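/* $Id: main.h 684 2018-11-07 19:26:36Z bhockney $ */

/* (C) 2004-2016 by Bob Hockney <zeus@ix.netcom.com>                   *
 * Based on fwlogwatch written by                                       *
 * Boris Wesslowski <Wesslowski@CERT.Uni-Stuttgart.DE>                  *
 *                                                                      *
 * wfwl_syslog is the backend syslog parser for webfwlog.               *
 *                                                                      *
 * This program is free software; you can redistribute it and/or modify *
 * it under the terms of the GNU General Public License as published by *
 * the Free Software Foundation; either version 2 of the License, or    *
 * (at your option) any later version.                                  *
 *                                                                      *
 * This program is distributed in the hope that it will be useful,      *
 * but WITHOUT ANY WARRANTY; without even the implied warranty of       *
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the        *
 * GNU General Public License for more details.                         *
 *                                                                      *
 * You should have received a copy of the GNU General Public License    *
 * along with this program; if not, write to the Free Software          *
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

/*
 * main.h - shared constants and data structures for wfwl_syslog.
 *
 * This header is data definition only: buffer sizes, parser/selection
 * bitmaps, the per-line record filled by the parsers (struct log_line),
 * the per-row report record (struct conn_data) and the global
 * struct options.  Almost every string is a fixed-size char array, so
 * every writer into one of them must bound the copy by the array size.
 */

/* NOTE(review): an identifier starting with '_' + uppercase is reserved
 * for the implementation.  The guard is kept as-is so that any other
 * translation unit testing _MAIN_H keeps working. */
#ifndef _MAIN_H
#define _MAIN_H

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>       /* uint16_t/uint32_t are used throughout; <netinet/in.h>
                           * is only required by POSIX to provide uint8_t/uint32_t */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <regex.h>

/* config.h */

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#ifdef vms
# include <types.h>
# include <time.h>
#else
# include <sys/types.h>
# if TIME_WITH_SYS_TIME
#  include <sys/time.h>
#  include <time.h>
# else
#  if HAVE_SYS_TIME_H
#   include <sys/time.h>
#  else
#   include <time.h>
#  endif
# endif
#endif /* defined (vms) */

/* Fallback bool for pre-C99 toolchains.  Do not include <stdbool.h>
 * anywhere after this point when HAVE_STDBOOL_H is unset: "bool" would
 * then expand to _Bool and the typedef below would no longer compile. */
#ifdef HAVE_STDBOOL_H
#include <stdbool.h>
#else
typedef char bool;
#define false 0
#define true 1
#endif

#ifdef HAVE_LIBZ
#include <zlib.h>
#endif

#ifdef HAVE_MAXMINDDB_H
#include <maxminddb.h>
#ifdef HAVE_DB_H
#include <db.h>
#endif
#endif


/* Data sizes
 *
 * The *_S macros are the decimal string form of (size - 1), i.e. the
 * largest number of characters that fit in the array with a NUL
 * terminator.  They are presumably spliced into scanf-style format
 * strings as field widths; whatever the use, a *_S value MUST be kept
 * equal to its numeric twin minus one, otherwise a bounded read becomes
 * an overflow. */

#define BUFSIZE       1024
#define BUFSIZE_S     "1023"
#define QUERYSIZE     4096
#define FILESIZE      256
#define TIMESIZE      40
#define SHORTLEN      128
#define SHORTLEN_S    "127"
#define SHOSTLEN      33
#define SHOSTLEN_S    "32"
#define IPLEN         16      /* "255.255.255.255" + NUL */
#define IP6LEN        40      /* longest IPv6 text form (39) + NUL */
#define IP6LEN_S      "39"
#define MAXSORTSIZE   24

#ifndef INET6_ADDRSTRLEN
#define INET6_ADDRSTRLEN 46
#endif

/* Files */

#define INFILE    "/var/log/messages"   /* Default input file */
#define REPORTDEF "-"

/* Database */

enum {
    DB_FAILURE,
    DB_SUCCESS
};

enum {
    QUERY_OK,
    QUERY_ERROR
};

/* Modes */

enum {
    LOG_SUMMARY,
    LOG_DETAIL
};

/* Parser
 *
 * Bit flags; several parsers may be selected at once (see
 * options.format / options.parser). */

#define PARSER_IPCHAINS   1
#define PARSER_NETFILTER  2
#define PARSER_IPFILTER   4
#define PARSER_WIN_XP     8
#define PARSER_IPFW       16
#define PARSER_CISCO_IOS  32
#define PARSER_CISCO_PIX  64
#define PARSER_SNORT      128
#define PARSER_NETSCREEN  256

/* Parser return codes */
enum {
    PARSE_OK,
    PARSE_ERROR,
    PARSE_NO_HIT,
    PARSE_WRONG_FORMAT,
    PARSE_EXCLUDED
};

enum {
    IN_ADDR_OK,
    IN_ADDR_ERROR
};

/* TCP flags (bitmap stored in log_line.flags / conn_data.flags) */

#define TCP_SYN          1
#define TCP_ACK          2
#define TCP_FIN          4
#define TCP_RST          8
#define TCP_PSH          16
#define TCP_URG          32
#define TCP_OPTS_EXACT   64
#define TCP_FLAGS_MATCH  128

/* ipchains support: bitmap of which parts of a line have been parsed */

#define IPCHAINS_DATE  1
#define IPCHAINS_DATA  2
#define IPCHAINS_IPS   4

/* netfilter support: bitmap of which parts of a line have been parsed */

#define NF_DATE   1
#define NF_IN     2
#define NF_SRC    4
#define NF_DST    8
#define NF_PROTO  16
#define NF_SPT    32
#define NF_DPT    64
#define NF_TYPE   128

enum {
    NF_OPT_NOPREFIX,
    NF_OPT_PREFIX,
    NF_OPT_SRC,
    NF_OPT_DST
};

/* ipfilter support */

#define IPF_DATE      1
#define IPF_DATA      2
#define IPF_PROTO     4
#define IPF_SRC_IP    8
#define IPF_DST_IP    16
#define IPF_SRC_PORT  32
#define IPF_DST_PORT  64
#define IPF_TYPE      128
#define IPF_NO_HIT    256

#define IPF_OPT_NONE   1
#define IPF_OPT_COUNT  2
#define IPF_OPT_SRC    4
#define IPF_OPT_DST    8
#define IPF_OPT_RES    16
#define IPF_OPT_PORT   32
#define IPF_OPT_RPORT  64

/* ipfw support */

#define IPFW_DATE    1
#define IPFW_CHAIN   2
#define IPFW_PROTO   4
#define IPFW_IPS     8
#define IPFW_IF      16
#define IPFW_NO_HIT  32

enum {
    IPFW_OPT_NONE,
    IPFW_OPT_ICMP,
    IPFW_OPT_OTHER,
    IPFW_OPT_PORTS
};

/* Sorting */

/* NOTE(review): 35767 is an odd sentinel; it looks like it may have been
 * meant to be 32767 (SHRT_MAX).  Left unchanged - confirm against the
 * code that compares against it before touching it. */
#define SORT_INV_NO_SORT 35767

/* enumerated list of columns by which sorting may be done
 * (values start at 1 so that 0 can mean "unset") */
enum {
    SORT_ID = 1,
    SORT_SNAME,
    SORT_COUNT,
    SORT_START_TIME,
    SORT_END_TIME,
    SORT_PROTOCOL,
    SORT_SOURCEHOST,
    SORT_SOURCEPORT,
    SORT_DESTHOST,
    SORT_DESTPORT,
    SORT_ICMP_TYPE,
    SORT_ICMP_CODE,
    SORT_ICMP_ECHOID,
    SORT_ICMP_ECHOSEQ,
    SORT_ICMP_MTU,
    SORT_ICMP_GW,
    SORT_IP_ID,
    SORT_IP_IHL,
    SORT_IP_TOS,
    SORT_IP_TOTLEN,
    SORT_IP_TTL,
    SORT_IP6_FLOWLABEL,
    SORT_IP6_PAY_LEN,
    SORT_OOB_FAMILY,
    SORT_LOCAL_HOST,
    SORT_IN_IF,
    SORT_OUT_IF,
    SORT_FWMARK,
    SORT_PREFIX,            /* same as CHAINLABEL */
    SORT_LOCAL_TIME,
    SORT_OOB_TIME,
    SORT_TIME_USEC,
    SORT_OOB_PROTOCOL,
    SORT_MAC_SADDR,
    SORT_MAC_DADDR,
    SORT_MAC,
    SORT_FRAGOFF,
    SORT_CSUM,
    SORT_AHESP_SPI,
    SORT_TCP_SEQ,
    SORT_TCP_ACKSEQ,
    SORT_TCP_WINDOW,
    SORT_UDP_LEN,
    SORT_TCP_URGP,
    SORT_TCP_OPTS,
    SORT_CONTINENT_CODE_SRC,
    SORT_CONTINENT_NAME_SRC,
    SORT_COUNTRY_ISO_CODE_SRC,
    SORT_COUNTRY_NAME_SRC,
    SORT_SUBDIVISION_1_ISO_CODE_SRC,
    SORT_SUBDIVISION_1_NAME_SRC,
    SORT_SUBDIVISION_2_ISO_CODE_SRC,
    SORT_SUBDIVISION_2_NAME_SRC,
    SORT_CITY_NAME_SRC,
    SORT_METRO_CODE_SRC,
    SORT_TIME_ZONE_SRC,
    SORT_ACCURACY_RADIUS_SRC,
    SORT_REGISTERED_COUNTRY_GEONAME_ID_SRC,
    SORT_REPRESENTED_COUNTRY_GEONAME_ID_SRC,
    SORT_IS_ANONYMOUS_PROXY_SRC,
    SORT_IS_SATELLITE_PROVIDER_SRC,
    SORT_POSTAL_CODE_SRC,
    SORT_LATITUDE_SRC,
    SORT_LONGITUDE_SRC,
    SORT_CONTINENT_CODE_DST,
    SORT_CONTINENT_NAME_DST,
    SORT_COUNTRY_ISO_CODE_DST,
    SORT_COUNTRY_NAME_DST,
    SORT_SUBDIVISION_1_ISO_CODE_DST,
    SORT_SUBDIVISION_1_NAME_DST,
    SORT_SUBDIVISION_2_ISO_CODE_DST,
    SORT_SUBDIVISION_2_NAME_DST,
    SORT_CITY_NAME_DST,
    SORT_METRO_CODE_DST,
    SORT_TIME_ZONE_DST,
    SORT_ACCURACY_RADIUS_DST,
    SORT_REGISTERED_COUNTRY_GEONAME_ID_DST,
    SORT_REPRESENTED_COUNTRY_GEONAME_ID_DST,
    SORT_IS_ANONYMOUS_PROXY_DST,
    SORT_IS_SATELLITE_PROVIDER_DST,
    SORT_POSTAL_CODE_DST,
    SORT_LATITUDE_DST,
    SORT_LONGITUDE_DST
};

enum {
    ORDER_ASCENDING,
    ORDER_DESCENDING
};

/* One entry of the sort-key list for a report. */
struct sort_order {
    int field;                  /* a SORT_* value */
    char keyname[SHORTLEN];     /* human readable name, for messages */
    int order;                  /* ORDER_ASCENDING / ORDER_DESCENDING */
    int position;
    struct sort_order *next;
};

/* enumerated list of possible fields for report
 * (values start at 1 so that 0 can mean "unset") */
enum {
    COL_ID = 1,
    COL_SNAME,
    COL_COUNT,
    COL_LOCAL_HOST,
    COL_LOCAL_TIME,
    COL_START_TIME,
    COL_END_TIME,
    COL_LOG_PREFIX,
    COL_FWMARK,
    COL_OOB_PROTOCOL,
    COL_MAC_SADDR,
    COL_MAC_DADDR,
    COL_MAC,
    COL_IN_IF,
    COL_OUT_IF,
    COL_IP_PROTO,
    COL_SOURCEHOST,
    COL_SOURCEHOST_NAME,
    COL_SOURCEPORT,
    COL_SOURCE_SERVICE,
    COL_DESTHOST,
    COL_DESTHOST_NAME,
    COL_DESTPORT,
    COL_DEST_SERVICE,
    COL_IP_ID,
    COL_IP_CSUM,
    COL_IP_FRAGOFF,
    COL_IP_IHL,
    COL_IP_TOS,
    COL_IP_TTL,
    COL_IP6_FLOWLABEL,
    COL_IP6_PAY_LEN,
    COL_IP_LEN,
    COL_OOB_FAMILY,
    COL_ICMP_TYPE,
    COL_ICMP_CODE,
    COL_TCP_SEQ,
    COL_TCP_ACKSEQ,
    COL_TCP_WINDOW,
    COL_TCP_OPTIONS,
    COL_TCP_URGP,
    COL_UDP_LEN,
    COL_ICMP_ECHOID,
    COL_ICMP_ECHOSEQ,
    COL_ICMP_MTU,
    COL_ICMP_GATEWAY,
    COL_AHESP_SPI,
    COL_CONTINENT_CODE_SRC,
    COL_CONTINENT_NAME_SRC,
    COL_COUNTRY_ISO_CODE_SRC,
    COL_COUNTRY_NAME_SRC,
    COL_SUBDIVISION_1_ISO_CODE_SRC,
    COL_SUBDIVISION_1_NAME_SRC,
    COL_SUBDIVISION_2_ISO_CODE_SRC,
    COL_SUBDIVISION_2_NAME_SRC,
    COL_CITY_NAME_SRC,
    COL_METRO_CODE_SRC,
    COL_TIME_ZONE_SRC,
    COL_ACCURACY_RADIUS_SRC,
    COL_REGISTERED_COUNTRY_GEONAME_ID_SRC,
    COL_REPRESENTED_COUNTRY_GEONAME_ID_SRC,
    COL_IS_ANONYMOUS_PROXY_SRC,
    COL_IS_SATELLITE_PROVIDER_SRC,
    COL_POSTAL_CODE_SRC,
    COL_LATITUDE_SRC,
    COL_LONGITUDE_SRC,
    COL_CONTINENT_CODE_DST,
    COL_CONTINENT_NAME_DST,
    COL_COUNTRY_ISO_CODE_DST,
    COL_COUNTRY_NAME_DST,
    COL_SUBDIVISION_1_ISO_CODE_DST,
    COL_SUBDIVISION_1_NAME_DST,
    COL_SUBDIVISION_2_ISO_CODE_DST,
    COL_SUBDIVISION_2_NAME_DST,
    COL_CITY_NAME_DST,
    COL_METRO_CODE_DST,
    COL_TIME_ZONE_DST,
    COL_ACCURACY_RADIUS_DST,
    COL_REGISTERED_COUNTRY_GEONAME_ID_DST,
    COL_REPRESENTED_COUNTRY_GEONAME_ID_DST,
    COL_IS_ANONYMOUS_PROXY_DST,
    COL_IS_SATELLITE_PROVIDER_DST,
    COL_POSTAL_CODE_DST,
    COL_LATITUDE_DST,
    COL_LONGITUDE_DST
};

/* Host/service name cache behaviour (bit flags) */
#define CACHE_RESOLVE        1
#define CACHE_POPULATE       2
#define CACHE_UPDATE         4
#define CACHE_POPULATE_FULL  8

/* One entry of the column list for a report. */
struct field_order {
    int field;                  /* a COL_* value */
    char keyname[SHORTLEN];     /* human readable for messages */
    int position;
    struct field_order *next;
};

/* Fields in report */
/* this is used to indicate which fields are in report for more efficient
 * summarization; each member is a 0/1 flag */
struct fields_used {
    unsigned char count;
    unsigned char sname;
    unsigned char local_time;
    unsigned char earliest;
    unsigned char latest;
    unsigned char hostname;
    unsigned char log_label;
    unsigned char protocol;
    unsigned char totlen;
    unsigned char shost;
    unsigned char shost_name;
    unsigned char sport;
    unsigned char src_service;
    unsigned char dhost;
    unsigned char dhost_name;
    unsigned char dport;
    unsigned char dst_service;
    unsigned char flags;
    unsigned char oob_protocol;
    unsigned char mac_saddr_str;
    unsigned char mac_daddr_str;
    unsigned char raw_mac;
    unsigned char fwmark;
    unsigned char inif;
    unsigned char outif;
    unsigned char tos;
    unsigned char ttl;
    unsigned char ihl;
    unsigned char csum;
    unsigned char ipid;
    unsigned char family;
    unsigned char fragoff;
    unsigned char pay_len;
    unsigned char flowlabel;
    unsigned char tcp_seq;
    unsigned char tcp_ack_seq;
    unsigned char tcp_window;
    unsigned char tcp_urgp;
    unsigned char udp_len;
    unsigned char icmp_type;
    unsigned char icmp_code;
    unsigned char icmp_echoid;
    unsigned char icmp_echoseq;
    unsigned char icmp_gw;
    unsigned char icmp_mtu;
    unsigned char ahesp_spi;
    unsigned char continent_code_s;
    unsigned char continent_name_s;
    unsigned char country_iso_code_s;
    unsigned char country_name_s;
    unsigned char subdivision_1_iso_code_s;
    unsigned char subdivision_1_name_s;
    unsigned char subdivision_2_iso_code_s;
    unsigned char subdivision_2_name_s;
    unsigned char city_name_s;
    unsigned char metro_code_s;
    unsigned char time_zone_s;
    unsigned char accuracy_radius_s;
    unsigned char registered_country_geoname_id_s;
    unsigned char represented_country_geoname_id_s;
    unsigned char is_anonymous_proxy_s;
    unsigned char is_satellite_provider_s;
    unsigned char postal_code_s;
    unsigned char latitude_s;
    unsigned char longitude_s;
    unsigned char continent_code_d;
    unsigned char continent_name_d;
    unsigned char country_iso_code_d;
    unsigned char country_name_d;
    unsigned char subdivision_1_iso_code_d;
    unsigned char subdivision_1_name_d;
    unsigned char subdivision_2_iso_code_d;
    unsigned char subdivision_2_name_d;
    unsigned char city_name_d;
    unsigned char metro_code_d;
    unsigned char time_zone_d;
    unsigned char accuracy_radius_d;
    unsigned char registered_country_geoname_id_d;
    unsigned char represented_country_geoname_id_d;
    unsigned char is_anonymous_proxy_d;
    unsigned char is_satellite_provider_d;
    unsigned char postal_code_d;
    unsigned char latitude_d;
    unsigned char longitude_d;
};

/* Data structures */

/* Used for ICMP type and code tables */
struct icmp_code {
    int code;
    char *name;
};

struct icmp_type {
    int type;
    char *name;
    struct icmp_code *codes;    /* array of numcodes entries */
    int numcodes;
};

/* Maps a report-definition keyword to the sort / selection / column
 * identifiers it stands for. */
struct reportdef_keys {
    char *key;
    unsigned char sort_key;         /* SORT_* or 0 */
    uint32_t sel_key;               /* SEL_* or 0 */
    unsigned char sel_type;         /* SEL_NUM, SEL_REGEX, ... */
    time_t *aggregate_value;
    unsigned char *field_used;      /* points into a struct fields_used */
    unsigned char col_key;          /* COL_* or 0 */
    unsigned char cache_resolve;
    unsigned char use_geoip;        /* GEOIP_USE_* */
};

/* Geoip2 support */

#define GEOIP_USE_SRC  1
#define GEOIP_USE_DST  2
#define GEOIP_OFF      4

/* Keep order of this enum list in sync with struct geoip_data, and also *
 * array at top of parsers.c                                             */
enum {
    GEOIP2_CONT_CODE,
    GEOIP2_CONT_NAME,
    GEOIP2_COUNTRY_ISO,
    GEOIP2_COUNTRY_NAME,
    GEOIP2_SUB_0_ISO,
    GEOIP2_SUB_0_NAME,
    GEOIP2_SUB_1_ISO,
    GEOIP2_SUB_1_NAME,
    GEOIP2_CITY,
    GEOIP2_METRO,
    GEOIP2_TZ,
    GEOIP2_REG_COUNTRY_NAME,
    GEOIP2_REP_COUNTRY_NAME,
    GEOIP2_ANON_PROXY,
    GEOIP2_SAT_PROV,
    GEOIP2_POSTAL,
    GEOIP2_LATITUDE,
    GEOIP2_LONGITUDE,
    GEOIP2_ACCURACY_RADIUS,
    GEOIP2_MAX                  /* number of GEOIP2_* fields */
};

/* Geolocation record shared (by pointer) between log lines / rows;
 * refcount tracks the number of holders. */
struct geoip_data {
    char continent_code[SHOSTLEN];
    char continent_name[SHOSTLEN];
    char country_iso_code[SHOSTLEN];
    char country_name[SHOSTLEN];
    char subdivision_1_iso_code[SHOSTLEN];
    char subdivision_1_name[SHOSTLEN];
    char subdivision_2_iso_code[SHOSTLEN];
    char subdivision_2_name[SHOSTLEN];
    char city_name[SHOSTLEN];
    uint16_t metro_code;
    char time_zone[SHOSTLEN];
    char registered_country_geoname_id[SHOSTLEN];
    char represented_country_geoname_id[SHOSTLEN];
    bool is_anonymous_proxy;
    bool is_satellite_provider;
    char postal_code[SHOSTLEN];
    double latitude;
    double longitude;
    uint16_t accuracy_radius;
    uint32_t refcount;
};

/* Used for receiving data from a line in log file.
 * Everything in here comes from an untrusted log line: parsers must
 * bound every copy into the char arrays by the array size. */
struct log_line {
    char filename[FILESIZE];
    unsigned long int linenum;
    time_t time;
    char hostname[SHOSTLEN];
    char log_label[SHORTLEN];
    char chainlabel[SHORTLEN];
    char branchname[SHORTLEN];
    char interface[SHORTLEN];
    unsigned char protocol;
    uint16_t totlen;
    unsigned short int family;
    struct in_addr shost;
#ifdef HAVE_INET_NTOP
    struct in6_addr shost6;
#endif
    char shost_s[INET6_ADDRSTRLEN];     /* printable source address */
    char shostname[SHORTLEN];
    uint32_t sport;
    char sservice[SHORTLEN];
    struct in_addr dhost;
#ifdef HAVE_INET_NTOP
    struct in6_addr dhost6;
#endif
    char dhost_s[INET6_ADDRSTRLEN];     /* printable destination address */
    char dhostname[SHORTLEN];
    uint32_t dport;
    char dservice[SHORTLEN];
    unsigned char flags;                /* TCP_* bitmap */
    unsigned long int count;
    uint16_t oob_protocol;
    char mac_saddr_str[SHORTLEN];
    char mac_daddr_str[SHORTLEN];
    char raw_mac[SHORTLEN];
    uint32_t fwmark;
    char inif[SHORTLEN];
    char outif[SHORTLEN];
    unsigned char tos;
    unsigned char ttl;
    unsigned char ihl;
    uint16_t csum;
    uint16_t ipid;
    uint16_t pay_len;
    uint32_t flowlabel;
    uint16_t fragoff;
    uint32_t tcp_seq;
    uint32_t tcp_ack_seq;
    uint16_t tcp_window;
    uint16_t tcp_urgp;
    uint16_t udp_len;
    unsigned char icmp_type;
    unsigned char icmp_code;
    uint16_t icmp_echoid;
    uint16_t icmp_echoseq;
    struct in_addr icmp_gw;
    uint16_t icmp_mtu;
    uint32_t ahesp_spi;
    struct geoip_data *geoip_data_src;  /* shared, refcounted; may be NULL */
    struct geoip_data *geoip_data_dst;  /* shared, refcounted; may be NULL */
};

/* Linked list of report data (one node per output row) */
struct conn_data {
    char filename[FILESIZE];
    unsigned long int rowid;
    unsigned long int linenum;
    unsigned long int count;
    time_t local_time;
    time_t start_time;
    time_t end_time;
    char hostname[SHOSTLEN];
    char log_label[SHORTLEN];
    char chainlabel[SHORTLEN];
    char branchname[SHORTLEN];
    char interface[SHORTLEN];
    unsigned char protocol;
    uint16_t totlen;
    unsigned short int family;
    struct in_addr shost;
#ifdef HAVE_INET_NTOP
    struct in6_addr shost6;
#endif
    char shost_s[INET6_ADDRSTRLEN];
    char shostname[SHORTLEN];
    uint32_t sport;
    char sservice[SHORTLEN];
    struct in_addr dhost;
#ifdef HAVE_INET_NTOP
    struct in6_addr dhost6;
#endif
    char dhost_s[INET6_ADDRSTRLEN];
    char dhostname[SHORTLEN];
    uint32_t dport;
    char dservice[SHORTLEN];
    unsigned char flags;                /* TCP_* bitmap */
    uint16_t oob_protocol;
    char mac_saddr_str[SHORTLEN];
    char mac_daddr_str[SHORTLEN];
    char raw_mac[SHORTLEN];
    uint32_t fwmark;
    char inif[SHORTLEN];
    char outif[SHORTLEN];
    unsigned char tos;
    unsigned char ttl;
    unsigned char ihl;
    uint16_t csum;
    uint16_t ipid;
    uint16_t pay_len;
    uint32_t flowlabel;
    uint16_t fragoff;
    uint32_t tcp_seq;
    uint32_t tcp_ack_seq;
    uint16_t tcp_window;
    uint16_t tcp_urgp;
    uint16_t udp_len;
    unsigned char icmp_type;
    unsigned char icmp_code;
    uint16_t icmp_echoid;
    uint16_t icmp_echoseq;
    struct in_addr icmp_gw;
    uint16_t icmp_mtu;
    uint32_t ahesp_spi;
    struct geoip_data *geoip_data_src;  /* shared, refcounted; may be NULL */
    struct geoip_data *geoip_data_dst;  /* shared, refcounted; may be NULL */
    struct conn_data *next;
};

/* when populating cache for summarized report at runtime, this structure */
/* contains detail for summarized lines for fields that may not appear in */
/* report */
struct conn_data_sum {
    unsigned long int rowid;
    unsigned short int family;
    struct in_addr shost;
#ifdef HAVE_INET_NTOP
    struct in6_addr shost6;
#endif
    char shost_s[INET6_ADDRSTRLEN];
    struct in_addr dhost;
#ifdef HAVE_INET_NTOP
    struct in6_addr dhost6;
#endif
    char dhost_s[INET6_ADDRSTRLEN];
    unsigned char protocol;
    uint32_t sport;
    uint32_t dport;
    struct conn_data_sum *next;
};

/* Linked list of files to be parsed */
struct input_file {
    char *name;
    struct input_file *next;
};

/* enumerated list of matches */
enum {
    P_MATCH_NONE,
    P_MATCH_EXC
};

/* include/exclude bitmap for numeric criteria,   *
 * to support use of multiple values.             *
 *                                                *
 * The bitmap is wider than 32 bits, so EVERY constant carries the ULL
 * suffix.  Mixing plain int/unsigned constants with ULL ones in a 64-bit
 * mask is a latent bug: e.g. an unsuffixed 0x80000000 has type unsigned
 * int, so ~MATCH_ICMPv6_ECHOSEQ would be 0x7FFFFFFF zero-extended to
 * 64 bits and "mask &= ~MATCH_ICMPv6_ECHOSEQ" would silently clear every
 * bit above 31.  Keep new entries suffixed. */
#define MATCH_MUL_NONE             0x000000000000ULL
#define MATCH_TCP_DPORT            0x000000000001ULL
#define MATCH_TCP_SPORT            0x000000000002ULL
#define MATCH_UDP_DPORT            0x000000000004ULL
#define MATCH_UDP_SPORT            0x000000000008ULL
#define MATCH_ICMP_TYPE            0x000000000010ULL
#define MATCH_ICMP_CODE            0x000000000020ULL
#define MATCH_SRC_HOST             0x000000000040ULL
#define MATCH_DST_HOST             0x000000000080ULL
#define MATCH_PROTOCOL             0x000000000100ULL
#define MATCH_AHESP_SPI            0x000000000200ULL
#define MATCH_IP_TOS               0x000000000400ULL
#define MATCH_IP_TTL               0x000000000800ULL
#define MATCH_IP_IHL               0x000000001000ULL
#define MATCH_IP_TOTLEN            0x000000002000ULL
#define MATCH_IP_ID                0x000000004000ULL
#define MATCH_IP_CSUM              0x000000008000ULL
#define MATCH_IP_FRAGOFF           0x000000010000ULL
#define MATCH_OOB_MARK             0x000000020000ULL
#define MATCH_TCP_SEQ              0x000000040000ULL
#define MATCH_TCP_ACKSEQ           0x000000080000ULL
#define MATCH_TCP_WINDOW           0x000000100000ULL
#define MATCH_TCP_URGP             0x000000200000ULL
#define MATCH_ICMP_ECHOID          0x000000400000ULL
#define MATCH_ICMP_ECHOSEQ         0x000000800000ULL
#define MATCH_ICMP_FRAGMTU         0x000001000000ULL
#define MATCH_UDP_LEN              0x000002000000ULL
#define MATCH_ICMP_GATEWAY         0x000004000000ULL
#define MATCH_OOB_FAMILY           0x000008000000ULL
#define MATCH_ICMPv6_TYPE          0x000010000000ULL
#define MATCH_ICMPv6_CODE          0x000020000000ULL
#define MATCH_ICMPv6_ECHOID        0x000040000000ULL
#define MATCH_ICMPv6_ECHOSEQ       0x000080000000ULL
#define MATCH_IP6_FLOWLABEL        0x000100000000ULL
#define MATCH_IP6_PAY_LEN          0x000200000000ULL
#define MATCH_OOB_PROTOCOL         0x000400000000ULL
#define MATCH_METRO_CODE_SRC       0x000800000000ULL
#define MATCH_ACCURACY_RADIUS_SRC  0x001000000000ULL
#define MATCH_LATITUDE_SRC         0x002000000000ULL
#define MATCH_LONGITUDE_SRC        0x004000000000ULL
#define MATCH_METRO_CODE_DST       0x008000000000ULL
#define MATCH_ACCURACY_RADIUS_DST  0x010000000000ULL
#define MATCH_LATITUDE_DST         0x020000000000ULL
#define MATCH_LONGITUDE_DST        0x040000000000ULL

/* enumerated list of item types in report definitions */
enum {
    DEF_NONE,
    DEF_WHERE,
    DEF_INVERT,
    DEF_SORT,
    DEF_ORDER,
    DEF_COLUMN,
    DEF_SUM,
    DEF_OPTION
};

/* enumerated list of items by which selection may be done
 * (values start at 1 so that 0 can mean "unset") */
enum {
    SEL_MIN_DATE = 1,
    SEL_MAX_DATE,
    SEL_PROTOCOL,
    SEL_SOURCEHOST,
    SEL_DESTHOST,
    SEL_UDP_SPORT,
    SEL_UDP_DPORT,
    SEL_ICMP_TYPE,
    SEL_ICMP_CODE,
    SEL_ICMPv6_TYPE,
    SEL_ICMPv6_CODE,
    SEL_LOCAL_HOST,
    SEL_IN_IF,
    SEL_OUT_IF,
    SEL_PREFIX,
    SEL_TCP_SPORT,
    SEL_TCP_DPORT,
    SEL_TCP_FLAGS,
    SEL_TCP_SYN,
    SEL_TCP_ACK,
    SEL_TCP_FIN,
    SEL_TCP_RST,
    SEL_TCP_PSH,
    SEL_TCP_URG,
    SEL_TCP_OPTS_EXACT,
    SEL_AHESP_SPI,
    SEL_IP_TOS,
    SEL_IP_TTL,
    SEL_IP_IHL,
    SEL_IP_TOTLEN,
    SEL_IP_ID,
    SEL_IP_CSUM,
    SEL_IP_DF,
    SEL_IP_MF,
    SEL_IP_FRAGOFF,
    SEL_IP6_FLOWLABEL,
    SEL_IP6_PAY_LEN,
    SEL_OOB_FAMILY,
    SEL_OOB_MARK,
    SEL_TCP_SEQ,
    SEL_TCP_ACKSEQ,
    SEL_TCP_WINDOW,
    SEL_TCP_URGP,
    SEL_ICMP_ECHOID,
    SEL_ICMP_ECHOSEQ,
    SEL_ICMP_GATEWAY,
    SEL_ICMP_FRAGMTU,
    SEL_ICMPv6_ECHOID,
    SEL_ICMPv6_ECHOSEQ,
    SEL_UDP_LEN,
    SEL_OOB_PROTOCOL,
    SEL_MAC_SADDR,
    SEL_MAC_DADDR,
    SEL_MAC,
    SEL_CONTINENT_CODE_SRC,
    SEL_CONTINENT_NAME_SRC,
    SEL_COUNTRY_ISO_CODE_SRC,
    SEL_COUNTRY_NAME_SRC,
    SEL_SUBDIVISION_1_ISO_CODE_SRC,
    SEL_SUBDIVISION_1_NAME_SRC,
    SEL_SUBDIVISION_2_ISO_CODE_SRC,
    SEL_SUBDIVISION_2_NAME_SRC,
    SEL_CITY_NAME_SRC,
    SEL_METRO_CODE_SRC,
    SEL_TIME_ZONE_SRC,
    SEL_ACCURACY_RADIUS_SRC,
    SEL_REGISTERED_COUNTRY_GEONAME_ID_SRC,
    SEL_REPRESENTED_COUNTRY_GEONAME_ID_SRC,
    SEL_IS_ANONYMOUS_PROXY_SRC,
    SEL_IS_SATELLITE_PROVIDER_SRC,
    SEL_POSTAL_CODE_SRC,
    SEL_LATITUDE_SRC,
    SEL_LONGITUDE_SRC,
    SEL_CONTINENT_CODE_DST,
    SEL_CONTINENT_NAME_DST,
    SEL_COUNTRY_ISO_CODE_DST,
    SEL_COUNTRY_NAME_DST,
    SEL_SUBDIVISION_1_ISO_CODE_DST,
    SEL_SUBDIVISION_1_NAME_DST,
    SEL_SUBDIVISION_2_ISO_CODE_DST,
    SEL_SUBDIVISION_2_NAME_DST,
    SEL_CITY_NAME_DST,
    SEL_METRO_CODE_DST,
    SEL_TIME_ZONE_DST,
    SEL_ACCURACY_RADIUS_DST,
    SEL_REGISTERED_COUNTRY_GEONAME_ID_DST,
    SEL_REPRESENTED_COUNTRY_GEONAME_ID_DST,
    SEL_IS_ANONYMOUS_PROXY_DST,
    SEL_IS_SATELLITE_PROVIDER_DST,
    SEL_POSTAL_CODE_DST,
    SEL_LATITUDE_DST,
    SEL_LONGITUDE_DST
};

/* enumerated list of selection criteria types */
enum {
    SEL_NUM = 1,
    SEL_DOUBLE,
    SEL_REGEX,
    SEL_BOOLEAN,
    SEL_IPADDR,
    SEL_PROTO,
    SEL_DATE,
    SEL_DFMF,
    SEL_AGG_COUNT,
    SEL_AGG_DATE,
    SEL_ID
};

/* One selection (WHERE) criterion; which members are meaningful depends
 * on `type`.  `buf` is a compiled regex_t: whoever frees the node must
 * regfree() it when it was compiled, or the pattern's storage leaks. */
struct selection {
    int field;                      /* a SEL_* item */
    char keyname[SHORTLEN];         /* human readable, for messages */
    int type;                       /* SEL_NUM, SEL_REGEX, ... */
    unsigned long int value;
    unsigned long int max_value;
    double double_value;
    double max_double_value;
    char svalue[SHORTLEN];          /* text form of the criterion value */
    regex_t buf;                    /* compiled pattern for SEL_REGEX */
    unsigned short int family;
    uint32_t in_addr;
    uint32_t netmask;
#ifdef HAVE_INET_NTOP
    struct in6_addr in6_addr;
#endif
    unsigned char in6_bits;         /* prefix length for IPv6 matches */
    unsigned char invert;           /* non-zero: criterion is negated */
    int have_value;
    struct selection *next;
};

/* Holds values for aggregate selection criteria */
struct select_sum {
    unsigned long int min_count;
    unsigned long int max_count;
    time_t max_earliest;
    time_t min_latest;
};

/* Verbosity levels.                         *
 * The labels are for convenience only.      */
enum {
    VERBOSE_OFF,        /* No status messages */
    VERBOSE_INFO,       /* Basic status messages of actions being taken */
    VERBOSE_NOTICE,     /* Detail status messages */
    VERBOSE_ALERT,      /* Still more status messages */
    VERBOSE_WARNING,    /* Some detail of progress */
    VERBOSE_ERROR,      /* More detail of progress */
    VERBOSE_DEBUG       /* Great detail of progress */
};

/* Contains parsed global options. */
/* Also contains the current log line being parsed and other reused data */
/* There is one of these with global scope */
struct options {
    unsigned char mode;                 /* reporting mode (LOG_SUMMARY / LOG_DETAIL) */
#ifdef HAVE_LIBZ
    gzFile inputfd;                     /* file handle of current input file */
#else
    FILE *inputfd;                      /* file handle of current input file */
#endif
    char pathname[FILESIZE];            /* path to syslog files */
    char filename[FILESIZE];            /* name of file currently being parsed */
    unsigned long int packet;           /* set to line number for packet detail */
    unsigned long int linenum;          /* line number currently being parsed */
    unsigned char std_in;               /* set if no input files; reads stdin */
    char geoip2_locale[SHORTLEN];       /* currently used only for geoip2 data */

    unsigned char verbose;              /* verbosity level: one of the VERBOSE_* values */
    int filecount;                      /* number of input files, or 0 if stdin used */
    char reportdef[FILESIZE];           /* name of report definition file */
    char db[SHORTLEN];                  /* database to use - mysql or pgsql */
    char mysql_server[SHORTLEN];        /* location of mysql server */
    char mysql_user[SHORTLEN];          /* mysql user name */
    char mysql_pass[SHORTLEN];          /* mysql password - a secret held in plain memory;
                                         * wipe with explicit_bzero() or equivalent once the
                                         * connection is up (plain memset may be optimized away)
                                         * and keep it out of log/verbose output */
    char mysql_wfwl_db[SHORTLEN];       /* mysql database */
    unsigned char have_db;              /* set if database support is compiled in */

    char pgsql_server[SHORTLEN];        /* location of postgresql server */
    char pgsql_user[SHORTLEN];          /* postgresql user name */
    char pgsql_pass[SHORTLEN];          /* postgresql password - same handling as mysql_pass */
    char pgsql_db[SHORTLEN];            /* postgresql database */
    char pgsql_wfwl_schema[SHORTLEN];   /* postgresql schema */
    unsigned char pgsql_have_namespace; /* set if server supports schemas */

    struct log_line *line;              /* data for current log line being parsed */
    char format_sel[SHORTLEN];          /* list of parsers from command line */
    unsigned int format;                /* list of parsers to use (PARSER_* bitmap) */
    unsigned int parser;                /* used internally by parser to determine what has been parsed */
    unsigned char repeated;             /* used for repeat expansion */
    int orig_count;                     /* 0 or 1; used with repeat expansion */
    char geoip2_file[BUFSIZE];          /* geoip filename */
#ifdef HAVE_MAXMINDDB_H
    MMDB_s *geoip2_handle;              /* geoip database handle */
#ifdef HAVE_DB_H
    DB *dbp;                            /* pointer to berkeley db */
#endif
#endif
    unsigned char use_geoip;            /* bitmap (GEOIP_USE_*) for whether source, destination,
                                         * or neither fields are used */
    struct geoip_data *geoip_data_init; /* initialized blank geoip_data struct to initialize lines */
    bool use_db;                        /* whether or not to use berkeley db with geoip */

    unsigned char sortfield;            /* field to sort by (SORT_*) */
    unsigned char sortmode;             /* ascending or descending (ORDER_*) */
    unsigned char resolve_hosts;        /* set if hostnames and service names are to be resolved */

    unsigned long int report_rows;      /* number of total rows in report */
    unsigned long int matched_entries;  /* number of log entries meeting selection criteria */
    unsigned long int included_entries; /* number of log entries not limited by aggregate criteria */
    unsigned char use_out;              /* set if outfile to be used */
    char outputfile[FILESIZE];          /* name of outfile */

    unsigned long int max;              /* maximum number of rows to output */
    unsigned long int begin;            /* starting row to output */

    unsigned char ipchains_check;       /* set to check ipchains rules */
};

#endif /* _MAIN_H */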