rlp.h

Go to the documentation of this file.

/** \file rlp.h 

  \brief Routines for parsing, writing and accessing rules.

******************************************************************************/

#ifndef _RLP
#define _RLP

#include "nm.h"
#include "pkt.h"
#include "q.h"

#ifdef __cplusplus 
extern "C" {
#endif


/**
  * \brief  Macros to help parse formulas
  * 
  */

#define RLP_SKIP_SPACE(s) while ( isspace(*s) ) s++;
#define RLP_SKIP_TEXT(s) while ( !isspace(*s) ) s++;

#define RLP_STRNCPY_TERMINATE( dest, src, N )  strncpy( dest, src, N ); dest[N] = '\0';

#define RLP_EXTRACT_FIELD( dest, tmpPtr, linePtr, tmpbuf ) \
  tmpPtr = strpbrk( linePtr, " \t" ); \
  RLP_STRNCPY_TERMINATE( tmpbuf, linePtr, tmpPtr - linePtr ); \
  dest = strdup( tmpbuf ); \
  RLP_SKIP_TEXT( linePtr ); SKIP_SPACE( linePtr );


/**
  * \brief  Types of operators allowed in formulas.
  * 
  * The types of nodes in a formula parse tree. ID
  * is for leaf nodes, all others are internal nodes.
  * 
  */

typedef enum
{
  Rlp_List_c,
  Rlp_Undef_c,
  Rlp_Ack_c,            /* <ack> {int, only 0 and 101058054 appear in the ruleset} */
  Rlp_Byte_Jump_c,      /* <bytes_to_convert>, <offset>, relative (use offset relative to 
                   last pattern match), align (round up the number of converted bytes 
                   to the next 32-bit boundary) {4 fields used in ruleset} */
  Rlp_Byte_Test_c,      /* <bytes_to_convert>, <operator>, <value>, <offset>, string, dec, 
                   relative, little {several others, but only these occur in practise */
  Rlp_Content_c,        /* [!] "<content string>" */
  Rlp_Depth_c,          /* <depth> {int, few occur in ruleset} */
  Rlp_Distance_c,       /* <byte count> {int, very few in ruleset } */
  Rlp_Dsize_c,          /* [<>]<number>[<><number>] {used to see payload size, none are checks 
                   on > and <} */
  Rlp_Flags_c,          /* [!:*:+]<FSRPAU120>[, <FSPRAU120>] {in ruleset, !, *, never occur, and + 
                   only occurs in A+, S+, and U+ } */
  Rlp_Fragbits_c,       /* [+-*]<[MDR]> {in ruleset, only M M+ MD and R appear} */
  Rlp_Icmp_Id_c,        /* <number> {int, few values appear in ruleset} */
  Rlp_Icmp_Seq_c,       /* <number> {int, only one (0) appears in ruleset} */
  Rlp_Icode_c,          /* [<>]<number>[<><number>] {only individual numbers appears in practise, 
                   each of 0-15} */
  Rlp_Id_c,         /* <number> {checks ip id field for specific value, 13170 242 3868 39426 413 
                   666 678 is the complete set} */
  Rlp_Ip_Proto_c,       /* [!><] <name or number> {only occurances are !1 !2 !47 !50 
                   !51 !6 !89 2} */
  Rlp_IpOpts_c,         /* <rr|eol|nop|ts|sec|lsrr|ssrr|satid|any> {ruleset has rr, lsrr, ssrr, lsrre - 
                   last must be a typo? } */
  Rlp_Itype_c,          /* [<>]<number>[<><number>] {looks for specific icmp message, 0-19, 30-40 
                   appear as singletons in ruleset} */
  Rlp_Nocase_c,         /* {no options} */
  Rlp_Offset_c,         /* <number> {used to tell where to start looking for pattern} */
  Rlp_Pcre_c,           /* <regexp> regexp in pcre format */
  Rlp_Rpc_c,            /* <app number>, [<vers number>|*], [<procedure number>|*> {SUN specific rpc 
                   services, only rpc:100009,*,* rpc:100083,*,* rpc:391029,*,* in ruleset} */
  Rlp_Sameip_c,         /* {no options, simply checks is srcip = dest ip} */
  Rlp_Seq_c,            /* <number> {int, check for tcp sequence number (0 101058054 1958810375 3868 
                   6060842 674711609 1675) are the ones appearing in the ruleset} */
  Rlp_Ttl_c,            /* [[<number>-]><=]<number> {ruleset only checks ttl:0 ttl:1 ttl:>220 } */
  Rlp_Uricontent_c,     /* [!] "<content string>" */
  Rlp_Within_c,         /* <number> {don't go more than X bytes past last match for current match} */
  Rlp_Interface_c,
  Rlp_Sample_c,
  Rlp_Tcp_c,
  Rlp_Udp_c,
  Rlp_Icmp_c,
  Rlp_Ip_c,
  Rlp_Num_c,
  Rlp_Text_c,
  Rlp_IpBlock_c,
  Rlp_PortUnion_c,
  Rlp_IpUnion_c,
  Rlp_Negation_c,
  Rlp_PortRange_c,
  Rlp_IpEntry_c,
  Rlp_Alert_c,
  Rlp_Define_c,
  Rlp_ClassOfService_c,
  Rlp_Any_c,
  Rlp_Generic_c
} Rlp_OperatorEnum_t;


