Software Engineering Institute | Carnegie Mellon©
CERT NetSA Security Suite
Monitoring for Large-Scale Networks

YAF

Documentation

YAF

  • Documentation
  • Downloads
  • Main Page
  • Data Structures
  • Files
  • File List
  • Globals

yafcore.h

Go to the documentation of this file.
00001 /*
00002  *
00003  ** @file yafcore.h
00004  ** YAF core I/O routines
00005  **
00006  ** ------------------------------------------------------------------------
00007  ** Copyright (C) 2006-2012 Carnegie Mellon University. All Rights Reserved.
00008  ** ------------------------------------------------------------------------
00009  ** Authors: Brian Trammell
00010  ** ------------------------------------------------------------------------
00011  ** Use of the YAF system and related source code is subject to the terms
00012  ** of the following licenses:
00013  **
00014  ** GNU Public License (GPL) Rights pursuant to Version 2, June 1991
00015  ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013
00016  **
00017  ** NO WARRANTY
00018  **
00019  ** ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER
00020  ** PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY
00021  ** PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN
00022  ** "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY
00023  ** KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT
00024  ** LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE,
00025  ** MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE
00026  ** OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT,
00027  ** SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY
00028  ** TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF
00029  ** WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.
00030  ** LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF
00031  ** CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON
00032  ** CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE
00033  ** DELIVERABLES UNDER THIS LICENSE.
00034  **
00035  ** Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie
00036  ** Mellon University, its trustees, officers, employees, and agents from
00037  ** all claims or demands made against them (and any related losses,
00038  ** expenses, or attorney's fees) arising out of, or relating to Licensee's
00039  ** and/or its sub licensees' negligent use or willful misuse of or
00040  ** negligent conduct or willful misconduct regarding the Software,
00041  ** facilities, or other rights or assistance granted by Carnegie Mellon
00042  ** University under this License, including, but not limited to, any
00043  ** claims of product liability, personal injury, death, damage to
00044  ** property, or violation of any laws or regulations.
00045  **
00046  ** Carnegie Mellon University Software Engineering Institute authored
00047  ** documents are sponsored by the U.S. Department of Defense under
00048  ** Contract FA8721-05-C-0003. Carnegie Mellon University retains
00049  ** copyrights in all material produced under this contract. The U.S.
00050  ** Government retains a non-exclusive, royalty-free license to publish or
00051  ** reproduce these documents, or allow others to do so, for U.S.
00052  ** Government purposes only pursuant to the copyright license under the
00053  ** contract clause at 252.227.7013.
00054  **
00055  ** ------------------------------------------------------------------------
00056  */
00057 
00103 #ifndef _YAF_CORE_H_
00104 #define _YAF_CORE_H_
00105 
00106 #include <yaf/autoinc.h>
00107 #include <fixbuf/public.h>
00108 
00109 
00115 #define CERT_PEN    6871
00116 
00122 #define YAF_ERROR_DOMAIN        (g_quark_from_string("certYAFError"))
00123 
00124 #define YAF_ERROR_HEADER        1
00125 
00126 #define YAF_ERROR_ARGUMENT      2
00127 
00128 #define YAF_ERROR_IO            3
00129 
00130 #define YAF_ERROR_IPFIX         4
00131 
00132 #define YAF_ERROR_IMPL          5
00133 
00134 #define YAF_ERROR_INTERNAL      6
00135 
00136 #define YAF_ERROR_LIMIT         7
00137 
00138 #define YAF_ERROR_EOF           8
00139 
00140 #define YAF_ERROR_ALIGNMENT         9
00141 
00142 #define YAF_ERROR_PACKET_PAYLOAD    10
00143 
00144 
00145 
00150 #define YAF_FLOW_ACTIVE         0
00151 
00152 #define YAF_END_IDLE            1
00153 
00154 #define YAF_END_ACTIVE          2
00155 
00156 #define YAF_END_CLOSED          3
00157 
00158 #define YAF_END_FORCED          4
00159 
00160 #define YAF_END_RESOURCE        5
00161 
00162 #define YAF_END_UDPFORCE        0x1F
00163 
00164 #define YAF_SAME_SIZE           0x01
00165 
00166 #define YAF_OUT_OF_SEQUENCE     0x02
00167 
00168 #define YAF_END_MASK            0x7F
00169 
00171 #define YAF_ENDF_ISCONT         0x80
00172 
00174 #define YAF_IP_ICMP             1
00175 
00176 #define YAF_IP_TCP              6
00177 
00178 #define YAF_IP_UDP              17
00179 
00183 #define YFP_IPTCPHEADER_SIZE    128
00184 
00185 #define ETHERNET_MAC_ADDR_LENGTH 6
00186 
00187 #define YAF_MAX_HOOKS            4
00188 
00191 #define YAF_HOOKS_MAX_EXPORT    256
00192 
00193 #define YAF_MAX_PKT_BOUNDARY    25
00194 
00195 #define YAF_PCAP_MAX            5000000
00196 
00200 typedef struct yfFlowKey_st {
00202     uint16_t            sp;
00204     uint16_t            dp;
00206     uint8_t             proto;
00208     uint8_t             version;
00210     uint16_t            vlanId;
