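/**
 * @file mediator_core.h
 *
 * Yaf mediator for filtering, DNS deduplication, and other mediator-like
 * things
 ** ------------------------------------------------------------------------
 ** Copyright (C) 2012-2017 Carnegie Mellon University. All Rights Reserved.
 ** ------------------------------------------------------------------------
 ** Authors: Emily Sarneso
 ** ------------------------------------------------------------------------
 * @OPENSOURCE_HEADER_START@
 * Use of this (and related) source code is subject to the terms
 * of the following licenses:
 *
 * GNU Public License (GPL) Rights pursuant to Version 2, June 1991
 * Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013
 *
 *
 * This material is based upon work funded and supported by
 * the Department of Defense under Contract FA8721-05-C-0003 with
 * Carnegie Mellon University for the operation of the Software Engineering
 * Institute, a federally funded research and development center. Any opinions,
 * findings and conclusions or recommendations expressed in this
 * material are those of the author(s) and do not
 * necessarily reflect the views of the United States
 * Department of Defense.
 *
 * NO WARRANTY
 *
 * THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE
 * MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY
 * MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED
 * AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF
 * FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS
 * OBTAINED FROM THE USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY
 * DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
 * PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
 *
 * This material has been approved for public release and unlimited
 * distribution.
 *
 * Carnegie Mellon®, CERT® and CERT Coordination Center® are
 * registered marks of Carnegie Mellon University.
 *
 * DM-0001877
 *
 * Carnegie Mellon University retains
 * copyrights in all material produced under this contract. The U.S.
 * Government retains a non-exclusive, royalty-free license to publish or
 * reproduce these documents, or allow others to do so, for U.S.
 * Government purposes only pursuant to the copyright license under the
 * contract clause at 252.227.7013.
 *
 * Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie
 * Mellon University, its trustees, officers, employees, and agents from
 * all claims or demands made against them (and any related losses,
 * expenses, or attorney's fees) arising out of, or relating to Licensee's
 * and/or its sub licensees' negligent use or willful misuse of or
 * negligent conduct or willful misconduct regarding the Software,
 * facilities, or other rights or assistance granted by Carnegie Mellon
 * University under this License, including, but not limited to, any
 * claims of product liability, personal injury, death, damage to
 * property, or violation of any laws or regulations.
 *
 * @OPENSOURCE_HEADER_END@
 * -----------------------------------------------------------
 */

/*
 * Include guard: this header defines struct mdTmplContext_st, so a second
 * inclusion in the same translation unit would otherwise be a redefinition
 * error.
 */
#ifndef MEDIATOR_CORE_H_INCLUDED
#define MEDIATOR_CORE_H_INCLUDED

#include "templates.h"
#include "mediator_inf.h"
#include "mediator_ctx.h"

/**
 * Pointer to a session-initialisation routine.  The parameter list
 * (session, error slot, stats, metadata_export) is the same as that of the
 * mdInitExporterSession*() prototypes below, so any of them can be stored
 * in a variable of this type.
 */
typedef fbSession_t *(*md_sess_init_fn)(
    fbSession_t *,
    GError     **,
    uint8_t,
    gboolean);

/**
 * Per-template context handed to mdForwardDedupCustom().
 *
 * NOTE(review): the field meanings below are inferred from the names only;
 * confirm against the code that fills the structure.
 */
typedef struct mdTmplContext_st {
    uint16_t    tid;        /* presumably a template ID */
    uint16_t    ie;         /* presumably an information element number */
    size_t      num_elem;   /* presumably an element count */
} mdTmplContext_t;

/* Returns an fbInfoModel_t pointer; who owns it is not visible from here. */
fbInfoModel_t *mdInfoModel(void);

/*
 * Exporter session initialisers.  All six share one signature (the one
 * described by md_sess_init_fn).  This header does not show how the
 * variants differ or what is returned on failure; presumably they follow
 * the GLib convention of returning NULL with *err set -- confirm in the
 * implementation before relying on it.
 */
fbSession_t *mdInitExporterSession(
    fbSession_t *session,
    GError     **err,
    uint8_t      stats,
    gboolean     metadata_export);

fbSession_t *mdInitExporterSessionDNSDedupOnly(
    fbSession_t *session,
    GError     **err,
    uint8_t      stats,
    gboolean     metadata_export);

fbSession_t *mdInitExporterSessionDedupOnly(
    fbSession_t *session,
    GError     **err,
    uint8_t      stats,
    gboolean     metadata_export);

fbSession_t *mdInitExporterSessionDNSRROnly(
    fbSession_t *session,
    GError     **err,
    uint8_t      stats,
    gboolean     metadata_export);

fbSession_t *mdInitExporterSessionFlowOnly(
    fbSession_t *session,
    GError     **err,
    uint8_t      stats,
    gboolean     metadata_export);

fbSession_t *mdInitExporterSessionSSLDedupOnly(
    fbSession_t *session,
    GError     **err,
    uint8_t      stats,
    gboolean     metadata_export);

/*
 * The Spread declarations are compiled only when HAVE_SPREAD evaluates to
 * non-zero; an undefined HAVE_SPREAD is treated as 0 by #if.
 */
#if HAVE_SPREAD
fbSession_t *mdInitSpreadExporterSession(
    fbSession_t *session,
    gboolean     dedup,
    GError     **err);
#endif

fbSession_t *mdInitCollectorSession(
    GError **err);

#if HAVE_SPREAD
/*
 * NOTE(review): num_groups is a signed int and presumably counts the
 * entries of groups; callers should pass a non-negative value that does not
 * exceed the array -- verify whether the implementation checks this.
 */
gboolean mdSetSpreadExportTemplate(
    fBuf_t           *fbuf,
    fbSpreadParams_t *sp,
    uint16_t          tid,
    char            **groups,
    int               num_groups,
    GError          **err);
#endif

gboolean mdSetExportTemplate(
    fBuf_t   *fbuf,
    uint16_t  tid,
    GError  **err);

/*
 * Writes a textual form of ip into ipaddr_buf (inferred from the name).
 *
 * No buffer length is passed, so the callee cannot bound its own write: the
 * caller is responsible for supplying a buffer large enough for the longest
 * output.  A dotted-quad IPv4 string needs 16 bytes including the
 * terminator -- TODO confirm the exact format and byte order against the
 * implementation.
 */
void mdPrintIP4Address(
    char     *ipaddr_buf,
    uint32_t  ip);

/*
 * fbuf, tid and tmpl are all passed by address, so this call can presumably
 * update them; which ones are inputs and which are outputs is not visible
 * from the prototype.
 */
gboolean mdOptionsCheck(
    fBuf_t       **fbuf,
    uint16_t      *tid,
    fbTemplate_t **tmpl,
    GError       **err);

/*
 * Record forwarding and handling entry points.  Each returns gboolean and
 * takes a GError slot; presumably FALSE means failure with *err set (GLib
 * convention) -- confirm per function.  Note that mdForwardOptions() places
 * err before tid, unlike the other prototypes, where err comes last.
 */
gboolean mdForwardOptions(
    mdContext_t       *ctx,
    md_collect_node_t *collector,
    GError           **err,
    uint16_t           tid);

gboolean mdForwardTombstone(
    mdContext_t       *ctx,
    md_collect_node_t *collector,
    GError           **err);

gboolean mdForwardStats(
    mdContext_t       *ctx,
    md_collect_node_t *collector,
    GError           **err);

gboolean mdSendTombstoneRecord(
    mdContext_t *ctx,
    GError     **err);

gboolean mdIgnoreRecord(
    mdContext_t *ctx,
    fBuf_t      *fbuf,
    uint16_t     tid,
    GError     **err);

gboolean mdForwardDNSRR(
    mdContext_t *ctx,
    fBuf_t      *fbuf,
    GError     **err);

gboolean mdForwardDedup(
    mdContext_t *ctx,
    fBuf_t      *fbuf,
    GError     **err);

gboolean mdForwardDNSDedup(
    mdContext_t *ctx,
    fBuf_t      *fbuf,
    GError     **err);

gboolean mdForwardDedupCustom(
    mdContext_t     *ctx,
    mdTmplContext_t *tctx,
    fBuf_t          *fbuf,
    GError         **err);

gboolean mdForwardSSLDedup(
    mdContext_t *ctx,
    fBuf_t      *fbuf,
    GError     **err);

gboolean mdForwardSSLCert(
    mdContext_t *ctx,
    fBuf_t      *fbuf,
    GError     **err);

/*
 * Takes a non-const record pointer and returns a uint16_t; presumably it
 * rewrites rec in place and returns a template ID -- confirm.
 */
uint16_t mdConvertToSiLK(
    md_main_template_t *rec,
    uint16_t            tid);

gboolean mdForwardFlow(
    mdContext_t        *ctx,
    md_main_template_t *rec,
    uint16_t            tid,
    GError            **err);

void mdDecodeAndClear(
    mdContext_t        *ctx,
    md_main_template_t *rec);

void mdMainDecode(
    mdContext_t  *ctx,
    mdFullFlow_t *md_flow);

/*
 * Clean-up helpers.  NOTE(review): the prototypes do not show whether the
 * structure itself is released or only what it refers to; check the
 * implementation before reusing or freeing the argument afterwards.
 */
void mdCleanUP(
    mdFullFlow_t *md_flow);

void mdCleanUpSSLCert(
    yaf_newssl_cert_t *cert);

/*
 * Field-list construction and output decoration.  The creators return an
 * mdFieldList_t pointer; who releases it is not stated in this header.
 */
mdFieldList_t *mdCreateFieldList(
    mdAcceptFilterField_t field);

void mdSetFieldListDecoratorJSON(
    mdFieldList_t *list);

void mdSetFieldListDecoratorCustom(
    mdFieldList_t *list,
    char           delimiter);

void mdSetFieldListDecoratorBasic(
    mdFieldList_t *list,
    char           delimiter);

mdFieldList_t *mdCreateBasicFlowList(
    gboolean payload);

mdFieldList_t *mdCreateIndexFlowList(void);

/*
 * Doubly- and singly-linked list helpers.  head (and tail) are passed by
 * address, so the helpers can presumably update the caller's list pointers.
 *
 * NOTE(review): none of these prototypes says who frees a detached entry.
 * Settle that against the implementation before freeing one, to avoid a
 * double free or a use of an entry that is still linked.
 */
void attachHeadToDLL(
    mdDLL_t **head,
    mdDLL_t **tail,
    mdDLL_t  *newEntry);

void detachThisEntryOfDLL(
    mdDLL_t **head,
    mdDLL_t **tail,
    mdDLL_t  *entryToDetach);

/* Presumably hands the detached head back through toRemove -- confirm. */
void detachHeadOfSLL(
    mdSLL_t **head,
    mdSLL_t **toRemove);

void attachHeadToSLL(
    mdSLL_t **head,
    mdSLL_t  *newEntry);

#endif /* MEDIATOR_CORE_H_INCLUDED */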