/*
** Copyright (C) 2010-2013 Sourcefire, Inc.
** Author: Michael R. Altizer <mialtize@cisco.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
*/

/*
 * daq_common.h - constants, flags and data layouts shared between the DAQ
 * (Data AcQuisition) library, the DAQ modules that produce packets, and the
 * applications that consume them (e.g. Snort).  This header declares no
 * functions; everything in it is a type, an enumerator or a macro.
 *
 * NOTE(review): the structures below are handed across the library/module
 * boundary through the callback types near the end of this file, so their
 * field order, types and padding are effectively ABI.  Do not reorder or
 * resize fields without coordinating with every module and consumer.
 *
 * NOTE(review): the include guard and several struct tags (_daq_pkthdr,
 * _daq_module, ...) begin with an underscore followed by an uppercase or
 * another underscore-prefixed name, which the C standard reserves for the
 * implementation.  They are kept as-is because other headers refer to these
 * tags (DAQ_Module_t is only forward-declared here).
 */

#ifndef _DAQ_COMMON_H
#define _DAQ_COMMON_H

#include <stdint.h>
#include <unistd.h>
#ifndef WIN32
/* NOTE(review): this test uses WIN32 while the visibility block below tests
   _WIN32; confirm both macros are defined by the Windows toolchains in use. */
#include <netinet/in.h>
#include <sys/time.h>
#else
/* for struct timeval */
#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#endif

/*
 * Shared-object symbol visibility / DLL import-export decoration.
 *
 * NOTE(review): the Windows/Cygwin branch defines DLL_LOCAL but not
 * DAQ_SO_PRIVATE, while the ELF branch defines DAQ_SO_PRIVATE but not
 * DLL_LOCAL; code that uses either name only builds under one branch.
 */
#ifndef DAQ_SO_PUBLIC
#if defined _WIN32 || defined __CYGWIN__
#  if defined DAQ_DLL
#    ifdef __GNUC__
#      define DAQ_SO_PUBLIC __attribute__((dllexport))
#    else
#      define DAQ_SO_PUBLIC __declspec(dllexport)
#    endif
#  else
#    ifdef __GNUC__
#      define DAQ_SO_PUBLIC __attribute__((dllimport))
#    else
#      define DAQ_SO_PUBLIC __declspec(dllimport)
#    endif
#  endif
#  define DLL_LOCAL
#else
#  ifdef HAVE_VISIBILITY
#    define DAQ_SO_PUBLIC  __attribute__ ((visibility("default")))
#    define DAQ_SO_PRIVATE __attribute__ ((visibility("hidden")))
#  else
#    define DAQ_SO_PUBLIC
#    define DAQ_SO_PRIVATE
#  endif
#endif
#endif

/* Linkage decoration applied to the public DAQ library API.  On Windows the
   symbols are exported only when building the DLL itself (DAQ_DLL). */
#ifdef _WIN32
#  ifdef DAQ_DLL
#    define DAQ_LINKAGE DAQ_SO_PUBLIC
#  else
#    define DAQ_LINKAGE
#  endif
#else
#  define DAQ_LINKAGE DAQ_SO_PUBLIC
#endif

/*
 * Return codes.  Zero is success and negative values are errors;
 * DAQ_READFILE_EOF is an out-of-band end-of-input indication (presumably
 * only produced when reading from a file, see DAQ_MODE_READ_FILE below).
 */
#define DAQ_SUCCESS          0  /* Success! */
#define DAQ_ERROR           -1  /* Generic error */
#define DAQ_ERROR_NOMEM     -2  /* Out of memory error */
#define DAQ_ERROR_NODEV     -3  /* No such device error */
#define DAQ_ERROR_NOTSUP    -4  /* Functionality is unsupported error */
#define DAQ_ERROR_NOMOD     -5  /* No module specified error */
#define DAQ_ERROR_NOCTX     -6  /* No context specified error */
#define DAQ_ERROR_INVAL     -7  /* Invalid argument/request error */
#define DAQ_ERROR_EXISTS    -8  /* Argument or device already exists */
#define DAQ_ERROR_AGAIN     -9  /* Try again */
#define DAQ_READFILE_EOF   -42  /* Hit the end of the file being read! */

