spp_ai.h
Go to the documentation of this file.
00001 /* 00002 * ===================================================================================== 00003 * 00004 * Filename: spp_ai.h 00005 * 00006 * Description: Header file for the preprocessor 00007 * 00008 * Version: 1.0 00009 * Created: 30/07/2010 15:47:12 00010 * Revision: none 00011 * Compiler: gcc 00012 * 00013 * Author: BlackLight (http://0x00.ath.cx), <blacklight@autistici.org> 00014 * Licence: GNU GPL v.3 00015 * Company: DO WHAT YOU WANT CAUSE A PIRATE IS FREE, YOU ARE A PIRATE! 00016 * 00017 * ===================================================================================== 00018 */ 00019 00020 #ifndef _SPP_AI_H 00021 #define _SPP_AI_H 00022 00023 #ifdef HAVE_CONFIG_H 00024 #include "config.h" 00025 #endif 00026 00027 #include "sf_snort_packet.h" 00028 #include "sf_dynamic_preprocessor.h" 00029 #include "uthash.h" 00030 00031 #define PRIVATE static 00032 00034 #define DEFAULT_HASH_CLEANUP_INTERVAL 300 00035 00037 #define DEFAULT_STREAM_EXPIRE_INTERVAL 300 00038 00040 #define DEFAULT_DATABASE_INTERVAL 30 00041 00043 #define DEFAULT_ALERT_CLUSTERING_INTERVAL 3600 00044 00046 #define DEFAULT_ALERT_CORRELATION_INTERVAL 300 00047 00049 #define DEFAULT_ALERT_LOG_FILE "/var/log/snort/alert" 00050 00052 #define DEFAULT_CLUSTER_LOG_FILE "/var/log/snort/cluster_alert" 00053 00055 #define DEFAULT_CORR_RULES_DIR "/etc/snort/corr_rules" 00056 00057 extern DynamicPreprocessorData _dpd; 00058 typedef unsigned char uint8_t; 00059 typedef unsigned short uint16_t; 00060 typedef unsigned int uint32_t; 00061 00062 typedef enum { false, true } BOOL; 00063 00065 typedef enum { 00066 none, src_addr, dst_addr, src_port, dst_port, CLUSTER_TYPES 00067 } cluster_type; 00068 00070 struct pkt_key 00071 { 00072 uint32_t src_ip; 00073 uint16_t dst_port; 00074 }; 00075 00077 struct pkt_info 00078 { 00080 struct pkt_key key; 00081 00083 time_t timestamp; 00084 00086 SFSnortPacket* pkt; 00087 00089 struct pkt_info* next; 00090 00092 BOOL observed; 00093 00095 UT_hash_handle hh; 00096 }; 00097 00098 /* Data type containing the configuration of the module */ 00099 typedef struct 00100 { 00102 unsigned long hashCleanupInterval; 00103 00105 unsigned long streamExpireInterval; 00106 00108 unsigned long alertClusteringInterval; 00109 00111 unsigned long databaseParsingInterval; 00112 00114 unsigned long correlationGraphInterval; 00115 00117 char alertfile[1024]; 00118 00120 char clusterfile[1024]; 00121 00123 char corr_rules_dir[1024]; 00124 00126 char dbname[256]; 00127 00129 char dbuser[256]; 00130 00132 char dbpass[256]; 00133 00135 char dbhost[256]; 00136 } AI_config; 00137 00138 /* Data type for hierarchies used for clustering */ 00139 typedef struct _hierarchy_node 00140 { 00141 cluster_type type; 00142 char label[256]; 00143 int min_val; 00144 int max_val; 00145 int nchildren; 00146 struct _hierarchy_node *parent; 00147 struct _hierarchy_node **children; 00148 } hierarchy_node; 00149 00151 typedef struct _AI_snort_alert { 00152 /* Identifiers of the alert */ 00153 unsigned int gid; 00154 unsigned int sid; 00155 unsigned int rev; 00156 00157 /* Snort priority, description, 00158 * classification and timestamp 00159 * of the alert */ 00160 unsigned short priority; 00161 char *desc; 00162 char *classification; 00163 time_t timestamp; 00164 00165 /* IP header information */ 00166 uint8_t ip_tos; 00167 uint16_t ip_len; 00168 uint16_t ip_id; 00169 uint8_t ip_ttl; 00170 uint8_t ip_proto; 00171 uint32_t ip_src_addr; 00172 uint32_t ip_dst_addr; 00173 00174 /* TCP header information */ 00175 uint16_t tcp_src_port; 00176 uint16_t tcp_dst_port; 00177 uint32_t tcp_seq; 00178 uint32_t tcp_ack; 00179 uint8_t tcp_flags; 00180 uint16_t tcp_window; 00181 uint16_t tcp_len; 00182 00183 /* Reference to the TCP stream 00184 * associated to the alert, if any */ 00185 struct pkt_info *stream; 00186 00187 /* Pointer to the next alert in 00188 * the log, if any*/ 00189 struct _AI_snort_alert *next; 00190 00191 /* Hierarchies for addresses and ports, 00192 * if the clustering algorithm is used */ 00193 hierarchy_node *h_node[CLUSTER_TYPES]; 00194 00195 /* If the clustering algorithm is used, 00196 * we also count how many alerts this 00197 * single alert groups */ 00198 unsigned int grouped_alarms_count; 00199 } AI_snort_alert; 00200 00201 int preg_match ( const char*, char*, char***, int* ); 00202 00203 void* AI_hashcleanup_thread ( void* ); 00204 void* AI_file_alertparser_thread ( void* ); 00205 void* AI_alert_correlation_thread ( void* ); 00206 00207 #ifdef ENABLE_DB 00208 AI_snort_alert* AI_db_get_alerts ( void ); 00209 void AI_db_free_alerts ( AI_snort_alert *node ); 00210 void* AI_db_alertparser_thread ( void* ); 00211 #endif 00212 00213 void AI_pkt_enqueue ( SFSnortPacket* ); 00214 void AI_set_stream_observed ( struct pkt_key key ); 00215 void AI_hierarchies_build ( AI_config*, hierarchy_node**, int ); 00216 void AI_free_alerts ( AI_snort_alert *node ); 00217 00218 struct pkt_info* AI_get_stream_by_key ( struct pkt_key ); 00219 AI_snort_alert* AI_get_alerts ( void ); 00220 AI_snort_alert* AI_get_clustered_alerts ( void ); 00221 00223 AI_snort_alert* (*get_alerts)(void); 00224 00225 #endif /* _SPP_AI_H */ 00226
