#pragma once
#include <stddef.h>
#include <stdbool.h>
#include <stdint.h>
/*
 * Fixed capacities of the statically sized tables declared below.  Every
 * array in rule_set_t / pattern_table_t is bounded by one of these, so any
 * code that fills those arrays (the rule loader, the scanner that records
 * matches) must check its own counters against them; the structs carry no
 * overflow guard of their own.
 */
#define MAX_RULE_CONDITIONS 16   /* rule_condition_t entries per rule_t */
#define MAX_RULES 128            /* rule_t entries per rule_set_t */
#define MAX_PATTERNS 512         /* pattern_t entries per pattern_table_t */
#define MAX_MATCH_OFFSETS 64     /* match positions remembered per pattern_t */
#define PATTERN_TABLE_SIZE 1024  /* chain heads in pattern_table_t.buckets */
/*
 * One byte-sequence pattern together with the match positions recorded
 * for it by the most recent scan.
 *
 * Ownership: `bytes` is non-const while pattern_table_add() takes a const
 * buffer, so the table presumably keeps a private copy that
 * pattern_table_free() releases — confirm against the implementation.
 * Whether `id` is copied or merely referenced is not specified here;
 * verify its lifetime before storing ids from a transient buffer.
 */
typedef struct {
    const char *id;                            /* lookup key used by pattern_table_find() */
    uint8_t *bytes;                            /* pattern payload, `len` bytes long */
    size_t len;                                /* number of valid bytes in `bytes` */
    size_t match_offsets[MAX_MATCH_OFFSETS];   /* positions of hits in the scanned data */
    size_t match_count;                        /* valid entries in match_offsets; the code that
                                                  records hits must stop at MAX_MATCH_OFFSETS,
                                                  nothing in this struct prevents overrun */
} pattern_t;
/* typedef struct { */
/* const char *id; */
/* pattern_t *entry; */
/* } pattern_bucket_t; */
/*
 * Node of a singly linked chain hanging off pattern_table_t.buckets.
 * `id` is stored alongside `entry` although entry->id exists; this looks
 * like a shortcut so a lookup can compare keys without dereferencing the
 * pattern_t — keep the two fields in sync when inserting (inferred from
 * the layout; confirm how the implementation uses them).
 */
typedef struct pattern_bucket {
    const char *id;                /* same key as entry->id */
    pattern_t *entry;              /* presumably points into pattern_table_t.patterns; not owned — confirm */
    struct pattern_bucket *next;   /* following node in the same chain; NULL terminates it (assumed) */
} pattern_bucket_t;
//pattern_bucket_t *buckets[PATTERN_TABLE_SIZE];
/*
 * Fixed-capacity pattern store.  `patterns[0..count)` holds the entries;
 * `buckets` holds chain heads for lookup by id, presumably indexed by a
 * hash of the id (confirm in the implementation).  The chain nodes are
 * separate objects; which call releases them is assumed to be
 * pattern_table_free() — verify.
 *
 * NOTE(review): on typical 64-bit layouts this struct is well over 250 KB
 * (MAX_PATTERNS copies of pattern_t, each carrying MAX_MATCH_OFFSETS
 * size_t offsets).  Give it static or heap storage; do not declare it as
 * an automatic (stack) variable.
 */
typedef struct {
    pattern_t patterns[MAX_PATTERNS];
    size_t count;                                    /* used slots in `patterns`, <= MAX_PATTERNS */
    pattern_bucket_t *buckets[PATTERN_TABLE_SIZE];   /* chain heads; NULL means empty bucket (assumed) */
} pattern_table_t;
/*
 * Verdict attached to a rule.  Note there is no "unknown"/"invalid"
 * enumerator, so parse_action() has no in-band way to report an
 * unrecognised keyword — see its declaration below.
 */
typedef enum {
    RULE_BLOCK,           /* deny the scanned object */
    RULE_ALLOW,           /* explicitly permit it */
    RULE_QUARANTINE,      /* isolate it for later inspection */
    RULE_INFORMATIONAL    /* report only; no enforcement effect */
} rule_action_t;
/*
 * How one rule_condition_t combines with the others in its rule.  The
 * exact combination order (how OPTIONAL clauses interact with REQUIRED
 * and NEGATED ones) is decided by evaluate_rule(), not by this header.
 */
typedef enum {
    COND_TYPE_REQUIRED, /* "and": the pattern must have matched */
    COND_TYPE_OPTIONAL, /* "or": any one of these matching suffices */
    COND_TYPE_NEGATED   /* "not": the pattern must not have matched */
} condition_type_t;
/*
 * One clause of a rule: a reference (by id) to a pattern plus how its
 * match state contributes to the verdict.  `offset` is only meaningful
 * when `has_offset` is true; what an offset constrains (e.g. that a hit
 * must begin exactly there) is defined by evaluate_rule().
 */
typedef struct {
    const char *pattern_id;   /* id resolved via pattern_table_find(); lifetime not specified here */
    size_t offset;            /* required match position, valid only if has_offset */
    bool has_offset;
    condition_type_t type;    /* REQUIRED / OPTIONAL / NEGATED */
} rule_condition_t;
/*
 * A rule: a fixed array of conditions and the action taken when
 * evaluate_rule() reports them satisfied.  The loader must keep
 * condition_count <= MAX_RULE_CONDITIONS; the struct itself cannot.
 */
typedef struct {
    const char *id;                                    /* rule identifier; lifetime not specified here */
    rule_action_t action;
    rule_condition_t conditions[MAX_RULE_CONDITIONS];
    size_t condition_count;                            /* valid entries in `conditions` */
} rule_t;
/*
 * Everything load_rules() produces: the rules plus the pattern table they
 * reference.  Released with free_rules().
 *
 * NOTE(review): this embeds a pattern_table_t by value, so on typical
 * 64-bit layouts a rule_set_t is roughly 300 KB.  Allocate it statically
 * or on the heap; a stack instance risks overflowing small thread stacks.
 */
typedef struct {
    rule_t rules[MAX_RULES];
    size_t rule_count;            /* used slots in `rules`, <= MAX_RULES */
    pattern_table_t patterns;     /* patterns referenced by rule_condition_t.pattern_id */
} rule_set_t;
/**
 * Look up a pattern by id.
 * @return pointer to the table-owned entry, or (presumably) NULL when no
 *         pattern has that id — confirm; the pointer has no other way to
 *         signal a miss.
 */
pattern_t *pattern_table_find(pattern_table_t *table, const char *id);