/*
 * Per-packet flags carried in DAQ_PktHdr_t.flags.  They are set by the DAQ
 * module; the *_IS_VALID / REAL_ADDRESSES flags tell the consumer which of
 * the optional header fields (opaque, flow_id, real_*) actually hold data.
 */
#define DAQ_PKT_FLAG_HW_TCP_CS_GOOD     0x000001 /* The DAQ module reports that the checksum for this packet is good. */
#define DAQ_PKT_FLAG_OPAQUE_IS_VALID    0x000002 /* The DAQ module actively set the opaque value in the DAQ packet header. */
#define DAQ_PKT_FLAG_NOT_FORWARDING     0x000004 /* The DAQ module will not be actively forwarding this packet
                                                    regardless of the verdict (e.g., Passive or Inline Tap interfaces). */
#define DAQ_PKT_FLAG_PRE_ROUTING        0x000008 /* The packet is being routed via us but packet modifications
                                                    (MAC and TTL) have not yet been made. */
#define DAQ_PKT_FLAG_SSL_DETECTED       0x000010 /* Packet is ssl client hello */
#define DAQ_PKT_FLAG_SSL_SHELLO         0x000020 /* Packet is ssl server hello */
#define DAQ_PKT_FLAG_SSL_SERVER_KEYX    0x000040 /* Packet is ssl server keyx */
#define DAQ_PKT_FLAG_SSL_CLIENT_KEYX    0x000080 /* Packet is ssl client keyx */
#define DAQ_PKT_FLAG_IGNORE_VLAN        0x000100 /* Ignore vlan tags in the packet */
#define DAQ_PKT_FLAG_REAL_ADDRESSES     0x000200 /* The real address values in the header are valid */
#define DAQ_PKT_FLAG_REAL_SIP_V6        0x000400 /* The real source address is IPv6 */
#define DAQ_PKT_FLAG_REAL_DIP_V6        0x000800 /* The real destination address is IPv6 */
#define DAQ_PKT_FLAG_FLOWID_IS_VALID    0x001000 /* The DAQ module actively set the flow ID value in the DAQ packet header. */
#define DAQ_PKT_FLAG_LOCALLY_DESTINED   0x002000 /* The packet is destined for local delivery */
#define DAQ_PKT_FLAG_LOCALLY_ORIGINATED 0x004000 /* The packet was originated locally */
#define DAQ_PKT_FLAG_SCRUBBED_TCP_OPTS  0x008000 /* Scrubbed tcp options may be available (see DAQ_QUERYFLOW_TYPE_TCP_SCRUBBED_*) */
#define DAQ_PKT_FLAG_HA_STATE_AVAIL     0x010000 /* HA State is available for the flow this packet is associated with. */
#define DAQ_PKT_FLAG_ERROR_PACKET       0x020000 /* Lower level reports that the packet has errors. */
#define DAQ_PKT_FLAG_RETRY_PACKET       0x040000 /* Packet is from the retry queue. */
#define DAQ_PKT_FLAG_TRACE_ENABLED      0x080000 /* Tracing due to packet trace or capture with trace */
#define DAQ_PKT_FLAG_SIMULATED          0x100000 /* Packet is simulated/virtual */

