Snort AI preprocessor module: spp

Go to the documentation of this file.
00001 /*
00002  * =====================================================================================
00003  *
00004  *       Filename:  spp_ai.h
00005  *
00006  *    Description:  Header file for the preprocessor
00007  *
00008  *        Version:  1.0
00009  *        Created:  30/07/2010 15:47:12
00010  *       Revision:  none
00011  *       Compiler:  gcc
00012  *
00013  *         Author:  BlackLight (http://0x00.ath.cx), <blacklight@autistici.org>
00014  *        Licence:  GNU GPL v.3
00015  *        Company:  DO WHAT YOU WANT CAUSE A PIRATE IS FREE, YOU ARE A PIRATE!
00016  *
00017  * =====================================================================================
00018  */
00019 
00020 #ifndef _SPP_AI_H
00021 #define _SPP_AI_H
00022 
00023 #ifdef  HAVE_CONFIG_H
00024 #include        "config.h"
00025 #endif
00026 
00027 #include        "sf_snort_packet.h"
00028 #include        "sf_dynamic_preprocessor.h"
00029 #include        "uthash.h"
00030 
00031 #define         PRIVATE                 static
00032 
00034 #define         DEFAULT_HASH_CLEANUP_INTERVAL           300
00035 
00037 #define         DEFAULT_STREAM_EXPIRE_INTERVAL          300
00038 
00040 #define         DEFAULT_DATABASE_INTERVAL                       30
00041 
00043 #define         DEFAULT_ALERT_CLUSTERING_INTERVAL               3600
00044 
00046 #define         DEFAULT_ALERT_CORRELATION_INTERVAL      300
00047 
00049 #define         DEFAULT_ALERT_LOG_FILE                          "/var/log/snort/alert"
00050 
00052 #define         DEFAULT_CLUSTER_LOG_FILE                        "/var/log/snort/cluster_alert"
00053 
00055 #define         DEFAULT_CORR_RULES_DIR                          "/etc/snort/corr_rules"
00056 
00058 #define         DEFAULT_CORR_ALERTS_DIR                                 "/var/log/snort/correlated_alerts"
00059 
00061 #define         DEFAULT_CORR_THRESHOLD                          0.5
00062 
00063 extern DynamicPreprocessorData _dpd;
00064 typedef unsigned char   uint8_t;
00065 typedef unsigned short  uint16_t;
00066 typedef unsigned int    uint32_t;
00067 
00068 typedef enum { false, true } BOOL;
00069 
00070 /*****************************************************************/
00072 typedef enum {
00073         none, src_addr, dst_addr, src_port, dst_port, CLUSTER_TYPES
00074 } cluster_type;
00075 /*****************************************************************/
00077 struct pkt_key
00078 {
00079         uint32_t src_ip;
00080         uint16_t dst_port;
00081 };
00082 /*****************************************************************/
00084 struct pkt_info
00085 {
00087         struct pkt_key    key;
00088 
00090         time_t            timestamp;
00091 
00093         SFSnortPacket*    pkt;
00094 
00096         struct pkt_info*  next;
00097 
00099         BOOL              observed;
00100 
00102         UT_hash_handle    hh;
00103 };
00104 /*****************************************************************/
00105 /* Data type containing the configuration of the module */
00106 typedef struct
00107 {
00109         unsigned long hashCleanupInterval;
00110 
00112         unsigned long streamExpireInterval;
00113 
00115         unsigned long alertClusteringInterval;
00116 
00118         unsigned long databaseParsingInterval;
00119 
00121         unsigned long correlationGraphInterval;
00122 
00131         double        correlationThresholdCoefficient;
00132 
00134         char          alertfile[1024];
00135 
00137         char          clusterfile[1024];
00138 
00140         char          corr_rules_dir[1024];
00141 
00143         char          corr_alerts_dir[1024];
00144 
00146         char          dbname[256];
00147 
00149         char          dbuser[256];
00150 
00152         char          dbpass[256];
00153 
00155         char          dbhost[256];
00156 } AI_config;
00157 /*****************************************************************/
00159 typedef struct _hierarchy_node
00160 {
00161         cluster_type            type;
