Go to the source code of this file.
Data Structures | |
| struct | yfHookMetaData |
| Exported from the plugin to tell YAF about its export data & interface version. More... | |
Macros | |
| #define | YAF_HOOK_INTERFACE_VERSION 6 |
| HOOKS Plugin Version. | |
Functions | |
| gboolean | yfHookPacket (yfFlowKey_t *key, const uint8_t *pkt, size_t caplen, uint32_t iplen, yfTCPInfo_t *tcpinfo, yfL2Info_t *l2info) |
| Function called to do processing on each packet as it comes in. | |
| void | yfHookFlowPacket (yfFlow_t *flow, yfFlowVal_t *val, const uint8_t *pkt, size_t caplen, uint32_t iplen, yfTCPInfo_t *tcpinfo, yfL2Info_t *l2info) |
| Similar to yfHookPacket but also given yfFlowVal_t struct for processing per flow direction. | |
| void | yfHookValidateFlowTab (void **yfctx, uint32_t max_payload, gboolean uniflow, gboolean silkmode, gboolean applabelmode, gboolean entropymode, gboolean fingerprintmode, gboolean fpExportMode, gboolean udp_max_payload, uint16_t udp_uniflow_port) |
| Validation function to make sure the plugin can and should operate based on the flowtable options. | |
| gboolean | yfHookFlowClose (yfFlow_t *flow) |
| Called upon flow close to do any necessary plugin processing upon flow close. | |
| void | yfHookFlowAlloc (yfFlow_t *flow, void **yfctx) |
| Allow plugins to allocate flow state information for each flow captured by yaf at the time of flow creation. | |
| void | yfHookFlowFree (yfFlow_t *flow) |
| Frees all memory associated with the flow state in all of the attached plugins. | |
| fbInfoElement_t * | yfHookGetInfoModel (void) |
| Returns the IPFIX info model aggregated for all plugins. | |
| gboolean | yfHookGetTemplate (fbSession_t *session) |
| Gets the IPFIX info model template for the export data from all the plugins and turns it into a single template to return. | |
| gboolean | yfHookFlowWrite (fbSubTemplateMultiList_t *rec, fbSubTemplateMultiListEntry_t *stml, yfFlow_t *flow, GError **err) |
| called by yfWriteFlow to add the data from all registered plugins to the outgoing IPFIX record | |
| gboolean | yfHookAddNewHook (const char *hookName, const char *hookOpts, const char *hookConf, void **yfctx, GError **err) |
| Adds another hook (plugin) into yaf. | |
| uint8_t | yfHookGetTemplateCount (yfFlow_t *flow) |
| Returns the amount of templates to add to the SubtemplateMultiList from all plugins hooked. | |
| void | yfHookFreeLists (yfFlow_t *flow) |
| Sends control back to the plugin to free any BasicLists, SubTemplateLists, or SubTemplateMultiLists that may have been used in it's added templates. | |
| const struct yfHookMetaData * | ypGetMetaData (void) |
| gboolean | ypHookPacket (yfFlowKey_t *key, const uint8_t *pkt, size_t caplen, uint32_t iplen, yfTCPInfo_t *tcpinfo, yfL2Info_t *l2info) |
| void | ypFlowPacket (void *yfHookConext, yfFlow_t *flow, yfFlowVal_t *val, const uint8_t *pkt, size_t caplen, uint32_t iplen, yfTCPInfo_t *tcpinfo, yfL2Info_t *l2info) |
| gboolean | ypFlowClose (void *yfHookConext, yfFlow_t *flow) |
| void | ypFlowAlloc (void **yfHookConext, yfFlow_t *flow, void *yfctx) |
| void | ypFlowFree (void *yfHookConext, yfFlow_t *flow) |
| gboolean | ypFlowWrite (void *yfHookConext, fbSubTemplateMultiList_t *rec, fbSubTemplateMultiListEntry_t *stml, yfFlow_t *flow, GError **err) |
| fbInfoElement_t * | ypGetInfoModel (void) |
| gboolean | ypGetTemplate (fbSession_t *session) |
| void | ypSetPluginOpt (const char *pluginOpt, void *yfctx) |
| void | ypSetPluginConf (const char *pluginConf, void **yfctx) |
| gboolean | ypValidateFlowTab (void *yfctx, uint32_t max_payload, gboolean uniflow, gboolean silkmode, gboolean applabelmode, gboolean entropymode, gboolean fingerprintmode, gboolean fpExportMode, gboolean udp_max_payload, uint16_t udp_uniflow_port, GError **err) |
| uint8_t | ypGetTemplateCount (void *yfHookConext, yfFlow_t *flow) |
| void | ypFreeLists (void *yfHookConext, yfFlow_t *flow) |
Detailed Description
Processing hook interface for YAF.
VERSION 3 - REQUIRES FIXBUF 1.0
The plugin must implement all of the following functions:
ypGetMetaData - returns the version, max export bytes, applabel enabled
ypHookPacket - called by yfFlowPBuf()
ypFlowPacket - called by yfFlowPBuf() and yfAppLabelFlow() when called by yfAppLabelFlow - the last 3 parameters are 0
ypFlowClose - called by yfFlowClose()
ypFlowAlloc - called by yfFlowGetNode()
ypFlowFree - called by yfFlowFree()
ypFlowWrite - called by yfWriteFlow()
ypGetInfoModel - called by yfInfoModel() - this should not be used for v.3
ypGetTemplate - called by yfInitExporterSession()
ypSetPluginOpt - called by yfHookAddNewHook()
ypSetPluginConf - called by yfHookAddNewHook()
ypScanPayload - if Application labeling is enabled, called by app plugins
ypValidateFlowTab - called by yfFlowTabAlloc()
ypGetTemplateCount - called by yfWriteFlow()
ypFreeLists - called by yfWriteFlow()
Function Documentation
◆ yfHookAddNewHook()
| gboolean yfHookAddNewHook | ( | const char * | hookName, |
| const char * | hookOpts, | ||
| const char * | hookConf, | ||
| void ** | yfctx, | ||
| GError ** | err ) |
Adds another hook (plugin) into yaf.
