/**
 * @file templates.h
 *
 * contains all the templates the mediator needs to collect/export
 *
 ** ------------------------------------------------------------------------
 ** Copyright (C) 2012-2017 Carnegie Mellon University. All Rights Reserved.
 ** ------------------------------------------------------------------------
 ** Authors: Emily Sarneso
 ** ------------------------------------------------------------------------
 *
 * @OPENSOURCE_HEADER_START@
 * Use of this (and related) source code is subject to the terms
 * of the following licenses:
 *
 * GNU Public License (GPL) Rights pursuant to Version 2, June 1991
 * Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013
 *
 *
 * This material is based upon work funded and supported by
 * the Department of Defense under Contract FA8721-05-C-0003 with
 * Carnegie Mellon University for the operation of the Software Engineering
 * Institute, a federally funded research and development center. Any opinions,
 * findings and conclusions or recommendations expressed in this
 * material are those of the author(s) and do not
 * necessarily reflect the views of the United States
 * Department of Defense.
 *
 * NO WARRANTY
 *
 * THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE
 * MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY
 * MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED
 * AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF
 * FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS
 * OBTAINED FROM THE USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY
 * DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
 * PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
 *
 * This material has been approved for public release and unlimited
 * distribution.
 *
 * Carnegie Mellon®, CERT® and CERT Coordination Center® are
 * registered marks of Carnegie Mellon University.
 *
 * DM-0001877
 *
 * Carnegie Mellon University retains
 * copyrights in all material produced under this contract. The U.S.
 * Government retains a non-exclusive, royalty-free license to publish or
 * reproduce these documents, or allow others to do so, for U.S.
 * Government purposes only pursuant to the copyright license under the
 * contract clause at 252.227.7013.
 *
 * Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie
 * Mellon University, its trustees, officers, employees, and agents from
 * all claims or demands made against them (and any related losses,
 * expenses, or attorney's fees) arising out of, or relating to Licensee's
 * and/or its sub licensees' negligent use or willful misuse of or
 * negligent conduct or willful misconduct regarding the Software,
 * facilities, or other rights or assistance granted by Carnegie Mellon
 * University under this License, including, but not limited to, any
 * claims of product liability, personal injury, death, damage to
 * property, or violation of any laws or regulations.
 *
 * @OPENSOURCE_HEADER_END@
 */

#ifndef MD_CONF
#define MD_CONF

#include "mediator_ctx.h"
/* NOTE(review): this is #if, not #ifdef, so HAVE_OPENSSL must expand to an
 * integer whenever it is defined; an empty definition is a preprocessor
 * error.  An undefined HAVE_OPENSSL evaluates to 0 and skips the includes. */
#if HAVE_OPENSSL
#include <openssl/md5.h>
#include <openssl/sha.h>
#endif

/* Special dimensions.
 * Each YTF_* value is a single, distinct bit; YTF_MPLS (0x0004) is defined
 * out of numeric order and fills the gap between YTF_PAD and YTF_REV.
 * Presumably these bits are OR'd together to mark which optional field
 * groups a template carries — the combining rule is not in this header,
 * confirm it in the template-building code before relying on it. */
#define YTF_TOTAL 0x0001
#define YTF_PAD 0x0002
#define YTF_REV 0x0010
#define YTF_TCP 0x0020
#define YTF_DAGIF 0x0040
#define YTF_DELTA 0x0080
#define YTF_LIST 0x0100
#define YTF_IP4 0x0200
#define YTF_IP6 0x0400
#define YTF_MPLS 0x0004

/* Mediator-specific flag bits.
 * NOTE(review): MD_LAST_SEEN, MD_DNSRR_FULL and MD_DEDUP_SSL all reuse
 * 0x0002, which is also the YTF_PAD value.  Presumably each applies to a
 * different template and they are never combined with each other or with
 * YTF_* bits — confirm before OR'ing any of them together. */
#define MD_LAST_SEEN 0x0002
#define MD_DNSRR_FULL 0x0002
#define MD_DNS_AREC 0x0004
#define MD_DNS_OREC 0x0008
#define MD_DEDUP_SSL 0x0002