/**
  * \brief  Node structure - basically a cons list
  * 
  * An Rlp formula is just a node struct.
  */

struct Rlp_Node_t
{
  Rlp_OperatorEnum_t type;
  struct Rlp_Node_t *lchild;
  struct Rlp_Node_t *rchild;
};

typedef struct Rlp_Node_t Rlp_Formula_t;


typedef util_attrib_val_t Rlp_RuleComponent_t;


/**
  * \brief  Struct to represent a single int entry
  * 
  * Struct to represent a single int entry
  * 
  */


struct RlpIntAttribute_t
{
  int intEntry;
};

typedef struct RlpIntAttribute_t Rlp_IntAttribute_t;


/**
  * \brief  Sampling threshold.
  * 
  */

struct Rlp_SampleAttribute_t
{
  double threshold;
};

typedef struct Rlp_SampleAttribute_t Rlp_SampleAttribute_t;

/**
  * \brief  Interface to check against.
  * 
  */

struct Rlp_IfAttribute_t
{
  char *ifName;
  Pkt_LibPcap_t *interface;
};

typedef struct Rlp_IfAttribute_t Rlp_IfAttribute_t;


/**
  * \brief  TCP ack value  to check against.
  * 
  * TCP ack value to check against. Single number.
  * 
  * Implementation [2 mins - scanf call
  * 
  */


struct Rlp_AckAttribute_t
{
  u_int32_t ackValue;
};

typedef struct Rlp_AckAttribute_t Rlp_AckAttribute_t;

/** \brief  Byte jump operation.
  
  Byte jump operation.  Grab some number of bytes, 
  convert them to their numeric representation, 
  jump the doe_ptr up that many bytes.  
  
  All Examples: 
  <pre>
  byte_jump:4,12,relative,align 
  byte_jump:4,20,relative,align
  byte_jump:4,4,relative,align 
  </pre>
  
  Format
 
<pre>
    byte_jump: <bytes_to_convert>, <offset>
    [, [relative],[big],[little],[string],[hex],[dec],[oct],[align]] 
</pre>
    
  * Implementation: two scanfs for the num bytes and offset, then scanf strings setting
  * the relative, big, little, string, etc. - 5 mins
  * 
  */


struct Rlp_ByteJumpAttribute_t
{
  int bytesToConvert;
  int offset;
  bool relative;
  bool useLittleEndian;     // default is big endian
  bool isString;        // data is stored in string packet format
  bool isHex;           // converted string data is represented in hex
  bool isDec;           // converted string data is represented in decimal
  bool isOct;           // converted string data is represented in oct
  bool doAlign;         // convert the number of converted bytes upto the next 32-bit bndry
};

typedef struct Rlp_ByteJumpAttribute_t Rlp_ByteJumpAttribute_t;


/** \brief  Byte test operation.
 
  Byte test operation.  Test a byte field against
  a specific value (with operator).  
  
  All Examples: 
  <pre>
  byte_test:1,>,6,2
  byte_test:1,>,7,1
  byte_test:2,>,1024,0,relative,little
  byte_test:4,>,100,20,relative
  byte_test:4,>,1000,28,relative
  byte_test:4,>,1024,20,relative
  byte_test:4,>,128,20,relative
  byte_test:4,>,128,8,relative
  byte_test:4,>,512,16,relative
  byte_test:4,>,512,240,relative
  byte_test:5,>,256,0,string,dec,relative 
  </pre>
  
  Format

<pre>
    byte_test: <bytes_to_convert>, <operator>, <value>, <offset> \
    [, [relative],[big],[little],[string],[hex],[dec],[oct]
</pre>
    
  */


struct Rlp_ByteTestAttribute_t
{
  int bytesToConvert;
  char check;       // can be one of '<' , '>' , '=' , '!'
  int value;            // value to test the converted value against
  int offset;           // number of bytes into the payload to being processing
  bool relative;        // use an offset relative to the last pattern match
  bool useLittleEndian;     // default is big endian
  bool isString;        // data is stored in string packet format
  bool isHex;           // converted string data is represented in hex
  bool isDec;           // converted string data is represented in decimal
  bool isOct;           // converted string data is represented in oct
};

typedef struct Rlp_ByteTestAttribute_t Rlp_ByteTestAttribute_t;


/**
  * \brief  Content to test for.
  * 
  This test is case sensitive. 
  
