util-mpm_8h_source.html

/* Copyright (C) 2007-2014 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */


/**

 * \file

 *

 * \author Victor Julien <victor@inliniac.net>

 */


#ifndef SURICATA_UTIL_MPM_H

#define SURICATA_UTIL_MPM_H


#include "app-layer-protos.h"

#include "util-prefilter.h"


#define MPM_INIT_HASH_SIZE 65536


enum {

    MPM_NOTSET = 0,


    /* aho-corasick */

    MPM_AC,

    MPM_AC_KS,

    MPM_HS,

    /* table size */

    MPM_TABLE_SIZE,

};


/* Internal Pattern Index: 0 to pattern_cnt-1 */

typedef uint32_t MpmPatternIndex;


typedef struct MpmThreadCtx_ {

    void *ctx;


    uint32_t memory_cnt;

    uint32_t memory_size;


} MpmThreadCtx;


typedef struct MpmPattern_ {

    /* length of the pattern */

    uint16_t len;

    /* flags describing the pattern */

    uint8_t flags;


    /* offset into the buffer where match may start */

    uint16_t offset;


    /* offset into the buffer before which match much complete */

    uint16_t depth;


    /* holds the original pattern that was added */

    uint8_t *original_pat;

    /* case sensitive */

    uint8_t *cs;

    /* case insensitive */

    uint8_t *ci;

    /* pattern id */

    uint32_t id;


    /* sid(s) for this pattern */

    uint32_t sids_size;

    SigIntId *sids;


    struct MpmPattern_ *next;

} MpmPattern;


/* Indicates if this a global mpm_ctx.  Global mpm_ctx is the one that

 * is instantiated when we use "single".  Non-global is "full", i.e.

 * one per sgh. */

#define MPMCTX_FLAGS_GLOBAL     BIT_U8(0)

#define MPMCTX_FLAGS_NODEPTH    BIT_U8(1)

#define MPMCTX_FLAGS_CACHE_TO_DISK BIT_U8(2)


typedef struct MpmConfig_ {

    const char *cache_dir_path;

} MpmConfig;


typedef struct MpmCtx_ {

    void *ctx;

    uint8_t mpm_type;


    uint8_t flags;


    uint16_t maxdepth;


    /* unique patterns */

    uint32_t pattern_cnt;


    uint16_t minlen;

    uint16_t maxlen;


    uint32_t memory_cnt;

    uint32_t memory_size;


    uint32_t max_pat_id;


    /* hash used during ctx initialization */

    MpmPattern **init_hash;

} MpmCtx;


/* if we want to retrieve an unique mpm context from the mpm context factory

 * we should supply this as the key */

#define MPM_CTX_FACTORY_UNIQUE_CONTEXT -1


typedef struct MpmCtxFactoryItem {

    const char *name;

    MpmCtx *mpm_ctx_ts;

    MpmCtx *mpm_ctx_tc;

    int32_t id;

    int32_t sm_list;

    AppProto alproto; /**< ALPROTO_UNKNOWN is not an app item */

    struct MpmCtxFactoryItem *next;

} MpmCtxFactoryItem;


typedef struct MpmCtxFactoryContainer_ {

    MpmCtxFactoryItem *items;

    int32_t max_id;

} MpmCtxFactoryContainer;


/** pattern is case insensitive */

#define MPM_PATTERN_FLAG_NOCASE 0x01

/** pattern has a depth setting */

#define MPM_PATTERN_FLAG_DEPTH      0x04

/** pattern has an offset setting */

#define MPM_PATTERN_FLAG_OFFSET 0x08

/** the ctx uses it's own internal id instead of

 *  what is passed through the API */

#define MPM_PATTERN_CTX_OWNS_ID     0x20

#define MPM_PATTERN_FLAG_ENDSWITH   0x40


#define MPM_FEATURE_FLAG_DEPTH    BIT_U8(0)

#define MPM_FEATURE_FLAG_OFFSET   BIT_U8(1)