/* YAF TID's
 * Template IDs.  No two values in this list are equal (0xCE10 is unused).
 * NOTE(review): several base TIDs already have low bits set (e.g. 0xCE01 has
 * the YTF_TOTAL bit, 0xD001 too), so if YTF_* dimensions are OR'd into a TID
 * the result could alias another template; confirm how TIDs and dimension
 * bits are combined before adding new IDs. */
#define YAF_SILK_FLOW_TID 0xB000
#define YAF_STAT_OPTN_FLOW_TID 0xD000
#define YAF_TOMBSTONE_FLOW_TID 0xD001
#define YAF_TOMBSTONE_ACCESS_TID 0xD002
#define YAF_ENTROPY_FLOW_TID 0xC002
#define YAF_TCP_FLOW_TID 0xC003
#define YAF_MAC_FLOW_TID 0xC004
#define YAF_STATS_FLOW_TID 0xC005
#define YAF_P0F_FLOW_TID 0xC006
#define YAF_HTTP_FLOW_TID 0xC600
#define YAF_FPEXPORT_FLOW_TID 0xC007
#define YAF_PAYLOAD_FLOW_TID 0xC008
#define YAF_MPTCP_FLOW_TID 0xC009
/* NOTE(review): 0xFF0F is not a template ID despite its placement; by value
 * it looks like a mask that clears the 0x00F0 bits (YTF_REV, YTF_TCP,
 * YTF_DAGIF, YTF_DELTA) — confirm its use. */
#define YTF_BIF 0xFF0F
#define YAF_IRC_FLOW_TID 0xC200
#define YAF_POP3_FLOW_TID 0xC300
#define YAF_TFTP_FLOW_TID 0xC400
#define YAF_SLP_FLOW_TID 0xC500
#define YAF_FTP_FLOW_TID 0xC700
#define YAF_IMAP_FLOW_TID 0xC800
#define YAF_RTSP_FLOW_TID 0xC900
#define YAF_SIP_FLOW_TID 0xCA00
#define YAF_SMTP_FLOW_TID 0xCB00
#define YAF_SSH_FLOW_TID 0xCC00
#define YAF_NNTP_FLOW_TID 0xCD00
#define YAF_DNS_FLOW_TID 0xCE00
#define YAF_DNSQR_FLOW_TID 0xCF00
#define YAF_DNSA_FLOW_TID 0xCE01
#define YAF_DNSAAAA_FLOW_TID 0xCE02
#define YAF_DNSCN_FLOW_TID 0xCE03
#define YAF_DNSMX_FLOW_TID 0xCE04
#define YAF_DNSNS_FLOW_TID 0xCE05
#define YAF_DNSPTR_FLOW_TID 0xCE06
#define YAF_DNSTXT_FLOW_TID 0xCE07
#define YAF_DNSSRV_FLOW_TID 0xCE08
#define YAF_DNSSOA_FLOW_TID 0xCE09
#define YAF_SSL_FLOW_TID 0xCE0A
#define YAF_SSL_CERT_FLOW_TID 0xCE0B
#define YAF_NEW_SSL_FLOW_TID 0xCA0A
#define SM_INTSSL_FLOW_TID 0xDA0A
#define YAF_NEW_SSL_CERT_TID 0xCA0B
#define SM_INTCERT_FLOW_TID 0xDA0B
#define YAF_SSL_SUBCERT_TID 0xCE14
#define YAF_MYSQL_FLOW_TID 0xCE0C
#define YAF_MYSQLTXT_FLOW_TID 0xCE0D
#define YAF_DNSDS_FLOW_TID 0xCE0E
#define YAF_DNSRRSIG_FLOW_TID 0xCE0F
#define YAF_DNSNSEC_FLOW_TID 0xCE11
#define YAF_DNSKEY_FLOW_TID 0xCE12
#define YAF_DNSNSEC3_FLOW_TID 0xCE13
#define YAF_DHCP_FLOW_TID 0xC201
#define YAF_DNP3_FLOW_TID 0xC202
#define YAF_DNP3_REC_FLOW_TID 0xC203
#define YAF_MODBUS_FLOW_TID 0xC204
#define YAF_ENIP_FLOW_TID 0xC205
#define YAF_RTP_FLOW_TID 0xC206
#define YAF_FULL_CERT_TID 0xC207
#define YAF_DHCP_OP_TID 0xC208
#define MD_DNS_OUT 0xCEE0
#define MD_DNS_FULL 0xCEEF
#define MD_DNSRR 0xC0C1
/* NOTE(review): UDP_FORCE is not a template ID; its meaning is not shown in
 * this header — see where it is consumed. */
#define UDP_FORCE 0x1F
#define MD_SSL_TID 0xDAAF
#define MD_DEDUP_TID 0xDAA8
#define MD_DEDUP_FULL 0xDAAA

