第一层结构:RuleListNode
typedef struct _RuleListNode
{
ListHead *RuleList; /* The rule list associated with this node */
int mode; /* the rule mode */
int rval; /* 0 == no detection, 1 == detection event */
int evalIndex; /* eval index for this rule set */
char *name; /* name of this rule list (for debugging) */
struct _RuleListNode *next; /* the next RuleListNode */
} RuleListNode;
数据结构RuleListNode链表代表了系统支持的规则类型,包Alert,Log,Pass,Activate,Dynamic。每链表节电又通过ListHead结构类型字段RuleList指向下面的规则链表。
第二层结构:ListHead
typedef struct _ListHead
{
RuleTreeNode *IpList;
RuleTreeNode *TcpList;
RuleTreeNode *UdpList;
RuleTreeNode *IcmpList;
struct _OutputFuncNode *LogList;
struct _OutputFuncNode *AlertList;
struct _RuleListNode *ruleListNode;
} ListHead;
数据结构ListHead中若干字段IpList , TcpList , UdpList , IcmpList等又分别指向各协议类型划分的规则链表,同时,可能有一个回指针去对应RuleListNode节点。
第三层结构:RuleTreeNode
typedef struct _RuleTreeNode
{
RuleFpList *rule_func; /* match functions.. (Bidirectional etc.. ) */
int head_node_number;
int type;
IpAddrSet *sip;
IpAddrSet *dip;
int not_sp_flag; /* not source port flag */
u_short hsp; /* hi src port */
u_short lsp; /* lo src port */
int not_dp_flag; /* not dest port flag */
u_short hdp; /* hi dest port */
u_short ldp; /* lo dest port */
u_int32_t flags; /* control flags */
/* stuff for dynamic rules activation/deactivation */
int active_flag;
int activation_counter;
int countdown;
ActivateList *activate_list;
struct _RuleTreeNode *right; /* ptr to the next RTN in the list */
OptTreeNode *down; /* list of rule options to associate with this
rule node */
struct _ListHead *listhead;
} RuleTreeNode;
最基础的数据结构包括RuleTreeNode和OptTreeNode,分别代表最基本的规则链表头和规则节
点,并分别定义。
snort三维规则链表数据结构图如下:
阅读(2576) | 评论(0) | 转发(0) |