/**
 * Add a pattern of `len` bytes under `id`.  `bytes` is const, so the table
 * is expected to copy the data rather than keep the caller's buffer.
 * @return int status; presumably 0 on success and non-zero on failure
 *         (e.g. table full or allocation failure) — the exact convention
 *         lives in the implementation.  Callers must check it.
 */
int pattern_table_add(pattern_table_t *table, const char *id, const uint8_t *bytes, size_t len);

/**
 * Reset per-pattern match state (presumably every pattern_t.match_count)
 * so a fresh scan does not see hits from the previous one.
 */
void pattern_table_clear_matches(pattern_table_t *table);

/**
 * Release everything the table owns (pattern byte copies and chain nodes,
 * as far as this header lets one tell).  Do not use `table` afterwards
 * without re-initialising it.
 */
void pattern_table_free(pattern_table_t *table);

/**
 * Parse the rule file at `path` into *out_ruleset.  The file is external
 * input: the loader must bound every count it reads by MAX_RULES,
 * MAX_RULE_CONDITIONS, MAX_PATTERNS and MAX_MATCH_OFFSETS before writing
 * into the fixed arrays.
 * @return int status, presumably 0 on success — confirm the error codes
 *         in the implementation.
 */
int load_rules(const char *path, rule_set_t *out_ruleset);

/**
 * Map an action keyword to rule_action_t.  rule_action_t has no
 * "invalid" enumerator, so what is returned for an unrecognised string is
 * not specified here — confirm against the implementation before relying
 * on it to reject bad input.
 */
rule_action_t parse_action(const char *s);

/**
 * Decide whether `rule` is satisfied by the match state currently stored
 * in `patterns` (non-const because lookups go through pattern_table_find()).
 * Clearing match state between scans is left to the caller via
 * pattern_table_clear_matches() (assumed; verify).
 * @return true when the rule's conditions hold.
 */
bool evaluate_rule(const rule_t *rule, pattern_table_t *patterns);

/** Print a human-readable description of `r` (diagnostic aid). */
void dump_rule(const rule_t *r);

/**
 * Release all storage owned by `rules`, including its embedded pattern
 * table.  `rules` must not be used again until re-loaded.
 */
void free_rules(rule_set_t *rules);