idmef-tree-wrap.sgml

看看哈

<!-- ##### SECTION Title ##### -->
idmef-tree-wrap

<!-- ##### SECTION Short_Description ##### -->

Generating events using the low level IDMEF API

<!-- ##### SECTION Long_Description ##### -->

<para>

The IDMEF API is used by a sensor in order to generate events.  IDMEF is an alert description
format allowing almost any alert information to fit within an IDMEF alert, independantly of the
type of analyzer used.

</para>

<para> 
Here is real world example taken from the Snort Prelude sensors. The top level IDMEF object is always 
of type #idmef_message_t. You should refer to the <ulink url="http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-14.txt">IDMEF draft</ulink>, or to the Prelude API documentation in order to get a complete 
listing of theses objects, or a description of what information an object may carry.

<programlisting>
void snort_alert_prelude(Packet *p, char *msg, void *data, Event *event)
{
        int ret;
        idmef_time_t *time;
        idmef_alert_t *alert;
        prelude_string_t *str;
        idmef_message_t *idmef;
        idmef_classification_t *class;
        prelude_client_t *client = data;
        
        ret = idmef_message_new(&amp;idmef);
        if ( ret &lt; 0 )
                return;

        ret = idmef_message_new_alert(idmef, &amp;alert);
        if ( ret &lt; 0 )
                goto err;

        ret = idmef_alert_new_classification(alert, &amp;class);
        if ( ret &lt; 0 )
                goto err;

        ret = idmef_classification_new_text(class, &amp;str);
        if ( ret &lt; 0 )
                goto err;

        prelude_string_set_ref(str, msg);

        ret = event_to_impact(event, alert);
        if ( ret &lt; 0 )
                goto err;

        ret = event_to_reference(event, class);
        if ( ret &lt; 0 )
                goto err;
        
        ret = event_to_source_target(p, alert);
        if ( ret &lt; 0 )
                goto err;
        
        ret = packet_to_data(p, event, alert);
        if ( ret &lt; 0 )
                goto err;
        
        ret = idmef_alert_new_detect_time(alert, &amp;time);
        if ( ret &lt; 0 )
                goto err;
        idmef_time_set_from_timeval(time, &amp;p->pkth->ts);
        
        ret = idmef_time_new_from_gettimeofday(&amp;time);
        if ( ret &lt; 0 )
                goto err; 
        idmef_alert_set_create_time(alert, time);
                
        idmef_alert_set_analyzer(alert, idmef_analyzer_ref(prelude_client_get_analyzer(client)), 0);
        prelude_client_send_idmef(client, idmef);
                
 err:
        idmef_message_destroy(idmef);
	prelude_perror(ret, "Unable to create IDMEF alert");
}
</programlisting>

</para>

<!-- ##### SECTION See_Also ##### -->
<para>
#idmef_path_t for the high level IDMEF API.
</para>

<!-- ##### SECTION Stability_Level ##### -->


<!-- ##### MACRO IDMEF_LIST_APPEND ##### -->
<para>

</para>



<!-- ##### MACRO IDMEF_LIST_PREPEND ##### -->
<para>

</para>



<!-- ##### ENUM idmef_additional_data_type_t ##### -->
<para>

</para>

@IDMEF_ADDITIONAL_DATA_TYPE_ERROR: 
@IDMEF_ADDITIONAL_DATA_TYPE_STRING: 
@IDMEF_ADDITIONAL_DATA_TYPE_BYTE: 
@IDMEF_ADDITIONAL_DATA_TYPE_CHARACTER: 
@IDMEF_ADDITIONAL_DATA_TYPE_DATE_TIME: 
@IDMEF_ADDITIONAL_DATA_TYPE_INTEGER: 
@IDMEF_ADDITIONAL_DATA_TYPE_NTPSTAMP: 
@IDMEF_ADDITIONAL_DATA_TYPE_PORTLIST: 
@IDMEF_ADDITIONAL_DATA_TYPE_REAL: 
@IDMEF_ADDITIONAL_DATA_TYPE_BOOLEAN: 
@IDMEF_ADDITIONAL_DATA_TYPE_BYTE_STRING: 
@IDMEF_ADDITIONAL_DATA_TYPE_XML: 

