stat_rules;
+ guint stat_alerts_detected;
+
+} SnortConfig_t;
+
+
+/*************************************************************************************/
+/* API functions */
+void create_config(SnortConfig_t **snort_config, const char *snort_config_file);
+void delete_config(SnortConfig_t **snort_config);
+
+/* Look up rule by SID */
+Rule_t *get_rule(SnortConfig_t *snort_config, guint32 sid);
+void rule_set_alert(SnortConfig_t *snort_config, Rule_t *rule, guint *global_match_number, guint *rule_match_number);
+
+/* Debug only */
+void rule_print(Rule_t *rule);
+
+/* IP and port vars */
+void rule_set_relevant_vars(SnortConfig_t *snort_config, Rule_t *rule);
+
+/* Substitute prefix (from reference.config) into reference string */
+char *expand_reference(SnortConfig_t *snort_config, char *reference);
+
+/* Rule stats */
+void get_global_rule_stats(SnortConfig_t *snort_config, unsigned int sid,
+ unsigned int *number_rules_files, unsigned int *number_rules,
+ unsigned int *alerts_detected, unsigned int *this_rule_alerts_detected);
+void reset_global_rule_stats(SnortConfig_t *snort_config);
+
+/* Expanding a content field string to the expected binary bytes */
+guint content_convert_to_binary(content_t *content);
+
+#endif
+
+/*
+ * Editor modelines - http://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 4
+ * tab-width: 8
+ * indent-tabs-mode: nil
+ * End:
+ *
+ * vi: set shiftwidth=4 tabstop=8 expandtab:
+ * :indentSize=4:tabSize=8:noTabs=true:
+ */
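Review bot: The fixed-capacity arrays `contents[MAX_CONTENT_ENTRIES]`, `references[MAX_REFERENCE_ENTRIES]`, `port_vars[MAX_RULE_PORT_VARS]` and `ip_vars[MAX_RULE_IP_VARS]` are populated from parsed rule files, yet the header never states that `number_contents`, `number_references`, `num_port_vars` and `num_ip_vars` must not exceed those limits, nor what the parser (in snort-config.c, outside this hunk) does with a rule that has more entries than fit. Rule files are external input, so that invariant belongs next to each counter, e.g. `unsigned int number_contents; /* always <= MAX_CONTENT_ENTRIES; parser must reject or drop extra entries */`, and the same for the other three. Ownership is also undocumented on the API: a one-line comment on `expand_reference()` saying whether the caller frees the returned string, and on `create_config()`/`delete_config()` saying that `*snort_config` is allocated by the former and released and NULLed (if that is the intent) by the latter, would keep callers from leaking or double-freeing. Separately, the `#ifndef SNORT_CONFIG_H` guard on line 53 sits below the `#include` lines, so the includes are re-processed on every inclusion; moving the guard above them is the usual layout.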