yafhooks.h
Go to the documentation of this file.
1/*
2 * Copyright 2007-2024 Carnegie Mellon University
3 * See license information in LICENSE.txt.
4 */
5/*
6 * yafhooks.h
7 * YAF Active Flow Table Plugin Interface
8 *
9 * ------------------------------------------------------------------------
10 * Authors: Brian Trammell
11 * ------------------------------------------------------------------------
12 * @DISTRIBUTION_STATEMENT_BEGIN@
13 * YAF 2.16
14 *
15 * Copyright 2024 Carnegie Mellon University.
16 *
17 * NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
18 * INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON
19 * UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
20 * AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR
21 * PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF
22 * THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF
23 * ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT
24 * INFRINGEMENT.
25 *
26 * Licensed under a GNU GPL 2.0-style license, please see LICENSE.txt or
27 * contact permission@sei.cmu.edu for full terms.
28 *
29 * [DISTRIBUTION STATEMENT A] This material has been approved for public
30 * release and unlimited distribution. Please see Copyright notice for
31 * non-US Government use and distribution.
32 *
33 * This Software includes and/or makes use of Third-Party Software each
34 * subject to its own license.
35 *
36 * DM24-1063
37 * @DISTRIBUTION_STATEMENT_END@
38 * ------------------------------------------------------------------------
39 */
40
84/*
85 *
86 * Design notes:
87 *
88 * 1. For now, it is okay for the yfhook facility to only support a single
89 * hook.
90 *
91 * 5. Each hook needs to know when a flow is flushed, so that it can make the
92 * per-flow export fields available.
93 *
94 * Changes in Version 4:
95 *
96 * Added a function to pass a config file to the plugin from the command line.
97 *
98 * Changes in Version 3:
99 *
100 * Hooks export entire templates that will be added to Yaf's
101 * subTemplateMultiList.
102 * yfWriteFlow in yafcore.c will call ypGetTemplateCount (a function as of v.
103 * 3),
104 * which will return the number of templates Yaf should alloc in the STML.
105 * When
106 * yfHookWriteFlow is called the STML entry can be added. The hook should not
107 * add NULL entries, if no template is to be added, ypGetTemplateCount should
108 * return
109 * 0. If the STML entry contains list fields (BL's, STL's, STML's), it must
110 * free
111 * these in the call to ypFreeLists. This means that the hook must maintain
112 * access to the record so that it can free it.
113 * ypFreeList does NOT free Yaf's STML, yaf will free this after all the hook's
114 * lists have been freed.
115 *
116 * As of Version 3, ypGetTemplate will call fbTemplateAppendSpecArray and
117 * fbSessionAddTemplate. It does not need to internal templates, only
118 * external.
119 *
120 * ypGetInfoModel should no longer be used. ypGetTemplate should allocate the
121 * info model and add the elements to the info model & the template.
122 *
123 * Versions 2 or Below:
124 *
125 * Each hook needs to be able to hand YAF an export template for its fields.
126 * These fields will appear in every exported record; a facility for NULLs MUST
127 * be provided by the hook's representation.
