网络入侵检测系统之Suricata(六)--规则加载模块代码详解

Suricata规则加载流程图

IP规则解析：

1. 支持可配的ip形式：

! 1.1.1.1 Every IP address but 1.1.1.1 ![1.1.1.1, 1.1.1.2] Every IP address but 1.1.1.1 and 1.1.1.2 $HOME_NET Your setting of HOME_NET in yaml [$EXTERNAL_NET, !$HOME_NET] EXTERNAL_NET and not HOME_NET [10.0.0.0/24, !10.0.0.5] 10.0.0.0/24 except for 10.0.0.5 [..., [....]] [..., ![.....]]

你甚至可以这么玩

/*[[1.2.3.4,[2.3.4.5,[3.4.5.6,4.5.6.7]]],4.3.2.1,

[10.10.10.10,[11.11.11.11,[12.12.12.12,13.13.13.13]]]]");

2. 重叠地址拆分，排序

[10.0.0.0/8,10.10.10.10 ]

->

[10.0.0.0~10.10.10.10.9 10.10.10.10 10.10.10.11 ~ 10.255.255.255]

head->next->next->next

3. 合并正地址和非地址

[2001::/3,!3000::/5]

->

{ "2000::", "2fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff" }->next

{ "3800::", "3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff" } };

4. 校验string addr

[a, !b] 能这么配的前提是，a包含b

!any

>255等不符合ip形式

端口解析：

1.端口支持范围

[80, 81, 82] port 80, 81 and 82 [80: 82] Range from 80 till 82 [1024: ] From 1024 till the highest port-number !80 Every port but 80 [80:100,!99] Range from 80 till 100 but 99 excluded [1:80,![2,4]] Range from 1-80, except ports 2 and 4 [.., [..,..]] ![0:100,1000:3000]

2. 重叠端口拆分

[80:88， 85:100]

{port = 80, port2 = 84)->next{port = 85, port2 = 88}->next

{port = 89, port2 = 100}

3. 合并正反地址

4. 校验string port

[80:!80]

端口号过大

端口超范围

端口范围，first > sec

[a, !b] 能这么配的前提是，a包含b