/* GError domain for mediator errors.  Note this macro calls
 * g_quark_from_string() at every use site rather than caching the quark. */
#define MD_ERROR_DOMAIN g_quark_from_string("MediatorError")
/* Error codes used with MD_ERROR_DOMAIN. */
/* Template Issue - Not Critical*/
#define MD_ERROR_TMPL 1
/* IO Error - Critical */
#define MD_ERROR_IO 2
/* Setup Error */
#define MD_ERROR_SETUP 3
/* memory problem */
#define MD_ERROR_MEM 4
/* Error to ignore */
#define MD_ERROR_NODROP 5
/* silk record */

/* MD specific names */
/* Human-readable names for the MD_* flag bits above (same order). */
#define MD_LAST_SEEN_NAME "last_seen"
#define MD_DNS_AREC_NAME "dns_arec"
#define MD_DNS_OREC_NAME "dns_orec"
#define MD_DNSRR_FULL_NAME "dnsrr_full"
#define MD_DEDUP_SSL_NAME "dedup_ssl"

/* also defined in yafcore.c, should consider pulling from YAF */
/* Human-readable names for the YTF_* dimension bits. */
#define YTF_TOTAL_NAME "total"
#define YTF_REV_NAME "rev"
#define YTF_DELTA_NAME "delta"
#define YTF_IP6_NAME "ip6"
#define YTF_IP4_NAME "ip4"
#define YTF_DAGIF_NAME "dagif"
#define YTF_MPLS_NAME "mpls"

/* not defined in YAF, should consider including in YAF */
#define YTF_TCP_NAME "tcp"
#define YTF_PAD_NAME "pad"
#define YTF_LIST_NAME "list"

/*
 * Record structs.
 *
 * The structs below appear to be fixbuf (IPFIX) template structs — they use
 * fbVarfield_t / fbBasicList_t / fbSubTemplateList_t members and carry
 * "tpl_review" annotations.  For such structs the member order and the
 * explicit padding[] members fix the in-memory layout that the matching
 * template expects, so do not reorder, insert or remove members here
 * without updating the corresponding template specification.  The padding
 * members bring the fixed-size prefix of each struct to a multiple of 8
 * bytes before any 8-byte-aligned member follows.
 */

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* Full DNS flow record */
typedef struct md_dns_st {
    uint64_t flowStartMilliseconds;
    uint64_t flowEndMilliseconds;
    uint32_t sourceIPv4Address;
    uint32_t dnsTTL;
    uint16_t rrtype;
    uint16_t dnsHitCount;
    uint8_t padding[4];              /* fixed prefix is 32 bytes with this */
    fbVarfield_t rrname;
    fbVarfield_t rrdata;
    fbVarfield_t mapname;
} md_dns_t;


/* tpl_review: sizes OK, ie names OK, tpl name OK */
/*SSL Record */
typedef struct md_ssl_st {
    uint64_t flowStartMilliseconds;
    uint64_t flowEndMilliseconds;
    uint64_t observedDataTotalCount;
    fbVarfield_t sslCertSerialNumber;
    fbVarfield_t sslCertIssuerCommonName;
    fbVarfield_t mapname;
} md_ssl_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* Main (bi-directional) flow record; the subTemplateMultiList at the end
 * carries the per-protocol sub-records declared further down. */
typedef struct md_main_template_st {
    uint64_t flowStartMilliseconds;
    uint64_t flowEndMilliseconds;
    uint64_t octetTotalCount;
    uint64_t reverseOctetTotalCount;
    uint64_t octetDeltaCount;
    uint64_t reverseOctetDeltaCount;
    uint64_t packetTotalCount;
    uint64_t reversePacketTotalCount;
    uint64_t packetDeltaCount;
    uint64_t reversePacketDeltaCount;

    uint8_t sourceIPv6Address[16];
    uint8_t destinationIPv6Address[16];

    uint32_t sourceIPv4Address;
    uint32_t destinationIPv4Address;

    uint16_t sourceTransportPort;
    uint16_t destinationTransportPort;
    uint16_t flowAttributes;
    uint16_t reverseFlowAttributes;

    uint8_t protocolIdentifier;
    uint8_t flowEndReason;
    uint16_t silkAppLabel;
    int32_t reverseFlowDeltaMilliseconds;   /* signed, unlike the other counters */

    uint32_t tcpSequenceNumber;
    uint32_t reverseTcpSequenceNumber;

    uint8_t initialTCPFlags;
    uint8_t unionTCPFlags;
    uint8_t reverseInitialTCPFlags;
    uint8_t reverseUnionTCPFlags;
    uint16_t vlanId;
    uint16_t reverseVlanId;

    uint32_t ingressInterface;
    uint32_t egressInterface;

    uint8_t ipClassOfService;
    uint8_t reverseIpClassOfService;
    uint8_t mplsTopLabelStackSection[3];
    uint8_t mplsLabelStackSection2[3];

    uint8_t mplsLabelStackSection3[3];
    uint8_t paddingOctets;                  /* single pad byte: prefix ends at 184 bytes */
    uint32_t observationDomainId;

    uint32_t yafFlowKeyHash;
    uint16_t nDPIL7Protocol;
    uint16_t nDPIL7SubProtocol;

    fbSubTemplateMultiList_t subTemplateMultiList;