<!-- ##### FUNCTION idmef_additional_data_type_to_numeric ##### -->
<para>

</para>

@name: 
@Returns: 


<!-- ##### FUNCTION idmef_additional_data_type_to_string ##### -->
<para>

</para>

@val: 
@Returns: 


<!-- ##### TYPEDEF idmef_additional_data_t ##### -->
<para>

</para>


<!-- ##### FUNCTION idmef_additional_data_new ##### -->
<para>

</para>

@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_additional_data_copy ##### -->
<para>

</para>

@src: 
@dst: 
@Returns: 


<!-- ##### FUNCTION idmef_additional_data_clone ##### -->
<para>

</para>

@src: 
@dst: 
@Returns: 


<!-- ##### FUNCTION idmef_additional_data_ref ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_additional_data_destroy ##### -->
<para>

</para>

@ptr: 


<!-- ##### FUNCTION idmef_additional_data_get_type ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_additional_data_set_type ##### -->
<para>

</para>

@ptr: 
@type: 


<!-- ##### FUNCTION idmef_additional_data_new_type ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_additional_data_get_meaning ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_additional_data_set_meaning ##### -->
<para>

</para>

@ptr: 
@meaning: 


<!-- ##### FUNCTION idmef_additional_data_new_meaning ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_additional_data_get_data ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_additional_data_set_data ##### -->
<para>

</para>

@ptr: 
@data: 


<!-- ##### FUNCTION idmef_additional_data_new_data ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### ENUM idmef_reference_origin_t ##### -->
<para>

</para>

@IDMEF_REFERENCE_ORIGIN_ERROR: 
@IDMEF_REFERENCE_ORIGIN_UNKNOWN: 
@IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC: 
@IDMEF_REFERENCE_ORIGIN_USER_SPECIFIC: 
@IDMEF_REFERENCE_ORIGIN_BUGTRAQID: 
@IDMEF_REFERENCE_ORIGIN_CVE: 
@IDMEF_REFERENCE_ORIGIN_OSVDB: 

<!-- ##### FUNCTION idmef_reference_origin_to_numeric ##### -->
<para>

</para>

@name: 
@Returns: 


<!-- ##### FUNCTION idmef_reference_origin_to_string ##### -->
<para>

</para>

@val: 
@Returns: 


<!-- ##### TYPEDEF idmef_reference_t ##### -->
<para>

</para>


<!-- ##### FUNCTION idmef_reference_new ##### -->
<para>

</para>

@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_reference_copy ##### -->
<para>

</para>

@src: 
@dst: 
@Returns: 


<!-- ##### FUNCTION idmef_reference_clone ##### -->
<para>

</para>

@src: 
@dst: 
@Returns: 


<!-- ##### FUNCTION idmef_reference_ref ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_reference_destroy ##### -->
<para>

</para>

@ptr: 


<!-- ##### FUNCTION idmef_reference_get_origin ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_reference_set_origin ##### -->
<para>

</para>

@ptr: 
@origin: 


<!-- ##### FUNCTION idmef_reference_new_origin ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_reference_get_name ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_reference_set_name ##### -->
<para>

</para>

@ptr: 
@name: 


<!-- ##### FUNCTION idmef_reference_new_name ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_reference_get_url ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_reference_set_url ##### -->
<para>

</para>

@ptr: 
@url: 


<!-- ##### FUNCTION idmef_reference_new_url ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_reference_get_meaning ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_reference_set_meaning ##### -->
<para>

</para>

@ptr: 
@meaning: 


<!-- ##### FUNCTION idmef_reference_new_meaning ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### TYPEDEF idmef_classification_t ##### -->
<para>

</para>


<!-- ##### FUNCTION idmef_classification_new ##### -->
<para>

</para>

@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_classification_copy ##### -->
<para>

</para>

@src: 
@dst: 
@Returns: 


<!-- ##### FUNCTION idmef_classification_clone ##### -->
<para>

</para>

@src: 
@dst: 
@Returns: 


