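/*
** Modular Logfile Analyzer
** Copyright 2000 Jan Kneschke <jan@kneschke.de>
**
** Homepage: http://www.modlogan.org
**

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version, and provided that the above
 copyright and permission notice is included with all distributed
 copies of this or derived software.

 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.

 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA

**
** $Id: mrecord.h,v 1.31 2003/07/08 10:23:00 miham Exp $
*/

/* include guard: the previous name '_M_RECORD_H_' (leading underscore
** followed by an uppercase letter) is reserved for the implementation
** by C11 7.1.3, so the guard macro no longer starts with '_' */
#ifndef M_RECORD_H
#define M_RECORD_H

#include <time.h>
#include "config.h"

#include "buffer.h"

/* result codes handed back by the record readers.
** M_RECORD_EOF is the only negative one; it is parenthesized so that it
** keeps its meaning inside a larger expression.  Which reader returns
** which code is decided in the parser sources, not in this header. */
#define M_RECORD_NO_ERROR 0
#define M_RECORD_EOF (-1)
#define M_RECORD_SKIPPED 1
#define M_RECORD_CORRUPT 2
#define M_RECORD_IGNORED 3
#define M_RECORD_HARD_ERROR 4


/* a record
** --------
** a record is a chain of different structs:
**
** mlogrec -> mlogrec_web     -> mlogrec_web_extclf
**                            -> mlogrec_web_ftp
**                            -> mlogrec_web_squid
**         -> mlogrec_telecom -> mlogrec_telecom_internal
**         -> mlogrec_traffic -> mlogrec_traffic_flow
**                            -> mlogrec_traffic_ipchains
**                            -> mlogrec_traffic_ippl
**         -> mlogrec_mail    -> mlogrec_mail_qmail_status
**                            -> mlogrec_mail_virus
**
** each '->' in this picture is the member named 'ext' in the struct.
** the type of the struct that 'ext' points to is carried in 'ext_type'
** as an int, which is one of the M_RECORD_TYPE_* values below
** (M_RECORD_TYPE_* for mlogrec, M_RECORD_TYPE_WEB_* for mlogrec_web,
** M_RECORD_TYPE_TELECOM_* / _TRAFFIC_* / _MAIL_* for the other levels,
** going by the naming scheme).  Consumers have to check ext_type before
** casting ext; the exact value <-> struct pairing is fixed by the code
** that fills the records (mrecord.c and the parsers), not by this header.
**
** the '(req)', '(opt)' and '(int)' tags on the members below presumably
** stand for required / optional / internal -- confirm against mrecord.c.
**
** NOTE(review): the string members of these records are presumably
** filled from parsed log lines, i.e. from untrusted input.  Treat their
** content strictly as data (never as a format string) and bound every
** copy made from them.
*/

/* values of mlogrec.ext_type */
#define M_RECORD_TYPE_UNSET 0
#define M_RECORD_TYPE_WEB 1
#define M_RECORD_TYPE_TELECOM 2
#define M_RECORD_TYPE_TRAFFIC 3
#define M_RECORD_TYPE_MAIL 4

/* values of mlogrec_web.ext_type (by the naming scheme) */
#define M_RECORD_TYPE_WEB_UNSET 0
#define M_RECORD_TYPE_WEB_FTP 1
#define M_RECORD_TYPE_WEB_EXTCLF 2
#define M_RECORD_TYPE_WEB_SQUID 3

/* values of mlogrec_telecom.ext_type (by the naming scheme) */
#define M_RECORD_TYPE_TELECOM_UNSET 0
#define M_RECORD_TYPE_TELECOM_INTERNAL 1

/* values of mlogrec_traffic.ext_type (by the naming scheme) */
#define M_RECORD_TYPE_TRAFFIC_UNSET 0
#define M_RECORD_TYPE_TRAFFIC_FLOW 1
#define M_RECORD_TYPE_TRAFFIC_IPCHAINS 2
#define M_RECORD_TYPE_TRAFFIC_IPPL 3

/* values of mlogrec_mail.ext_type (by the naming scheme) */
#define M_RECORD_TYPE_MAIL_UNSET 0
#define M_RECORD_TYPE_MAIL_QMAIL_STATUS 1
#define M_RECORD_TYPE_MAIL_VIRUS 2

/* head of every record chain */
typedef struct {
    /* required fields (required by the main loop) */
    time_t timestamp; /**< (req) timestamp of the logged event */

    int ext_type; /**< (int) one of M_RECORD_TYPE_*; names the struct behind ext */
    void *ext; /**< (int) type-specific part of the record, see ext_type */
} mlogrec;

/* web-style access record (http/ftp/proxy); the second link of the chain
** when mlogrec.ext_type is M_RECORD_TYPE_WEB (by the naming scheme) */
typedef struct {
    buffer *req_host_name; /**< (req) requesting host name */
    buffer *req_host_ip; /**< (req) requesting host ip */
    buffer *req_user; /**< (opt) user */
    buffer *req_protocol; /**< (req) protocol used for this request */
    buffer *req_url; /**< (req) url w/o http get vars */
    int req_status; /**< (req) status of the request */
    double xfersize; /**< (req) transferred bytes (kept as double) */

    buffer *req_method; /**< (opt) request method */
    buffer *req_getvars; /**< (opt) the get vars stripped from req_url */

    int ext_type; /**< (int) one of M_RECORD_TYPE_WEB_*; names the struct behind ext */
    void *ext; /**< (int) format-specific part of the record, see ext_type */
} mlogrec_web;

/* extended CLF fields (referrer, agent, virtual host) */
typedef struct {
    buffer *ref_url; /**< where the user was before */
    buffer *ref_getvars; /**< get vars of ref_url */

    buffer *req_useragent; /**< what the user is using */
    buffer *req_useros; /**< operating system part of the user agent */

    buffer *srv_host; /**< which server is serving this request */
    buffer *srv_port; /**< port of that server (kept as text) */

    time_t duration; /**< duration of transfer (mostly for streaming) */
} mlogrec_web_extclf;

/* values of mlogrec_web_ftp.trans_command */
enum { M_RECORD_FTP_COMMAND_UNSET, M_RECORD_FTP_COMMAND_PUT, M_RECORD_FTP_COMMAND_GET,
       M_RECORD_FTP_COMMAND_DELETE, M_RECORD_FTP_COMMAND_MKDIR,
       M_RECORD_FTP_COMMAND_RMDIR
};


/* values of mlogrec_web_ftp.trans_mode */
#define M_RECORD_FTP_MODE_UNSET 0
#define M_RECORD_FTP_MODE_ASCII 1
#define M_RECORD_FTP_MODE_BINARY 2

/* ftp transfer log fields */
typedef struct {
    buffer *req_group; /**< group of the requesting user */
    int trans_command; /**< one of M_RECORD_FTP_COMMAND_* */
    time_t trans_duration; /**< duration of the transfer */
    int trans_mode; /**< one of M_RECORD_FTP_MODE_* */
} mlogrec_web_ftp;

/* values of mlogrec_web_squid.log_tag; named after the result codes
** found in squid's access.log */
#define M_RECORD_SQUID_LOG_UNSET 0
#define M_RECORD_SQUID_LOG_TCP_HIT 1
#define M_RECORD_SQUID_LOG_TCP_MISS 2
#define M_RECORD_SQUID_LOG_TCP_REFRESH_HIT 3
#define M_RECORD_SQUID_LOG_TCP_REF_FAIL_HIT 4
#define M_RECORD_SQUID_LOG_TCP_REFRESH_MISS 5
#define M_RECORD_SQUID_LOG_TCP_CLIENT_REFRESH 6
#define M_RECORD_SQUID_LOG_TCP_IMS_HIT 7
#define M_RECORD_SQUID_LOG_TCP_IMS_MISS 8
#define M_RECORD_SQUID_LOG_TCP_SWAPFAIL 9
#define M_RECORD_SQUID_LOG_TCP_DENIED 10
#define M_RECORD_SQUID_LOG_UDP_HIT 11
#define M_RECORD_SQUID_LOG_UDP_HIT_OBJ 12
#define M_RECORD_SQUID_LOG_UDP_MISS 13
#define M_RECORD_SQUID_LOG_UDP_DENIED 14
#define M_RECORD_SQUID_LOG_UDP_INVALID 15
#define M_RECORD_SQUID_LOG_UDP_RELOADING 16

/* values of mlogrec_web_squid.data_tag; named after squid's hierarchy
** codes (the list continues below) */
#define M_RECORD_SQUID_DATA_UNSET 0
#define M_RECORD_SQUID_DATA_DIRECT 1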
#define M_RECORD_SQUID_DATA_FIREWALL_IP_DIRECT 2
#define M_RECORD_SQUID_DATA_FIRST_PARENT_MISS 3
#define M_RECORD_SQUID_DATA_FIRST_UP_PARENT 4
#define M_RECORD_SQUID_DATA_LOCAL_IP_DIRECT 5
#define M_RECORD_SQUID_DATA_SIBLING_HIT 6
#define M_RECORD_SQUID_DATA_NO_DIRECT_FAIL 7
#define M_RECORD_SQUID_DATA_NO_PARENT_DIRECT 8
#define M_RECORD_SQUID_DATA_PARENT_HIT 9
#define M_RECORD_SQUID_DATA_SINGLE_PARENT 10
#define M_RECORD_SQUID_DATA_SOURCE_FASTEST 11
#define M_RECORD_SQUID_DATA_PARENT_UDP_HIT_OBJ 12
#define M_RECORD_SQUID_DATA_SIBLING_UDP_HIT_OBJ 13
#define M_RECORD_SQUID_DATA_PASSTHROUGH_PARENT 14
#define M_RECORD_SQUID_DATA_SSL_PARENT_MISS 15
#define M_RECORD_SQUID_DATA_DEFAULT_PARENT 16
#define M_RECORD_SQUID_DATA_ROUNDROBIN_PARENT 17
#define M_RECORD_SQUID_DATA_CLOSEST_PARENT_MISS 18
#define M_RECORD_SQUID_DATA_CLOSEST_DIRECT 19

/* squid access.log specifics; hangs off mlogrec_web.ext */
typedef struct {
    int log_tag; /**< one of M_RECORD_SQUID_LOG_* (the result code column) */
    int data_tag; /**< one of M_RECORD_SQUID_DATA_* (the hierarchy code column) */
} mlogrec_web_squid;

/* values of mlogrec_telecom.direction */
#define M_RECORD_TELECOM_DIRECTION_UNSET 0
#define M_RECORD_TELECOM_DIRECTION_IN 1
#define M_RECORD_TELECOM_DIRECTION_OUT 2

/* call record; the second link of the chain when mlogrec.ext_type is
** M_RECORD_TYPE_TELECOM (by the naming scheme) */
typedef struct {
    char *called_number; /**< destination */
    char *calling_number; /**< source */
    int direction; /**< incoming/outgoing call, one of M_RECORD_TELECOM_DIRECTION_* */
    time_t duration; /**< duration of the call */

    int ext_type; /**< (int) one of M_RECORD_TYPE_TELECOM_*; names the struct behind ext */
    void *ext; /**< (int) provider-specific part of the record, see ext_type */
} mlogrec_telecom;

/* provider/tariff details of a call */
typedef struct {
    char *user_id; /**< for pin protected phones */
    char *provider; /**< used provider */
    int units_to_pay; /**< the german telekom varies the time/unit not the price/unit */
} mlogrec_telecom_internal;

/* values of mlogrec_traffic_flow.protocol and mlogrec_traffic_ipchains.protocol
** (by the naming scheme); the numbers are IP protocol numbers */
/* taken from /etc/protocols */
#define M_RECORD_TRAFFIC_PROTOCOL_UNSET 0
#define M_RECORD_TRAFFIC_PROTOCOL_ICMP 1
#define M_RECORD_TRAFFIC_PROTOCOL_IGMP 2
#define M_RECORD_TRAFFIC_PROTOCOL_GGP 3
#define M_RECORD_TRAFFIC_PROTOCOL_TCP 6
#define M_RECORD_TRAFFIC_PROTOCOL_EGP 8
#define M_RECORD_TRAFFIC_PROTOCOL_PARP 12
#define M_RECORD_TRAFFIC_PROTOCOL_UDP 17
#define M_RECORD_TRAFFIC_PROTOCOL_HMP 20
#define M_RECORD_TRAFFIC_PROTOCOL_IDP 22
#define M_RECORD_TRAFFIC_PROTOCOL_RDP 27


/* traffic record (one entry of a flow/packet log); the second link of
** the chain when mlogrec.ext_type is M_RECORD_TYPE_TRAFFIC (by the
** naming scheme) */
typedef struct {
    char *src; /**< source address, as text */
    char *dst; /**< destination address, as text */
    unsigned long xfer_incoming; /**< bytes in (unit presumed from the name -- confirm in the parsers) */
    unsigned long xfer_outgoing; /**< bytes out (see above) */

    int ext_type; /**< (int) one of M_RECORD_TYPE_TRAFFIC_*; names the struct behind ext */
    void *ext; /**< (int) format-specific part of the record, see ext_type */
} mlogrec_traffic;

/* per-flow attributes; src_as/dst_as and the interface members look like
** the usual flow-export attributes (AS number, interface index) -- confirm
** against the flow parser */
typedef struct {
    int protocol; /**< one of M_RECORD_TRAFFIC_PROTOCOL_* */
    unsigned int packets; /**< packet count of the flow */
    int src_port; /**< source port */
    int dst_port; /**< destination port */
    int src_as; /**< source AS number */
    int dst_as; /**< destination AS number */
    int src_interface; /**< input interface index */
    int dst_interface; /**< output interface index */
} mlogrec_traffic_flow;

/* values of mlogrec_traffic_ipchains.action */
#define M_RECORD_IPCHAINS_ACTION_UNSET 0
#define M_RECORD_IPCHAINS_ACTION_ACCEPT 1
#define M_RECORD_IPCHAINS_ACTION_DENY 2
#define M_RECORD_IPCHAINS_ACTION_REJECT 3
#define M_RECORD_IPCHAINS_ACTION_MASQ 4

/* fields of an ipchains kernel log line.  device, host and chain are
** copied from the log line, i.e. untrusted text -- never hand them to a
** printf-style function as the format argument. */
typedef struct {
    int protocol; /**< one of M_RECORD_TRAFFIC_PROTOCOL_* */
    char *device; /**< network device the packet was seen on */
    char *host; /**< logging host */
    char *chain; /**< name of the chain that matched */
    int action; /**< one of M_RECORD_IPCHAINS_ACTION_* */
    int src_port; /**< source port */
    int dst_port; /**< destination port */
    int rule; /**< number of the matching rule */
} mlogrec_traffic_ipchains;

/* values of mlogrec_traffic_ippl.conn_state */
#define M_RECORD_IPPL_CONNSTATE_UNSET 0
#define M_RECORD_IPPL_CONNATTEMPT 1
#define M_RECORD_IPPL_CONNCLOSED 2

/* actions specific to ipmon lines */
/* these continue the conn_state numbering, so presumably they are
** stored in conn_state as well -- confirm against the ippl parser */
#define M_RECORD_IPPL_PASSED 3
#define M_RECORD_IPPL_BLOCKED 4
#define M_RECORD_IPPL_SHORT_PACKET 5
#define M_RECORD_IPPL_NO_MATCH 6
#define M_RECORD_IPPL_LOG_RULE 7
#define M_RECORD_IPPL_GLOBAL_LOGGING 8

/* values of mlogrec_traffic_ippl.prototype.  the values are 1, 2, 4,
** which looks like a bit mask rather than an index -- confirm before
** using them as an array index */
#define M_RECORD_IPPL_PROTOCOL_UNSET 0
#define M_RECORD_IPPL_PROTOCOL_TCP 1
#define M_RECORD_IPPL_PROTOCOL_UDP 2
#define M_RECORD_IPPL_PROTOCOL_ICMP 4

/* fields of an ippl / ipmon log line */
typedef struct {
    /* For source port */
    int src_port;
    /* For destination port */
    int dst_port;
    /* For connection state, one of M_RECORD_IPPL_CONN* (and presumably the ipmon actions above) */
    int conn_state;
    /* For protocol-type, one of M_RECORD_IPPL_PROTOCOL_* */
    int prototype;
    /* For IP opts (flag: the line carried IP options) */
    int has_ipopts;
    /* For remote ident (text from the log line, untrusted) */
    char* remident;
    /* For remote host (text from the log line, untrusted) */
    char* remhost;
    /* For protocol-name (text from the log line, untrusted) */
    char* protoname;
} mlogrec_traffic_ippl;
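/* mail log record; the second link of the chain when mlogrec.ext_type is
** M_RECORD_TYPE_MAIL (by the naming scheme).
** the member 'receipient' keeps its historical spelling: it is part of the
** API used by the parsers and plugins, renaming it would break them. */
typedef struct {
    char *receipient; /**< (req) recipient address */
    char *sender; /**< (req) sender address */
    time_t duration; /**< (req) duration */
    long bytes_in; /**< (req) traffic incoming */
    long bytes_out; /**< (req) traffic outgoing */

    int status_dsn; /**< delivery status (DSN) code -- presumably as parsed from the log, confirm */
    int status_smtp; /**< smtp status code -- presumably as parsed from the log, confirm */
    char *status_text; /**< status text as it appeared in the log line (untrusted text) */

    int ext_type; /**< (int) one of M_RECORD_TYPE_MAIL_*; names the struct behind ext */
    void *ext; /**< (int) format-specific part of the record, see ext_type */
} mlogrec_mail;

/* qmail status line: current/maximum concurrency and queue counters */
typedef struct {
    int local_cur; /**< current local deliveries */
    int local_max; /**< maximum local deliveries */

    int remote_cur; /**< current remote deliveries */
    int remote_max; /**< maximum remote deliveries */

    int deliver_cur; /**< deliveries in progress */
    int queue_cur; /**< messages in the queue */
} mlogrec_mail_qmail_status;

/* virus scanner log line */
typedef struct {
    char *scanner; /**< name of the scanner */
    char *virus; /**< name of the virus found */
    char *subject; /**< subject of the mail (untrusted text) */
} mlogrec_mail_virus;

/* init
**
** the declarations below use '(void)' instead of the old-style '()' so
** that they are real prototypes: with '()' a call with stray arguments
** goes undiagnosed.  A definition written as 'mrecord_init()' in
** mrecord.c stays compatible with the '(void)' prototype.
**
** Every mrecord_init* presumably allocates its record and hands
** ownership to the caller; release it with the matching mrecord_free*
** (see below).  Confirm allocation failure behaviour (NULL return or
** abort) in mrecord.c before relying on it. */
mlogrec *mrecord_init(void);

mlogrec_web *mrecord_init_web(void);
mlogrec_web_extclf *mrecord_init_web_extclf(void);
mlogrec_web_ftp *mrecord_init_web_ftp(void);
mlogrec_web_squid *mrecord_init_web_squid(void);

mlogrec_telecom *mrecord_init_telecom(void);
mlogrec_telecom_internal *mrecord_init_telecom_internal(void);

mlogrec_traffic *mrecord_init_traffic(void);
mlogrec_traffic_flow *mrecord_init_traffic_flow(void);
mlogrec_traffic_ipchains *mrecord_init_traffic_ipchains(void);
mlogrec_traffic_ippl *mrecord_init_traffic_ippl(void);

mlogrec_mail *mrecord_init_mail(void);
mlogrec_mail_qmail_status *mrecord_init_mail_qmail_status(void);
mlogrec_mail_virus *mrecord_init_mail_virus(void);

/* free
**
** mrecord_free releases a whole record; mrecord_free_ext, going by its
** name, releases only the part hanging off record->ext (confirm in
** mrecord.c).  The per-type functions release one link of the chain.
** None of them can be given a record that was already freed. */
void mrecord_free(mlogrec *record);
void mrecord_free_ext(mlogrec *record);

void mrecord_free_web(mlogrec_web *record);
void mrecord_free_web_extclf(mlogrec_web_extclf *record);
void mrecord_free_web_ftp(mlogrec_web_ftp *record);
void mrecord_free_web_squid(mlogrec_web_squid *record);

void mrecord_free_telecom(mlogrec_telecom *record);
void mrecord_free_telecom_internal(mlogrec_telecom_internal *record);

void mrecord_free_traffic(mlogrec_traffic *record);
void mrecord_free_traffic_flow(mlogrec_traffic_flow *record);
void mrecord_free_traffic_ipchains(mlogrec_traffic_ipchains *record);
void mrecord_free_traffic_ippl(mlogrec_traffic_ippl *record);

void mrecord_free_mail(mlogrec_mail *record);
void mrecord_free_mail_qmail_status(mlogrec_mail_qmail_status *record);
void mrecord_free_mail_virus(mlogrec_mail_virus *record);

/* reset
**
** clears a record for reuse; what happens to record->ext is defined in
** mrecord.c, not here. */
void mrecord_reset(mlogrec *record);

/* copy
**
** copy dst <- src.  The return value convention (0 on success or
** otherwise) is defined in mrecord.c; check it at every call site.
** src is not const-qualified: adding 'const' here alone would make the
** prototype conflict with the definitions in mrecord.c, so both have to
** change together. */

int mrecord_copy_web_extclf(mlogrec_web_extclf *dst, mlogrec_web_extclf *src);
int mrecord_copy_web_squid(mlogrec_web_squid *dst, mlogrec_web_squid *src);
int mrecord_copy_web(mlogrec_web *dst, mlogrec_web *src);
int mrecord_copy(mlogrec *dst, mlogrec *src);

/* move dst <- src; presumably transfers ownership of src's contents
** (src should not be freed as a full record afterwards) -- confirm in
** mrecord.c */
int mrecord_move(mlogrec *dst, mlogrec *src);

#endif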