 The option data for the content keyword is somewhat complex; it can contain mixed
 text and binary data. 
 
The binary data is generally enclosed within the pipe (|)
character and represented as bytecode.  Bytecode represents binary data as
hexadecimal numbers and is a good shorthand method for describing complex
binary data. 

Multiple content rules can be specified in one rule. This allows rules to 
be tailored for less false positives. 

The following characters must be escaped inside a content rule: : ; \ " 

If the rule is preceded by a !, the alert will be triggered on 
packets that do not contain this content. 

This is useful when writing rules that want to alert on packets
that do not match a certain pattern 

Examples:

  <pre>
    alert tcp any any -> 192.168.1.0/24 143 (content:"|90C8 C0FF FFFF|/bin/sh"; msg:"IMAP buffer overflow!";)  # illustrates mixed bytecode and test
    
    alert tcp any any -> 192.168.1.0/24 21 (content: !"GET"; depth: 3; nocase; dsize: >100; msg: "Long Non-Get FTP command!";) # illustrates negation 
    </pre>
    
  Implementation need to split the byte code non bytecode - keep a array
  of individual strings.  then de-escape the escaped chars,
  stitch together on the regular strings, convert the
  bytecodes, join together.  
  
 How is escaped 0 dealt with? it must be byte code, since otherwise
 the original string would be broken. 30mins
*/



struct Rlp_ContentAttribute_t
{
  util_byte_array_t *byteArray;
  bool negated;
};

typedef struct Rlp_ContentAttribute_t Rlp_ContentAttribute_t;


/**
  * \brief  Sets maximum search depth for the content pattern match
  * to search from beginning of region.
  * 
  * Sets maximum search depth for the content pattern match
  * to search from beginning of region.
  * 
  * Example: alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF access";) 
  * 
  * Implementation [ 2mins - just a scanf
  * 
  */


struct Rlp_DepthAttribute_t
{
  int depth;
};

typedef struct Rlp_DepthAttribute_t Rlp_DepthAttribute_t;


/**
  * \brief  Look for at least N bytes between pattern matches using content.
  * 
  * Look for at least N bytes between pattern matches using content.
  * 
  * The rule listed below maps to a regular expression of ABCDE.{1}EFGH
  * 
  <pre>
  alert tcp any any -> any any (content: "2 Patterns"; content: "ABCDE"; content: "EFGH"; distance: 1;) 
  </pre>
  
  * Implementation: 2mins - just a scanf
  * 
  */


struct Rlp_DistanceAttribute_t
{
  int byteCount;
};

typedef struct Rlp_DistanceAttribute_t Rlp_DistanceAttribute_t;


/**
  * \brief  The dsize option is used to test the packet payload size. 
  * It may be set to any value, plus use the greater than/less than signs to
  * indicate ranges and limits.
  * 
  * For example, if you know that a certain
  * service has a buffer of a certain size, you can set this option to watch
  * for attempted buffer overflows. It has the added advantage of being a much
  * faster way to test for a buffer overflow than a payload content check.
  * This can also be used to check a range of values. For example, dsize:
  * 400<>500 will return all the packets from 400 to 500 bytes in their
  * payload section.
  * 
  * These checks always will return false on a stream
  * rebuilt packet. 
  * 
  * Format dsize: \[<>\]<number>\[<><number>]\ 
  * (The > and < operators are optional)
  * 
  * In all the rules I saw, the size checks were equal, <, or >:
  * 
  * Some examples:
  * 
  <pre>
  dsize: 0
  dsize: 20
  dsize: < 25
  dsize: <5
  dsize: >1
  dsize: >1000
  dsize: >800
  dsize:0
  dsize:1
  dsize:10
  dsize:>1023
  dsize:>1092
  </pre>
  * 
  * Implementation [ 5 mins - just a test if numeric, scanf once or twice
  * 
  */


struct Rlp_DsizeAttribute_t
{
  bool greaterThan;
  bool lessThan;
  int dsize;
};

typedef struct Rlp_DsizeAttribute_t Rlp_DsizeAttribute_t;


/**
  * \brief  Possible ack flag values.
  * 
  * Possible ack flag values.  A flag check may be
  * 0, 1, or don't care.
  * 
  */


typedef enum
{
  zero_c,
  one_c,
  X_c
} Rlp_FlagType_t;