128 *
129 */
130
131#ifndef _YAF_HOOKS_H_
132#define _YAF_HOOKS_H_
133
134#include <yaf/autoinc.h>
135#include <yaf/decode.h>
136#include <yaf/yafcore.h>
137#include <yaf/yaftab.h>
138#if YAF_ENABLE_APPLABEL
139#include <pcre.h>
140#endif
141
143#define YAF_HOOK_INTERFACE_VERSION 6
144
147struct yfHookMetaData {
149 uint8_t version;
151 uint32_t exportDataSize;
153 uint8_t requireAppLabel;
154};
155
156
169gboolean
170yfHookPacket(
171 yfFlowKey_t *key,
172 const uint8_t *pkt,
173 size_t caplen,
174 uint32_t iplen,
175 yfTCPInfo_t *tcpinfo,
176 yfL2Info_t *l2info);
177
190void
191yfHookFlowPacket(
192 yfFlow_t *flow,
193 yfFlowVal_t *val,
194 const uint8_t *pkt,
195 size_t caplen,
196 uint32_t iplen,
197 yfTCPInfo_t *tcpinfo,
198 yfL2Info_t *l2info);
199
217void
218yfHookValidateFlowTab(
219 void **yfctx,
220 uint32_t max_payload,
221 gboolean uniflow,
222 gboolean silkmode,
223 gboolean applabelmode,
224 gboolean entropymode,
225 gboolean fingerprintmode,
226 gboolean fpExportMode,
227 gboolean udp_max_payload,
228 uint16_t udp_uniflow_port);
229
237gboolean
238yfHookFlowClose(
239 yfFlow_t *flow);
240
252void
253yfHookFlowAlloc(
254 yfFlow_t *flow,
255 void **yfctx);
256
264void
265yfHookFlowFree(
266 yfFlow_t *flow);
267
274fbInfoElement_t *
275yfHookGetInfoModel(
276 void);
277
287gboolean
288yfHookGetTemplate(
289 fbSession_t *session);
290
300gboolean
301yfHookFlowWrite(
302 fbSubTemplateMultiList_t *rec,
303 fbSubTemplateMultiListEntry_t *stml,
304 yfFlow_t *flow,
305 GError **err);
306
320gboolean
321yfHookAddNewHook(
322 const char *hookName,
323 const char *hookOpts,
324 const char *hookConf,
325 void **yfctx,
326 GError **err);
327
328#if YAF_ENABLE_APPLABEL
341void
342yfHookScanPayload(
343 yfFlow_t *flow,
344 const uint8_t *pkt,
345 size_t caplen,
346 pcre *expression,
347 uint32_t offset,
348 uint16_t elementID,
349 uint16_t applabel);
350
351#endif /* if YAF_ENABLE_APPLABEL */
352
360uint8_t
361yfHookGetTemplateCount(
362 yfFlow_t *flow);
363
370void
371yfHookFreeLists(
372 yfFlow_t *flow);
373
374
375/*
376 * The following are the prototypes of the functions that must be defined for
377 * a hook to be loaded into YAF. They are declared here to help ensure the
378 * hook uses the correct function signature.
379 */
380
381const struct yfHookMetaData *
382ypGetMetaData(
383 void);
384
385gboolean
386ypHookPacket(
387 yfFlowKey_t *key,
388 const uint8_t *pkt,
389 size_t caplen,
390 uint32_t iplen,
391 yfTCPInfo_t *tcpinfo,
392 yfL2Info_t *l2info);
393
394void
395ypFlowPacket(
396 void *yfHookConext,
397 yfFlow_t *flow,
398 yfFlowVal_t *val,
399 const uint8_t *pkt,
400 size_t caplen,
401 uint32_t iplen,
402 yfTCPInfo_t *tcpinfo,
403 yfL2Info_t *l2info);
404
405gboolean
406ypFlowClose(
407 void *yfHookConext,
408 yfFlow_t *flow);
409
410void
411ypFlowAlloc(
412 void **yfHookConext,
413 yfFlow_t *flow,
414 void *yfctx);
415
416void
417ypFlowFree(
418 void *yfHookConext,
419 yfFlow_t *flow);
420
421gboolean
422ypFlowWrite(
423 void *yfHookConext,
424 fbSubTemplateMultiList_t *rec,
425 fbSubTemplateMultiListEntry_t *stml,
426 yfFlow_t *flow,
427 GError **err);
428
429fbInfoElement_t *
430ypGetInfoModel(
431 void);
432
433gboolean
434ypGetTemplate(
435 fbSession_t *session);
436
437void
438ypSetPluginOpt(
439 const char *pluginOpt,
440 void *yfctx);
441
442void
443ypSetPluginConf(
444 const char *pluginConf,
445 void **yfctx);
446
447#if YAF_ENABLE_APPLABEL
448void
449ypScanPayload(
450 void *yfHookConext,
451 yfFlow_t *flow,
452 const uint8_t *pkt,
453 size_t caplen,
454 pcre *expression,
455 uint32_t offset,
456 uint16_t elementID,
457 uint16_t applabel);
458
459#endif /* YAF_ENABLE_APPLABEL */
460
461gboolean
462ypValidateFlowTab(
463 void *yfctx,
464 uint32_t max_payload,
465 gboolean uniflow,
466 gboolean silkmode,
467 gboolean applabelmode,
468 gboolean entropymode,
469 gboolean fingerprintmode,
470 gboolean fpExportMode,
471 gboolean udp_max_payload,
472 uint16_t udp_uniflow_port,
473 GError **err);
474
475uint8_t
476ypGetTemplateCount(
477 void *yfHookConext,
478 yfFlow_t *flow);
479
480void
481ypFreeLists(
482 void *yfHookConext,
483 yfFlow_t *flow);
484
485#endif /* _YAF_HOOKS_H_ */
yfFlow_st
A YAF flow.
