Snort AI preprocessor module: spp

Go to the documentation of this file.
00001 /*
00002  * =====================================================================================
00003  *
00004  *       Filename:  spp_ai.h
00005  *
00006  *    Description:  Header file for the preprocessor
00007  *
00008  *        Version:  1.0
00009  *        Created:  30/07/2010 15:47:12
00010  *       Revision:  none
00011  *       Compiler:  gcc
00012  *
00013  *         Author:  BlackLight (http://0x00.ath.cx), <blacklight@autistici.org>
00014  *        Licence:  GNU GPL v.3
00015  *        Company:  DO WHAT YOU WANT CAUSE A PIRATE IS FREE, YOU ARE A PIRATE!
00016  *
00017  * =====================================================================================
00018  */
00019 
00020 #ifndef _SPP_AI_H
00021 #define _SPP_AI_H
00022 
00023 #include        "sf_snort_packet.h"
00024 #include        "sf_dynamic_preprocessor.h"
00025 #include        "uthash.h"
00026 
00027 #define         PRIVATE                 static
00028 
00029 #define         DEFAULT_HASH_CLEANUP_INTERVAL           300
00030 #define         DEFAULT_STREAM_EXPIRE_INTERVAL          300
00031 #define         DEFAULT_ALERT_CLUSTERING_INTERVAL               3600
00032 #define         DEFAULT_ALERT_LOG_FILE                          "/var/log/snort/alert"
00033 #define         DEFAULT_CLUSTER_LOG_FILE                        "/var/log/snort/cluster_alert"
00034 
00035 extern DynamicPreprocessorData _dpd;
00036 typedef unsigned char   uint8_t;
00037 typedef unsigned short  uint16_t;
00038 typedef unsigned int    uint32_t;
00039 
00040 typedef enum { false, true } BOOL;
00041 
00042 typedef enum {
00043         none, src_addr, dst_addr, src_port, dst_port, CLUSTER_TYPES
00044 } cluster_type;
00045 
00046 /* Each stream in the hash table is identified by the couple (src_ip, dst_port) */
00047 struct pkt_key
00048 {
00049         uint32_t src_ip;
00050         uint16_t dst_port;
00051 };
00052 
00053 /* Identifier of a packet in a stream */
00054 struct pkt_info
00055 {
00056         struct pkt_key    key;             /* Key of the packet (src_ip, dst_port) */
00057         time_t            timestamp;        /* Timestamp */
00058         SFSnortPacket*    pkt;             /* Reference to SFSnortPacket containing packet's information */
00059         struct pkt_info*  next;                    /* Pointer to the next packet in the stream */
00060         BOOL              observed;         /* Flag set if the packet is observed, i.e. associated to a security alert */
00061         UT_hash_handle    hh;                 /* Make the struct 'hashable' */
00062 };
00063 
00064 /* Data type containing the configuration of the module */
00065 typedef struct
00066 {
00067         unsigned long hashCleanupInterval;
00068         unsigned long streamExpireInterval;
00069         unsigned long alertClusteringInterval;
00070         char          alertfile[1024];
00071         char          clusterfile[1024];
00072 } AI_config;
00073 
00074 /* Data type for hierarchies used for clustering */
00075 typedef struct _hierarchy_node
00076 {
00077         cluster_type            type;
00078         char                    label[256];
00079         int                     min_val;
00080         int                     max_val;
00081         int                     nchildren;
00082         struct _hierarchy_node  *parent;
00083         struct _hierarchy_node  **children;
00084 } hierarchy_node;
00085 
00086 /* Data type for Snort alerts */
00087 typedef struct _AI_snort_alert  {
00088         /* Identifiers of the alert */
00089         unsigned int    gid;
00090         unsigned int    sid;
00091         unsigned int    rev;
00092 
00093         /* Snort priority, description,
00094          * classification and timestamp
00095          * of the alert */
00096         unsigned short  priority;
00097         char            *desc;
00098         char            *classification;
00099         time_t          timestamp;
00100 
00101         /* IP header information */
00102         uint8_t         tos;
00103         uint16_t        iplen;
00104         uint16_t        id;
00105         uint8_t         ttl;
00106         uint8_t         ipproto;
00107         uint32_t        src_addr;
00108         uint32_t        dst_addr;
00109 
00110         /* TCP header information */
00111         uint16_t        src_port;
00112         uint16_t        dst_port;
00113         uint32_t        sequence;
00114         uint32_t        ack;
00115         uint8_t         tcp_flags;
00116         uint16_t        window;
00117         uint16_t        tcplen;
00118 
00119         /* Reference to the TCP stream
00120          * associated to the alert, if any */
00121         struct pkt_info *stream;
00122 
00123         /* Pointer to the next alert in
00124          * the log, if any*/
00125         struct _AI_snort_alert *next;
00126 
00127         /* Hierarchies for addresses and ports,
00128          * if the clustering algorithm is used */
00129         hierarchy_node  *h_node[CLUSTER_TYPES];
00130 
00131         /* If the clustering algorithm is used,
00132          * we also count how many alerts this
00133          * single alert groups */
00134         unsigned int    grouped_alarms_count;
00135 } AI_snort_alert;
00136 
00137 int                preg_match ( const char*, char*, char***, int* );
00138 
00139 void*              AI_hashcleanup_thread ( void* );
00140 void*              AI_alertparser_thread ( void* );
00141 
00142 void               AI_pkt_enqueue ( SFSnortPacket* );
00143 void               AI_set_stream_observed ( struct pkt_key key );
00144 void               AI_hierarchies_build ( AI_config*, hierarchy_node**, int );
00145 
00146 struct pkt_info*   AI_get_stream_by_key ( struct pkt_key );
00147 AI_snort_alert*    AI_get_alerts ( void );
00148 void               AI_free_alerts ( AI_snort_alert *node );
00149 
00150 #endif  /* _SPP_AI_H */
00151