/* The DAQ packet header structure passed to DAQ Analysis Functions.
 * This should NEVER be modified by user applications. */
/* Sentinel values, presumably for the signed ingress/egress index and group
   fields of DAQ_PktHdr_t when the interface is not known. */
#define DAQ_PKTHDR_UNKNOWN  -1  /* Ingress or Egress not known */
#define DAQ_PKTHDR_FLOOD    -2  /* Egress is flooding */
typedef struct _daq_pkthdr
{
    struct timeval ts;      /* Timestamp */
    uint32_t caplen;        /* Length of the portion present.  Consumers must bound every read of
                               the packet data by caplen, not pktlen; the two differ when the
                               capture was truncated (see DAQ_Config_t.snaplen). */
    uint32_t pktlen;        /* Length of this packet (off wire) */
    int32_t ingress_index;  /* Index of the inbound interface. */
    int32_t egress_index;   /* Index of the outbound interface. */
    int32_t ingress_group;  /* Index of the inbound group. */
    int32_t egress_group;   /* Index of the outbound group. */
    uint32_t flags;         /* Flags for the packet (DAQ_PKT_FLAG_*) */
    uint32_t opaque;        /* Opaque context value from the DAQ module or underlying hardware.
                               Directly related to the opaque value in FlowStats.
                               Only meaningful when DAQ_PKT_FLAG_OPAQUE_IS_VALID is set. */
    void *priv_ptr;         /* Private data pointer */
    uint32_t flow_id;       /* Flow ID value provided from the DAQ module or underlying hardware.
                               Only meaningful when DAQ_PKT_FLAG_FLOWID_IS_VALID is set. */
    uint16_t address_space_id; /* Unique ID of the address space */

    /* Real values for NAT'ed connections.  Valid only when
       DAQ_PKT_FLAG_REAL_ADDRESSES is set; DAQ_PKT_FLAG_REAL_SIP_V6 /
       DAQ_PKT_FLAG_REAL_DIP_V6 say whether each address is IPv6.
       NOTE(review): the n_ prefix suggests the ports are in network byte
       order - confirm against the modules that fill them. */
    struct in6_addr real_sIP;
    struct in6_addr real_dIP;
    uint16_t n_real_sPort;
    uint16_t n_real_dPort;
} DAQ_PktHdr_t;


/* HA state binary blob descriptor used for DAQ_METAHDR_TYPE_HA_STATE, DAQ_MODFLOW_TYPE_HA_STATE,
   and DAQ_QUERYFLOW_TYPE_HA_STATE.
   NOTE(review): length is presumably the byte count of data.  The blob is
   opaque to this header; a consumer should validate length against the size
   it expects before copying or decoding the contents. */
typedef struct _daq_ha_state_data
{
    uint32_t length;
    void *data;
} DAQ_HA_State_Data_t;


/*
 * Metapacket callback types and definitions.
 *
 * A DAQ_MetaHdr_t is delivered through DAQ_Meta_Func_t; its type selects
 * which of the structures below the accompanying data points at.
 */

#define DAQ_METAHDR_TYPE_SOF        0   /* Start of Flow statistics */
#define DAQ_METAHDR_TYPE_EOF        1   /* End of Flow statistics */
#define DAQ_METAHDR_TYPE_VPN_LOGIN  2   /* VPN login info */
#define DAQ_METAHDR_TYPE_VPN_LOGOUT 3   /* VPN logout info */
#define DAQ_METAHDR_TYPE_HA_STATE   4   /* HA State blob */
typedef struct _daq_metahdr
{
    int type;               /* Type (DAQ_METAHDR_TYPE_*) */
} DAQ_MetaHdr_t;

/* Flow statistics structure used for DAQ_METAHDR_TYPE_SOF and DAQ_METAHDR_TYPE_EOF. */
typedef struct _flow_stats
{
    int32_t ingressZone;
    int32_t egressZone;
    int32_t ingressIntf;
    int32_t egressIntf;
    /* The IP addresses should be IPv6 or IPv6 representation of IPv4 (::FFFF:<ipv4>) */
    uint8_t initiatorIp[16];
    uint8_t responderIp[16];
    uint16_t initiatorPort;
    uint16_t responderPort;
    uint32_t opaque;
    uint64_t initiatorPkts;         /* Not populated for SoF stats. */
    uint64_t responderPkts;         /* Not populated for SoF stats. */
    uint64_t initiatorBytes;        /* Not populated for SoF stats. */
    uint64_t responderBytes;        /* Not populated for SoF stats. */
    /* QoS related variables */
    uint64_t initiatorPktsDropped;  /* Not populated for SoF stats. */
    uint64_t responderPktsDropped;  /* Not populated for SoF stats. */
    uint64_t initiatorBytesDropped; /* Not populated for SoF stats. */
    uint64_t responderBytesDropped; /* Not populated for SoF stats. */
    uint8_t isQoSAppliedOnSrcIntf;  /* Not populated for SoF stats. */
    struct timeval sof_timestamp;
    struct timeval eof_timestamp;   /* Not populated for SoF stats. */
    uint16_t vlan_tag;
    uint16_t address_space_id;
    uint8_t protocol;
} Flow_Stats_t, *Flow_Stats_p;

