Each dynamic detection engine library must define the following functions.
This function returns the metadata for the shared library.
This function initializes the data structure for use by the engine.
The sample code provided with Snort predefines those functions and defines the following APIs to be used by a dynamic rules library.
This is the function to iterate through each rule in the list and initialize it: set up content searches and PCRE evaluation data, and register flowbits.
This is the function to iterate through each rule in the list and write a rule stub to be used by Snort to control the action of the rule (alert, log, drop, etc).
This is the function to evaluate a rule if the rule does not have its own Rule Evaluation Function. This uses the individual functions outlined below for each of the rule options and handles repetitive content issues.
Each of the functions below returns RULE_MATCH if the option matches based on the current criteria (cursor position, etc).
This function evaluates a single content for a given packet, checking for the existence of that content as delimited by ContentInfo and cursor. Cursor position is updated and returned in *cursor.
With a text rule, the within option corresponds to depth, and the distance option corresponds to offset.
This function evaluates the flow for a given packet.
This function extracts the bytes from a given packet, as specified by ByteExtract and delimited by cursor. The extracted value is stored in the ByteExtract memoryLocation parameter.
This function evaluates the flowbits for a given packet, as specified by FlowBitsInfo. It will interact with flowbits used by text-based rules.
This function adjusts the cursor as delimited by CursorInfo. New cursor position is returned in *cursor. It handles bounds checking for the specified buffer and returns RULE_NOMATCH if the cursor is moved out of bounds.
It is also used by contentMatch, byteJump, and pcreMatch to adjust the cursor position after a successful match.
This function validates that the cursor is within bounds of the specified buffer.
This function compares the value to the value stored in ByteData.
This is a wrapper for extractValue() followed by checkValue().
This is a wrapper for extractValue() followed by setCursor().
This function evaluates a single pcre for a given packet, checking for the existence of the expression as delimited by PCREInfo and cursor. Cursor position is updated and returned in *cursor.
This function evaluates an ASN.1 check for a given packet, as delimited by Asn1Context and cursor.
This function evaluates the given packet's protocol headers, as specified by HdrOptCheck.
This function iterates through the SubRule of LoopInfo, as delimited by LoopInfo and cursor. Cursor position is updated and returned in *cursor.
This function evaluates the preprocessor-defined option, as specified by PreprocessorOption. Cursor position is updated and returned in *cursor.
This function is used when handling repetitive contents to save a cursor position temporarily so that it can be reset at a later point.
This function is used to revert to a previously saved temporary cursor position.
Note:
If you decide to write your own rule evaluation function, patterns that occur more than once may result in false negatives. Take extra care to handle this situation and search for the matched pattern again if subsequent rule options fail to match. This should be done for both content and PCRE options.
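The false negative described in the note, shown as a constructed, self-contained C model added here (it is not Snort's code and does not use its headers; content_match, content_within, eval_naive, eval_retry and kPayload are invented for the illustration, while RULE_MATCH/RULE_NOMATCH and the cursor-by-pointer shape follow the API described above). eval_naive commits to the first occurrence of a repeated content; eval_retry saves and restores the cursor the way setTempCursor/revertTempCursor are used and re-searches.

```c
/* Constructed model of the note above (not Snort's code, no Snort headers):
 * same RULE_MATCH/RULE_NOMATCH convention and cursor-by-pointer shape. */
#include <string.h>
#define RULE_MATCH   1
#define RULE_NOMATCH 0

/* content:"pat": search from *cursor to the end of the payload and leave
 * *cursor just past the match, as contentMatch does for a text rule. */
static int content_match(const unsigned char *payload, size_t len,
                         const char *pat, size_t *cursor)
{
    size_t plen = strlen(pat);
    for (size_t i = *cursor; i + plen <= len; i++)
        if (memcmp(payload + i, pat, plen) == 0) { *cursor = i + plen; return RULE_MATCH; }
    return RULE_NOMATCH;
}

/* content:"pat"; distance:0; within:N: the pattern must lie entirely
 * inside the N bytes that follow the current cursor. */
static int content_within(const unsigned char *payload, size_t len,
                          const char *pat, size_t within, size_t *cursor)
{
    size_t end = (len - *cursor > within) ? *cursor + within : len;
    return content_match(payload, end, pat, cursor);
}

/* Naive evaluation: commits to the first "AA" and gives up when no "B"
 * follows within 2 bytes, although a later "AA" satisfies the rule. */
static int eval_naive(const unsigned char *payload, size_t len)
{
    size_t cursor = 0;
    if (content_match(payload, len, "AA", &cursor) != RULE_MATCH) return RULE_NOMATCH;
    return content_within(payload, len, "B", 2, &cursor);
}

/* Corrected evaluation: save the cursor (setTempCursor), and when the trailing
 * option fails restore it (revertTempCursor) and look for the next "AA". */
static int eval_retry(const unsigned char *payload, size_t len)
{
    size_t cursor = 0;
    while (content_match(payload, len, "AA", &cursor) == RULE_MATCH) {
        size_t temp = cursor;
        if (content_within(payload, len, "B", 2, &cursor) == RULE_MATCH) return RULE_MATCH;
        cursor = temp;   /* resume the "AA" search just past the previous hit */
    }
    return RULE_NOMATCH;
}

/* Constructed payload: "AA" occurs twice; only the second is followed by "B". */
static const unsigned char kPayload[] = "AAxxxxxxxxxxAAB";
#define kPayloadLen (sizeof(kPayload) - 1)
```

On kPayload, eval_naive returns RULE_NOMATCH (the false negative) while eval_retry returns RULE_MATCH; the same retry is needed for PCRE options.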