#define MPM_FEATURE_FLAG_ENDSWITH BIT_U8(2)


typedef struct MpmTableElmt_ {

    const char *name;

    void (*InitCtx)(struct MpmCtx_ *);

    void (*InitThreadCtx)(struct MpmCtx_ *, struct MpmThreadCtx_ *);

    void (*DestroyCtx)(struct MpmCtx_ *);

    void (*DestroyThreadCtx)(struct MpmCtx_ *, struct MpmThreadCtx_ *);


    MpmConfig *(*ConfigInit)(void);

    void (*ConfigDeinit)(MpmConfig **);

    void (*ConfigCacheDirSet)(MpmConfig *, const char *dir_path);


    /** function pointers for adding patterns to the mpm ctx.

     *

     *  \param mpm_ctx Mpm context to add the pattern to

     *  \param pattern pointer to the pattern

     *  \param pattern_len length of the pattern in bytes

     *  \param offset pattern offset setting

     *  \param depth pattern depth setting

     *  \param pid pattern id

     *  \param sid signature _internal_ id

     *  \param flags pattern flags

     */

    int  (*AddPattern)(struct MpmCtx_ *, uint8_t *, uint16_t, uint16_t, uint16_t, uint32_t, SigIntId, uint8_t);

    int  (*AddPatternNocase)(struct MpmCtx_ *, uint8_t *, uint16_t, uint16_t, uint16_t, uint32_t, SigIntId, uint8_t);

    int (*Prepare)(MpmConfig *, struct MpmCtx_ *);

    int (*CacheRuleset)(MpmConfig *);

    /** \retval cnt number of patterns that matches: once per pattern max. */

    uint32_t (*Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t);

    void (*PrintCtx)(struct MpmCtx_ *);

    void (*PrintThreadCtx)(struct MpmThreadCtx_ *);

#ifdef UNITTESTS

    void (*RegisterUnittests)(void);

#endif

    uint8_t feature_flags;

} MpmTableElmt;


extern MpmTableElmt mpm_table[MPM_TABLE_SIZE];

extern uint8_t mpm_default_matcher;


struct DetectEngineCtx_;


int32_t MpmFactoryRegisterMpmCtxProfile(

        struct DetectEngineCtx_ *, const char *, const int, const AppProto);

void MpmFactoryReClaimMpmCtx(const struct DetectEngineCtx_ *, MpmCtx *);

MpmCtx *MpmFactoryGetMpmCtxForProfile(const struct DetectEngineCtx_ *, int32_t, int);

void MpmFactoryDeRegisterAllMpmCtxProfiles(struct DetectEngineCtx_ *);

int32_t MpmFactoryIsMpmCtxAvailable(const struct DetectEngineCtx_ *, const MpmCtx *);


void MpmTableSetup(void);

void MpmRegisterTests(void);


void MpmInitCtx(MpmCtx *mpm_ctx, uint8_t matcher);

void MpmInitThreadCtx(MpmThreadCtx *mpm_thread_ctx, uint16_t);

void MpmDestroyThreadCtx(MpmThreadCtx *mpm_thread_ctx, const uint16_t matcher);


int MpmAddPatternCS(struct MpmCtx_ *mpm_ctx, uint8_t *pat, uint16_t patlen,

                    uint16_t offset, uint16_t depth,

                    uint32_t pid, SigIntId sid, uint8_t flags);

int MpmAddPatternCI(struct MpmCtx_ *mpm_ctx, uint8_t *pat, uint16_t patlen,

                    uint16_t offset, uint16_t depth,

                    uint32_t pid, SigIntId sid, uint8_t flags);


void MpmFreePattern(MpmCtx *mpm_ctx, MpmPattern *p);


int MpmAddPattern(MpmCtx *mpm_ctx, uint8_t *pat, uint16_t patlen,

                            uint16_t offset, uint16_t depth, uint32_t pid,

                            SigIntId sid, uint8_t flags);


#endif /* SURICATA_UTIL_MPM_H */