http://www.cppblog.com/iniwf/archive/2012/05/18/77468.html
SnortMain
-SnortInit
--RegisterPreprocessors 注册处理函数
--RegisterRuleOptions
---SetupPatternMatch
----RegisterRuleOption("content", PayloadSearchInit, NULL, OPT_TYPE_DETECTION, NULL);
-----fpl = AddOptFuncToList(CheckANDPatternMatch, otn);
--ParseSnortConf 如果“配置文件”不为空,则执行此函数
---sfPolicyAdd 按照文件名,添加一个tSfPolicy。
---sfSetDefaultPolicy 对应有policy_id,设置为default的policy_id。
---ParseConfigFile
----ParseRule
规则头由RuleTreeNode(RTN)结构表示
-----ProcessIP 解析IP
-----ParsePortList 端口
-----ProcessHeadNode 设置规则头的匹配函数
------SetupRTNFuncList
-------PortToFunc 端口检查函数挂入RuleFpList链表
-------AddrToFunc IP检查挂入RuleFpList链表
-------AddRuleFuncToList(RuleListEnd, rtn); 最后挂一个RuleListEnd
规则选项由OptTreeNode(OTN)表示
-----ParseRuleOptions
------GetOTN
--ParseRules
---ParseConfigFile,同上
---PortTablesFinish
----finish_portlist_table
--fpCreateFastPacketDetection
---fpCreatePortGroups
----fpCreatePortObject2PortGroup
-----fpAddPortGroupRule 按照端口组,添加规则
------fpFinishPortGroupRule
-------mpseAddPatternWithSnortConfig
-----fpFinishPortGroup
------mpsePrepPatternsWithSnortConf 按照端口组,编译规则AC状态机
-------acsmCompileWithSnortConf
--------pmx_create_tree 生成以detection_option_tree_root_t为根的树。节点为detection_option_tree_node_t
------otn_create_tree(otn, &pg->pgNonContentTree); 把无content的规则加入状态树。
-SnortStartThreads
--ReloadConfigThread
---ReloadConfig
----ParseSnortConf,同上
----ParseRules 同上
-PacketLoop
--PacketCallback
---ProcessPacket
----Preprocess
-----Detect
------fpEvalPacket
-------fpEvalHeaderTcp
--------prmFindRuleGroupTcp 找端口group
---------prmFindRuleGroup
--------fpEvalHeaderSW
---------mpseSearch
----------rule_tree_match 特征匹配后,做精确匹配
-----------detection_option_tree_evaluate
------------detection_option_node_evaluate
-------------CheckANDPatternMatch,uniSearchCI或uniSearch
--------fpFinalSelectEvent
OTN存储在hash表中
RTN独立存储,和OTN关联;多个OTN可能对应同一个RTN。
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any -------------------------------- 存储到RTN中
(msg:"DELETED BROWSER-PLUGINS Microsoft Internet Explorer RDS.Dataspace ActiveX object code execution attempt";
flow:to_client,established; file_data;
content:"BD96C556-65A3-11D0-983A-00C04FC29E36"; fast_pattern:only; ---------------------------- 对应一个PMD
content:"Shell.application"; nocase;
pcre:"/(\w+)\s*?\x3D\s*?document\x2Ecreateelement.*?\1\x2EsetAttribute.*?BD96C556-65A3-11D0-983A-00C04FC29E36.*?\1\x2EcreateObject\x28[\x22\x27]Shell\x2EApplication/smi";
reference:bugtraq,17462;
reference:cve,2006-0003;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-014;
classtype:attempted-user;
sid:21081;
rev:9;) ------------------------ 整个存储到OTN中
typedef struct _PatternMatchData
{
int offset; /* pattern search start offset */
int depth; /* pattern search depth */
int distance; /* offset to start from based on last match */
u_int within; /* this pattern must be found
within X bytes of last match*/
int8_t offset_var; /* byte_extract variable indices for offset, */
int8_t depth_var; /* depth, distance, within */
int8_t distance_var;
int8_t within_var;
int rawbytes; /* Search the raw bytes rather than any decoded app
buffer */
int replace_depth; /* >=0 is offset to start of replace */
int nocase; /* Toggle case insensitity */
int use_doe; /* Use the doe_ptr for relative pattern searching */
HTTP_BUFFER http_buffer;/* Index of the URI buffer */
int buffer_func; /* buffer function CheckAND or CheckUri */
u_int pattern_size; /* size of app layer pattern */
u_int replace_size; /* size of app layer replace pattern */
char *replace_buf; /* app layer pattern to replace with */
char *pattern_buf; /* app layer pattern to match on */
int (*search)(const char *, int, struct _PatternMatchData *); /* search function */
int *skip_stride; /* B-M skip array */
int *shift_stride; /* B-M shift array */
u_int pattern_max_jump_size; /* Maximum distance we can jump to search for
* this pattern again. */
OptFpList *fpl; /* Pointer to the OTN FPList for this pattern */
