/*
** Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
** Copyright (C) 2002-2013 Sourcefire, Inc.
** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/

/* PLEASE DO NOT EDIT THIS FILE */

/*
** Record layouts for the unified2 binary output format, shared by the
** writer and by every reader of the archive/stream.  The structs below are
** copied to and from the output as raw bytes, so member order, member width
** and the overall sizeof of each struct ARE the format: do not reorder,
** resize or append members to any of them.
**
** NOTE(review): the byte order of the fields is not established in this
** file; confirm against the writer/reader code before interpreting values.
** Readers should treat every length field that arrives in a record
** (header length, packet_length, blob_length, event_length) as untrusted
** input and bound it against the bytes actually available before copying.
*/

#ifndef __UNIFIED2_COMMON_H__
#define __UNIFIED2_COMMON_H__

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include <sys/types.h>
#ifndef WIN32
#ifdef LINUX
#include <stdint.h>
#endif
#include <netinet/in.h>
#endif


/*! \defgroup Unified2
*/
/** \addtogroup Unified2 */
/*@{*/

//SNORT DEFINES
//Long time ago...
#define UNIFIED2_EVENT 1

//CURRENT
/* Record type codes carried in Serial_Unified2_Header.type.  Each code
 * selects which of the structs below follows the header. */
#define UNIFIED2_PACKET 2
#define UNIFIED2_IDS_EVENT 7
#define UNIFIED2_IDS_EVENT_IPV6 72
#define UNIFIED2_IDS_EVENT_MPLS 99
#define UNIFIED2_IDS_EVENT_IPV6_MPLS 100
#define UNIFIED2_IDS_EVENT_VLAN 104
#define UNIFIED2_IDS_EVENT_IPV6_VLAN 105
#define UNIFIED2_EXTRA_DATA 110
#if defined(FEAT_OPEN_APPID)
#define UNIFIED2_IDS_EVENT_APPID 111
#define UNIFIED2_IDS_EVENT_APPID_IPV6 112

#define UNIFIED2_IDS_EVENT_APPSTAT 113

/* Width of the fixed app_name member in the AppID-enabled event structs. */
#define MAX_EVENT_APPNAME_LEN 64
#endif /* defined(FEAT_OPEN_APPID) */

/* Data structure used for serialization of Unified2 Records */
/* Precedes every record.  `type` is one of the UNIFIED2_* codes above;
 * `length` is presumably the byte count of the record body that follows
 * (confirm against the writer).  A reader must check `length` against the
 * remaining input and against the sizeof of the struct selected by `type`
 * before reading that struct. */
typedef struct _Serial_Unified2_Header
{
    uint32_t type;
    uint32_t length;
} Serial_Unified2_Header;


//UNIFIED2_IDS_EVENT_VLAN = type 104
//comes from SFDC to EStreamer archive in serialized form with the extended header
typedef struct _Unified2IDSEvent
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;
    uint32_t signature_id;
    uint32_t generator_id;
    uint32_t signature_revision;
    uint32_t classification_id;
    uint32_t priority_id;
    uint32_t ip_source;
    uint32_t ip_destination;
    uint16_t sport_itype;
    uint16_t dport_icode;
    uint8_t protocol;
    uint8_t impact_flag;//overloads packet_action
    uint8_t impact;
    uint8_t blocked;
    uint32_t mpls_label;
    uint16_t vlanId;
    uint16_t pad2;//Policy ID
#if defined(FEAT_OPEN_APPID)
    /* Fixed-width field.  NOTE(review): nothing here guarantees a NUL
     * terminator; bound any string operation to MAX_EVENT_APPNAME_LEN. */
    char app_name[MAX_EVENT_APPNAME_LEN];
#endif /* defined(FEAT_OPEN_APPID) */
} Unified2IDSEvent;


//UNIFIED2_IDS_EVENT_IPV6_VLAN = type 105
/* Same layout as Unified2IDSEvent except the two addresses are in6_addr. */
typedef struct _Unified2IDSEventIPv6
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;
    uint32_t signature_id;
    uint32_t generator_id;
    uint32_t signature_revision;
    uint32_t classification_id;
    uint32_t priority_id;
    struct in6_addr ip_source;
    struct in6_addr ip_destination;
    uint16_t sport_itype;
    uint16_t dport_icode;
    uint8_t protocol;
    uint8_t impact_flag;
    uint8_t impact;
    uint8_t blocked;
    uint32_t mpls_label;
    uint16_t vlanId;
    uint16_t pad2;/*could be IPS Policy local id to support local sensor alerts*/
#if defined(FEAT_OPEN_APPID)
    /* Fixed-width field; see the NUL-termination note on Unified2IDSEvent. */
    char app_name[MAX_EVENT_APPNAME_LEN];
#endif /* defined(FEAT_OPEN_APPID) */
} Unified2IDSEventIPv6;



//UNIFIED2_PACKET = type 2
typedef struct _Serial_Unified2Packet
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t packet_second;
    uint32_t packet_microsecond;
    uint32_t linktype;
    uint32_t packet_length;
    /* Presumably the start of the variable-length packet payload whose size
     * is packet_length (an old-style stand-in for a flexible array member).
     * The declared size of 4 contributes to sizeof this struct and is part
     * of the on-disk format; do not change it.  NOTE(review): readers must
     * check packet_length against the enclosing record length before
     * reading the payload. */
    uint8_t packet_data[4];
} Serial_Unified2Packet;


