1 /*
2 **
3 ** Copyright (C) 2008-2013 Ian Firns (SecurixLive) <dev@securixlive.com>
4 **
5 ** Copyright (C) 2002-2009 Sourcefire, Inc.
6 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
7 **
8 ** This program is free software; you can redistribute it and/or modify
9 ** it under the terms of the GNU General Public License Version 2 as
10 ** published by the Free Software Foundation.  You may not use, modify or
11 ** distribute this program under any other version of the GNU General
12 ** Public License.
13 **
14 ** This program is distributed in the hope that it will be useful,
15 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
16 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17 ** GNU General Public License for more details.
18 **
19 ** You should have received a copy of the GNU General Public License
20 ** along with this program; if not, write to the Free Software
21 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
22 **
23 **
24 */
25 
26 #ifndef __UNIFIED2_H__
27 #define __UNIFIED2_H__
28 
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32 
//SNORT DEFINES
// Record type codes carried in Unified2RecordHeader.type.  A reader selects
// the struct to overlay on the record body from this value, so it must be
// checked against the known set before any struct-sized access is made.
//
// UNIFIED2_EVENT (1) is the original event record type; no struct for it is
// defined in this header.
#define UNIFIED2_EVENT               1

//CURRENT
// Types a current reader is expected to handle:
//   2       Unified2Packet
//   7, 72   Unified2IDSEvent_legacy / Unified2IDSEventIPv6_legacy (end of file)
//   99, 100 MPLS variants -- no struct in this header
//   104,105 Unified2IDSEvent / Unified2IDSEventIPv6 (VLAN + MPLS fields)
//   110     Unified2ExtraData
#define UNIFIED2_PACKET              2
#define UNIFIED2_IDS_EVENT           7
#define UNIFIED2_IDS_EVENT_IPV6      72
#define UNIFIED2_IDS_EVENT_MPLS      99
#define UNIFIED2_IDS_EVENT_IPV6_MPLS 100
#define UNIFIED2_IDS_EVENT_VLAN      104
#define UNIFIED2_IDS_EVENT_IPV6_VLAN 105
#define UNIFIED2_EXTRA_DATA          110
46 
/* Each unified2 record will start out with one of these.
**
** type   - one of the UNIFIED2_* record type codes above.
** length - byte count of the record payload that follows the header
**          (presumably excluding the header itself -- confirm against the
**          writer).  Both values come from the serialized stream, so a
**          reader must treat them as untrusted: reject unknown types, and
**          check length against the bytes actually available and against
**          sizeof the struct selected for that type before using it as a
**          copy or skip size.
**
** NOTE(review): serialized unified2 fields are expected to be in network
** byte order; confirm the reader applies ntohl() before comparing.
*/
typedef struct _Unified2RecordHeader
{
    uint32_t type;      /* UNIFIED2_* record type code */
    uint32_t length;    /* size of the record payload that follows */
} Unified2RecordHeader;
53 
//UNIFIED2_IDS_EVENT_VLAN = type 104
//comes from SFDC to EStreamer archive in serialized form with the extended header
//
// IPv4 IDS event with VLAN/MPLS fields.  The first nine uint32_t members are
// identical to Unified2EventCommon, which is what makes the common-prefix
// cast described at the end of this file valid for this type.  Compared to
// Unified2IDSEvent_legacy (type 7) this layout appends mpls_label, vlanId
// and pad2.  The struct is overlaid directly on the serialized record, so
// a reader must confirm the record length covers sizeof(Unified2IDSEvent)
// before dereferencing any field.
typedef struct _Unified2IDSEvent
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;
    uint32_t signature_id;
    uint32_t generator_id;
    uint32_t signature_revision;
    uint32_t classification_id;
    uint32_t priority_id;
    uint32_t ip_source;         // IPv4 address (the IPv6 variant uses struct in6_addr)
    uint32_t ip_destination;    // IPv4 address
    uint16_t sport_itype;       // source port, or ICMP type (per the field name)
    uint16_t dport_icode;       // destination port, or ICMP code (per the field name)
    uint8_t  protocol;
    uint8_t  impact_flag;//overloads packet_action
    uint8_t  impact;
    uint8_t  blocked;
    uint32_t mpls_label;
    uint16_t vlanId;
    uint16_t pad2;//Policy ID
} Unified2IDSEvent;
79 
//UNIFIED2_IDS_EVENT_IPV6_VLAN = type 105
//
// IPv6 counterpart of Unified2IDSEvent: same layout except that the two
// address fields are struct in6_addr.  The first nine uint32_t members match
// Unified2EventCommon.  struct in6_addr is not declared by this header (only
// config.h is included), so the including translation unit must provide
// <netinet/in.h> as well as <stdint.h>.  As with the IPv4 variant, check the
// record length against sizeof(Unified2IDSEventIPv6) before overlaying it.