/* VPN session type used by DAQ_VPN_Login_Info_t for DAQ_METAHDR_TYPE_VPN_LOGIN. */
typedef enum {
    NP_IDFW_VPN_SESSION_TYPE_UNKNOWN = 0,
    NP_IDFW_VPN_SESSION_TYPE_RA_IKEV1 = 1,
    NP_IDFW_VPN_SESSION_TYPE_RA_IKEV2 = 2,
    NP_IDFW_VPN_SESSION_TYPE_RA_SSLVPN = 3,
    NP_IDFW_VPN_SESSION_TYPE_RA_SSLVPN_CLIENTLESS = 4,
    NP_IDFW_VPN_SESSION_TYPE_LAN2LAN_IKEV1 = 5,
    NP_IDFW_VPN_SESSION_TYPE_LAN2LAN_IKEV2 = 6,
    NP_IDFW_VPN_SESSION_TYPE_MAX,   /* one past the last valid type; use for range checks */
} np_idfw_vpn_session_type_t;

/* VPN logout info used for DAQ_VPN_Login_Info_t and DAQ_METAHDR_TYPE_VPN_LOGOUT. */
typedef struct _daq_vpn_info
{
    uint8_t ip[16];         /* presumably IPv6 or IPv4-mapped IPv6, like Flow_Stats_t - confirm */
    uint32_t id;
} DAQ_VPN_Info_t, *DAQ_VPN_Info_p;

/* VPN login info used for DAQ_METAHDR_TYPE_VPN_LOGIN. */
#define DAQ_VPN_INFO_MAX_USER_NAME_LEN 256
typedef struct _daq_vpn_login_info
{
    DAQ_VPN_Info_t info;
    uint32_t os;
    np_idfw_vpn_session_type_t type;
    /* The extra byte presumably leaves room for a NUL terminator; consumers
       should still not assume the producer terminated the string. */
    char user[DAQ_VPN_INFO_MAX_USER_NAME_LEN + 1];
} DAQ_VPN_Login_Info_t, *DAQ_VPN_Login_Info_p;

/*
 * Flow modification definitions.
 *
 * A DAQ_ModFlow_t carries a type-tagged (length, value) payload from the
 * application to the module; the DAQ_MODFLOW_TYPE_* value says how value is
 * to be interpreted (e.g. DAQ_ModFlowPktTrace_t for PKT_TRACE,
 * DAQ_HA_State_Data_t for HA_STATE).
 */

#define DAQ_MODFLOW_TYPE_OPAQUE         1
#define DAQ_MODFLOW_TYPE_HA_STATE       2
#define DAQ_MODFLOW_TYPE_SET_QOS_ID     3
#define DAQ_MODFLOW_TYPE_PKT_TRACE      4   /* To send verdict reason and trace data */
#define DAQ_MODFLOW_TYPE_VER_REASON     5   /* To send verdict reason only */
#define DAQ_MODFLOW_TYPE_PRESERVE_FLOW  6   /* Keep passing packets if Snort goes down */
typedef struct _daq_modflow
{
    int type;               /* DAQ_MODFLOW_TYPE_* */
    uint32_t length;        /* presumably the byte count of value */
    const void *value;
} DAQ_ModFlow_t;

