snort规则解析


  1. Snort的规则共有五个分类:alert, log, pass, activate, dynamic

/*
 * One node of the first-level rule list.  The page describes this level as
 * a one-dimensional list keyed by rule action (alert, log, pass, activate,
 * dynamic); each node owns the ListHead holding that action's rules.
 */
typedef struct _RuleListNode
{
   ListHead *RuleList;          /* The rule list associated with this node */
   int mode;                    /* the rule mode */
   int rval;                    /* 0 == no detection, 1 == detection event */
   int evalIndex;               /* eval index for this rule set */
   char *name;                  /* name of this rule list (for debugging);
                                   who allocates/frees it is not shown here */
   struct _RuleListNode *next;  /* the next RuleListNode */
} RuleListNode;

 

首层链表即根据五个动作连成的一维链表。

 

二.每种动作又按照协议来分,于是就有第二层数据结构:

/*
 * Second-level container for one rule action.  The rule tree heads are split
 * by protocol (IP / TCP / UDP / ICMP); the two output chains and the
 * ruleListNode pointer tie the container back to its action.
 */
typedef struct _ListHead
{
   RuleTreeNode *IpList;               /* head of the IP rule tree (RTN chain) */
   RuleTreeNode *TcpList;              /* head of the TCP rule tree */
   RuleTreeNode *UdpList;              /* head of the UDP rule tree */
   RuleTreeNode *IcmpList;             /* head of the ICMP rule tree */
   struct _OutputFuncNode *LogList;    /* output functions; presumably run for log actions */
   struct _OutputFuncNode *AlertList;  /* output functions; presumably run for alert actions */
   struct _RuleListNode *ruleListNode; /* NOTE(review): looks like a back-pointer to the
                                          owning RuleListNode -- confirm against the parser */
} ListHead;

 

 

三.除了动作、协议外还有地址、端口、数据流方向,又形成第三层数据结构(RTN):

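/*
 * Rule Tree Node (RTN): the header part of a rule -- source/destination
 * address sets, source/destination port ranges (with negation flags) and the
 * match functions.  RTNs are chained through `right`; the rule options that
 * belong to an RTN hang off `down` as OptTreeNodes.
 *
 * The original listing had the `flags` member collapsed into `u_int32_tflags;`
 * (a missing space), which is not a valid declaration; restored here to match
 * the `u_int32_t` type used by the neighbouring structures.
 */
typedef struct _RuleTreeNode
{
   RuleFpList *rule_func;  /* match functions.. (Bidirectional etc.. ) */
   int head_node_number;
   int type;
   IpAddrSet *sip;         /* source address set */
   IpAddrSet *dip;         /* destination address set */
   int not_sp_flag;        /* not source port flag: negates the [lsp, hsp] range */
   u_short hsp;            /* hi src port */
   u_short lsp;            /* lo src port */
   int not_dp_flag;        /* not dest port flag: negates the [ldp, hdp] range */
   u_short hdp;            /* hi dest port */
   u_short ldp;            /* lo dest port */
   u_int32_t flags;        /* control flags (bit meanings not shown here) */

   /* stuff for dynamic rules activation/deactivation */
   int active_flag;
   int activation_counter;
   int countdown;
   ActivateList *activate_list;

   struct _RuleTreeNode *right;  /* ptr to the next RTN in the list */
   OptTreeNode *down;            /* list of rule options to associate with this
                                    rule node */
   struct _ListHead *listhead;   /* the ListHead this RTN belongs to */
} RuleTreeNode;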

 

right 指针将同一层的 RTN 节点连成链表；

down 指针指向第四层的数据节点，即规则选项（OTN）；

 

四.规则选项的结构定义OTN

/*
 * Option Tree Node (OTN): the option part of a rule (the fourth level of the
 * structure).  An OTN hangs off its RuleTreeNode's `down` pointer and links to
 * sibling options through `next`; `rtn` / `proto_node` point back to the
 * header part.
 */
typedef struct _OptTreeNode
{
   /* plugin/detection functions go here */
   OptFpList *opt_func;
   RspFpList *rsp_func;          /* response functions */
   OutputFuncNode *outputFuncs;  /* per sid enabled output functions */

   /* the ds_list is absolutely essential for the plugin system to work,
      it allows the plugin authors to associate "dynamic" data structures
      with the rule system, letting them link anything they can come up
      with to the rules list */
   void *ds_list[64];  /* list of plugin data struct pointers; fixed capacity of
                          64 slots, so any index into it must be bounds-checked
                          by the caller (how it is indexed is not shown here) */

   int chain_node_number;

   int type;           /* what do we do when we match this rule */
   int evalIndex;      /* where this rule sits in the evaluation sets */

   int proto;          /* protocol, added for integrity checks
                          during rule parsing */
   struct _RuleTreeNode *proto_node; /* ptr to head part... */
   int session_flag;   /* record session data */

   char *logto;        /* log file in which to write packets which
                          match this rule (path taken from the rule text;
                          ownership not shown here) */
   /* metadata about signature */
   SigInfo sigInfo;

   u_int8_t stateless;     /* this rule can fire regardless of session state */
   u_int8_t established;   /* this rule can only fire if it is established */
   u_int8_t unestablished; /* NOTE(review): presumably the converse of
                              `established` -- confirm against the matcher */

   Event event_data;
   TagData *tag;
   /* stuff for dynamic rules activation/deactivation */
   int active_flag;
   int activation_counter;
   int countdown;
   int activates;
   int activated_by;
   u_int8_t threshold_type;  /* type of threshold we're watching */
   u_int32_t threshold;      /* number of events between alerts */
   u_int32_t window;         /* number of seconds before threshold times out */
   struct _OptTreeNode *OTN_activation_ptr; /* SetLinks(Activation.TcpList, Dynamic.TcpList) */
   struct _RuleTreeNode *RTN_activation_ptr;
   struct _OptTreeNode *next;     /* next option node under the same RTN */
   struct _RuleTreeNode *rtn;     /* header part this option belongs to */
   struct _OptTreeNode *nextSoid;
   u_int8_t failedCheckBits;      /* 8-bit field; presumably a bitmask of failed checks */
   int rule_state; /* Enabled or Disabled */
#ifdef PERF_PROFILING
   /* per-rule profiling counters, only compiled in with PERF_PROFILING */
   UINT64 ticks;
   UINT64 ticks_match;
   UINT64 ticks_no_match;
   u_int32_t checks;
   u_int32_t matches;
   u_int32_t alerts;
   u_int8_t noalerts;
#endif
} OptTreeNode;

 