- Parameters
-
hookName the file name of the plugin to load hookOpts a string of command line options for the plugin to process hookConf the config file for the plugin yfctx pointer to the yaf ctx which contains configuration specifics for this instance of yaf err the error value that gets set if this call didn't work
- Returns
- TRUE if plugin loaded fine, other FALSE
◆ yfHookFlowAlloc()
| void yfHookFlowAlloc | ( | yfFlow_t * | flow, |
| void ** | yfctx ) |
Allow plugins to allocate flow state information for each flow captured by yaf at the time of flow creation.
- Parameters
-
flow the pointer to the flow context state structure, but more importantly contains the array of pointers (hfctx) which hold the plugin context state yfctx pointer to the yaf ctx which contains configuration specifics for this instance of yaf
◆ yfHookFlowClose()
| gboolean yfHookFlowClose | ( | yfFlow_t * | flow | ) |
Called upon flow close to do any necessary plugin processing upon flow close.
- Parameters
-
flow
- Returns
- TRUE or FALSE upon error
◆ yfHookFlowFree()
| void yfHookFlowFree | ( | yfFlow_t * | flow | ) |
Frees all memory associated with the flow state in all of the attached plugins.
- Parameters
-
flow - a pointer to the flow context structure
◆ yfHookFlowPacket()
| void yfHookFlowPacket | ( | yfFlow_t * | flow, |
| yfFlowVal_t * | val, | ||
| const uint8_t * | pkt, | ||
| size_t | caplen, | ||
| uint32_t | iplen, | ||
| yfTCPInfo_t * | tcpinfo, | ||
| yfL2Info_t * | l2info ) |
Similar to yfHookPacket but also given yfFlowVal_t struct for processing per flow direction.
- Parameters
-
flow pointer to yfFlow_t val pointer to yfFlowVal_t struct pkt pointer to pkt data caplen size of pkt data iplen tcpinfo l2info
◆ yfHookFlowWrite()
| gboolean yfHookFlowWrite | ( | fbSubTemplateMultiList_t * | rec, |
| fbSubTemplateMultiListEntry_t * | stml, | ||
| yfFlow_t * | flow, | ||
| GError ** | err ) |
called by yfWriteFlow to add the data from all registered plugins to the outgoing IPFIX record
- Parameters
-
rec outgoing subTemplateMultiList stml Current entry of subTemplateMultiList flow pointer to the flow context structure err Error
◆ yfHookFreeLists()
| void yfHookFreeLists | ( | yfFlow_t * | flow | ) |
Sends control back to the plugin to free any BasicLists, SubTemplateLists, or SubTemplateMultiLists that may have been used in it's added templates.
- Parameters
-
flow
◆ yfHookGetInfoModel()
| fbInfoElement_t * yfHookGetInfoModel | ( | void | ) |
Returns the IPFIX info model aggregated for all plugins.
- Returns
- pointer to an array of fbInfoElement_t that contains the sum of the IPFIX IE's from all active plugins
◆ yfHookGetTemplate()
| gboolean yfHookGetTemplate | ( | fbSession_t * | session | ) |
Gets the IPFIX info model template for the export data from all the plugins and turns it into a single template to return.
It caches the results so that future queries are a lot faster. It can validate the cached result if the numer of plugins registered changes.
- Parameters
-
session pointer to an array of fbInfoElementSpec_t structures that describes the info model template
◆ yfHookGetTemplateCount()
| uint8_t yfHookGetTemplateCount | ( | yfFlow_t * | flow | ) |
Returns the amount of templates to add to the SubtemplateMultiList from all plugins hooked.
- Parameters
-
flow
- Returns
- number of templates to add to SubTemplateMultiList in yaf
◆ yfHookPacket()
| gboolean yfHookPacket | ( | yfFlowKey_t * | key, |
| const uint8_t * | pkt, | ||
| size_t | caplen, | ||
| uint32_t | iplen, | ||
| yfTCPInfo_t * | tcpinfo, | ||
| yfL2Info_t * | l2info ) |
Function called to do processing on each packet as it comes in.
- Parameters
-
key pointer to flowkey pkt pointer to pkt data caplen size of pkt data iplen tcpinfo l2info
- Returns
- TRUE if pkt processing should continue, FALSE if not
◆ yfHookValidateFlowTab()
| void yfHookValidateFlowTab | ( | void ** | yfctx, |
| uint32_t | max_payload, | ||
| gboolean | uniflow, | ||
| gboolean | silkmode, | ||
| gboolean | applabelmode, | ||
| gboolean | entropymode, | ||
| gboolean | fingerprintmode, | ||
| gboolean | fpExportMode, | ||
| gboolean | udp_max_payload, | ||
| uint16_t | udp_uniflow_port ) |
Validation function to make sure the plugin can and should operate based on the flowtable options.
- Parameters
-
yfctx pointer to the yaf ctx which contains configuration specifics max_payload value uniflow silkmode applabelmode entropymode fingerprintmode p0f finger printing mode fpExportMode handshake header export mode udp_max_payload concatenate udp payloads similar to TCP udp_uniflow_port export all udp packets if have this src or dst port