/* Packet tracing information used for DAQ_MODFLOW_TYPE_PKT_TRACE. */
typedef struct _daq_modflowpkttrace
{
    uint8_t vreason;                /* verdict reason */
    uint32_t pkt_trace_data_len;    /* byte count of pkt_trace_data */
    uint8_t *pkt_trace_data;
} DAQ_ModFlowPktTrace_t;


/*
 * Flow querying definitions.
 *
 * The mirror image of DAQ_ModFlow_t: the application supplies a buffer in
 * value (of the given length) and the module fills it according to type.
 * Consumers should check that the module honoured the length they supplied.
 */

#define DAQ_QUERYFLOW_TYPE_TCP_SCRUBBED_SYN     1
#define DAQ_QUERYFLOW_TYPE_TCP_SCRUBBED_SYN_ACK 2
#define DAQ_QUERYFLOW_TYPE_HA_STATE             3
typedef struct _daq_queryflow
{
    int type;               /* DAQ_QUERYFLOW_TYPE_* */
    uint32_t length;        /* presumably the byte count of value */
    void *value;
} DAQ_QueryFlow_t;

/* TCP option flags used by DAQ_TCP_Opts_t. */
typedef enum
{
    DAQ_TCP_OPTS_MSS_CHANGED = 0x01,
    DAQ_TCP_OPTS_WIN_SCALE_CHANGED = 0x02,
    DAQ_TCP_OPTS_SACK_CHANGED = 0x04,
    DAQ_TCP_OPTS_TS_CHANGED = 0x08,
} DAQ_TCP_Opts_flags_t;

/* This structure contains TCP options before modification by the underlying
   hardware.  It is used for DAQ_QUERYFLOW_TYPE_TCP_SCRUBBED_SYN and
   DAQ_QUERYFLOW_TYPE_TCP_SCRUBBED_SYN_ACK. */
typedef struct daq_tcp_opts_t_
{
    uint8_t flags;          /* bitmask of DAQ_TCP_Opts_flags_t saying which options were changed */
    uint8_t window_scale;
    uint16_t mss;
    uint8_t window_scale_position;  /* *_position: presumably offsets of each option within the
                                       TCP header's option area - confirm with the module */
    uint8_t ts_position;
    uint8_t mss_position;
    uint8_t sack_ok_position;
    uint32_t ts_value;
} DAQ_TCP_Opts_t;


/* Packet verdicts returned by DAQ_Analysis_Func_t callbacks.
   MAX_DAQ_VERDICT also sizes the per-verdict counters in DAQ_Stats_t. */
typedef enum {
    DAQ_VERDICT_PASS,       /* Pass the packet. */
    DAQ_VERDICT_BLOCK,      /* Block the packet. */
    DAQ_VERDICT_REPLACE,    /* Pass a packet that has been modified in-place. (No resizing allowed!) */
    DAQ_VERDICT_WHITELIST,  /* Pass the packet and fastpath all future packets in the same flow systemwide. */
    DAQ_VERDICT_BLACKLIST,  /* Block the packet and block all future packets in the same flow systemwide. */
    DAQ_VERDICT_IGNORE,     /* Pass the packet and fastpath all future packets in the same flow for this application. */
    DAQ_VERDICT_RETRY,      /* Hold the packet briefly and resend it to Snort while Snort waits for external response.
                               Drop any new packets received on that flow while holding before sending them to Snort. */
    MAX_DAQ_VERDICT
} DAQ_Verdict;

/* Per-packet analysis callback: user is the opaque pointer registered by the
   application, hdr describes the packet and data points at hdr->caplen bytes.
   NOTE(review): data is const-qualified, yet DAQ_VERDICT_REPLACE describes a
   packet "modified in-place" - the const is evidently advisory for that
   verdict; confirm how the modules treat it. */
typedef DAQ_Verdict (*DAQ_Analysis_Func_t)(void *user, const DAQ_PktHdr_t *hdr, const uint8_t *data);
/* Metapacket callback; hdr->type (DAQ_METAHDR_TYPE_*) selects the layout of data. */
typedef int (*DAQ_Meta_Func_t)(void *user, const DAQ_MetaHdr_t *hdr, const uint8_t *data);

