yafhooks.h

00001 /*
00002  ** yafhooks.h
00003  ** YAF Active Flow Table Plugin Interface
00004  **
00005  ** ------------------------------------------------------------------------
00006  ** Copyright (C) 2007-2011 Carnegie Mellon University. All Rights Reserved.
00007  ** ------------------------------------------------------------------------
00008  ** Authors: Brian Trammell
00009  ** ------------------------------------------------------------------------
00010  ** @OPENSOURCE_HEADER_START@
00011  ** Use of the YAF system and related source code is subject to the terms 
00012  ** of the following licenses:
00013  ** 
00014  ** GNU Public License (GPL) Rights pursuant to Version 2, June 1991
00015  ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013
00016  ** 
00017  ** NO WARRANTY
00018  ** 
00019  ** ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER 
00020  ** PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY 
00021  ** PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN 
00022  ** "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY 
00023  ** KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT 
00024  ** LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, 
00025  ** MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE 
00026  ** OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT, 
00027  ** SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY 
00028  ** TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF 
00029  ** WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES. 
00030  ** LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF 
00031  ** CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON 
00032  ** CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE 
00033  ** DELIVERABLES UNDER THIS LICENSE.
00034  ** 
00035  ** Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie 
00036  ** Mellon University, its trustees, officers, employees, and agents from 
00037  ** all claims or demands made against them (and any related losses, 
00038  ** expenses, or attorney's fees) arising out of, or relating to Licensee's 
00039  ** and/or its sub licensees' negligent use or willful misuse of or 
00040  ** negligent conduct or willful misconduct regarding the Software, 
00041  ** facilities, or other rights or assistance granted by Carnegie Mellon 
00042  ** University under this License, including, but not limited to, any 
00043  ** claims of product liability, personal injury, death, damage to 
00044  ** property, or violation of any laws or regulations.
00045  ** 
00046  ** Carnegie Mellon University Software Engineering Institute authored 
00047  ** documents are sponsored by the U.S. Department of Defense under 
00048  ** Contract F19628-00-C-0003. Carnegie Mellon University retains 
00049  ** copyrights in all material produced under this contract. The U.S. 
00050  ** Government retains a non-exclusive, royalty-free license to publish or 
00051  ** reproduce these documents, or allow others to do so, for U.S. 
00052  ** Government purposes only pursuant to the copyright license under the 
00053  ** contract clause at 252.227.7013.
00054  ** 
00055  ** @OPENSOURCE_HEADER_END@
00056  ** ------------------------------------------------------------------------
00057  */
00058 
00065 /*
00066 
00067 Design notes:
00068 
00069 1. For now, it is okay for the yfhook facility to only support a single hook.
00070 
00071 5. Each hook needs to know when a flow is flushed, so that it can make the
00072 per-flow export fields available.
00073 
00074 6. Each hook needs to be able to hand YAF an export template for its fields.
00075 These fields will appear in every exported record; a facility for NULLs MUST
00076 be provided by the hook's representation.
00077 
00078 */
00079 
00080 #ifndef _YAF_HOOKS_H_
00081 #define _YAF_HOOKS_H_
00082 
00083 #include <yaf/autoinc.h>
00084 #include <yaf/decode.h>
00085 #include <yaf/yafcore.h>
00086 #include <yaf/yaftab.h>
00087 #if YAF_ENABLE_APPLABEL
00088 #include <pcre.h>
00089 #endif
00090 
00091 
/**
 * Version number of the hook (plugin) interface declared in this header.
 *
 * NOTE(review): presumably compared against yfHookMetaData.version when a
 * hook is loaded, so that a plugin built against an older layout of the
 * interface is rejected rather than called with mismatched arguments —
 * confirm against the loader.  Bump this whenever a prototype below or the
 * yfHookMetaData layout changes.
 */
#define YAF_HOOK_INTERFACE_VERSION 2
00093 
/**
 * Metadata a hook hands to YAF describing itself.
 *
 * Only the field types are visible here; the meaning of each value is
 * inferred from its name and should be confirmed against the code that
 * consumes the struct.
