//--------------------------------------------------------------------------
// Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
// Copyright (C) 2002-2013 Sourcefire, Inc.
// Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
//
// This program is free software; you can redistribute it and/or modify it
// under the terms of the GNU General Public License Version 2 as published
// by the Free Software Foundation. You may not use, modify or distribute
// this program under any other version of the GNU General Public License.
//
// This program is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
// General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------

#ifndef UNIFIED2_H
#define UNIFIED2_H

// Unified logging (events and packets) shared header.
//
// The Serial_* / Unified2* structs below are the record layouts of the
// unified2 log, which external consumers (barnyard2 is named below) read
// back.  Member order, member widths and the fixed-size app_name arrays
// *are* the file format: do not reorder, retype or "tidy" any field.
// NOTE(review): the byte order of multi-byte fields as written to disk is
// not established in this header — confirm with the writer/reader code
// before relying on it.
// NOTE(review): <cstdint> is not included here; uint32_t & co. presumably
// arrive through the includes below.

#include <netinet/in.h>

#include "protocols/protocol_ids.h"

// OBSOLETE (no longer generated):
// #define UNIFIED2_EVENT 1
// #define UNIFIED2_IDS_EVENT 7
// #define UNIFIED2_IDS_EVENT_IPV6 72
// #define UNIFIED2_IDS_EVENT_MPLS 99
// #define UNIFIED2_IDS_EVENT_IPV6_MPLS 100
// #define UNIFIED2_IDS_EVENT_APPSTAT 113

// CURRENT
// Record type ids carried in Serial_Unified2_Header::type.  A reader that
// meets a type it does not know should skip the record by its length rather
// than guess at a layout.
#define UNIFIED2_PACKET 2
#define UNIFIED2_BUFFER 3 // !legacy_events
#define UNIFIED2_IDS_EVENT_VLAN 104 // legacy_events
#define UNIFIED2_IDS_EVENT_IPV6_VLAN 105 // legacy_events
#define UNIFIED2_EXTRA_DATA 110
#define UNIFIED2_EVENT3 114

// Width of the fixed app_name field in the event records.  It is a field
// width, not a guarantee that the contents are NUL-terminated.
#define MAX_EVENT_APPNAME_LEN 64

/* Data structure used for serialization of Unified2 Records */
// Precedes every record.  Nothing in the format enforces `length`; a reader
// must validate it against the bytes actually available and against the
// size expected for `type` before interpreting the record body.
struct Serial_Unified2_Header
{
    uint32_t type;      // one of the UNIFIED2_* record types above
    uint32_t length;    // size of the record body following this header
                        // (presumed — confirm against the writer)
};

// UNIFIED2_EVENT3 = type 114
// Current, address-family-agnostic event record.
struct Unified2Event
{
    uint32_t snort_id;

    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;

    uint32_t rule_gid;
    uint32_t rule_sid;
    uint32_t rule_rev;
    uint32_t rule_class;
    uint32_t rule_priority;

    // everything above this point is common to all prior event records
    // try to keep the same for things like barnyard2

    uint32_t policy_id_context;
    uint32_t policy_id_inspect;
    uint32_t policy_id_detect;

    // 16 bytes each: large enough for an IPv6 address; pkt_ip_ver says which
    // family each side is.  NOTE(review): which word(s) hold an IPv4 address
    // is not shown here — confirm with the writer.
    uint32_t pkt_src_ip[4];
    uint32_t pkt_dst_ip[4];
    uint32_t pkt_mpls_label;

    uint16_t pkt_src_port_itype;    // source port, or ICMP type (per the name)
    uint16_t pkt_dst_port_icode;    // destination port, or ICMP code (per the name)
    uint16_t pkt_vlan_id;
    uint16_t unused;                // padding; writers should zero it so no
                                    // uninitialized memory reaches the log

    uint8_t pkt_ip_ver; // 0x4 or 0x6, high nybble is src, low is dst
    uint8_t pkt_ip_proto;

    uint8_t snort_status; // allow=0, can't, would, force
    uint8_t snort_action; // pass=0, drop, block, reset

    // Fixed-width; not guaranteed NUL-terminated.  Bound every string
    // operation on it by MAX_EVENT_APPNAME_LEN.
    char app_name[MAX_EVENT_APPNAME_LEN];
};

// UNIFIED2_IDS_EVENT_VLAN = type 104
// Legacy IPv4 event record (the define above marks it legacy_events).
struct Unified2IDSEvent
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;
    uint32_t signature_id;
    uint32_t generator_id;
    uint32_t signature_revision;
    uint32_t classification_id;
    uint32_t priority_id;
    uint32_t ip_source;         // IPv4 (the IPv6 variant below uses in6_addr)
    uint32_t ip_destination;
    uint16_t sport_itype;
    uint16_t dport_icode;
    // NOTE(review): the width of IpProtocol (protocols/protocol_ids.h) is
    // part of this legacy layout — confirm it is one byte so that it and the
    // three uint8_t fields below occupy the expected 4 bytes.
    IpProtocol ip_proto;
    uint8_t impact_flag; // overloads packet_action
    uint8_t impact;
    uint8_t blocked;
    uint32_t mpls_label;
    uint16_t vlanId;
    uint16_t pad2; // Policy ID
    // Fixed-width; not guaranteed NUL-terminated — bound by MAX_EVENT_APPNAME_LEN.
    char app_name[MAX_EVENT_APPNAME_LEN];
};