} md_main_template_t;


/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* YAF process statistics options record (all fixed-size, 80 bytes). */
typedef struct yaf_stats_option_st {
    uint64_t systemInitTimeMilliseconds;
    uint64_t exportedFlowRecordTotalCount;
    uint64_t packetTotalCount;
    uint64_t droppedPacketTotalCount;
    uint64_t ignoredPacketTotalCount;
    uint64_t notSentPacketTotalCount;
    uint32_t expiredFragmentCount;
    uint32_t assembledFragmentCount;
    uint32_t flowTableFlushEvents;
    uint32_t flowTablePeakCount;
    uint32_t exporterIPv4Address;
    uint32_t exportingProcessId;
    uint32_t meanFlowRate;
    uint32_t meanPacketRate;
} yaf_stats_option_t;

/* Tombstone options record; accessList holds yaf_tombstone_access_t entries
 * (presumably — the template binding is not shown here). */
typedef struct yaf_tombstone_option_st {
    uint16_t exporterConfiguredId;
    uint16_t exporterUniqueId;
    uint32_t tombstoneId;
    fbSubTemplateList_t accessList;
} yaf_tombstone_option_t;

typedef struct yaf_tombstone_access_st {
    uint32_t exportingProcessId;
    uint32_t observationTimeSeconds;
} yaf_tombstone_access_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK, added padding */
/* Legacy SSL/TLS record (see yaf_newssl_t for the newer layout). */
typedef struct yaf_ssl_st {
    fbBasicList_t sslCipherList;
    uint32_t sslServerCipher;
    uint8_t sslClientVersion;
    uint8_t sslCompressionMethod;
    uint8_t padding[2];
} yaf_ssl_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* Current SSL/TLS record; sslCertList carries yaf_newssl_cert_t entries
 * (presumably — confirm against the template binding). */
typedef struct yaf_newssl_st {
    fbBasicList_t sslCipherList;
    uint32_t sslServerCipher;
    uint8_t sslClientVersion;
    uint8_t sslCompressionMethod;
    uint16_t sslRecordVersion;
    fbSubTemplateList_t sslCertList;
    fbVarfield_t sslServerName;
} yaf_newssl_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* One X.509 certificate as exported by YAF.  issuer/subject/extension are
 * lists of yaf_subssl_t (presumably). */
typedef struct yaf_newssl_cert_st {
    fbSubTemplateList_t issuer;
    fbSubTemplateList_t subject;
    fbSubTemplateList_t extension;
    fbVarfield_t sslCertSignature;
    fbVarfield_t sslCertSerialNumber;
    fbVarfield_t sslCertValidityNotBefore;
    fbVarfield_t sslCertValidityNotAfter;
    fbVarfield_t sslPublicKeyAlgorithm;
    uint16_t sslPublicKeyLength;
    uint8_t sslCertVersion;
    uint8_t padding[5];
    fbVarfield_t sslCertificateHash;
    /* Certificate digests.  NOTE(review): presumably filled using the
     * OpenSSL md5/sha headers included above when HAVE_OPENSSL is set.
     * Both MD5 and SHA-1 are collision-prone; treat these values as
     * identifiers for correlation, not as proof of certificate integrity. */
    fbVarfield_t sha1;
    fbVarfield_t md5;
} yaf_newssl_cert_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* One attribute (type + value) of a certificate name or extension. */
typedef struct yaf_subssl_st { /* was yfSSLObjValue */
    fbVarfield_t sslObjectValue;
    uint8_t sslObjectType;
    uint8_t padding[7];
} yaf_subssl_t;