<!-- ##### FUNCTION idmef_classification_ref ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_classification_destroy ##### -->
<para>

</para>

@ptr: 


<!-- ##### FUNCTION idmef_classification_get_ident ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_classification_set_ident ##### -->
<para>

</para>

@ptr: 
@ident: 


<!-- ##### FUNCTION idmef_classification_new_ident ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_classification_get_text ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_classification_set_text ##### -->
<para>

</para>

@ptr: 
@text: 


<!-- ##### FUNCTION idmef_classification_new_text ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_classification_get_next_reference ##### -->
<para>

</para>

@ptr: 
@object: 
@Returns: 


<!-- ##### FUNCTION idmef_classification_set_reference ##### -->
<para>

</para>

@ptr: 
@object: 
@pos: 


<!-- ##### FUNCTION idmef_classification_new_reference ##### -->
<para>

</para>

@ptr: 
@ret: 
@pos: 
@Returns: 


<!-- ##### ENUM idmef_user_id_type_t ##### -->
<para>

</para>

@IDMEF_USER_ID_TYPE_ORIGINAL_ERROR: 
@IDMEF_USER_ID_TYPE_ORIGINAL_USER: 
@IDMEF_USER_ID_TYPE_CURRENT_USER: 
@IDMEF_USER_ID_TYPE_TARGET_USER: 
@IDMEF_USER_ID_TYPE_USER_PRIVS: 
@IDMEF_USER_ID_TYPE_CURRENT_GROUP: 
@IDMEF_USER_ID_TYPE_GROUP_PRIVS: 
@IDMEF_USER_ID_TYPE_OTHER_PRIVS: 

<!-- ##### FUNCTION idmef_user_id_type_to_numeric ##### -->
<para>

</para>

@name: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_type_to_string ##### -->
<para>

</para>

@val: 
@Returns: 


<!-- ##### TYPEDEF idmef_user_id_t ##### -->
<para>

</para>


<!-- ##### FUNCTION idmef_user_id_new ##### -->
<para>

</para>

@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_copy ##### -->
<para>

</para>

@src: 
@dst: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_clone ##### -->
<para>

</para>

@src: 
@dst: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_ref ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_destroy ##### -->
<para>

</para>

@ptr: 


<!-- ##### FUNCTION idmef_user_id_get_ident ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_set_ident ##### -->
<para>

</para>

@ptr: 
@ident: 


<!-- ##### FUNCTION idmef_user_id_new_ident ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_get_type ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_set_type ##### -->
<para>

</para>

@ptr: 
@type: 


<!-- ##### FUNCTION idmef_user_id_new_type ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_get_tty ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_set_tty ##### -->
<para>

</para>

@ptr: 
@tty: 


<!-- ##### FUNCTION idmef_user_id_new_tty ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_get_name ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_set_name ##### -->
<para>

</para>

@ptr: 
@name: 


<!-- ##### FUNCTION idmef_user_id_new_name ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_unset_number ##### -->
<para>

</para>

@ptr: 


<!-- ##### FUNCTION idmef_user_id_get_number ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_user_id_set_number ##### -->
<para>

</para>

@ptr: 
@number: 


<!-- ##### FUNCTION idmef_user_id_new_number ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### ENUM idmef_user_category_t ##### -->
<para>

</para>

@IDMEF_USER_CATEGORY_ERROR: 
@IDMEF_USER_CATEGORY_UNKNOWN: 
@IDMEF_USER_CATEGORY_APPLICATION: 
@IDMEF_USER_CATEGORY_OS_DEVICE: 

<!-- ##### FUNCTION idmef_user_category_to_numeric ##### -->
<para>

</para>

@name: 
@Returns: 


<!-- ##### FUNCTION idmef_user_category_to_string ##### -->
<para>

</para>

@val: 
@Returns: 


<!-- ##### TYPEDEF idmef_user_t ##### -->
<para>

</para>


<!-- ##### FUNCTION idmef_user_new ##### -->
<para>

</para>

@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_user_copy ##### -->
<para>