00162         char                    label[256];
00163         int                     min_val;
00164         int                     max_val;
00165         int                     nchildren;
00166         struct _hierarchy_node  *parent;
00167         struct _hierarchy_node  **children;
00168 } hierarchy_node;
00169 /*****************************************************************/
00171 typedef struct
00172 {
00173         unsigned int gid;
00174         unsigned int sid;
00175         unsigned int rev;
00176 } AI_hyperalert_key;
00177 /*****************************************************************/
00179 typedef struct
00180 {
00182         AI_hyperalert_key  key;
00183 
00185         char               **preconds;
00186 
00188         unsigned int       n_preconds;
00189 
00191         char               **postconds;
00192 
00194         unsigned int       n_postconds;
00195 
00197         UT_hash_handle     hh;
00198 } AI_hyperalert_info;
00199 /*****************************************************************/
00201 typedef struct _AI_snort_alert  {
00202         /* Identifiers of the alert */
00203         unsigned int    gid;
00204         unsigned int    sid;
00205         unsigned int    rev;
00206 
00207         /* Snort priority, description,
00208          * classification and timestamp
00209          * of the alert */
00210         unsigned short  priority;
00211         char            *desc;
00212         char            *classification;
00213         time_t          timestamp;
00214 
00215         /* IP header information */
00216         uint8_t         ip_tos;
00217         uint16_t        ip_len;
00218         uint16_t        ip_id;
00219         uint8_t         ip_ttl;
00220         uint8_t         ip_proto;
00221         uint32_t        ip_src_addr;
00222         uint32_t        ip_dst_addr;
00223 
00224         /* TCP header information */
00225         uint16_t        tcp_src_port;
00226         uint16_t        tcp_dst_port;
00227         uint32_t        tcp_seq;
00228         uint32_t        tcp_ack;
00229         uint8_t         tcp_flags;
00230         uint16_t        tcp_window;
00231         uint16_t        tcp_len;
00232 
00235         struct pkt_info *stream;
00236 
00239         struct _AI_snort_alert *next;
00240 
00243         hierarchy_node  *h_node[CLUSTER_TYPES];
00244 
00248         unsigned int    grouped_alarms_count;
00249 
00252         AI_hyperalert_info  *hyperalert;
00253 
00254         /* 'Parent' correlated alert in the chain,
00255          * if any*/
00256         struct _AI_snort_alert  *previous_correlated;
00257 
00260         struct _AI_snort_alert  **derived_alerts;
00261 
00263         unsigned int        n_derived_alerts;
00264 } AI_snort_alert;
00265 /*****************************************************************/
00266 
00267 int                preg_match ( const char*, char*, char***, int* );
00268 char*              str_replace ( char *str, char *orig, char *rep );
00269 char*              str_replace_all ( char *str, char *orig, char *rep );
00270 
00271 void*              AI_hashcleanup_thread ( void* );
00272 void*              AI_file_alertparser_thread ( void* );
00273 void*              AI_alert_correlation_thread ( void* );
00274 
00275 #ifdef  HAVE_LIBMYSQLCLIENT
00276 AI_snort_alert*    AI_db_get_alerts ( void );
00277 void               AI_db_free_alerts ( AI_snort_alert *node );
00278 void*              AI_db_alertparser_thread ( void* );
00279 #endif
00280 
00281 void               AI_pkt_enqueue ( SFSnortPacket* );
00282 void               AI_set_stream_observed ( struct pkt_key key );
00283 void               AI_hierarchies_build ( AI_config*, hierarchy_node**, int );
00284 void               AI_free_alerts ( AI_snort_alert *node );
00285 
00286 struct pkt_info*   AI_get_stream_by_key ( struct pkt_key );
00287 AI_snort_alert*    AI_get_alerts ( void );
00288 AI_snort_alert*    AI_get_clustered_alerts ( void );
00289 
00291 AI_snort_alert* (*get_alerts)(void);
00292 
00293 #endif  /* _SPP_AI_H */
00294