typedef struct _Unified2IDSEventIPv6
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;
    uint32_t signature_id;
    uint32_t generator_id;
    uint32_t signature_revision;
    uint32_t classification_id;
    uint32_t priority_id;
    struct in6_addr ip_source;
    struct in6_addr ip_destination;
    uint16_t sport_itype;       // source port, or ICMP type (per the field name)
    uint16_t dport_icode;       // destination port, or ICMP code (per the field name)
    uint8_t  protocol;
    uint8_t  impact_flag;       // same meaning as in Unified2IDSEvent (overloads packet_action)
    uint8_t  impact;
    uint8_t  blocked;
    uint32_t mpls_label;
    uint16_t vlanId;
    uint16_t pad2;/*could be IPS Policy local id to support local sensor alerts*/
} Unified2IDSEventIPv6;
104 
//UNIFIED2_PACKET = type 2
//
// Captured-packet record.  Only sensor_id, event_id and event_second line
// up with Unified2EventCommon; the rest of this layout differs, so a packet
// record must NOT be cast to Unified2EventCommon.
//
// packet_data[4] is a fixed 4-byte array, not a flexible array member, and
// sizeof(Unified2Packet) therefore includes those 4 bytes.  Presumably the
// packet bytes continue past the struct for packet_length bytes in total;
// a reader should locate them at offsetof(Unified2Packet, packet_data) and
// must bound packet_length by the record length from Unified2RecordHeader
// (minus that offset) before copying -- packet_length itself is untrusted
// input from the stream.
typedef struct _Unified2Packet
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t packet_second;
    uint32_t packet_microsecond;
    uint32_t linktype;              // link-layer type of the captured data
    uint32_t packet_length;         // number of captured bytes; validate against record length
    uint8_t packet_data[4];   /* For debugging */
} Unified2Packet;
117 
118 
// Header preceding an extra-data payload (see Unified2ExtraData and
// MAX_XFF_WRITE_BUF_LENGTH below, where it is laid out after the record
// header).  event_type presumably carries EVENT_TYPE_EXTRA_DATA -- confirm
// against the writer.  event_length is read from the stream; check it
// against the enclosing record's length before trusting it.
typedef struct _Unified2ExtraDataHdr{
    uint32_t event_type;
    uint32_t event_length;
}Unified2ExtraDataHdr;
123 
124 
//UNIFIED2_EXTRA_DATA - type 110
//
// Extra-data record body.  blob_length counts the data bytes PLUS
// sizeof(blob_length) + sizeof(data_type) (8 bytes), so the data length is
// blob_length - 8.  A reader must reject blob_length < 8 before doing that
// subtraction (uint32_t arithmetic would wrap to a huge size) and must also
// check that the data fits inside the enclosing record length.  type and
// data_type should be validated against EventInfoEnum / EventDataType.
typedef struct _Unified2ExtraData{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t type;              /* EventInfo */
    uint32_t data_type;         /*EventDataType */
    uint32_t blob_length;       /* Length of the data + sizeof(blob_length) + sizeof(data_type)*/
} Unified2ExtraData;
134 
// Values for Unified2ExtraData.type.  Explicit numbering: XFF_IPV4 = 1,
// XFF_IPV6 = 2, REVIEWED_BY = 3, GZIP_DATA = 4.  There is no sentinel, so
// a reader that switches on this value needs an explicit default branch for
// anything outside 1..4.
typedef enum _EventInfoEnum
{
    EVENT_INFO_XFF_IPV4 = 1,    // X-Forwarded-For IPv4 address
    EVENT_INFO_XFF_IPV6 ,       // X-Forwarded-For IPv6 address
    EVENT_INFO_REVIEWED_BY,
    EVENT_INFO_GZIP_DATA
}EventInfoEnum;
142 
// Values for Unified2ExtraData.data_type.  EVENT_DATA_TYPE_BLOB = 1 and
// EVENT_DATA_TYPE_MAX = 2 is a sentinel, so valid values from the stream
// satisfy 1 <= data_type < EVENT_DATA_TYPE_MAX.