/**
  * \brief  Test the TCP flags for a match
  * 
  * Test the TCP flags for a match. 
  * 
  * There are actually 9 flags variables
  <pre>
    F FIN (LSB in TCP Flags byte) 
    S SYN 
    R RST 
    P PSH 
    A ACK 
    U URG 
    2 Reserved bit 2 
    1 Reserved bit 1 (MSB in TCP Flags byte) 
    0 No TCP Flags Set 
    </pre>
  * 
  * There are also logical operators that can be used to specify matching
  * criteria for the indicated flags: 
  * 
  * + ALL flag, match on all specified flags plus any others 
  * * ANY flag, match on any of the specified flags 
  * ! NOT flag, match if the specified flags aren't set in the packet 
  * 
  * The reserved bits can be used to detect unusual behavior, such as IP stack
  * fingerprinting attempts or other suspicious activity. 
  * 
  * A SYN-FIN scan detection rule: 
  * 
  * alert any any -> 192.168.1.0/24 any (flags: SF,12; msg: "Possible SYN FIN
  * scan";)
  * 
  * To handle writing rules for session initiation packets such as ECN 
  * where a SYN packet is sent with the previously reserved bits 12 set, 
  * an option mask may be specified. A rule could check for a 
  * flags value of S,12 if one wishes to find syn packets
  * regardless of the values of the reserved bits. 
  * 
  * Format flags: <flag values>[,mask value];
  * 
  * This is the entire list:
 
 <pre>
    flags:0
    flags:A
    flags:A+
    flags:F
    flags:FPU
    flags:PA
    flags:PA12
    flags:S
    flags:S+
    flags:SF12
    flags:SFU12
    flags:SA
    flags:SF
    flags:SFP
    flags:SFPU
    flags:SRAFPU
    flags:U+ 
    </pre>
    
  */


struct Rlp_FlagsAttribute_t
{
  Rlp_FlagType_t F;
  Rlp_FlagType_t S;
  Rlp_FlagType_t R;
  Rlp_FlagType_t P;
  Rlp_FlagType_t A;
  Rlp_FlagType_t U;
  Rlp_FlagType_t r_2;
  Rlp_FlagType_t r_1;
  Rlp_FlagType_t noFlagsSet;
};

typedef struct Rlp_FlagsAttribute_t Rlp_FlagsAttribute_t;


/**
  * \brief  This rule inspects the fragment and reserved bits in the IP
  * header. 
  * 
  * There are three bits that can be checked, the Reserved Bit (RB),
  * More Fragments (MF) bit, and the Don't Fragment (DF) bit.
  * 
  * This rule inspects the fragment and reserved bits in the IP
  * header. There are three bits that can be checked, the Reserved Bit (RB),
  * More Fragments (MF) bit, and the Don't Fragment (DF) bit. 
  * 
  * These bits can be checked in a variety of combinations. Use the following values to indicate specific bits: 
  * 
  - R: Reserved Bit 
  - D: DF bit 
  - M: MF bit 
  
 You can also use modifiers to indicate logical match criteria for the
 specified bits:
 
  <pre>
  + ALL flag, match on specified bits plus any others 
  - ANY flag, match if any of the specified bits are set 
  ! NOT flag, match if the specified bits are not set 
    
  alert tcp !$HOME_NET any -> $HOME_NET any (fragbits: R+; msg: "Reserved bit set!";)
  </pre>

  */


struct Rlp_FragbitsAttribute_t
{
  Rlp_FlagType_t RB;
  Rlp_FlagType_t MF;
  Rlp_FlagType_t DF;
};

typedef struct Rlp_FragbitsAttribute_t Rlp_FragbitsAttribute_t;


/**
  * \brief  The icmp_id option examines an ICMP ECHO packet's ICMP ID
  * number for a specific value. 
  * 
  * This is useful because some covert channel programs use static ICMP 
  * fields when they communicate. This particular plugin was developed to 
  * enable the stacheldraht detection rules written by Max Vision, 
  * but it is certainly useful for detection of a number of potential 
  * attacks.  
  * 
  * The icmp_id option examines an ICMP ECHO packet's ICMP ID
  * number for a specific value. 
  * 
  * This is useful because some covert channel programs use static ICMP 
  * fields when they communicate. This particular plugin was developed to 
  * enable the stacheldraht detection rules written by Max Vision, 
  * but it is certainly useful for detection of a number of potential 
  * attacks. 
  * 
  * All uses:
  <pre>
    
    icmp_id:0
    icmp_id:1000
    icmp_id:456
    icmp_id:51201
    icmp_id:666
    icmp_id:667
    icmp_id:668
    icmp_id:669
    icmp_id:123
    icmp_id:6666
    icmp_id:6667
    icmp_id:9015
    </pre>
    
  */


struct Rlp_IcmpIdAttribute_t
{
  int icmpId;
};

typedef struct Rlp_IcmpIdAttribute_t Rlp_IcmpIdAttribute_t;

