Azinix

rlp.h File Reference

Routines for parsing, writing and accessing rules. More...

#include "nm.h"
#include "pkt.h"
#include "q.h"


Data Structures

struct  Rlp_Node_t
 Node structure - basically a cons list. More...
struct  RlpIntAttribute_t
 Struct to represent a single int entry. More...
struct  Rlp_SampleAttribute_t
 Sampling threshold. More...
struct  Rlp_IfAttribute_t
 Interface to check against. More...
struct  Rlp_AckAttribute_t
 TCP ack value to check against. More...
struct  Rlp_ByteJumpAttribute_t
 Byte jump operation. More...
struct  Rlp_ByteTestAttribute_t
 Byte test operation. More...
struct  Rlp_ContentAttribute_t
 Content to test for. More...
struct  Rlp_DepthAttribute_t
 Sets maximum search depth for the content pattern match to search from beginning of region. More...
struct  Rlp_DistanceAttribute_t
 Look for at least N bytes between pattern matches using content. More...
struct  Rlp_DsizeAttribute_t
 The dsize option is used to test the packet payload size. It may be set to any value, plus use the greater than/less than signs to indicate ranges and limits. More...
struct  Rlp_FlagsAttribute_t
 Test the TCP flags for a match. More...
struct  Rlp_FragbitsAttribute_t
 This rule inspects the fragment and reserved bits in the IP header. More...
struct  Rlp_IcmpIdAttribute_t
 The icmp_id option examines an ICMP ECHO packet's ICMP ID number for a specific value. More...
struct  Rlp_IcmpSeqAttribute_t
 The icmp_seq option examines an ICMP ECHO packet's ICMP sequence field for a specific value. More...
struct  Rlp_IcodeAttribute_t
 icode rule: set a numeric value here to detect any traffic using that ICMP code value. More...
struct  Rlp_IpOptsAttribute_t
 Ip options. More...
struct  Rlp_IpProtoAttribute_t
 Check the ip proto field. More...
struct  Rlp_ItypeAttribute_t
 This rule tests the value of the ICMP type field. It is set using the numeric value of this field. More...
struct  Rlp_NocaseAttribute_t
 The nocase option is used to deactivate case sensitivity in a content rule. More...
struct  Rlp_OffsetAttribute_t
 The offset rule option is used as a modifier to rules using the content option keyword. More...
struct  Rlp_RpcAttribute_t
 This option looks at RPC requests and automatically decodes the application, procedure, and program version, indicating success when all three variables are matched. More...
struct  Rlp_SameIpAttribute_t
 Check if source and dest ip are the same. More...
struct  Rlp_SeqAttribute_t
 This rule option refers to the TCP sequence number. More...
struct  Rlp_TtlAttribute_t
 This rule option is used to set a specific time-to-live value to test against. More...
struct  Rlp_WithinAttribute_t
 The within keyword is a content modifier that makes sure that at least N bytes are between pattern matches. More...
struct  Rlp_ContentCheckAttribute_t
 Struct for checking a content type rule. More...
struct  Rlp_PcreAttribute_t
 Struct for pcre checking. More...
struct  Rlp_L7Check_t
 A struct for holding the content tests on a formula. More...
struct  Rlp_L4Check_t
 A struct for holding the layer 4 check on a formula. More...
struct  Rlp_Action_t
 Struct encoding the action to be taken. More...

Defines

#define RLP_SKIP_SPACE(s)   while ( isspace(*s) ) s++;
 Macros to help parse formulas.
#define RLP_SKIP_TEXT(s)   while ( !isspace(*s) ) s++;
#define RLP_STRNCPY_TERMINATE(dest, src, N)   strncpy( dest, src, N ); dest[N] = '\0';
#define RLP_EXTRACT_FIELD(dest, tmpPtr, linePtr, tmpbuf)

Typedefs

typedef Rlp_Node_t Rlp_Formula_t
typedef util_attrib_val_t Rlp_RuleComponent_t
typedef RlpIntAttribute_t Rlp_IntAttribute_t
typedef Rlp_SampleAttribute_t Rlp_SampleAttribute_t
typedef Rlp_IfAttribute_t Rlp_IfAttribute_t
typedef Rlp_AckAttribute_t Rlp_AckAttribute_t
typedef Rlp_ByteJumpAttribute_t Rlp_ByteJumpAttribute_t
typedef Rlp_ByteTestAttribute_t Rlp_ByteTestAttribute_t
typedef Rlp_ContentAttribute_t Rlp_ContentAttribute_t
typedef Rlp_DepthAttribute_t Rlp_DepthAttribute_t
typedef Rlp_DistanceAttribute_t Rlp_DistanceAttribute_t
typedef Rlp_DsizeAttribute_t Rlp_DsizeAttribute_t
typedef Rlp_FlagsAttribute_t Rlp_FlagsAttribute_t
typedef Rlp_FragbitsAttribute_t Rlp_FragbitsAttribute_t
typedef Rlp_IcmpIdAttribute_t Rlp_IcmpIdAttribute_t
typedef Rlp_IcmpSeqAttribute_t Rlp_IcmpSeqAttribute_t
typedef Rlp_IcodeAttribute_t Rlp_IcodeAttribute_t
typedef Rlp_IpOptsAttribute_t Rlp_IpOptsAttribute_t
 Struct for IP options checking.
typedef Rlp_IpProtoAttribute_t Rlp_IpProtoAttribute_t
typedef Rlp_IpProtoAttribute_t Rlp_IdAttribute_t
 This option keyword is used to test for an exact match in the IP header fragment ID field.
typedef Rlp_ItypeAttribute_t Rlp_ItypeAttribute_t
typedef Rlp_NocaseAttribute_t Rlp_NocaseAttribute_t
typedef Rlp_OffsetAttribute_t Rlp_OffsetAttribute_t
typedef Rlp_RpcAttribute_t Rlp_RpcAttribute_t
typedef Rlp_SameIpAttribute_t Rlp_SameIpAttribute_t
typedef Rlp_SeqAttribute_t Rlp_SeqAttribute_t
typedef Rlp_TtlAttribute_t Rlp_TtlAttribute_t
typedef Rlp_ContentAttribute_t Rlp_UriContentAttribute_t
 This rule allows searches to be matched against only the URI portion of a request.
typedef Rlp_WithinAttribute_t Rlp_WithinAttribute_t
typedef Rlp_ContentCheckAttribute_t Rlp_ContentCheck_t
typedef Rlp_ByteTestAttribute_t Rlp_ByteTestCheck_t
 Struct for checking a byte test type rule.
typedef Rlp_ByteJumpAttribute_t Rlp_ByteJumpCheck_t
 Struct for checking a byte jump type rule.
typedef Rlp_PcreAttribute_t Rlp_PcreAttribute_t
typedef Rlp_PcreAttribute_t Rlp_PcreCheck_t
typedef Rlp_L7Check_t Rlp_L7Check_t
typedef Rlp_L4Check_t Rlp_L4Check_t
typedef Rlp_Action_t Rlp_Action_t

Enumerations

enum  Rlp_OperatorEnum_t {
  Rlp_List_c, Rlp_Undef_c, Rlp_Ack_c, Rlp_Byte_Jump_c,
  Rlp_Byte_Test_c, Rlp_Content_c, Rlp_Depth_c, Rlp_Distance_c,
  Rlp_Dsize_c, Rlp_Flags_c, Rlp_Fragbits_c, Rlp_Icmp_Id_c,
  Rlp_Icmp_Seq_c, Rlp_Icode_c, Rlp_Id_c, Rlp_Ip_Proto_c,
  Rlp_IpOpts_c, Rlp_Itype_c, Rlp_Nocase_c, Rlp_Offset_c,
  Rlp_Pcre_c, Rlp_Rpc_c, Rlp_Sameip_c, Rlp_Seq_c,
  Rlp_Ttl_c, Rlp_Uricontent_c, Rlp_Within_c, Rlp_Interface_c,
  Rlp_Sample_c, Rlp_Tcp_c, Rlp_Udp_c, Rlp_Icmp_c,
  Rlp_Ip_c, Rlp_Num_c, Rlp_Text_c, Rlp_IpBlock_c,
  Rlp_PortUnion_c, Rlp_IpUnion_c, Rlp_Negation_c, Rlp_PortRange_c,
  Rlp_IpEntry_c, Rlp_Alert_c, Rlp_Define_c, Rlp_ClassOfService_c,
  Rlp_Any_c, Rlp_Generic_c
}
 Types of operators allowed in formulas. More...
enum  Rlp_FlagType_t { zero_c, one_c, X_c }
 Possible ack flag values. More...
enum  Rlp_IpOpts_t {
  Rlp_unassigned_c, Rlp_rr_c, Rlp_eol_c, Rlp_nop_c,
  Rlp_ts_c, Rlp_sec_c, Rlp_lsrr_c, Rlp_lsrre_c,
  Rlp_ssrr_c, Rlp_satid_c
}
 Different types of ip options. More...
enum  Rlp_L7CheckType_t {
  Rlp_L7UndefCheck_c, Rlp_L7ContentCheck_c, Rlp_L7UriContentCheck_c, Rlp_L7ByteJumpCheck_c,
  Rlp_L7ByteTestCheck_c, Rlp_L7PcreCheck_c
}
 Possible types of L7 checks. More...
enum  Rlp_ActionEnum_t {
  Rlp_ActionUnassigned_c, Rlp_ActionDrop_c, Rlp_ActionRoute_c, Rlp_ActionQueue_c,
  Rlp_ActionUscript_c, Rlp_ActionUcode_c
}
 Enum for the different possible actions for a packet. More...

Functions

Rlp_Formula_t * car (Rlp_Formula_t *)
 LISP car function.
Rlp_Formula_t * cdr (Rlp_Formula_t *)
 LISP cdr function.
Rlp_Formula_t * cons (Rlp_Formula_t *, Rlp_Formula_t *)
Rlp_Formula_t * new_node (Rlp_OperatorEnum_t, Rlp_Formula_t *, Rlp_Formula_t *)
 Allocate a new node.
Rlp_Action_t * Rlp_AllocActionStruct ()
 Allocate an action struct.
Rlp_Action_t * Rlp_CreateActionFromRawText (char *rawFormula)
 Create an action struct from raw text.
void Rlp_ActionPrint (Rlp_Action_t *action)
 Print an action structure.
Rlp_L4Check_t * Rlp_AllocL4CheckStruct ()
 Allocate an L4 check struct.
Rlp_L4Check_t * Rlp_CreateL4CheckFromRawFormula (char *rawFormula)
 Create an l4 check struct from a raw formula.
Rlp_Formula_t * Rlp_ComputeIpFormulaFromString (char *ipString)
 Parse a raw string representing a set of IP addresses into an Rlp_Formula_t.
u_int32_t Rlp_DotToInt (char *dotString)
 Convert a string in dotted decimal notation to an unsigned 32 bit int.
Rlp_Formula_t * Rlp_ComputePortFormulaFromString (char *portString)
 Parse a raw string representing a set of ports into an Rlp_Formula_t.
array_t * Rlp_BuildContentCheckArrayFromL7Formula (Rlp_Formula_t *aL7Formula)
 Walk an L7 formula, build the list of checks.
int Rlp_FreeL7CheckArray (array_t *L7CheckArray)
 Free an array containing content check structs.
Rlp_Formula_t * make2eltlist (Rlp_Formula_t *a, Rlp_Formula_t *b)
 List is always a list node with right child another list node or nil.
int node_print (Rlp_Formula_t *a)
 print node
char * Rlp_ConvertParseTreeToText (Rlp_Formula_t *aFormula)
 Convert a rule parse tree to a formula text string.
int Rlp_PrintFormulaTree (Rlp_Formula_t *aFormula)
 Print a rule parse tree.
void Rlp_FormulaFree (Rlp_Formula_t *aFormula)
 Free a parse tree.
Rlp_Formula_t * Rlp_CreateParseTreeFromText (char *text)
 Create a parse tree for an L7 formula from raw text of formula.
Rlp_Formula_t * Rlp_CreateParseTreeFromAttribValuePairArray (array_t *aRule)
 Create a parse tree from a L7 formula that is presented as an array of (attribute,value) pairs.
int Rlp_ParsedRulePrint (Rlp_Formula_t *aTree)
 Print a parse tree.
util_byte_array_t * Rlp_ByteCodeToByteArray (char *byteCode)
 Convert byte code to a byte array.
int Rlp_NodePrint (Rlp_Formula_t *entry)
 Print a node, which is assumed to be an entry in a parse tree.
array_t * Rlp_TestReadL7FormulasFromFile (char *fileName)
 Read a bunch of L7 formulas from a file, return them in an array.
char * Rlp_GetL4ComponentFromRawRule (char *rawRule)
 Get the L4 text from a rule.
char * Rlp_GetL7ComponentFromRawRule (char *rawRule)
 Get the L7 text from a rule.
char * Rlp_GetActionComponentFromRawRule (char *rawRule)
 Get the action component from a rule.
int Rlp_FreeArrayOfStrings (array_t *stringArray)
 Free an array_t and the strings in it.
st_table * Rlp_L7CheckGetContentChecks (array_t *L7CheckArray)
 Return a hash containing all the content checks in the given rule.
void Rlp_TestParseContent (char *fileName)
 Code to test parsing of content.
int Rlp_UpdateDefineTable (st_table *aTable, char *anEntry)
 Adds a mapping from a macro name to definition.
array_t * Rlp_L7StringParse (char *l7Rule)
 Parse a string encoding a Layer 7 formula.


Detailed Description

Routines for parsing, writing and accessing rules.

Definition in file rlp.h.


Define Documentation

#define RLP_EXTRACT_FIELD ( dest,
tmpPtr,
linePtr,
tmpbuf   ) 

Value:

tmpPtr = strpbrk( linePtr, " \t" ); \
  RLP_STRNCPY_TERMINATE( tmpbuf, linePtr, tmpPtr - linePtr ); \
  dest = strdup( tmpbuf ); \
  RLP_SKIP_TEXT( linePtr ); SKIP_SPACE( linePtr );

Definition at line 29 of file rlp.h.

#define RLP_SKIP_SPACE ( s )     while ( isspace(*s) ) s++;

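Macros to help parse formulas.

Note: these parsing macros expand to bare statements, perform no bounds checking, and evaluate their arguments more than once, so they are only safe on plain pointer variables over NUL-terminated input that the caller has already validated. RLP_SKIP_TEXT does not stop at the terminating NUL (isspace('\0') is false), so it reads past the end of a string that has no trailing whitespace. RLP_STRNCPY_TERMINATE writes dest[N], so dest must hold at least N + 1 bytes. RLP_EXTRACT_FIELD does not check for a NULL result from strpbrk() or strdup(), and does not check the field length against the size of tmpbuf.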

Definition at line 24 of file rlp.h.

#define RLP_SKIP_TEXT ( s )     while ( !isspace(*s) ) s++;

Definition at line 25 of file rlp.h.

#define RLP_STRNCPY_TERMINATE ( dest,
src,
N  )     strncpy( dest, src, N ); dest[N] = '\0';

Definition at line 27 of file rlp.h.


Typedef Documentation

typedef struct Rlp_AckAttribute_t Rlp_AckAttribute_t

Definition at line 183 of file rlp.h.

typedef struct Rlp_Action_t Rlp_Action_t

Definition at line 1226 of file rlp.h.

typedef struct Rlp_ByteJumpAttribute_t Rlp_ByteJumpAttribute_t

Definition at line 224 of file rlp.h.

typedef Rlp_ByteJumpAttribute_t Rlp_ByteJumpCheck_t

Struct for checking a byte jump type rule.

Struct for checking a byte jump type rule. It's the same as the byte jump attribute struct, since the information is contained already in a parsed form.

Definition at line 1099 of file rlp.h.

typedef struct Rlp_ByteTestAttribute_t Rlp_ByteTestAttribute_t

Definition at line 271 of file rlp.h.

typedef Rlp_ByteTestAttribute_t Rlp_ByteTestCheck_t

Struct for checking a byte test type rule.

Struct for checking a byte test type rule. It's the same as the byte test attribute struct, since the information is contained already in a parsed form.

Definition at line 1087 of file rlp.h.

typedef struct Rlp_ContentAttribute_t Rlp_ContentAttribute_t

Definition at line 323 of file rlp.h.

typedef struct Rlp_ContentCheckAttribute_t Rlp_ContentCheck_t

Definition at line 1075 of file rlp.h.

typedef struct Rlp_DepthAttribute_t Rlp_DepthAttribute_t

Definition at line 345 of file rlp.h.

typedef struct Rlp_DistanceAttribute_t Rlp_DistanceAttribute_t

Definition at line 369 of file rlp.h.

typedef struct Rlp_DsizeAttribute_t Rlp_DsizeAttribute_t

Definition at line 422 of file rlp.h.

typedef struct Rlp_FlagsAttribute_t Rlp_FlagsAttribute_t

Definition at line 522 of file rlp.h.

typedef struct Rlp_Node_t Rlp_Formula_t

Definition at line 120 of file rlp.h.

typedef struct Rlp_FragbitsAttribute_t Rlp_FragbitsAttribute_t

Definition at line 563 of file rlp.h.

typedef struct Rlp_IcmpIdAttribute_t Rlp_IcmpIdAttribute_t

Definition at line 610 of file rlp.h.

typedef struct Rlp_IcmpSeqAttribute_t Rlp_IcmpSeqAttribute_t

Definition at line 648 of file rlp.h.

typedef struct Rlp_IcodeAttribute_t Rlp_IcodeAttribute_t

Definition at line 668 of file rlp.h.

typedef Rlp_IpProtoAttribute_t Rlp_IdAttribute_t

This option keyword is used to test for an exact match in the IP header fragment ID field.

This option keyword is used to test for an exact match in the IP header fragment ID field.

Some hacking tools (and other programs) set this field specifically for various purposes, for example the value 31337 is very popular with some hackers. This can be turned against them by putting a simple rule in place to test for this and some other hacker numbers.

full range of checks:

id: 39426 id: 413 id: 666 id: 678 id:13170 id:242 id:3868

Checks for id are syntactically identical to ip_proto checks, so we can reuse the same structure.

Definition at line 776 of file rlp.h.

typedef struct Rlp_IfAttribute_t Rlp_IfAttribute_t

Definition at line 165 of file rlp.h.

typedef struct RlpIntAttribute_t Rlp_IntAttribute_t

Definition at line 139 of file rlp.h.

typedef struct Rlp_IpOptsAttribute_t Rlp_IpOptsAttribute_t

Struct for IP options checking.

Definition at line 730 of file rlp.h.

typedef struct Rlp_IpProtoAttribute_t Rlp_IpProtoAttribute_t

Definition at line 746 of file rlp.h.

typedef struct Rlp_ItypeAttribute_t Rlp_ItypeAttribute_t

Definition at line 800 of file rlp.h.

typedef struct Rlp_L4Check_t Rlp_L4Check_t

Definition at line 1167 of file rlp.h.

typedef struct Rlp_L7Check_t Rlp_L7Check_t

Definition at line 1141 of file rlp.h.

typedef struct Rlp_NocaseAttribute_t Rlp_NocaseAttribute_t

Definition at line 828 of file rlp.h.

typedef struct Rlp_OffsetAttribute_t Rlp_OffsetAttribute_t

Definition at line 864 of file rlp.h.

typedef struct Rlp_PcreAttribute_t Rlp_PcreAttribute_t

Definition at line 1114 of file rlp.h.

typedef Rlp_PcreAttribute_t Rlp_PcreCheck_t

Definition at line 1116 of file rlp.h.

typedef struct Rlp_RpcAttribute_t Rlp_RpcAttribute_t

Definition at line 905 of file rlp.h.

typedef util_attrib_val_t Rlp_RuleComponent_t

Definition at line 123 of file rlp.h.

typedef struct Rlp_SameIpAttribute_t Rlp_SameIpAttribute_t

Definition at line 925 of file rlp.h.

typedef struct Rlp_SampleAttribute_t Rlp_SampleAttribute_t

Definition at line 152 of file rlp.h.

typedef struct Rlp_SeqAttribute_t Rlp_SeqAttribute_t

Definition at line 955 of file rlp.h.

typedef struct Rlp_TtlAttribute_t Rlp_TtlAttribute_t

Definition at line 985 of file rlp.h.

typedef Rlp_ContentAttribute_t Rlp_UriContentAttribute_t

This rule allows searches to be matched against only the URI portion of a request.

This rule allows searches to be matched against only the URI portion of a request.

This allows rules to search only the request portion of an attack without false alerts from server data files. For a description of the parameters to this function, see the content rule options.

Definition at line 1001 of file rlp.h.

typedef struct Rlp_WithinAttribute_t Rlp_WithinAttribute_t

Definition at line 1035 of file rlp.h.


Enumeration Type Documentation

enum Rlp_ActionEnum_t

Enum for the different possible actions for a packet.

Enumerator:
Rlp_ActionUnassigned_c 
Rlp_ActionDrop_c 
Rlp_ActionRoute_c 
Rlp_ActionQueue_c 
Rlp_ActionUscript_c 
Rlp_ActionUcode_c 

Definition at line 1181 of file rlp.h.

enum Rlp_FlagType_t

Possible ack flag values.

Possible ack flag values. A flag check may be 0, 1, or don't care.

Enumerator:
zero_c 
one_c 
X_c 

Definition at line 434 of file rlp.h.

enum Rlp_IpOpts_t

Different types of ip options.

Enumerator:
Rlp_unassigned_c 
Rlp_rr_c 
Rlp_eol_c 
Rlp_nop_c 
Rlp_ts_c 
Rlp_sec_c 
Rlp_lsrr_c 
Rlp_lsrre_c 
Rlp_ssrr_c 
Rlp_satid_c 

Definition at line 673 of file rlp.h.

enum Rlp_L7CheckType_t

Possible types of L7 checks.

Possible types of L7 checks.

Enumerator:
Rlp_L7UndefCheck_c 
Rlp_L7ContentCheck_c 
Rlp_L7UriContentCheck_c 
Rlp_L7ByteJumpCheck_c 
Rlp_L7ByteTestCheck_c 
Rlp_L7PcreCheck_c 

Definition at line 1045 of file rlp.h.

enum Rlp_OperatorEnum_t

Types of operators allowed in formulas.

The types of nodes in a formula parse tree. ID is for leaf nodes, all others are internal nodes.

Enumerator:
Rlp_List_c 
Rlp_Undef_c 
Rlp_Ack_c 
Rlp_Byte_Jump_c 
Rlp_Byte_Test_c 
Rlp_Content_c 
Rlp_Depth_c 
Rlp_Distance_c 
Rlp_Dsize_c 
Rlp_Flags_c 
Rlp_Fragbits_c 
Rlp_Icmp_Id_c 
Rlp_Icmp_Seq_c 
Rlp_Icode_c 
Rlp_Id_c 
Rlp_Ip_Proto_c 
Rlp_IpOpts_c 
Rlp_Itype_c 
Rlp_Nocase_c 
Rlp_Offset_c 
Rlp_Pcre_c 
Rlp_Rpc_c 
Rlp_Sameip_c 
Rlp_Seq_c 
Rlp_Ttl_c 
Rlp_Uricontent_c 
Rlp_Within_c 
Rlp_Interface_c 
Rlp_Sample_c 
Rlp_Tcp_c 
Rlp_Udp_c 
Rlp_Icmp_c 
Rlp_Ip_c 
Rlp_Num_c 
Rlp_Text_c 
Rlp_IpBlock_c 
Rlp_PortUnion_c 
Rlp_IpUnion_c 
Rlp_Negation_c 
Rlp_PortRange_c 
Rlp_IpEntry_c 
Rlp_Alert_c 
Rlp_Define_c 
Rlp_ClassOfService_c 
Rlp_Any_c 
Rlp_Generic_c 

Definition at line 44 of file rlp.h.


Function Documentation

Rlp_Formula_t* car ( Rlp_Formula_t  ) 

LISP car function.

Definition at line 57 of file rlpNode.c.

Rlp_Formula_t* cdr ( Rlp_Formula_t  ) 

LISP cdr function.

Definition at line 66 of file rlpNode.c.

Rlp_Formula_t* cons ( Rlp_Formula_t ,
Rlp_Formula_t  
)

Rlp_Formula_t* make2eltlist ( Rlp_Formula_t a,
Rlp_Formula_t b 
)

List is always a list node with right child another list node or nil.

Definition at line 37 of file rlpNode.c.

Rlp_Formula_t* new_node ( Rlp_OperatorEnum_t  ,
Rlp_Formula_t ,
Rlp_Formula_t  
)

Allocate a new node.

Definition at line 17 of file rlpNode.c.

int node_print ( Rlp_Formula_t a  ) 

print node

Definition at line 75 of file rlpNode.c.

void Rlp_ActionPrint ( Rlp_Action_t action  ) 

Print an action structure.

Definition at line 162 of file rlpAct.c.

Rlp_Action_t* Rlp_AllocActionStruct (  ) 

Allocate an action struct.

AutomaticStart

Definition at line 17 of file rlpAct.c.

Rlp_L4Check_t* Rlp_AllocL4CheckStruct (  ) 

Allocate an L4 check struct.

Initialize entries to NIL, which indicates "any" in that field.

Definition at line 33 of file rlpL4.c.

array_t* Rlp_BuildContentCheckArrayFromL7Formula ( Rlp_Formula_t aL7Formula  ) 

Walk an L7 formula, build the list of checks.

Definition at line 25 of file rlpL7.c.

util_byte_array_t* Rlp_ByteCodeToByteArray ( char *  byteCode  ) 

Convert byte code to a byte array.

Input assumed to be in hex, with possible whitespace.

Definition at line 1522 of file rlpUtil.c.

Rlp_Formula_t* Rlp_ComputeIpFormulaFromString ( char *  ipString  ) 

Parse a raw string representing a set of IP addresses into an Rlp_Formula_t.

Parse a raw string representing a set of IP addresses into an Rlp_Formula_t. String is supposed to be from the following grammar:

  !(foo) | !foo | foo,bar | IP/mask | IP |  DEFINE
  

Note: we should not have whitespace anywhere.

There is exactly one string in the ruleset that looks like [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8]. For now, we're going to treat it by simply removing the leading and trailing brackets using the clearBrackets function call.

Definition at line 216 of file rlpL4.c.

Rlp_Formula_t* Rlp_ComputePortFormulaFromString ( char *  portString  ) 

Parse a raw string representing a set of ports into an Rlp_Formula_t.

Parse a raw string representing a set of ports into an Rlp_Formula_t. String is supposed to be from the following grammar:

  !foo | 10:100  | 10: | :100 | DEFINE
  

Note: we should not have whitespace anywhere.

Definition at line 458 of file rlpL4.c.

char* Rlp_ConvertParseTreeToText ( Rlp_Formula_t aFormula  ) 

Convert a rule parse tree to a formula text string.

Definition at line 43 of file rlpUtil.c.

Rlp_Action_t* Rlp_CreateActionFromRawText ( char *  rawFormula  ) 

Create an action struct from raw text.

Raw text could be

  drop;
  queue:foo;  class:1;
  dest:0;
  tcl-ext:puts "ouch";
  

Definition at line 50 of file rlpAct.c.

Rlp_L4Check_t* Rlp_CreateL4CheckFromRawFormula ( char *  rawFormula  ) 

Create an l4 check struct from a raw formula.

Definition at line 52 of file rlpL4.c.

Rlp_Formula_t* Rlp_CreateParseTreeFromAttribValuePairArray ( array_t aRule  ) 

Create a parse tree from a L7 formula that is presented as an array of (attribute,value) pairs.

Returns NIL if the array is of length 0, otherwise list has as many entries as the array has members.

Definition at line 575 of file rlpUtil.c.

Rlp_Formula_t* Rlp_CreateParseTreeFromText ( char *  text  ) 

Create a parse tree for an L7 formula from raw text of formula.

Definition at line 553 of file rlpUtil.c.

u_int32_t Rlp_DotToInt ( char *  dotString  ) 

Convert a string in dotted decimal notation to an unsigned 32 bit int.

Definition at line 414 of file rlpL4.c.

void Rlp_FormulaFree ( Rlp_Formula_t aFormula  ) 

Free a parse tree.

Definition at line 479 of file rlpUtil.c.

int Rlp_FreeArrayOfStrings ( array_t stringArray  ) 

Free an array_t and the strings in it.

Definition at line 2013 of file rlpUtil.c.

int Rlp_FreeL7CheckArray ( array_t L7CheckArray  ) 

Free an array containing content check structs.

Definition at line 99 of file rlpL7.c.

char* Rlp_GetActionComponentFromRawRule ( char *  rawRule  ) 

Get the action component from a rule.

The assumption is that the rule consists of layer 4 string, layer 7 string, which is enclosed in parens, and then action string. The right parens symbol should NOT appear in the action string.

Definition at line 1979 of file rlpUtil.c.

char* Rlp_GetL4ComponentFromRawRule ( char *  rawRule  ) 

Get the L4 text from a rule.

Definition at line 1910 of file rlpUtil.c.

char* Rlp_GetL7ComponentFromRawRule ( char *  rawRule  ) 

Get the L7 text from a rule.

Definition at line 1940 of file rlpUtil.c.

st_table* Rlp_L7CheckGetContentChecks ( array_t L7CheckArray  ) 

Return a hash containing all the content checks in the given rule.

We're passing in an array containing Rlp_L7Check_t entries - these are all the L7 checks in the corresponding rule.

Definition at line 2034 of file rlpUtil.c.

array_t* Rlp_L7StringParse ( char *  l7Rule  ) 

Parse a string encoding a Layer 7 formula.

String is assumed to be well-formed. Returns an array_t of rule components, which are attribute-value pairs.

Definition at line 29 of file rlpParse.c.

int Rlp_NodePrint ( Rlp_Formula_t entry  ) 

Print a node, which is assumed to be an entry in a parse tree.

Definition at line 1621 of file rlpUtil.c.

int Rlp_ParsedRulePrint ( Rlp_Formula_t aTree  ) 

Print a parse tree.

Definition at line 777 of file rlpUtil.c.

int Rlp_PrintFormulaTree ( Rlp_Formula_t aFormula  ) 

Print a rule parse tree.

Definition at line 335 of file rlpUtil.c.

void Rlp_TestParseContent ( char *  fileName  ) 

Code to test parsing of content.

Definition at line 2061 of file rlpUtil.c.

array_t* Rlp_TestReadL7FormulasFromFile ( char *  fileName  ) 

Read a bunch of L7 formulas from a file, return them in an array.

Definition at line 1880 of file rlpUtil.c.

int Rlp_UpdateDefineTable ( st_table aTable,
char *  anEntry 
)

Adds a mapping from a macro name to definition.

Typically anEntry will be "var foo 192.168.1.1". We will add "foo" to the table and map it to "192.168.1.1".

Definition at line 2116 of file rlpUtil.c.