HLBR: decoders/decode.c File Reference

int CreateDecoder ( char * Name )

Allocate a decoder

Definition at line 86 of file decode.c.

References DBG, DEBUGPATH, DECODER_NONE, global_vars::Decoders, GetDecoderByName(), Globals, decoder_rec::ID, MAX_NAME_LEN, decoder_rec::Name, global_vars::NumDecoders, and PRINTERROR2.

Referenced by InitDecoderARP(), InitDecoderDNS(), InitDecoderEthernet(), InitDecoderICMP(), InitDecoderInterface(), InitDecoderIP(), InitDecoderIPDefrag(), InitDecoderTCP(), InitDecoderTCPStream(), and InitDecoderUDP().

int Decode	(	int	DecoderID,
		int	PacketSlot
	)

Apply a decoder (and child decoders, rules, and modules) to a packet. This is one of the main functions responsible for everything HLBR does; the other is ProcessPacket(). Decode will travel down the decoder tree, starting at the given decoder, and applying the child decoders, as well as tests and modules.

Returns:: FALSE if an error occurs (but not if a child decoder fails)

Remarks:

Basically this is what Decode does:

Gets the function for the requested decoder (DecodeFunc) and applies it; the data produced by this function will be accessible by a pointer in the corresponding DecoderData structure (every packet have an array of DecoderData structs so the decoders can put their data there).
If the decoder generated data: applies all tests linked to this decoder (see BindTestToDecoder() ), and then run the linked modules (currently not used in HLBR).
If the decoder did NOT generate data: mark all rules (packet_rec::RuleBits) that depend on this decoder as inactive (that means, didn't match the packet), without testing them, and leaves
Then, test if all rules were already tested (RuleBits), and if so, leaves (there is no need to apply more decoders)
Traverse the list of child decoders, calling them with this same function

Note that the actions defined in the configuration aren't executed here. They're executed by ProcessPacket(), after calling Decode().

Definition at line 259 of file decode.c.

References decoder_rec::Active, test_rec::Active, module_rec::Active, BitFieldIsEmpty(), decoder_rec::Children, decoder_data::Data, DBG, DEBUGPATH, Decode(), decoder_rec::DecodeFunc, decoder_data::DecoderID, packet_rec::DecoderInfo, global_vars::Decoders, decoder_rec::DependencyMask, FALSE, Globals, decoder_rec::ID, MAX_DECODER_DEPTH, module_rec::ModuleFunc, decoder_rec::Modules, decoder_rec::Name, test_rec::Next, module_rec::Next, decoder_rec::NextChild, NotAndBitFields(), packet_rec::NumDecoderData, global_vars::NumRules, global_vars::Packets, PRINTERROR, PRINTERROR1, packet_rec::RuleBits, test_rec::TestFunc, test_rec::TestNodes, decoder_rec::Tests, and TRUE.

Referenced by Decode(), and ProcessPacket().

int DecoderAddDecoder	(	int	ParentDecoderID,
		int	ChildDecoderID
	)

Add a decoder to another decoder Link a decoder to a previous created decoder, so it's called after it. Example: the TCP decoder should be linked to the IP decoder

Returns:: TRUE if decoder was added succesfully, otherwise FALSE

Definition at line 158 of file decode.c.

References decoder_rec::Children, DEBUGPATH, global_vars::Decoders, FALSE, Globals, decoder_rec::ID, decoder_rec::NextChild, decoder_rec::Parent, PRINTERROR2, and TRUE.

Referenced by InitDecoderARP(), InitDecoderDNS(), InitDecoderEthernet(), InitDecoderICMP(), InitDecoderIP(), InitDecoderIPDefrag(), InitDecoderTCP(), InitDecoderTCPStream(), and InitDecoderUDP().

int DecoderAddModule	(	int	DecoderID,
		int	ModuleID
	)

Add a new module to a decoder Modules are linked to decoders, so they're called after the decoder finishes its job.

Returns:: TRUE if module was added succesfully, otherwise FALSE

Definition at line 199 of file decode.c.

References DEBUGPATH, module_rec::DecoderID, global_vars::Decoders, FALSE, Globals, module_rec::ID, global_vars::Modules, decoder_rec::Modules, module_rec::Next, PRINTERROR2, and TRUE.

int DecoderAddTest	(	int	DecoderID,
		int	TestID
	)

Add a new test to a decoder Each test defined in the rules files is read in the appropriate struct and then linked to the corresponding decoder struct.

Returns:: TRUE if test was added succesfully, otherwise FALSE

Definition at line 117 of file decode.c.

References DEBUGPATH, test_rec::DecoderID, global_vars::Decoders, FALSE, Globals, test_rec::ID, test_rec::Next, PRINTERROR2, global_vars::Tests, decoder_rec::Tests, and TRUE.