typedef enum _EventDataType
{
    EVENT_DATA_TYPE_BLOB = 1,
    EVENT_DATA_TYPE_MAX         // sentinel, not a valid data type
}EventDataType;
148 
// Presumably the value written into Unified2ExtraDataHdr.event_type --
// confirm against the writer.  Note this is distinct from the record type
// UNIFIED2_EXTRA_DATA (110).
#define EVENT_TYPE_EXTRA_DATA   4

// Size of the largest extra-data record this code writes: record header,
// extra-data header, extra-data body, then one IPv6 address (the XFF case,
// cf. EVENT_INFO_XFF_IPV6).  Uses sizeof on the structs above, so it assumes
// the compiler adds no padding to them and requires struct in6_addr to be
// declared by the includer.
#define MAX_XFF_WRITE_BUF_LENGTH (sizeof(Unified2RecordHeader) + \
        sizeof(Unified2ExtraDataHdr) + sizeof(Unified2ExtraData) \
        + sizeof(struct in6_addr))
154 
155 
//---------------LEGACY, type '7'
//These structures are not used anymore in the product
//
// Original IPv4 IDS event layout (UNIFIED2_IDS_EVENT).  Identical to
// Unified2IDSEvent up to and including `blocked`; it lacks the trailing
// mpls_label / vlanId / pad2 fields, so it is shorter and a reader must
// size its length check by sizeof(Unified2IDSEvent_legacy), not by the
// type-104 struct.  Shares the Unified2EventCommon prefix.
typedef struct Unified2IDSEvent_legacy
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;
    uint32_t signature_id;
    uint32_t generator_id;
    uint32_t signature_revision;
    uint32_t classification_id;
    uint32_t priority_id;
    uint32_t ip_source;         // IPv4 address
    uint32_t ip_destination;    // IPv4 address
    uint16_t sport_itype;       // source port, or ICMP type (per the field name)
    uint16_t dport_icode;       // destination port, or ICMP code (per the field name)
    uint8_t  protocol;
    uint8_t  impact_flag;//sets packet_action
    uint8_t  impact;
    uint8_t  blocked;
} Unified2IDSEvent_legacy;
178 
//----------LEGACY, type '72'
//
// Original IPv6 IDS event layout (UNIFIED2_IDS_EVENT_IPV6).  Identical to
// Unified2IDSEventIPv6 up to and including `blocked`; lacks the trailing
// mpls_label / vlanId / pad2 fields.  Shares the Unified2EventCommon prefix
// and needs struct in6_addr from <netinet/in.h> via the includer.
typedef struct Unified2IDSEventIPv6_legacy
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;
    uint32_t signature_id;
    uint32_t generator_id;
    uint32_t signature_revision;
    uint32_t classification_id;
    uint32_t priority_id;
    struct in6_addr ip_source;
    struct in6_addr ip_destination;
    uint16_t sport_itype;       // source port, or ICMP type (per the field name)
    uint16_t dport_icode;       // destination port, or ICMP code (per the field name)
    uint8_t  protocol;
    uint8_t  impact_flag;       // same meaning as in Unified2IDSEvent_legacy (sets packet_action)
    uint8_t  impact;
    uint8_t  blocked;
} Unified2IDSEventIPv6_legacy;
200 
201 ////////////////////-->LEGACY
202 
203 
204 /*
205 ** The Unified2EventCommon structure is the common structure that occurs
206 ** at the beginning of all Unified2Event* structures.
207 **
208 ** This structure allows the safe casting of any Unified2Event* structure
209 ** in order to obtain common event information
210 */
211 typedef struct _Unified2EventCommon
212 {
213     uint32_t sensor_id;
214     uint32_t event_id;
215     uint32_t event_second;
216     uint32_t event_microsecond;
217     uint32_t signature_id;
218     uint32_t generator_id;
219     uint32_t signature_revision;
220     uint32_t classification_id;
221     uint32_t priority_id;
222 } Unified2EventCommon;
223 
224 #endif /* __UNIFIED2_H__ */
225