Azinix

Evl_ContentMgr_t Struct Reference

A structure for evaluating L7 rules. More...

#include <evl.h>


Data Fields

int numStrings
st_table * stringToId
st_table * idToString
array_t * idToRules
array_t * stringArray
array_t * maxLengthArray
array_t * maxLengthStringsArray


Detailed Description

A structure for evaluating L7 rules.

Basically, we're going to be passed an array of Rlp_Formula_t's, each with some (maybe none) content checks.

We need to be able to separate out the rules that have no content checks - there are 156 distinct rules (one repeated), listed here:


  	icmp 255.255.255.0/24 any -> HN any ( itype: 0; dsize: >1; )
  	icmp 3.3.3.3/32 any -> EN any ( itype: 0; icmp_id: 666; )
  	icmp any any -> any any ( itype: 3; icode: 10; )
  	icmp any any -> any any ( itype: 3; icode: 13; )
  	icmp any any -> any any ( itype: 3; icode: 9; )
  	icmp EN any -> HN any ( dsize: 0; itype: 8; )
  	icmp EN any -> HN any ( dsize: >800; )
  	icmp EN any -> HN any ( dsize:8; itype:8; )
  	icmp EN any -> HN any ( dsize:8; itype:8; id:13170; )
  	icmp EN any -> HN any ( id: 666; dsize: 0; itype: 8; icmp_id: 666 ; icmp_seq: 0; )
  	icmp EN any -> HN any ( ipopts: rr; itype: 0; )
  	icmp EN any -> HN any ( itype: 0; )
  	icmp EN any -> HN any ( itype: 0; icmp_id: 456; icmp_seq: 0; )
  	icmp EN any -> HN any ( itype: 0; icmp_id: 51201; icmp_seq: 0; )
  	icmp EN any -> HN any ( itype: 0; icode: 0; )
  	icmp EN any -> HN any ( itype: 1; )
  	icmp EN any -> HN any (itype:10; )
  	icmp EN any -> HN any ( itype: 10; icode: 0; )
  	icmp EN any -> HN any ( itype: 11; )
  	icmp EN any -> HN any ( itype: 11; icode: 0; )
  	icmp EN any -> HN any ( itype: 11; icode: 1; )
  	icmp EN any -> HN any ( itype: 12; )
  	icmp EN any -> HN any ( itype: 12; icode: 0; )
  	icmp EN any -> HN any ( itype: 12; icode: 1; )
  	icmp EN any -> HN any ( itype: 12; icode: 2; )
  	icmp EN any -> HN any ( itype: 13; )
  	icmp EN any -> HN any ( itype: 13; icode: 0; )
  	icmp EN any -> HN any ( itype: 14; )
  	icmp EN any -> HN any ( itype: 14; icode: 0; )
  	icmp EN any -> HN any ( itype: 15; )
  	icmp EN any -> HN any ( itype: 15; icode: 0; )
  	icmp EN any -> HN any ( itype: 17; )
  	icmp EN any -> HN any ( itype: 17; icode: 0; )
  	icmp EN any -> HN any ( itype: 18; )
  	icmp EN any -> HN any ( itype: 19; )
  	icmp EN any -> HN any ( itype: 19; icode: 0; )
  	icmp EN any -> HN any ( itype: 1; icode: 0; )
  	icmp EN any -> HN any ( itype: 2; )
  	icmp EN any -> HN any ( itype: 2; icode: 0; )
  	icmp EN any -> HN any ( itype: 3; )
  	icmp EN any -> HN any ( itype: 30; )
  	icmp EN any -> HN any ( itype: 30; icode: 0; )
  	icmp EN any -> HN any ( itype: 31; )
  	icmp EN any -> HN any ( itype: 31; icode: 0; )
  	icmp EN any -> HN any ( itype: 32; )
  	icmp EN any -> HN any ( itype: 32; icode: 0; )
  	icmp EN any -> HN any ( itype: 33; )
  	icmp EN any -> HN any ( itype: 33; icode: 0; )
  	icmp EN any -> HN any ( itype: 34; )
  	icmp EN any -> HN any ( itype: 34; icode: 0; )
  	icmp EN any -> HN any ( itype: 35; )
  	icmp EN any -> HN any ( itype: 35; icode: 0; )
  	icmp EN any -> HN any ( itype: 36; )
  	icmp EN any -> HN any ( itype: 36; icode: 0; )
  	icmp EN any -> HN any ( itype: 39; )
  	icmp EN any -> HN any ( itype: 39; icode: 0; )
  	icmp EN any -> HN any ( itype: 3; icode: 0; )
  	icmp EN any -> HN any ( itype: 3; icode: 1; )
  	icmp EN any -> HN any ( itype: 3; icode:11; )
  	icmp EN any -> HN any ( itype: 3; icode: 12; )
  	icmp EN any -> HN any ( itype: 3; icode: 14; )
  	icmp EN any -> HN any ( itype: 3; icode: 15; )
  	icmp EN any -> HN any ( itype: 3; icode: 2; )
  	icmp EN any -> HN any ( itype: 3; icode: 3; )
  	icmp EN any -> HN any ( itype: 3; icode:4; )
  	icmp EN any -> HN any ( itype: 3; icode: 5; )
  	icmp EN any -> HN any ( itype: 3; icode: 6; )
  	icmp EN any -> HN any ( itype: 3; icode: 7; )
  	icmp EN any -> HN any ( itype: 3; icode: 8; )
  	icmp EN any -> HN any ( itype: 4; )
  	icmp EN any -> HN any ( itype: 40; )
  	icmp EN any -> HN any ( itype: 40; icode: 0; )
  	icmp EN any -> HN any ( itype: 40; icode: 1; )
  	icmp EN any -> HN any ( itype: 40; icode: 2; )
  	icmp EN any -> HN any ( itype: 40; icode: 3; )
  	icmp EN any -> HN any ( itype: 4; icode: 0; )
  	icmp EN any -> HN any ( itype: 5; )
  	icmp EN any -> HN any (itype:5;icode:0; )
  	icmp EN any -> HN any (itype:5;icode:1; )
  	icmp EN any -> HN any ( itype: 5; icode: 2; )
  	icmp EN any -> HN any ( itype: 5; icode: 3; )
  	icmp EN any -> HN any ( itype: 6; )
  	icmp EN any -> HN any ( itype: 6; icode: 0; )
  	icmp EN any -> HN any ( itype: 7; )
  	icmp EN any -> HN any ( itype: 7; icode: 0; )
  	icmp EN any -> HN any ( itype: 8; )
  	icmp EN any -> HN any ( itype: 8; icmp_id: 0; icmp_seq: 0; dsize:4; )
  	icmp EN any -> HN any ( itype: 8; icode: 0; )
  	icmp EN any -> HN any (itype:9; )
  	icmp EN any -> HN any ( itype: 9; icode: 0; )
  	icmp EN any -> HN any (ttl:1;itype:8; )
  	icmp HN any -> EN any ( itype: 16; )
  	icmp HN any -> EN any ( itype: 16; icode: 0; )
  	icmp HN any -> EN any ( itype: 18; icode: 0; )


  	ip 63.251.224.177 any -> HN any ( )
  	ip any any -> 216.80.99.202 any ( )
  	ip any any -> any any ( sameip; )
  	ip EN any -> HN any ( fragbits:MD; )
  	ip EN any -> HN any ( fragbits:M; dsize: < 25; )
  	ip EN any -> HN any ( fragbits: M; dsize:408; )
  	ip EN any -> HN any ( fragbits:R; )
  	ip EN any -> HN any ( ipopts:lsrr; )
  	ip EN any -> HN any ( ipopts:lsrre; )
  	ip EN any -> HN any ( ipopts: ssrr ; )
  	ip EN any -> HN any ( ip_proto:>134; )
  	ip EN any -> HN any ( ip_proto:!1; ip_proto:!2; ip_proto:!6; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; )
  	ip EN any -> HN any ( ttl:0; )


  	tcp 255.255.255.0/24 any -> HN any ( flags:A+; dsize: >1; )
  	tcp any any -> 212.146.0.34 1963 ( )
  	tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any ( flags:S+; )
  	tcp EN 10101 -> HN any ( ttl: >220; ack: 0; flags: S; )
  	tcp EN 20 -> HN :1023 ( flags:S; )
  	tcp EN 53 -> HN :1023 ( flags:S; )
  	tcp EN 6000:6005 -> HN any ( )
  	tcp EN 80 -> HN 1054 ( seq: 101058054; ack: 101058054; flags: A; )
  	tcp EN any -> HN 1080 ( flags:S; )
  	tcp EN any -> HN 111 ( rpc:100009,*,*; )
  	tcp EN any -> HN 111 ( rpc:100083,*,*; )
  	tcp EN any -> HN 111 ( rpc:391029,*,*; )
  	tcp EN any -> HN 135:139 ( flags: U+; )
  	tcp EN any -> HN 15104 ( flags: S; )
  	tcp EN any -> HN 161 ( )
  	tcp EN any -> HN 162 ( )
  	tcp EN any -> HN 20432 ( flags: A+; )
  	tcp EN any -> HN 21 ( dsize:>100; )
  	tcp EN any -> HN 3128 ( flags:S; )
  	tcp EN any -> HN 3372 ( dsize:>1023; )
  	tcp EN any -> HN 617 ( dsize:>1445; )
  	tcp EN any -> HN 6789:6790 ( dsize:1; )
  	tcp EN any -> HN 705 ( )
  	tcp EN any -> HN 8080 ( flags:S; )
  	tcp EN any -> HN 80 ( flags: SF12; dsize: 0; )
  	tcp EN any -> HN any (flags:0; seq:0; ack:0; )
  	tcp EN any -> HN any (flags:A;ack:0; )
  	tcp EN any -> HN any ( flags: F; )
  	tcp EN any -> HN any (flags:FPU; )
  	tcp EN any -> HN any ( flags:S; dsize:>6; )
  	tcp EN any -> HN any (flags:SF; )
  	tcp EN any -> HN any (flags:SFPU; )
  	tcp EN any -> HN any (flags:SRAFPU; )
  	tcp EN any -> HN any ( flags:S; seq:1958810375; )
  	tcp EN any -> HN any ( id:3868; seq: 3868; flags:S; )
  	tcp EN any -> HN any ( id: 39426; flags: SF; )
  	tcp HN 7161 -> EN any ( flags:SA; )


  	udp any any -> 255.255.255.255 161 ( )
  	udp any any -> 255.255.255.255 162 ( )
  	udp EN 2140 -> HN 60000 ( )
  	udp EN 60000 -> HN 2140 ( )
  	udp EN any -> HN 111 ( rpc:100009,*,*; )
  	udp EN any -> HN 111 ( rpc:100083,*,*; )
  	udp EN any -> HN 123 ( dsize: >128; )
  	udp EN any -> HN 161 ( )
  	udp EN any -> HN 161 ( dsize:0; )
  	udp EN any -> HN 162 ( )
  	udp EN any -> HN any ( dsize: >4000; )
  	udp EN any -> HN any ( id:242; fragbits:M; )

  	The majority of the checks above (across the 4 protocol groups) are of the EN -> HN type or its reverse;
  	only 12 are not -

  	icmp 255.255.255.0/24 any -> HN any ( itype: 0; dsize: >1; )
  	icmp any any -> any any ( itype: 3; icode: 10; )
  	icmp any any -> any any ( itype: 3; icode: 13; )
  	icmp any any -> any any ( itype: 3; icode: 9; )
  	ip 63.251.224.177 any -> HN any ( )
  	ip any any -> 216.80.99.202 any ( )
  	ip any any -> any any ( sameip; )
  	tcp 255.255.255.0/24 any -> HN any ( flags:A+; dsize: >1; )
  	tcp any any -> 212.146.0.34 1963 ( )
  	tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any ( flags:S+; )
  	udp any any -> 255.255.255.255 161 ( )
  	udp any any -> 255.255.255.255 162 ( )

Putting aside the no-content checks for now, we need to think about how to organize the content checks.

Let's start by restricting our attention to a single packet rather than a flow.

The assumption is that we have been given a bit-vector telling us exactly which L4 rules match - it's N-wide, where N is the total number of rules.

For each rule, we extract the strings it checks for (negation and case-insensitivity will be handled separately, and for uri content there will be a special kill flag once the uri is done). We then build an automaton over these strings, which tells us when we've seen any one of them (by the id of the current state).

For each string, we keep an array which identifies the rules in which it appears - since it's unlikely that a string appears in many rules (the most common strings are content:"../../" content:"|00|" content:"|00 01 86 A5|" content:"|00 01 86 B8|" content:"|00 04 93 F3|" content: "filename=", which appear 6 times each) we can just keep the rule ids in linear order in the array.

When traversing the automaton with the payload, we record strings as we see them. Whenever we hit a string, we record the offset at which we saw it, check which rules might be affected, and check them.

The check for the affected rules is as follows: we go through the content checks in that rule, and look at the strings the rule refers to. We have the latest string-occurrence -> offset mapping, which allows us to check foo U_[10,20] bar U_[10,20] widget type checks (each string must start within 10 to 20 bytes of the end of the previous one).

We could keep all occurrences of each string, which would allow us to check a more complex semantics; e.g., if we look only at the most recent occurrences, we miss

foo 10 chars bar 12 chars bar 2 chars widget

since the second bar would get priority: measured from it, foo is 25 chars back and outside the [10,20] window, even though the first bar satisfies both constraints.

It's unlikely this is a major issue, so we'll stick to the simpler check.
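The scheme described above, as an added example written for this page rather than Azinix code: an Aho-Corasick automaton over the distinct content strings, a string-id -> rule-id table, a latest-occurrence -> offset map updated while scanning, and the distance-window check on the affected rules. The rule format (a list of (string, window) pairs, window being the allowed gap in bytes from the end of the previous match to the start of the next), the class and method names, and the payload are all assumptions made for the example; the payload reproduces the "foo 10 chars bar 12 chars bar 2 chars widget" case, so the latest-only scheme misses rule 0 while recording every occurrence finds it.

```python
from collections import deque

# Added example, not Azinix code: a toy Evl_ContentMgr_t-style evaluator.
# A rule is a list of (string, window) content checks; window is None for the
# first string, otherwise (lo, hi) bounds on the gap in bytes from the end of
# the previous match to the start of this one (the "foo U_[10,20] bar" checks).


class StringAutomaton:
    """Aho-Corasick automaton; the state reached tells which strings end here."""

    def __init__(self, strings):
        self.goto = [{}]    # state -> {byte: next state}
        self.fail = [0]     # state -> fallback state on mismatch
        self.out = [[]]     # state -> string ids that end at this state
        for sid, s in enumerate(strings):
            state = 0
            for b in s:
                if b not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].append(sid)
        queue = deque(self.goto[0].values())          # depth-1 states fail to root
        while queue:                                  # BFS: parents before children
            state = queue.popleft()
            for b, nxt in self.goto[state].items():
                queue.append(nxt)
                f = self.fail[state]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]

    def scan(self, payload):
        """Yield (string id, end offset) for every occurrence, in payload order."""
        state = 0
        for i, b in enumerate(payload):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for sid in self.out[state]:
                yield sid, i + 1


class ContentMgr:
    """string -> id, id -> rules that use it, plus the per-packet rule check."""

    def __init__(self, rules):
        self.rules = rules
        strings = sorted({s for rule in rules for s, _ in rule})
        self.string_to_id = {s: sid for sid, s in enumerate(strings)}
        self.id_to_rules = [[] for _ in strings]      # short linear lists per string
        for rid, rule in enumerate(rules):
            for s, _ in rule:
                sid = self.string_to_id[s]
                if rid not in self.id_to_rules[sid]:
                    self.id_to_rules[sid].append(rid)
        self.automaton = StringAutomaton(strings)

    def evaluate(self, payload, keep_all=False):
        """Return ids of rules whose content checks hold on this single packet.

        keep_all=False is the simpler "latest occurrence only" scheme;
        keep_all=True keeps every occurrence so earlier matches can be used.
        """
        seen = {}        # string id -> list of recorded end offsets
        matched = set()
        for sid, end in self.automaton.scan(payload):
            if keep_all:
                seen.setdefault(sid, []).append(end)
            else:
                seen[sid] = [end]
            for rid in self.id_to_rules[sid]:         # only rules this string affects
                if rid not in matched and self._rule_holds(rid, seen):
                    matched.add(rid)
        return matched

    def _rule_holds(self, rid, seen):
        def holds(checks, prev_end):
            if not checks:
                return True
            s, window = checks[0]
            for end in seen.get(self.string_to_id[s], []):
                gap = end - len(s) - prev_end          # bytes between the two matches
                if window is None or window[0] <= gap <= window[1]:
                    if holds(checks[1:], end):
                        return True
            return False
        return holds(self.rules[rid], 0)


# Constructed payload: "foo 10 chars bar 12 chars bar 2 chars widget".
PAYLOAD = b"foo" + b"A" * 10 + b"bar" + b"B" * 12 + b"bar" + b"C" * 2 + b"widget"

RULES = [
    [(b"foo", None), (b"bar", (10, 20)), (b"widget", (10, 20))],  # the note's example
    [(b"bar", None), (b"widget", (0, 5))],                        # bar right before widget
    [(b"foo", None), (b"baz", (0, 100))],                         # never matches here
]


def demo():
    """Evaluate RULES over PAYLOAD under both occurrence-recording schemes."""
    mgr = ContentMgr(RULES)
    return mgr.evaluate(PAYLOAD), mgr.evaluate(PAYLOAD, keep_all=True)


if __name__ == "__main__":
    latest_only, all_occurrences = demo()
    print("latest occurrence only:", sorted(latest_only))    # rule 0 is missed
    print("all occurrences:", sorted(all_occurrences))
```

With only the latest offset kept, rule 0 fails because the second bar is 25 bytes past foo; keeping every offset lets the check fall back to the first bar and succeed. The cost of the fuller scheme is the nested search in _rule_holds, which is what the note trades away by sticking to the latest occurrence.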

Definition at line 333 of file evl.h.


Field Documentation

int Evl_ContentMgr_t::numStrings

Definition at line 335 of file evl.h.

st_table* Evl_ContentMgr_t::stringToId

Definition at line 336 of file evl.h.

st_table* Evl_ContentMgr_t::idToString

Definition at line 337 of file evl.h.

array_t* Evl_ContentMgr_t::idToRules

Definition at line 338 of file evl.h.

array_t* Evl_ContentMgr_t::stringArray

Definition at line 339 of file evl.h.

array_t* Evl_ContentMgr_t::maxLengthArray

Definition at line 340 of file evl.h.

array_t* Evl_ContentMgr_t::maxLengthStringsArray

Definition at line 341 of file evl.h.