Referenced by BindTestToDecoder().

int DecoderSetDependency	(	int	DecoderID,
		int	TestID
	)

Definition at line 338 of file decode.c.

References global_vars::Decoders, decoder_rec::DependencyMask, FALSE, Globals, global_vars::NumRules, SetBit(), and TRUE.

Referenced by TestAddNode().

int GetDataByID	(	int	PacketSlot,
		int	DecoderID,
		void **	data
	)

Get a particular decoder's data record, given its number Searches through the DecoderInfo array of DecoderData structs, looking for one that have the decoder number (DecoderID)

Returns:: FALSE if it fails (pointer to DecoderData in data parameter)

Definition at line 356 of file decode.c.

References decoder_data::Data, DBG, DEBUGPATH, decoder_data::DecoderID, packet_rec::DecoderInfo, FALSE, Globals, NULL, packet_rec::NumDecoderData, global_vars::Packets, PRINTERROR1, and TRUE.

Referenced by ApplyMessage(), AssignSessionTCP(), BNSAction(), DecodeARP(), DecodeDNS(), DecodeICMP(), DecodeIP(), DecodeIPDefrag(), DecodeTCP(), DecodeTCPStream(), DecodeUDP(), HandleARPPacket(), HandleIPPacket(), ProcessPacket(), RebuildPacket(), RouteARP(), RouteBNS(), RouteBroadcast(), RouteDIP(), RouteMacFilter(), RouteSIP(), RouteSIPAction(), TestIPDst(), TestIPSrc(), TestIPTTL(), TestTCPDst(), TestTCPDstOld(), TestTCPFlags(), TestUDPDst(), and TestUDPSrc().

int GetDecoderByName ( char * Name )

Given a Decoder's name, return its ID

Definition at line 31 of file decode.c.

References DEBUGPATH, DECODER_NONE, global_vars::Decoders, Globals, decoder_rec::Name, and global_vars::NumDecoders.

Referenced by ApplyMessage(), BindTestToDecoder(), CreateDecoder(), InitActionBNS(), InitActionRouteSIP(), InitDecoderARP(), InitDecoderDNS(), InitDecoderEthernet(), InitDecoderICMP(), InitDecoderIP(), InitDecoderIPDefrag(), InitDecoders(), InitDecoderTCP(), InitDecoderTCPStream(), InitDecoderUDP(), InitMacFilter(), InitRouteBNS(), InitRouteBroadcast(), InitRouteDIP(), InitRouteSIP(), InitSession(), InitTestEthernetDst(), InitTestEthernetSrc(), InitTestEthernetType(), InitTestICMPCode(), InitTestICMPType(), InitTestInterfaceName(), InitTestIPCheck(), InitTestIPDst(), InitTestIPProto(), InitTestIPSrc(), InitTestIPTTL(), InitTestTCPContent(), InitTestTCPDst(), InitTestTCPFlags(), InitTestTCPListContent(), InitTestTCPListNoCase(), InitTestTCPNoCase(), InitTestTCPOffset(), InitTestTCPPort(), InitTestTCPRegExp(), InitTestTCPSrc(), InitTestUDPContent(), InitTestUDPDst(), InitTestUDPNoCase(), InitTestUDPRegExp(), InitTestUDPSrc(), and ParseDecoderLine().

int InitDecoders ( )

Set up the initial decoder tree

Definition at line 47 of file decode.c.

References decoder_rec::Active, DEBUGPATH, DECODER_NONE, global_vars::DecoderRoot, global_vars::Decoders, FALSE, GetDecoderByName(), Globals, InitDecoderARP(), InitDecoderDNS(), InitDecoderEthernet(), InitDecoderICMP(), InitDecoderInterface(), InitDecoderIP(), InitDecoderIPDefrag(), InitDecoderTCP(), InitDecoderUDP(), PRINTERROR, and TRUE.

Referenced by main().

GlobalVars Globals

Definition at line 41 of file hlbr.c.

decoders/decode.c File Reference

Functions

Variables

Function Documentation

Variable Documentation


Functions
int	GetDecoderByName (char *Name)
int	InitDecoders ()
int	CreateDecoder (char *Name)
int	DecoderAddTest (int DecoderID, int TestID)
int	DecoderAddDecoder (int ParentDecoderID, int ChildDecoderID)
int	DecoderAddModule (int DecoderID, int ModuleID)
int	Decode (int DecoderID, int PacketSlot)
int	DecoderSetDependency (int DecoderID, int TestID)
int	GetDataByID (int PacketSlot, int DecoderID, void **data)
Variables
GlobalVars	Globals