/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* Legacy flattened certificate record (one field per DN component). */
typedef struct yaf_ssl_cert_st {
    fbVarfield_t sslSignature;
    fbVarfield_t sslIssuerCountryName;
    fbVarfield_t sslIssuerOrgName;
    fbVarfield_t sslIssuerOrgUnitName;
    fbVarfield_t sslIssuerZipCode;
    fbVarfield_t sslIssuerState;
    fbVarfield_t sslIssuerCommonName;
    fbVarfield_t sslIssuerLocalityName;
    fbVarfield_t sslIssuerStreetAddress;
    fbVarfield_t sslSubCountryName;
    fbVarfield_t sslSubOrgName;
    fbVarfield_t sslSubOrgUnitName;
    fbVarfield_t sslSubZipCode;
    fbVarfield_t sslSubState;
    fbVarfield_t sslSubCommonName;
    fbVarfield_t sslSubLocalityName;
    fbVarfield_t sslSubStreetAddress;
    uint8_t sslVersion;                 /* trailing; no explicit padding here */
} yaf_ssl_cert_t;

/* Full (raw) certificate list record. */
typedef struct yfSSLFullCert_st {
    fbBasicList_t cert;
} yfSSLFullCert_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_entropy_st {
    uint8_t payloadEntropy;
    uint8_t reversePayloadEntropy;
} yaf_entropy_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_tcp_st {
    uint32_t tcpSequenceNumber;
    uint8_t initialTCPFlags;
    uint8_t unionTCPFlags;
    uint8_t reverseInitialTCPFlags;
    uint8_t reverseUnionTCPFlags;
    uint32_t reverseTcpSequenceNumber;
} yaf_tcp_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_mac_st {
    uint8_t sourceMacAddress[6];
    uint8_t destinationMacAddress[6];
} yaf_mac_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* Passive OS fingerprint (p0f) results for both directions. */
typedef struct yaf_p0f_st {
    fbVarfield_t osName;
    fbVarfield_t osVersion;
    fbVarfield_t osFingerPrint;
    fbVarfield_t reverseOsName;
    fbVarfield_t reverseOsVersion;
    fbVarfield_t reverseOsFingerPrint;
} yaf_p0f_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_fpexport_st {
    fbVarfield_t firstPacketBanner;
    fbVarfield_t secondPacketBanner;
    fbVarfield_t reverseFirstPacketBanner;
} yaf_fpexport_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* Raw payload bytes; contents are untrusted network data. */
typedef struct yaf_payload_st {
    fbVarfield_t payload;
    fbVarfield_t reversePayload;
} yaf_payload_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_mptcp_st {
    /** initial data seq no. */
    uint64_t mptcpInitialDataSequenceNumber;
    /** receiver token */
    uint32_t mptcpReceiverToken;
    /** max segment size */
    uint16_t mptcpMaximumSegmentSize;
    /* addr id */
    uint8_t mptcpAddressID;
    /* hash_flags */
    uint8_t mptcpFlags;
} yaf_mptcp_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* HTTP header fields, one basic list per header of interest.
 * NOTE(review): the trailing zero-length array (httpBasicListBuf[0], and the
 * same pattern in the ftp/imap/rtsp/sip/smtp/ssh records below) is a GNU
 * extension; the C99 form is a flexible array member `uint8_t name[];`.
 * Left as-is because a struct with a true flexible array member cannot be
 * embedded in another struct or used as an array element, and callers of
 * these types are not visible here. */
typedef struct yaf_http_st {
    fbBasicList_t server;
    fbBasicList_t userAgent;
    fbBasicList_t get;
    fbBasicList_t connection;
    fbBasicList_t referer;
    fbBasicList_t location;
    fbBasicList_t host;
    fbBasicList_t contentLength;
    fbBasicList_t age;
    fbBasicList_t response;
    fbBasicList_t acceptLang;
    fbBasicList_t accept;
    fbBasicList_t contentType;
    fbBasicList_t version;
    fbBasicList_t cookie;
    fbBasicList_t setcookie;
    fbBasicList_t httpAuthorization;    /* credential-bearing header; handle as sensitive */
    fbBasicList_t httpVia;
    fbBasicList_t xforward;
    fbBasicList_t httpRefresh;
    uint8_t httpBasicListBuf[0];
} yaf_http_t;

typedef struct yfIRCFlow_st {
    fbBasicList_t ircMsg;
} yfIRCFlow_t;