/* Operating mode requested in DAQ_Config_t.mode. */
typedef enum {
    DAQ_MODE_PASSIVE,
    DAQ_MODE_INLINE,
    DAQ_MODE_READ_FILE,
    MAX_DAQ_MODE
} DAQ_Mode;

/* DAQ_Config_t.flags bits. */
#define DAQ_CFG_PROMISC     0x01

/* Opaque dictionary of key[:value] strings; defined by the library. */
typedef struct _daq_dict_entry DAQ_Dict;

/* Configuration handed to a module when it is initialized.
   NOTE(review): ownership of the name/extra strings (who frees them) is not
   stated in this header - check the library's initialization code. */
typedef struct _daq_config
{
    char *name;         /* Name of the interface(s) or file to be opened */
    int snaplen;        /* Maximum packet capture length */
    unsigned timeout;   /* Read timeout for acquire loop in milliseconds (0 = unlimited) */
    DAQ_Mode mode;      /* Module mode (DAQ_MODE_*) */
    uint32_t flags;     /* Other configuration flags (DAQ_CFG_*) */
    DAQ_Dict *values;   /* Dictionary of arbitrary key[:value] string pairs. */
    char *extra;        /* Miscellaneous configuration data to be passed to the DAQ module */
} DAQ_Config_t;

/* Lifecycle state of a module instance. */
typedef enum {
    DAQ_STATE_UNINITIALIZED,
    DAQ_STATE_INITIALIZED,
    DAQ_STATE_STARTED,
    DAQ_STATE_STOPPED,
    DAQ_STATE_UNKNOWN,
    MAX_DAQ_STATE
} DAQ_State;

/* Counters reported by a module instance. */
typedef struct _daq_stats
{
    uint64_t hw_packets_received;       /* Packets received by the hardware */
    uint64_t hw_packets_dropped;        /* Packets dropped by the hardware */
    uint64_t packets_received;          /* Packets received by this instance */
    uint64_t packets_filtered;          /* Packets filtered by this instance's BPF */
    uint64_t packets_injected;          /* Packets injected by this instance */
    uint64_t verdicts[MAX_DAQ_VERDICT]; /* Counters of packets handled per-verdict, indexed by DAQ_Verdict. */
} DAQ_Stats_t;

/* Values for DAQ_DP_key_t.tunnel_type. */
#define DAQ_DP_TUNNEL_TYPE_NON_TUNNEL   0
#define DAQ_DP_TUNNEL_TYPE_GTP_TUNNEL   1
#define DAQ_DP_TUNNEL_TYPE_MPLS_TUNNEL  2
#define DAQ_DP_TUNNEL_TYPE_OTHER_TUNNEL 3

/* Key identifying a data-channel (expected) connection.  src_af/dst_af
   select which member of the sa/da unions is in use. */
typedef struct _DAQ_DP_key_t {
    uint16_t src_af;            /* AF_INET or AF_INET6 */
    uint16_t dst_af;            /* AF_INET or AF_INET6 */
    union {
        struct in_addr src_ip4;
        struct in6_addr src_ip6;
    } sa;
    union {
        struct in_addr dst_ip4;
        struct in6_addr dst_ip6;
    } da;
    uint8_t protocol;           /* TCP or UDP (IPPROTO_TCP or IPPROTO_UDP )*/
    uint16_t src_port;          /* TCP/UDP source port */
    uint16_t dst_port;          /* TCP/UDP destination port */
    uint16_t address_space_id;  /* Address Space ID */
    uint16_t tunnel_type;       /* Tunnel type (DAQ_DP_TUNNEL_TYPE_*) */
    uint16_t vlan_id;           /* VLAN ID */
    uint16_t vlan_cnots;        /* NOTE(review): undocumented; meaning not evident from this header */
} DAQ_DP_key_t;