/**
  * \brief   The icmp_id option examines an ICMP ECHO packet's ICMP
  * sequence field for a specific value. 
  * 
  * This is useful because some covertchannel programs use 
  * static ICMP fields when they communicate.  This particular 
  * plugin was developed to enable the stacheldraht detection
  * rules written by Max Vision, but it is certainly useful for detection
  * of a number of potential attacks. (And yes, I know the info for this field
  * is almost identical to the icmp_id description, it's practically the same
  * damn thing!) 
  * 
  * The icmp_id option examines an ICMP ECHO packet's ICMP
  * sequence field for a specific value. 
  * 
  * This is useful because some covertchannel programs use 
  * static ICMP fields when they communicate.  This particular 
  * plugin was developed to enable the stacheldraht detection
  * rules written by Max Vision, but it is certainly useful for detection
  * of a number of potential attacks. (And yes, I know the info for this field
  * is almost identical to the icmp_id description, it's practically the same
  * damn thing!)
  * 
  * All uses:
  * icmp_seq: 0
  * icmp_seq:0
  * 
  */



struct Rlp_IcmpSeqAttribute_t
{
  int seqValue;
};

typedef struct Rlp_IcmpSeqAttribute_t Rlp_IcmpSeqAttribute_t;


/**
  * \brief  itype rule, just set a numeric value in here and 
  * Detect any traffic using that ICMP code value. 
  * 
  * Out of range values can also be set to detect suspicious traffic.
  * 
  * full set of values checked: 
  * 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 30 31 32 33 34 35 36 39 40
  * 
  */


struct Rlp_IcodeAttribute_t
{
  int icode;
};

typedef struct Rlp_IcodeAttribute_t Rlp_IcodeAttribute_t;


/** \brief Differnet types of ip options */

typedef enum
{
  Rlp_unassigned_c,
  Rlp_rr_c,
  Rlp_eol_c,
  Rlp_nop_c,
  Rlp_ts_c,
  Rlp_sec_c,
  Rlp_lsrr_c,
  Rlp_lsrre_c,
  Rlp_ssrr_c,
  Rlp_satid_c
} Rlp_IpOpts_t;


/**
  * \brief  Ip options 
  *
  * If IP options are present in a packet, this option will 
  * search for a specific option in use, such as source routing. 
  * 
  * If IP options are present in a packet, this 
  * option will search for a specific option in use, such as source routing. 
  * 
  * Valid arguments to this option are:
  * 
  * rr - Record route 
  * eol - End of list 
  * nop - No op 
  * ts - Time Stamp 
  * sec - IP security option 
  * lsrr - Loose source routing 
  * ssrr - Strict source routing 
  * satid - Stream identifier
  * 
  * The most frequently watched for IP options are strict and loose source
  * routing which aren't used in any widespread internet applications. Only a
  * single option may be specified per rule. 
  * 
  * all uses of ipopt:
  * 
  * ipopts: rr
  * ipopts: ssrr
  * ipopts:lsrr
  * ipopts:lsrre
  * 
  */


struct Rlp_IpOptsAttribute_t
{
  Rlp_IpOpts_t ipOpt;
};


/** \brief Struct for IP options checking */

typedef struct Rlp_IpOptsAttribute_t Rlp_IpOptsAttribute_t;


/**
  * \brief  Check the ip proto field.
  */


struct Rlp_IpProtoAttribute_t
{
  bool lessThan;
  bool greaterThan;
  bool negated;
  int value;
};

typedef struct Rlp_IpProtoAttribute_t Rlp_IpProtoAttribute_t;


/**
  * \brief  This option keyword is used to test for an exact
  * match in the IP header fragment ID field.
  * 
  * This option keyword is used to test for an exact
  * match in the IP header fragment ID field. 
  * 
  * Some hacking tools (and other programs) set this field 
  * specifically for various purposes, for example
  * the value 31337 is very popular with some hackers. This can be turned
  * against them by putting a simple rule in place to test for this and some
  * other hacker numbers. 
  * 
  * full range of checks:
  * 
  * id: 39426
  * id: 413
  * id: 666
  * id: 678
  * id:13170
  * id:242
  * id:3868
  *
  * Checks for id are syntactically identical to 
  * ip_proto checks, so we can reuse the same structure.
  */

typedef Rlp_IpProtoAttribute_t Rlp_IdAttribute_t;


/**
  * \brief  This rule tests the value of the ICMP type field. It is set
  * using the numeric value of this field. 
  * 
  * This rule tests the value of the ICMP type field. It is set
  * using the numeric value of this field. 
  * 
  * It should be noted that the values can be set out of range to detect invalid
  * ICMP type values that are sometimes used in denial of service and flooding
  * attacks. 
  * 
  * All uses:
  * 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 30 31 32 33 34 35 36 39 40
  * 
  */

struct Rlp_ItypeAttribute_t
{
  int itype;
};

typedef struct Rlp_ItypeAttribute_t Rlp_ItypeAttribute_t;


