HLBR: decoders/decode.c Source File

00001 #include "decode.h"
00002 #include <stdio.h>
00003 #include <string.h>
00004 #include "../engine/bits.h"
00005 #include "../engine/hlbr.h"
00006 #include "../packets/packet.h"
00007 #ifdef _SOLARIS_
00008 #include <strings.h>
00009 #endif
00010 
00011 /*************************************
00012 * include for each decoder goes here
00013 *************************************/
00014 #include "decode_interface.h"
00015 #include "decode_ethernet.h"
00016 #include "decode_ip.h"
00017 #include "decode_ip_defrag.h"
00018 #include "decode_icmp.h"
00019 #include "decode_udp.h"
00020 #include "decode_tcp.h"
00021 #include "decode_dns.h"
00022 #include "decode_arp.h"
00023 
00024 extern GlobalVars       Globals;
00025 
00026 //#define DEBUG
00027 
00031 int GetDecoderByName(char* Name)
00032 {
00033         int     i;
00034         
00035         DEBUGPATH;
00036 
00037         for (i = 0; i < Globals.NumDecoders; i++)
00038                 if (strcasecmp(Name, Globals.Decoders[i].Name)==0)
00039                         return i;
00040 
00041         return DECODER_NONE;
00042 }
00043 
00047 int InitDecoders()
00048 {
00049         int     RootDecoder;
00050 
00051         DEBUGPATH;
00052 
00053         /*************************************
00054         * init function for each decoder goes here
00055         *************************************/
00056         if (!InitDecoderInterface()) return FALSE;
00057         if (!InitDecoderEthernet()) return FALSE;
00058         if (!InitDecoderIP()) return FALSE;
00059         if (!InitDecoderIPDefrag()) return FALSE;
00060         if (!InitDecoderICMP()) return FALSE;
00061         if (!InitDecoderUDP()) return FALSE;
00062         if (!InitDecoderTCP()) return FALSE;
00063         if (!InitDecoderDNS()) return FALSE;
00064         if (!InitDecoderARP()) return FALSE;
00065 
00066         /* set the interface decoder as the root decoder */
00067         RootDecoder = GetDecoderByName("Interface");
00068         if (RootDecoder == DECODER_NONE) {
00069                 PRINTERROR("Error Decoder Interface not found\n");
00070                 return FALSE;
00071         }
00072         Globals.DecoderRoot = RootDecoder;
00073         
00074         /* for session tracking some decoders should always be active */
00075         Globals.Decoders[GetDecoderByName("IP")].Active = TRUE;
00076         Globals.Decoders[GetDecoderByName("TCP")].Active = TRUE;
00077         Globals.Decoders[GetDecoderByName("UDP")].Active = TRUE;
00078         Globals.Decoders[GetDecoderByName("ICMP")].Active = TRUE;
00079                 
00080         return TRUE;
00081 }
00082 
00086 int CreateDecoder(char* Name)
00087 {
00088         int DecoderID;
00089         
00090         DEBUGPATH;
00091 
00092         /* check to see if this name is already used */
00093         DecoderID = GetDecoderByName(Name);
00094         if (DecoderID != DECODER_NONE) {
00095                 printf("Decoder %s already exists\n", Name);
00096                 return DECODER_NONE;
00097         }
00098         
00099         DecoderID = Globals.NumDecoders;
00100         Globals.NumDecoders++;
00101         
00102         bzero(&Globals.Decoders[DecoderID], sizeof(DecoderRec));
00103         Globals.Decoders[DecoderID].ID = DecoderID;
00104         snprintf(Globals.Decoders[DecoderID].Name, MAX_NAME_LEN, Name);
00105         
00106         DBG( PRINTERROR2("Allocated Decoder \"%s\" at number %i\n",Name, DecoderID) );
00107         
00108         return DecoderID;
00109 }
00110 
00117 int DecoderAddTest(int DecoderID, int TestID)
00118 {
00119         TestRec*        Test;
00120         DecoderRec*     Decoder;
00121         TestRec*        This;
00122 
00123         DEBUGPATH;
00124 
00125         Test = &Globals.Tests[TestID];
00126         Decoder = &Globals.Decoders[DecoderID];
00127         
00128         if (!Decoder->Tests) {