typedef struct yfPOP3Flow_st {
    fbBasicList_t pop3msg;
} yfPOP3Flow_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_tftp_st {
    fbVarfield_t tftpFilename;
    fbVarfield_t tftpMode;
} yaf_tftp_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK, added padding */
typedef struct yaf_slp_st {
    fbBasicList_t slpString;
    uint8_t slpVersion;
    uint8_t slpMessageType;
    uint8_t padding[6];
} yaf_slp_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* FTP commands/responses; ftpUser and ftpPass carry credentials captured
 * from cleartext FTP — handle as sensitive data downstream. */
typedef struct yaf_ftp_st {
    fbBasicList_t ftpReturn;
    fbBasicList_t ftpUser;
    fbBasicList_t ftpPass;
    fbBasicList_t ftpType;
    fbBasicList_t ftpRespCode;
    uint8_t ftpBasicListBuf[0];
} yaf_ftp_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_imap_st {
    fbBasicList_t imapCapability;
    fbBasicList_t imapLogin;            /* may carry credentials; handle as sensitive */
    fbBasicList_t imapStartTLS;
    fbBasicList_t imapAuthenticate;
    fbBasicList_t imapCommand;
    fbBasicList_t imapExists;
    fbBasicList_t imapRecent;
    uint8_t imapBasicListBuf[0];
} yaf_imap_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_rtsp_st {
    fbBasicList_t rtspURL;
    fbBasicList_t rtspVersion;
    fbBasicList_t rtspReturnCode;
    fbBasicList_t rtspContentLength;
    fbBasicList_t rtspCommand;
    fbBasicList_t rtspContentType;
    fbBasicList_t rtspTransport;
    fbBasicList_t rtspCSeq;
    fbBasicList_t rtspLocation;
    fbBasicList_t rtspPacketsReceived;
    fbBasicList_t rtspUserAgent;
    fbBasicList_t rtspJitter;
    uint8_t rtspBasicListBuf[0];
} yaf_rtsp_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_sip_st {
    fbBasicList_t sipInvite;
    fbBasicList_t sipCommand;
    fbBasicList_t sipVia;
    fbBasicList_t sipMaxForwards;
    fbBasicList_t sipAddress;
    fbBasicList_t sipContentLength;
    fbBasicList_t sipUserAgent;
    uint8_t sipBasicListBuf[0];
} yaf_sip_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_smtp_st {
    fbBasicList_t smtpHello;
    fbBasicList_t smtpFrom;
    fbBasicList_t smtpTo;
    fbBasicList_t smtpContentType;
    fbBasicList_t smtpSubject;
    fbBasicList_t smtpFilename;
    fbBasicList_t smtpContentDisposition;
    fbBasicList_t smtpResponse;
    fbBasicList_t smtpEnhanced;
    fbBasicList_t smtpSize;
    fbBasicList_t smtpDate;
    uint8_t smtpBasicListBuf[0];
} yaf_smtp_t;

typedef struct yfSSHFlow_st {
    fbBasicList_t sshVersion;
    uint8_t sshBasicListBuf[0];
} yfSSHFlow_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_nntp_st {
    fbBasicList_t nntpResponse;
    fbBasicList_t nntpCommand;
} yaf_nntp_t;