/**
  * \brief  The nocase option is used to deactivate case sensitivity in
  * a content rule. 
  * 
  * The nocase option is used to deactivate case sensitivity in
  * a content rule. 
  * 
  * It is specified alone within a rule and any ASCII
  * characters that are compared to the packet payload are treated as though
  * they are either upper of lower case. 
  * 
  * alert tcp any any -> 192.168.1.0/24 21 (content:"USER root"; nocase; 
  * msg: "FTP root user access attempt";) 
  * 
  * Using a struct is unnecc, since the parse tree will contain the nocase
  * node; will remove this at some point.
  * 
  */


struct Rlp_NocaseAttribute_t
{
  bool nocase;
};

typedef struct Rlp_NocaseAttribute_t Rlp_NocaseAttribute_t;


/**
  * \brief  The offset rule option is used as a modifier to rules using
  * the content option keyword. 
  
  * This keyword modifies the starting search
  * position for the pattern match function from the beginning of the packet
  * payload.
  * 
  * The offset rule option is used as a modifier to rules using
  * the content option keyword. This keyword modifies the starting search
  * position for the pattern match function from the beginning of the packet
  * payload. 
  * 
  * It is very useful for things like CGI scan detection rules where
  * the content search string is never found in the first four bytes of the
  * payload. Care should be taken against setting the offset value too tightly
  * and potentially missing an attack! 
  * 
  * This rule option keyword cannot be used without also specifying a content rule 
  * option.
  * 
  * Example: 
  * 
  * alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF access";) 
  * 
  */


struct Rlp_OffsetAttribute_t
{
  int offset;
};

typedef struct Rlp_OffsetAttribute_t Rlp_OffsetAttribute_t;


/**
  * \brief  This option looks at
  * RPC requests and automatically decodes the application, procedure, and
  * program version, indicating success when all three variables are matched.
  * 
  * This option looks at
  * RPC requests and automatically decodes the application, procedure, and
  * program version, indicating success when all three variables are matched.
  * 
  * The format of the option call is application, procedure, version.
  * 
  * Wildcards are valid for both the procedure and version numbers and are
  * indicated with a *. 
  * 
  * Format: rpc: <number, [number|*], [number|*]> 
  * 
  * Example:
  * 
  * alert tcp any any -> 192.168.1.0/24 111 (rpc: 100000,*,3; msg:"RPC getport (TCP)";) 
  * 
  * alert udp any any -> 192.168.1.0/24 111 (rpc: 100000,*,3; msg:"RPC getport (UDP)";) a
  * 
  * alert udp any any -> 192.168.1.0/24 111 (rpc: 100083,*,*; msg:"RPC ttdb";) 
  * 
  * alert udp any any -> 192.168.1.0/24 111 (rpc: 100232,10,*; msg:"RPC sadmin";) 
  * 
  */


struct Rlp_RpcAttribute_t
{
  int application;
  bool anyProcedure;
  int procedure;
  bool anyVersion;
  int version;
};

typedef struct Rlp_RpcAttribute_t Rlp_RpcAttribute_t;



/**
  * \brief  Check if source and dest ip are the same.
  * 
  * Check if source and dest ip are the same. 
  * 
  * Takes no optins - should be removed as this information is implicit in the
  * parse tree.
  * 
  */


struct Rlp_SameIpAttribute_t
{
  bool sameIp;
};

typedef struct Rlp_SameIpAttribute_t Rlp_SameIpAttribute_t;


/**
  * \brief  This rule option refers to the TCP sequence number.
  * 
  * This rule option refers to the TCP sequence number.
  * 
  * Essentially, it detects if the packet has a static sequence number set,
  * and is therefore pretty much unused. It was included for the sake of
  * completeness. 
  * 
  * The above comment notwithstanding, the check is used in a number of places:
  * 
  * seq: 101058054
  * seq: 3868
  * seq: 6060842
  * seq: 674711609
  * seq:0
  * seq:1958810375
  * 
  */



struct Rlp_SeqAttribute_t
{
  u_int32_t seqValue;
};

typedef struct Rlp_SeqAttribute_t Rlp_SeqAttribute_t;


/**
  * \brief  This rule option is used to set a
  * specific time-to-live value to test against. 
  * 
  * This rule option is used to set a
  * specific time-to-live value to test against. 
  * 
  * The test it performs is only
  * successful on an exact match. This option keyword was intended for use in
  * the detection of traceroute attempts. 
  * 
  * Uses:
  * 
  * ttl: >220
  * ttl:0
  * ttl:1
  * 
  */


struct Rlp_TtlAttribute_t
{
  bool greaterThan;
  bool lessThan;
  int ttl;
};

typedef struct Rlp_TtlAttribute_t Rlp_TtlAttribute_t;


