#include <detection/common/detection_com.h>
#include <detection/common/detection_mod.h>
#include <detection/common/detection_pub.h>
//#include <detection/common/detection_config.h>
//#include <detection/detect/detection_detect_pub.h>
#include <detection/common/detection_mod.h>
#include <detection/common/detection_debug.h>
#include <detection/common/detection_common_mem.h>
#include <detection/common/detection_common_mpse.h>
//#include <detection/common/detection_common_bitopfuncs.h>
#include <detection/common/detection_common_bnfasearch.h>
#include <detection/common/detection_common_ksearch.h>
#include <detection/common/detection_common_acsmx2.h>
#include <detection/common/detection_common_acsmx.h>
/* Handle returned by Detection_Common_MpseNew(): wraps one concrete
 * multi-pattern search engine behind the method-independent
 * Detection_Common_Mpse* API in this file. */
typedef struct stMpseStruct {
ULONG ulMethod;          /* DETECTION_COMMON_MPSE_* value the Free/AddPattern/Prep/PrintInfo switches dispatch on */
VOID * pvObj;            /* engine object; MpseNew() in this file always creates a DETECTION_BNFA_S here, even though
                          * the dispatch switches below also accept the ACSM/ACSM2/KTrie methods */
ULONG ulVerbose;         /* zeroed in MpseNew(); not read anywhere in this file */
ULLONG ullBcnt;          /* running total of ulLen passed to Detection_Common_MpseSearch() (statistics only) */
CHAR cIncGlobalCounter;  /* copy of MpseNew()'s ulUseGobalCounterFlag, truncated to CHAR; not read in this file */
} DETECTION_MPSE_S;
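/* *
 * @note  Create a multi-pattern search engine handle.
 *
 *        This file only ever instantiates the BNFA engine (the AC/ACSM2/KTrie
 *        methods are accepted by the other entry points below but never
 *        constructed here).  The requested ulMethod is therefore kept only if
 *        it names one of the two BNFA variants; any other value is coerced to
 *        DETECTION_COMMON_MPSE_AC_BNFA so the stored method always matches the
 *        object actually built.  Previously the value was stored verbatim, so a
 *        caller passing e.g. DETECTION_COMMON_MPSE_AC made MpseFree/MpseAddPattern/
 *        MpsePrepPatterns hand the BNFA object to the ACSM routines - a type
 *        confusion that corrupts memory.
 *
 * @param ulMethod               requested DETECTION_COMMON_MPSE_* method (see note)
 * @param ulUseGobalCounterFlag  stored in cIncGlobalCounter; only the low CHAR bits survive
 * @param pvFuncUserFree         callback handed to Detection_Common_BnfaNew() to release
 *                               per-pattern user data
 * @retval non-NULL  handle for the other Detection_Common_Mpse* functions
 * @retval NULL      the wrapper or the BNFA object could not be allocated
 * @see   Detection_Common_MpseFree
 */
VOID * Detection_Common_MpseNew( ULONG ulMethod, ULONG ulUseGobalCounterFlag,VOID (*pvFuncUserFree)(VOID *p))
{
DETECTION_MPSE_S * pstMpse = NULL;
DETECTION_BNFA_S * pstBnfa = NULL;

pstMpse = (DETECTION_MPSE_S*)Detection_GlobalMalloc( sizeof(DETECTION_MPSE_S) ,DETECTION_MEM_TAG);
if( pstMpse == NULL )
    return NULL;

/* Keep the recorded method consistent with the object built below, so the
 * ulMethod-based dispatch in Free/AddPattern/Prep can never pick a destructor
 * or add-pattern routine for a different engine type. */
if( ulMethod != DETECTION_COMMON_MPSE_AC_BNFA && ulMethod != DETECTION_COMMON_MPSE_AC_BNFA_Q )
    ulMethod = DETECTION_COMMON_MPSE_AC_BNFA;

pstMpse->ulMethod = ulMethod;
pstMpse->ulVerbose = 0;
pstMpse->pvObj = NULL;
pstMpse->ullBcnt = 0;
pstMpse->cIncGlobalCounter = (CHAR)ulUseGobalCounterFlag;   /* explicit: the flag is narrowed to CHAR */

pstBnfa = (DETECTION_BNFA_S*)Detection_Common_BnfaNew(pvFuncUserFree);
if( pstBnfa == NULL )
{
    Detection_GlobalFree(pstMpse);
    return NULL;
}
/* 1 is the value this file has always set; its meaning is defined by the BNFA module */
pstBnfa->ulBnfaMethod = 1;
pstMpse->pvObj = pstBnfa;

return (VOID *)pstMpse;
}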
/* *
 * @note  Forward a detection-optimisation flag to the underlying engine.
 *        Only the two BNFA methods have an option hook here; any other
 *        method, a NULL handle or a NULL engine object is silently ignored.
 * @param pvVoid  handle from Detection_Common_MpseNew()
 * @param ulFlag  flag value passed through unchanged to Detection_Common_BnfaSetOpt()
 * @retval none
 * @see   Detection_Common_BnfaSetOpt
 */
VOID Detection_Common_MpseSetOpt( VOID * pvVoid, ULONG ulFlag )
{
DETECTION_MPSE_S * pstHandle = (DETECTION_MPSE_S*)pvVoid;
ULONG ulIsBnfa;

if( pstHandle == NULL || pstHandle->pvObj == NULL )
    return;

ulIsBnfa = ( pstHandle->ulMethod == DETECTION_COMMON_MPSE_AC_BNFA ) ||
           ( pstHandle->ulMethod == DETECTION_COMMON_MPSE_AC_BNFA_Q );
if( ulIsBnfa )
    Detection_Common_BnfaSetOpt( (DETECTION_BNFA_S*)pstHandle->pvObj, ulFlag );
}
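/* *
 * @note  Destroy a handle created by Detection_Common_MpseNew(): the engine
 *        object is released through the destructor matching ulMethod, then
 *        the wrapper itself.  For an unrecognised ulMethod the engine object
 *        cannot be freed safely (its type is unknown) and still leaks, but the
 *        wrapper - which this file always allocates with Detection_GlobalMalloc() -
 *        is now released instead of leaking with it.
 * @param pvVoid  handle to destroy; NULL is a no-op
 * @retval none
 * @see   Detection_Common_MpseNew
 */
VOID Detection_Common_MpseFree( VOID * pvVoid )
{
DETECTION_MPSE_S * pstMpse = (DETECTION_MPSE_S*)pvVoid;
VOID * pvObj;

if( pstMpse == NULL )
    return;

pvObj = pstMpse->pvObj;
if( pvObj != NULL )
{
    switch( pstMpse->ulMethod )
    {
    case DETECTION_COMMON_MPSE_AC_BNFA:
    case DETECTION_COMMON_MPSE_AC_BNFA_Q:
        Detection_Common_BnfaFree((DETECTION_BNFA_S*)pvObj);
        break;
    case DETECTION_COMMON_MPSE_AC:
        Detection_Common_AcsmFree((DETECTION_ACSM_S *)pvObj);
        break;
    case DETECTION_COMMON_MPSE_ACF:
    case DETECTION_COMMON_MPSE_ACF_Q:
    case DETECTION_COMMON_MPSE_ACS:
    case DETECTION_COMMON_MPSE_ACB:
    case DETECTION_COMMON_MPSE_ACSB:
        Detection_Common_AcsmFree2((DETECTION_ACSM2_S *)pvObj);
        break;
    case DETECTION_COMMON_MPSE_LOWMEM:
    case DETECTION_COMMON_MPSE_LOWMEM_Q:
        Detection_Common_KTrieDelete((DETECTION_KTRIE_S *)pvObj);
        break;
    default:
        /* Unknown engine type: no destructor can be chosen, so the engine
         * object is left allocated rather than freed through the wrong API. */
        break;
    }
}

/* The wrapper was allocated by MpseNew() regardless of method; always release it. */
Detection_GlobalFree(pstMpse);
}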
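/* *
 * @note  Add one pattern to the engine selected by the handle's ulMethod.
 *        The offset/depth/IID arguments are forwarded only to the ACSM and
 *        ACSM2 engines; the BNFA and KTrie engines receive just the bytes,
 *        the case flag and the user pointer.
 * @param pvVoid    handle from Detection_Common_MpseNew()
 * @param P         buffer holding the pattern bytes
 * @param ulM       pattern length in bytes
 * @param ulNoCase  non-zero for a case-insensitive pattern
 * @param lOffset   offset constraint (ACSM/ACSM2 engines only)
 * @param lDepth    depth constraint (ACSM/ACSM2 engines only) - the old
 *                  comment wrongly described this as the pattern length
 * @param pvID      opaque per-pattern user data handed back on a match
 * @param ulIID     rule node id (ACSM/ACSM2 engines only)
 * @retval the engine's own add-pattern status; 1 when the handle or its engine
 *         object is NULL or ulMethod is not recognised (the same value the
 *         unknown-method path has always returned)
 */
ULONG Detection_Common_MpseAddPattern ( VOID * pvVoid, VOID * P, ULONG ulM,
ULONG ulNoCase,LONG lOffset, LONG lDepth, VOID* pvID, ULONG ulIID )
{
DETECTION_MPSE_S * pstMpse = (DETECTION_MPSE_S*)pvVoid;
UCHAR * pucPat = (UCHAR *)P;

/* MpseSetOpt/MpseFree already tolerate a NULL handle; do the same here so a
 * failed MpseNew() surfaces as an add failure instead of a NULL dereference
 * at rule-load time. */
if( pstMpse == NULL || pstMpse->pvObj == NULL )
    return 1;

switch( pstMpse->ulMethod )
{
case DETECTION_COMMON_MPSE_AC_BNFA:
case DETECTION_COMMON_MPSE_AC_BNFA_Q:
    return Detection_Common_BnfaAddPattern( (DETECTION_BNFA_S*)pstMpse->pvObj, pucPat, ulM,
                                            ulNoCase, pvID );
case DETECTION_COMMON_MPSE_AC:
    return Detection_Common_AcsmAddPattern( (DETECTION_ACSM_S*)pstMpse->pvObj, pucPat, ulM,
                                            ulNoCase, lOffset, lDepth, pvID, ulIID );
case DETECTION_COMMON_MPSE_ACF:
case DETECTION_COMMON_MPSE_ACF_Q:
case DETECTION_COMMON_MPSE_ACS:
case DETECTION_COMMON_MPSE_ACB:
case DETECTION_COMMON_MPSE_ACSB:
    return Detection_Common_AcsmAddPattern2( (DETECTION_ACSM2_S*)pstMpse->pvObj, pucPat, ulM,
                                             ulNoCase, lOffset, lDepth, pvID, ulIID );
case DETECTION_COMMON_MPSE_LOWMEM:
case DETECTION_COMMON_MPSE_LOWMEM_Q:
    return Detection_Common_KTrieAddPattern( (DETECTION_KTRIE_S *)pstMpse->pvObj, pucPat, ulM,
                                             ulNoCase, pvID );
default:
    return 1;
}
}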
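/* *
 * @note  Compile the added patterns into the engine's state machine.
 *        Must be called after the last Detection_Common_MpseAddPattern()
 *        and before Detection_Common_MpseSearch().
 * @param pvVoid  handle from Detection_Common_MpseNew()
 * @retval the engine's own compile status; 1 when the handle or its engine
 *         object is NULL or ulMethod is not recognised (the value the
 *         unknown-method path has always returned)
 */
ULONG Detection_Common_MpsePrepPatterns ( VOID * pvVoid)
{
DETECTION_MPSE_S * pstMpse = (DETECTION_MPSE_S*)pvVoid;
ULONG ulRet = 1;   /* failure unless a known engine compiles */

/* same NULL tolerance as MpseSetOpt/MpseFree */
if( pstMpse == NULL || pstMpse->pvObj == NULL )
    return 1;

switch( pstMpse->ulMethod )
{
case DETECTION_COMMON_MPSE_AC_BNFA:
case DETECTION_COMMON_MPSE_AC_BNFA_Q:
    ulRet = Detection_Common_BnfaCompile( (DETECTION_BNFA_S*) pstMpse->pvObj);
    break;
case DETECTION_COMMON_MPSE_AC:
    ulRet = Detection_Common_AcsmCompile( (DETECTION_ACSM_S*) pstMpse->pvObj);
    break;
case DETECTION_COMMON_MPSE_ACF:
case DETECTION_COMMON_MPSE_ACF_Q:
case DETECTION_COMMON_MPSE_ACS:
case DETECTION_COMMON_MPSE_ACB:
case DETECTION_COMMON_MPSE_ACSB:
    ulRet = Detection_Common_AcsmCompile2( (DETECTION_ACSM2_S*) pstMpse->pvObj);
    break;
case DETECTION_COMMON_MPSE_LOWMEM:
case DETECTION_COMMON_MPSE_LOWMEM_Q:
    ulRet = Detection_Common_KTrieCompile( (DETECTION_KTRIE_S *)pstMpse->pvObj);
    break;
default:
    break;
}
return ulRet;
}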
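/* *
 * @note  Print the state-machine details of one engine.
 *        The LOWMEM/KTrie methods have no print hook in this file and fall
 *        through to the unknown-method result.
 * @param pvVoid  handle from Detection_Common_MpseNew()
 * @retval 0 for the BNFA methods (Detection_Common_BnfaPrintInfo()'s result is
 *         not propagated); the ACSM/ACSM2 print routine's own status for those
 *         methods; 1 when the handle or its engine object is NULL or the
 *         method has no print hook
 */
ULONG Detection_Common_MpsePrintInfo( VOID *pvVoid )
{
DETECTION_MPSE_S * pstMpse = (DETECTION_MPSE_S*)pvVoid;

/* same NULL tolerance as MpseSetOpt/MpseFree */
if( pstMpse == NULL || pstMpse->pvObj == NULL )
    return 1;

switch( pstMpse->ulMethod )
{
case DETECTION_COMMON_MPSE_AC_BNFA:
case DETECTION_COMMON_MPSE_AC_BNFA_Q:
    Detection_Common_BnfaPrintInfo( (DETECTION_BNFA_S*) pstMpse->pvObj );
    return 0;
case DETECTION_COMMON_MPSE_AC:
    return Detection_Common_AcsmPrintDetailInfo( (DETECTION_ACSM_S*) pstMpse->pvObj );
case DETECTION_COMMON_MPSE_ACF:
case DETECTION_COMMON_MPSE_ACF_Q:
case DETECTION_COMMON_MPSE_ACS:
case DETECTION_COMMON_MPSE_ACB:
case DETECTION_COMMON_MPSE_ACSB:
    return Detection_Common_AcsmPrintDetailInfo2( (DETECTION_ACSM2_S*) pstMpse->pvObj );
default:
    /* includes DETECTION_COMMON_MPSE_LOWMEM / _LOWMEM_Q: no KTrie print routine here */
    return 1;
}
}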
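/* *
 * @note  Print the per-engine-type summaries (ACSM2 and BNFA) and, when the
 *        KTrie engine has memory in use, one debug line with that figure.
 *        Detection_Common_KTrieMemUsed() is now read once instead of twice.
 * @param ulExecID  execution id forwarded to the ACSM2 and BNFA summary printers
 * @retval always 0
 */
ULONG Detection_Common_MpsePrintSummary(ULONG ulExecID )
{
ULONG ulKTrieMem;

Detection_Common_AcsmPrintSummaryInfo2(ulExecID);
Detection_Common_BnfaPrintSummary(ulExecID);

ulKTrieMem = Detection_Common_KTrieMemUsed();
if( ulKTrieMem != 0 )
{
    /* The raw figure is labelled KBytes, so KTrieMemUsed() presumably reports
     * kilobytes - confirm against the KTrie module.  Above 1024 it is shown
     * in MBytes (integer division, remainder dropped). */
    DETECTION_PARSER_DEBUG(DETECTION_DEBUGTYPE_PROCESS,"[ LowMem Search-Method Memory Used : %lu %s ]\n",
        (ulKTrieMem > 1024) ? ulKTrieMem/1024 : ulKTrieMem,
        (ulKTrieMem > 1024) ? "MBytes" : "KBytes" );
}
return 0;
}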
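/* *
 * @note  Run the multi-pattern search over one buffer.
 *        The search is not dispatched on ulMethod: this file only ever builds
 *        a BNFA engine (see Detection_Common_MpseNew), so the BNFA searcher is
 *        called directly, always from start-state 0.
 * @param pvVoid          handle from Detection_Common_MpseNew()
 * @param pucKey          bytes to scan (typically packet/payload data, i.e. untrusted)
 * @param ulLen           number of bytes in pucKey the engine may read
 * @param plFuncAction    callback invoked by the engine on each match
 * @param pvData          opaque pointer passed through to plFuncAction
 * @param plCurrentState  receives the engine state after the scan
 * @retval the DETECTION_SIGINFO_S returned through the BNFA search (the old
 *         comment's "0 / AppProtId" description referred to an integer result
 *         this function does not return); NULL when nothing produced a result
 *         or when the handle or its engine object is NULL.  Callers should not
 *         rely on that NULL to mean "clean traffic": a NULL handle is a setup
 *         failure that should have been rejected when MpseNew() returned NULL.
 * @see   Detection_Common_BnfaSearch
 */
DETECTION_SIGINFO_S * Detection_Common_MpseSearch(VOID *pvVoid, const UCHAR *pucKey, ULONG ulLen,
DETECTION_SIGINFO_S * (*plFuncAction )(VOID* pvId, ULONG ulIndex, VOID *pvData),
VOID *pvData, LONG *plCurrentState )
{
DETECTION_MPSE_S * pstMpse = (DETECTION_MPSE_S*)pvVoid;

/* same NULL tolerance as MpseSetOpt/MpseFree; this is the per-packet path,
 * so a NULL dereference here would take the whole detection process down */
if( pstMpse == NULL || pstMpse->pvObj == NULL )
    return NULL;

/* statistics only: counted whether or not anything matches */
pstMpse->ullBcnt += ulLen;

return Detection_Common_BnfaSearch( (DETECTION_BNFA_S*) pstMpse->pvObj, (UCHAR *)pucKey, ulLen,
                                    plFuncAction, pvData, 0 /* start-state */, plCurrentState );
}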
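/* *
 * @note  Number of patterns held by the handle's engine.  Like MpseSearch this
 *        assumes the BNFA engine, the only one Detection_Common_MpseNew() in
 *        this file ever creates.
 * @param pvVoid  handle from Detection_Common_MpseNew()
 * @retval pattern count reported by Detection_Common_BnfaPatternCount();
 *         0 when the handle or its engine object is NULL
 */
ULONG Detection_Common_MpseGetPatternCount(VOID *pvVoid)
{
DETECTION_MPSE_S * pstMpse = (DETECTION_MPSE_S*)pvVoid;

/* same NULL tolerance as MpseSetOpt/MpseFree */
if( pstMpse == NULL || pstMpse->pvObj == NULL )
    return 0;

return Detection_Common_BnfaPatternCount((DETECTION_BNFA_S *)pstMpse->pvObj);
}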