From 7a6d4b57f0d74f5d83bae0da11083c87fe834e6e Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Tue, 1 Jun 2010 15:59:08 +0200 Subject: [PATCH] Add support for class id in classification code. Submitted by firnsy@securixlive.com, thanks. --- src/detect-classtype.c | 3 +- src/detect-engine-alert.c | 2 ++ src/detect.h | 3 ++ src/util-classification-config.c | 51 ++++++++++++++++++-------------- src/util-classification-config.h | 7 +++-- 5 files changed, 40 insertions(+), 26 deletions(-) diff --git a/src/detect-classtype.c b/src/detect-classtype.c index d5226e7a3d..6e4b4a3297 100644 --- a/src/detect-classtype.c +++ b/src/detect-classtype.c @@ -131,7 +131,7 @@ static inline const char *DetectClasstypeParseRawString(char *rawstr) static inline SCClassConfClasstype *DetectClasstypeGetClasstypeInfo(const char *ct_name, DetectEngineCtx *de_ctx) { - SCClassConfClasstype *ct_info = SCClassConfAllocClasstype(ct_name, NULL, + SCClassConfClasstype *ct_info = SCClassConfAllocClasstype(0, ct_name, NULL, 0); SCClassConfClasstype *lookup_ct_info = HashTableLookup(de_ctx->class_conf_ht, ct_info, 0); @@ -171,6 +171,7 @@ static int DetectClasstypeSetup(DetectEngineCtx *de_ctx, Signature *s, char *raw /* if we have retrieved the classtype, assign the message to be displayed * for this Signature by fast.log, if a Packet matches this Signature */ + s->class = ct->classtype_id; s->class_msg = ct->classtype_desc; /* if a priority keyword has appeared before the classtype, s->prio would diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c index 51ab53710a..085064dd00 100644 --- a/src/detect-engine-alert.c +++ b/src/detect-engine-alert.c @@ -97,6 +97,7 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p) p->alerts.alerts[p->alerts.cnt].rev = s->rev; p->alerts.alerts[p->alerts.cnt].prio = s->prio; p->alerts.alerts[p->alerts.cnt].msg = s->msg; + p->alerts.alerts[p->alerts.cnt].class = s->class; p->alerts.alerts[p->alerts.cnt].class_msg = s->class_msg; p->alerts.alerts[p->alerts.cnt].references = s->references; } else { @@ -120,6 +121,7 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p) p->alerts.alerts[i].rev = s->rev; p->alerts.alerts[i].prio = s->prio; p->alerts.alerts[i].msg = s->msg; + p->alerts.alerts[i].class = s->class; p->alerts.alerts[i].class_msg = s->class_msg; p->alerts.alerts[i].references = s->references; } diff --git a/src/detect.h b/src/detect.h index 731449d103..cf04fa91a4 100644 --- a/src/detect.h +++ b/src/detect.h @@ -232,6 +232,9 @@ typedef struct Signature_ { uint8_t nchunk_groups; /**< Internal chunk grp id (for splitted patterns) */ char *msg; + /** classification id **/ + uint8_t class; + /** classification message */ char *class_msg; diff --git a/src/util-classification-config.c b/src/util-classification-config.c index e5ae37bbc7..85e5add416 100644 --- a/src/util-classification-config.c +++ b/src/util-classification-config.c @@ -188,17 +188,19 @@ static char *SCClassConfStringToLowercase(const char *str) * hash table in DetectEngineCtx, i.e. DetectEngineCtx->class_conf_ht. * * \param rawstr Pointer to the string to be parsed. + * \param index Relative index of the string to be parsed. * \param de_ctx Pointer to the Detection Engine Context. * * \retval 0 On success. * \retval -1 On failure. */ -int SCClassConfAddClasstype(char *rawstr, DetectEngineCtx *de_ctx) +int SCClassConfAddClasstype(char *rawstr, uint8_t index, DetectEngineCtx *de_ctx) { const char *ct_name = NULL; const char *ct_desc = NULL; const char *ct_priority_str = NULL; int ct_priority = 0; + uint8_t ct_id = index; SCClassConfClasstype *ct_new = NULL; SCClassConfClasstype *ct_lookup = NULL; @@ -238,7 +240,7 @@ int SCClassConfAddClasstype(char *rawstr, DetectEngineCtx *de_ctx) ct_priority = atoi(ct_priority_str); /* Create a new instance of the parsed Classtype string */ - ct_new = SCClassConfAllocClasstype(ct_name, ct_desc, ct_priority); + ct_new = SCClassConfAllocClasstype(ct_id, ct_name, ct_desc, ct_priority); if (ct_new == NULL) goto error; @@ -307,12 +309,14 @@ static int SCClassConfIsLineBlankOrComment(char *line) void SCClassConfParseFile(DetectEngineCtx *de_ctx) { char line[1024]; + uint8_t i = 1; while (fgets(line, sizeof(line), fd) != NULL) { if (SCClassConfIsLineBlankOrComment(line)) continue; - SCClassConfAddClasstype(line, de_ctx); + SCClassConfAddClasstype(line, i, de_ctx); + i++; } #ifdef UNITTESTS @@ -334,7 +338,8 @@ void SCClassConfParseFile(DetectEngineCtx *de_ctx) * \retval ct Pointer to the new instance of SCClassConfClasstype on success; * NULL on failure. */ -SCClassConfClasstype *SCClassConfAllocClasstype(const char *classtype, +SCClassConfClasstype *SCClassConfAllocClasstype(uint8_t classtype_id, + const char *classtype, const char *classtype_desc, int priority) { @@ -358,6 +363,7 @@ SCClassConfClasstype *SCClassConfAllocClasstype(const char *classtype, exit(EXIT_FAILURE); } + ct->classtype_id = classtype_id; ct->priority = priority; return ct; @@ -672,27 +678,27 @@ int SCClassConfTest04(void) result = (de_ctx->class_conf_ht->count == 3); - ct = SCClassConfAllocClasstype("unknown", NULL, 0); + ct = SCClassConfAllocClasstype(0, "unknown", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("unKnoWn", NULL, 0); + ct = SCClassConfAllocClasstype(0, "unKnoWn", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("bamboo", NULL, 0); + ct = SCClassConfAllocClasstype(0, "bamboo", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("bad-unknown", NULL, 0); + ct = SCClassConfAllocClasstype(0, "bad-unknown", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("BAD-UNKnOWN", NULL, 0); + ct = SCClassConfAllocClasstype(0, "BAD-UNKnOWN", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("bed-unknown", NULL, 0); + ct = SCClassConfAllocClasstype(0, "bed-unknown", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL); SCClassConfDeAllocClasstype(ct); @@ -724,31 +730,30 @@ int SCClassConfTest05(void) result = (de_ctx->class_conf_ht->count == 0); - ct = SCClassConfAllocClasstype("unknown", NULL, 0); + ct = SCClassConfAllocClasstype(0, "unknown", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("unKnoWn", NULL, 0); + ct = SCClassConfAllocClasstype(0, "unKnoWn", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("bamboo", NULL, 0); + ct = SCClassConfAllocClasstype(0, "bamboo", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("bad-unknown", NULL, 0); + ct = SCClassConfAllocClasstype(0, "bad-unknown", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("BAD-UNKnOWN", NULL, 0); + ct = SCClassConfAllocClasstype(0, "BAD-UNKnOWN", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("bed-unknown", NULL, 0); + ct = SCClassConfAllocClasstype(0, "bed-unknown", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL); SCClassConfDeAllocClasstype(ct); - DetectEngineCtxFree(de_ctx); return result; @@ -776,27 +781,27 @@ int SCClassConfTest06(void) result = (de_ctx->class_conf_ht->count == 3); - ct = SCClassConfAllocClasstype("unknown", NULL, 0); + ct = SCClassConfAllocClasstype(0, "unknown", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("not-suspicious", NULL, 0); + ct = SCClassConfAllocClasstype(0, "not-suspicious", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("bamboola1", NULL, 0); + ct = SCClassConfAllocClasstype(0, "bamboola1", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("bamboola1", NULL, 0); + ct = SCClassConfAllocClasstype(0, "bamboola1", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("BAMBOolA1", NULL, 0); + ct = SCClassConfAllocClasstype(0, "BAMBOolA1", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL); SCClassConfDeAllocClasstype(ct); - ct = SCClassConfAllocClasstype("unkNOwn", NULL, 0); + ct = SCClassConfAllocClasstype(0, "unkNOwn", NULL, 0); result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL); SCClassConfDeAllocClasstype(ct); diff --git a/src/util-classification-config.h b/src/util-classification-config.h index 5f6b2dadcd..03fe03a9ce 100644 --- a/src/util-classification-config.h +++ b/src/util-classification-config.h @@ -28,6 +28,9 @@ * \brief Container for a Classtype from the Classification.config file. */ typedef struct SCClassConfClasstype_ { + /* The index of the classification within classification.confg */ + uint8_t classtype_id; + /* The classtype name. This is the primary key for a Classification. */ char *classtype; @@ -39,8 +42,8 @@ typedef struct SCClassConfClasstype_ { int priority; } SCClassConfClasstype; -SCClassConfClasstype *SCClassConfAllocClasstype(const char *, const char *, - int); +SCClassConfClasstype *SCClassConfAllocClasstype(uint8_t, const char *, + const char *, int); void SCClassConfDeAllocClasstype(SCClassConfClasstype *); void SCClassConfLoadClassficationConfigFile(DetectEngineCtx *); void SCClassConfRegisterTests(void);