/**
  * \brief  This rule allows searches to be matched
  * against only the URI portion of a request. 
  * 
  * This rule allows searches to be matched
  * against only the URI portion of a request. 
  * 
  * This allows rules to search only the request portion of an attack 
  * without false alerts from server data files. For a description of 
  * the parameters to this function, see the content rule options.
  * 
  */

typedef Rlp_ContentAttribute_t Rlp_UriContentAttribute_t;


/**
  * \brief  The within keyword is a content modifier that makes sure
  * that at least N bytes are between pattern matches.
  * 
  * The within keyword is a content modifier that makes sure
  * that atleast N bytes are between pattern matches. 
  * 
  * It's designed to be used in conjunction with the distance rule option. 
  * The rule listed below contrains the
  * search to not go past 10 bytes past the ABCDE match. 
  * 
  * alert tcp any any -> any any (content: "2 Patterns"; content:
  * "ABCDE"; content: "EFGH"; within: 10;) 
  * 
  * The within tells the matching to look for an EFGH starting no more than
  * 10 bytes after the first char of the ABCDE.
  * 
  * With nested withins e.g., foo W bar W xyz, the semantics is that 
  * on a foo, if a bar is matched then the overall match holds just in case
  * the xyz matches on the FIRST matched bar; if it doesn't then we don;t go further
  * till the within range.
  * 
  */



struct Rlp_WithinAttribute_t
{
  int within;
};

typedef struct Rlp_WithinAttribute_t Rlp_WithinAttribute_t;

/**
  * \brief  Possible types of L7 checks.
  * 
  * Possible  types of L7 checks.
  * 
  */


typedef enum
{
  Rlp_L7UndefCheck_c,
  Rlp_L7ContentCheck_c,
  Rlp_L7UriContentCheck_c,
  Rlp_L7ByteJumpCheck_c,
  Rlp_L7ByteTestCheck_c,
  Rlp_L7PcreCheck_c
} Rlp_L7CheckType_t;


/**
  * \brief  Struct for checking a content type rule
  * 
  * Struct for checking a content type rule
  * 
  */


struct Rlp_ContentCheckAttribute_t
{
  bool nocase;
  int depth;
  int offset;
  int distance;
  int within;
  util_byte_array_t *content;
  bool negated;
};

typedef struct Rlp_ContentCheckAttribute_t Rlp_ContentCheck_t;

/**
  * \brief  Struct for checking a byte test type rule.
  * 
  * Struct for checking a byte test type rule. It's the
  * same as the byte test attribute struct, since the
  * information is contained already in a parsed form.
  * 
  */


typedef Rlp_ByteTestAttribute_t Rlp_ByteTestCheck_t;

/**
  * \brief  Struct for checking a byte jump type rule.
  * 
  * Struct for checking a byte jump type rule. It's the
  * same as the byte jump attribute struct, since the
  * information is contained already in a parsed form.
  * 
  */


typedef Rlp_ByteJumpAttribute_t Rlp_ByteJumpCheck_t;

/**
  * \brief  Struct for pcre checking
  * 
  * 
  */

struct Rlp_PcreAttribute_t
{
  char *reText;
  pcre *re;
  pcre_extra *pe;
};

typedef struct Rlp_PcreAttribute_t Rlp_PcreAttribute_t;

typedef Rlp_PcreAttribute_t Rlp_PcreCheck_t;


/**
  * \brief  A struct for holding the content tests on a formula
  * 
  * A struct for holding the content tests on a formula. Poorly
  * named, since the byte jump is actually the amount to 
  * advance the stream pointer by.
  * 
  */


struct Rlp_L7Check_t
{
  Rlp_L7CheckType_t type;
  union
  {
    Rlp_ContentCheck_t *contentCheck;
    Rlp_ByteTestCheck_t *byteTestCheck;
    Rlp_ByteJumpCheck_t *byteJumpCheck;
    Rlp_PcreCheck_t *pcreCheck;
  } entryData;
};

typedef struct Rlp_L7Check_t Rlp_L7Check_t;

/**
  * \brief  A struct for holding the layer 4 check on a formula
  * 
  * A struct for holding the layer 4 check on the formula. Poorly
  * named, since the optional content checks enclosed in parens
  * also check layer 3/4 information.
  * 
  */


struct Rlp_L4Check_t
{
  char *typeString;
  Rlp_OperatorEnum_t type;
  char *srcIpString;
  Rlp_Formula_t *srcIp;
  char *srcPortString;
  Rlp_Formula_t *srcPort;
  char *destIpString;
  Rlp_Formula_t *destIp;
  char *destPortString;
  Rlp_Formula_t *destPort;
};

typedef struct Rlp_L4Check_t Rlp_L4Check_t;