/* Sub-header that precedes an extra-data record body. */
typedef struct _Unified2ExtraDataHdr{
    uint32_t event_type;
    uint32_t event_length;
}Unified2ExtraDataHdr;



//UNIFIED2_EXTRA_DATA - type 110
/* Serialized form of an extra-data record. */
typedef struct _SerialUnified2ExtraData{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t type; /* EventInfo */
    uint32_t data_type; /*EventDataType */
    /* Self-inclusive per the comment below: the smallest valid value is
     * sizeof(blob_length) + sizeof(data_type).  NOTE(review): readers should
     * reject values below that and values larger than the record. */
    uint32_t blob_length; /* Length of the data + sizeof(blob_length) + sizeof(data_type)*/
} SerialUnified2ExtraData;


/* In-memory view of a byte range: holds a pointer, so it is not itself an
 * on-disk layout. */
typedef struct _Data_Blob
{
    uint32_t length;
    const uint8_t *data;
} Data_Blob;

//UNIFIED2_EXTRA_DATA - type 110
/* In-memory form of an extra-data record (contains a pointer via
 * Data_Blob); SerialUnified2ExtraData above is the serialized layout. */
typedef struct _Serial_Unified2ExtraData{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t type;
    Data_Blob data;
} Unified2ExtraData;

/* Values carried in SerialUnified2ExtraData.type. */
typedef enum _EventInfoEnum
{
    EVENT_INFO_XFF_IPV4 = 1,
    EVENT_INFO_XFF_IPV6,
    EVENT_INFO_REVIEWED_BY,
    EVENT_INFO_GZIP_DATA,
    EVENT_INFO_SMTP_FILENAME,
    EVENT_INFO_SMTP_MAILFROM,
    EVENT_INFO_SMTP_RCPTTO,
    EVENT_INFO_SMTP_EMAIL_HDRS,
    EVENT_INFO_HTTP_URI,
    EVENT_INFO_HTTP_HOSTNAME,
    EVENT_INFO_IPV6_SRC,
    EVENT_INFO_IPV6_DST,
    EVENT_INFO_JSNORM_DATA
}EventInfoEnum;

/* Values carried in SerialUnified2ExtraData.data_type. */
typedef enum _EventDataType
{
    EVENT_DATA_TYPE_BLOB = 1,
    EVENT_DATA_TYPE_MAX
}EventDataType;

/* Presumably the Unified2ExtraDataHdr.event_type value for extra-data
 * records; confirm against the writer. */
#define EVENT_TYPE_EXTRA_DATA 4

/* Upper bound on the serialized size of an X-Forwarded-For extra-data
 * record: header + sub-header + body + the largest address (IPv6). */
#define MAX_XFF_WRITE_BUF_LENGTH (sizeof(Serial_Unified2_Header) + \
        sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData) \
        + sizeof(struct in6_addr))


/* Legacy spellings kept for callers that still use the Serial_ prefix. */
#define Serial_Unified2IDSEvent Unified2IDSEvent
#define Serial_Unified2IDSEventIPv6 Unified2IDSEventIPv6


//---------------LEGACY, type '7'
//These structures are not used anymore in the product
/* Unified2IDSEvent without the mpls_label/vlanId/pad2 trailer. */
typedef struct _Serial_Unified2IDSEvent_legacy
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;
    uint32_t signature_id;
    uint32_t generator_id;
    uint32_t signature_revision;
    uint32_t classification_id;
    uint32_t priority_id;
    uint32_t ip_source;
    uint32_t ip_destination;
    uint16_t sport_itype;
    uint16_t dport_icode;
    uint8_t protocol;
    uint8_t impact_flag;//sets packet_action
    uint8_t impact;
    uint8_t blocked;
} Serial_Unified2IDSEvent_legacy;

//----------LEGACY, type '72'
/* Unified2IDSEventIPv6 without the mpls_label/vlanId/pad2 trailer. */
typedef struct _Serial_Unified2IDSEventIPv6_legacy
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;
    uint32_t signature_id;
    uint32_t generator_id;
    uint32_t signature_revision;
    uint32_t classification_id;
    uint32_t priority_id;
    struct in6_addr ip_source;
    struct in6_addr ip_destination;
    uint16_t sport_itype;
    uint16_t dport_icode;
    uint8_t protocol;
    uint8_t impact_flag;
    uint8_t impact;
    uint8_t blocked;
} Serial_Unified2IDSEventIPv6_legacy;


#if defined(FEAT_OPEN_APPID)
//UNIFIED2_IDS_EVENT_APPSTAT = type 113
//(the earlier comment here read "IPV6_VLAN = type 200", which matches no
// define in this file; 113 is the APPSTAT code defined above)
typedef struct _Serial_Unified2AppStat
{
    uint32_t event_second;
    uint32_t AppCnt;
} Serial_Unified2AppStat;
#endif /* defined(FEAT_OPEN_APPID) */

////////////////////-->LEGACY

/*@}*/
#endif /* __UNIFIED2_COMMON_H__ */
