yafcore.h

00001 /*
00002  *
00003  ** @file yafcore.h
00004  ** YAF core I/O routines
00005  **
00006  ** ------------------------------------------------------------------------
00007  ** Copyright (C) 2006-2013 Carnegie Mellon University. All Rights Reserved.
00008  ** ------------------------------------------------------------------------
00009  ** Authors: Brian Trammell
00010  ** ------------------------------------------------------------------------
00011  ** Use of the YAF system and related source code is subject to the terms
00012  ** of the following licenses:
00013  **
00014  ** GNU Public License (GPL) Rights pursuant to Version 2, June 1991
00015  ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013
00016  **
00017  ** NO WARRANTY
00018  **
00019  ** ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER
00020  ** PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY
00021  ** PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN
00022  ** "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY
00023  ** KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT
00024  ** LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE,
00025  ** MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE
00026  ** OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT,
00027  ** SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY
00028  ** TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF
00029  ** WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.
00030  ** LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF
00031  ** CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON
00032  ** CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE
00033  ** DELIVERABLES UNDER THIS LICENSE.
00034  **
00035  ** Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie
00036  ** Mellon University, its trustees, officers, employees, and agents from
00037  ** all claims or demands made against them (and any related losses,
00038  ** expenses, or attorney's fees) arising out of, or relating to Licensee's
00039  ** and/or its sub licensees' negligent use or willful misuse of or
00040  ** negligent conduct or willful misconduct regarding the Software,
00041  ** facilities, or other rights or assistance granted by Carnegie Mellon
00042  ** University under this License, including, but not limited to, any
00043  ** claims of product liability, personal injury, death, damage to
00044  ** property, or violation of any laws or regulations.
00045  **
00046  ** Carnegie Mellon University Software Engineering Institute authored
00047  ** documents are sponsored by the U.S. Department of Defense under
00048  ** Contract FA8721-05-C-0003. Carnegie Mellon University retains
00049  ** copyrights in all material produced under this contract. The U.S.
00050  ** Government retains a non-exclusive, royalty-free license to publish or
00051  ** reproduce these documents, or allow others to do so, for U.S.
00052  ** Government purposes only pursuant to the copyright license under the
00053  ** contract clause at 252.227.7013.
00054  **
00055  ** ------------------------------------------------------------------------
00056  */
00057 
#ifndef _YAF_CORE_H_
#define _YAF_CORE_H_
/* NOTE(review): a guard spelled with a leading underscore followed by an
 * uppercase letter lies in the identifier space reserved for the
 * implementation (C11 7.1.3). YAF_CORE_H would be a conforming name; changing
 * it also requires changing any code that tests this macro. */

#include <yaf/autoinc.h>      /* build configuration; presumably the source of the YAF_ENABLE_* feature macros tested below */
#include <fixbuf/public.h>    /* libfixbuf: fBuf_t, fbConnSpec_t, fbListener_t, fbInfoModel_t; brings in GLib (GError, GString, GTimer) through its own includes */
#include <stdlib.h>
#include <math.h>
/** IANA Private Enterprise Number for CERT (presumably the enterprise id of
 *  YAF's private IPFIX information elements -- confirm against the templates). */
#define CERT_PEN    6871

/** GError domain for every error the YAF core raises. GLib interns the quark
 *  on first use, so evaluating the macro repeatedly is cheap. */
#define YAF_ERROR_DOMAIN        (g_quark_from_string("certYAFError"))

/* GError::code values within YAF_ERROR_DOMAIN. The descriptions follow the
 * names; exactly where each code is raised is up to the implementation. */
#define YAF_ERROR_HEADER        1   /**< problem with a file or record header */

#define YAF_ERROR_ARGUMENT      2   /**< invalid argument */

#define YAF_ERROR_IO            3   /**< I/O failure */

#define YAF_ERROR_IPFIX         4   /**< IPFIX encode/decode failure */

#define YAF_ERROR_IMPL          5   /**< feature not implemented */

#define YAF_ERROR_INTERNAL      6   /**< internal inconsistency */

#define YAF_ERROR_LIMIT         7   /**< a limit was exceeded */

#define YAF_ERROR_EOF           8   /**< end of input; readers should distinguish this from real failures */

#define YAF_ERROR_ALIGNMENT         9   /**< structure layout check failed (presumably raised around yfAlignmentCheck -- confirm) */

#define YAF_ERROR_PACKET_PAYLOAD    10  /**< problem handling packet payload */
00143 
00144 
00145 
/* Flow end reasons, carried in yfFlow_t.reason. The values 1-5 coincide with
 * the IANA flowEndReason (IE 136) code points: idle timeout, active timeout,
 * end of flow detected, forced end, lack of resources. */
#define YAF_FLOW_ACTIVE         0   /**< flow has not ended */

#define YAF_END_IDLE            1   /**< idle timeout */

#define YAF_END_ACTIVE          2   /**< active timeout */

#define YAF_END_CLOSED          3   /**< end of flow detected (e.g. TCP FIN/RST) */

#define YAF_END_FORCED          4   /**< forced end (e.g. shutdown) */

#define YAF_END_RESOURCE        5   /**< lack of resources */

#define YAF_END_UDPFORCE        0x1F    /**< YAF-specific: UDP flow forcibly exported (per the name -- confirm) */

/* The next four are not end reasons. 0x03 is not a single bit, so this is not
 * a pure bit-flag set; the field they populate is not visible in this header --
 * confirm before combining or masking them. */
#define YAF_SAME_SIZE           0x01

#define YAF_OUT_OF_SEQUENCE     0x02

#define YAF_FRAG_ACTIVE         0x03

#define YAF_FRAG_PASSIVE        0x04

/** Masks the end-reason code out of a reason byte whose top bit may be set. */
#define YAF_END_MASK            0x7F

/** Flag bit in the reason byte; per the name it marks a continuation record of
 *  a flow that is still active. Test with (reason & YAF_ENDF_ISCONT). */
#define YAF_ENDF_ISCONT         0x80
/* IANA-assigned IP protocol numbers, for comparison with yfFlowKey_t.proto. */
#define YAF_IP_ICMP             1

#define YAF_IP_TCP              6

#define YAF_IP_UDP              17
#define YFP_IPTCPHEADER_SIZE    128     /**< bytes of IP+TCP header retained per packet (per the name -- confirm against the decoder) */

#define ETHERNET_MAC_ADDR_LENGTH 6      /**< octets in an Ethernet MAC address; sizes the MAC fields of yfFlow_t */

#define YAF_MAX_HOOKS            4      /**< maximum number of hooks; sizes yfFlow_t.hfctx */

#define YAF_HOOKS_MAX_EXPORT    1500    /**< upper bound on hook export data (per the name; units not shown here -- confirm) */

#define YAF_MAX_PKT_BOUNDARY    25      /**< maximum packet boundaries tracked (presumably the capacity behind yfFlowVal_t.paybounds -- confirm) */

#define YAF_PCAP_MAX            5000000 /**< pcap size/rotation limit (per the name; units not shown here -- confirm) */
/**
 * Flow key: the tuple identifying a flow. The declaration order is the struct
 * layout; yfAlignmentCheck / YAF_ERROR_ALIGNMENT suggest that layout is checked
 * at runtime, so do not reorder members.
 *
 * NOTE(review): the union makes the struct as large as its v6 members. If keys
 * are hashed or compared bytewise, the unused v6 bytes and any padding must be
 * zeroed consistently -- check yfFlowPrepare and the key-building code.
 */
typedef struct yfFlowKey_st {
    /** source port (transport layer, per the sp/dp naming) */
    uint16_t            sp;
    /** destination port */
    uint16_t            dp;
    /** IP protocol number; compare with the YAF_IP_* constants */
    uint8_t             proto;
    /** IP version; presumably selects addr.v4 (4) or addr.v6 (6) -- confirm */
    uint8_t             version;
    /** 802.1Q VLAN id */
    uint16_t            vlanId;
    /* capture interface index; present only when per-interface separation is compiled in */
    #if YAF_ENABLE_DAG_SEPARATE_INTERFACES || YAF_ENABLE_NAPATECH_SEPARATE_INTERFACES || YAF_ENABLE_BIVIO
    uint8_t             netIf;
    #endif

    /** source/destination addresses; which member is valid depends on version */
    union {
        struct {
            /** IPv4 source address (byte order not documented here -- confirm) */
            uint32_t    sip;
            /** IPv4 destination address */
            uint32_t    dip;
        }               v4;
        struct {
            /** IPv6 source address, 16 octets */
            uint8_t     sip[16];
            /** IPv6 destination address, 16 octets */
            uint8_t     dip[16];
        }               v6;
    }                   addr;
} yfFlowKey_t;
00237 
/**
 * Per-direction flow statistics, embedded in yfFlowVal_t as @c stats.
 * Member meanings below are read from the names; confirm against the code
 * that fills them.
 */
typedef struct yfFlowStats_st {
    /** inter-arrival time samples, 10 slots (units not shown here) */
    uint64_t iaarray[10];
    /** packet size samples, 10 slots */
    uint16_t pktsize[10];
    /** payload octets seen */
    uint64_t payoct;
    /** time of the last packet */
    uint64_t ltime;
    /** count of TCP packets with URG set */
    uint32_t tcpurgct;
    /** count of small packets */
    uint32_t smallpktct;
    /** count of packets carrying payload */
    uint32_t nonemptypktct;
    /** count of large packets */
    uint32_t largepktct;
    /** average inter-arrival time */
    uint32_t aitime;
    /** size of the first packet */
    uint16_t firstpktsize;
    /** largest packet size seen */
    uint16_t maxpktsize;
} yfFlowStats_t;
00265 
/**
 * Per-direction flow values: counters, flags and optional captured data.
 * yfFlow_t holds one per direction (val and rval). Several members exist only
 * under a YAF_ENABLE_* feature macro, so sizeof(yfFlowVal_t) depends on the
 * build configuration; all translation units must see the same configuration.
 */
typedef struct yfFlowVal_st {
    /** octets in this direction */
    uint64_t    oct;
    /** packets in this direction */
    uint64_t    pkt;
#   if YAF_ENABLE_PAYLOAD

    /** number of valid bytes at payload */
    uint32_t    paylen;
    /** captured payload bytes; consumers must bound every read by paylen
     *  (allocation and ownership are not shown here -- see yfFlowCleanup) */
    uint8_t     *payload;
    /** packet boundary offsets within payload (presumably up to YAF_MAX_PKT_BOUNDARY entries -- confirm) */
    size_t      *paybounds;
#   endif

    /** initial sequence number (TCP) */
    uint32_t    isn;
    /** size of the first packet */
    uint16_t    first_pkt_size;
    /** flow attribute flags; the bit assignments are not visible in this header */
    uint16_t    attributes;
    /** TCP flags of the initial packet (per the name) */
    uint8_t     iflags;
    /** union of TCP flags seen on later packets (per the name) */
    uint8_t     uflags;
#   if YAF_ENABLE_BIVIO
    /** capture interface (Bivio builds only) */
    uint8_t     netIf;
#   endif
#   if YAF_ENABLE_ENTROPY

    /** payload entropy estimate, one byte */
    uint8_t     entropy;
    /** explicit padding (1 + 7 = 8 bytes), presumably to keep the following members 8-byte aligned */
    uint8_t     entpad[7];
#   endif
#   if YAF_ENABLE_P0F

    /** OS name from passive fingerprinting; pointer ownership not shown here */
    const char  *osname;
    /** OS version from passive fingerprinting */
    const char  *osver;
    /** non-zero when the fingerprint match was fuzzy (per the name) */
    uint8_t     fuzzyMatch;
    /** explicit padding, same purpose as entpad */
    uint8_t     fuzzyPad[7];
    /** raw OS fingerprint string; non-const, so presumably heap-owned by the flow -- confirm */
    char        *osFingerPrint;
#   endif
#   if YAF_ENABLE_FPEXPORT

    /** bytes valid at firstPacket */
    uint32_t    firstPacketLen;
    /** bytes valid at secondPacket */
    uint32_t    secondPacketLen;
    /** copy of the first packet, for fingerprint export */
    uint8_t     *firstPacket;
    /** copy of the second packet */
    uint8_t     *secondPacket;
#   endif

    /** per-direction statistics */
    yfFlowStats_t stats;
} yfFlowVal_t;
00327 
00328 
/**
 * A complete flow record: timing, end reason, link-layer addresses, pcap
 * bookkeeping, the two per-direction value blocks and the key. The layout is
 * build-dependent (hfctx and appLabel are conditional).
 */
typedef struct yfFlow_st {
    /** start time; units not shown here (rdtime below is in milliseconds, so presumably epoch milliseconds -- confirm) */
    uint64_t        stime;
    /** end time, same units as stime */
    uint64_t        etime;
#ifdef YAF_ENABLE_HOOKS
    /* NOTE(review): this member is guarded with #ifdef, while yfDPIInfoModel
     * at the end of this header is guarded with #if YAF_ENABLE_HOOKS. A build
     * that defines the macro as 0 gets hfctx but no yfDPIInfoModel
     * declaration; the two guards should use the same test. */
    /** per-hook private context, one slot per hook */
    void            *hfctx[YAF_MAX_HOOKS];
#endif
     /*
     * Reverse flow delta start time in milliseconds. Equivalent to initial
     * packet round-trip time; useful for decomposing biflows into uniflows.
     */
    int32_t         rdtime;
#if YAF_ENABLE_APPLABEL

    /** application label (per the name; the value space is not shown here) */
    uint16_t        appLabel;
#endif

    /** end reason: per YAF_END_MASK / YAF_ENDF_ISCONT, a YAF_END_* code in the low 7 bits with the continuation flag in the top bit */
    uint8_t         reason;
    /** pcap serial number (per the name) */
    uint8_t         pcap_serial;
    /** source MAC address */
    uint8_t         sourceMacAddr[ETHERNET_MAC_ADDR_LENGTH];
    /** destination MAC address */
    uint8_t         destinationMacAddr[ETHERNET_MAC_ADDR_LENGTH];
    /** pcap file number (per the name) */
    uint8_t         pcap_file_no;
    /** per-flow pcap dumper. pcap_dumper_t is a libpcap type that this header
     *  does not include directly -- presumably reached through yaf/autoinc.h */
    pcap_dumper_t   *pcap;
    /** direction of the most recent packet (per the name) */
    uint8_t         pktdir;
    /** forward-direction values */
    yfFlowVal_t     val;
    /** reverse-direction values */
    yfFlowVal_t     rval;
    /** flow key */
    yfFlowKey_t     key;
} yfFlow_t;
00377 
/**
 * Checks the in-memory layout of the flow structures declared above.
 * Takes no arguments and returns nothing, so any failure has to be reported
 * out of band (the implementation is not shown here; YAF_ERROR_ALIGNMENT is
 * presumably the related error code).
 */
void yfAlignmentCheck(void);


/**
 * Initializes a yfFlow_t before first use.
 *
 * @param flow  flow record to initialize; the storage is supplied by the caller
 */
void yfFlowPrepare(
    yfFlow_t          *flow);

/**
 * Releases resources attached to a flow record (presumably the payload and
 * fingerprint buffers that yfFlowVal_t can carry in some builds -- confirm).
 * Since yfFlowPrepare works on caller-supplied storage, @p flow itself is
 * presumably not freed here.
 *
 * @param flow  flow record to clean up
 */
void yfFlowCleanup(
    yfFlow_t          *flow);
00409 
/**
 * Opens an IPFIX writer on a file path.
 *
 * @param path    output file path
 * @param domain  observation domain id for the exported messages (presumably)
 * @param err     GError out-parameter
 * @return        libfixbuf buffer to hand to yfWriteFlow / yfWriterClose;
 *                presumably NULL with @p err set on failure (GError convention)
 */
fBuf_t *yfWriterForFile(
    const char              *path,
    uint32_t                domain,
    GError                  **err);

/**
 * Opens an IPFIX writer on an already-open stdio stream.
 *
 * @param fp      open output stream; who calls fclose() is not shown here
 * @param domain  observation domain id (presumably)
 * @param err     GError out-parameter
 * @return        libfixbuf buffer, or presumably NULL with @p err set
 */
fBuf_t *yfWriterForFP(
    FILE                    *fp,
    uint32_t                domain,
    GError                  **err);

/**
 * Opens an IPFIX writer on a network connection. Transport and endpoint are
 * entirely determined by @p spec, so whatever protection the export path has
 * is decided by the caller building the spec.
 *
 * @param spec    libfixbuf connection specification
 * @param domain  observation domain id (presumably)
 * @param err     GError out-parameter
 * @return        libfixbuf buffer, or presumably NULL with @p err set
 */
fBuf_t *yfWriterForSpec(
    fbConnSpec_t            *spec,
    uint32_t                domain,
    GError                  **err);


#ifdef HAVE_SPREAD

/**
 * Opens an IPFIX writer publishing to Spread groups; compiled only with Spread
 * support.
 *
 * @param params            Spread parameters (libfixbuf type)
 * @param domain            observation domain id (presumably)
 * @param spreadGroupIndex  pointer to a group index; whether it is input,
 *                          output or both is not shown here
 * @param err               GError out-parameter
 * @return                  libfixbuf buffer, or presumably NULL with @p err set
 */
fBuf_t *yfWriterForSpread(
    fbSpreadParams_t       *params,
    uint32_t               domain,
    uint16_t               *spreadGroupIndex,
    GError                 **err);

#endif /* HAVE_SPREAD */
00479 
/**
 * Writes a statistics record.
 *
 * @param yfContext  opaque pointer to the YAF context (a void*, so the type is
 *                   not checked at this boundary; presumably the context
 *                   struct defined elsewhere in YAF)
 * @param pcap_drop  packet-drop count reported by the capture layer (per the name)
 * @param timer      GLib timer, presumably for uptime/rate computation
 * @param err        GError out-parameter
 * @return           TRUE on success, FALSE with @p err set
 */
gboolean yfWriteStatsFlow(
    void *yfContext,
    uint32_t pcap_drop,
    GTimer *timer,
    GError **err);

/**
 * Writes one flow record.
 *
 * @param yfContext  opaque YAF context pointer (see yfWriteStatsFlow)
 * @param flow       flow to export
 * @param err        GError out-parameter
 * @return           TRUE on success, FALSE with @p err set
 */
gboolean yfWriteFlow(
    void                *yfContext,
    yfFlow_t            *flow,
    GError              **err);

/**
 * Closes a writer created by one of the yfWriterFor* functions.
 *
 * @param fbuf   writer buffer to close
 * @param flush  presumably TRUE to emit buffered records before closing,
 *               FALSE to discard them -- confirm
 * @param err    GError out-parameter
 * @return       TRUE on success, FALSE with @p err set
 */
gboolean yfWriterClose(
    fBuf_t          *fbuf,
    gboolean        flush,
    GError          **err);

/**
 * Sets whether captured payload bytes are included in exported records.
 * No writer handle is passed, so this is necessarily module-wide state that
 * affects every writer in the process. Exported payload is raw packet data
 * and may be sensitive; callers should make this an explicit configuration
 * choice.
 *
 * @param payload_mode  TRUE to export payload
 */
void yfWriterExportPayload(
        gboolean                        payload_mode);

/**
 * Sets whether IPv4 addresses are exported as IPv4-mapped IPv6 addresses
 * (per the name -- confirm). Module-wide, like yfWriterExportPayload.
 *
 * @param map_mode  TRUE to enable mapping
 */
void yfWriterExportMappedV6(
        gboolean                        map_mode);
00547 
/**
 * Opens an IPFIX reader on a stdio stream.
 *
 * @param fbuf  existing buffer to reuse; whether NULL is accepted to allocate
 *              a new one is not shown here -- confirm
 * @param fp    open input stream
 * @param err   GError out-parameter
 * @return      reader buffer for yfReadFlow, or presumably NULL with @p err set
 */
fBuf_t *yfReaderForFP(
    fBuf_t          *fbuf,
    FILE            *fp,
    GError          **err);

/**
 * Creates a libfixbuf listener that accepts IPFIX connections per @p spec.
 * The listener accepts input from remote peers; the callbacks are where a
 * caller can apply per-connection policy.
 *
 * @param spec     connection specification (transport, address, port)
 * @param appinit  libfixbuf per-connection initialization callback
 * @param appfree  libfixbuf per-connection teardown callback
 * @param err      GError out-parameter
 * @return         listener, or presumably NULL with @p err set
 */
fbListener_t *yfListenerForSpec(
    fbConnSpec_t        *spec,
    fbListenerAppInit_fn    appinit,
    fbListenerAppFree_fn    appfree,
    GError              **err);

/**
 * Reads one flow record from @p fbuf into @p flow.
 *
 * The record originates from a file or a network peer, so every field of
 * @p flow (including any payload length/pointer pair in a YAF_ENABLE_PAYLOAD
 * build) must be treated as untrusted by the caller.
 *
 * @param fbuf  reader buffer
 * @param flow  destination record; presumably prepared with yfFlowPrepare
 * @param err   GError out-parameter
 * @return      TRUE on success; FALSE with @p err set, presumably using
 *              YAF_ERROR_EOF at end of input, which callers should treat
 *              differently from other failures
 */
gboolean yfReadFlow(
    fBuf_t          *fbuf,
    yfFlow_t        *flow,
    GError          **err);

/**
 * Variant of yfReadFlow; per the name it reads the extended record format.
 * The difference is not visible from the signature -- confirm in the
 * implementation. Same parameters, return and trust caveats as yfReadFlow.
 */
gboolean yfReadFlowExtended(
    fBuf_t                  *fbuf,
    yfFlow_t                *flow,
    GError                  **err);
00629 
/**
 * Renders a flow record as text into a GString.
 *
 * @param rstr  destination string (caller-owned)
 * @param flow  flow to render
 */
void yfPrintString(
    GString             *rstr,
    yfFlow_t            *flow);

/**
 * Renders a flow record as delimited text into a GString.
 *
 * @param rstr      destination string (caller-owned)
 * @param flow      flow to render
 * @param yaft_mac  per the name, whether to include MAC address columns -- confirm
 */
void yfPrintDelimitedString(
    GString                 *rstr,
    yfFlow_t                *flow,
    gboolean                yaft_mac);

/**
 * Prints a flow record to a stdio stream.
 *
 * @param out   output stream
 * @param flow  flow to print
 * @param err   GError out-parameter
 * @return      TRUE on success, FALSE with @p err set
 */
gboolean yfPrint(
    FILE                *out,
    yfFlow_t            *flow,
    GError              **err);

/**
 * Prints a flow record as delimited text to a stdio stream.
 *
 * @param out       output stream
 * @param flow      flow to print
 * @param yaft_mac  see yfPrintDelimitedString
 * @param err       GError out-parameter
 * @return          TRUE on success, FALSE with @p err set
 */
gboolean yfPrintDelimited(
    FILE                *out,
    yfFlow_t            *flow,
    gboolean            yaft_mac,
    GError              **err);

/**
 * Prints the column header line matching yfPrintDelimited.
 *
 * NOTE(review): unlike yfPrint / yfPrintDelimited this returns void although
 * it takes @p err, so a failure can only be detected by passing a non-NULL
 * GError* initialized to NULL and checking it after the call.
 *
 * @param out       output stream
 * @param yaft_mac  see yfPrintDelimitedString
 * @param err       GError out-parameter
 */
void yfPrintColumnHeaders(
        FILE           *out,
        gboolean       yaft_mac,
        GError         **err);
00697 
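#if YAF_ENABLE_HOOKS

/**
 * Returns the libfixbuf information model used for hook (DPI) export.
 * Declared only when hooks are compiled in. Ownership of the returned model
 * is not shown here; presumably a shared model the caller must not free --
 * confirm.
 *
 * Prototyped as (void): the previous empty parameter list declared no
 * parameter information in C, so a call passing stray arguments would have
 * compiled silently; (void) also matches yfAlignmentCheck above.
 */
fbInfoModel_t *yfDPIInfoModel(void);
#endif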
00706 
00707 
00708 
#endif /* _YAF_CORE_H_ */