Definition yafcore.h:409
yfFlowKey_st
A YAF flow key.
Definition yafcore.h:244
yfFlowVal_st
A YAF uniflow value.
Definition yafcore.h:314
yfHookMetaData
Exported from the plugin to tell YAF about its export data & interface version.
Definition yafhooks.h:147
yfHookMetaData::version
uint8_t version
version of plugin interface
Definition yafhooks.h:149
yfHookMetaData::requireAppLabel
uint8_t requireAppLabel
turn on application labeling related functions
Definition yafhooks.h:153
yfHookMetaData::exportDataSize
uint32_t exportDataSize
size of data plugin will export
Definition yafhooks.h:151
yfL2Info_st
Datalink layer information structure.
Definition decode.h:93
yfTCPInfo_st
TCP information structure.
Definition decode.h:123
yafcore.h
YAF Core Library.
yfHookFlowFree
void yfHookFlowFree(yfFlow_t *flow)
Frees all memory associated with the flow state in all of the attached plugins.
yfHookFlowPacket
void yfHookFlowPacket(yfFlow_t *flow, yfFlowVal_t *val, const uint8_t *pkt, size_t caplen, uint32_t iplen, yfTCPInfo_t *tcpinfo, yfL2Info_t *l2info)
Similar to yfHookPacket but also given yfFlowVal_t struct for processing per flow direction.
yfHookFlowWrite
gboolean yfHookFlowWrite(fbSubTemplateMultiList_t *rec, fbSubTemplateMultiListEntry_t *stml, yfFlow_t *flow, GError **err)
called by yfWriteFlow to add the data from all registered plugins to the outgoing IPFIX record
yfHookAddNewHook
gboolean yfHookAddNewHook(const char *hookName, const char *hookOpts, const char *hookConf, void **yfctx, GError **err)
Adds another hook (plugin) into yaf.
yfHookGetTemplate
gboolean yfHookGetTemplate(fbSession_t *session)
Gets the IPFIX info model template for the export data from all the plugins and turns it into a singl...
yfHookGetInfoModel
fbInfoElement_t * yfHookGetInfoModel(void)
Returns the IPFIX info model aggregated for all plugins.
yfHookGetTemplateCount
uint8_t yfHookGetTemplateCount(yfFlow_t *flow)
Returns the amount of templates to add to the SubtemplateMultiList from all plugins hooked.
yfHookPacket
gboolean yfHookPacket(yfFlowKey_t *key, const uint8_t *pkt, size_t caplen, uint32_t iplen, yfTCPInfo_t *tcpinfo, yfL2Info_t *l2info)
Function called to do processing on each packet as it comes in.
yfHookFreeLists
void yfHookFreeLists(yfFlow_t *flow)
Sends control back to the plugin to free any BasicLists, SubTemplateLists, or SubTemplateMultiLists t...
yfHookFlowClose
gboolean yfHookFlowClose(yfFlow_t *flow)
Called upon flow close to do any necessary plugin processing upon flow close.
yfHookFlowAlloc
void yfHookFlowAlloc(yfFlow_t *flow, void **yfctx)
Allow plugins to allocate flow state information for each flow captured by yaf at the time of flow cr...
yfHookValidateFlowTab
void yfHookValidateFlowTab(void **yfctx, uint32_t max_payload, gboolean uniflow, gboolean silkmode, gboolean applabelmode, gboolean entropymode, gboolean fingerprintmode, gboolean fpExportMode, gboolean udp_max_payload, uint16_t udp_uniflow_port)
Validation function to make sure the plugin can and should operate based on the flowtable options.
yaftab.h
Flow generation interface for YAF.