</para>

@src: 
@dst: 
@Returns: 


<!-- ##### FUNCTION idmef_user_clone ##### -->
<para>

</para>

@src: 
@dst: 
@Returns: 


<!-- ##### FUNCTION idmef_user_ref ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_user_destroy ##### -->
<para>

</para>

@ptr: 


<!-- ##### FUNCTION idmef_user_get_ident ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_user_set_ident ##### -->
<para>

</para>

@ptr: 
@ident: 


<!-- ##### FUNCTION idmef_user_new_ident ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_user_get_category ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_user_set_category ##### -->
<para>

</para>

@ptr: 
@category: 


<!-- ##### FUNCTION idmef_user_new_category ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_user_get_next_user_id ##### -->
<para>

</para>

@ptr: 
@object: 
@Returns: 


<!-- ##### FUNCTION idmef_user_set_user_id ##### -->
<para>

</para>

@ptr: 
@object: 
@pos: 


<!-- ##### FUNCTION idmef_user_new_user_id ##### -->
<para>

</para>

@ptr: 
@ret: 
@pos: 
@Returns: 


<!-- ##### ENUM idmef_address_category_t ##### -->
<para>

</para>

@IDMEF_ADDRESS_CATEGORY_ERROR: 
@IDMEF_ADDRESS_CATEGORY_UNKNOWN: 
@IDMEF_ADDRESS_CATEGORY_ATM: 
@IDMEF_ADDRESS_CATEGORY_E_MAIL: 
@IDMEF_ADDRESS_CATEGORY_LOTUS_NOTES: 
@IDMEF_ADDRESS_CATEGORY_MAC: 
@IDMEF_ADDRESS_CATEGORY_SNA: 
@IDMEF_ADDRESS_CATEGORY_VM: 
@IDMEF_ADDRESS_CATEGORY_IPV4_ADDR: 
@IDMEF_ADDRESS_CATEGORY_IPV4_ADDR_HEX: 
@IDMEF_ADDRESS_CATEGORY_IPV4_NET: 
@IDMEF_ADDRESS_CATEGORY_IPV4_NET_MASK: 
@IDMEF_ADDRESS_CATEGORY_IPV6_ADDR: 
@IDMEF_ADDRESS_CATEGORY_IPV6_ADDR_HEX: 
@IDMEF_ADDRESS_CATEGORY_IPV6_NET: 
@IDMEF_ADDRESS_CATEGORY_IPV6_NET_MASK: 

<!-- ##### FUNCTION idmef_address_category_to_numeric ##### -->
<para>

</para>

@name: 
@Returns: 


<!-- ##### FUNCTION idmef_address_category_to_string ##### -->
<para>

</para>

@val: 
@Returns: 


<!-- ##### TYPEDEF idmef_address_t ##### -->
<para>

</para>


<!-- ##### FUNCTION idmef_address_new ##### -->
<para>

</para>

@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_address_copy ##### -->
<para>

</para>

@src: 
@dst: 
@Returns: 


<!-- ##### FUNCTION idmef_address_clone ##### -->
<para>

</para>

@src: 
@dst: 
@Returns: 


<!-- ##### FUNCTION idmef_address_ref ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_address_destroy ##### -->
<para>

</para>

@ptr: 


<!-- ##### FUNCTION idmef_address_get_ident ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_address_set_ident ##### -->
<para>

</para>

@ptr: 
@ident: 


<!-- ##### FUNCTION idmef_address_new_ident ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_address_get_category ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_address_set_category ##### -->
<para>

</para>

@ptr: 
@category: 


<!-- ##### FUNCTION idmef_address_new_category ##### -->
<para>

</para>

@ptr: 
@ret: 
@Returns: 


<!-- ##### FUNCTION idmef_address_get_vlan_name ##### -->
<para>

</para>

@ptr: 
@Returns: 


<!-- ##### FUNCTION idmef_address_set_vlan_name ##### -->
<para>

</para>

@ptr: 
@vlan_name: 


<!-- ##### FUNCTION idmef_address_new_vlan_name ##### -->
<para>

</para>