/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* DNS record: a list of query/response entries (yaf_dnsQR_t, presumably). */
typedef struct yaf_dns_st {
    fbSubTemplateList_t dnsQRList;
} yaf_dns_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* One DNS query/response; dnsRRList holds the type-specific RR struct
 * selected by dnsQRType (one of the yaf_dns*_t records below, presumably). */
typedef struct yaf_dnsQR_st {
    fbSubTemplateList_t dnsRRList;
    fbVarfield_t dnsQName;
    uint32_t dnsTTL;
    uint16_t dnsQRType;
    uint8_t dnsQueryResponse;
    uint8_t dnsAuthoritative;
    uint8_t dnsNXDomain;
    uint8_t dnsRRSection;
    uint16_t dnsID;
    uint8_t padding[4];
} yaf_dnsQR_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dnsA_st {
    uint32_t sourceIPv4Address;
} yaf_dnsA_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dnsAAAA_st {
    uint8_t sourceIPv6Address[16];
} yaf_dnsAAAA_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* NOTE(review): typedef name yaf_dns_CNAME_t breaks the yaf_dnsX_t pattern
 * used by its siblings; kept because callers may reference it. */
typedef struct yaf_dnsCNAME_st {
    fbVarfield_t dnsCName;
} yaf_dns_CNAME_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dnsMX_st {
    fbVarfield_t dnsMXExchange;
    uint16_t dnsMXPreference;
    uint8_t padding[6];
} yaf_dnsMX_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dnsNS_st {
    fbVarfield_t dnsNSDName;
} yaf_dnsNS_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dnsPTR_st {
    fbVarfield_t dnsPTRDName;
} yaf_dnsPTR_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dnsTXT_st {
    fbVarfield_t dnsTXTData;
} yaf_dnsTXT_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dnsSOA_st {
    fbVarfield_t dnsSOAMName;
    fbVarfield_t dnsSOARName;
    uint32_t dnsSOASerial;
    uint32_t dnsSOARefresh;
    uint32_t dnsSOARetry;
    uint32_t dnsSOAExpire;
    uint32_t dnsSOAMinimum;
    uint8_t padding[4];
} yaf_dnsSOA_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dnsSRV_st {
    fbVarfield_t dnsSRVTarget;
    uint16_t dnsSRVPriority;
    uint16_t dnsSRVWeight;
    uint16_t dnsSRVPort;
    uint8_t padding[2];
} yaf_dnsSRV_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* DNSSEC RRSIG record. */
typedef struct yaf_dnsRRSig_st {
    fbVarfield_t dnsSigner;
    fbVarfield_t dnsSignature;
    uint32_t dnsSigInception;
    uint32_t dnsSigExpiration;
    uint32_t dnsTTL;
    uint16_t dnsKeyTag;
    uint16_t dnsTypeCovered;
    uint8_t dnsAlgorithm;
    uint8_t dnsLabels;
    uint8_t padding[6];
} yaf_dnsRRSig_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* DNSSEC DS record. */
typedef struct yaf_dnsDS_st {
    fbVarfield_t dnsDigest;
    uint16_t dnsKeyTag;
    uint8_t dnsAlgorithm;
    uint8_t dnsDigestType;
    uint8_t padding[4];
} yaf_dnsDS_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* DNSSEC DNSKEY record. */
typedef struct yaf_dnsKey_st {
    fbVarfield_t dnsPublicKey;
    uint16_t dnsFlags;
    uint8_t protocolIdentifier;
    uint8_t dnsAlgorithm;
    uint8_t padding[4];
} yaf_dnsKey_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dnsNSEC_st {
    fbVarfield_t dnsHashData;
} yaf_dnsNSEC_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dnsNSEC3_st {
    fbVarfield_t dnsSalt;
    fbVarfield_t dnsNextDomainName;
    uint16_t iterations;
    uint8_t dnsAlgorithm;
    uint8_t padding[5];
} yaf_dnsNSEC3_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_mysql_st {
    fbSubTemplateList_t mysqlList;
    fbVarfield_t mysqlUsername;
} yaf_mysql_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_mysql_txt_st {
    fbVarfield_t mysqlCommandText;
    uint8_t mysqlCommandCode;
    uint8_t padding[7];
} yaf_mysql_txt_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dhcp_fp_st {
    fbVarfield_t dhcpFingerPrint;
    fbVarfield_t dhcpVendorCode;
    fbVarfield_t reverseDhcpFingerPrint;
    fbVarfield_t reverseDhcpVendorCode;
} yaf_dhcp_fp_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dhcp_options_st {
    fbBasicList_t options;
    fbVarfield_t dhcpVendorCode;
    fbBasicList_t revOptions;
    fbVarfield_t reverseDhcpVendorCode;
} yaf_dhcp_options_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_rtp_st {
    uint8_t rtpPayloadType;
    uint8_t reverseRtpPayloadType;
} yaf_rtp_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* DNP3 record: list of yaf_dnp_rec_t entries (presumably). */
typedef struct yaf_dnp_st {
    fbSubTemplateList_t dnp_list;
} yaf_dnp_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
typedef struct yaf_dnp_rec_st {
    uint16_t dnp3SourceAddress;
    uint16_t dnp3DestinationAddress;
    uint8_t dnp3Function;
    uint8_t padding[3];
    fbVarfield_t dnp3ObjectData;
} yaf_dnp_rec_t;

typedef struct yfModbusFlow_st {
    fbBasicList_t mbmsg;
} yfModbusFlow_t;

typedef struct yfEnIPFlow_st {
    fbBasicList_t enipmsg;
} yfEnIPFlow_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* Per-direction flow statistics; forward fields first, then the reverse
 * block, each padded to an 8-byte boundary. */
typedef struct yaf_flow_stats_st {
    uint64_t dataByteCount;
    uint64_t averageInterarrivalTime;
    uint64_t standardDeviationInterarrivalTime;
    uint32_t tcpUrgTotalCount;
    uint32_t smallPacketCount;
    uint32_t nonEmptyPacketCount;
    uint32_t largePacketCount;
    uint16_t firstNonEmptyPacketSize;
    uint16_t maxPacketSize;
    uint16_t standardDeviationPayloadLength;
    uint8_t firstEightNonEmptyPacketDirections;
    uint8_t padding[1];
    /* reverse Fields */
    uint64_t reverseDataByteCount;
    uint64_t reverseAverageInterarrivalTime;
    uint64_t reverseStandardDeviationInterarrivalTime;
    uint32_t reverseTcpUrgTotalCount;
    uint32_t reverseSmallPacketCount;
    uint32_t reverseNonEmptyPacketCount;
    uint32_t reverseLargePacketCount;
    uint16_t reverseFirstNonEmptyPacketSize;
    uint16_t reverseMaxPacketSize;
    uint16_t reverseStandardDeviationPayloadLength;
    uint8_t padding2[2];
} yaf_flow_stats_t;