 */
struct yfHookMetaData {
    /* Interface version the hook was built against; presumably checked
     * against YAF_HOOK_INTERFACE_VERSION at load time — TODO confirm. */
    uint8_t version;
    /* Size of the per-flow export data the hook contributes.  NOTE(review):
     * this value originates from the plugin; whatever allocates or sizes
     * export records from it should treat it as untrusted and bound it
     * (e.g. against the rec_sz passed to yfWriteFlowHook) — confirm. */
    uint32_t exportDataSize;
    /* Nonzero presumably means the hook needs application labeling to be
     * enabled (see YAF_ENABLE_APPLABEL and the applabelmode argument of
     * yfHookValidateFlowTab) — confirm. */
    uint8_t requireAppLabel;
};
00103 
00104 
/**
 * Hook entry point invoked with a captured packet before it is attributed
 * to a flow.
 *
 * @param key     flow key the packet was decoded to
 * @param pkt     read-only packet bytes
 * @param caplen  number of bytes of pkt that were captured; assumed to bound
 *                every read of pkt by the hook — TODO confirm
 * @param iplen   IP length field of the packet (16-bit)
 * @param tcpinfo decoded TCP information
 * @param l2info  decoded layer-2 information
 * @return        gboolean; the meaning of TRUE/FALSE is not visible in this
 *                header — presumably whether the packet was accepted for
 *                further processing; confirm against the caller
 *
 * NOTE(review): pkt and caplen come straight from the capture path, i.e.
 * from untrusted network data, so a hook implementation must not trust
 * iplen (taken from the packet) over caplen when indexing pkt.
 */
gboolean            yfHookPacket (
    yfFlowKey_t * key,
    const uint8_t * pkt,
    size_t caplen,
    uint16_t iplen,
    yfTCPInfo_t * tcpinfo,
    yfL2Info_t * l2info);
00116 
/**
 * Hook entry point invoked with a packet that has been attributed to an
 * existing flow.
 *
 * @param flow    the flow the packet belongs to
 * @param val     per-direction value record of that flow (yfFlowVal_t);
 *                which direction is not visible here — confirm with caller
 * @param pkt     read-only packet bytes
 * @param caplen  number of captured bytes in pkt; assumed to bound all reads
 *                of pkt — TODO confirm
 * @param iplen   IP length field of the packet
 * @param tcpinfo decoded TCP information
 * @param l2info  decoded layer-2 information
 *
 * Same caveat as yfHookPacket: iplen is packet-supplied and must not be
 * used in place of caplen to bound accesses to pkt.
 */
void                yfHookFlowPacket (
    yfFlow_t * flow,
    yfFlowVal_t * val,
    const uint8_t *pkt,
    size_t caplen,
    uint16_t iplen,
    yfTCPInfo_t * tcpinfo,
    yfL2Info_t * l2info);
/**
 * Gives the hook the flow-table configuration so it can check that the
 * settings it depends on are enabled (inferred from the name; the function
 * returns nothing, so how a mismatch is reported is not visible here —
 * confirm whether it aborts, logs, or disables the hook).
 *
 * @param max_payload      maximum payload bytes captured per flow
 * @param uniflow          uniflow export mode flag
 * @param silkmode         SiLK-compatible export mode flag
 * @param applabelmode     application labeling enabled (relevant to
 *                         yfHookMetaData.requireAppLabel)
 * @param entropymode      payload entropy calculation enabled
 * @param fingerprintmode  fingerprinting enabled
 * @param fpExportMode     fingerprint export enabled
 * @param udp_max_payload  NOTE(review): declared gboolean although the name
 *                         reads like a size (cf. max_payload above) —
 *                         presumably a flag meaning "apply max_payload to
 *                         UDP as well"; confirm with the caller
 * @param udp_uniflow_port UDP port used for uniflow handling
 */
void                yfHookValidateFlowTab (
    uint32_t        max_payload,
    gboolean        uniflow,
    gboolean        silkmode,
    gboolean        applabelmode,
    gboolean        entropymode,
    gboolean        fingerprintmode,
    gboolean        fpExportMode,
    gboolean        udp_max_payload,
    uint16_t        udp_uniflow_port);
00153 
/**
 * Notifies the hook that a flow is being closed (flushed); see design
 * note 5 above — this is the point at which the hook makes its per-flow
 * export fields available.
 *
 * @param flow the flow being closed
 * @return     gboolean whose meaning is not visible in this header —
 *             presumably whether the flow should be exported; confirm
 */
gboolean            yfHookFlowClose (
    yfFlow_t * flow);
00162 
/**
 * Notifies the hook that a new flow record has been allocated, giving it
 * the chance to attach its own per-flow state (inferred from the name).
