decoders/decode.h File Reference

#include "../config.h"
#include "../engine/hlbr.h"

Go to the source code of this file.

Defines

#define DECODER_NONE   -1

Functions

int InitDecoders ()
int GetDecoderByName (char *Name)
int CreateDecoder (char *Name)
int DecoderAddTest (int DecoderID, int TestID)
int DecoderAddDecoder (int ParentDecoderID, int ChildDecoderID)
int DecoderAddModule (int DecoderID, int ModuleID)
int Decode (int DecoderID, int PacketSlot)
int DecoderSetDependency (int DecoderID, int TestID)
int GetDataByID (int PacketSlot, int DecoderID, void **data)


Define Documentation

#define DECODER_NONE   -1

Definition at line 7 of file decode.h.

Referenced by BindTestToDecoder(), CreateDecoder(), GetDecoderByName(), InitDecoderARP(), InitDecoderDNS(), InitDecoderEthernet(), InitDecoderICMP(), InitDecoderInterface(), InitDecoderIP(), InitDecoderIPDefrag(), InitDecoders(), InitDecoderTCP(), InitDecoderTCPStream(), InitDecoderUDP(), InitMacFilter(), InitRouteBNS(), InitRouteBroadcast(), InitRouteDIP(), InitRouteSIP(), and ParseDecoderLine().


Function Documentation

int CreateDecoder ( char *  Name  ) 

Allocate a decoder

Definition at line 86 of file decode.c.

References DBG, DEBUGPATH, DECODER_NONE, global_vars::Decoders, GetDecoderByName(), Globals, decoder_rec::ID, MAX_NAME_LEN, decoder_rec::Name, global_vars::NumDecoders, and PRINTERROR2.

Referenced by InitDecoderARP(), InitDecoderDNS(), InitDecoderEthernet(), InitDecoderICMP(), InitDecoderInterface(), InitDecoderIP(), InitDecoderIPDefrag(), InitDecoderTCP(), InitDecoderTCPStream(), and InitDecoderUDP().

int Decode ( int  DecoderID,
int  PacketSlot 
)

Apply a decoder (and child decoders, rules, and modules) to a packet. This is one of the main functions responsible for everything HLBR does; the other is ProcessPacket(). Decode will travel down the decoder tree, starting at the given decoder, and applying the child decoders, as well as tests and modules.

Returns:
FALSE if an error occurs (but not if a child decoder fails)
Remarks:
Basically this is what Decode does:
  • Gets the function for the requested decoder (DecodeFunc) and applies it; the data produced by this function will be accessible by a pointer in the corresponding DecoderData structure (every packet have an array of DecoderData structs so the decoders can put their data there).
  • If the decoder generated data: applies all tests linked to this decoder (see BindTestToDecoder() ), and then run the linked modules (currently not used in HLBR).
  • If the decoder did NOT generate data: mark all rules (packet_rec::RuleBits) that depend on this decoder as inactive (that means, didn't match the packet), without testing them, and leaves
  • Then, test if all rules were already tested (RuleBits), and if so, leaves (there is no need to apply more decoders)
  • Traverse the list of child decoders, calling them with this same function

Note that the actions defined in the configuration aren't executed here. They're executed by ProcessPacket(), after calling Decode().

Definition at line 259 of file decode.c.

References module_rec::Active, test_rec::Active, decoder_rec::Active, BitFieldIsEmpty(), decoder_rec::Children, decoder_data::Data, DBG, DEBUGPATH, Decode(), decoder_rec::DecodeFunc, decoder_data::DecoderID, packet_rec::DecoderInfo, global_vars::Decoders, decoder_rec::DependencyMask, FALSE, Globals, decoder_rec::ID, MAX_DECODER_DEPTH, module_rec::ModuleFunc, decoder_rec::Modules, decoder_rec::Name, module_rec::Next, test_rec::Next, decoder_rec::NextChild, NotAndBitFields(), packet_rec::NumDecoderData, global_vars::NumRules, global_vars::Packets, PRINTERROR, PRINTERROR1, packet_rec::RuleBits, test_rec::TestFunc, test_rec::TestNodes, decoder_rec::Tests, and TRUE.

Referenced by Decode(), and ProcessPacket().

int DecoderAddDecoder ( int  ParentDecoderID,
int  ChildDecoderID 
)

Add a decoder to another decoder Link a decoder to a previous created decoder, so it's called after it. Example: the TCP decoder should be linked to the IP decoder

Returns:
TRUE if decoder was added succesfully, otherwise FALSE

Definition at line 158 of file decode.c.

References decoder_rec::Children, DEBUGPATH, global_vars::Decoders, FALSE, Globals, decoder_rec::ID, decoder_rec::NextChild, decoder_rec::Parent, PRINTERROR2, and TRUE.

Referenced by InitDecoderARP(), InitDecoderDNS(), InitDecoderEthernet(), InitDecoderICMP(), InitDecoderIP(), InitDecoderIPDefrag(), InitDecoderTCP(), InitDecoderTCPStream(), and InitDecoderUDP().

int DecoderAddModule ( int  DecoderID,
int  ModuleID 
)

Add a new module to a decoder Modules are linked to decoders, so they're called after the decoder finishes its job.