/* Needed to be able to set the isRelative flag */
/* Set if fast pattern matcher found a content in the packet,
but the rule option specifies a negated content. Only
applies to negative contents that are not relative */
struct
{
struct timeval ts;
uint64_t packet_number;
uint32_t rebuild_flag;
} last_check;
/* For fast_pattern arguments */
uint8_t fp;
uint8_t fp_only;
uint16_t fp_offset;
uint16_t fp_length;
uint8_t exception_flag; /* search for "not this pattern" */
/* Used in ds_list - do not try to iterate after parsing a rule
* since the detection option tree will eliminate duplicates and
* the list may have missing pmds */
struct _PatternMatchData *prev; /* ptr to previous match struct */
struct _PatternMatchData *next; /* ptr to next match struct */
} PatternMatchData;
typedef struct _OptFpList
{
/* context data for this test */
void *context; ------------- 如果是content类型,存储的即是PMD.
int (*OptTestFunc)(void *option_data, Packet *p);
struct _OptFpList *next;
unsigned char isRelative;
option_type_t type;
} OptFpList;
typedef struct _RuleTreeNode
{
RuleFpList *rule_func; /* match functions.. (Bidirectional etc.. ) */ -------- 检查ip、端口等的函数链表。
int head_node_number;
RuleType type;
IpAddrSet *sip;
IpAddrSet *dip;
int proto;
PortObject * src_portobject;
PortObject * dst_portobject;
uint32_t flags; /* control flags */
/* stuff for dynamic rules activation/deactivation */
int active_flag;
int activation_counter;
int countdown;
ActivateListNode *activate_list;
#if 0
struct _RuleTreeNode *right; /* ptr to the next RTN in the list */
/** list of rule options to associate with this rule node */
OptTreeNode *down;
#endif
/**points to global parent RTN list (Drop/Alert) which contains this
* RTN.
*/
struct _ListHead *listhead;
/**reference count from otn. Multiple OTNs can reference this RTN with the same
* policy.
*/
unsigned int otnRefCount;
} RuleTreeNode;
typedef struct _OptTreeNode
{
/* plugin/detection functions go here */
OptFpList *opt_func;
RspFpList *rsp_func; /* response functions */
OutputFuncNode *outputFuncs; /* per sid enabled output functions */
/* the ds_list is absolutely essential for the plugin system to work,
it allows the plugin authors to associate "dynamic" data structures
with the rule system, letting them link anything they can come up
with to the rules list */
void *ds_list[PLUGIN_MAX]; /* list of plugin data struct pointers */ -------------------- PLUGIN_PATTERN_MATCH,存储PMD
int chain_node_number;
int evalIndex; /* where this rule sits in the evaluation sets */
int proto; /* protocol, added for integrity checks
during rule parsing */
int session_flag; /* record session data */
char *logto; /* log file in which to write packets which
match this rule*/
/* metadata about signature */
SigInfo sigInfo;
uint8_t stateless; /* this rule can fire regardless of session state */
uint8_t established; /* this rule can only fire if it is established */
uint8_t unestablished;
Event event_data;
void* detection_filter; /* if present, evaluated last, after header checks */
TagData *tag;
/* stuff for dynamic rules activation/deactivation */
int active_flag;
int activation_counter;
int countdown;
int activates;
int activated_by;
struct _OptTreeNode *OTN_activation_ptr;
struct _RuleTreeNode *RTN_activation_ptr;
struct _OptTreeNode *next;
struct _OptTreeNode *nextSoid;
/* ptr to list of RTNs (head part) */
struct _RuleTreeNode **proto_nodes;
/**number of proto_nodes. */
unsigned short proto_node_num;
uint8_t failedCheckBits;
char generated;
uint16_t longestPatternLen;
int rule_state; /* Enabled or Disabled */
#ifdef PERF_PROFILING
uint64_t ticks;
uint64_t ticks_match;
uint64_t ticks_no_match;
uint64_t checks;
uint64_t matches;
uint64_t alerts;
uint8_t noalerts;
#endif
int pcre_flag; /* PPM */
uint64_t ppm_suspend_time; /* PPM */
uint64_t ppm_disable_cnt; /*PPM */
uint32_t num_detection_opts;
/**unique index generated in ruleIndexMap.
