
snf_HeaderFinder.hpp 5.3KB

  1. // snf_HeaderFinder.hpp
  2. // Copyright (C) 2007 - 2020 ARM Research Labs, LLC.
  3. // See www.armresearch.com for the copyright terms.
  4. //
  5. // SNF Header Finder used for identifying headers in a message. A header match
  6. // is defined by the name of the header, its ordinal, and some string that is
  7. // contained in that header. If the pattern is matched then one or more bits
  8. // are set in a 32 bit status flag, usually one bit at a time. Other matchers
  9. // that intend to set bits that are already set are turned off to save
  10. // cycles.
  11. //
  12. // The initial implementation of this engine is for turning off GBUdb learning
  13. // when one of the defined headers is matched. Other uses are likely to be
  14. // developed. This engine will have to evolve as that occurs.
  15. //
  16. // The evaluation of the status flag is defined by the application.
  17. #pragma once
  18. #include <string>
  19. #include <set>
  20. #include <map>
  21. #include <vector>
  /// One header-matching rule consumed by the header finder.
  ///
  /// A rule names a header, says which instance (ordinal) of that header to
  /// look at, gives a string that must be contained in it, and carries the
  /// directive bits to present when the rule matches. Context links rules so
  /// that they can be paired.
  struct HeaderFinderPattern {
      std::string Header;       ///< Header name to match.
      int Ordinal;              ///< Which instance of the header to match.
      int Context;              ///< Context link (for pairing patterns).
      std::string Contains;     ///< What to find in the header.
      /// What directive to present. The file's header comment describes a
      /// 32 bit status flag; unsigned long is at least that wide.
      unsigned long Directive;

      /// A freshly constructed pattern has empty strings and zeroed numbers.
      HeaderFinderPattern()
          : Header(),
            Ordinal(0),
            Context(0),
            Contains(),
            Directive(0) {}

      /// Copy constructor; only declared in this header.
      HeaderFinderPattern(const HeaderFinderPattern& P);

      /// Makes the pattern fresh and clean again; only declared in this header.
      void clear();

      /// Assignment operator; only declared in this header.
      HeaderFinderPattern& operator=(const HeaderFinderPattern& R);

      /// Ordering that lets patterns live in a std::set<>.
      /// The top-level const on the returned bool has no effect on callers; it
      /// is kept so the out-of-line definition continues to match.
      const bool operator<(const HeaderFinderPattern& R) const;
  };
  /// The configured patterns, ordered by HeaderFinderPattern::operator<.
  typedef std::set<HeaderFinderPattern> HeaderDirectiveSet;

  /// Iterator over a HeaderDirectiveSet.
  typedef HeaderDirectiveSet::iterator HeaderDirectiveIterator;

  /// Header ordinal count map (a string key mapped to an int count).
  typedef std::map<std::string const, int> NameOrdinalMap;
  38. // Upon construction the HeaderFinder scans the headers for matching directives
  39. // and leaves the composite results ready for inspection via the () operator.
  40. // UnfoldHeaders() strips and unfolds the headers then passes them to
  41. // MatchHeaders() which tracks the ordinals for matching directives and passes
  42. // those headers to CheckContent() to see if the required patterns are found.
  43. // CheckContent() then updates the Directives if the appropriate content is
  44. // found.
  class snfScanData;  // Forward declaration; the type itself is defined elsewhere.

  /// Header Finder object.
  ///
  /// The constructor reads the message; afterwards the composite directive
  /// bits can be read through operator()().
  ///
  /// NOTE(review): the message buffer is input that arrives from outside, and
  /// this class keeps it as a raw pointer plus a signed int length while the
  /// pattern set is held by reference. The declarations here do not show who
  /// owns those objects - confirm that callers keep the buffer and the pattern
  /// set alive for as long as this object exists, and that the scanning code
  /// (not shown) rejects a negative MessageLength before using it as a bound.
  class HeaderFinder {
      // Members below are private (class default access).

      snfScanData* ScanData;                       // Scanner control data.
      const HeaderDirectiveSet& HeaderDirectives;  // Handle for the directives/patterns.
      const unsigned char* Bfr;                    // Message buffer.
      const int Len;                               // Message length.

      std::vector<bool> ImpossibleBytes;           // Cache of known impossible bytes.
      unsigned long Directives;                    // Composite result given this message.
      std::set<int> ActivatedContexts;             // Set of activated contexts.
      NameOrdinalMap Ordinals;                     // Map of current header ordinals.

      /// Checks Header for a match against pattern P.
      void CheckContent(std::string& Header, const HeaderFinderPattern& P);

      /// Checks that the header matches.
      void MatchHeaders(std::string& Header);

      /// Answers: is b not the first byte of any pattern?
      bool ByteIsImpossible(unsigned char b);

      /// Unfolds and checks the headers.
      void UnfoldHeaders();

  public:
      /// Reads the message.
      ///
      /// @param EngineScanData  Scanner control data pointer.
      /// @param Patterns        The set of patterns.
      /// @param MessageBuffer   The message buffer.
      /// @param MessageLength   The length of the buffer.
      HeaderFinder(snfScanData* EngineScanData,
                   const HeaderDirectiveSet& Patterns,
                   const unsigned char* MessageBuffer,
                   const int MessageLength);

      /// Reads the composite directives.
      const unsigned long operator()() const;

      /// Source IP from directive, if any.
      /// NOTE(review): this value appears to be taken from header text in the
      /// message - confirm that callers rely on it only when the matched
      /// header is one written by infrastructure they control.
      std::string EstablishedSourceIP;
  };