hi_si.h

snort-2.1.0入侵检测

/**
**  @file       hi_si.h
**
**  @author     Daniel J. Roelker <droelker@sourcefire.com>
**
**  @brief      This file contains structures and functions for the
**              Session Inspection Module.
**
**  The Session Inspection Module has several data structures that are
**  very important to the functionality of the module.  The two major
**  structures are the HI_SESSION and the HI_SI_INPUT.
**
**  NOTES:
**  - 2.25.03:  Initial Development.  DJR
*/
#ifndef __HI_SI_H__
#define __HI_SI_H__

#include "hi_include.h"
#include "hi_ui_config.h"
#include "hi_client.h"
#include "hi_server.h"
#include "hi_ad.h"

/*
**  These are the defines for the different types of
**  inspection modes.  We have a server mode, client mode and a "no" mode which
**  looks for anomalous HTTP server detection and tunneling.
*/
#define HI_SI_NO_MODE     0
#define HI_SI_CLIENT_MODE 1
#define HI_SI_SERVER_MODE 2

/**
**  The HI_SESSION structure contains the complete HTTP session, both the
**  client and the server constructs.  This structure is the structure that 
**  is saved per session in the Stream Interface Module.  This structure 
**  gets sent through the detection engine process (Normalization, 
**  Detection).
*/
typedef struct s_HI_SESSION
{
    /*
    **  The client construct contains all the info associated with a 
    **  client request.
    */
    HI_CLIENT client;

    /*
    **  The server construct contains all the info associated with a 
    **  server response.
    */
    HI_SERVER server;

    /*
    **  The anomalous server construct that let's us do things when we've
    **  found undefined HTTP traffic.
    */
    HI_ANOM_SERVER anom_server;

    /*
    **  The server configuration for this session
    */
    HTTPINSPECT_CONF *server_conf;

    /*
    **  The global configuration for this session
    */
    HTTPINSPECT_GLOBAL_CONF *global_conf;

} HI_SESSION;

/**
**  The HI_SI_INPUT structure holds the information that the Session
**  Inspection Module needs to determine the type of inspection mode
**  (client, server, neither) and to retrieve the appropriate server
**  configuration.
**
**  The input is the source and destination IP addresses, and the 
**  source and destination ports (since this should always be a
**  TCP packet).
*/
typedef struct s_HI_SI_INPUT
{
    unsigned long sip;
    unsigned long dip;
    unsigned short sport;
    unsigned short dport;
    unsigned char pdir;

} HI_SI_INPUT;

int hi_si_session_inspection(HTTPINSPECT_GLOBAL_CONF *GlobalConf,
        HI_SESSION **Session, HI_SI_INPUT *SiInput, int *piInspectMode);

#endif