/* Parameters accompanying a DAQ_DP_key_t when a data channel is requested. */
typedef struct _DAQ_Data_Channel_Params_t
{
    unsigned flags;     /* DAQ_DATA_CHANNEL_* flags*/
    unsigned timeout_ms;/* timeout of the data channel in milliseconds */
    unsigned length;    /* [Future] length of the data associated with the data channel */
    uint8_t* data;      /* [Future] opaque data blob to return with the data channel */
} DAQ_Data_Channel_Params_t;

/* DAQ module data channel flags */
#define DAQ_DATA_CHANNEL_FLOAT          0x01 /* the data channel can float to a different snort */
#define DAQ_DATA_CHANNEL_ALLOW_MULTIPLE 0x02 /* allow multiple connections to use the same data channel entry */
#define DAQ_DATA_CHANNEL_PERSIST        0x04 /* data channel entry persists even if control channel terminates */

/* DAQ module type flags */
#define DAQ_TYPE_FILE_CAPABLE   0x01    /* can read from a file */
#define DAQ_TYPE_INTF_CAPABLE   0x02    /* can open live interfaces */
#define DAQ_TYPE_INLINE_CAPABLE 0x04    /* can form an inline bridge */
#define DAQ_TYPE_MULTI_INSTANCE 0x08    /* can be instantiated multiple times */
#define DAQ_TYPE_NO_UNPRIV      0x10    /* can not run unprivileged */

/* DAQ module capability flags */
#define DAQ_CAPA_NONE           0x00000000   /* no capabilities */
#define DAQ_CAPA_BLOCK          0x00000001   /* can block packets */
#define DAQ_CAPA_REPLACE        0x00000002   /* can replace/modify packet data (up to the original data size) */
#define DAQ_CAPA_INJECT         0x00000004   /* can inject packets */
#define DAQ_CAPA_WHITELIST      0x00000008   /* can whitelist flows */
#define DAQ_CAPA_BLACKLIST      0x00000010   /* can blacklist flows */
#define DAQ_CAPA_UNPRIV_START   0x00000020   /* can call start() without root privileges */
#define DAQ_CAPA_BREAKLOOP      0x00000040   /* can call breakloop() to break acquisition loop */
#define DAQ_CAPA_BPF            0x00000080   /* can call set_filter() to establish a BPF */
#define DAQ_CAPA_DEVICE_INDEX   0x00000100   /* can consistently fill the device_index field in DAQ_PktHdr
                                                NOTE(review): DAQ_PktHdr_t above has ingress_index/egress_index,
                                                not device_index; this comment looks stale. */
#define DAQ_CAPA_INJECT_RAW     0x00000200   /* injection of raw packets (no layer-2 headers) */
#define DAQ_CAPA_RETRY          0x00000400   /* resend packet to Snort after brief delay. */
#define DAQ_CAPA_DECODE_GTP     0x00000800   /* decodes and tracks flows within GTP. */
#define DAQ_CAPA_DECODE_TEREDO  0x00001000   /* decodes and tracks flows within Teredo. */
#define DAQ_CAPA_DECODE_GRE     0x00002000   /* decodes and tracks flows within GRE. */
#define DAQ_CAPA_DECODE_4IN4    0x00004000   /* decodes and tracks flows of IPv4 within IPv4. */
#define DAQ_CAPA_DECODE_6IN4    0x00008000   /* decodes and tracks flows of IPv6 within IPv4. */
#define DAQ_CAPA_DECODE_4IN6    0x00010000   /* decodes and tracks flows of IPv4 within IPv6. */
#define DAQ_CAPA_DECODE_6IN6    0x00020000   /* decodes and tracks flows of IPv6 within IPv6. */
#define DAQ_CAPA_DECODE_MPLS    0x00040000   /* decodes and tracks flows within MPLS. */

/* Opaque module descriptor; the struct is defined in the library's API header. */
typedef struct _daq_module DAQ_Module_t;

#endif /* _DAQ_COMMON_H */