/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* Flattened per-resource-record DNS export (one RR plus flow key). */
typedef struct md_dns_rr_st {
    uint64_t flowStartMilliseconds;
    uint8_t sourceIPv6Address[16];
    uint8_t destinationIPv6Address[16];
    uint32_t sourceIPv4Address;
    uint32_t destinationIPv4Address;
    uint32_t dnsTTL;
    uint32_t observationDomainId;
    uint32_t yafFlowKeyHash;
    uint16_t dnsQRType;
    uint16_t sourceTransportPort;
    uint16_t destinationTransportPort;
    uint16_t vlanId;
    uint16_t dnsID;
    uint8_t protocolIdentifier;
    uint8_t dnsQueryResponse;
    uint8_t dnsAuthoritative;
    uint8_t dnsNXDomain;
    uint8_t dnsRRSection;
    uint8_t padding[5];                 /* fixed prefix is 80 bytes with this */
    fbVarfield_t rrname;
    fbVarfield_t rrdata;
} md_dns_rr_t;

/* tpl_review: sizes OK, ie names OK, tpl name OK */
/* De-duplication record (current layout; md_dedup_old_t is the legacy one). */
typedef struct md_dedup_st {
    uint64_t monitoringIntervalStartMilliSeconds;
    uint64_t monitoringIntervalEndMilliSeconds;
    /* with hash this (stime) makes unique key */
    uint64_t flowStartMilliseconds;
    uint64_t observedDataTotalCount;
    uint8_t sourceIPv6Address[16];
    uint32_t sourceIPv4Address;
    uint32_t yafFlowKeyHash;
    fbVarfield_t mapname;
    fbVarfield_t observedData;
    /* ssl only fields */
    fbVarfield_t sslCertSerialNumber1;
    fbVarfield_t sslCertIssuerCommonName1;
    fbVarfield_t sslCertSerialNumber2;
    fbVarfield_t sslCertIssuerCommonName2;
} md_dedup_t;

/* Legacy de-duplication record with abbreviated field names. */
typedef struct md_dedup_old_st {
    uint64_t fseen;
    uint64_t lseen;
    uint64_t count;
    uint8_t sip6[16];
    uint32_t sip;
    uint32_t hash;
    fbVarfield_t data;
    /* ssl only fields */
    fbVarfield_t serial1;
    fbVarfield_t issuer1;
    fbVarfield_t serial2;
    fbVarfield_t issuer2;
} md_dedup_old_t;


/* In-memory view of one decoded flow: the main record plus pointers to
 * whichever sub-records were present.  This is not an export template;
 * pointers are NULL-able (presumably) for sub-records that were absent. */
typedef struct mdFullFlow_st {
    md_main_template_t *rec;
    yaf_entropy_t *entropy;
    yaf_mac_t *mac;
    yaf_payload_t *pay;
    yaf_p0f_t *p0f;
    yaf_flow_stats_t *stats;
    yaf_fpexport_t *fp;
    fbSubTemplateMultiListEntry_t *dhcpfp;
    /* yfDHCP_FP_Flow_t *dhcpfp; */
    yaf_mptcp_t *mptcp;
    void *app;                              /* app-layer record; concrete type presumably chosen by app_tid */
    fbSubTemplateMultiListEntry_t *cert;
    yfSSLFullCert_t *fullcert;
    yaf_newssl_cert_t **sslcerts;
    char *collector_name;
    uint16_t app_tid;
    uint16_t app_elements;
    uint16_t tid;
    uint8_t collector_id;
} mdFullFlow_t;

/* Field-printer callback.  Parameter roles are not documented here;
 * mdBuf_t presumably comes from mediator_ctx.h — confirm there. */
typedef gboolean (*mdPrint_fn)(mdFullFlow_t *, mdBuf_t *, size_t *, char *);

typedef struct mdFieldList_st mdFieldList_t;

/* Singly linked list of fields to print, each with its printer and a
 * decorator string (GString ownership not shown here). */
struct mdFieldList_st {
    mdFieldList_t *next;
    mdPrint_fn print_fn;
    mdAcceptFilterField_t field;
    GString *decorator;
};

#endif