00129                 Decoder->Tests = Test;
00130                 return TRUE;
00131         }
00132         
00133         /* check to see if it's already bound */
00134         This = Decoder->Tests;
00135         while (1) {
00136                 if (This->ID==Test->ID) {
00137                         PRINTERROR2("Test %d already bound to decoder %d\n", TestID, DecoderID);
00138                         return FALSE;
00139                 }
00140                 if (!This->Next)
00141                         break;
00142                 This = This->Next;
00143         }
00144         
00145         This->Next = Test;
00146         
00147         Test->DecoderID = DecoderID;
00148 
00149         return TRUE;
00150 }
00151 
00158 int DecoderAddDecoder(int ParentDecoderID, int ChildDecoderID)
00159 {
00160         DecoderRec*     Child;
00161         DecoderRec*     Parent;
00162         DecoderRec*     This;
00163 
00164         DEBUGPATH;
00165 
00166         Parent = &Globals.Decoders[ParentDecoderID];
00167         Child = &Globals.Decoders[ChildDecoderID];
00168         Child->Parent = Parent;
00169                 
00170         if (!Parent->Children) {
00171                 Parent->Children = Child;
00172                 return TRUE;
00173         }
00174         
00175         /* check to see if it's already bound */
00176         This = Parent->Children;
00177         while (1) {
00178                 if (This->ID == Child->ID) {
00179                         PRINTERROR2("Decoder %d already bound to decoder %d\n", ChildDecoderID, ParentDecoderID);
00180                         return FALSE;
00181                 }
00182                 if (!This->NextChild)
00183                         break;
00184                 This = This->NextChild;
00185         }
00186         
00187         This->NextChild = Child;
00188 
00189         return TRUE;
00190 
00191 }
00192 
00199 int DecoderAddModule(int DecoderID, int ModuleID)
00200 {
00201         ModuleRec*      Module;
00202         DecoderRec*     Decoder;
00203         ModuleRec*      This;
00204 
00205         DEBUGPATH;
00206 
00207         Module = &Globals.Modules[ModuleID];
00208         Decoder = &Globals.Decoders[DecoderID];
00209         
00210         if (!Decoder->Modules) {
00211                 Decoder->Modules = Module;
00212                 return TRUE;
00213         }
00214         
00215         /* check to see if it's already bound */
00216         This = Decoder->Modules;
00217         while (1) {
00218                 if (This->ID == Module->ID){
00219                         PRINTERROR2("Module %d already bound to decoder %d\n", ModuleID, DecoderID);
00220                         return FALSE;
00221                 }
00222                 if (!This->Next)
00223                         break;
00224                 This = This->Next;
00225         }
00226         
00227         This->Next = Module;
00228         
00229         Module->DecoderID = DecoderID;
00230 
00231         return TRUE;
00232 }
00233 
00234 
00259 int Decode(int DecoderID, int PacketSlot)
00260 {
00261         TestRec*        test;
00262         ModuleRec*      module;
00263         DecoderRec*     child;
00264         PacketRec*      p;
00265 
00266         DEBUGPATH;
00267 
00268         /* Don't go there if we don't need to */
00269         /* If decoder isn't active (isn't used by any rule) 
00270            it won't be called */
00271         if (!Globals.Decoders[DecoderID].Active)
00272                 return TRUE;
00273 
00274         DBG( PRINTERROR1("Applying decoder %s\n", Globals.Decoders[DecoderID].Name) );
00275 
00276         p = &Globals.Packets[PacketSlot];
00277 
00278         if (p->NumDecoderData == MAX_DECODER_DEPTH) {
00279                 PRINTERROR("Out of room for decoders for this packet\n");
00280                 return FALSE;
00281         }
00282         
00283         /* apply this decoder */