Returns:
TRUE if module was added succesfully, otherwise FALSE

Definition at line 199 of file decode.c.

References DEBUGPATH, module_rec::DecoderID, global_vars::Decoders, FALSE, Globals, module_rec::ID, decoder_rec::Modules, global_vars::Modules, module_rec::Next, PRINTERROR2, and TRUE.

int DecoderAddTest ( int  DecoderID,
int  TestID 
)

Add a new test to a decoder Each test defined in the rules files is read in the appropriate struct and then linked to the corresponding decoder struct.

Returns:
TRUE if test was added succesfully, otherwise FALSE

Definition at line 117 of file decode.c.

References DEBUGPATH, test_rec::DecoderID, global_vars::Decoders, FALSE, Globals, test_rec::ID, test_rec::Next, PRINTERROR2, decoder_rec::Tests, global_vars::Tests, and TRUE.

Referenced by BindTestToDecoder().

int DecoderSetDependency ( int  DecoderID,
int  TestID 
)

Definition at line 338 of file decode.c.

References global_vars::Decoders, decoder_rec::DependencyMask, FALSE, Globals, global_vars::NumRules, SetBit(), and TRUE.

Referenced by TestAddNode().

int GetDataByID ( int  PacketSlot,
int  DecoderID,
void **  data 
)

Get a particular decoder's data record, given its number Searches through the DecoderInfo array of DecoderData structs, looking for one that have the decoder number (DecoderID)

Returns:
FALSE if it fails (pointer to DecoderData in data parameter)

Definition at line 356 of file decode.c.

References decoder_data::Data, DBG, DEBUGPATH, decoder_data::DecoderID, packet_rec::DecoderInfo, FALSE, Globals, NULL, packet_rec::NumDecoderData, global_vars::Packets, PRINTERROR1, and TRUE.

Referenced by ApplyMessage(), AssignSessionTCP(), BNSAction(), DecodeARP(), DecodeDNS(), DecodeICMP(), DecodeIP(), DecodeIPDefrag(), DecodeTCP(), DecodeTCPStream(), DecodeUDP(), HandleARPPacket(), HandleIPPacket(), ProcessPacket(), RebuildPacket(), RouteARP(), RouteBNS(), RouteBroadcast(), RouteDIP(), RouteMacFilter(), RouteSIP(), RouteSIPAction(), TestIPDst(), TestIPSrc(), TestIPTTL(), TestTCPDst(), TestTCPDstOld(), TestTCPFlags(), TestUDPDst(), and TestUDPSrc().

int GetDecoderByName ( char *  Name  ) 

Given a Decoder's name, return its ID

Definition at line 31 of file decode.c.

References DEBUGPATH, DECODER_NONE, global_vars::Decoders, Globals, decoder_rec::Name, and global_vars::NumDecoders.

Referenced by ApplyMessage(), BindTestToDecoder(), CreateDecoder(), InitActionBNS(), InitActionRouteSIP(), InitDecoderARP(), InitDecoderDNS(), InitDecoderEthernet(), InitDecoderICMP(), InitDecoderIP(), InitDecoderIPDefrag(), InitDecoders(), InitDecoderTCP(), InitDecoderTCPStream(), InitDecoderUDP(), InitMacFilter(), InitRouteBNS(), InitRouteBroadcast(), InitRouteDIP(), InitRouteSIP(), InitSession(), InitTestEthernetDst(), InitTestEthernetSrc(), InitTestEthernetType(), InitTestICMPCode(), InitTestICMPType(), InitTestInterfaceName(), InitTestIPCheck(), InitTestIPDst(), InitTestIPProto(), InitTestIPSrc(), InitTestIPTTL(), InitTestTCPContent(), InitTestTCPDst(), InitTestTCPFlags(), InitTestTCPListContent(), InitTestTCPListNoCase(), InitTestTCPNoCase(), InitTestTCPOffset(), InitTestTCPPort(), InitTestTCPRegExp(), InitTestTCPSrc(), InitTestUDPContent(), InitTestUDPDst(), InitTestUDPNoCase(), InitTestUDPRegExp(), InitTestUDPSrc(), and ParseDecoderLine().

int InitDecoders (  ) 

Set up the initial decoder tree

Definition at line 47 of file decode.c.

References decoder_rec::Active, DEBUGPATH, DECODER_NONE, global_vars::DecoderRoot, global_vars::Decoders, FALSE, GetDecoderByName(), Globals, InitDecoderARP(), InitDecoderDNS(), InitDecoderEthernet(), InitDecoderICMP(), InitDecoderInterface(), InitDecoderIP(), InitDecoderIPDefrag(), InitDecoderTCP(), InitDecoderUDP(), PRINTERROR, and TRUE.

Referenced by main().


Generated on Sat Jul 7 23:33:10 2007 for HLBR by  doxygen 1.5.2