ftpp_eo.h

Snort为国际上著名的轻量型入侵防御系统,为国内多家著名“自主知识产权”网络安全公司所使用。

/*
 * ftpp_eo.h
 *
 * Copyright (C) 2004 Sourcefire,Inc
 * Steven A. Sturges <ssturges@sourcefire.com>
 * Daniel J. Roelker <droelker@sourcefire.com>
 * Marc A. Norton <mnorton@sourcefire.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Description:
 *
 * Contains the data structures, event types, specific events,
 * and function prototypes for the Event Output Module.
 *
 * This file is key to alerting with FTPTelnet.  It contains the header
 * file with all the individual alerts.
 *
 * The Event Output Module provides a mechanism to queue HttpInspect events
 * and prioritize them.  The Event Output Module does not actually log the
 * events, but tracks them per session/packet.  The user program needs to 
 * do the actual logging of events.
 *
 * Each event contains the type of event, the priority of the event, and
 * any data that is associated with the event.
 *
 * NOTES:
 * - 20.09.04:  Initial Development.  SAS
 *
 */
#ifndef __FTPP_EO_H__
#define __FTPP_EO_H__

#include "ftpp_include.h"
#include "ftpp_eo_events.h"

/*
 * We hold the type of alert, the priority of the alert
 * and any data associated with this alert.
 */
typedef struct s_FTPP_EVENT_INFO
{
    int alert_id;               /* the alert id */
    int alert_sid;              /* the unique sid */
    int classification;         /* classification */
    int priority;               /* the alert priority, 0 = highest */
    char *alert_str;            /* the alert string */

} FTPP_EVENT_INFO;

typedef struct s_FTPP_EVENT
{
    FTPP_EVENT_INFO *event_info;
    int  count;                 /* number of times event occurred in session */
    void *data;                 /* generic ptr to data */
    void (*free_data)(void *);  /* function to free data */

} FTPP_EVENT;

/*
 * This is a generic structure to translate different event types to
 * the same structure.  This helps when logging the different types
 * of events.
 */
typedef struct s_FTPP_GEN_EVENTS
{
    int *stack;
    int stack_count;
    FTPP_EVENT *events;

} FTPP_GEN_EVENTS;

/*
 * The idea behind this event storage structure is that we use a
 * simple stack to tell us which events we have set, so we don't
 * set an event twice and can access the events very easily.
 */
typedef struct s_FTP_EVENTS
{
    int stack[FTP_EO_EVENT_NUM];
    int stack_count;
    FTPP_EVENT events[FTP_EO_EVENT_NUM];

} FTP_EVENTS;

/*
 * The idea behind this event storage structure is that we use a
 * simple stack to tell us which events we have set, so we don't
 * set an event twice and can access the events very easily.
 */
typedef struct s_TELNET_EVENTS
{
    int stack[TELNET_EO_EVENT_NUM];
    int stack_count;
    FTPP_EVENT events[TELNET_EO_EVENT_NUM];

} TELNET_EVENTS;
#endif