// UNIFIED2_IDS_EVENT_IPV6_VLAN = type 105
// Legacy IPv6 event record; identical to Unified2IDSEvent except for the
// address fields.
struct Unified2IDSEventIPv6
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;
    uint32_t signature_id;
    uint32_t generator_id;
    uint32_t signature_revision;
    uint32_t classification_id;
    uint32_t priority_id;
    struct in6_addr ip_source;
    struct in6_addr ip_destination;
    uint16_t sport_itype;
    uint16_t dport_icode;
    // NOTE(review): same width caveat on IpProtocol as in Unified2IDSEvent.
    IpProtocol ip_proto;
    uint8_t impact_flag;
    uint8_t impact;
    uint8_t blocked;
    uint32_t mpls_label;
    uint16_t vlanId;
    uint16_t pad2; /*could be IPS Policy local id to support local sensor alerts*/
    // Fixed-width; not guaranteed NUL-terminated — bound by MAX_EVENT_APPNAME_LEN.
    char app_name[MAX_EVENT_APPNAME_LEN];
};

// UNIFIED2_PACKET = type 2
// Fixed prefix of a packet record; the captured packet follows it.
// packet_data[4] merely stands in for the first bytes of that packet, so
// sizeof(Serial_Unified2Packet) already counts 4 payload bytes.  Length
// arithmetic must use packet_length, and a reader must check packet_length
// against the enclosing record's length before touching the data.
struct Serial_Unified2Packet
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t packet_second;
    uint32_t packet_microsecond;
    uint32_t linktype;
    uint32_t packet_length;     // bytes of packet data in this record
    uint8_t packet_data[4];     // placeholder for the variable-length packet
};

// Inner header of an extra-data record.
// NOTE(review): event_type presumably carries EVENT_TYPE_EXTRA_DATA (defined
// below) and event_length the size of what follows; neither is shown here,
// confirm with the writer.
struct Unified2ExtraDataHdr
{
    uint32_t event_type;
    uint32_t event_length;
};

// UNIFIED2_EXTRA_DATA - type 110
struct SerialUnified2ExtraData
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t type; // EventInfo
    uint32_t data_type; // EventDataType
    uint32_t blob_length; // Length of the data + sizeof(blob_length) + sizeof(data_type)
    // Because blob_length includes its own field and data_type, a reader must
    // check blob_length >= sizeof(blob_length) + sizeof(data_type) before
    // subtracting, and that the resulting data length fits inside the record.
};

// In-memory descriptor for extra data: it holds a host pointer, so this is
// not an on-disk layout.  NOTE(review): ownership and lifetime of `data` are
// not established here.
struct Data_Blob
{
    uint32_t length;
    const uint8_t* data;
};

// Values for SerialUnified2ExtraData::type.
enum EventInfoEnum
{
    EVENT_INFO_XFF_IPV4 = 1,
    EVENT_INFO_XFF_IPV6,
    EVENT_INFO_REVIEWED_BY,
    EVENT_INFO_GZIP_DATA,
    EVENT_INFO_SMTP_FILENAME,
    EVENT_INFO_SMTP_MAILFROM,
    EVENT_INFO_SMTP_RCPTTO,
    EVENT_INFO_SMTP_EMAIL_HDRS,
    EVENT_INFO_HTTP_URI,
    EVENT_INFO_HTTP_HOSTNAME,
    EVENT_INFO_IPV6_SRC, // deprecated
    EVENT_INFO_IPV6_DST, // deprecated
    EVENT_INFO_JSNORM_DATA
};

// Values for SerialUnified2ExtraData::data_type.  EVENT_DATA_TYPE_MAX is
// presumably a bound rather than a real data type — readers should treat
// values >= it as invalid.
enum EventDataType
{
    EVENT_DATA_TYPE_BLOB = 1,
    EVENT_DATA_TYPE_MAX
};

// NOTE(review): presumably the value written to Unified2ExtraDataHdr::event_type.
#define EVENT_TYPE_EXTRA_DATA 4

// Upper bound on the size of an X-Forwarded-For extra-data record: outer
// record header + extra-data header + extra-data body + one IPv6 address
// (the larger of the two XFF address types).
#define MAX_XFF_WRITE_BUF_LENGTH \
    (sizeof(Serial_Unified2_Header) + \
    sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData) \
    + sizeof(struct in6_addr))

#endif
