From 2278df1493e064c197913e49b5d1935942d83448 Mon Sep 17 00:00:00 2001
From: daniel
Date: Tue, 6 May 2025 16:57:32 -0700
Subject: initial import
---
 include/av_rules.h | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 include/av_rules.h
(limited to 'include/av_rules.h')
diff --git a/include/av_rules.h b/include/av_rules.h
new file mode 100644
index 0000000..8e55a54
--- /dev/null
+++ b/include/av_rules.h
@@ -0,0 +1,86 @@
+#pragma once
+
+#include
+#include
+#include
+
+#define MAX_RULE_CONDITIONS 16
+#define MAX_RULES 128
+#define MAX_PATTERNS 512
+#define MAX_MATCH_OFFSETS 64
+#define PATTERN_TABLE_SIZE 1024
+
+typedef struct {
+ const char *id;
+ uint8_t *bytes;
+ size_t len;
+
+ size_t match_offsets[MAX_MATCH_OFFSETS];
+ size_t match_count;
+} pattern_t;
+
+/* typedef struct { */
+/* const char *id; */
+/* pattern_t *entry; */
+/* } pattern_bucket_t; */
+
+typedef struct pattern_bucket {
+ const char *id;
+ pattern_t *entry;
+ struct pattern_bucket *next;
+} pattern_bucket_t;
+
+//pattern_bucket_t *buckets[PATTERN_TABLE_SIZE];
+
+typedef struct {
+ pattern_t patterns[MAX_PATTERNS];
+ size_t count;
+
+ pattern_bucket_t *buckets[PATTERN_TABLE_SIZE];
+} pattern_table_t;
+
+
+typedef enum {
+ RULE_BLOCK,
+ RULE_ALLOW,
+ RULE_QUARANTINE,
+ RULE_INFORMATIONAL
+} rule_action_t;
+
+typedef enum {
+ COND_TYPE_REQUIRED, // and
+ COND_TYPE_OPTIONAL, // or
+ COND_TYPE_NEGATED // not
+} condition_type_t;
+
+typedef struct {
+ const char *pattern_id;
+ size_t offset;
+ bool has_offset;
+ condition_type_t type;
+} rule_condition_t;
+
+typedef struct {
+ const char *id;
+ rule_action_t action;
+ rule_condition_t conditions[MAX_RULE_CONDITIONS];
+ size_t condition_count;
+} rule_t;
+
+typedef struct {
+ rule_t rules[MAX_RULES];
+ size_t rule_count;
+ pattern_table_t patterns;
+} rule_set_t;
+
+
+pattern_t *pattern_table_find(pattern_table_t *table, const char *id);
+int pattern_table_add(pattern_table_t *table, const char *id, const uint8_t *bytes, size_t len);
+void pattern_table_clear_matches(pattern_table_t *table);
+void pattern_table_free(pattern_table_t *table);
+
+int load_rules(const char *path, rule_set_t *out_ruleset);
+rule_action_t parse_action(const char *s);
+bool evaluate_rule(const rule_t *rule, pattern_table_t *patterns);
+void dump_rule(const rule_t *r);
+void free_rules(rule_set_t *rules);
-- cgit v1.2.3
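Review bot: The fixed-capacity arrays this header introduces (`match_offsets[MAX_MATCH_OFFSETS]`, `patterns[MAX_PATTERNS]`, `conditions[MAX_RULE_CONDITIONS]`, `rules[MAX_RULES]`) come with no stated contract for what happens when a caller reaches the limit, and the header is the only place the implementations in other files can be held to one. The most exposed case is `match_count` against `match_offsets[64]`: the number of hits is driven by whatever input the scanner is fed, so the recorder must clamp at `MAX_MATCH_OFFSETS` rather than index past it, and `pattern_table_add` / `load_rules` likewise need a documented failure return when the pattern or rule tables are full. I would put that in the prototypes, e.g. `/* Returns 0 on success, non-zero if the table is full or id is already present; bytes is copied and the table owns the copy until pattern_table_free(). */` above `pattern_table_add` and `/* match_count never exceeds MAX_MATCH_OFFSETS; further matches are dropped. */` on `pattern_t` — the copy/ownership part is my inference from `const uint8_t *bytes` in the prototype versus `uint8_t *bytes` in the struct, so confirm it against the implementation. Separately, by my arithmetic `rule_set_t` is roughly 340 KB on a typical LP64 target, so a comment warning against declaring one as a stack local would save a crash later. The commented-out `pattern_bucket_t` draft and the stray `//pattern_bucket_t *buckets[...]` line are dead code and can go.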