*/
int ruleIndex;
/* List of preprocessor registered fast pattern contents */
void *preproc_fp_list;
} OptTreeNode;
/*
* Aho-Corasick State Machine Struct - one per group of pattterns
*/
typedef struct {
int acsmMaxStates;
int acsmNumStates;
ACSM_PATTERN2 * acsmPatterns; ----------- 模式链表。(第1步得到的)
acstate_t * acsmFailState;
ACSM_PATTERN2 ** acsmMatchList; ----------- 有些终止状态,即匹配成功。此处存储ACSM_PATTERN2的匹配链表。(2)
/* list of transitions in each state, this is used to build the nfa & dfa */
/* after construction we convert to sparse or full format matrix and free */
/* the transition lists */
trans_node_t ** acsmTransTable; ------------ 根据所有“模式”,得出其“转换表”。如果acsmMatchList的第N列存在终止状态,则acsmTransTable的第N列为空,添加(2)
acstate_t ** acsmNextState; ----------- 把acsmTransTable中的每列“模式”进行转换,每一列尝试压缩存储为“数组链表”。生成它之后会把acsmMatchList和acsmFailState都删掉。(3)
int acsmFormat;
int acsmSparseMaxRowNodes;
int acsmSparseMaxZcnt;
int acsmNumTrans;
int acsmAlphabetSize;
int acsmFSA;
int numPatterns; ------------- 模式个数
void (*userfree)(void *p);
void (*optiontreefree)(void **p);
void (*neg_list_free)(void **p);
PMQ q;
int sizeofstate; ------ acsmNumStates个数决定了用几个字节存储acsmNextState的每一列的每一个“模式”。
int compress_states;
}ACSM_STRUCT2;
typedef
struct _acsm_pattern2
{
struct _acsm_pattern2 *next;
unsigned char *patrn; -------- 匹配字符
unsigned char *casepatrn; -------- 大写的匹配字符
int n; ------------匹配字符的长度
int nocase;
int offset;
int depth;
int negative;
void *udata; ------------------ 为PMX,存储
int iid;
void * rule_option_tree; ------------------- build tree之后存储输出信息。为detection_option_tree_root_t *.
void * neg_list;
} ACSM_PATTERN2;
typedef struct _OptTreeNode
{
/* plugin/detection functions go here */
OptFpList *opt_func;--------包含OptFpList链表,RULE_OPTION_TYPE_CONTENT对应的OptFpList里面再包含一个PMD。
void *ds_list[PLUGIN_MAX]; /* list of plugin data struct pointers */------------- 里面包含多个链表,按类型分。如PLUGIN_PATTERN_MATCH的链表里面包含所有PMD链表。
} ----------- 一个OTN对应一个单包rule,包含所有PMD。
/* same as the rule header FP list */
typedef struct _OptFpList
{
/* context data for this test */
void *context; ----------------- 执行PMD
int (*OptTestFunc)(void *option_data, Packet *p); ------- 对应的处理回调函数,如CheckUriPatternMatch
struct _OptFpList *next; --------------- 链表
unsigned char isRelative;
option_type_t type; ---------- 执行为content类型,如RULE_OPTION_TYPE_CONTENT。
} OptFpList;