// #endif // include the structs


// #ifdef _INCLUDE_PROTOTYPES


/**
  * \brief  Enum for the different possible actions for a packet.
  * 
  */

typedef enum
{
  Rlp_ActionUnassigned_c,
//  Rlp_ActionLog_c,
//  Rlp_ActionAlert_c,
  Rlp_ActionDrop_c,
//  Rlp_ActionEncrypt_c,
//  Rlp_ActionDecrypt_c,
//  Rlp_ActionCompress_c,
//  Rlp_ActionDecompress_c,
  Rlp_ActionRoute_c,
  Rlp_ActionQueue_c,
//  Rlp_ActionUserAction_c,
  Rlp_ActionUscript_c,
  Rlp_ActionUcode_c,
} Rlp_ActionEnum_t;


/**
  * \brief  Struct encoding the action to be taken.
  * 
  */

struct Rlp_Action_t
{
  Rlp_ActionEnum_t type;

  char *dest;
  Pkt_LibNet_t *destLibnet;

  // Cryp_Aes_t *aes;

  char *queue;
  int classIndex;

  char *uscript;

  char *ucodeName;
  int (*ucodeFunction) ( void *, void *, void **, char * );
  void *ucodeFunctionState;

  // use same argument for script and function
  char *argument;
};

typedef struct Rlp_Action_t Rlp_Action_t;


extern Rlp_Formula_t *car (Rlp_Formula_t *);
extern Rlp_Formula_t *cdr (Rlp_Formula_t *);
extern Rlp_Formula_t *cons (Rlp_Formula_t *, Rlp_Formula_t *);
extern Rlp_Formula_t *new_node (Rlp_OperatorEnum_t, Rlp_Formula_t *,
                Rlp_Formula_t *);

/**AutomaticStart*************************************************************/

/*---------------------------------------------------------------------------*/
/* Extern function prototypes                                                */
/*---------------------------------------------------------------------------*/

extern Rlp_Action_t *Rlp_AllocActionStruct ();
extern Rlp_Action_t *Rlp_CreateActionFromRawText (char *rawFormula);
extern void Rlp_ActionPrint (Rlp_Action_t * action);
extern Rlp_L4Check_t *Rlp_AllocL4CheckStruct ();
extern Rlp_L4Check_t *Rlp_CreateL4CheckFromRawFormula (char *rawFormula);
extern Rlp_Formula_t *Rlp_ComputeIpFormulaFromString (char *ipString);
extern u_int32_t Rlp_DotToInt (char *dotString);
extern Rlp_Formula_t *Rlp_ComputePortFormulaFromString (char *portString);
extern array_t *Rlp_BuildContentCheckArrayFromL7Formula (Rlp_Formula_t *
                             aL7Formula);
extern int Rlp_FreeL7CheckArray (array_t * L7CheckArray);
extern Rlp_Formula_t *new_node (Rlp_OperatorEnum_t type,
                Rlp_Formula_t * lchild,
                Rlp_Formula_t * rchild);
extern Rlp_Formula_t *make2eltlist (Rlp_Formula_t * a, Rlp_Formula_t * b);
extern Rlp_Formula_t *car (Rlp_Formula_t * a);
extern Rlp_Formula_t *cdr (Rlp_Formula_t * a);
extern int node_print (Rlp_Formula_t * a);
extern char *Rlp_ConvertParseTreeToText (Rlp_Formula_t * aFormula);
extern int Rlp_PrintFormulaTree (Rlp_Formula_t * aFormula);
extern void Rlp_FormulaFree (Rlp_Formula_t * aFormula);
extern Rlp_Formula_t *Rlp_CreateParseTreeFromText (char *text);
extern Rlp_Formula_t *Rlp_CreateParseTreeFromAttribValuePairArray (array_t *
                                   aRule);
extern int Rlp_ParsedRulePrint (Rlp_Formula_t * aTree);
extern util_byte_array_t *Rlp_ByteCodeToByteArray (char *byteCode);
extern int Rlp_NodePrint (Rlp_Formula_t * entry);
extern array_t *Rlp_TestReadL7FormulasFromFile (char *fileName);
extern char *Rlp_GetL4ComponentFromRawRule (char *rawRule);
extern char *Rlp_GetL7ComponentFromRawRule (char *rawRule);
extern char *Rlp_GetActionComponentFromRawRule (char *rawRule);
extern int Rlp_FreeArrayOfStrings (array_t * stringArray);
extern st_table *Rlp_L7CheckGetContentChecks (array_t * L7CheckArray);
extern void Rlp_TestParseContent (char *fileName);
extern int Rlp_UpdateDefineTable (st_table * aTable, char *anEntry);
extern array_t *Rlp_L7StringParse (char *l7Rule);

/**AutomaticEnd***************************************************************/

#ifdef __cplusplus
}
#endif


#endif /* _RLP */