 *
 * @param flow the newly allocated flow
 *
 * Ownership of anything the hook attaches to flow is presumably released
 * in yfHookFlowFree — confirm; every yfHookFlowAlloc should be paired with
 * exactly one yfHookFlowFree to avoid leaks or double frees.
 */
void                yfHookFlowAlloc (
    yfFlow_t * flow);
00175 
/**
 * Notifies the hook that a flow record is about to be freed, so it can
 * release any per-flow state it attached in yfHookFlowAlloc (inferred
 * from the name — confirm).
 *
 * @param flow the flow being freed; must not be used by the hook after
 *             this call returns
 */
void                yfHookFlowFree (
    yfFlow_t * flow);
00185 
/**
 * Returns the information elements (fixbuf fbInfoElement_t array) that the
 * hook adds to YAF's information model.
 *
 * @return pointer to the hook's element array; whether the array is
 *         NULL-terminated, static, or caller-owned is not visible here —
 *         confirm against the consumer before freeing or iterating it
 */
fbInfoElement_t    *yfHookGetInfoModel (
    void);
00194 
/**
 * Returns the export template specification for the hook's fields.  Per
 * design note 6 above, these fields appear in every exported record, so the
 * hook's representation must be able to express "no value" (NULL) for flows
 * it did not populate.
 *
 * @return pointer to the hook's fbInfoElementSpec_t template; ownership and
 *         termination convention are not visible here — confirm
 */
fbInfoElementSpec_t *yfHookGetTemplate (
    void);
00206 
/**
 * Asks the hook to write its per-flow export fields into an export record.
 *
 * @param rec    destination record buffer
 * @param rec_sz size of rec in bytes; the hook must not write past this
 *               bound (NOTE(review): confirm that implementations check
 *               rec_sz against yfHookMetaData.exportDataSize rather than
 *               assuming they agree)
 * @param flow   the flow being exported
 * @param err    GError out-parameter set on failure
 * @return       TRUE on success, FALSE with err set on failure (GLib
 *               convention inferred from the GError parameter — confirm)
 *
 * Style note: this is the only entry point here not prefixed yfHook; the
 * name is part of the plugin ABI, so it is left as is.
 */
gboolean            yfWriteFlowHook (
    void *rec,
    size_t rec_sz,
    yfFlow_t * flow,
    GError ** err);
00221 
/**
 * Registers a hook by name with the given options.
 *
 * @param hookName identifier of the hook to add; if this is resolved to a
 *                 loadable module on disk, the caller that supplies it
 *                 (configuration or command line) is the trust boundary —
 *                 confirm how the name is resolved
 * @param hookOpts option string passed through to the hook; format is
 *                 hook-specific and not visible here
 * @param err      GError out-parameter set on failure
 * @return         TRUE on success, FALSE with err set otherwise (inferred
 *                 from the GError convention — confirm)
 *
 * Design note 1 above states the facility currently supports a single
 * hook; what happens on a second call is not specified in this header.
 */
gboolean            yfHookAddNewHook (
    const char *hookName,
    const char *hookOpts,
    GError ** err);
00239 
00240 
00241 #if YAF_ENABLE_APPLABEL
00242 
/**
 * Runs a compiled PCRE expression over captured payload on behalf of the
 * application-labeling code and records a match against the flow (purpose
 * inferred from the name and parameters; only compiled when
 * YAF_ENABLE_APPLABEL is set).
 *
 * @param flow       flow the payload belongs to
 * @param pkt        read-only payload bytes
 * @param caplen     number of captured bytes in pkt
 * @param expression compiled PCRE pattern to apply
 * @param offset     starting offset into pkt; NOTE(review): uint16_t while
 *                   caplen is size_t — the implementation must reject
 *                   offset >= caplen before scanning, confirm it does
 * @param elementID  information element ID to associate with a match
 * @param applabel   application label to associate with a match
 *
 * The pattern runs against untrusted network payload; patterns handed to
 * this function should be reviewed for pathological backtracking and the
 * scan should be bounded by caplen.
 */
void yfHookScanPayload (
    yfFlow_t *flow,
    const uint8_t *pkt,
    size_t caplen,
    pcre *expression,
    uint16_t offset,
    uint16_t elementID,
    uint16_t applabel);
00254 
00255 #endif
00256 
00257 
00258 #endif