00214     #if YAF_ENABLE_DAG_SEPARATE_INTERFACES || YAF_ENABLE_NAPATECH_SEPARATE_INTERFACES
00215     uint8_t             netIf;
00216     #endif
00217 
00218     union {
00219         struct {
00221             uint32_t    sip;
00223             uint32_t    dip;
00224         }               v4;
00225         struct {
00227             uint8_t     sip[16];
00229             uint8_t     dip[16];
00230         }               v6;
00231     }                   addr;
00232 } yfFlowKey_t;
00233 
00234 
00239 typedef struct yfFlowVal_st {
00241     uint64_t    oct;
00243     uint64_t    pkt;
00244 #   if YAF_ENABLE_PAYLOAD
00245 
00246     uint32_t    paylen;
00248     uint8_t     *payload;
00250     size_t      *paybounds;
00251 #   endif
00252 
00253     uint32_t    isn;
00255     uint16_t    first_pkt_size;
00257     uint16_t    attributes;
00259     uint8_t     iflags;
00261     uint8_t     uflags;
00262 #   if YAF_ENABLE_ENTROPY
00263 
00264     uint8_t     entropy;
00266     uint8_t     entpad[7];
00267 #   endif
00268 #   if YAF_ENABLE_P0F
00269 
00270     const char  *osname;
00272     const char  *osver;
00274     uint8_t     fuzzyMatch;
00276     uint8_t     fuzzyPad[7];
00278     char        *osFingerPrint;
00279 #   endif
00280 #   if YAF_ENABLE_FPEXPORT
00281 
00282     uint32_t    firstPacketLen;
00284     uint32_t    secondPacketLen;
00286     uint8_t     *firstPacket;
00288     uint8_t     *secondPacket;
00289 
00290 #   endif
00291 
00292 } yfFlowVal_t;
00293 
00294 
00301 typedef struct yfFlow_st {
00303     uint64_t        stime;
00305     uint64_t        etime;
00306 #ifdef YAF_ENABLE_HOOKS
00307 
00311     void            *hfctx[YAF_MAX_HOOKS];
00312 #endif
00313 
00317     int32_t         rdtime;
00318 #if YAF_ENABLE_APPLABEL
00319 
00320     uint16_t        appLabel;
00321 #endif
00322 
00323     uint8_t         reason;
00325     uint8_t         pcap_serial;
00327     uint8_t         sourceMacAddr[ETHERNET_MAC_ADDR_LENGTH];
00329     uint8_t         destinationMacAddr[ETHERNET_MAC_ADDR_LENGTH];
00331     uint8_t         pcap_file_no;
00333     pcap_dumper_t   *pcap;
00335     yfFlowVal_t     val;
00337     yfFlowVal_t     rval;
00339     yfFlowKey_t     key;
00340 } yfFlow_t;
00341 
00350 void yfAlignmentCheck(void);
00351 
00352 
00361 void yfFlowPrepare(
00362     yfFlow_t          *flow);
00363 
00371 void yfFlowCleanup(
00372     yfFlow_t          *flow);
00373 
00385 fBuf_t *yfWriterForFile(
00386     const char              *path,
00387     uint32_t                domain,
00388     GError                  **err);
00389 
00403 fBuf_t *yfWriterForFP(
00404     FILE                    *fp,
00405     uint32_t                domain,
00406     GError                  **err);
00407 
00417 fBuf_t *yfWriterForSpec(
00418     fbConnSpec_t            *spec,
00419     uint32_t                domain,
00420     GError                  **err);
00421 
00422 
00423 #ifdef HAVE_SPREAD
00424 
00436 fBuf_t *yfWriterForSpread(
00437     fbSpreadParams_t       *params,
00438     uint32_t               domain,
00439     uint16_t               *spreadGroupIndex,
00440     GError                 **err);
00441 
00442 #endif /* HAVE_SPREAD */
00443 
00458 gboolean yfWriteStatsFlow(
00459     void *yfContext,
00460     uint32_t pcap_drop,
00461     GTimer *timer,
00462     GError **err);
00463 
00476 gboolean yfWriteFlow(
00477     void                *yfContext,
00478     yfFlow_t            *flow,
00479     GError              **err);
00480 
00493 gboolean yfWriterClose(
00494     fBuf_t          *fbuf,
00495     gboolean        flush,
00496     GError          **err);
00497 
00502 void yfWriterExportPayload(
00503         gboolean                        payload_mode);
00504 
00509 void yfWriterExportMappedV6(
00510         gboolean                        map_mode);
00511 
00524 fBuf_t *yfReaderForFP(
00525     fBuf_t          *fbuf,
00526     FILE            *fp,
00527     GError          **err);
00528 
00545 fbListener_t *yfListenerForSpec(
00546     fbConnSpec_t        *spec,
00547     fbListenerAppInit_fn    appinit,
00548     fbListenerAppFree_fn    appfree,
00549     GError              **err);
00550 
00566 gboolean yfReadFlow(
00567     fBuf_t          *fbuf,
00568     yfFlow_t        *flow,
00569     GError          **err);
00570 
00589 gboolean yfReadFlowExtended(
00590     fBuf_t                  *fbuf,
00591     yfFlow_t                *flow,
00592     GError                  **err);
00593 
00601 void yfPrintString(
00602     GString             *rstr,
00603     yfFlow_t            *flow);
00604 
00613 void yfPrintDelimitedString(
00614     GString                 *rstr,
00615     yfFlow_t                *flow,
00616     gboolean                yaft_mac);
00617 
00627 gboolean yfPrint(
00628     FILE                *out,
00629     yfFlow_t            *flow,
00630     GError              **err);
00631 
00642 gboolean yfPrintDelimited(
00643     FILE                *out,
00644     yfFlow_t            *flow,
00645     gboolean            yaft_mac,
00646     GError              **err);
00647 
00657 void yfPrintColumnHeaders(
00658         FILE           *out,
00659         gboolean       yaft_mac,
00660         GError         **err);
00661 
00662 #if YAF_ENABLE_HOOKS
00663 
00668 fbInfoModel_t *yfDPIInfoModel();
00669 #endif
00670 
00671 
00672 
00673 #endif
© 2006-2012 Carnegie Mellon University