00284         p->DecoderInfo[p->NumDecoderData].Data = Globals.Decoders[DecoderID].DecodeFunc(PacketSlot);
00285         if (p->DecoderInfo[p->NumDecoderData].Data) {
00286                 p->DecoderInfo[p->NumDecoderData].DecoderID = DecoderID;
00287                 p->NumDecoderData++;
00288                 
00289                 /* apply the tests for this decoder */
00290                 test = Globals.Decoders[DecoderID].Tests;
00291                 while (test) {
00292                         if (test->Active)
00293                                 if (test->TestFunc)
00294                                         test->TestFunc(PacketSlot, test->TestNodes);
00295                         test = test->Next;
00296                 }
00297                 
00298                 /* apply the modules */
00299                 module = Globals.Decoders[DecoderID].Modules;
00300                 while (module) {
00301                         if (module->Active)
00302                                 if (module->ModuleFunc)
00303                                         module->ModuleFunc(PacketSlot);
00304                         module = module->Next;
00305                 }
00306         } else {        /* no DecoderData generated by this decoder */
00307                 /* mark all the rules that depend on this decoder 
00308                    as inactive */
00309                 NotAndBitFields(p->RuleBits, Globals.Decoders[DecoderID].DependencyMask, p->RuleBits, Globals.NumRules);
00310                 return TRUE;
00311         }               
00312         
00313         /* check to see if there are any rules left */
00314         if (!BitFieldIsEmpty(p->RuleBits, Globals.NumRules)) {
00315                 DBG( PRINTERROR("There are rules left\n") );
00316         } else {
00317                 DBG( PRINTERROR("All rules have been eliminated\n") );
00318                 return TRUE;
00319         }
00320 
00321         /*apply the bound decoders*/
00322         child = Globals.Decoders[DecoderID].Children;
00323         while (child) {
00324                 if (!Decode(child->ID, PacketSlot)) {
00325                         PRINTERROR1("Decoder %s failed\n", child->Name);
00326                 }
00327                 child = child->NextChild;
00328         }       
00329         
00330         return TRUE;
00331 }
00332 
00333 /****************************************************
00334 * Add a dependency to the decoder
00335 * If a decoder fails, all the dependencies fail also
00336 * Used for fast pruning
00337 ****************************************************/
00338 int DecoderSetDependency(int DecoderID, int TestID)
00339 {
00340 #ifdef DEBUGPATH
00341         printf("In DecoderSetDependency\n");
00342 #endif
00343         
00344         if (TestID > Globals.NumRules) return FALSE;
00345         
00346         SetBit(Globals.Decoders[DecoderID].DependencyMask, Globals.NumRules, TestID, 1);
00347         return TRUE;
00348 }
00349 
00356 int GetDataByID(int PacketSlot, int DecoderID, void** data)
00357 {
00358         int             i;
00359         PacketRec*      p;
00360 
00361         DEBUGPATH;
00362 
00363         p = &Globals.Packets[PacketSlot];
00364 
00365         for (i = p->NumDecoderData-1; i >= 0; i--) {
00366                 if (p->DecoderInfo[i].DecoderID == DecoderID) {
00367                         if (!p->DecoderInfo[i].Data) {
00368                                 PRINTERROR1("Decoder Data %i was NULL\n", DecoderID);
00369                                 *data = NULL;
00370                                 return FALSE;
00371                         } else {
00372                                 *data = p->DecoderInfo[i].Data;
00373                                 return TRUE;
00374                         }
00375                 }
00376         }
00377 
00378         DBG( PRINTERROR1("Decoder Data %i not found\n",DecoderID) );
00379         
00380         return FALSE;
00381 }