spp_ai.h
Go to the documentation of this file.
00001 /* 00002 * ===================================================================================== 00003 * 00004 * Filename: spp_ai.h 00005 * 00006 * Description: Header file for the preprocessor 00007 * 00008 * Version: 1.0 00009 * Created: 30/07/2010 15:47:12 00010 * Revision: none 00011 * Compiler: gcc 00012 * 00013 * Author: BlackLight (http://0x00.ath.cx), <blacklight@autistici.org> 00014 * Licence: GNU GPL v.3 00015 * Company: DO WHAT YOU WANT CAUSE A PIRATE IS FREE, YOU ARE A PIRATE! 00016 * 00017 * ===================================================================================== 00018 */ 00019 00020 #ifndef _SPP_AI_H 00021 #define _SPP_AI_H 00022 00023 #ifdef HAVE_CONFIG_H 00024 #include "config.h" 00025 #endif 00026 00027 #include "sf_snort_packet.h" 00028 #include "sf_dynamic_preprocessor.h" 00029 #include "uthash.h" 00030 00031 #define PRIVATE static 00032 00034 #define DEFAULT_HASH_CLEANUP_INTERVAL 300 00035 00037 #define DEFAULT_STREAM_EXPIRE_INTERVAL 300 00038 00040 #define DEFAULT_DATABASE_INTERVAL 30 00041 00043 #define DEFAULT_ALERT_CLUSTERING_INTERVAL 3600 00044 00046 #define DEFAULT_ALERT_CORRELATION_INTERVAL 300 00047 00049 #define DEFAULT_ALERT_LOG_FILE "/var/log/snort/alert" 00050 00052 #define DEFAULT_CLUSTER_LOG_FILE "/var/log/snort/cluster_alert" 00053 00055 #define DEFAULT_CORR_RULES_DIR "/etc/snort/corr_rules" 00056 00057 extern DynamicPreprocessorData _dpd; 00058 typedef unsigned char uint8_t; 00059 typedef unsigned short uint16_t; 00060 typedef unsigned int uint32_t; 00061 00062 typedef enum { false, true } BOOL; 00063 00064 /*****************************************************************/ 00066 typedef enum { 00067 none, src_addr, dst_addr, src_port, dst_port, CLUSTER_TYPES 00068 } cluster_type; 00069 /*****************************************************************/ 00071 struct pkt_key 00072 { 00073 uint32_t src_ip; 00074 uint16_t dst_port; 00075 }; 00076 /*****************************************************************/ 00078 struct pkt_info 00079 { 00081 struct pkt_key key; 00082 00084 time_t timestamp; 00085 00087 SFSnortPacket* pkt; 00088 00090 struct pkt_info* next; 00091 00093 BOOL observed; 00094 00096 UT_hash_handle hh; 00097 }; 00098 /*****************************************************************/ 00099 /* Data type containing the configuration of the module */ 00100 typedef struct 00101 { 00103 unsigned long hashCleanupInterval; 00104 00106 unsigned long streamExpireInterval; 00107 00109 unsigned long alertClusteringInterval; 00110 00112 unsigned long databaseParsingInterval; 00113 00115 unsigned long correlationGraphInterval; 00116 00118 char alertfile[1024]; 00119 00121 char clusterfile[1024]; 00122 00124 char corr_rules_dir[1024]; 00125 00127 char dbname[256]; 00128 00130 char dbuser[256]; 00131 00133 char dbpass[256]; 00134 00136 char dbhost[256]; 00137 } AI_config; 00138 /*****************************************************************/ 00140 typedef struct _hierarchy_node 00141 { 00142 cluster_type type; 00143 char label[256]; 00144 int min_val; 00145 int max_val; 00146 int nchildren; 00147 struct _hierarchy_node *parent; 00148 struct _hierarchy_node **children; 00149 } hierarchy_node; 00150 /*****************************************************************/ 00152 typedef struct 00153 { 00154 unsigned int gid; 00155 unsigned int sid; 00156 unsigned int rev; 00157 } AI_hyperalert_key; 00158 /*****************************************************************/ 00160 typedef struct 00161 { 00163 AI_hyperalert_key key; 00164 00166 char **preconds; 00167 00169 unsigned int n_preconds; 00170 00172 char **postconds; 00173 00175 unsigned int n_postconds; 00176 00178 UT_hash_handle hh; 00179 } AI_hyperalert_info; 00180 /*****************************************************************/ 00182 typedef struct _AI_snort_alert { 00183 /* Identifiers of the alert */ 00184 unsigned int gid; 00185 unsigned int sid; 00186 unsigned int rev; 00187 00188 /* Snort priority, description, 00189 * classification and timestamp 00190 * of the alert */ 00191 unsigned short priority; 00192 char *desc; 00193 char *classification; 00194 time_t timestamp; 00195 00196 /* IP header information */ 00197 uint8_t ip_tos; 00198 uint16_t ip_len; 00199 uint16_t ip_id; 00200 uint8_t ip_ttl; 00201 uint8_t ip_proto; 00202 uint32_t ip_src_addr; 00203 uint32_t ip_dst_addr; 00204 00205 /* TCP header information */ 00206 uint16_t tcp_src_port; 00207 uint16_t tcp_dst_port; 00208 uint32_t tcp_seq; 00209 uint32_t tcp_ack; 00210 uint8_t tcp_flags; 00211 uint16_t tcp_window; 00212 uint16_t tcp_len; 00213 00216 struct pkt_info *stream; 00217 00220 struct _AI_snort_alert *next; 00221 00224 hierarchy_node *h_node[CLUSTER_TYPES]; 00225 00229 unsigned int grouped_alarms_count; 00230 00233 AI_hyperalert_info *hyperalert; 00234 } AI_snort_alert; 00235 /*****************************************************************/ 00236 00237 int preg_match ( const char*, char*, char***, int* ); 00238 char* str_replace ( char *str, char *orig, char *rep ); 00239 char* str_replace_all ( char *str, char *orig, char *rep ); 00240 00241 void* AI_hashcleanup_thread ( void* ); 00242 void* AI_file_alertparser_thread ( void* ); 00243 void* AI_alert_correlation_thread ( void* ); 00244 00245 #ifdef ENABLE_DB 00246 AI_snort_alert* AI_db_get_alerts ( void ); 00247 void AI_db_free_alerts ( AI_snort_alert *node ); 00248 void* AI_db_alertparser_thread ( void* ); 00249 #endif 00250 00251 void AI_pkt_enqueue ( SFSnortPacket* ); 00252 void AI_set_stream_observed ( struct pkt_key key ); 00253 void AI_hierarchies_build ( AI_config*, hierarchy_node**, int ); 00254 void AI_free_alerts ( AI_snort_alert *node ); 00255 00256 struct pkt_info* AI_get_stream_by_key ( struct pkt_key ); 00257 AI_snort_alert* AI_get_alerts ( void ); 00258 AI_snort_alert* AI_get_clustered_alerts ( void ); 00259 00261 AI_snort_alert* (*get_alerts)(void); 00262 00263 #endif /* _SPP_AI_H */ 00264
